39001 matches found

0day.today
added 2021/04/21 12:0 a.m. | 91 views

Cockpit CMS 0.11.1 NoSQL Injection / Remote Command Execution Exploit

This Metasploit module exploits two NoSQL injection vulnerabilities to retrieve the user list and password reset tokens from the system. Next, the USER is targeted to reset their password. Then, a command injection vulnerability is used to execute the payload. While it is possible to upload a...

CVSS: 9.8 | AI score: 0.7 | EPSS: 0.98294
Exploits: 12

0day.today
added 2021/04/20 12:0 a.m. | 120 views

Fibaro Home Center MITM / Missing Authentication / Code Execution Vulnerabilities

Fibaro Home Center Light and Fibaro Home Center 2 versions 4.600 and below suffer from man-in-the-middle, missing authentication, remote command execution, and missing encryption vulnerabilities. Fibaro Home Center MITM / Missing Authentication / Code Execution Vendor description:...

CVSS: 9.8 | AI score: 7 | EPSS: 0.05437
Exploits: 6

0day.today
added 2021/04/20 12:0 a.m. | 71 views

Cisco RV Authentication Bypass / Code Execution Vulnerability

Cisco RV-series routers suffer from an authentication bypass vulnerability. The RV34X series are also affected by a command injection vulnerability in the sessionid cookie, when requesting the /upload endpoint. A combination of these issues would allow any person who is able to communicate with t...

CVSS: 9.8 | AI score: 1.1 | EPSS: 0.72472
Exploits: 8

0day.today
added 2021/04/20 12:0 a.m. | 55 views

Phone Shop Sales Management System 1.0 Shell Upload Exploit

Exploit Title: Phone Shop Sales Management System - Arbitrary File Upload Unauthenticated Exploit Author: Richard Jones Vendor Homepage: https://www.sourcecodester.com/php/10882/phone-shop-sales-managements-system.html Version: 1.0 Tested on: Windows 10 build 19041 + xampp 3.2.4 import requests...

AI score: 7.4
Exploits: 0

0day.today
added 2021/04/19 12:0 a.m. | 20 views

WordPress Photo Gallery 1.5.69 Cross Site Scripting Vulnerability

WordPress Photo Gallery plugin versions 1.5.69 and below suffer from multiple reflective cross site scripting vulnerabilities. WordPress Photo Gallery 1.5.69 Cross Site Scripting Vulnerability Researcher Name: ThuraMoeMyint Twitter: https://twitter.com/mgthuramoemyint Vendor Url:...

AI score: 6.8
Exploits: 0

0day.today
added 2021/04/19 12:0 a.m. | 37 views

Plantronics HUB 3.21 Privilege Escalation Vulnerability

Plantronics HUB versions 3.21 and below are affected by a privilege escalation vulnerability allowing any local unprivileged user to acquire elevated access rights and take full control of the system. Plantronics HUB 3.21 Privilege Escalation Vulnerability...

AI score: 0.8
Exploits: 0

0day.today
added 2021/04/19 12:0 a.m. | 73 views

Nagios XI 5.7.3 Remote Code Execution Exploit

This Metasploit module exploits CVE-2020-5791, an OS command injection vulnerability on Nagios XI versions 5.6.0 through 5.7.3 in admin/mibs.php that enables an authenticated user with admin privileges to achieve remote code execution as either the apache user or the www-data user. This module...

CVSS: 7.2 | AI score: 7.9 | EPSS: 0.78632
Exploits: 7

0day.today
added 2021/04/16 12:0 a.m. | 27 views

Linux/x86 - execve(/bin/sh) Shellcode (17 bytes)

Linux/x86 - execve/bin/sh Shellcode 17 bytes Author: s1ege Tested on: i686 GNU/Linux Shellcode length: 17 / ; nasm -felf32 shellcode.asm && ld -melfi386 shellcode.o -o shellcode section .text global start start: push 0x0b pop eax push 0x0068732f push 0x6e69622f mov ebx, esp int 0x80 / include...

AI score: 0.2
Exploits: 0

0day.today
added 2021/04/16 12:0 a.m. | 22 views

glFTPd 2.11a - Remote Denial of Service Exploit

Exploit Title: glFTPd 2.11a - Remote Denial of Service Exploit Author: xynmaps Vendor Homepage: https://glftpd.io/ Software Link: https://glftpd.io/files/glftpd-LNX-2.11a1.1.1kx64.tgz Version: 2.11a Tested on: Parrot Security OS 5.9.0 ------------------------------- encoding=utf8 author =...

AI score: 0.1
Exploits: 0

0day.today
added 2021/04/16 12:0 a.m. | 339 views

Linux/x64 - execve(/bin/sh) Shellcode (21 bytes) (2)

Linux/x64 - execve/bin/sh Shellcode 21 bytes Author: s1ege Tested on: x8664 GNU/Linux Shellcode Length: 21 / objdump disassembly 401000: 50 push %rax 401001: 48 31 d2 xor %rdx,%rdx 401004: 48 bb 2f 62 69 6e 2f movabs $0x68732f2f6e69622f,%rbx 40100b: 2f 73 68 40100e: 53 push %rbx 40100f: 54 push...

AI score: 7.4
Exploits: 0

0day.today
added 2021/04/16 12:0 a.m. | 48 views

GetSimple CMS My SMTP Contact Plugin 1.1.1 - CSRF to Remote Code Execution Exploit

Exploit Title: GetSimple CMS My SMTP Contact Plugin 1.1.1 - CSRF to RCE Exploit Author: Bobby Cooke boku Vendor Homepage: http://get-simple.info Software Link: http://get-simple.info/extend/download.php?file=files/18274/1221/my-smtp-contact1.1.1.zip&id=1221 Vendor: NetExplorer Version: = v1.1.1...

Exploits: 0

0day.today
added 2021/04/15 12:0 a.m. | 128 views

Nagios XI Remote Code Execution Exploit

This Metasploit module exploits a command injection vulnerability in the /admin/monitoringplugins.php page of Nagios XI versions prior to 5.8.0 when uploading plugins. Successful exploitation allows an authenticated admin user to achieve remote code execution as the apache user by uploading a...

CVSS: 7.2 | AI score: 7.4 | EPSS: 0.81915
Exploits: 7

0day.today
added 2021/04/15 12:0 a.m. | 29 views

Tileserver-gl 3.0.0 - (key) Reflected Cross-Site Scripting Vulnerability

Exploit Title: Tileserver-gl 3.0.0 - 'key' Reflected Cross-Site Scripting XSS Exploit Author: Akash Chathoth Vendor Homepage: http://tileserver.org/ Software Link: https://github.com/maptiler/tileserver-gl Version: versions alertdocument.domain 0day.today 2021-10-22...

CVSS: 6.1 | AI score: 0.5 | EPSS: 0.12224
Exploits: 3

0day.today
added 2021/04/15 12:0 a.m. | 61 views

htmly 2.8.0 Cross Site Scripting Exploit

Exploit Title: htmly 2.8.0 allows stored XSS Authors: @nu11secur1ty & G.Dzhankushev Date: 04.15.2021 Vendor: htmly Link: https://github.com/danpros/htmly CVE: CVE-2021-30637 Software Link: https://github.com/danpros/htmly Video: https://www.youtube.com/watch?v=xKRQZYqVlS4 Steps to Reproduce:...

CVSS: 6.1 | AI score: 5.8 | EPSS: 0.04944
Exploits: 9

0day.today
added 2021/04/14 12:0 a.m. | 21 views

Native Church Website 1.0 Shell Upload Exploit

Exploit Title: Native Church Website - Arbitrary File Upload Authenticated Exploit Author: Richard Jones Vendor Homepage: https://www.sourcecodester.com/php/11764/native-church-website-phpmysql.html Version: 1.0 Tested on: Windows 10 build 19041 + xampp 3.2.4 /usr/bin/python3 import requests impo...

AI score: 0.1
Exploits: 0

0day.today
added 2021/04/14 12:0 a.m. | 77 views

Horde Groupware Webmail Edition 5.2.22 XSS / Remote Code Execution Exploit

Webmail Edition version 5.2.22 suffers from remote code execution and cross site scripting vulnerabilities via the HordeTextFilter library. Exploit Title: Remote code execution XSS HordeTextFilter library Webmail Edition through 5.2.22 Author: Alex Birnberg Testing and Debugging: Ventsislav...

CVSS: 6.1 | EPSS: 0.04944
Exploits: 7

0day.today
added 2021/04/14 12:0 a.m. | 25 views

Digital Crime Report Management System 1.0 - SQL Injection (Authentication Bypass) Vulnerability

Exploit Title: Digital Crime Report Management System 1.0 - SQL Injection Authentication Bypass Exploit Author: Galuh Muhammad Iman Akbar GaluhID Vendor Homepage: https://iwantsourcecodes.com/digital-crime-report-management-system-in-php-with-source-code/ Software Link:...

AI score: 0.8
Exploits: 0

0day.today
added 2021/04/14 12:0 a.m. | 56 views

CITSmart ITSM 9.1.2.22 - LDAP Injection Vulnerability

Exploit Title: CITSmart ITSM 9.1.2.22 - LDAP Injection Google Dork: "citsmart.local" Exploit Author: skysbsb Vendor Homepage: https://docs.citsmart.com/pt-br/citsmart-platform-9/get-started/about-citsmart/release-notes.html Version: = 9.1.2.23 Using this LDAP query in the username field of login...

CVSS: 9.8 | AI score: 0.3 | EPSS: 0.13309
Exploits: 3

0day.today
added 2021/04/14 12:0 a.m. | 99 views

Chrome V8 JavaScript Engine Remote Code Execution Exploit

Chrome V8 Javascript Engine remote code execution zero day exploit. Google is expected to release an update to their browser on tuesday 04/14/2021 that will address this vulnerability. / BSD 2-Clause License Copyright c 2021, rajvardhan agarwal All rights reserved. Redistribution and use in sourc...

AI score: 8.1
Exploits: 0

0day.today
added 2021/04/14 12:0 a.m. | 77 views

Nagios XI getprofile.sh Remote Command Execution Exploit

This Metasploit module exploits a vulnerability in the getprofile.sh script of Nagios XI versions prior to 5.6.6 in order to upload a malicious checkping plugin and thereby execute arbitrary commands. For Nagios XI 5.2.0 through 5.4.13, the commands are run as the nagios user. For versions 5.5.0...

CVSS: 8.8 | AI score: 9.1 | EPSS: 0.77741
Exploits: 13

0day.today
added 2021/04/14 12:0 a.m. | 71 views

CITSmart ITSM 9.1.2.27 - (query) Time-based Blind SQL Injection (Authenticated) Vulnerability

Exploit Title: CITSmart ITSM 9.1.2.27 - 'query' Time-based Blind SQL Injection Authenticated Google Dork: "citsmart.local" Exploit Author: skysbsb Vendor Homepage: https://docs.citsmart.com/pt-br/citsmart-platform-9/get-started/about-citsmart/release-notes.html Version: = 9.1.2.28 Vendor has...

CVSS: 8.8 | AI score: 0.6 | EPSS: 0.05767
Exploits: 3

0day.today
added 2021/04/14 12:0 a.m. | 96 views

Microsoft Azure DevOps Server 2020.0.1 Cross Site Scripting Vulnerability

Webmail Edition version 5.2.22 suffers from remote code execution and cross site scripting vulnerabilities via the HordeTextFilter library. ======================================================================= title: Reflected cross-site scripting product: Microsoft Azure DevOps Server vulnerab...

CVSS: 6.1 | AI score: 0.2 | EPSS: 0.02317
Exploits: 3

0day.today
added 2021/04/14 12:0 a.m. | 60 views

Genexis PLATINUM 4410 2.1 P4410-V2-1.28 - Remote Code Execution Vulnerability

Exploit Title: Genexis PLATINUM 4410 2.1 P4410-V2-1.28 - RCE Exploit Author: Jay Sharma Version: Genexis PLATINUM 4410 2.1 P4410-V2-1.28 Tested on: V2.1 CVE : CVE-2021-29003 steps to reproduce Genexis PLATINUM 4410 2.1 P4410-V2-1.28 devices allow remote attackers to execute arbitrary code via she...

CVSS: 9.8 | AI score: 0.5 | EPSS: 0.45417
Exploits: 5

0day.today
added 2021/04/14 12:0 a.m. | 4691 views

jQuery 1.2 - Cross-Site Scripting Vulnerability

Exploit Title: jQuery 1.2 - Cross-Site Scripting XSS Exploit Author: Central InfoSec Version: jQuery versions greater than or equal to 1.2 and before 3.5.0 CVE : CVE-2020-11022 Proof of Concept 1: 0day.today 2021-10-19...

CVSS: 6.9 | AI score: 0.3 | EPSS: 0.99019
Exploits: 7

0day.today
added 2021/04/14 12:0 a.m. | 4303 views

jQuery 1.0.3 - Cross-Site Scripting Vulnerability

Exploit Title: jQuery 1.0.3 - Cross-Site Scripting XSS Exploit Author: Central InfoSec Version: jQuery versions greater than or equal to 1.0.3 and before 3.5.0 CVE : CVE-2020-11023 Proof of Concept 1: Proof of Concept 2 Only jQuery 3.x affected: " 0day.today 2021-10-19...

CVSS: 6.9 | AI score: 0.3 | EPSS: 0.8383
Exploits: 6

0day.today
added 2021/04/14 12:0 a.m. | 240 views

MariaDB 10.2 /MySQL - (wsrep_provider) OS Command Execution Vulnerability

Exploit Title: MariaDB 10.2 /MySQL - 'wsrep_provider' OS Command Execution Exploit Author: Central InfoSec Version: MariaDB 10.2 before 10.2.37, 10.3 before 10.3.28, 10.4 before 10.4.18, and 10.5 before 10.5.9; Percona Server through 2021-03-03; and the wsrep patch through 2021-03-03 for MySQL...

CVSS: 7.2 | AI score: 1.1 | EPSS: 0.38179
Exploits: 9

0day.today
added 2021/04/13 12:0 a.m. | 173 views

ExpressVPN VPN Router 1.0 - Router Login Panels Integer Overflow Vulnerability

Exploit Title: ExpressVPN VPN Router 1.0 - Router Login Panel's Integer Overflow Exploit Author: Jai Kumar Sharma Vendor Homepage: https://www.expressvpn.com/ Software Link: https://www.expressvpn.com/vpn-software/vpn-router Version: version 1 Tested on: Windows/Ubuntu/MacOS CVE : CVE-2020-29238...

CVSS: 7.5 | AI score: 0.8 | EPSS: 0.16652
Exploits: 3

0day.today
added 2021/04/13 12:0 a.m. | 29 views

Blitar Tourism 1.0 - Authentication Bypass SQL Injection Vulnerability

Exploit Title: Blitar Tourism 1.0 - Authentication Bypass SQLi Exploit Author: sigeri94 Vendor Homepage: https://sourcecodeaplikasi.info/source-code-aplikasi-biro-travel-berbasis-web/ Software Link: https://codeload.github.com/satndy/Aplikasi-Biro-Travel/zip/master Version: 1.0 POST /travel/Admin...

AI score: 0.6
Exploits: 0

0day.today
added 2021/04/13 12:0 a.m. | 28 views

Simple Student Information System 1.0 - SQL Injection (Authentication Bypass) Vulnerability

Exploit Title: Simple Student Information System 1.0 - SQL Injection Authentication Bypass Exploit Author: Galuh Muhammad Iman Akbar GaluhID Vendor Homepage: https://www.sourcecodester.com/php/11400/simple-student-information-system-ajax-live-search.html Software Link:...

AI score: 0.1
Exploits: 0

0day.today
added 2021/04/12 12:0 a.m. | 1380 views

vsftpd 2.3.4 - Backdoor Command Execution Exploit

Exploit Title: vsftpd 2.3.4 - Backdoor Command Execution Exploit Author: HerculesRD Software Link: http://www.linuxfromscratch.org/thomasp/blfs-book-xsl/server/vsftpd.html Version: vsftpd 2.3.4 Tested on: debian CVE : CVE-2011-2523 !/usr/bin/python3 from telnetlib import Telnet import argparse fr...

CVSS: 9.8 | AI score: 9.8 | EPSS: 0.96184
Exploits: 30

0day.today
added 2021/04/09 12:0 a.m. | 64 views

Google Chrome SimplifiedLowering Integer Overflow Exploit

This Metasploit module exploits an issue in Google Chrome versions before 87.0.4280.88 64 bit. The exploit makes use of an integer overflow in the SimplifiedLowering phase in turbofan. It is used along with a typer hardening bypass using ArrayPrototypeShift to create a JSArray with a length of -1...

CVSS: 6.5 | AI score: 7.7 | EPSS: 0.99595
Exploits: 14

0day.today
added 2021/04/09 12:0 a.m. | 68 views

PrestaShop 1.7.6.7 - (location) Blind Sql Injection Exploit

Exploit Title: PrestaShop 1.7.6.7 - 'location' Blind Sql Injection Exploit Author: Vanshal Gaur Vendor Homepage: https://www.prestashop.com/ Version: 1.7.5.x 1.7.6.8 Tested on: Debian 10 buster CVE : CVE-2020-15160 !/usr/bin/python3 ''' Setup Vulnerable Docker on "localhost:8080": docker network...

CVSS: 9.8 | AI score: 0.2 | EPSS: 0.10807
Exploits: 3

0day.today
added 2021/04/08 12:0 a.m. | 88 views

DMA Radius Manager 4.4.0 - Cross-Site Request Forgery Vulnerability

Exploit Title: DMA Radius Manager 4.4.0 - Cross-Site Request Forgery CSRF Exploit Author: Issac Briones Vendor Homepage: http://www.dmasoftlab.com/ Software Download: https://sourceforge.net/projects/radiusmanager/ Version: 4.4.0 CVE: CVE-2021-30147...

CVSS: 8.8 | AI score: 0.7 | EPSS: 0.0352
Exploits: 4

0day.today
added 2021/04/08 12:0 a.m. | 52 views

Check Point Identity Agent Arbitrary File Write Vulnerability

Check Point Identity Agent Arbitrary File Write Vulnerability Description =========== The Check Point Identity Agent allows low privileged users to write files to protected locations of the file system. Details ======= Advisory ID: usd-2021-0005 Product: Check Point Identity Agent Affected Versio...

AI score: 7.4
Exploits: 0

0day.today
added 2021/04/08 12:0 a.m. | 58 views

D-Link DSL-320B-D1 Pre-Authentication Buffer Overflow Vulnerability

The D-Link DSL-320B-D1 ADSL modem suffers from multiple pre-authentication stack buffer overflow vulnerabilities. Multiple Pre-Auth Stack Buffer Overflow in D-Link DSL-320B-D1 ADSL Modem ======== ========================================= 0. Overview 1. Details 2. Solution 3. Disclosure Timeline 4...

CVSS: 10 | AI score: 0.1 | EPSS: 0.40081
Exploits: 3

0day.today
added 2021/04/08 12:0 a.m. | 32 views

CMSimple 5.2 - (External) Stored XSS Vulnerability

Exploit Title: CMSimple 5.2 - 'External' Stored XSS Exploit Author: Quadron Research Lab Version: CMSimple 5.2 Tested on: Windows 10 x64 HUN/ENG Professional Vendor: https://www.cmsimple.org/en/ Description The CMSimple 5.2 allow stored XSS via the Settings CMS Filebrowser "External:" input field...

AI score: 0.4
Exploits: 0

0day.today
added 2021/04/08 12:0 a.m. | 124 views

Linux Kernel 5.4 - (BleedingTooth) Bluetooth Zero-Click Remote Code Execution Exploit

Exploit Title: Linux Kernel 5.4 - 'BleedingTooth' Bluetooth Zero-Click Remote Code Execution Exploit Author: Google Security Research Andy Nguyen Tested on: 5.4.0-48-generic 52-Ubuntu SMP Thu Sep 10 10:58:49 UTC 2020 x8664 x8664 x8664 GNU/Linux CVE : CVE-2020-12351, CVE-2020-12352 / BleedingTooth...

CVSS: 8.8 | AI score: 8.2 | EPSS: 0.07693
Exploits: 6

0day.today
added 2021/04/07 12:0 a.m. | 141 views

Pulse Secure VPN Arbitrary Command Execution Exploit

Pulse Secure Pulse Connect Secure versions 9.0RX before 9.0R3.4, 8.3RX before 8.3R7.1, 8.2RX before 8.2R12.1, and 8.1RX before 8.1R15.1 and Pulse Policy Secure versions 9.0RX before 9.0R3.2, 5.4RX before 5.4R7.1, 5.3RX before 5.3R12.1, 5.2RX before 5.2R12.1, and 5.1RX before 5.1R15.1 have an...

CVSS: 8 | AI score: 0.6 | EPSS: 0.98617
Exploits: 12

0day.today
added 2021/04/07 12:0 a.m. | 74 views

Dell OpenManage Server Administrator 9.4.0.0 - Arbitrary File Read Exploit

Exploit Title: Dell OpenManage Server Administrator 9.4.0.0 - Arbitrary File Read Exploit Author: Rhino Security Labs Version: :' exit This XML to imitate a Dell OMSA remote system comes from https://www.exploit-db.com/exploits/39909 Also check out https://github.com/hantwister/FakeDellOM class...

CVSS: 9.1 | EPSS: 0.48332
Exploits: 4

0day.today
added 2021/04/07 12:0 a.m. | 115 views

Gitea Git Hooks Remote Code Execution Exploit

This Metasploit module leverages an insecure setting to get remote code execution on the target OS in the context of the user running Gitea. This is possible when the current user is allowed to create git hooks, which is the default for administrative users. For non-administrative users, the...

CVSS: 7.2 | AI score: 7.3 | EPSS: 0.93691
Exploits: 12

0day.today
added 2021/04/07 12:0 a.m. | 276 views

Monospace Directus Headless CMS File Upload / Rule Bypass Vulnerabilities

======================================================================= title: Arbitrary File Upload and Bypassing .htaccess Rules product: Monospace Directus Headless CMS vulnerable version: v8.8.2 fixed version: v8.8.2, v9 is not affected because of different architecture CVE number:...

CVSS: 8.8 | AI score: 0.2 | EPSS: 0.04867
Exploits: 3

0day.today
added 2021/04/07 12:0 a.m. | 44 views

Atlassian Jira Service Desk 4.9.1 - Unrestricted File Upload to XSS Vulnerability

Exploit Title: Atlassian Jira Service Desk 4.9.1 - Unrestricted File Upload to XSS Exploit Author: Captainhook Vendor Homepage: https://www.atlassian.com/ Version: 4.10.0 Tested on: All OS CVE: CVE-2020-14166 Summary: The /servicedesk/customer/portals resource in Jira Service Desk Server and Data...

CVSS: 4.8 | AI score: 0.5 | EPSS: 0.0194
Exploits: 3

0day.today
added 2021/04/07 12:0 a.m. | 50 views

Composr CMS 10.0.36 - Cross Site Scripting Vulnerability

Exploit Title: Composr CMS 10.0.36 - Cross Site Scripting Exploit Author: Orion Hridoy Vendor Homepage: https://compo.sr/ Software Link: https://compo.sr/download.htm Version: 10.0.36 Tested on: Windows/Linux CVE : CVE-2021-30150 Vulnerable Endpoint:...

CVSS: 6.1 | AI score: 6.3 | EPSS: 0.02775
Exploits: 4

0day.today
added 2021/04/07 12:0 a.m. | 86 views

Composr 10.0.36 - Remote Code Execution Vulnerability

Exploit Title: Composr 10.0.36 - Remote Code Execution Exploit Author: Orion Hridoy Vendor Homepage: https://compo.sr/ Software Link: https://compo.sr/download.htm Version: 10.0.36 Tested on: Windows/Linux CVE : CVE-2021-30149 A RCE on Composr CMS has been discovered by BugsBD Private LTD. We hav...

CVSS: 9.8 | AI score: 0.3 | EPSS: 0.10064
Exploits: 4

0day.today
added 2021/04/07 12:0 a.m. | 230 views

OpenBSD OpenSMTPD 6.6 Remote Code Execution Exploit

smtp_mailaddr in smtp_session.c in OpenSMTPD version 6.6, as used in OpenBSD version 6.6 and other products, allows remote attackers to execute arbitrary commands as root via a crafted SMTP session, as demonstrated by shell metacharacters in a MAIL FROM field. This affects the "uncommented" default...

CVSS: 9.8 | AI score: 9.8 | EPSS: 0.98972
Exploits: 27

0day.today
added 2021/04/07 12:0 a.m. | 862 views

Gogs Git Hooks Remote Code Execution Exploit

This Metasploit module leverages an insecure setting to get remote code execution on the target OS in the context of the user running Gogs. This is possible when the current user is allowed to create git hooks, which is the default for administrative users. For non-administrative users, the...

CVSS: 7.2 | AI score: 7.3 | EPSS: 0.93691
Exploits: 13

0day.today
added 2021/04/07 12:0 a.m. | 302 views

Ignition 2.5.1 Remote Code Execution Exploit

Ignition versions prior to 2.5.2, as used in Laravel and other products, allows unauthenticated remote attackers to execute arbitrary code because of insecure usage of file_get_contents and file_put_contents. This is exploitable on sites using debug mode with Laravel versions prior to 8.4.2. Exploit...

CVSS: 9.8 | AI score: 0.8 | EPSS: 0.99943
Exploits: 36

0day.today
added 2021/04/07 12:0 a.m. | 165 views

Apache OFBiz SOAP Java Deserialization Exploit

This module requires Metasploit: https://metasploit.com/download Current source: https://github.com/rapid7/metasploit-framework class MetasploitModule 'http://ofbiz.apache.org/service/', 'soapenv' = 'http://schemas.xmlsoap.org/soap/envelope/' .freeze def initializeinfo = super updateinfo info,...

CVSS: 9.8 | AI score: 9.6 | EPSS: 0.97969
Exploits: 9

0day.today
added 2021/04/06 12:0 a.m. | 129 views

Google Chrome 81.0.4044 V8 - Remote Code Execution Exploit

Exploit Title: Google Chrome 81.0.4044 V8 - Remote Code Execution Exploit Author: Tobias Marcotto Tested on: Kali Linux x64 Version: 83.0.4103.106 Description: Out of bounds write in V8 in Google Chrome prior to 83.0.4103.106 allowed a remote attacker to potentially exploit heap corruption via a...

CVSS: 8.8 | AI score: 9.2 | EPSS: 0.19419
Exploits: 6

0day.today
added 2021/04/06 12:0 a.m. | 34 views

Mini Mouse 9.3.0 - Local File inclusion / Path Traversal Vulnerabilities

Exploit Title: Mini Mouse 9.3.0 - Local File inclusion / Path Traversal Author: gosh Vendor Homepage: http://yodinfo.com Software Link: https://apps.apple.com/us/app/mini-mouse-remote-control/id914250948 Version: 9.3.0 Tested on: iPhone; iOS 14.4.2 GET /op=getdeviceinfo HTTP/1.1 Host:...

AI score: 0.4
Exploits: 0

Total number of security vulnerabilities: 39001