Pichaya Morimoto

9 exploits Active since Jul 2014
CVE-2014-125116 EXPLOITDB CRITICAL ruby WORKING POC
HybridAuth 2.0.9-2.2.2 - Unauthenticated Remote Code Execution via install.php Config Injection
A remote code execution vulnerability exists in HybridAuth versions 2.0.9 through 2.2.2 due to insecure use of the install.php installation script. The script remains accessible after deployment and fails to sanitize input before writing to the application’s config.php file. An unauthenticated attacker can inject arbitrary PHP code into config.php, which is later executed when the file is loaded. This allows attackers to achieve remote code execution on the server. Exploitation of this issue will overwrite the existing configuration, rendering the application non-functional.
CVE-2014-125116 EXPLOITDB CRITICAL text WORKING POC
HybridAuth 2.0.9-2.2.2 - Unauthenticated Remote Code Execution via install.php Config Injection
A remote code execution vulnerability exists in HybridAuth versions 2.0.9 through 2.2.2 due to insecure use of the install.php installation script. The script remains accessible after deployment and fails to sanitize input before writing to the application’s config.php file. An unauthenticated attacker can inject arbitrary PHP code into config.php, which is later executed when the file is loaded. This allows attackers to achieve remote code execution on the server. Exploitation of this issue will overwrite the existing configuration, rendering the application non-functional.
CVE-2025-34120 METASPLOIT HIGH ruby WORKING POC
LimeSurvey <2.06+ Build 151014 - Info Disclosure
An unauthenticated file download vulnerability exists in LimeSurvey versions from 2.0+ up to and including 2.06+ Build 151014. The application fails to validate serialized input to the admin backup endpoint (`index.php/admin/update/sa/backup`), allowing attackers to specify arbitrary file paths using a crafted `datasupdateinfo` payload. The files are packaged in a ZIP archive and made available for download without authentication. This vulnerability can be exploited to read arbitrary files on the host system, including sensitive OS and configuration files.
CVE-2015-2208 METASPLOIT ruby WORKING POC
phpMoAdmin 1.1.2 - Remote Code Execution via Object Parameter
The saveObject function in moadmin.php in phpMoAdmin 1.1.2 allows remote attackers to execute arbitrary commands via shell metacharacters in the object parameter.
CVE-2014-125116 METASPLOIT CRITICAL ruby WORKING POC
HybridAuth 2.0.9-2.2.2 - Unauthenticated Remote Code Execution via install.php Config Injection
A remote code execution vulnerability exists in HybridAuth versions 2.0.9 through 2.2.2 due to insecure use of the install.php installation script. The script remains accessible after deployment and fails to sanitize input before writing to the application’s config.php file. An unauthenticated attacker can inject arbitrary PHP code into config.php, which is later executed when the file is loaded. This allows attackers to achieve remote code execution on the server. Exploitation of this issue will overwrite the existing configuration, rendering the application non-functional.
EIP-2026-111201 EXPLOITDB text WORKING POC
phpSFP Schedule Facebook Posts 1.5.6 - SQL Injection
EIP-2026-110559 EXPLOITDB text WORKING POC
pfSense 2.1 build 20130911-1816 - Directory Traversal
CVE-2014-4663 EXPLOITDB text WORKING POC
TimThumb 2.8.13-WordThumb 1.07 - RCE
TimThumb 2.8.13 and WordThumb 1.07, when Webshot (aka Webshots) is enabled, allows remote attackers to execute arbitrary commands via shell metacharacters in the src parameter.
EIP-2026-103963 EXPLOITDB text WORKING POC
Laravel - 'Hash::make()' Password Truncation Security