Exploitdb | Most viewed

47884 matches found

Exploit DB
added 2006/12/01 12:0 a.m. | 2076 views

DZCP (deV!L`z Clanportal) 1.3.6 - Arbitrary File Upload

S Y N O P S I S / =================' - access: remote severity: high - deV!Lz Clanportal allows nearly arbitrary files to be uploaded and stored on the server's filesystem, which enables anyone, even without a user account, to upload PHP code and execute it, leading to arbitrary code execution. B...

7.4 AI score
Exploits: 0
Exploit DB
added 2011/02/23 12:0 a.m. | 2043 views

VidiScript - SQL Injection

====================================== VidiScript Sql Injection Vulnerability ====================================== + Title: VidiScript Sql Injection Vulnerability + Date: 23.02.2011 + Author: ThEtA.Nu + Software Link: VidiScript.com + Where : From Remote Founded by : ThEtA.Nu Team: Kosova Hacke...

7.4 AI score
Exploits: 0
Exploit DB
added 2023/08/10 12:0 a.m. | 2037 views

systemd 246 - Local Privilege Escalation

Exploit Title: systemd 246 - Local Privilege Escalation Exploit Author: Iyaad Luqman K init6 Application: systemd 246 Tested on: Ubuntu 22.04 CVE: CVE-2023-26604 systemd 246 was discovered to contain Privilege Escalation vulnerability, when the systemctl status command can be run as root user. Th...

7.8 CVSS | 7.8 AI score | 0.05624 EPSS
Exploits: 4
Exploit DB
added 2021/11/11 12:0 a.m. | 1998 views

Apache HTTP Server 2.4.50 - Remote Code Execution (RCE) (3)

Exploit Title: Apache HTTP Server 2.4.50 - Remote Code Execution RCE 3 Date: 11/11/2021 Exploit Author: Valentin Lobstein Vendor Homepage: https://apache.org/ Version: Apache 2.4.49/2.4.50 CGI enabled Tested on: Debian GNU/Linux CVE : CVE-2021-41773 / CVE-2021-42013 Credits : Lucas Schnell...

9.8 CVSS | 7.6 AI score | 0.9441 EPSS
Exploits: 168
Exploit DB
added 2020/09/17 12:0 a.m. | 1994 views

Microsoft SQL Server Reporting Services 2016 - Remote Code Execution

Exploit Title: Microsoft SQL Server Reporting Services 2016 - Remote Code Execution Google Dork: inurl:ReportViewer.aspx Date: 2020-09-17 Exploit Author: West Shepherd Vendor Homepage: https://www.microsoft.com Version: Microsoft SQL Server 2016 32-bit/x64 SP2 CU/GDR, Microsoft SQL Server 2014...

9.8 CVSS | 8.2 AI score | 0.9424 EPSS
Exploits: 14
Exploit DB
added 2021/05/26 12:0 a.m. | 1957 views

ProFTPd 1.3.5 - 'mod_copy' Remote Command Execution (2)

Exploit Title: ProFTPd 1.3.5 - 'modcopy' Remote Command Execution 2 Date: 25/05/2021 Exploit Author: Shellbr3ak Version: 1.3.5 Tested on: Ubuntu 16.04.6 LTS CVE : CVE-2015-3306 !/usr/bin/env python3 import sys import socket import requests def exploitclient, target: client.connecttarget,21...

10 CVSS | 9.6 AI score | 0.93835 EPSS
Exploits: 21
Exploit DB
added 2019/08/26 12:0 a.m. | 1949 views

Exim 4.87 / 4.91 - Local Privilege Escalation (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'expect' class MetasploitModule 'Exim 4.87 - 4.91 Local Privilege Escalation', 'Description' = %q This module exploits a flaw in Exim versions 4.87 to 4.91...

10 CVSS | 9.7 AI score | 0.93918 EPSS
Exploits: 27
Exploit DB
added 2023/04/05 12:0 a.m. | 1945 views

Binwalk v2.3.2 - Remote Command Execution (RCE)

Exploit Title: Binwalk v2.3.2 - Remote Command Execution RCE Exploit Author: Etienne Lacoche CVE-ID: CVE-2022-4510 import os import inspect import argparse print"" print"" print"------------------CVE-2022-4510----------------" print"" print"--------Binwalk Remote Command Execution--------"...

7.8 CVSS | 7.6 AI score | 0.45181 EPSS
Exploits: 8
Exploit DB
added 2006/11/01 12:0 a.m. | 1941 views

TikiWiki 1.9.5 Sirius - 'sort_mode' Information Disclosure

/==========================================/ //tikiwiki version 1.9.5 CVS -Sirius- PoC // Product: Tikiwiki // URL: http://tikiwiki.org/ // RISK: critical /==========================================/ there's a critical security bug in tikiwiki version 1.9.5 CVS -Sirius- a anonymous user , can dum...

7 AI score
Exploits: 0
Exploit DB
added 2020/03/05 12:0 a.m. | 1926 views

Exchange Control Panel - Viewstate Deserialization (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework require 'bindata' class MetasploitModule 'Exchange Control Panel Viewstate Deserialization', 'Description' = %q This module exploits a .NET serialization vulnerability i...

9 CVSS | 8.7 AI score | 0.94389 EPSS
Exploits: 30
Exploit DB
added 2017/09/27 12:0 a.m. | 1876 views

Oracle WebLogic Server 10.3.6.0 - Java Deserialization Remote Code Execution

Exploit Title: Oracle WebLogic Server Java Deserialization Remote Code Execution Date: 27/09/2017 Exploit Author: SlidingWindow, Twitter: @kapilkhot Vulnerability Author: FoxGloveSecurity Vendor Homepage: http://www.oracle.com/technetwork/middleware/weblogic/overview/index.html Affected Version...

9.8 CVSS | 8.7 AI score | 0.92947 EPSS
Exploits: 16
Exploit DB
added 2011/12/09 12:0 a.m. | 1870 views

Apache - Denial of Service

/ This is a reverse engineered version of the exploit for CVE-2011-3192 made by ev1lut10n http://jayakonstruksi.com/backupintsec/rapache.tgz. Copyright 2011 Ramon de C Valle Compile with the following command: gcc -Wall -pthread -o rcvalle-rapache rcvalle-rapache.c / include include include inclu...

7.8 CVSS | 7.9 AI score | 0.90456 EPSS
Exploits: 17
Exploit DB
added 2019/10/28 12:0 a.m. | 1859 views

PHP-FPM + Nginx - Remote Code Execution

PHuiP-FPizdaM What's this This is an exploit for a bug in php-fpm CVE-2019-11043. In certain nginx + php-fpm configurations, the bug is possible to trigger from the outside. This means that a web user may get code execution if you have vulnerable config see below. What's vulnerable If a webserver...

9.8 CVSS | 9.7 AI score | 0.94053 EPSS
Exploits: 53
Exploit DB
added 2022/03/16 12:0 a.m. | 1850 views

Hikvision IP Camera - Backdoor

Exploit Title: Hikvision IP Camera - Backdoor Date: 14/03/2022 Exploit Author: Sobhan Mahmoodi Reference: https://ipvm.com/reports/hik-exploit GitHub: https://github.com/bp2008/HikPasswordHelper/ Hikvision included a magic string that allowed instant access to any camera, regardless of what the...

0.4 AI score
Exploits: 0
Exploit DB
added 2022/07/11 12:0 a.m. | 1785 views

Nginx 1.20.0 - Denial of Service (DOS)

Exploit Title: Nginx 1.20.0 - Denial of Service DOS Date: 2022-6-29 Exploit Author: Mohammed Alshehri - https://Github.com/M507 Vendor Homepage: https://nginx.org/ Software Link: https://github.com/nginx/nginx/releases/tag/release-1.20.0 Version: 0.6.18 - 1.20.0 Tested on: Ubuntu 18.04.4 LTS bion...

7.7 CVSS | 6.9 AI score | 0.73544 EPSS
Exploits: 10
Exploit DB
added 2020/10/29 12:0 a.m. | 1770 views

WebLogic Server 10.3.6.0.0 / 12.1.3.0.0 / 12.2.1.3.0 / 12.2.1.4.0 / 14.1.1.0.0 - Unauthenticated RCE via GET request

!/usr/bin/python3 Exploit Title: Oracle WebLogic Server 10.3.6.0.0 / 12.1.3.0.0 / 12.2.1.3.0 / 12.2.1.4.0 / 14.1.1.0.0 - Unauthenticated RCE via GET request Exploit Author: Nguyen Jang CVE: CVE-2020-14882 Vendor Homepage: https://www.oracle.com/middleware/technologies/weblogic.html Software Link:...

10 CVSS | 9.9 AI score | 0.94454 EPSS
Exploits: 41
Exploit DB
added 2017/10/02 12:0 a.m. | 1740 views

Dnsmasq < 2.78 - Stack Overflow

''' Sources: https://raw.githubusercontent.com/google/security-research-pocs/master/vulnerabilities/dnsmasq/CVE-2017-14493.py https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html 1 Build the docker and open two terminals docker build -t dnsmasq . docker run --rm -t -i...

9.8 CVSS | 9 AI score | 0.04678 EPSS
Exploits: 6
Exploit DB
added 2016/12/23 12:0 a.m. | 1737 views

OpenSSH < 7.4 - agent Protocol Arbitrary Library Loading

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1009 The OpenSSH agent permits its clients to load PKCS11 providers using the commands SSHAGENTCADDSMARTCARDKEY and SSHAGENTCADDSMARTCARDKEYCONSTRAINED if OpenSSH was compiled with the ENABLEPKCS11 flag normally enabled and the age...

7.4 AI score
Exploits: 0
Exploit DB
added 2019/09/03 12:0 a.m. | 1729 views

Cisco RV110W/RV130(W)/RV215W Routers Management Interface - Remote Command Execution (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework linux/armle/meterpreter/bindtcp - segfault linux/armle/meterpreter/reversetcp - segfault linux/armle/meterpreterreversehttp - works linux/armle/meterpreterreversehttps -...

10 CVSS | 7.4 AI score | 0.87247 EPSS
Exploits: 15
Exploit DB
added 2008/06/18 12:0 a.m. | 1723 views

PHP 5.2.6 - 'chdir()' Function http URL Argument Safe_mode Restriction Bypass

source: https://www.securityfocus.com/bid/29796/info PHP is prone to multiple 'safemode' restriction-bypass vulnerabilities. Successful exploits could allow an attacker to determine the presence of files in unauthorized locations; other attacks are also possible. Exploiting these issues allows...

7 AI score
Exploits: 0
Exploit DB
added 2018/10/23 12:0 a.m. | 1716 views

MGB OpenSource Guestbook 0.7.0.2 - 'id' SQL Injection

Exploit Title: MGB OpenSource Guestbook 0.7.0.2 - 'id' SQL Injection Dork: N/A Date: 2018-10-23 Exploit Author: Ihsan Sencan Vendor Homepage: http://www.m-gb.org/ Software Link: https://sourceforge.net/projects/mopzz-gb/files/latest/download Version: 0.7.0.2 Category: Webapps Tested on:...

7.4 AI score
Exploits: 0
Exploit DB
added 2007/08/09 12:0 a.m. | 1715 views

Shoutbox 1.0 - 'Shoutbox.php' Remote File Inclusion

source: https://www.securityfocus.com/bid/25254/info Shoutbox is prone to a remote file-include vulnerability because it fails to sufficiently sanitize user-supplied data. Exploiting this issue may allow an attacker to compromise the application and the underlying system; other attacks are also...

7 AI score
Exploits: 0
Exploit DB
added 2019/03/11 12:0 a.m. | 1713 views

PRTG Network Monitor 18.2.38 - (Authenticated) Remote Code Execution

!/bin/bash echo -e "\n\e00;33m++ \e00m" echo -e "\e00;32m Authenticated PRTG network Monitor remote code execution \e00m" echo -e "\e00;33m++ \e00m" echo -e "\e00;32m Date: 11/03/2019 \e00m" echo -e "\e00;33m++ \e00m" echo -e "\e00;32m Author: https://github.com/M4LV0 [email protected]...

9 CVSS | 6.9 AI score | 0.87952 EPSS
Exploits: 11
Exploit DB
added 2021/09/01 12:0 a.m. | 1707 views

Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution (RCE) (Unauthenticated)

Exploit Title: Confluence Server 7.12.4 - 'OGNL injection' Remote Code Execution RCE Unauthenticated Date: 01/09/2021 Exploit Author: h3v0x Vendor Homepage: https://www.atlassian.com/ Software Link: https://www.atlassian.com/software/confluence/download-archives Version: All 7.12.x versions befor...

9.8 CVSS | 8.8 AI score | 0.9444 EPSS
Exploits: 45
Exploit DB
added 2021/02/05 12:0 a.m. | 1700 views

PhreeBooks 5.2.3 ERP - Remote Code Execution (2)

Exploit Title: PhreeBooks 5.2.3 - Remote Code Execution Date: 22 Jan 2021 Exploit Author: Kr0ff Vendor Homepage: https://www.phreesoft.com/ Software Link: https://sourceforge.net/projects/phreebooks/ Version: 5.2.3 Tested on: Windows Server 2016 !/usr/bin/env python3 ''' DESCRIPTION: - PhreeBooks...

7.4 AI score
Exploits: 0
Exploit DB
added 2017/05/29 12:0 a.m. | 1678 views

Samba 3.5.0 < 4.4.14/4.5.10/4.6.4 - 'is_known_pipename()' Arbitrary Module Load (Metasploit)

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Samba isknownpipename Arbitrary Module Load', 'Description' = %q This module triggers an arbitrary shared library load vulnerability in Samba...

10 CVSS | 10 AI score | 0.94176 EPSS
Exploits: 24
Exploit DB
added 2019/10/14 12:0 a.m. | 1670 views

Apache Httpd mod_proxy - Error Page Cross-Site Scripting

The trick is to use a vertical tab %09 and then place another URL in the tag. So once a victim clicks the link on the error page, she will go somewhere else. As you can see, the browser changes the destination from relative / to an absolute url https://enoflag.de. The exploit is...

7.4 AI score
Exploits: 0
Exploit DB
added 2009/06/22 12:0 a.m. | 1663 views

phpMyAdmin - 'pmaPWN!' Code Injection / Remote Code Execution

?php $list = array '/phpmyadmin/', '/phpMyAdmin/', '/PMA/', '/pma/', '/admin/', '/dbadmin/', '/mysql/', '/myadmin/', '/phpmyadmin2/', '/phpMyAdmin2/', '/phpMyAdmin-2/', '/php-my-admin/', '/phpMyAdmin-2.2.3/', '/phpMyAdmin-2.2.6/', '/phpMyAdmin-2.5.1/', '/phpMyAdmin-2.5.4/',...

7.4 AI score
Exploits: 0
Exploit DB
added 2010/03/07 12:0 a.m. | 1658 views

Apache 2.2.14 mod_isapi - Dangling Pointer Remote SYSTEM

/ Apache 2.2.14 modisapi Dangling Pointer Remote SYSTEM Exploit CVE-2010-0425 ------------------------------------------------------------------------------ Advisory: http://www.senseofsecurity.com.au/advisories/SOS-10-002 Description: pwn-isapi.cpp exploits a dangling pointer vulnerability in...

10 CVSS | 9.6 AI score | 0.86822 EPSS
Exploits: 13
Exploit DB
added 2022/03/16 12:0 a.m. | 1655 views

Tiny File Manager 2.4.6 - Remote Code Execution (RCE)

Exploit Title: Tiny File Manager 2.4.6 - Remote Code Execution RCE Date: 14/03/2022 Exploit Author: FEBIN MON SAJI Software Link: https://github.com/prasathmani/tinyfilemanager Version: Tiny File Manager Example: $0 http://files.ubuntu.local/index.php admin "admin@123" " log-in URL=$1 admin=$2...

6.5 CVSS | 6.9 AI score | 0.08442 EPSS
Exploits: 5
Exploit DB
added 2019/09/27 12:0 a.m. | 1619 views

thesystem App 1.0 - 'username' SQL Injection

Exploit Title: thesystem App 1.0 - 'username' SQL Injection Author: Anıl Baran Yelken Discovery Date: 2019-09-26 Vendor Homepage: https://github.com/kostasmitroglou/thesystem Software Link: https://github.com/kostasmitroglou/thesystem Tested Version: 1.0 Tested on OS: Windows 10 CVE: N/A...

7.4 AI score
Exploits: 0
Exploit DB
added 2021/03/29 12:0 a.m. | 1617 views

vsftpd 3.0.3 - Remote Denial of Service

Exploit Title: vsftpd 3.0.3 - Remote Denial of Service Date: 22-03-2021 Exploit Author: xynmaps Vendor Homepage: https://security.appspot.com/vsftpd.html Software Link: https://security.appspot.com/downloads/vsftpd-3.0.3.tar.gz Version: 3.0.3 Tested on: Parrot Security OS 5.9.0...

7.4 AI score
Exploits: 0
Exploit DB
added 2009/12/16 12:0 a.m. | 1612 views

Linux Kernel < 2.6.28 - 'fasync_helper()' Local Privilege Escalation

/ source: https://www.securityfocus.com/bid/37806/info Linux kernel is prone to a local privilege-escalation vulnerability. Local attackers can exploit this issue to execute arbitrary code with kernel-level privileges. Successful exploits will result in the complete compromise of affected...

7.4 AI score
Exploits: 0
Exploit DB
added 2021/11/17 12:0 a.m. | 1606 views

GitLab 13.10.2 - Remote Code Execution (RCE) (Unauthenticated)

Exploit Title: GitLab 13.10.2 - Remote Code Execution RCE Unauthenticated Shodan Dork: https://www.shodan.io/search?query=title%3A%22GitLab%22+%2B%22Server%3A+nginx%22 Date: 11/01/2021 Exploit Author: Jacob Baines Vendor Homepage: https://about.gitlab.com/ Software Link:...

10 CVSS | 9.3 AI score | 0.94467 EPSS
Exploits: 56
Exploit DB
added 2018/08/16 12:0 a.m. | 1605 views

OpenSSH 2.3 < 7.7 - Username Enumeration (PoC)

!/usr/bin/env python Copyright c 2018 Matthew Daley Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files the "Software", to deal in the Software without restriction, including without limitation the rights to use, copy,...

7.4 AI score
Exploits: 0
Exploit DB
added 2009/08/31 12:0 a.m. | 1572 views

Linux Kernel 2.6 < 2.6.19 (White Box 4 / CentOS 4.4/4.5 / Fedora Core 4/5/6 x86) - 'ip_append_data()' Ring0 Privilege Escalation (1)

/ 0x82-CVE-2009-2698 Linux kernel 2.6 . / include include include include include include include unsigned int uid, gid; void getrootuidunsigned task unsigned addr=task; whileaddr0!=uid||addr1!=uid||addr2!=uid||addr3!=uid addr++; addr0=addr1=addr2=addr3=0; / set uids / addr4=addr5=addr6=addr7=0; ...

7.8 CVSS | 7.7 AI score | 0.26117 EPSS
Exploits: 18
Exploit DB
added 2017/05/24 12:0 a.m. | 1562 views

Samba 3.5.0 - Remote Code Execution

!/usr/bin/env python Title : ETERNALRED Date: 05/24/2017 Exploit Author: steelo Vendor Homepage: https://www.samba.org Samba 3.5.0 - 4.5.4/4.5.10/4.4.14 CVE-2017-7494 import argparse import os.path import sys import tempfile import time from smb.SMBConnection import SMBConnection from smb import...

10 CVSS | 10 AI score | 0.94176 EPSS
Exploits: 24
Exploit DB
added 2019/08/12 12:0 a.m. | 1539 views

Webmin 1.920 - Unauthenticated Remote Code Execution (Metasploit)

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'Webmin 1.920 Unauthenticated RCE', 'Description' = %q This module exploits a backdoor in Webmin versions 1.890 through 1.920. Only the SourceForg...

7.4 AI score
Exploits: 0
Exploit DB
added 2019/08/19 12:0 a.m. | 1534 views

Webmin 1.920 - Remote Code Execution

!/bin/sh CVE-2019-15107 Webmin Unauthenticated Remote Command Execution based on Metasploit module https://www.exploit-db.com/exploits/47230 Original advisory: https://pentest.com.tr/exploits/DEFCON-Webmin-1920-Unauthenticated-Remote-Command-Execution.html Alternative advisory spanish:...

10 CVSS | 9.8 AI score | 0.94459 EPSS
Exploits: 36
Exploit DB
added 2020/05/18 12:0 a.m. | 1533 views

WordPress Plugin Ajax Load More 5.3.1 - '#1' Authenticated SQL Injection

Exploit Title: Wordpress Plugin Ajax Load More 5.3.1 - '1' Authenticated SQL Injection Exploit Author: SunCSR Sun Cyber Security Research - Nguyen Khang Google Dork: N/A Date: 2020-05-18 Vendor Homepage: https://connekthq.com/plugins/ajax-load-more/ Software Link:...

7.4 AI score
Exploits: 0
Exploit DB
added 2010/06/06 12:0 a.m. | 1515 views

JForum 2.1.8 - 'bookmarks' Module Multiple HTML Injection Vulnerabilities

source: https://www.securityfocus.com/bid/40600/info JForum is prone to multiple HTML-injection vulnerabilities because it fails to properly sanitize user-supplied input before using it in dynamically generated content. Successful exploits will allow attacker-supplied HTML and script code to run ...

7 AI score
Exploits: 0
Exploit DB
added 2022/01/13 12:0 a.m. | 1513 views

WordPress Core 5.8.2 - 'WP_Query' SQL Injection

Exploit Title: WordPress Core 5.8.2 - 'WPQuery' SQL Injection Date: 11/01/2022 Exploit Author: Aryan Chehreghani Vendor Homepage: https://wordpress.org Software Link: https://wordpress.org/download/releases Version: 5.8.3 Tested on: Windows 10 CVE : CVE-2022-21661 VULNERABILITY DETAILS : This...

8 CVSS | 7.8 AI score | 0.90365 EPSS
Exploits: 14
Exploit DB
added 2016/12/23 12:0 a.m. | 1502 views

OpenSSH < 7.4 - 'UsePrivilegeSeparation Disabled' Forwarded Unix Domain Sockets Privilege Escalation

Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1010 This issue affects OpenSSH if privilege separation is disabled config option UsePrivilegeSeparation=no. While privilege separation is enabled by default, it is documented as a hardening option, and therefore disabling it shoul...

7.4 AI score
Exploits: 0
Exploit DB
added 2011/08/18 12:0 a.m. | 1500 views

Elgg 1.7.10 - Multiple Vulnerabilities

Exploit Title: Elgg 1.7.10 Software Link: http://elgg.org/getelgg.php?forward=elgg-1.7.10.zip Version: 1.7.10 = 1. XSS...

7 AI score
Exploits: 0
Exploit DB
added 2017/04/17 12:0 a.m. | 1492 views

Microsoft Windows - SMB Remote Code Execution Scanner (MS17-010) (Metasploit)

This module requires Metasploit: http://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework auxiliary/scanner/smb/smbms17010 require 'msf/core' class MetasploitModule 'MS17-010 SMB RCE Detection', 'Description' = %q Uses information disclosure to determine if...

7.4 AI score
Exploits: 0
Exploit DB
added 2004/12/15 12:0 a.m. | 1484 views

CUPS 1.1.x - '.HPGL' File Processor Buffer Overflow

source: https://www.securityfocus.com/bid/11968/info CUPS is reported prone to a remote buffer overflow vulnerability. The issue is reported to exist in the 'hpgl-input.c' source file and is because of a lack of sufficient boundary checks performed on data contained in HPGL files. A remote attack...

7.4 AI score
Exploits: 0
Exploit DB
added 2024/05/19 12:0 a.m. | 1477 views

Backdrop CMS 1.27.1 - Authenticated Remote Command Execution (RCE)

Exploit Title: Backdrop CMS 1.27.1 - Authenticated Remote Command Execution RCE Date: 04/27/2024 Exploit Author: Ahmet Ümit BAYRAM Vendor Homepage: https://backdropcms.org/ Software Link: https://github.com/backdrop/backdrop/releases/download/1.27.1/backdrop.zip Version: latest Tested on: MacOS...

7.4 AI score
Exploits: 0
Exploit DB
added 2020/05/22 12:0 a.m. | 1453 views

Gym Management System 1.0 - Unauthenticated Remote Code Execution

Exploit Title: Gym Management System 1.0 - Unauthenticated Remote Code Execution Exploit Author: Bobby Cooke Date: 2020-05-21 Vendor Homepage: https://projectworlds.in/ Software Link: https://projectworlds.in/free-projects/php-projects/gym-management-system-project-in-php/ Version: 1.0 Tested On:...

7.4 AI score
Exploits: 0
Exploit DB
added 2009/08/04 12:0 a.m. | 1452 views

elgg 1.5 - '/_css/js.php' Local File Inclusion

Product: elgg.org Version: dbname,$mysqldblink 48: if $simplecacheenabled || $override 49: $filename = $dataroot . 'viewssimplecache/' . md5$viewtype . $view; 51: $contents = filegetcontents$filename; 56: else 59: $contents = elggview$view; /lib/elgglib.php: 237: function elggview$view, .. 317:...

7 AI score
Exploits: 0
Exploit DB
added 2021/02/23 12:0 a.m. | 1440 views

HFS (HTTP File Server) 2.3.x - Remote Command Execution (3)

Exploit Title: HFS HTTP File Server 2.3.x - Remote Command Execution 3 Google Dork: intext:"httpfileserver 2.3" Date: 20/02/2021 Exploit Author: Pergyz Vendor Homepage: http://www.rejetto.com/hfs/ Software Link: https://sourceforge.net/projects/hfs/ Version: 2.3.x Tested on: Microsoft Windows...

10 CVSS | 9.5 AI score | 0.94361 EPSS
Exploits: 23
Total number of security vulnerabilities: 5000